What Should My Security Strategy Achieve?
• Recognizes that positions and departments may change
• Recognizes that people may change
• Recognizes that roles need to be flexibly assembled so that they can be easily changed

Using Your Organization’s Structural Hierarchy
• Do seek the benefits of using your organization’s structural hierarchy for role allocation
[Diagram: Organizational Unit/Work Center; Job; Position (S); Employee (P); UserID (US); Role (AG), labelled Indirect and Direct]
• Value represented between ( ) = SAP ERP object types

Using Your Organization’s Structural Hierarchy (cont.)
• Since the use of the Organizational Hierarchy allows for inferring authorizations, there is no need for doubling up on the same authorizations or using composite roles
• No longer a need for one role to contain all authorizations for a requirement (~ SAP-Delivered roles)
  - Purchasing Manager:
    - Execute Business Explorer (BEx) Analyzer via RRMX
    - Execute, create, and modify queries prefixed ZM*

Pros and Cons of the SAP-Delivered Roles (cont.)
• The one SAP-delivered role I would recommend using: SAP_SAP_BW_BI_ADMINISTRATOR. Why?
  - BI Technical Content is all SAP-Delivered Objects and thus requires no additional “tweaking” to make it work
  - If modifications are made to the BI Technical Content, SAP would also update the reliant role
  - BI Technical Content is the same across every Business Intelligence installation; thus non-client specific
  - BI Technical Content is segregated from the rest of the Data Warehouse
  - Make sure you have the latest SAP modifications by using current versions of all the SAP-Delivered Objects related to the Administration Cockpit
    - If you make enhancements or use your own naming convention as a copy of the role, you could fall behind maintenance if BI Technical Content is reinstalled

[Figure labels: Power User; Department Administrator; BI Developer]

1 – Query User Role
• Applies to ALL systems
• Ability to execute BEx Analyzer
  - S_TCODE
    - Transaction code = RRMX
  - S_GUI
    - Activity = 60, 61 (Import, Export)
    - Authorization for GUI activities, execution of workbooks
  - S_BDS_DS and S_BDS_D
    - Activity = 03, 30; Class Type = OT
    - Authorization for document set
    - S_GUI and S_BDS_DS enable users to save workbooks to their Favorites Folder

3 – BI Department Administrator Role (cont.)
• Role usertype_deptadmin_all_ZBW_A_UT_DA_FI_ALL

4 – BI Developer Role
• All authorizations to do with query development would be inherited by the power user and department administrator classifications
• BI developer roles have two different role distinctions similar to the BI Department Administrator
  - SAP BW developer-only: this role is not transported
  - ALL: this role is transported and is applicable to SAP NetWeaver BI Dev, QA, and Prod environments
  - Due to the number of tasks and size, screenshots of this role are not included in this presentation. Refer to the take-home CD.
    - Role usertype_developer_all_ZBW_A_UT_DV_IT_ALL
    - Role usertype_developer_bwd_ZBW_A_UT_DV_IT_BWD

Organizational Hierarchy and BI User Type Impacts
[Figure: organizational hierarchy with role labels. Nodes: 1000 Corporate; 1001 Logistics Department; 1001001 Purchasing Manager; 1002111 Purchase Operations 1; 1002112 Purchase Operations 2; 1002 Finance Department. Labels: Query User Role; Job_1, MM Dept. Admin. Role; Job_2, MM Power User Role]

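Added example (not part of the original deck and not SAP code): a simplified Python model of how roles assigned indirectly to HR-ORG nodes reach a user, and how to spot direct assignments that merely double up an inherited role. The role names, user IDs, validity dates and tree edges are constructed for illustration; only the node numbers echo the slide above.

```python
from datetime import date

# Constructed sample data, not exported from any SAP system.
# HR-ORG tree as child -> parent (org units and positions).
PARENT = {
    "1001": "1000",      # Logistics Department -> Corporate
    "1002": "1000",      # Finance Department -> Corporate
    "1001001": "1001",   # Purchasing Manager position
    "1002111": "1001",   # Purchase Operations 1 position
}
# Indirect assignments: node -> [(role, valid_from, valid_to)]; names are hypothetical.
INDIRECT = {
    "1000": [("QUERY_USER", date(2008, 1, 1), date(9999, 12, 31))],
    "1001001": [("MM_DEPT_ADMIN", date(2008, 1, 1), date(2008, 6, 30))],
    "1002111": [("MM_POWER_USER", date(2008, 1, 1), date(9999, 12, 31))],
}
HOLDER = {"JSMITH": "1001001", "ALEE": "1002111"}  # user ID -> position held
DIRECT = {"ALEE": {"QUERY_USER"}}                   # direct user assignments


def inherited_roles(user, on):
    """Roles reaching `user` through the position held and every node above it."""
    roles, seen = set(), set()
    node = HOLDER.get(user)
    while node is not None and node not in seen:  # `seen` guards against loops
        seen.add(node)
        for role, start, end in INDIRECT.get(node, []):
            if start <= on <= end:                # honour the validity period
                roles.add(role)
        node = PARENT.get(node)
    return roles


def effective_roles(user, on):
    """Inherited (indirect) roles plus roles assigned directly to the user ID."""
    return inherited_roles(user, on) | DIRECT.get(user, set())


def redundant_direct(user, on):
    """Direct assignments that only double up what the hierarchy already grants."""
    return DIRECT.get(user, set()) & inherited_roles(user, on)


if __name__ == "__main__":
    for uid in HOLDER:
        today = date(2008, 3, 1)
        print(uid, sorted(effective_roles(uid, today)),
              "redundant:", sorted(redundant_direct(uid, today)))
```

Running the redundancy check periodically shows which direct assignments can be removed so that a position change alone updates the user's access.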
InfoArea and Data Target-Level Security (cont.)
• SAP NetWeaver BI 7.x has impacted these role classifications
• S_RS_COMP is still valid
• The use of S_RS_ICUBE, S_RS_ISET, S_RS_ODSO, and S_RS_MPRO has changed

InfoArea and Data Target-Level Security (cont.)
• Pre BI 7.x – Obsolete Concept enabled the INACTIV authorization object – should be active as they are still used
• The following illustrates Post BI 7.x – new Reporting Analysis Concept enabled and thus INACTIV status:

What We’ll Cover …
• What makes a good BI security model?
• How and why to set up a flexible position-based model
  - Roles for BI user type
  - Special function roles
  - InfoArea and Data Target-level security
  - InfoObject-level security
• How to control ad hoc query creation using role menus
• How to leverage the company organizational hierarchy
• Wrap-up

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• Accessing Menu Folder Roles from SAPGUI

How to Allocate Roles Using HR Organization Structure (cont.)
• Nine steps to HR-ORG role allocation
  1. Execute transaction PFCG
  2. Specify the role for assignment
  3. Choose the User tab page
  4. Click the Organizational Mgmt button
  5. Click the Assignment button
  6. Choose Agent Type Organizational unit
  7. Enter Search term * and select Org tree icon. HR-ORG is displayed.
  8. Select the node for allocation. Choosing a high node auto-selects lower level nodes.
  9. Specify relationship validity period. Create.

How to Allocate Roles Using HR Organization Structure (cont.)
• Step 6 – Choose Agent Type Organizational unit
• Step 7 – Enter Search term * and select Org tree icon

How to Allocate Roles Using HR Organization Structure (cont.)
• Result of the allocation from the HR-ORG tree perspective:
• Organization levels that appear blue in the tree have had Indirect role assignments allocated. Green highlights are Direct role assignments.

Query User Example (Direct User Assignment)

Resources
• SAP Service Marketplace note
  - 934848 “Collective note: (FAQ) BI Administration Cockpit”
• Documentation BI Administration Cockpit
  - http://help.sap.com/saphelp_nw70/helpdata/en/43/15c54048035a39e10000000a422035/content.htm
• Documentation BI Query Runtime Statistics
  - http://help.sap.com/saphelp_nw70/helpdata/en/ef/372242c4e05033e10000000a155106/content.htm
• How to Upload Roles into your BI System
  - “How to Upload the Roles.doc”
• Indirect Role Assignments
  - http://help.sap.com/saphelp_nw04/helpdata/en/8b/3c713eeaac5441e10000000a114084/frameset.htm
    - “Indirect Role Assignment Using HR-ORG.PDF”

Resources (cont.)
• Indirect Role Assignments (cont.)
  - SAP Service Marketplace (https://websmp109.sap-ag.de/notes *)
    - SAP Note 200343: HR-CA-ALE: Composite SAP Note Re Distributing HR Master Data
    - SAP Note 363187: HR-CA-ALE: Initial Distribution w. HRMD_A/ HRMD_ABA (hint)
    - SAP Note 200066: HR-CA-ALE: Q&A for Setting Up HR-ALE Scenarios
      - This note contains links to the QuickStart documentation for ALE and the ALE HR business processes
    - SAP Note 581019: Distribute PFCG HR-ORG model for indirect role assignment

7 Key Points to Take Home (cont.)
• More effort is required in the initial setup of a flexible model. However, an inflexible one requires higher ongoing maintenance and is more prone to security inconsistencies.
• Separate roles that control user actions from roles that control viewing of data
• Separate roles that have authorizations defined within them from roles that contain only menus as they operate on a different maintenance schedule

Your Turn!
How to contact me:
Tracey Brookes
tbrookes@sapient.com

Wellesley Information Services, 990 Washington Street, Suite 308, Dedham, MA 02026
Copyright © 2008 Wellesley Information Services. All rights reserved.