Hovitaga authorization concept and setup guide
An overview of SAP authorizations used in Hovitaga OpenSQL Editor and Hovitaga Report Generator.


Authorization concept overview and setup guide for Hovitaga OpenSQL Editor and Hovitaga Report Generator
Version 1.0, 2012.06.06.
Table of contents

Overview
  Transaction level authorizations
  Table group level authorizations
  Record level authorizations
    SAP standard line-oriented authorizations
    Custom row level authorizations
  Field level authorizations
General comments
Step by step tutorials
  Table group level authorizations
  SAP standard line-oriented authorizations: S_TABU_LIN
    S_TABU_LIN Customizing
    Adding the S_TABU_LIN to a role
  Column level authorizations
  Custom row level authorizations
Further checks in the OpenSQL Editor
  Standard authorization objects
  Custom authorization objects
Objects shipped
  Authorization Objects
    Authorization Object ZSQL_COMM
    Authorization Object ZSQL_RES
    Authorization Object ZSQL_CLSP
    Authorization Object ZSQL_COL
    Authorization Object ZSQL_MAIN
  Predefined Roles
    Role ZSQL_USER
    Role ZSQL_DEVELOPER
Appendix – Links to SAP Help
Overview

The authorization system of Hovitaga OpenSQL Editor and Hovitaga Report Generator is exactly the same. Here you can see an overview of the whole authorization concept:

fig 1: Authorization concept overview

Transaction level authorizations

The SAP standard authorization object S_TCODE is used to control who can start the transaction.
fig 2. Transaction check with S_TCODE

Table group level authorizations

The authorization system uses the SAP standard authorization objects S_TABU_DIS to control access to table groups and S_TABU_CLI to control maintenance of client-independent tables. This is done both for reading and writing operations.

Record level authorizations

SAP standard line-oriented authorizations

While the tools mostly used by consultants and developers (SE16 and SAP Query) only use table group level authorizations to filter query results, Hovitaga OpenSQL Editor can be controlled in a much more fine-grained way. This means that besides defining which tables can be read, you can control which records can be read from a table. A generic standard SAP authorization object (S_TABU_LIN) is used to filter the query results based on any organizational criterion defined in customizing. For example, a scenario can easily be set up where certain users only see data for their company code (or country, or any other organizational level). This row level authorization concept is part of every SAP system and can be maintained within customizing (SPRO). If it has already been set up, the queries will be filtered accordingly.

Custom row level authorizations

Additionally, any number of authorization objects can be assigned to tables within a customizing transaction. A field mapping between the authorization object and the table must be made, which is used when filtering query results.

For example, to filter entries in table VBAK (Order headers) by sales organization, simply assign authorization object V_VBAK_VKO to the table. To filter entries by plant in table MARC (Plant data), assign authorization object M_MATE_WRK to table MARC. If these authorization objects are already used in the SAP system, then the roles, profiles etc. do not need to be changed; no other user maintenance effort is required.
Field level authorizations

In addition to the record level authorization, query results can also be filtered on field level. For example, certain users could see the contents of the salary field in a table while others could not, depending on their authorizations.

A custom authorization object controls which columns of a database table a user may access. It can be maintained with the standard SAP tools without any special customizing effort.
General comments

Keep in mind that if you change the authorizations of a user, the user must log out and log in again for the changes to take effect.

Please note that authorizations are not checked if the SQL query uses the addition „CLIENT SPECIFIED”. The reason is that authorizations are always checked for the logon client anyway. In order to still have protection, S_TABU_CLI and ZSQL_CLSP are checked for authorization to maintain client-independent tables and to use the „CLIENT SPECIFIED” SQL addition. Because this addition bypasses the table, record and field level checks described above, grant ZSQL_CLSP only to users who genuinely need cross-client access.

If you create a new role for the OpenSQL Editor, the ZSQL_COL authorization object must be added. If you do not want to limit the columns displayed, add a star character to the table name and field name.
Step by step tutorials

Table group level authorizations

Authorization object S_TABU_DIS provides you authorizations for displaying or maintaining tables. In standard SAP the object only controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser, including access in Customizing; the Hovitaga tools check it as well.

The authorization object checks the following fields:

• DICBERCLS (Authorization Group): authorization for tables grouped by authorization class according to table TDDAT. Enter the name of the allowed classes. Table classes are defined in table TBRG.
• ACTVT (Activity). Possible values:
  • 02: Create, change, or delete table entries
  • 03: Display table entries only
  • BD: Skip change lock for Customizing distribution

As a first step, we will create a new authorization group in transaction SE54. Select the highlighted radio button and press „Create/change”.

fig 3. Transaction SE54

Our new entry will be named ZFLI.
fig 4. Creating a new authorization group

As a second step we will assign our table ZFLIGHTS to this new authorization group. To do so, select the last radio button in SE54 („Assign Authoriz. Group”) and press „Create/Change”. A popup window will appear where we can select how we should find the records we want to work with. Since we are creating a new entry, this is not important now.

fig 5. Popup window displaying ways to find the correct entry

fig 6. Search for entries for our new authorization group

After selecting a range of authorization groups and pressing Enter, we can add our new entry to this customizing view. Keep in mind that one table can be part of only one authorization group, but one authorization group can contain many tables.
fig 7. Assigning table ZFLIGHTS to authorization group ZFLI

In this example we deliberately do not assign the authorization to our test user, so we can see that the OpenSQL Editor refuses access to table ZFLIGHTS:

fig 8. OpenSQL Editor does not display data from ZFLIGHTS

If you want to protect cross-client tables, a second step in the table access control is required, which is based on the object S_TABU_CLI. The object consists of only one field, CLIDMAINT. The value for this object is X (indicator for cross-client maintenance). The object S_TABU_CLI is the object that especially protects the client-independent (also called cross-client) tables.

The indicator X does not automatically allow maintenance; the access scope is still limited through the field values in ACTVT of the object S_TABU_DIS.

SAP standard line-oriented authorizations: S_TABU_LIN

The example uses a custom table which is a copy of table SFLIGHT, which is included in SAP systems for demonstration purposes. It holds flight information. Our goal is to filter the table contents by Carrier ID (Airline Code). So, for example, a user who is responsible for Lufthansa flights must only see records related to Lufthansa and nothing else.

fig 9. Custom table ZFLIGHTS
We have also created a maintenance view for this table.

fig 10. Table maintenance with all authorizations
S_TABU_LIN Customizing

The customizing entries in the IMG can be found under SAP NetWeaver - Application Server - System Administration - Users and Administration - Line-oriented Authorizations.

fig 11. Customizing path for S_TABU_LIN

When „Define organizational criteria” is executed, we create a new entry for our organizational criterion, which is called Flights.

fig 12. Creating a new organizational criterion for Carrier ID

The „Table-independent” checkbox can be very useful. If it is not checked, then this organizational criterion will only filter the contents of the table that we will specify later. If it is checked, then it will filter the contents of all tables whose key fields are related to all domains specified in the attributes. We used the first option in our example to filter only table ZFLIGHTS.

After defining the organizational criterion, we have to maintain its attributes. We will maintain two attributes, which will check the first two key fields of the table (Carrier ID and Connection ID).
fig 13. Maintaining the first attribute

After creating the first attribute, we have to maintain the table field details. Here we can define which table we want to filter and which key field the attribute filters. Keep in mind that only key fields can be used.

fig 14. Assigning the first attribute to the Carrier ID field
We will do the same process for the second attribute and table key field:

fig 15. Assigning the second attribute to the Connection ID field

So after setting this up, we can see that our new organizational criterion called ZFLIGHT has two attributes: the first one for the Carrier ID and the second one for the Connection ID.

fig 16. Overview of organizational criteria ZFLIGHT

After defining the organizational criterion, we have to activate it using the second customizing transaction in SAP NetWeaver - Application Server - System Administration - Users and Administration - Line-oriented Authorizations. Simply check the Active checkbox and save.
fig 17. Activation of organizational criteria ZFLIGHT

Adding the S_TABU_LIN to a role

After the definition and activation of organizational criterion ZFLIGHT, we have to maintain the user authorizations. We have to define which users can see which data in our table. To do so, simply create a role using transaction PFCG.

We will create a role for the Lufthansa administrator, called ZFLIGHT_LH.

fig 18. Creation of a role using PFCG
On the third tab, called „Authorizations”, press the button „Change Authorization Data”. This will call a screen where we can actually define what data the Lufthansa administrator can see.

fig 19. The marked button will call the screen we will use

The next screen will be empty the first time. Now add authorization object S_TABU_LIN to this role using the „Manually” button (Manual entry of authorization objects). After adding S_TABU_LIN to the role, we will see the following screen:
fig 20. Press this button to add an authorization object to the role

The icons will be yellow while the exact values are not yet maintained for the authorization objects. To maintain them, press any of the pencil icons. A popup window will appear where we select our new organizational criterion:

fig 21. Choose organizational criteria ZFLIGHT

Another popup window will appear where we set up which exact values the user can see. Here we make sure that the Lufthansa administrators will only see records where CARRID equals „LH”. The star character is the wildcard character, so all flight connections will be visible for Lufthansa. The Activity field can be used to separate Display and Change operations. Using the star character, this setting will be valid for both operations.
fig 22. Lufthansa admins should see only LH flights, but all flight connections

After successfully maintaining the values for the authorization object, the icons will turn green as seen here:

fig 23. Exact values maintained for S_TABU_LIN in role ZFLIGHT_LH

The last step in PFCG is to generate the profile. Press Shift-F5 or the „Generate” button to do so. A popup window will appear where you can give a name to the profile. You can use the default if you like.
fig 24. Giving a name to the generated profile

The very last step is to assign our new role to our test user. To do so, use transaction SU01. Simply add our new role on the „Roles” tab and save.

fig 25. Adding the new role to user ZLH_USER

When testing our new authorization setup, we can see that the standard maintenance view filters the table contents for user ZLH_USER: only LH records are visible.
fig 26. Table contents are filtered in the maintenance view

Finally, let's test the OpenSQL Editor by writing a query that selects all records from table ZFLIGHTS. As you can see, the OpenSQL Editor automatically uses the authorization settings, so only LH records are displayed.

fig 27. Table contents filtered by the OpenSQL Editor
Column level authorizations

If you want to hide a specific field from a user, you can do so by adding authorization object ZSQL_COL to the role. In this example we will only let the user see the country-related information for the flights. Press the pencil icon to maintain the values for the authorization object.

fig 28. List the fields that the user will see

As a result we will see the table and allowed fields in PFCG with green icons:

fig 29. Setup of authorization object ZHTDB_COL

Finally, let's test the OpenSQL Editor by writing a query that selects all records from table ZFLIGHTS. As you can see, the OpenSQL Editor displays only the fields that are allowed by the authorization setup.
fig 30. Assigning an authorization object to a table

Keep in mind that if you create a new role for the OpenSQL Editor, the ZSQL_COL authorization object must be added. If you do not want to limit the columns displayed, add a star character to the table name and field name.

Custom row level authorizations

Additional protection can be achieved by assigning any number of authorization objects to tables.

The first step is to maintain table ZHTDB_AUTH_OBJ using SM30. In our example we will filter the contents of table VBAK (Sales Document: Header Data) using the standard authorization object V_VBAK_VKO.
fig 31. Assigning an authorization object to a table

As the second step, a field mapping between the authorization object and the table must be made, which is used when filtering query results. This can be done by maintaining table ZHTDB_AUTH_FIELD using SM30. Basically, here we define which field of the table will be passed to which field of the authorization object. In this example the field names are exactly the same.

fig 32. Assigning authorization object fields to table fields

Once this data is saved, the OpenSQL Editor will use V_VBAK_VKO to filter the contents of VBAK. Now we assign this authorization object to our role using PFCG and restrict the authorizations to Distribution Channel „C1”.

fig 33. Filtering table VBAK for Distribution Channel C1
Once the settings are saved and the authorization profile is generated, the OpenSQL Editor restricts access to table VBAK to records with Distribution Channel C1.

fig 34. OpenSQL Editor filters VBAK for Distribution Channel C1
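To make the three layers from the overview and the two tutorials concrete, here is an added Python model of how a SELECT on ZFLIGHTS or VBAK is narrowed: S_TABU_DIS on the table's authorization group, then the row filter driven either by S_TABU_LIN (organizational criterion ZFLIGHT with its attributes on CARRID and CONNID) or by the ZHTDB_AUTH_FIELD mapping to V_VBAK_VKO, then ZSQL_COL on the columns. This is an illustration written for this page, not Hovitaga's own (ABAP) code. The table contents, the role values of ZLH_USER and the authorization group "VA" for VBAK are constructed assumptions; the value matching follows the usual SAP rules in simplified form (ranges are not modelled).

```python
"""Model of the layered table access checks described in the guide:
S_TABU_DIS (table group) -> row filter (S_TABU_LIN or a mapped custom
object) -> column filter (ZSQL_COL).  Constructed illustration, not
Hovitaga code; table contents, role values and the group of VBAK are
made up."""


def value_allowed(auth_value, actual):
    """SAP-style value comparison: '*' matches anything, a trailing '*'
    is a prefix wildcard, otherwise the values must be identical.
    (Simplification: from/to ranges are not modelled.)"""
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return actual.startswith(auth_value[:-1])
    return auth_value == actual


def instance_matches(instance, required):
    """One authorization instance grants access only if every required
    field is allowed (AND within an instance)."""
    return all(value_allowed(instance.get(f, ""), v) for f, v in required.items())


def any_instance_matches(user_auths, obj, required):
    """A user may hold several instances of an object (from several
    roles); one matching instance is enough (OR across instances).
    No instance at all means no access (deny by default)."""
    return any(instance_matches(i, required) for i in user_auths.get(obj, []))


# Authorization-group assignment made in SE54 (table TDDAT).  ZFLI is the
# group from the tutorial; "VA" for VBAK is an assumption.
TABLE_GROUPS = {"ZFLIGHTS": "ZFLI", "VBAK": "VA"}

# Which object filters which table and how object fields map to columns.
# ZFLIGHTS: organizational criterion ZFLIGHT, attributes on the key fields.
# VBAK: the ZHTDB_AUTH_OBJ / ZHTDB_AUTH_FIELD entries from the tutorial
# (field names identical on both sides).
ROW_RULES = {
    "ZFLIGHTS": {"object": "S_TABU_LIN", "constants": {"ORG_CRIT": "ZFLIGHT"},
                 "fields": {"ORG_FIELD1": "CARRID", "ORG_FIELD2": "CONNID"}},
    "VBAK": {"object": "V_VBAK_VKO", "constants": {},
             "fields": {"VKORG": "VKORG", "VTWEG": "VTWEG", "SPART": "SPART"}},
}

# Constructed table contents.
TABLES = {
    "ZFLIGHTS": [
        {"CARRID": "LH", "CONNID": "0400", "COUNTRYFR": "DE", "COUNTRYTO": "US", "PRICE": "899"},
        {"CARRID": "LH", "CONNID": "2402", "COUNTRYFR": "DE", "COUNTRYTO": "DE", "PRICE": "199"},
        {"CARRID": "AA", "CONNID": "0017", "COUNTRYFR": "US", "COUNTRYTO": "US", "PRICE": "499"},
    ],
    "VBAK": [
        {"VBELN": "0000000001", "VKORG": "1000", "VTWEG": "C1", "SPART": "00"},
        {"VBELN": "0000000002", "VKORG": "1000", "VTWEG": "C2", "SPART": "00"},
        {"VBELN": "0000000003", "VKORG": "2000", "VTWEG": "C1", "SPART": "01"},
    ],
}

# Assumed authorization values of the Lufthansa administrator after the
# profiles of the tutorial roles have been generated and assigned.
ZLH_USER = {
    "S_TABU_DIS": [{"DICBERCLS": "ZFLI", "ACTVT": "03"}, {"DICBERCLS": "VA", "ACTVT": "03"}],
    "S_TABU_LIN": [{"ORG_CRIT": "ZFLIGHT", "ORG_FIELD1": "LH", "ORG_FIELD2": "*", "ACTVT": "*"}],
    "V_VBAK_VKO": [{"VKORG": "*", "VTWEG": "C1", "SPART": "*", "ACTVT": "03"}],
    "ZSQL_COL": [{"TABLE": "ZFLIGHTS", "ZSQL_COL": "COUNTRY*", "ACTVT": "03"},
                 {"TABLE": "VBAK", "ZSQL_COL": "*", "ACTVT": "03"}],
}


def table_group_allowed(table, activity, user_auths):
    """Table group level: S_TABU_DIS on the table's authorization group."""
    required = {"DICBERCLS": TABLE_GROUPS[table], "ACTVT": activity}
    return any_instance_matches(user_auths, "S_TABU_DIS", required)


def row_allowed(table, row, activity, user_auths):
    """Record level: take the row's values of the mapped columns as the
    values the authorization object must allow."""
    rule = ROW_RULES.get(table)
    if rule is None:
        return True  # no row-level rule: the table-group check alone decides
    required = dict(rule["constants"], ACTVT=activity)
    required.update({af: row[tf] for af, tf in rule["fields"].items()})
    return any_instance_matches(user_auths, rule["object"], required)


def allowed_columns(table, columns, activity, user_auths):
    """Field level: ZSQL_COL must cover each column; a role without any
    ZSQL_COL for the table yields no columns at all."""
    return [c for c in columns
            if any_instance_matches(user_auths, "ZSQL_COL",
                                    {"TABLE": table, "ZSQL_COL": c, "ACTVT": activity})]


def run_select(table, activity, user_auths):
    """Apply the three layers to SELECT * FROM table; returns
    (visible columns, visible rows)."""
    if not table_group_allowed(table, activity, user_auths):
        raise PermissionError(f"no S_TABU_DIS for group {TABLE_GROUPS[table]}, activity {activity}")
    rows = TABLES[table]
    columns = allowed_columns(table, list(rows[0]), activity, user_auths)
    visible = [{c: r[c] for c in columns}
               for r in rows if row_allowed(table, r, activity, user_auths)]
    return columns, visible


if __name__ == "__main__":
    print(run_select("ZFLIGHTS", "03", ZLH_USER))  # only LH rows, only COUNTRY* columns
    print(run_select("VBAK", "03", ZLH_USER))      # only distribution channel C1
```

Two things worth noticing when running it: removing the ZSQL_COL entries from the user leaves the rows but no columns, which is the behaviour behind the note that every new OpenSQL Editor role needs ZSQL_COL; and asking for activity 02 (change) fails already at the S_TABU_DIS layer, because the user only holds 03 for both groups.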
Further checks in the OpenSQL Editor

Standard authorization objects

SAP standard authorization object S_DEVELOP (ABAP Workbench) is checked when the SQL Editor is loaded, and the Loop-at Workbench is available or not depending on the result of the check. It is also checked when the user wants to access the table definition or technical settings, or a data element.

SAP standard authorization object S_DATASET is checked when the user executes a background job (the job writes the results into a file) and also when the user reads the results from the file.

SAP standard authorization objects S_BTCH_ADM and S_BTCH_JOB are checked when the user administers his own jobs.

Custom authorization objects

The following is the list of all custom authorization checks in the program.

ZSQL_COL controls:
− whether a certain field of a table can be displayed or edited

ZSQL_COMM controls:
− what kinds of commands a user can create, change, execute or delete
− whether the command properties can be edited or not

ZSQL_RES controls:
− whether the result set of a query can be used to create and fill a new table
− whether the result set of a query can be edited or not

ZSQL_MAIN controls:
− whether a report can be generated based on a query (feature of Hovitaga Report Generator)

ZSQL_CLSP controls:
− whether the user can use the „CLIENT SPECIFIED” keyword in a command
Objects shipped

Authorization Objects

The Authorization Object Class ZSQL contains the following authorization objects.

Authorization Object ZSQL_COMM

Contains all the command-type and client-role specific authorizations. It is possible to restrict activities by Client Role.

Possible values for a Client Role:
P Production
T Test
C Customizing
D Demo
E Training/Education
S SAP reference

For example, Update commands could be executed on Test clients, but not on Production clients. Basically this defines what a user can do with each kind of command, and in what kind of client.

Authorization Fields:
ZSQL_CTYPE Command Type
ACTVT Activity
CCCATEGORY Client control: Role of client (production, test…)

Permitted activities:
01 Create or generate
02 Change
03 Display
06 Delete
16 Execute

Authorization Object ZSQL_RES

Contains all authorizations related to a Result Set of any select command. This can be set up per Client Role.

Authorization Fields:
ACTVT Activity
CCCATEGORY Client control: Role of client (production, test…)

Permitted activities:
02 Change
40 Create in DB
Activity 02 is relevant for modifying and saving the Result Set of a select command. Activity 40 is relevant for moving the records of the Result Set to a different table.

Authorization Object ZSQL_CLSP

Contains the authorizations related to the usage of the clause „CLIENT SPECIFIED”.

Authorization Fields:
ACTVT Activity
ZSQL_CTYPE Command Type

Permitted activities:
16 Execute

Authorization Object ZSQL_COL

Contains the authorizations which are used to control which fields of a table can be displayed or edited.

Authorization Fields:
ACTVT Activity
TABLE Table Name
ZSQL_COL Field Name

Permitted activities:
02 Change
03 Display

Authorization Object ZSQL_MAIN

Contains the authorizations which are used to control basic features of the program.

Authorization Fields:
ACTVT Activity
TABLE Table Name
ZSQL_COL Field Name

Permitted activities:
16 Execute
64 Generate

Activity 64 is the generation of a report based on a select query (feature of Hovitaga Report Generator). Activity 16 is obsolete (use S_TCODE instead).
Predefined Roles

The aim of providing predefined roles is to ease the process of authorizing users for the SQL Editor.

Note that both roles grant access to all SAP table groups. This might have to be adjusted, as it allows too much freedom to the user: copy the roles and restrict S_TABU_DIS (field DICBERCLS) to the groups the users actually need before assigning them in a productive system.

Role ZSQL_USER

This role is a basic role for users with only read access to the SAP tables. Users with this role can:
- Create, edit and execute Select statements on all SAP tables
- Create, edit and execute Select for all entries statements
- Create, edit and execute Loop at workbench statements (provided the user has the S_DEVELOP authorization object from another role or profile)

Role ZSQL_DEVELOPER

The developer role allows even more activities than the user role. Users with this role can:
- Do everything that is included in the ZSQL_USER role (note that this role still does not grant the S_DEVELOP authorization object, for security reasons)
- Create, edit and execute Update statements in non-production systems
- Create, edit and execute Delete statements in non-production systems
- Import and export data to/from SAP tables
- Edit and insert new entries into the result set
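As an added example, not part of the guide and not Hovitaga's code, the following Python model evaluates ZSQL_COMM against the client role and ZSQL_CLSP for the „CLIENT SPECIFIED” addition, and shows how the ZSQL_USER / ZSQL_DEVELOPER split described above comes out per client role. The command-type values SELECT/UPDATE/DELETE, the field values assumed for the two roles, and the order of the checks are assumptions; the activity codes and client-role codes are the ones listed in the object descriptions.

```python
"""Model of the ZSQL_COMM / ZSQL_CLSP command checks.  Constructed
illustration, not Hovitaga code.  Command-type values, the field values
of the two roles and the check order are assumptions; activity codes and
client-role codes are the ones listed in the guide."""

# Client roles (T000-CCCATEGORY) and ZSQL_COMM activities from the guide.
CLIENT_ROLES = {"P": "Production", "T": "Test", "C": "Customizing",
                "D": "Demo", "E": "Training/Education", "S": "SAP reference"}
ACTIVITIES = {"01": "Create", "02": "Change", "03": "Display",
              "06": "Delete", "16": "Execute"}


def granted(user_auths, obj, **required):
    """True if some instance of authorization object obj allows every
    required field: '*' = anything, trailing '*' = prefix, else exact."""
    def ok(auth, actual):
        return auth == "*" or (auth.endswith("*") and actual.startswith(auth[:-1])) or auth == actual
    return any(all(ok(inst.get(f, ""), v) for f, v in required.items())
               for inst in user_auths.get(obj, []))


def command_allowed(user_auths, command_type, activity, client_role, client_specified=False):
    """Decide whether a command may be processed with the given activity
    in a client of the given role.  Returns (allowed, reason)."""
    if client_specified:
        # With CLIENT SPECIFIED the table/record authorizations are not
        # checked (see General comments), so ZSQL_CLSP gates the addition
        # itself and S_TABU_CLI gates cross-client maintenance.  Assumption:
        # only activities other than Display (03) count as maintenance.
        if not granted(user_auths, "ZSQL_CLSP", ZSQL_CTYPE=command_type, ACTVT="16"):
            return False, "ZSQL_CLSP missing: CLIENT SPECIFIED not allowed"
        if activity != "03" and not granted(user_auths, "S_TABU_CLI", CLIDMAINT="X"):
            return False, "S_TABU_CLI missing: no cross-client maintenance"
    if not granted(user_auths, "ZSQL_COMM", ZSQL_CTYPE=command_type,
                   ACTVT=activity, CCCATEGORY=client_role):
        return False, (f"ZSQL_COMM denies {ACTIVITIES[activity]} of {command_type} "
                       f"in a {CLIENT_ROLES[client_role]} client")
    return True, "ok"


def execute_matrix(user_auths, command_types=("SELECT", "UPDATE", "DELETE")):
    """Audit view for a role or user: which command types may be executed
    (activity 16) in which client role."""
    return {role: [t for t in command_types
                   if command_allowed(user_auths, t, "16", role)[0]]
            for role in CLIENT_ROLES}


# ZSQL_USER as described: read access in every client role (assumed values).
ZSQL_USER = {"ZSQL_COMM": [{"ZSQL_CTYPE": "SELECT", "ACTVT": "*", "CCCATEGORY": "*"}]}

# ZSQL_DEVELOPER as described: ZSQL_USER plus UPDATE/DELETE outside
# production.  An authorization value cannot express "every role except
# P", so the allowed non-production roles have to be enumerated.
NON_PRODUCTION = [r for r in CLIENT_ROLES if r != "P"]
ZSQL_DEVELOPER = {"ZSQL_COMM": ZSQL_USER["ZSQL_COMM"]
                  + [{"ZSQL_CTYPE": t, "ACTVT": "*", "CCCATEGORY": r}
                     for t in ("UPDATE", "DELETE") for r in NON_PRODUCTION]}

# A developer who has additionally been granted the cross-client objects
# (hypothetical; the shipped roles do not contain them).
CROSS_CLIENT_DEVELOPER = dict(ZSQL_DEVELOPER,
                              ZSQL_CLSP=[{"ZSQL_CTYPE": "*", "ACTVT": "16"}],
                              S_TABU_CLI=[{"CLIDMAINT": "X"}])

if __name__ == "__main__":
    for name, auths in (("ZSQL_USER", ZSQL_USER), ("ZSQL_DEVELOPER", ZSQL_DEVELOPER)):
        print(name, execute_matrix(auths))
    print(command_allowed(ZSQL_DEVELOPER, "UPDATE", "16", "P"))
```

The execute_matrix output is the kind of table to produce when reviewing a copied role before it goes to a production client: for ZSQL_DEVELOPER the "P" row must contain SELECT only, and any user holding ZSQL_CLSP should be reviewed separately because that object lets the command bypass the table, record and field level checks.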
Appendix – Links to SAP Help

SAP Help on the Authorization concept:
http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm

SAP Help on PFCG:
http://help.sap.com/saphelp_nw04/helpdata/en/52/6714a9439b11d1896f0000e8322d00/content.htm

SAP Help on User Maintenance:
http://help.sap.com/saphelp_nw04/helpdata/en/e1/120024e74011d2962b0000e82de14a/frameset.htm

SAP Help on Organizational Criteria (Authorization object S_TABU_LIN):
http://help.sap.com/saphelp_erp2005/helpdata/en/6d/56cdd3edabc14ebd1bc84dae20dec8/frameset.htm

SAP Help on Authorization Groups for tables (S_TABU_DIS):
http://help.sap.com/saphelp_nw04/helpdata/en/1e/e867408cd59b0ae10000000a155106/frameset.htm