More Related Content
Similar to 157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf
Similar to 157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf (20)
157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf
- 1. Advanced Features
of SAP BW Reporting
Authorizations
Session 709
Amelia Lo
Platinum Consultant, SAP NetWeaver RIG
SAP Labs, LLC
- 2. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 2
Learning Objectives
As a result of this workshop, you will
be able to:
„ Have a good handle of the most misunderstood features of
the BW Reporting Authorization
‹ Understand how authorizations variable works
‹ Understand how hierarchy node variable works
„ Learn the new functionality and new BW Authorizations
Objects in BW3.0
„ Learn the basics of Planning and Strategize BW
Authorizations
„ Know the dos and don’ts on BW Authorizations
- 3. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 3
SAP NetWeaver™
The integration and application platform for lower TCO
Unifies and aligns people,
information and business
processes
„ Integrates across
technologies and
organizational boundaries
„ A safe choice with full .NET
and J2EE interoperability
The business foundation for
SAP and partners
„ Powers business-ready
solutions that reduce custom
integration
„ Its Enterprise Services
Architecture increases
business process flexibility
DB and OS Abstraction
.NET WebSphere
…
People Integration
Composite
Application
Framework
Process Integration
Integration
Broker
Business Process
Management
Information Integration
Business
Intelligence
Knowledge
Management
Multi-Channel Access
SAP NetWeaver
SAP NetWeaver™
™
Portal Collaboration
Life
Cycle
Management
Master Data Management
J2EE ABAP
Application Platform
DB and OS Abstraction
- 4. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 4
Don’t Miss the SAP Business Solutions Tour!
Your chance to see SAP NetWeaver in action – see live demonstrations of:
„ SAP Enterprise Portal
„ SAP Business Information Warehouse
„SAP Exchange Infrastructure
„ SAP Web Application Server
„ SAP Mobile Infrastructure
„ SAP Master Data Management
30-minute tour timeslots available
„ Monday 10:30 – 5:10
„ Tuesday 9:40 – 5:30
„ Wednesday 8:00 – 12:00
Located at Wyndham Hotel Parking Lot
- 5. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 5
Agenda
Special Topics on BW Reporting Authorizations
Planning & Strategize BW Authorizations
What’s New in BW 3.0
The Dos and Don’ts
- 6. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 6
Agenda
Special Topics on BW Reporting Authorizations
Planning & Strategize BW Authorizations
What’s New in BW 3.0
The Dos and Don’ts
- 7. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 7
Special Topics of BW Reporting Authorizations
A Quick Review of BW Reporting Authorizations
A few most misunderstood Features
„ Variable filled Authorizations
„ Important parameter when use Global Variable Customer Exit
„ Hierarchy Authorizations with Compound Characteristics
Tracing Authorizations in BW
- 8. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 8
Open Data Warehouse Architecture
- 9. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 9
SAP R/3 vs. BW Authorizations
What’s the same
„ Role Based Security Authorizations
‹ Users are assigned roles
‹ Roles contain profiles
‹ Profiles contain authorizations
‹ Roles are maintained using same tool (“PFCG” transaction)
‹ Can be administered via CUA (Central User Administration)
„ Authorization objects define specific permissions
„ There are standard authorization objects available in the system
What’s different
„ Unique BW Objects (InfoProvider, InfoArea, InfoObject, Query…)
„ Unique SAP BW Authorization Tool to administer BEx Reporting
data security
„ It is possible to use variable security runtime parameters
„ It is possible to generate profiles from datasources
- 10. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 10
Authorization Concept Overview
Meta Data Manager
Meta Data Manager
Business Explorer
Business Information
Warehouse Server
Meta Data
Repository
Meta Data
Repository
InfoCubes
InfoCubes
Data Manager
Data Manager
Non R/3 Production
Data Extractor
Non R/3 Production
Data Extractor
Non R/3 OLTP Applications
Non R/3 OLTP Applications
OLAP Processor
OLAP Processor
3rd party OLAP
client
3rd party OLAP
client
ODS
ODS
Staging Engine
Staging Engine
BAPI
BAPI
R/3 OLTP Applications
R/3 OLTP Applications
OLTP
Reporting
OLTP
Reporting
Production Data
Extractor
Production Data
Extractor
3
Scheduling
Scheduling
Monitor
Monitor
Administrator
Workbench
Administration
Administration
2
1
Bex Browser
Bex Browser
Analyzer
Bex Query Designer
Bex Analyzer
Web Appl Designer
Web Appl Designer Web Report
Web Report
Bex Analyzer
Bex Analyzer
Query Designer
Query Designer
- 11. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 11
Types of BW Authorizations
Systems Communication Authorizations
Administration
„ Concept very close to standard R/3
„ all authorization relevant objects are delivered by SAP
„ Pre-defined Templates can be used as a starting point
„ Administration of authorizations like in R/3
Reporting
„ no authorization relevant object definition is delivered
„ set of tools to define customer specified concept embedded
in SAP BW administration
- 12. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 12
SAP BW Authorization Overview
User
User
Profile
Profile
Authorization
Authorization
Value
Value
Object
Object
Field
Field
AUTHORIZATION OBJECT CLASS:
BUSINESS INFORMATION
WAREHOUSE-Administration
AUTHORIZATION OBJECT CLASS:
AUTHORIZATION OBJECT CLASS:
BUSINESS INFORMATION
BUSINESS INFORMATION
WAREHOUSE
WAREHOUSE-
-Administration
Administration
Value
Value
Object
Object
Field
Field
AUTHORIZATION OBJECT CLASS:
BUSINESS INFORMATION
WAREHOUSE- REPORTING
AUTHORIZATION OBJECT CLASS:
AUTHORIZATION OBJECT CLASS:
BUSINESS INFORMATION
BUSINESS INFORMATION
WAREHOUSE
WAREHOUSE-
- REPORTING
REPORTING
Role
Role
Profile Generator
Profile Generator
- 13. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 13
SAP BW Reporting Authorizations Objects
0..n
SAP BW Objects
SAP BW InfoProviders
1..m
< Authorization Object >
<field 1>
<field 2>
<...>
Key Figure Object (1KFYNM)
Authorization
Relevant Characteristic
Hierarchy Node
0..1
0..10
0..10
0..n
•
• Only “one” 0TCTAUTHH
Only “one” 0TCTAUTHH
per Reporting
per Reporting
Authorization Object
Authorization Object
•
• Many Hierarchy
Many Hierarchy
Authorizations can be
Authorizations can be
entered characteristic
entered characteristic
0TCTAUTHH
0ORGUNIT
0Costcenter
0Profitcenter
<...>
- 14. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 14
Steps to Create Reporting Authorizations
1
Mark characteristics as "Authorization Relevant”
Create an Authorization Object for Reporting
(Transaction: RSSM)
• Include required “Authorization Relevant Characteristics”
• If key figure authorization required, include 1KYFNM,
• If Hierarchy authorization required, Include 0TCTAUTHH and
leaf Characteristics,
Create Hierarchy Authorizations
• Define a description of a hierarchy authorization.
• Create an authorization for the new authorization object. Enter
the technical name of the description of a hierarchy
authorization as value for field 0TCTAUTHH.
Create Authorizations with the values
2
3
4
- 15. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 15
Mark InfoObject Authorization Relevant
1
- 16. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 16
Authorizations
2
- 17. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 17
Create Authorization Object for Reporting
2
- 18. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 18
Authorization Definition for Hierarchy
3
- 19. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 19
BW Reporting Object in a Profile & Assign Value
< Authorization Object >
0EMPLOYEE
0ORGUNIT
0TCTAUTHH
4
- 20. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 20
Special Topics of BW Reporting Authorizations
A Quick Review of BW Reporting Authorizations
A few most misunderstood Features
„ Variable filled Authorizations
„ Important parameter when use Global Variable Customer Exit
„ Hierarchy Authorizations with Compound Characteristics
Tracing Authorizations in BW
- 21. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 21
Create Authorizations Variables
VARIABLE WIZARD
IN BEx
Characteristic
Variable
Hierarchy
Node Variable
- 22. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 22
Authorization Variables of Customer Exit type
z Create Variable
1
2 Assign Variable to Query
- 23. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 23
Use of Variable filled Authorizations Scenario 1
SCENARIO:
• You defined two Reporting Authorization Objects with same authorization relevant
characteristic (0ORGUNIT)
• RA_OBJ1 contains values HR_EMEA & HR_US; RA_OBJ2 contains HR_US & HR_ASIA
• Both Reporting Authorization Objects are assigned to User Amelia’s Profile
RESULT:
Amelia have authorization to view “HR_US” ONLY !!!
HR_US
< RA_OBJ1 >
Orgunit
<...>
HR_EMEA
< RA_OBJ2 >
Orgunit
<...>
HR_ASIA
OSS note
653383
- 24. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 24
Use of Variable filled Authorizations – Scenario 1
Possible Approach:
Define one Reporting Authorization Object and populate the values in one of the
following ways:
• Manually populated in the profile
• Automated authorizations generation from the authorizations ODSs
• Derive the values via the authorizations Users Exit (RSR000001)
< RA_OBJ >
Orgunit
<...>
HR_EMEA HR_US HR_ASIA
OSS notes
653383
557924
- 25. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 25
Maintain Global Variable for Authorization: via User Exit
$VAR
Query with
authorizations
varaible
User Exit
“RSR00001”
Structure:
RRRANGEEXIT
$VAR initiates User exit
ZAUTH
Read Customer
AUTH Table
Authorization
Check
1. Use transaction “CMOD” to develop
User Exit “RSR00001”, Function
Module: EXIT_SAPLRRS0_001
2. Maintain Customer Authorization
Table as required
3. Create Authorization Variable
4. Include Variable in your query
Return
Result
- 26. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 26
Be Aware Your Import Parameter Specification
I_Step Values:
„ I_Step = 0 -> Enhancement is
not called (Default)
„ I_Step = 1 -> Enhancement is
called up before Variable Entry
„ I_Step = 2 -> Enhancement is
called up after Variable Entry
„ I_Step = 3 -> Called up to check
the Variable Value; Variable
appears once more
- 27. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 27
Compounded Hierarchy Authorizations - Scenario 2
SCENARIO:
• You defined a Reporting Authorization Objects for a Hierarchy with Compounded
characteristics (0CO_Area and 0CostCenter)
• You filled the authorizations variable with “Flat Values” for 0Costcenter
< Authorization Object >
0CO_Area
0Costcenter
0TCTAUTHH
RESULT:
Brain 804 “no authorization”
Solution:
Define and use Hierarchy Node Variable
Hierarchy Node Variable
- 28. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 28
Special Topics of BW Reporting Authorizations
A Quick Review of BW Reporting Authorizations
A few most misunderstood Features
„ Variable filled Authorizations
„ Important parameter when use Global Variable Customer Exit
„ Hierarchy Authorizations with Compound Characteristics
Tracing Authorizations in BW
- 29. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 29
Tracing Authorizations
ST01
ST01
SU53
SU53
RSSM
RSSM
- 30. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 30
Tracing Authorization: Overview
Trace functionality embedded in SAP R/3 basis
„ Recording of authority checks for system (Transaction ST01)
„ Display the last failed authority check of user (Transaction
SU53)
SAP BW reporting authority trace*
„ set up user related trace recording for OLAP authority checks
Transaction RSSM
*Authorizations checked against Reporting Objects are not supported with
standard trace functionality's
- 31. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 31
Recording of Authority Checks
Start Transaction ST01
Configure detail of trace recording
Activate trace
Perform actions on system
Analyze trace using transaction ST01
Note:
Trace ST01 can be used either in BW and R/3 source
system.
1
2
3
4
5
- 32. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 32
Recording of Authority Checks
2
3
5
- 33. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 33
SAP BW Reporting Authority Trace
Start transaction RSSM in SAP BW
Choose Authorization trace from Authorization object
reporting menu or locate it from the bottom of the screen.
Insert user
Perform reporting activity
Analyze trace
1
2
3
4
5
3
5
2
- 34. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 34
Agenda
BW Authorizations Overview
Planning & Strategize BW Authorizations
What’s New in BW 3.0
The Dos and Don’ts
- 35. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 35
Guiding Principals
Integrate in your Development Life Cycle
„ Plan Authorizations Early on in your Development Life Cycle
„ Authorizations requirement collection at Blue Print Phase
„ Identify and Assign Data Ownership
KISS Principal (Keep it Simple and Small)
„ A balance act among Granularity vs. Maintenance vs. Performance
„ Design for simplicity and Ease of Maintenance without
compromising “Mandatory” data security
„ Divide user into Groups and manage security at InfoArea or
InfoProvider level
Thorough Authorizations Testing
„ Must be a part of system Integration Test plan
„ Performance testing is a essential part of test plan
Staffing for BW Authorizations
„ R/3 Authorization expert does not equivalent to BW Authorizations
Experience
„ Segregation of Duties among BW Users and Administrator
- 36. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 36
BW Authorizations Roadmap (I)
Develop Authorizations Strategy
1. Consider company policy:
2. Consider Legal requirements
3. Classify types of users & required roles
4. Consider Proof of Concept phase to valid
complex authorization model
5. Define Data Ownership and Responsibility
6. Develop questionnaire for blue print
7. Document requirements in Matrix
8. Develop naming convention for Authorization
9. Design the Roles – consider segregate
Activities from Data Access roles
10. Use SAP delivered templates as the baseline
11. Revise to meet your requirements
12. Define BW Reporting Objects for InfoObjects
per step 6
13. Consider using Hierarchy node authorization
based on user access pattern
14. For complex & detailed authorizations needs,
consider using Authorizations Variable to
ease maintenance
Develop Authorizations Matrix to
collect authorization requirement
for blue print phase
Define BW Authorization for
Admin workbench
Define BW reporting
authorizations
- 37. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 37
BW Authorizations Roadmap (2)
Testing BW Authorizations
Testing
15. Develop detailed test scenarios and plan
Involve Business in authorizations testing
16. Develop performance test plan and establish
the test environment and data volume
17. Incorporate BW Authorizations testing in the
overall SAP System Tests (R/3 and non R/3).
18. Develop BW User Security request and
approval processes
19. Consider a Web-based authorization request
workflow and user guide
20. Develop a BW Security Administration
checklist
21. Define Periodic BW Security Reviews and
Assessment Process
22. BW Authorizations Training for Security
Administrators
23. Include BW Authorizations impact on data
access as a part of the BW user training.
Develop Administrative and
Monitoring Process for BW
Authorizations
Conduct BW Authorization
Training
- 38. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 38
Agenda
BW Authorizations Overview
Planning & Strategize BW Authorizations
What’s New in BW 3.0
The Dos and Don’ts
- 39. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 39
New in Authorization Objects, Frontend (3.0)
S_RS_COMP
„ New Authorizations Check for Variables in Query Definition
„ Object type is ‘VAR’
S_RS_COMP1
„ Is checked additionally with S_RS_COMP
„ Checks for authorizations on query components dependent on the
owner (creator RSZOWNER)
„ Authorizations are necessary, e.g. for creating queries
S_RS_FOLD
„ Suppress InfoArea view of BEx elements
„ Specify ‚X‘ (true) in the authorization maintenance for suppressing
- 40. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 40
New Authorization Objects, Backend (3.0)
S_RS_IOBJ
„ Authorization object for working with InfoObjects
„ Is checked if authorization is not available via S_RS_ADMWB
„ Additional checks for update rule authorizations
S_RS_ISET
„ For displaying / maintaining InfoSets (new object in BW)
S_RFC
„ Authorization for GUI activities
„ Add following RFC_NAMEs with RFC_TYPE ‚FUGR‘ and ACTVT ‚16‘
‹ RRXWS: BW Web Interface
‹ RS_PERS_BOD: Personalization of Bex Open Dialog
‹ RSMENU: Roles and Menus
S_GUI
„ Authorization forGUI activities. Add the activity 60 (upload)
- 41. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 41
Automated Authorization Generator
Sourced from Two types of ODS Objects
„ Authorization Value ODS
„ Hierarchy ODS
ODS Population
„ From R/3: HR Structural Authorizations
„ From R/3: Cost Center (BW 3.1 content)
„ From Flat Files
New RSSM User Interface
- 42. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 42
Value
Value
ODS-Objects
SAP BW
Server
InfoSource
Automated Authorization Generation: the Architecture
Update Rules
Mapping & Transfer
Rules
DataSource
BW Metadata
replicated
Metadata
DataSource
File
File R/3
R/3
Other
Other
BW
S-API
Mapping & Transfer
Rules
Value Hierarchy Text User Assign
0TCA_DS01 0TCA_DS02 0TCA_DS03 0TCA_DS04
Tcode: RSSM – Generate Authorization
Tcode: RSSM – Generate Authorization
< Auth Object >
0TCTAUTHH
0ORGUNIT
0EMPLOYEE
- 43. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 43
HR Structural Authorizations
- 44. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 44
BW/HR Structural Authorizations
What’s BW/HR Structural Authorizations
„ Bring R/3 Structural Authorizations to BW via Standard Extraction
„ Associate with BW Authorizations via execution of special Module
„ Full Refresh on a Customer Selected Frequency
Key Benefits
„ Reduced the Redundant Security Setup
„ Provide Cross System Consistency
- 45. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 45
BW
BW
R/3 OLTP
R/3 OLTP
Structural Authorization in BW
Structural Authorization in BW
RSSM
Trans
Security
Security
Check
Check
OR
Program
Modules
RSSB_Generate
_Authorizations
PSA PSA
PSA PSA
0HR_PA_2
0HR_PA_2
Data
Data
Source
Source
Struc Auth
0PA_DS02
PSA
PSA
Transfer
Rules
ODSs
ODSs
Update
Rules
0HR_PA_3
0HR_PA_3
Data
Data
Source
Source
Struc Auth
0PA_DS03
R/3 Org. Structure
R/3 Org. Structure
INDX
INDX
Cluster
Cluster
(0HR_PA_2
(0HR_PA_2
&
&
0HR_PA_3)
0HR_PA_3)
Data
Data
Sources
Sources
R
H
B
A
U
S
0
0
T77UA
T77UA
Assignment
Assignment
T77UU
T77UU
User
User
T77PR
T77PR
Profile
Profile
- 46. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 46
12 Steps to Install Structural Authorizations
Create Structural Authorization Profile (IMG or TR-OOSP)
1
Assign User to Profile (IMG or TR-OOSB)
2
Update T77UU table to include User Name
3
Execute program RHBAUS00 to create INDX
4
Activate 0HR_PA_2 & 3 DataSource in R/3 and BW
5
Activate or Create 0HR_PA_2 & 3 InfoSource &
Communication Structure
6
- 47. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 47
12 Steps to Install Structural Authorizations
Activate and load ODS from R/3
7
Activate Target InfoObjects “Authorization Relevant”
8
Create Authorization Object (Transaction Code: RSSM)
9
Use Transaction code: RSSM or Execute RSSB Function
Modules to generate BW Authorization
10
Create Authorization Variables
11
Create Query with Authorization Variables
12
- 48. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 48
Steps to Create Authorization from Flat Files
Planning & Mapping
0 • Determine what you want to secure
• Mapping Objects & create Flat file
1 • Mark InfoObjects Auth. Relevant
• Define Reporting Auth Object via RSSM
Define Reporting Object
2 Create Authorization
Value Infosoure & ODS
• Use 0TCA_DS01 as template
• ODS name must be xxxx_DS01
3 Create Authorization Hier
Infosoure & ODS
• Use 0TCA_DS02 as template
• ODS name must be xxxx_DS02
4 •The data format = yyyymmdd or per
Your Default Format
•Several Objects can define as constant
Create Update Rules for
ODS Loads
Generate Profiles via
RSSM or RSSB program
5 • RSSM: Find your ODSs & Mark Auth Obj
• Exec RSSB_Generate_Authorizations
6 Create Authorizations
Variable in Query Def.
• Define Variables for Auth InfoObjects
• Include Variables in your Queries
- 49. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 49
Tips & Hints for Automatically Generated Authorizations
Performance
„ If you have very large number of values in your user master record,
the query performance will be significantly impacted
„ It is a multiplication effect of: # authorization objects X # values X
„ Ex: 20 orgunits X 10,000 EE X 5 objects = 1,000,000 checking
Alternatives
„ For top executives: setup a role to give full authorizations
„ Use Hierarchy variables for queries initial view with Hierarchy
„ Use RSR00001 User exit against the populated ODSs
How To Paper
„ HTTP://WWW.Service.SAP.com/BW -> Service & Implementation ->
How to Papers
‹ BW/HR Authorizations
‹ Generate Authorizations Profile from Flat File
- 50. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 50
Agenda
BW Authorizations Overview
Planning & Strategize BW Authorizations
What’s New in BW 3.0
The Dos and Don’ts
- 51. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 51
Dos and Don’ts
Dos
„ Keep the four guiding principals in mind when planning BW
authorizations
„ Consider a Proof of Concept phase for complex authorizations model
„ Check out OSS Notes on Authorizations
„ Apply BW 3.0B SP15 for performance enhancement & corrections
„ Note 625049: Improved performance
„ Note 315094: Authorization recommendation
„ Check out the BW Online document on Security with Scenarios
„ Use caution when request of user query publishing in Production
„ Limit number of users authorized
„ Setup specific user published reporting roles with administrative
process (clean-up) and alert users as “Uncertified Reports”
- 52. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 52
Dos and Don’ts
Dos
„ Create an effective OSS Message for authorizations
„ Prepare a query which is as simple as possible and still
reproduces the error
„ Prepare a SAP_ALL user and a restricted user.
„ If you use variables (customer exits) replace their content into
profile of the restricted user
„ (we do not support customer code)
„ explain clearly what you expect to see and what the error is.
„ don't forget to give all the necessary information: usernames,
passwords, System, names,
„ open the system.
Don’ts
„ Don’t setup Field level specific security just because you’ve been
asked – Challenge the requester for legal or policy requirements
- 53. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 53
Further Information
Î Public Web:
www.sap.com/solutions/bi/
SAP Customer Services Network: www.service.sap.com/BW
Î Consulting Contact
Roy Wood, VP SAP NetWeaver Consulting Practice (r.wood@sap.com)
Î Related SAP Education Training Opportunities
http://www.sap.com/usa/education/
BW 365, Business Information Warehouse Authorizations
Î Related Workshops/Lectures at ASUG BITI Forum 2003
- 54. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 54
Questions?
Q&A
- 55. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 55
Feedback
Please complete your session evaluation
and drop it in the box on your way out.
Be courteous — deposit your trash,
and do not take the handouts for the
following session.
- 56. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 56
Copyright 2003 SAP AG. All Rights Reserved
„ No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
permission of SAP AG. The information contained herein may be changed without prior notice.
„ Some software products marketed by SAP AG and its distributors contain proprietary software components of other
software vendors.
„ Microsoft®
, WINDOWS®
, NT®
, EXCEL®
, Word®
, PowerPoint®
and SQL Server®
are registered trademarks of
Microsoft Corporation.
„ IBM®
, DB2®
, DB2 Universal Database, OS/2®
, Parallel Sysplex®
, MVS/ESA, AIX®
, S/390®
, AS/400®
, OS/390®
,
OS/400®
, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®
, Netfinity®
, Tivoli®
, Informix
and Informix®
Dynamic ServerTM
are trademarks of IBM Corporation in USA and/or other countries.
„ ORACLE®
is a registered trademark of ORACLE Corporation.
„ UNIX®
, X/Open®
, OSF/1®
, and Motif®
are registered trademarks of the Open Group.
„ Citrix®
, the Citrix logo, ICA®
, Program Neighborhood®
, MetaFrame®
, WinFrame®
, VideoFrame®
, MultiWin®
and
other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
„ HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®
, World Wide Web Consortium,
Massachusetts Institute of Technology.
„ JAVA®
is a registered trademark of Sun Microsystems, Inc.
„ JAVASCRIPT®
is a registered trademark of Sun Microsystems, Inc., used under license for technology invented
and implemented by Netscape.
„ MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.
„ SAP, R/3, mySAP, mySAP.com, xApps, xApp and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other
countries all over the world. All other product and service names mentioned are the trademarks of their respective
companies.
- 57. © SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 57
Copyright 2003 SAP AG. Alle Rechte vorbehalten
„ Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher
Form auch immer, ohne die aus-drückliche schriftliche Genehmigung durch SAP AG nicht gestattet. In dieser
Publikation enthaltene Informationen können ohne vorherige Ankün-digung geändert werden.
„ Die von SAP AG oder deren Vertriebsfirmen angebotenen Softwareprodukte können Softwarekomponenten auch
anderer Softwarehersteller enthalten.
„ Microsoft®
, WINDOWS®
, NT®
, EXCEL®
, Word®
, PowerPoint®
und SQL Server®
sind eingetragene Marken der
Microsoft Corporation.
„ IBM®
, DB2®
, DB2 Universal Database, OS/2®
, Parallel Sysplex®
, MVS/ESA, AIX®
, S/390®
, AS/400®
, OS/390®
,
OS/400®
, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®
, Netfinity®
, Tivoli®
, Informix
und Informix®
Dynamic ServerTM
sind Marken der IBM Corporation in den USA und/oder anderen Ländern.
„ ORACLE®
ist eine eingetragene Marke der ORACLE Corporation.
„ UNIX®
, X/Open®
, OSF/1®
und Motif®
sind eingetragene Marken der Open Group.
„ Citrix®
, das Citrix-Logo, ICA®
, Program Neighborhood®
, MetaFrame®
, WinFrame®
, VideoFrame®
, MultiWin®
und
andere hier erwähnte Namen von Citrix-Produkten sind Marken von Citrix Systems, Inc.
„ HTML, DHTML, XML, XHTML sind Marken oder eingetragene Marken des W3C®
, World Wide Web Consortium,
Massachusetts Institute of Technology.
„ JAVA®
ist eine eingetragene Marke der Sun Microsystems, Inc.
„ JAVASCRIPT®
ist eine eingetragene Marke der Sun Microsystems, Inc., verwendet unter der Lizenz der von
Netscape entwickelten und implementierten Technologie.
„ MarketSet und Enterprise Buyer sind gemeinsame Marken von SAP AG und Commerce One.
„ SAP, R/3, mySAP, mySAP.com, xApps, xApp und weitere im Text erwähnte SAP-Produkte und –Dienstleistungen
sowie die entsprechenden Logos sind Marken oder eingetragene Marken der SAP AG in Deutschland und anderen
Ländern weltweit. Alle anderen Namen von Produkten und Dienstleistungen sind Marken der jeweiligen Firmen.