SAP BI Security

October 5, 2022 | Author: Anonymous | Category: N/A

Maintaining Authorizations in BI/BW

SAP BI security is an integral part of any BI implementation. Integrating all the data coming from various source systems and providing data access based on the user's role is one of the major concerns of all BI projects. Security of SAP R/3-ECC systems is based on activities, while SAP BI security is focused on what data a user can access.

Security in BI falls into two major categories:

Administrative Users: The way we maintain security for administrative users is the same as ECC security, but we have additional authorization objects in the system which are defined only for BI objects.

Reporting Users: We have a separate tool (Analysis Authorization) to maintain security for reporting users.

What is an Authorization Object?

It allows us to check whether a user is allowed to perform a certain action. Actions are defined on the fields, and each field in the authorization object should pass the check. We can check all the standard BI authorization objects using tcode SU21 under the Business Warehouse folder:

 

With SAP BI 7.0, we have a new tool to maintain the reporting level security. We can access this new tool using tcode RSECADMIN, which replaces the old RSSM tool of BW 3.x.

Below are the step-by-step instructions to create/maintain authorization objects for SAP BI Reporting.

I am covering the scenario where each employee (Sales Team) is assigned one territory number, and the data should be accessible to the employee based on their territory only. For this scenario to work we have to set a security restriction for the corresponding territory InfoObject (ZDWSLTER).

The first step before we create any Authorization Object is to set all the InfoObjects for which we want to restrict data access as authorization relevant.

 

Authorization Objects on InfoObjects of type Characteristic

For accessing the new Analysis Authorization tools we use tcode RSECADMIN -> Authorizations Tab -> Maintenance Button

 

We can also use tcode RSECAUTH directly to come to the maintenance screen:

 

We have to give the technical name of the Authorization Object (34$67!"S!) then hit the create button:

 

The very first step of creating any Authorization Object is to add the special characteristics as fields for restriction:

 

The below 3 characteristics are mandatory for defining any Authorization Object. If we don't have these we will get no access to any InfoProvider. By default this gives us access to all the InfoProviders (Full Access), but we can also set the value of InfoProvider for which we want the Authorization Object to work.

 

Now I am adding the InfoObject ZDWSLTER for which we want to add the restriction:

 

We can double click on the newly added InfoObject, and can define the value which we want to allow for this InfoObject. We can also later set the dynamic value using Customer Exit Code, which we will cover in this blog.

 

Assigning Authorization objects to Users in BI/BW

Assigning Authorization Objects to Users

Go to the screen (RSECADMIN) and click on the assignment button under the user tab:
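A simplified model of the check that the procedure above configures, as an added example (not SAP code and not from the original post). The InfoObject name ZTERRITORY, the InfoProvider ZSALES_C01 and the value sets are constructed, and values are unioned per characteristic, which is adequate for a single restricted characteristic.

```python
# Simplified model of an analysis-authorization check (added example, not SAP code).
SPECIAL = ("0TCAACTVT", "0TCAIPROV", "0TCAVALID")  # activity, InfoProvider, validity
TERRITORY = "ZTERRITORY"  # hypothetical authorization-relevant InfoObject

def covers(allowed, value):
    """'*' grants every value; otherwise the value must be listed."""
    return "*" in allowed or value in allowed

def check_query(auths, infoprovider, selection, relevant, activity="03"):
    """Return (granted, reason) for one query run.

    auths:     one dict {characteristic: set of values} per assigned authorization
    selection: {characteristic: set of values} the query asks for
    relevant:  authorization-relevant InfoObjects in the InfoProvider
    """
    usable = []
    for auth in auths:
        # Without all three special characteristics an authorization grants nothing.
        # (Validity dates in 0TCAVALID are not evaluated in this model.)
        if not all(c in auth for c in SPECIAL):
            continue
        if covers(auth["0TCAACTVT"], activity) and covers(auth["0TCAIPROV"], infoprovider):
            usable.append(auth)
    if not usable:
        return False, "no authorization covers this InfoProvider"
    for char in relevant:
        requested = selection.get(char, {"*"})  # no restriction = asks for all values
        granted = set().union(*(a.get(char, set()) for a in usable))
        if "*" in granted:
            continue
        # All-or-nothing: the selection must lie inside the granted values.
        if "*" in requested or not requested <= granted:
            return False, f"selection on {char} exceeds authorized values"
    return True, "ok"

# Constructed sample: a sales employee limited to territory T01 (display only).
SALES_AUTH = {"0TCAACTVT": {"03"}, "0TCAIPROV": {"*"}, "0TCAVALID": {"*"},
              TERRITORY: {"T01"}}
NO_SPECIALS = {TERRITORY: {"T01"}}  # special characteristics were never added

if __name__ == "__main__":
    cube = "ZSALES_C01"  # hypothetical InfoProvider
    for sel in ({TERRITORY: {"T01"}}, {TERRITORY: {"T01", "T02"}}, {}):
        print(sel, check_query([SALES_AUTH], cube, sel, [TERRITORY]))
    print(check_query([NO_SPECIALS], cube, {TERRITORY: {"T01"}}, [TERRITORY]))
```

The unrestricted selection is rejected rather than silently filtered, which is why queries on restricted characteristics are normally built with an authorization variable.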

Authorizations in SAP NW BI

 

TOPICS

1. MODELING
   Difference between rssm and rsecadmin
   Step by Step

2. AUTHORIZATION
   Reporting User
   Developer
   General

3. ASSIGNMENT
   (rsecadmin)
   Generation (rsecadmin)
   Role (pfcg)

4. TECHNICAL
   Tables
   Authority check

1. MODELING

Difference between rssm and rsecadmin

Transaction
RSSM: Old transaction: RSSM
RSECADMIN: New transaction: RSECADMIN

Concept of authorization
RSSM: 'Reporting Authorization'
RSECADMIN: 'Analysis Authorization'

Assignment
RSSM: Assignment of Reporting authorization: by pfcg: mass distribution of auth by using role; by RSSM: generation way (use with Business Content and flat files loading).
RSECADMIN: Assignment of Analysis authorization: by PFCG: mass distribution of auth by using role; by RSECADMIN: manual way -> Assignment -> Auth selection -> Insert; by RSECADMIN: generation way (use with Business Content and flat files loading).

Full Authorization
RSSM: SAP_ALL, SAP_NEW
RSECADMIN: SAP_ALL, SAP_NEW, 0BI_ALL: allows full authorization for the IO authorization relevant. Used in the authorization object S_RS_AUTH. Report 'RSEC_GENERATE_BI_ALL' for the SAP_ALL user.

Modeling
RSSM: IO marked as Authorization relevant. rssm enables flagging the relevant InfoProvider; rssm is used to customize the Authorization object.
RSECADMIN: IO & Navigation ATTR can be Authorization relevant. An IO auth relevant is auth relevant for all the cubes in which it is used.

Defining and assigning authorizations
RSSM: Authorization variables are used in BEx Query. pfcg to assign reporting authorization through the Object class RSR. Query access managed by objects S_RS_COMP, S_RS_COMP1. Area Button access: S_RS_FOLD.
RSECADMIN: rsecadmin to define Analysis authorization with special IO: 0TCAACTVT, 0TCAIPROV, 0TCAVALID. Authorization variables are used in BEx Query. pfcg to assign analysis authorization through the object S_RS_AUTH (Object Class: RS). Query access managed by objects S_RS_COMP, S_RS_COMP1. Area Button access: S_RS_FOLD.

InfoProvider access
RSSM: Authorization for Cube, ODS, Hierarchy and infoset managed by: S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET.
RSECADMIN: Authorization for Cube and ODS for reporting users is managed by the special authorization characteristic 0TCAIPROV. S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET are not checked anymore for reporting users; they are used for allowing access to the developer team. New objects to manage access for developer users: new authorization objects for Web Application Designer & Report Designer: S_RS_BTMP, S_RS_BITM, S_RS_ERPT, S_RS_EREL.

Step by Step (RSSM / RSECADMIN)

0. Pre-requisites
- Activate all business content related to authorizations before you get started: InfoObjects: 0TCA and 0TCT; InfoCubes: 0TCA.
- Set the following InfoObjects as authorization relevant: 0TCAACTVT, 0TCAIPROV, 0TCAVALID, 0TCAKYFNM (optional, if key figure restriction needed).
- Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV (optional).

1. Set Master data
RSSM: RSA1 -> InfoObjects -> Business Explorer Tab -> Flag 'Authorization relevant'
RSECADMIN: RSA1 -> InfoObjects -> Business Explorer Tab -> Flag 'Authorization relevant'; RSA1 -> InfoObjects -> Attribute Tab -> Flag 'AuthorizRelevant'

2. Create Authorization Object / Analysis authorization
RSSM -> Enter the name of your Authorization object -> Create -> Put the IO Authorization relevant in the selected InfoObjects part -> Save

3. Set Info provider
RSSM -> Select: "Check for Info Cubes" -> Change -> Flag the related Info Cubes
RSECADMIN: The IO authorization relevant are authorization relevant for all cubes.

4. Create BEx variable for authorization
1. Right click on the IO -> choose "Restrict"
2. Choose "Selection": "Single Value" and "from Hierarchy": "flat list". If a hierarchy exists, select the hierarchy for the IO
3. Go to the variables tab -> Right click -> "New variable"
4. For a restriction without hierarchy, the type of variable is "Characteristic Value", and if you have chosen a hierarchy, the type of variable is "Hierarchy node"
5. Select a variable name & a description
6. Choose "Processing by": "Authorization", then check the characteristic and click "next"
7. Choose the display area for the variable -> Variable represents: "Single Value" or "Selection Option"
8. Choose if the variable entry is optional or mandatory.
9. Don't select "Ready for input" and "Can be changed in query navigation"
10. Next to the end

5. Insert Authorization in Role

6. Assign Authorization / Role to Users

AT!O"IATION TION 2. AT!O"IA  

"e$%rtin& ser' A(t)%ri*ati%n +%r End ser

 

S,"S,AT!' Insert here the Analysis Authorization you customize in Rsecadmin. Allow right on IO marked as 'authorization relevant' (Data) S,"S,COMP : S,"S,COMP  : uery Accessi!ility Accessi!ility Activity Activity:: -1 Create %r &enerate/0 -2 C)an&e/0 - Dis$a Dis$a3/0 3/0 -4 Deete/0 14 E5ec(te/0 22 Enter0 Inc(de0 Assi&n/ In+%Area' 676 In+%C(be'  "#elected in$o%rovider& In+%C(be' ame (ID) o$ a re%orting com%onent: "#elected uery&    y%e y%e o$ a re%orting re%orting com%one com%onent: nt: *+, (*alcula (*alculated ted key -gu -gure) re) /0 ( (uery uery /iew) R12 (uery) R+, (Restricted key -gure) #O3 (#election o!4ect ew o!4ect 555) #R (em%late structure) /AR (/aria!le) S,"S,COMP1 : uery $or s%eci-c users S,"S,8OLD ( 6ide ',older' 2ush!utton): ',alse' or 'rue' S,SE",AG"' Role S,SE",AG"'  Role ame S,"S,9ITM  : 555 10 555 S,"S,9ITM :  S,"S,9TMP S,"S,9TMP :  : 555 10 555  

De:e%$$er

 

S,DE;ELOP S,"O,9CT"A 7in S,"O,9CT"A  7in 1** side $or activate (remote) Datasource S,"S,9C S,"S,9CS S,GI S,"S,DS' Authorizations S,"S,DS'  Authorizations $or working with the DataS%(rce the DataS%(rce or its s(b#' and to map it in SAP B to B to maintian consistency between the two systems the of @for interest are: (5 tables 066PR   @for Structural Aut!ori"ation pro.iles '5   066UA '5 066UA @for  @for user assignments 35   066UU 35 066UU @for  @for users users %in  %in this table you can select s elect the users for e0traction. ou ou can either select all or specific users' Structural Aut!ori"ations in SAP B !he following steps show the way Structural &uthorization is enforced in SAP B7 !he following steps to be carried out in the mySAP my SAP ERP 1C* system. 1C* system.

(5 #all program R1BAUS8' (5 #all R1BAUS8' for  for uploading uploading !able  !able 066UU 066UU and  and enter users. '5 #all '5  #all program R1BAUUS88 for generating an indeF for indeF for structural authorization profile 35   &ctivate 4ata source 81R@PA@'7 35  !he following steps to be carried out in the SAP B system B system

 (5 (5 -eplicate  -eplicate )ata source  source 81R@PA@' '5 &ctivate '5  &ctivate *4S In.oProvider In.oProvider  81R@PA@' 35 #reate 35  #reate an In.oPacGage In.oPacGage to  to perform an e0traction for 81R@PA@' 5 5oad 5  5oad *4S data from myS&P "-P ># 5 ar( In.o#$%ects In.o#$%ects as  as relevant for authorization %In order to use structural aut!ori"ations in aut!ori"ations  in SAP B) B) all characteristic values li(e position: employee etc. etc. which are relevant relevant to  to reporting should be mar(ed as aut!ori"ation relevant In.o#$%ects.' In.o#$%ects.' D5   #reate reporting authorization objects D5 65 5in( authorization objects to In.oCu$es J' #all program RSSB@?enerate@Aut!ori"ations7 RSSB@?enerate@Aut!ori"ations7   htt%:wiki.scn.sa%.comwikidis%lay3O33usinessEIntelligence

htt%:wiki.scn.sa%.comwikidis%lay3O33usinessEIntelligence

View more...

Comments

Copyright ©2017 KUPDF Inc.
SUPPORT KUPDF