bi 7 security concepts.ppt
Post on 01-Mar-2018
-
7/26/2019 BI 7 Security Concepts.ppt
1/53
BI 7 Security Concepts
-
Topics Covered:
Difference between BW 3.x and BI 7
Securing reporting users access
Authorization Trace
Creation of Analysis Authorization
Assignment of Analysis Authorization
Securing Access to Workbooks
Additional BI7 Security Features
New Authorization Objects
-
Difference between BW 3.x and BI Security
There was no SAP delivered authorization object to link the hierarchies to Roles. Customized Auth object need to be created which will fall under SAP Class RSR.
SAP delivered Auth object S_RS_AUTH (Class RS) can be added to the Roles and further linked to analysis authorization
-
Contd
RSSM and RSECADMIN
Old transaction: RSSM
Concept of authorization: Reporting Authorization
New transaction: RSECADMIN
Concept of authorization: Analysis Authorization
-
Contd
Authorization: PFCG (Role based approach)
Authorization: PFCG (Role based approach), RSECAUTH (Analysis Authorization Based Approach)
-
Contd
Full Authorization: SAP_ALL, SAP_NEW
0BI_ALL: Allow full authorization for the IO authorization relevant
Used in the authorization object: S_RS_AUTH
Full Authorization: SAP_ALL, SAP_NEW
-
Authorization objects are grouped according to authorization object classes. The major authorization object class in BI is RS.
S_RS_COMP: Decides which Info area, Info provider's data user can view
S_RS_COMP1: Decides which owner's queries a user can execute
S_RS_FOLD: Hide or display the "Info Area" push button for end users
S_RS_AUTH: Gives access to analysis Authorizations
S_RS_ADMWB: Used by BW administrator for Modeling and controlling
Some other Auth objects: To save workbooks
-
Restricting access in BI
In BI 7 reporting users access needs to be restricted to certain levels like
InfoCube Level: Restrict at the InfoCube level.
Characteristic Level / Info Object: Restrict access to all values for a particular characteristic.
Characteristic Value Level: Restrict access to certain values of a particular characteristic.
Key Figure Level: Restrict access to certain key figures.
Hierarchy Node: Restrict access to certain nodes of a hierarchy
-
Securing Data Access for Reporting Users
Below are the minimum authorization requirements for a reporting user:
- Analysis authorizations for an Info Provider
- S_RS_COMP (Activities 03, 16)
- S_RS_COMP1 (Query owner)
- S_RFC (Bex Analyzer or Bex Browser only)
- S_TCODE (RRMX for Bex Analyzer)
A reporting user must have authorizations for the S_RS_COMP, S_RS_COMP1 authorization objects as well as analysis authorizations for the Info Provider on which the query is based.
In addition, if the reporting user will be using the Bex Analyzer reporting tool, they will need authorizations for object S_RFC and S_TCODE with authorization for transaction code RRMX.
-
Options for Securing Data Access
Secure by Info Cube: If the authorizations need to be checked only at Info Provider level, you can create roles that allow you to run queries from the specified Info Provider(s).
Securing by Query: Another option would be to use the Info Provider in conjunction with the query name. To do this, you will need a strict naming convention for query names so that security does not have to be updated each time a new query is created.
Securing by Info Object: Allowing two users to execute the same query but to get different results based on their assigned data access for division, cost center, or some other Info Object is known as Info Object level security or field level security.
-
The more granular level of restricting access of the users is at Info Object
-
Authorization Relevance
The Authorization Relevant setting for an Info Object is made in the Info Object definition on the Business Explorer tab. The business needs will drive which Info Objects should be relevant for security.
- Execute Tcode RSD1
- Enter the info object name
- Go to Business Explorer Tab
- Select the check box "Authorization Relevant"
- Activate the info object
-
Create analysis authorizations:
Analysis Authorizations are fundamental building blocks of the new reporting concept which contains both the data value and hierarchy restrictions.
- Execute Tcode RSECADMIN
- Go to Maintenance in Authorization Tab
- Enter The Analysis Authorization and click Create
-
Assign authorizations to users:
Once you have created analysis authorizations, users will need access to the right authorizations according to business needs. You can assign authorizations in roles using S_RS_AUTH or directly in transaction RSECADMIN or RSU01.
-
Add a variable to the queries
If we want a query to only provide results based on the division, for example, then the query itself needs the ability to filter specific division values. Before we can secure on division, the query must be able to restrict data by division. The only way the query can restrict data dynamically is through a variable. The variable can be added anytime, independent of the other steps listed here.
-
Exercises:
Create a simple query from an existing Info Cube, execute it and save it as a new workbook
Defining Info Object-Level Security for Reporting Users
Limit query access within the Bex Analyzer using S_RS_COMP1 and S_RS_FOLD
-
Authorization Trace
-
Trace Tool: ST01 and RSECADMIN
Transaction code ST01 executes a trace tool that exists on all ABAP based systems. Among other purposes, this tool serves as trace for all SAP-provided authorizations objects. You simply turn on the trace (for a specific user), and when the trace is completed you can see which authorization objects were checked and the results of the check.
In transaction RSECADMIN → Analysis, you can execute a trace that is specific to BI analysis authorizations. Analysis authorizations will not appear in the ST01 trace
-
Authorization Trace
In BI 7 we can Trace:
1) Authorization Monitoring
2) Change log of Analysis authorization
-
Authorization Monitoring
Checking Authorizations
Log on with your own user ID
Check query execution with the authorizations of a specific user
-
Contd..
Evaluate Log Protocol
Turn on logging of user activities related to analysis authorizations
View detailed information about authorization checks
-
Change log of Analysis authorization
Activate the following Virtual Providers from the Business Content (VAL - Values, HIE - Hierarchies, UA - User Assignment)
The system records all changes to authorizations and user assignments.
Queries can be built on these Info Providers to find out the trace of
- How many users have access to a given InfoCube
- Which users have access to company code X
- When was authorization "XYZ" created and by whom
-
Exercise(s):
Trace BI authorizations
ST01 Trace
-
Creation of Analysis Authorization
-
Creation of Analysis Authorization
There are two ways to create the analysis authorization in BI 7
1. Manual creation of analysis authorization through RSECAUTH Tcode
2. Automatic generation of analysis authorization approach (for mass creation and assignment)
-
Creation through RSECADMIN
1) Execute Tcode RSECADMIN
2) Go to Maintenance in Authorization Tab
3) Enter The Analysis Authorization and click Create
-
Auto
-
Activate Business Content
SAP delivers Business Content for storing authorizations and user assignments of authorizations; it should be activated.
-
Load of Data Store Objects
Fill the Data Store objects with the user data and authorizations
Extract the data, for example, from an SAP R
-
Generate Authorizations
Start the generation by specifying the relevant Data Store objects
-
View Generation Log
Detailed log can be viewed once the generation is completed
-
Assignment of Analysis Authorization
-
Assign
-
Direct assign
-
Analysis authorization based Approach:
Pros:
- This approach removes the use of creating Roles for the corresponding analysis authorization.
Cons:
- No Change documents are provided by SAP for assigning and removal of Analysis authorization from the user
- No SUIM (System User Information Management) reports are provided by SAP for analysis authorization
- No possible way to assign mass analysis authorization to the users at a stretch.
-
Contd..
If a user ID that has analysis authorizations assigned to it is deleted using SU01, these authorizations are not deleted from the user's profile. If the same ID is recreated, it is automatically populated with the earlier analysis authorizations.
So if this approach is followed, it is always recommended that the analysis authorizations are manually deleted from the user ID using RSU01, and the ID is then deleted using SU01.
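A check for the leftover assignments described above, as an added example that is not part of the original slides: it compares an export of the user master with an export of direct analysis authorization assignments and lists user IDs that no longer exist but still hold assignments. The CSV column names, user IDs and authorization names are constructed for illustration.

```python
import csv
import io

# Constructed sample exports; the column names are hypothetical.
USER_MASTER_CSV = """user_id
ALICE
BOB
"""

DIRECT_ASSIGNMENTS_CSV = """user_id,analysis_auth
ALICE,Z_CC_1000
CAROL,Z_CC_2000
carol ,0BI_ALL
BOB,Z_SALES_EU
DAVE,Z_CC_1000
"""


def orphaned_assignments(user_master_csv, assignments_csv):
    """Return {user_id: [analysis auths]} for assignments whose user ID is gone."""
    existing = {row["user_id"].strip().upper()
                for row in csv.DictReader(io.StringIO(user_master_csv))}
    orphans = {}
    for row in csv.DictReader(io.StringIO(assignments_csv)):
        user_id = row["user_id"].strip().upper()   # normalise before comparing
        if user_id not in existing:
            orphans.setdefault(user_id, []).append(row["analysis_auth"].strip())
    return orphans


def prioritise(orphans):
    """Order orphaned IDs so that those still holding 0BI_ALL come first."""
    return sorted(orphans, key=lambda u: ("0BI_ALL" not in orphans[u], u))


if __name__ == "__main__":
    found = orphaned_assignments(USER_MASTER_CSV, DIRECT_ASSIGNMENTS_CSV)
    for user_id in prioritise(found):
        print(user_id, found[user_id])
```

Any ID this reports would receive the listed authorizations again if it were recreated, so the assignments should be removed first.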
-
Indirect Assign
-
Pros and Cons
Pros:
- All the Change documents are already available
- All the existing SUIM reports are already available
- Possible to perform mass role assignment
Cons:
- Roles need to be created corresponding to the analysis authorization, which will include more maintenance in the system
-
Queries and Workbooks:
Query is more the technical definition of what the results should look like. Workbooks are actual results that have been formatted and can be refreshed each time the workbook is executed.
The query is a definition of what data the query should fetch and how the data should be initially displayed. A query definition includes rows, columns, filters, and free characteristics.
The workbook is a result set of the query. In this workbook, the data is displayed by sales organization. Every time the user executes the workbook, the data will be refreshed but the format can remain the same, depending on the settings for the query in the workbook.
Multiple query results saved in workbooks from the same query definition enable users to customize how they want to review the results and analyze the data.
-
Saving workbooks to Queries:
If a user wants to save a workbook to a location where it can be easily accessed by others, they need to save to a Role. Saving to a Role means saving to a security role. You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.
In order to save workbooks to roles, a user needs:
- S_USER_AGR: Authorizations: Role check
- S_USER_TCD: Transactions in roles
The authorization object S_USER_AGR has two fields: Activity and Role Name. For the Activity field, the user must have at least values 01, 02 and 22. If the user can delete workbooks, they will also need value 06. For the Role Name, you should enter the specific roles you have created for saving workbooks.
Authorization object S_USER_TCD has one field, Transaction Code. The user needs value RRMX in this field.
-
Exercise(s):
Securing Access to Workbooks
-
BI 7 Security Features
-
BI 7 Security Features
Concept of BW security remains the same in BI 7, while changes are more with respect to new authorization features, more authorization objects, newer Tcodes and more flexibility.
1. Analysis Authorization
2. Special Characteristics
3. Special Authorization: 0BI_ALL
4. Colon authorization
5. Pound Authorization
6. Key Figure Authorization
-
Analysis Authorization:
Analysis Authorizations are fundamental building blocks of the new reporting concept which contains both the data value and hierarchy restrictions.
This is also called data level access. With the new NW2004s analysis authorisation principles it is now possible to create an analysis authorisation object directly on an info object.
The authorisation can either be single values or a value range or created with a reference to a hierarchy, provided the info object is created with a hierarchy and the info object is authorisation relevant.
-
Special Characteristics:
These special characteristics must be assigned to a user in at least one authorization
0TCAACTVT: Restrict access to activities i.e. display, create, change etc
0TCAIPROV: Restrict access to the Info Provider i.e. Info Cube, ODS, Multi provider etc
0TCAVALID: Provides the validity of the analysis authorization
All these authorizations should be marked as authorization relevant
-
0BI_ALL
An authorization for all values of authorization-relevant characteristics is created automatically in the system. It has the name 0BI_ALL. It can be viewed, but not changed. Every user that receives this authorization can access all the data at any time. Each time an Info Object is activated and the property "authorization relevant" is changed for the characteristic or a navigation attribute, 0BI_ALL is automatically adjusted.
A user that has a profile with the authorization object S_RS_AUTH and has entered 0BI_ALL (or has included value as *) has complete access to all data.
-
Colon (:) as Authorization
Two Purposes for Colon Authorization Value:
If the Info Provider has sensitive data, it could be that you do not want the user to see any summarized data. For example, let us assume you have an Info Provider that has sensitive forecasting data. In this business scenario, you have chosen to secure by Info Objects (for example, Company Code). If you do not want a user with access to Company Code 1000 to see ANY data from other company codes, then you might not give this user the colon (:) value in the authorization. This would mean that ANY queries on your Info Provider that do not use the Company Code Info Object will fail for this user.
Second purpose of the Colon authorization is to give user access to the aggregated data. For example, user can see Total of sales done by all sales organization but details data of only his sales organization.
-
Pound (#) as Authorization
Using a Pound Sign (#) as an Authorization Value:
When data is loaded into SAP BW, some fields may be marked as no value assigned (posted with INITIAL). If you have secured an Info Object that has data that is unassigned in the Info Cube, you may choose to give the user a pound sign (#) in order to avoid an authorization error at runtime.
The # character is interpreted as authorization for the display of the value Not assigned (posted with INITIAL).
-
Key Figure Authorization
This restriction is used to grant authorization to particular key figures to the users.
Technical name: 0TCAKYFNM
Possible values:
- Single value (EQ) Exactly one key figure
- Range (BT) Selection of key figures
- Pattern (CP) Selection of key figures based on pattern
Note: If a particular key figure is defined as authorization-relevant, it will be checked for every Info Provider
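The special values from the preceding slides (`*` as in 0BI_ALL, the colon, the pound sign) and the EQ/BT/CP value types can be put together in a small model. This is an added example, not SAP code and not part of the original slides; it is a simplified sketch for a single authorization-relevant characteristic, and the function names, the grant tuples and the sample users are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Simplified model of one authorization-relevant characteristic (for example
# Company Code). An assumption for illustration, not SAP's implementation.
ALL, AGGREGATED, UNASSIGNED = "*", ":", "#"


def value_allowed(grants, value):
    """True if one requested value is covered by the user's grants.

    grants is a list of (operator, low, high) with operator EQ, BT or CP.
    """
    for op, low, high in grants:
        if low == ALL:                          # '*' as in 0BI_ALL: every value
            return True
        if value == UNASSIGNED:                 # "not assigned" needs an explicit '#'
            if low == UNASSIGNED:
                return True
            continue
        if op == "EQ" and value == low:         # single value
            return True
        if op == "BT" and low <= value <= high: # range over same-length codes
            return True
        if op == "CP" and fnmatchcase(value, low):  # pattern such as 30*
            return True
    return False


def query_allowed(grants, selection):
    """selection is None when the query does not use the characteristic at all
    (aggregated data); otherwise it is the list of values the query reads."""
    if selection is None:
        return any(low in (ALL, AGGREGATED) for _, low, _ in grants)
    return all(value_allowed(grants, v) for v in selection)


# Constructed sample users
ONLY_1000 = [("EQ", "1000", None)]
WITH_COLON_AND_POUND = ONLY_1000 + [("EQ", ":", None), ("EQ", "#", None)]
RANGE_AND_PATTERN = [("BT", "1000", "1999"), ("CP", "30*", None)]
FULL = [("EQ", "*", None)]

if __name__ == "__main__":
    for name, grants in [("1000 only", ONLY_1000),
                         ("1000 plus : and #", WITH_COLON_AND_POUND)]:
        print(name, query_allowed(grants, None), query_allowed(grants, ["1000", "#"]))
```

The user with only value 1000 is refused both the query that leaves out Company Code and the one that reads unassigned rows, which are the two runtime failures the colon and pound slides describe.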
-
New Authorization Objects
-
BI 7 new Authorization Objects
Below are the new authorization objects in BI7 for administration workbench, business Explorer and analysis authorization.
Authorization objects for the Data Warehousing Workbench:
S_RS_DS: For the DataSource or its sub objects (NW2004s)
S_RS_ISNEW: For new InfoSources or their sub objects (NW 2004s)
S_RS_DTP: For the data transfer process and its sub objects
S_RS_TR: For transformation rules and their sub objects
S_RS_CTT: For currency translation types
S_RS_UOM: For quantity conversion types
S_RS_THJT: For key date derivation types
S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
S_RS_RST: Authorization object for the RS trace tool
S_RS_PC: For process chains
S_RS_OHDEST: Open Hub Destination
-
Authorization objects for the Business Explorer:
S_RS_DAS: For Data Access Services
S_RS_BTMP: For BEx Web templates
S_RS_BEXTX: Authorizations for the maintenance of BEx texts
Authorization objects for the Ad