bw hr authorization


Upload: kamal-rafi

Post on 28-Apr-2015


SAP (SAP America, Inc. and SAP AG) assumes no responsibility for errors or omissions in these materials.

These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.

SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.

mySAP BI “How-To” papers are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using mySAP BI. Should you wish to receive additional information, clarification or support, please refer to SAP Professional Services (Consulting/Remote Consulting).

BW/HR AUTHORIZATION

ASAP FOR BW ACCELERATOR BUSINESS INFORMATION WAREHOUSE

An Implementation Guide for BW/HR Structural Authorizations

Document Version 1.0

Applicable Releases: BW 3.0, PI 2001.2 and above

June 15, 2002


BW/HR Authorizations

Table of Contents

1. PURPOSE
2. SOFTWARE VERSION SUPPORTED
3. GENERAL BW AUTHORIZATION STRATEGY
   3.1.1. General Considerations
   3.1.2. Specific HR Considerations
4. BRINGING HR STRUCTURAL AUTHORIZATIONS TO BW
   4.1. Overview of HR Structural Authorization
   4.2. BW/HR Structural Authorizations Architectural Description
   4.3. Pre-Requisites for Structural Authorization in BW
      4.3.1. Software Releases
      4.3.2. R/3 Functions
   4.4. BW/HR Business Content for Structural Authorizations
      4.4.1. Data Sources
      4.4.2. Info Providers and associated update rules
   4.5. Restrictions
      4.5.1. Supported Organizational Management Objects
      4.5.2. Only Current Plan Version is supported (version "01")
      4.5.3. Data Source 0HR_PA_2
   4.6. Performance Considerations
      4.6.1. The Catch 22
      4.6.2. Possible Alternatives
5. THE STEP BY STEP SOLUTION
   5.1. Prepare Structural Authorizations to be Extracted in R/3 Environment
      5.1.1. Create Structural Authorization Profile
      5.1.2. Assign User to Profile in R/3
      5.1.3. Update T77UU table to include User Name in SAP Memory
      5.1.4. Regeneration of INDX Table
   5.2. Activate Structural Authorizations DataSource in R/3
   5.3. Activities on BW side
   5.4. Create BW Authorization

2002 SAP AMERICA, INC. AND SAP AG 2


1. PURPOSE

Human Resources is one of the R/3 functional areas that contain a considerable amount of confidential and sensitive data in terms of legality and privacy issues. Customers typically have more stringent security requirements in HR than other functional areas. This document is intended to provide customers, partners and consultants with a brief general overview of BW authorization strategy [1]. The emphasis of this document is primarily on the unique considerations in an HR environment focused on the new BW/HR Structural Authorizations functionality. An in-depth description of this new function, the pre-requisites, its current restrictions, and the implementation processes in a BW environment will be provided.

2. Software Version Supported

This document is valid for BW version 3.0A with plug-in 2001.2 or above.

3. General BW Authorization Strategy

As an analytical and information access tool, the “Reporting Aspect” of BW security has some fundamental differences from the OLTP (R/3 online transactional process) environment, as shown in the following table:

| OLTP (R/3) | OLAP (BW) |
|---|---|
| Clearly divided into several business areas (Finance, Controlling, Logistics, HR…) | OLAP benefit means “combining data from different areas” |
| Security based on transactions for: Master Data; Business process data | Analytical process is not transaction oriented. |
| Data access separated into different activities: Create, Change, Display, Delete | 99% OLAP processing is Display |

While there are distinct differences, BW authorizations are based on the standard SAP authorization concept. R/3, BW and all new dimension products in the SAP family are integrated based on SAP’s Role concept and can be managed via the Central User Administration function. For the BW Administration functions, the authorization concept is very close to standard R/3, and SAP BW delivers pre-defined roles. Please refer to the “BW Authorization White Paper” on the SAP Marketplace BW web site [2]. There are no pre-delivered BW roles for reporting, and no authorization-relevant object definitions are delivered. This is due to the unique reporting authorization requirements at each customer installation. However, a set of tools is embedded in the SAP BW Administration Workbench to facilitate the definition of customer-specific reporting authorizations. This includes the new BW/HR Structural Authorizations functionality.

3.1.1. General Considerations

As a general guideline, the following basic steps should be considered when defining BW authorizations:

o Identify Roles in your company
   o Task oriented (reporting, administration…)
   o Functional oriented (Board, Assistant, Manager, HR Generalist, Payroll Administrators, Analyst, Employee….)
   o Subject oriented (FI, Sales, Recruitment, Time, Payroll etc. with cross functional considerations.)
o Define responsibility for identified role
o Set up role oriented authorization, with special focus on reporting objects.
o Assign BW users to a role

3.1.2. Specific HR Considerations

In an R/3 HR environment, customers who have implemented the Organizational Management component have often adopted an authorization model that is an actual model of the current organizational structure. This is the so-called “Structural Authorizations” in the R/3 HR environment. To establish security equivalent to R/3 HR Structural Authorizations, it would take a vast amount of effort in a BW environment to reproduce such a comprehensive setup based on R/3 organizational management.

To provide a richer set of functionality, BW and HR development have taken a giant step forward to build the foundation for a technique that brings detailed authorization objects at userid level from a source system and automatically generates user profiles in a BW environment. As a part of the BW/HR business content, SAP has delivered the extractors and data sources required to bring R/3 structural authorizations to the BW environment beginning with BW 3.0A and Plug-in 2001.2. Customers now have the option to bring the R/3 Structural Authorizations to the BW environment using standard business content. However, there are certain restrictions and pre-conditions, which will be discussed in section 4 of this document.

In addition to structural authorizations, HR customers should also be aware of the following facts and establish proper authorization as needed:

o 0Employee and 0Person Master Data contain the following attributes, which are typically considered sensitive information from privacy and legal perspectives. Without field level reporting authorization or structural authorizations, users could access these attributes as display attributes via the “local change” capability.
   o Annual Salary
   o Age
   o Nationality
   o Salary grade
   o Typical US customization for Ethnicity and SSN

Please note that authorizations for display attributes are “all or nothing”. You are allowed either to display or not. There’s nothing in between.

o To define field level reporting authorization, please refer to the “BW authorization white paper” on SAPNet and OSS note 315094.

[2] SAP Marketplace URL: http://service.sap.com

4. Bringing HR Structural Authorizations to BW

4.1. Overview of HR Structural Authorization

R/3 Organizational Management gives customers the capability to create an organizational plan that depicts the structure of the enterprise. By defining the relationships among objects such as jobs, positions, employees, cost centers and work centers, you create a network that mirrors your organizational and reporting structures. The diagram below depicts an example of a simple organizational structure in R/3 HR.

The Structural Authorizations function makes it possible to base the authorization check on the organizational reporting structure. Given the legal and privacy issues involved in dealing with HR data, the availability of structural authorizations has been a vital function in an R/3 environment. A typical structural authorization scenario is that only the head of the organizational unit in the above diagram has authorization to access the data of employees who hold positions under his/her supervision. This is done via the Evaluation Path of O-S-P (Organization Unit – Position – Person). From an HR security perspective, Structural Authorizations is one of the functions most often requested to be replicated in the BW environment.

4.2. BW/HR Structural Authorizations Architectural Description

With the initial release of this functionality, the following diagram provides a basic architectural overview of this function.

[Figure: Structural Authorization in BW. R/3 OLTP side: R/3 Org. Structure; tables T77UA (Assignment), T77UU (User) and T77PR (Profile); report RHBAUS00; INDX cluster; DataSources 0HR_PA_2 and 0HR_PA_3. BW side: PSA; transfer rules; update rules; ODS objects 0PA_DS02 and 0PA_DS03 (Struc Auth); RSSM transaction or function modules RSSB_Generate_Authorizations; BW security check.]

As depicted in the diagram, BW/HR Structural Authorizations extracts the content of R/3 Structural Authorizations into the BW environment using the standard BW Service API. The content arrives as two sets of ODS Info Providers, which are used as input for generating unique profiles in each user master record in BW. If HR Structural Authorizations have been configured in R/3, then the T77PR (profile) and T77UA (user assignment) tables should already have been populated. The T77UU (users) table, which contains the user ids for which the extraction will be performed, must be updated for all users. Executing report “RHBAUS00” regenerates an INDX cluster table for the structural authorization profiles. This INDX cluster table is used as the base for extracting the HR structural authorizations datasource 0HR_PA_2. For datasource 0HR_PA_3 the customizing tables are read directly (i.e. executing RHBAUS00 isn’t necessary).

4.3. Pre-Requisites for Structural Authorization in BW

4.3.1. Software Releases

o BW must be at least at 3.0A level.
o R/3 BW Plug-ins must be at least at 2001.2.

4.3.2. R/3 Functions

o R/3 HR Organizational Management must be installed and activated.
o R/3 HR Structural Authorizations must be configured.

4.4. BW/HR Business Content for Structural Authorizations

4.4.1. Data Sources

o 0HR_PA_2: Value Authorizations, which extracts the specific object type and object id that a given user is authorized to access. For example, userid “LOA”, allowed to access Organizations 50000595 and 50000603, has the following entries:

| Date | Userid | Object type | Object id |
|---|---|---|---|
| 14.09.2001 | LOA | O | 50000595 |
| 14.09.2001 | LOA | O | 50000603 |

o 0HR_PA_3: Hierarchy Authorizations, which extracts a specific object with a given hierarchy name and version. For example, userid “LOA” is authorized to access the Orgunit hierarchy for object id 50000595.

| Date-from | Date-To | Userid | Object type | Object id | Hierarchy | Version |
|---|---|---|---|---|---|---|
| 01.01.1999 | 31.12.9999 | LOA | O | 50000595 | ORGEH | 000 |

4.4.2. Info Providers and associated update rules

o 0PA_DS02: Value Authorizations ODS used as the input to generate authorization profiles for each user for given InfoObjects. The delivered update rule translates HR object type into InfoObjects.
o 0PA_DS03: Hierarchy Authorizations ODS used as input to generate authorization profiles for hierarchies.

4.5. Restrictions

4.5.1. Supported Organizational Management Objects

o 0HR_PA_2: all
o 0HR_PA_3: only the hierarchy on organizational units (O) / evaluation path ORGEH is supported. In other words, only the hierarchy with the technical name ORGEH (delivered in BCT) is supported by this DataSource.

4.5.2. Only Current Plan Version is supported (version "01").

4.5.3. Data Source 0HR_PA_2.

The Structural Authorization brought into the BW environment by this datasource is time-independent. It is a snapshot of the authorizations that were valid when the extraction was performed. This means that a historical authorization view from R/3 will not be available. The Calday in the extract structure represents the date of extraction, not the date the INDX file was built (when RHBAUS00 was executed). This may not be an issue if daily extraction is performed.

4.6. Performance Considerations

4.6.1. The Catch 22

BW/HR structural authorizations take advantage of the flexibility of “Variable filled Authorizations” in BW. When accessing a query that contains more than one authorization relevant InfoObject (e.g. variables filled by authorizations), all combinations will be checked. In the case of a very large organization unit, this leads to many checks. For example: the common evaluation path involves Orgunit, Positions and Employees. Suppose a department manager is responsible for 10 orgunits, which have 200 positions with a total of 200 employees. This would result in 3 variables, for InfoObjects 0Orgunit, 0Hrposition and 0Employee, being filled by authorizations. The variables are filled by 10, 200 and 200 values. This leads to 10*200*200 = 400,000 checks at the interface. The number of checks is multiplied further by the other InfoObjects required in the reporting authorization object, such as Ethnicity, Annual Salary etc. However, in order to secure the data access thoroughly and to replicate the structural authorizations from R/3, it is imperative that all authorization relevant InfoObjects are checked. The catch 22 is that the completeness of authorization checks comes at the price of slow query performance.

4.6.2. Possible Alternatives

While a long-term solution is being contemplated, there’s no immediate technical resolution at this time. A few potential alternatives to avoid this performance issue for very large organizations are as follows. However, you must carefully evaluate the consequences for your particular installation based on your query design and business requirements.

• Define a special Management role for top management with a large number of organizations and staff members; allow unrestricted access for management with huge organizations. This means that the reporting authorization objects will contain * for full access.

• If possible, use only the Orgunit value and Orgunit hierarchy authorization instead of the complete evaluation path via authorization value lists (i.e. Orgunit -> Position -> Employee). This will only be possible if you establish a query design standard under which, when accessing confidential HR InfoProviders, the initial screen begins with the Orgunit hierarchy. You must not define summary (:) level of authorization. This will force the end user to filter through a valid node or Orgunit value to avoid any potential loophole for unauthorized access.

• Reduce the number of authorization relevant InfoObjects (used in the query) where possible without compromising the security.
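The combination count from section 4.6.1 can be estimated per user before generating profiles, which shows who is a candidate for the alternatives listed above. The following is an added example, not SAP code or part of the original guide: it reads rows shaped like the 0HR_PA_2 example and multiplies the value-list sizes per InfoObject. The `;`-separated layout, the O/S/P to InfoObject mapping, the user MGR1, the threshold and all ids other than the two LOA orgunits are assumptions constructed for illustration.

```python
"""Estimate BW authorization-check load from 0HR_PA_2-style rows (added example)."""
import csv
import io
from collections import defaultdict
from math import prod

# Assumed translation of HR object types to InfoObjects, following the
# guide's O-S-P example; the delivered update rule does the real mapping.
OBJECT_TYPE_TO_INFOOBJECT = {"O": "0ORGUNIT", "S": "0HRPOSITION", "P": "0EMPLOYEE"}


def build_sample():
    """Constructed extract in a hypothetical ';'-separated layout."""
    rows = ["date;userid;object_type;object_id",
            "14.09.2001;LOA;O;50000595",   # the two rows shown in 4.4.1
            "14.09.2001;LOA;O;50000603",
            "14.09.2001;LOA;O;50000603",   # duplicate row, must not count twice
            "14.09.2001;LOA;C;30000001"]   # object type without a mapping here
    rows += [f"14.09.2001;LOA;S;{60000000 + i}" for i in range(3)]
    rows += [f"14.09.2001;LOA;P;{1000 + i:08d}" for i in range(3)]
    # MGR1 reproduces the 4.6.1 scenario: 10 orgunits, 200 positions, 200 employees
    for otype, count, base in (("O", 10, 51000000), ("S", 200, 61000000), ("P", 200, 2000)):
        rows += [f"14.09.2001;MGR1;{otype};{base + i:08d}" for i in range(count)]
    return "\n".join(rows)


def load_value_authorizations(text):
    """Return ({user: {infoobject: set(ids)}}, sorted unmapped (user, type) pairs)."""
    per_user = defaultdict(lambda: defaultdict(set))
    unmapped = set()
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        user = row["userid"].strip().upper()
        otype = row["object_type"].strip().upper()
        infoobject = OBJECT_TYPE_TO_INFOOBJECT.get(otype)
        if infoobject is None:
            unmapped.add((user, otype))   # report instead of silently dropping
            continue
        per_user[user][infoobject].add(row["object_id"].strip())
    return per_user, sorted(unmapped)


def checks_for_query(values_by_infoobject, query_infoobjects):
    """Value combinations checked when each listed authorization-relevant
    InfoObject is filled by an authorization variable (product of list sizes).
    A result of 0 means the user has no value for at least one InfoObject."""
    return prod(len(values_by_infoobject.get(name, ())) for name in query_infoobjects)


def review(per_user, query_infoobjects, threshold):
    """One (user, checks, over_threshold) tuple per user, sorted by user."""
    result = []
    for user in sorted(per_user):
        checks = checks_for_query(per_user[user], query_infoobjects)
        result.append((user, checks, checks > threshold))
    return result


if __name__ == "__main__":
    FULL_PATH = ["0ORGUNIT", "0HRPOSITION", "0EMPLOYEE"]
    users, unmapped = load_value_authorizations(build_sample())
    for user, checks, flagged in review(users, FULL_PATH, threshold=100_000):
        note = "review query design (section 4.6.2)" if flagged else "ok"
        print(f"{user:6} {checks:>8} checks  {note}")
    print("orgunit-only query for MGR1:", checks_for_query(users["MGR1"], ["0ORGUNIT"]))
    print("object types without a mapping:", unmapped)
```
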

5. The Step By Step Solution

When bringing structural authorizations from R/3 to the BW environment, you can bring all or selected users and profiles via the SAP delivered extractor. The following example depicts the selection of the structural authorization for user “LOA”. User “LOA” is responsible for the Corporate Service organization. The objective is to allow LOA to view data for all organization units at a summary level, but to access only the detailed level of data relevant to the positions within her organization and the detail information about employees who are holding these positions.

5.1. Prepare Structural Authorizations to be Extracted in R/3 Environment

This section describes the steps to maintain a structural authorizations profile and the assignment of a user. If your installation has already been configured for HR structural authorizations, these steps should have been done and you can skip to 5.1.3. Please check the R/3 online documentation for further information on the customizing of structural authorizations in HR. https://sapneth4.wdf.sap.corp/~form/sapnet?_SHORTKEY=01100035870000344300&

5.1.1. Create Structural Authorization Profile:

1. First you must create or maintain a Structural Authorization Profile for LOA. This is done on the R/3 system -> Transaction ‘OOSP’ -> Select Authority profile -> Click on “New Entry” push button -> Give an Authorization Profile name and description.

2. Within the same transaction screen -> Select Authorization Profile Maintenance -> Click on “New Entry” push button -> For the subject Authorization profile -> enter the following:

o Sequence number -> you assign

o Plan version = 01

o Object type (O or S or P)

o Object ID -> the 8-digit orgunit ID LOA is responsible for

o Evaluation Path -> O-S-P

o You can specify depth of access

o The 2nd entry shows all organizations can be viewed by LOA.

o Save the entries.

5.1.2. Assign User to Profile in R/3

3. Assign User to Profile in R/3:

Transaction OOSB -> Select “New Entry” push button -> enter user name -> LOA and the associated Authorization profile -> Amelia -> Save.


5.1.3. Update T77UU table to include User Name in SAP Memory.

4. Create an entry for User name LOA:

Transaction SE16 -> table T77UU -> Create new entry -> LOA -> Save.

Hint: You can use the report RHBAUS02 to create the entries in the table for all users (Threshold value should be 1).

5.1.4. Regeneration of INDX Table

5. Execute program ‘RHBAUS00’ to regenerate indexes for structural authorization profiles. This report can only generate the index for users who have an entry in the T77UU table.

Transaction SE38 -> Enter ‘RHBAUS00’ as program name -> Click Execute

5.2. Activate Structural Authorizations DataSource in R/3

Two datasources (0HR_PA_2 and 0HR_PA_3) are delivered as standard HR business content; they extract Authorization Values and Hierarchy Authorizations. You must first activate them in the R/3 system as follows:

6. In the R/3 system, execute transaction “SBIW”. Expand and execute “Transfer Business Content DataSource”. Under the 0PA_OS application component, check mark the datasources and click on the “Transfer Data Source” push button at the top of the menu bar to activate the 0HR_PA_2 and 0HR_PA_3 datasources from R/3. Respond to the transport request.

5.3. Activities on BW side

7. Replicate DataSources for 0HR_PA_2. (Admin Workbench -> Modeling -> Source System -> SAP Appl component -> Organization Management -> right mouse click and select “Replicate Datasources”). Or you can just replicate data sources under 0PA_OS application components.


8. Activate the Structural Authorizations ODS InfoProvider 0PA_DS02 via the Business Content Activation function. (Admin Workbench -> Business Content -> Data Target -> Human Resources -> Organizational Management -> drag 0PA_DS02 to the right pane. Use the “Data Flow before and after” option under the “Grouping” icon and “Install” in batch on the right pane of your screen.)

9. Repeat the step 7 & 8 processes for 0PA_DS03 for Structural Authorizations Hierarchy data target.

10. Check and activate Transfer rules for 0HR_PA_2, if not already activated.

11. Check and activate Transfer rules for 0HR_PA_3, if not already activated.

12. Create an InfoPackage to extract the Structural Authorization from the R/3 source system to the new 0PA_DS02 data target.

13. Verify the monitor to ensure the Structural Authorization ODS data target has been successfully loaded.

Repeat step 13 & 14 for 0PA_DS03 data target.

5.4. Create BW Authorization

14. Mark the relevant InfoObjects as Authorization Relevant:

o Maintain InfoObject (RSD1) -> Change InfoObject name (e.g. 0Orgunit) -> highlight Business Explorer tabstrip -> Check mark Authorization Relevant -> Activate the InfoObject. -> Repeat for other InfoObjects (0hrposition, 0employee etc.).


15. Create Authorization Objects via RSSM transaction or via Business Explorer -> Reporting Authorization Objects -> Create -> give a name, such as ZBW_HR_SA with a description.

16. Move the InfoObjects from the select list on the right pane to the left using left arrow -> Save


17. Relate the Authorization Object ZBW_HR_SA to the ODS you have populated (0PA_DS02) using RSSM transaction -> enter the authorization object ZBW_HR_SA -> Select “check for Infocubes” button -> click Change icon ->

18. To generate Authorization Object, you go through the following path:

Transaction RSSM -> go to the 3rd section “Authorizations” -> select “Generating Authorizations” -> click the change icon (yellow pencil) This will lead you to the input parameter screen in next section.


19. Select the authorization objects that you want to generate profiles for by clicking the appropriate box, then click on the generate button. HR Structural authorizations ODS are listed in the top section with a unique naming convention (0PA_DS02 and 0PA_DS03).

20. Alternatively, you may generate the authorization profile for each User from HR Structural Authorizations ODS (0PA_DS02) by executing program RSSB_GENERATE_AUTHORIZATIONS.

Transaction SE38 -> enter Program RSSB_GENERATE_AUTHORIZATIONS -> execute.

Enter the authorization object(s) as input parameter: ZBW_HR_SA


21. Verify the result:

Execute transaction “SLG1” or SE38 program name = RSSB_BW_SHOW_LOG_AUTH_MODIFY -> Green lights indicate successfully generated profiles for users in the user master record.

22. Create an Authorization Variable for automatic loading of authorized object values for the user when executing the query. Create a variable for each of the involved InfoObjects, i.e. 0Orgunit, 0Hrposition and 0Employee. Be sure to choose “Selection option” for the “variable represents” parameter.

23. Include the authorization variables in your query.
