bwauthconcepts judi 1204[1]

Download Bwauthconcepts JUDI 1204[1]

Post on 24-Nov-2015




5 download

Embed Size (px)


  • AuthorizationsAuthorizationsmySAP Business IntelligencemySAP Business Intelligence

    Mohamed JudiSAP Systems Integration America

    Session Code: 1204

  • I. Introduction to SAP Authorization Concept

    II. Authorization Concept in mySAP BW 3.0

    III. mySAP BW Authorization Concept Implementation

    IV. HR Authorizations in mySAP BW 3.0

    V. Authorizations in mySAP SEM

    VI. Authorizations in SAP Enterprise Portal

    VII. Demonstrations


  • Company Profile

    SAP SI Systems Integration is a majority-owned subsidiary of SAP

    Professional services in selected industries and knowledge areas (i.e. Business Intelligence)

    1,600 employees worldwide Systems integrator for solutions and 3rd

    party applications

    Significant global player in the space with international market presence

    Partner for large corporations and mid-size companies

    Internationally diverse team of experienced consultants

    US headquarter in Atlanta and offices in Philadelphia and Irvine/Los Angeles

  • Our SAP Business Intelligence Focus

    To optimize processes, information & technology inz Reporting and Analytical Applicationsz Data Warehousing & Information Deploymentz Planning, Budgeting and Consolidationz Enterprise and Financial Managementz Performance Mgmt and Balanced Scorecardsz Knowledge and Content


  • Monier

    SAP SI America: Trusted Advisors in SAP Business Intelligence

  • Sensitive Security Areas








    User ManagementSecure Network

    Secure Communication


    Single Sign-On

    User Directory

    Third Party System

    Portal Server

  • Development User Administration & SecurityObject Class

    Authorization Object

    Authorizations Authorization Profiles

    User Master Record

    4. Organizational Structure

    F* , VA03

    Display , Create


    1. Menu

    2. Authorizations

    3. Workflow














    TCD: TCD:

    Technical Overview of the SAP Authorization Concept

  • Financial Planning: Plan Entry Re-evaluation ...

    User Menus from Single Roles

    Authorizations (Profiles)

    User Assignments


    Single Role(Activity Group)

    Authorization Profiles in Roles

    Financial ManagerComposite Role(Collective Activity


  • AuthorizationProfile

    Profile Generator: Create Authorization Profiles

  • Traffic LightsTraffic Lights

    Organizational fields have missing values (Cant generate)

    Non-organizational fields have missing values (Authorization failure)

    All fields have values assigned (Doesnt mean they have the right values!)

    Other IconsOther IconsView field contents

    Maintain field contents

    Delete field contents, inactive authorization,or further authorizations for an object

    Copy authorization

    Inactivate an active authorization,or authorizations for an object

    Reactivate an inactive authorization

    Merge several authorizations

    Transactions for an authorization object

    Allocation of full authorization

    Other IconsOther Icons

    Authorization Maintenance: Icon Legend

  • User Buffer

  • Role 1

    Role 2

    Role 3Role 4

    Role 5

    Role 6

    Role 7

    Composite Role A

    Composite Role B

    Assigning Users to Roles (Activity Groups)

  • AuthorizationProfile

    Comparing the User Master

  • Whos Changing


    Note: If tracing is not activated, there is no way to view changes in RSSM.

    Change Documentation

  • Authorization Concept in BW 3.0

  • 32 4



    BW 3.0 Authorizations Overview with a BI Perspective

  • User

    User Role (Channels, Activity Groups)




    InfoObjects - Key figures

    InfoObjects - Characteristic Values

    + simplification- security

    - simplification+ security

    Information Complexity in BW

  • z Warehouse Design Workbench Objects Variables Query Objects InfoCube Objects ODS Objects InfoSources InfoObjects Source Systems

    z Warehouse Administration InfoPackages Monitor Meta Data Reporting Agent Settings

    Authorization Relevant Elements

  • Open Dialog S_RS_FOLD

    System Manager Can Turn Off InfoArea Specify X (true) in the authorization maintenance for suppressing Prevent Global View

    Variable Definition in Query Definition S_RS_COMP

    New Authorizations Check for Variables in Query Definition Object type is VAR Available in BW 3.0A Support Package 2

    InfoSet in BEx S_RS_ISET

    For displaying / maintaining InfoSets

    Authorization Objects to Support New 3.0 Functions

  • S_RS_FOLD - Turn Off InfoArea Folder

  • S_RS_COMP1 Is checked additionally with S_RS_COMP Checks for authorizations on query components dependent on

    the owner (creator RSZOWNER) Authorizations are necessary, e.g. for creating queries

    S_RS_IOBJ Authorization object for working with InfoObjects Is checked if authorization is not available via S_RS_ADMWB Additional checks for update rule authorizations

    New Authorization Objects (continued)

  • With Role Based Authorization Web Report can be published into a Role as:

    URL MiniApp iView

    Web Templates is similar to the Workbooks: Role Based Web Application Designer is Based on Web Template: Role Based

    Pre-Calculated Objects OLAP Engine Check if it is Pre-Calculated Object:

    Do Not Refresh Data But Check Authorization

    If It is Copied Pre-Cached Data, theres no possibility to Check Authorization for: Pre-Calculated Report Agent

    Authorization in the Web Environment

  • Web Items Accessible Via Library of Items which are Assigned to Roles Similar to Web Template Handling No Restriction once you have Access to Certain Library

    Can DisplayCan Change, if Delete Authorization is Granted Same Authorization as Assign Library

    Query Views Inherited from Query

    Authorization in the Web Environment - Continued

  • z Prior to 3.0, InfoObjects were protected via authorization object S_RS_ADMW (Administrator Workbench Object = INFOOBJECT). You were only able to assign the authorization either for all InfoObjects or for none.

    Solution:Solution:z As of 3.0 there is an additional authorization object S_RS_IOBJ.

    With this authorization object you can differentiate the authorization by the technical names of the InfoObjects (for example to permit namespace A* or B*).

    z In such a case the user must not have the authorization for object S_RS_ADMWB, because one of the two authorizations is sufficient to process the InfoObjects.

    Authorization Object for Securing InfoObjects

  • 1. Mark characteristics as "Authorization Relevant

    2. Create an Authorization Object for Reporting

    3. Create Authorizations with the values

    3 Steps to Setup InfoObject Authorizations in BW

  • 1. Mark characteristics as Authorization Relevant

  • 2. Create an Authorization Object for Reporting

  • 3. Create Authorizations in Profile

  • 1. Activate InfoObject 0TCTAUTHH from Business Content (if necessary).

    2. Create Reporting Object by using 0TCTAUTHH and leaf InfoObject.

    3. Define a description of a hierarchy authorization.

    4. Create an authorization for the new authorization object. Enter the technical name of the description of a hierarchy authorization as value for field 0TCTAUTHH.

    4 Steps to Setup Hierarchy Authorizations in BW

  • 1. Activate 0TCTAUTHH in Business Content

  • 2. Create Authorization Object with 0TCTAUTHH

  • 3. Define a Description of a Hierarchy Node

  • 9 In 2.0, the level must be given by an absolute value with respect to the hierarchy. With this new mode, the level is set relative to the node and remains the same when the node is moved to another position in the hierarchy.

    9 This will dramatically reduce the amount of maintenance required to maintain Unique Hierarchy Authorization Node Identifiers.

    New Mode for Hierarchy Nodes

  • 4. Create an Authorization for the New Object

  • Transa


    Code R


    Maintaining Unique Hierarchy Node IDs

    Transporting Hierarchy Authorization Ids and

    InfoCube Check

    Maintaining Authorization Objects

    & InfoCubes Check

    A Different Way of Looking at

    InfoCubes Check

    Maintaining Authorizations for

    One, or More Users Collectively


    Authorizations for Reporting

  • 1. Create Variable

    2. Define Properties

    3. Assign Variable to Query

    Authorization Variables in BW 2.x

  • 1. Create Variable & Define Properties in Query Designer

    2. Assign Variable to Query

    Authorization Variables in BW 3.x

  • Authorization Variables Characteristic Value Type

  • Multiple Selection View

    Authorization Variables Hierarchy Node Type

  • If this property is set, maintenance of the master data / texts individual records for this characteristic can

    be protected by means of authorizations. E.g., user A may only maintain values from 1000 -

    1999 and user B may only maintain values from 2000 - 2999.

    Maintenance of Mast