Authorizations in mySAP Business Intelligence
Mohamed Judi, SAP Systems Integration America
Session Code: 1204

Upload: pablo-machorro, posted 24-Nov-2015

TRANSCRIPT

  • Authorizations in mySAP Business Intelligence

    Mohamed Judi, SAP Systems Integration America

    Session Code: 1204

  • I. Introduction to SAP Authorization Concept

    II. Authorization Concept in mySAP BW 3.0

    III. mySAP BW Authorization Concept Implementation

    IV. HR Authorizations in mySAP BW 3.0

    V. Authorizations in mySAP SEM

    VI. Authorizations in SAP Enterprise Portal

    VII. Demonstrations

    Agenda

  • Company Profile

    SAP SI Systems Integration is a majority-owned subsidiary of SAP

    Professional services in selected industries and knowledge areas (i.e. Business Intelligence)

    1,600 employees worldwide

    Systems integrator for mySAP.com solutions and 3rd party applications

    Significant global player in the mySAP.com space with international market presence

    Partner for large corporations and mid-size companies

    Internationally diverse team of experienced consultants

    US headquarter in Atlanta and offices in Philadelphia and Irvine/Los Angeles

  • Our SAP Business Intelligence Focus

    To optimize processes, information & technology in:

    - Reporting and Analytical Applications
    - Data Warehousing & Information Deployment
    - Planning, Budgeting and Consolidation
    - Enterprise and Financial Management
    - Performance Mgmt and Balanced Scorecards
    - Knowledge and Content Management

  • Monier

    SAP SI America: Trusted Advisors in SAP Business Intelligence

  • Sensitive Security Areas

    (Diagram with six numbered areas; recovered labels:)

    - Authentication
    - User Management
    - Secure Network
    - Secure Communication
    - Authorization
    - Single Sign-On
    - User Directory
    - Third Party System
    - Portal Server

  • Development, User Administration & Security

    (Diagram; recovered labels:)

    Object Class > Authorization Object > Authorizations > Authorization Profiles > User Master Record

    User master record: 1. Menu, 2. Authorizations, 3. Workflow, 4. Organizational Structure

    Example labels in the diagram: CROSS_APPS, FI_AC, S_TCODE (TCD), F_BURS, FI_TRANS_CODE (ACT, TARGET), FI_COMP_CODES, FI_ROLE; values F*, VA03; Display, Create; 0001-0005

    Technical Overview of the SAP Authorization Concept

  • (Diagram; recovered labels:)

    Single Role (Activity Group), e.g. Financial Planning: Plan Entry, Re-evaluation ...

    Composite Role (Collective Activity Group), e.g. Financial Manager

    Profile Generator; Authorizations (Profiles); User Menus from Single Roles; User Assignments

    Authorization Profiles in Roles

  • Authorization Profile

    Profile Generator: Create Authorization Profiles

  • Traffic Lights

    - Organizational fields have missing values (can't generate)
    - Non-organizational fields have missing values (authorization failure)
    - All fields have values assigned (doesn't mean they have the right values!)

    Other Icons

    - View field contents
    - Maintain field contents
    - Delete field contents, inactive authorization, or further authorizations for an object
    - Copy authorization
    - Inactivate an active authorization, or authorizations for an object
    - Reactivate an inactive authorization
    - Merge several authorizations
    - Transactions for an authorization object
    - Allocation of full authorization

    Authorization Maintenance: Icon Legend

  • User Buffer

  • (Diagram; recovered labels:)

    Role 1, Role 2, Role 3, Role 4, Role 5, Role 6, Role 7

    Composite Role A, Composite Role B

    Assigning Users to Roles (Activity Groups)

  • Authorization Profile

    Comparing the User Master

  • Who's Changing What?

    Note: If tracing is not activated, there is no way to view changes in RSSM.

    Change Documentation

  • Authorization Concept in BW 3.0

  • (Diagram with five numbered areas; labels not recoverable.)

    BW 3.0 Authorizations Overview with a BI Perspective

  • Levels at which access can be controlled:

    - User
    - User Role (Channels, Activity Groups)
    - InfoAreas
    - InfoCubes
    - Queries
    - InfoObjects - Key figures
    - InfoObjects - Characteristic Values

    Securing at the coarser levels (listed first) means more simplification and less security; securing at the finer levels means less simplification and more security.

    Information Complexity in BW

  • Warehouse Design: Workbench Objects, Variables, Query Objects, InfoCube Objects, ODS Objects, InfoSources, InfoObjects, Source Systems

    Warehouse Administration: InfoPackages, Monitor, Meta Data, Reporting Agent Settings

    Authorization Relevant Elements

  • S_RS_FOLD (Open Dialog): the System Manager can turn off the InfoArea view; specify X (true) in the authorization maintenance for suppressing it (prevents the global view)

    S_RS_COMP (Variable Definition in Query Definition): new authorization check for variables in the query definition; object type is VAR; available in BW 3.0A Support Package 2

    S_RS_ISET (InfoSet in BEx): for displaying / maintaining InfoSets

    Authorization Objects to Support New 3.0 Functions

  • S_RS_FOLD - Turn Off InfoArea Folder

  • S_RS_COMP1: is checked additionally with S_RS_COMP; checks for authorizations on query components dependent on the owner (creator, RSZOWNER); authorizations are necessary, e.g. for creating queries

    S_RS_IOBJ: authorization object for working with InfoObjects; is checked if authorization is not available via S_RS_ADMWB; additional checks for update rule authorizations

    New Authorization Objects (continued)

  • With role-based authorization, a Web Report can be published into a Role as: URL, MiniApp, iView

    Web Templates are handled like Workbooks: role based. The Web Application Designer is based on Web Templates: role based.

    Pre-calculated objects: the OLAP Engine checks whether it is a pre-calculated object; it does not refresh the data, but it does check authorization.

    If it is copied pre-cached data, there's no possibility to check authorization for: Pre-Calculated Report Agent

    Authorization in the Web Environment

  • Web Items: accessible via a Library of Items which is assigned to Roles (similar to Web Template handling); no restriction once you have access to a certain Library

    Can display; can change if Delete authorization is granted (same authorization as Assign Library)

    Query Views: inherited from the Query

    Authorization in the Web Environment - Continued

  • Prior to 3.0, InfoObjects were protected via authorization object S_RS_ADMWB (Administrator Workbench Object = INFOOBJECT). You were only able to assign the authorization either for all InfoObjects or for none.

    Solution: As of 3.0 there is an additional authorization object S_RS_IOBJ. With this authorization object you can differentiate the authorization by the technical names of the InfoObjects (for example to permit namespace A* or B*).

    In such a case the user does not need the authorization for object S_RS_ADMWB, because either one of the two authorizations is sufficient to process the InfoObjects.

    Authorization Object for Securing InfoObjects

  • 1. Mark characteristics as "Authorization Relevant"

    2. Create an Authorization Object for Reporting

    3. Create Authorizations with the values

    3 Steps to Setup InfoObject Authorizations in BW

  • 1. Mark characteristics as Authorization Relevant

  • 2. Create an Authorization Object for Reporting

  • 3. Create Authorizations in Profile

  • 1. Activate InfoObject 0TCTAUTHH from Business Content (if necessary).

    2. Create Reporting Object by using 0TCTAUTHH and leaf InfoObject.

    3. Define a description of a hierarchy authorization.

    4. Create an authorization for the new authorization object. Enter the technical name of the description of a hierarchy authorization as value for field 0TCTAUTHH.

    4 Steps to Setup Hierarchy Authorizations in BW

  • 1. Activate 0TCTAUTHH in Business Content

  • 2. Create Authorization Object with 0TCTAUTHH

  • 3. Define a Description of a Hierarchy Node

  • In 2.0, the level must be given by an absolute value with respect to the hierarchy. With this new mode, the level is set relative to the node and remains the same when the node is moved to another position in the hierarchy.

    This will dramatically reduce the amount of maintenance required to maintain unique hierarchy authorization node identifiers.

    New Mode for Hierarchy Nodes
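    An added illustration of the difference between the two modes (example code written for this transcript, not SAP's implementation): a small Python model in which a node authorization either fixes the lowest permitted hierarchy level absolutely, as in BW 2.0, or counts it from the authorized node, as in the new 3.0 mode. The hierarchy, the node names and the level numbering (root = level 1) are constructed for the example.

```python
"""Absolute vs. relative level in a hierarchy node authorization (constructed model)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Hierarchy:
    # node -> parent node; the root has parent None. Constructed sample data, not BW metadata.
    parent: Dict[str, Optional[str]]

    def level(self, node: str) -> int:
        # Level numbering assumed for this model: the root is level 1.
        lvl = 1
        while self.parent[node] is not None:
            node = self.parent[node]
            lvl += 1
        return lvl

    def in_subtree(self, node: str, top: str) -> bool:
        # True if `node` is `top` itself or lies somewhere below it.
        current: Optional[str] = node
        while current is not None:
            if current == top:
                return True
            current = self.parent[current]
        return False


@dataclass
class NodeAuthorization:
    node: str       # authorized hierarchy node
    level: int      # lowest permitted level: absolute (2.0) or counted from `node` (3.0 mode)
    relative: bool  # False = absolute level, True = relative to the node

    def authorized_nodes(self, h: Hierarchy) -> Set[str]:
        limit = h.level(self.node) + self.level if self.relative else self.level
        return {n for n in h.parent if h.in_subtree(n, self.node) and h.level(n) <= limit}


# Before: ROOT(1) > EMEA(2) > DE(3) > PLANT_DE1(4); AMER is a sibling region.
BEFORE = Hierarchy({"ROOT": None, "EMEA": "ROOT", "AMER": "ROOT",
                    "DE": "EMEA", "PLANT_DE1": "DE"})
# After a reorganisation EMEA hangs one level deeper, under a new GROUP node.
AFTER = Hierarchy({"ROOT": None, "GROUP": "ROOT", "AMER": "ROOT",
                   "EMEA": "GROUP", "DE": "EMEA", "PLANT_DE1": "DE"})

# Both authorizations grant EMEA down to the plants in the original hierarchy.
ABSOLUTE = NodeAuthorization("EMEA", level=4, relative=False)  # 2.0 style
RELATIVE = NodeAuthorization("EMEA", level=2, relative=True)   # 3.0 new mode


def compare() -> Dict[str, Set[str]]:
    """Return what each authorization grants before and after the node is moved."""
    return {
        "absolute_before": ABSOLUTE.authorized_nodes(BEFORE),
        "absolute_after": ABSOLUTE.authorized_nodes(AFTER),
        "relative_before": RELATIVE.authorized_nodes(BEFORE),
        "relative_after": RELATIVE.authorized_nodes(AFTER),
    }


if __name__ == "__main__":
    for name, nodes in compare().items():
        print(f"{name:16s} {sorted(nodes)}")
```

    After the move, the absolute authorization silently stops covering PLANT_DE1 and would have to be re-maintained, while the relative one follows the node; that is the maintenance saving the slide refers to.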

  • 4. Create an Authorization for the New Object

  • Transaction Code RSSM

    Maintaining Unique Hierarchy Node IDs

    Transporting Hierarchy Authorization IDs and InfoCube Check

    Maintaining Authorization Objects & InfoCubes Check

    A Different Way of Looking at InfoCubes Check

    Maintaining Authorizations for One or More Users Collectively: PFCG!

    Authorizations for Reporting

  • 1. Create Variable

    2. Define Properties

    3. Assign Variable to Query

    Authorization Variables in BW 2.x

  • 1. Create Variable & Define Properties in Query Designer

    2. Assign Variable to Query

    Authorization Variables in BW 3.x

  • Authorization Variables Characteristic Value Type

  • Multiple Selection View

    Authorization Variables Hierarchy Node Type

  • If this property is set, maintenance of the individual master data / text records for this characteristic can be protected by means of authorizations. E.g., user A may only maintain values from 1000 - 1999 and user B may only maintain values from 2000 - 2999.

    Maintenance of Master Data with Authorization
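    The two passages on S_RS_IOBJ versus S_RS_ADMWB for InfoObjects and on master data maintenance restricted to value ranges both rest on how an authorization's field values are matched against the values a user works with. The following Python model is an added example for this transcript, not SAP code: single values, trailing `*` patterns and From/To intervals; an AND over the fields of one authorization and an OR over the authorizations a user holds, as in an AUTHORITY-CHECK. The field names RSADMWBOBJ, RSIOBJ and ACTVT are those of the SAP objects; the reporting object ZCOSTCTR, the users and their values are constructed for the example.

```python
"""Simplified model of SAP authorization value matching (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# An allowed field value is a single value, a pattern with a trailing '*',
# or a From/To interval as in the two value columns of authorization maintenance.
FieldValue = Union[str, Tuple[str, str]]


def value_matches(allowed: FieldValue, actual: str) -> bool:
    """One allowed value against one requested value."""
    if isinstance(allowed, tuple):
        low, high = allowed
        return low <= actual <= high            # intervals compare as strings, like 1000-1999
    if allowed == "*":
        return True                             # full authorization for the field
    if allowed.endswith("*"):
        return actual.startswith(allowed[:-1])  # namespace pattern such as A*
    return allowed == actual


@dataclass
class Authorization:
    obj: str                             # authorization object, e.g. S_RS_IOBJ
    fields: Dict[str, List[FieldValue]]  # field -> allowed values

    def permits(self, requested: Dict[str, str]) -> bool:
        # Every requested field must be covered (AND); any listed value may cover it (OR).
        return all(
            any(value_matches(v, actual) for v in self.fields.get(f, []))
            for f, actual in requested.items()
        )


def authority_check(auths: List[Authorization], obj: str, requested: Dict[str, str]) -> bool:
    """Pass if any authorization the user holds for `obj` permits all requested values."""
    return any(a.permits(requested) for a in auths if a.obj == obj)


def may_process_infoobject(auths: List[Authorization], name: str, activity: str) -> bool:
    """3.0 rule from the slide: S_RS_ADMWB for INFOOBJECT or a matching S_RS_IOBJ suffices."""
    return (authority_check(auths, "S_RS_ADMWB", {"RSADMWBOBJ": "INFOOBJECT", "ACTVT": activity})
            or authority_check(auths, "S_RS_IOBJ", {"RSIOBJ": name, "ACTVT": activity}))


# Constructed users. ADMIN holds the pre-3.0 all-or-nothing object; DEV only the namespace object.
ADMIN = [Authorization("S_RS_ADMWB", {"RSADMWBOBJ": ["INFOOBJECT"], "ACTVT": ["*"]})]
DEV = [Authorization("S_RS_IOBJ", {"RSIOBJ": ["ZSALES*"], "ACTVT": ["01", "02", "03"]})]

# Master data maintenance split by value range on a constructed reporting object ZCOSTCTR,
# whose field is the authorization-relevant characteristic itself.
USER_A = [Authorization("ZCOSTCTR", {"0COSTCENTER": [("1000", "1999")]})]
USER_B = [Authorization("ZCOSTCTR", {"0COSTCENTER": [("2000", "2999")]})]


def may_maintain_value(auths: List[Authorization], value: str) -> bool:
    """May this user maintain the master data record for one cost center value?"""
    return authority_check(auths, "ZCOSTCTR", {"0COSTCENTER": value})


if __name__ == "__main__":
    print("ADMIN changes 0COSTCENTER:", may_process_infoobject(ADMIN, "0COSTCENTER", "02"))
    print("DEV changes ZSALESORG:   ", may_process_infoobject(DEV, "ZSALESORG", "02"))
    print("DEV changes 0COSTCENTER: ", may_process_infoobject(DEV, "0COSTCENTER", "02"))
    print("USER_A maintains 1500:   ", may_maintain_value(USER_A, "1500"))
    print("USER_B maintains 1500:   ", may_maintain_value(USER_B, "1500"))
```

    Note that a field absent from an authorization is never satisfied, and that interval bounds compare as strings, so ranges only behave as intended when the values share a fixed width, as the 1000-1999 example does.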

  • mySAP BW Authorization Concept

    Implementation

  • Strategy for Authorizations

    Role Identification, First Requirements

    Authorization Requirements

    Authorization Design

    Implementation

    Test

    BW Authorization Requirements Collection Template (with suggested design rules)

    Authorization Concept ASAP Methodology

  • Authorization Tasks in the ASAP Roadmap: Project Preparation

    1. Functional scope definition.
    2. Project team member user IDs & roles definition.

  • 1. Role identification.
    2. First identification of the authorization relevant characteristics.
    3. Definition of an authorization strategy.

    Authorization Tasks in the ASAP Roadmap: Business Blueprint

  • 1. Collection of authorization requirements at the chosen level of detail.
    2. Profile design.
    3. Authorization implementation.

    Authorization Tasks in the ASAP Roadmap: Realization

  • 1. Test of authorizations.

    Authorization Tasks in the ASAP Roadmap: Final Preparation

  • Data Modeler (S_RS_RDEMO)

    System Administrator(s) (S_RS_RDEAD, S_RS_ROPAD & S_RS_ROPOP)

    Reporting User (S_RS_RREPU)

    Reporting Developer (S_RS_RREDE)

    mySAP BW Macro Roles

  • InfoCube-based Approach: You can collect the requirements allowing or not allowing for specific InfoCubes. If it's convenient, you can use the concept of InfoArea to allow or not allow a group of InfoCubes belonging to the same InfoArea. You can go into more detail if you limit the accessibility of a cube, allowing only part of it. We can call the sub-InfoCube which is limited by the authorizations assigned to a user a dataset. In BW a dataset can be defined according to characteristics, key figures, hierarchies and their combinations.

    Query Name-based Approach: For pure reporting users (not allowed to build new queries) you can use the query names to simplify the authorization design, creating specific queries for specific roles and allowing only certain query names. The disadvantage of this approach is that there's no relationship between query name and set of data, so new queries are potential security dangers.

    InfoCube Independent Dataset Approach: Before the data model you don't know the InfoCubes, but you can express authorization requirements through datasets, i.e. limitations on characteristics, key figures, hierarchies and their combinations at various levels of detail.

    Authorization Requirements Collection Approaches

  • The Authorization Accelerator

  • The Authorization Accelerator: A Bug

  • In Visual Basic, the Rem statement is used to add comments in the code.

    The bug is caused because there is no between False and Rem. To fix, add after False.

    The Authorization Accelerator: The Fix

  • HR Authorizations in BW 3.0

  • HR Key Figures / Standard Queries: approximately 140 predefined Queries and 200 Key Figures in 2.1C

    HR InfoCubes: 20 in 2.1C

    HR Extractors for R/3: 15 in 2.1C

    HR Business Content

  • Available Hierarchies in HR: Organizational Units, Cost Centers, Employees, Age, Capacity Utilization Level, Qualifications, Qualification Groups, Business Events, Business Event Groups

    Hierarchies as Characteristics for Navigation

  • Business Content in HR also contains standard calculations / templates for calculations (approximately 70 templates for standard calculations), such as predefined time series comparisons and calculation of averages

    Business Content: Calculations and Time Series

  • Similar to other functional areas, mySAP BW has a comprehensive access control concept operating at various levels for HR. Access authorization can be given:

    - for complete reports
    - for certain key figures (e.g. salary in an HR InfoCube)
    - even for certain characteristic values (e.g. a cost center)

    Access authorizations are granted and changed in the Authorization for Reporting transaction (RSSM).

    From 3.0, Online Data Storage (ODS) objects are utilized to provide structural authorizations in BW.

    HR Authorization Concept in BW

  • Bring Structural Authorization into the BW environment: selectively, or bring all R/3 Structural Authorizations

    Restrictions: active plan version only, without time-dependency; delivered content supports Organization, Position & EE only; the DataSource supports all object types from R/3, but additional customized update rules are required in BW

    An Accelerator will be available to guide implementation

    Authorization for Display Attributes: available in BW 2.0B since patch 7

    HR Structural Authorization

  • (Diagram: data flow of HR structural authorizations from R/3 OLTP to mySAP BW; recovered labels:)

    R/3 OLTP: R/3 Org. Structure; T77PR (Profile), T77UA (Assignment), T77UU (User); INDX Cluster; DataSources 0HR_PA_2 and 0HR_PA_3

    mySAP BW: PSA; Transfer Rules; Structural Authorizations ODSs 0PA_DS02 and 0PA_DS03; RSSM or Function Module; Security Check

    HR Structural Authorization

  • 1. Create Structural Authorization Profile (IMG or OOSP)
    2. Assign User to Profile (IMG or OOSB)
    3. Update T77UU table to include User Name
    4. Execute program RHBAUS00 to create INDX
    5. Activate 0HR_PA_2 & 3 DataSource in R/3 and BW
    6. Create 0HR_PA_2 & 3 InfoSource & Communications Structure
    7. Activate and load ODS from R/3
    8. Activate Target InfoObjects Authorization Relevant
    9. Create Authorization Object in RSSM
    10. Use RSSM or Execute RSSB Function Modules to generate BW Authorization
    11. Create Query with Authorization Variables

    Steps to Install Structural Authorization

  • HR Structural Authorization

  • (Diagram: sample organizational structure used in the demonstration; recovered labels:)

    Company: BW20 Incorporated, with Group 1 (BW20-01), Group 2 (BW20-02), Group 3 (BW20-03)

    Cost centers: 2001IT, 2001Market, 2001Sales, 2001FI, 2001HR

    Employees: 20010001 (Employee #1) through 20010014 (Employee #14)

    Scenario

  • Why an Automated Authorizations Generator: simplify the process to maintain InfoObject-level authorization; enable authorizations generated from R/3 and non-R/3 source systems; bring R/3 Structural Authorizations to BW via standard Business Content; full refresh on a customer-selected frequency

    Key Benefits: reduced redundant security setup; cross-system consistency

    Motivation and Benefits

  • Sourced from four types of ODS objects: Authorization Value ODS, Hierarchy ODS, Text ODS, User List ODS

    ODS population: from R/3 (HR Structural Authorizations) or from flat files

    New HR Structural Authorizations Business Content; new RSSM user interface

    Automatic Security Profile Generator

  • (Diagram: automatic profile generation architecture; recovered labels:)

    Sources: File, R/3, Other, each with a DataSource; BW S-API; Mapping & Transfer Rules; replicated Metadata

    SAP BW Server: InfoSource, Update Rules, BW Metadata; ODS objects Value, Hier., Text, User Assign (0TCA_DS01, 0TCA_DS02, 0TCA_DS03, 0TCA_DS04)

    T. Code RSSM: Generate Authorization <Auth Object>; InfoObjects 0TCTAUTHH, 0ORGUNIT, 0EMPLOYEE

    Automatic Profile Generation Architecture

  • Value ODS Object Overview

  • Hierarchy ODS Object Overview

  • Generating Authorizations in RSSM

  • Steps to Create Authorization from Flat Files

    Mark InfoObjects Auth. Relevant; define Reporting Auth Object via RSSM

    Create Authorization Value InfoSource & ODS: use 0TCA_DS01 as template; ODS name must be XXXX_DS01

    Create Authorization Hierarchy InfoSource & ODS: use 0TCA_DS02 as template; ODS name must be XXXX_DS02

    Create Update Rules & Flat Files for ODS Loads: date format = YYYYMMDD or per your default format; several objects can be defined as constants

    Define Reporting Object: in RSSM, find your ODSs & mark the Auth Object

    Generate Profiles via RSSM or RSSB program: exec RSSB_Generate_Authorizations

    Create Authorization Variable in Query Definition: define variables for Auth InfoObjects; include the variables in your queries

  • Authorizations in mySAP SEM

  • Authorizing Transaction Data in mySAP BW, for example: Cost Center, Profit Center, Personnel Number, etc.

    Authorizing Customizing Data in mySAP SEM (3.0A), for example: Global PI Sequence, Planning Profile, Planning Package, Planning Method, Planning Set, Planning Level, Planning Area

    Enhancements of Authorization Concept in SEM 3.0

  • Authorizations in Enterprise Portal

  • Enterprise Portal Sensitive Security Areas

    (Diagram with six numbered areas; recovered labels:)

    - Authentication
    - User Management
    - Secure Network
    - Secure Communication
    - Authorization
    - Single Sign-On
    - User Directory
    - Third Party System
    - Portal Server

  • (Diagram; recovered labels:)

    Central User Store, LDAP (XML): Registration, Authentication, Role Definition

    User; Portal Infrastructure; Web Application Server; Other Application Server; Exchange Infrastructure: Decentralized Role Assignment, Local Authorization Configuration

    mySAP Technology New User Management

  • Depending on what release you are currently on, the level of integration of your SAP systems with your corporate directories can differ.

    Recently, Directory Services and the Lightweight Directory Access Protocol (LDAP) have become the focal point for access to central organizational and configuration data across the entire system landscape.

    As of SAP Basis Release 4.5, Central User Administration and Global User Manager (1) functionalities exist within SAP systems via ALE.

    As of SAP Basis Release 4.6, access to corporate directories is facilitated from the SAP system with the LDAP Connector.

    With SAP Web Application Server 6.10 comes support for periodic synchronization of user data with your corporate directory using the LDAP Connector.

    (1) In September 2001, SAP advised all customers not to use the Global User Manager (Transaction SUUM) until further notice. Refer to OSS Note 433941.

    Central User Management

  • Contacts

    Mohamed Judi, [email protected]

    Business Intelligence & Technology, SAP Systems Integration America, LLC

    5 Concourse Parkway, Suite 925, Atlanta GA 30328

    http://www.sap-si.com

  • Thank you for attending! Please remember to complete and return your evaluation form following this session.

    Session Code: 1204