
BI Authorizations


© 2008 Wellesley Information Services. All rights reserved.

An A-to-Z Guide on How to Develop a Flexible Position-Based Security Model for SAP NetWeaver Business Intelligence

Tracey Brookes, Sapient Corp


What We’ll Cover …

• What makes a good BI security model?
• How and why to set up a flexible position-based model
  - Roles for BI user type
  - Special function roles
  - InfoArea and Data Target-level security
  - InfoObject-level security
• How to control ad hoc query creation using role menus
• How to leverage the company organizational hierarchy
• Wrap-up


What Makes A Good BI Security Model?

• Many mistakes in a bad security model come from applying SAP ERP security principles to a Business Intelligence (BI) model
  - An SAP ERP transaction code does not equal an SAP NetWeaver® BI transaction code
  - SAP NetWeaver BI is not transaction-driven, but data- and function-driven!
  - Which queries a user may display, execute, create, change or delete is controlled by the restrictions configured on authorization object S_RS_COMP (InfoArea, InfoProvider, component type, component name, activity); which data rows those queries may return is a separate, InfoObject-level decision (see InfoObject-level security)


What Should My Security Strategy Achieve?

• Recognize that positions and departments may change
• Recognize that people may change
• Recognize that roles need to be flexibly assembled so that they can be easily changed


BI Security Model Dos and Don’ts

• Do:
  - Use your organization’s structural hierarchy for role allocation
  - Use single roles
  - Document common transactions in only one role
  - Identify common elements across requirements and group accordingly
  - Capture distinct activities in one role, e.g., ad hoc query creation
  - Create a logical naming standard for InfoProviders and queries
  - Use wildcards (*) in the values restricting authorization objects; this is only safe if the naming standard is enforced, because a pattern such as ZM* also grants access to every future object whose name matches it
  - Separate roles that hold authorization objects from roles that hold menus
  - Separate roles that hold transported (standardized/certified) reports from roles that hold production-created (ad hoc) reports


BI Security Model Dos and Don’ts (cont.)

• Don’t:
  - Assign roles directly to user IDs
  - Use composite roles
  - Use one role to contain everything for a specific position (~ most SAP-delivered roles)


Using Your Organization’s Structural Hierarchy

• Do seek the benefits of using your organization’s structural hierarchy for role allocation
• Value in ( ) = SAP ERP (HR Organizational Management) object type

  Organizational Unit (O) / Work Center (A)
    Job (C)
      Position (S)
        Employee (P)
          User ID (US)

  Role (AG): indirect assignment to the Organizational Unit, Job or Position; direct assignment to the User ID


Using Your Organization’s Structural Hierarchy (cont.)

• Indirect Role Assignment
  - Allows authorizations to be inferred from the higher levels of the organizational hierarchy down to the lower levels
  - Single roles allocated across an organizational hierarchy thus function much as a composite role would; hence composite roles are no longer required
  - Added flexibility if employees change positions: roles do not have to be moved, because they are allocated to the position and not to the person
  - Authorizations follow the HR assignment as soon as the user master comparison (transaction PFUD / report RHAUTUPD_NEW, normally a scheduled job) has run, so there is no manual maintenance lag, and role assignment stays within the company’s security policy because access follows the approved position rather than an individual request


Using Your Organization’s Structural Hierarchy (cont.)

• Recognize the difference in role assignments (figure on the original slide: indirect assignments drawn in blue, the best approach; direct assignments in black)


Using Your Organization’s Structural Hierarchy (cont.)

• Since the use of the Organizational Hierarchy allows for inferring authorizations, there is no need for doubling up on the same authorizations or using composite roles
• No longer a need for one role to contain all authorizations for a requirement (~ SAP-delivered roles)
  - Purchasing Manager: Execute Business Explorer (BEx) Analyzer via RRMX; execute, create, and modify queries prefixed ZM*
  - Purchasing Operations: Execute Business Explorer (BEx) Analyzer via RRMX; execute queries prefixed ZM*


Using Your Organization’s Structural Hierarchy: Result

• S_TCODE values by BI user type (each type inherits the roles allocated above it in the hierarchy):

  BI user type               S_TCODE
  Query User                 RRMX
  Power User                 RRMX (inherited from Query User)
  Department Administrator   RRMX (inherited from Query User)
  BI Developer               RSA1, RRMX


Using Your Organization’s Structural Hierarchy: Result (cont.)

• S_RS_COMP values by BI user type (MM example):

  BI user type                 S_RS_COMP
  MM Query User                InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Display; Subobject = REP
  MM Power User                InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Create, Modify; Subobject = REP
  MM Department Administrator  InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Delete; Subobject = REP
  BI Developer                 n/a

** BI Developer infers all of the above under the hierarchy allocation scheme
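The inheritance the two result tables describe, as an added example that is not part of the presentation and not SAP code. It models roles as lists of authorization instances, attaches them to org nodes, and collects the effective authorizations by walking from a position up to the root, which is what the user master comparison materialises for the user. The org tree, the person IDs and the MM role names (ZBW_A_UT_PU_MM_ALL, ZBW_A_UT_DA_MM_ALL, ZBW_A_IA_MM_ALL, built by analogy to the FI names used later in the deck) are constructed for the example; the S_TCODE and S_RS_COMP values are the ones from the tables.

```python
"""Position-based (indirect) role assignment modelled in plain Python.

Added example; not code from the presentation or from SAP. The org tree,
the person IDs and the MM role names (built by analogy to the deck's FI
names) are constructed. A role attached to an org node is inherited by
every node below it, so each lower level only carries what is additional,
and moving a person to another position changes their effective
authorizations without editing any role.
"""
from dataclasses import dataclass, field
from typing import Optional


def value_matches(pattern: str, value: str) -> bool:
    """PFCG-style value matching: '*' alone means everything, a trailing '*'
    is a generic prefix (e.g. 'ZM*'), anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


@dataclass
class Auth:
    """One authorization instance (object + maintained field values).

    AUTHORITY-CHECK passes only if a single instance satisfies every field
    being checked; values from two different instances are never combined.
    """
    obj: str
    fields: dict  # field name -> list of maintained values

    def allows(self, **required: str) -> bool:
        return all(
            any(value_matches(p, want) for p in self.fields.get(fld, []))
            for fld, want in required.items()
        )


def s_rs_comp(infoarea: str, component: str, *activities: str) -> Auth:
    """S_RS_COMP restriction as in the tables: InfoArea, InfoProvider '*',
    component type REP, component name pattern, activities."""
    return Auth("S_RS_COMP", {
        "RSINFOAREA": [infoarea], "RSINFOCUBE": ["*"], "RSZCOMPTP": ["REP"],
        "RSZCOMPID": [component], "ACTVT": list(activities),
    })


# Single roles, one concern each (no composite roles, nothing duplicated).
ROLES = {
    "ZBW_A_UT_QU_AL_ALL": [Auth("S_TCODE", {"TCD": ["RRMX"]})],   # Query User (name from the deck)
    "ZBW_A_IA_MM_ALL":    [s_rs_comp("0MM*", "ZM*", "03", "16")],  # MM InfoArea role: display/execute (hypothetical name)
    "ZBW_A_UT_PU_MM_ALL": [s_rs_comp("0MM*", "ZM*", "01", "02")],  # MM Power User: create/change (hypothetical name)
    "ZBW_A_UT_DA_MM_ALL": [s_rs_comp("0MM*", "ZM*", "06")],        # MM Dept. Admin.: delete (hypothetical name)
    "ZBW_A_UT_DV_IT_ALL": [Auth("S_TCODE", {"TCD": ["RSA1"]})],   # BI Developer (name from the deck)
}


@dataclass
class OrgNode:
    """Org unit, job or position (HR object types O, C, S). Roles are
    allocated to the node, never to the person sitting in it."""
    name: str
    parent: Optional["OrgNode"] = None
    roles: list = field(default_factory=list)


# Constructed hierarchy loosely following the deck's Logistics example.
corporate = OrgNode("1000 Corporate", roles=["ZBW_A_UT_QU_AL_ALL"])
logistics = OrgNode("1001 Logistics Department", corporate, ["ZBW_A_IA_MM_ALL"])
pur_manager = OrgNode("Purchasing Manager", logistics, ["ZBW_A_UT_PU_MM_ALL"])
pur_operations = OrgNode("Purchase Operations 1", logistics)
mm_bi_admin = OrgNode("MM BI Administrator", pur_manager, ["ZBW_A_UT_DA_MM_ALL"])
bi_developer = OrgNode("BI Developer", mm_bi_admin, ["ZBW_A_UT_DV_IT_ALL"])

# Person -> position, the link HR keeps between P and S (constructed IDs).
ASSIGNMENTS = {"P-4711": pur_operations, "P-4712": pur_manager}


def effective_auths(node: OrgNode) -> list:
    """Walk from the position up to the root and collect every role's
    authorizations; this is what the user master comparison materialises."""
    auths = []
    while node is not None:
        for role in node.roles:
            auths.extend(ROLES[role])
        node = node.parent
    return auths


def authorized(person: str, obj: str, **required: str) -> bool:
    return any(a.obj == obj and a.allows(**required)
               for a in effective_auths(ASSIGNMENTS[person]))


def move(person: str, new_position: OrgNode) -> None:
    """Position change: only the HR assignment moves, no role is edited."""
    ASSIGNMENTS[person] = new_position


# A constructed MM query used for the checks below.
QUERY = dict(RSINFOAREA="0MM_PUR", RSINFOCUBE="0PUR_C01",
             RSZCOMPTP="REP", RSZCOMPID="ZM_PO_OVERVIEW")
```

Purchase Operations can execute the query (activity 16 comes from the Logistics node) but not create it; the Purchasing Manager can create it but has no RSA1 and nothing on a Finance query, because the ZM* pattern and the 0MM* InfoArea keep the role inside its department; moving P-4711 into the manager position changes what P-4711 may do without any role being touched.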



Pros and Cons of the SAP-Delivered Roles

• Pros
  - Provide a template for role analysis if no roles exist
  - Give ideas for role creation rather than building roles entirely from scratch
  - A good guideline when you have no experience in SAP NetWeaver BI security, but I don’t recommend them in general
  - Technical Content for areas like BI Statistics and the Administration Cockpit has SAP-delivered roles already configured for use; these contain all the complex iViews, queries, Web templates, and authorizations necessary for displaying the BI Statistics Technical Content, and will never change unless SAP updates them


Pros and Cons of the SAP-Delivered Roles (cont.)

• Cons
  - A lot of the delivered roles have been around since SAP BW 1.2b
  - Highly position-based at the lowest level; very specific
  - Roles are not unique: authorization objects are duplicated across roles
  - Use composite roles
  - Tend to require a lot of maintenance, since all of the roles need to be modified rather than one role radiating downwards through a tree
  - Not SOX compliant


Pros and Cons of the SAP-Delivered Roles (cont.)

• The one SAP-delivered role I would recommend using: SAP_SAP_BW_BI_ADMINISTRATOR. Why?
  - BI Technical Content consists entirely of SAP-delivered objects and thus requires no additional “tweaking” to make it work
  - If modifications are made to the BI Technical Content, SAP also updates the dependent role
  - BI Technical Content is the same across every Business Intelligence installation; thus it is not client-specific
  - BI Technical Content is segregated from the rest of the Data Warehouse
• Make sure you have the latest SAP modifications by using current versions of all the SAP-delivered objects related to the Administration Cockpit
• If you make enhancements or use your own naming convention in a copy of the role, you could fall behind on maintenance if BI Technical Content is reinstalled


How to Set up a (More) Flexible, Position-Based Model

• Let’s revisit a few statements:
  - “Since the use of the Organizational Hierarchy allows for inferring authorizations, there is no need for doubling up on the same authorizations or using composite roles.”
  - “No longer a need for one role to contain all authorizations for a requirement”
  - “BI is not transaction-driven but data- and function-driven”
• All authorizations can be grouped according to:
  - Function or action a user can perform
  - Data a user can view
• The roles defined in this presentation also work in an SAP NetWeaver BI 7.0 environment. However, they should be modified to incorporate the new authorization objects rolled out as part of that release.


How to Set up a (More) Flexible, Position-Based Model (cont.)

• User Actions
  - BI User Type Roles. Examples: Query User, Power User, Department Administrator, Developer
  - Special Function Roles. Examples: Release Transports, Delete InfoObject Master data
• User Data Viewed
  - InfoArea/Data Target Roles. Examples: MM, FI, HR, SD, PM; Supply Costing: Financial data assigned to MM users
  - InfoObject Restrictions (InfoObject/data-level security). Examples: 0COSTCENTER, 0CO_AREA
  - Menu Folder Roles. Example: Finance queries viewed only by the Finance Dept.


Four Key BI User Types

• BI Developer
• Department Administrator
• Power User
• Query User


Translating Requirements into User Role Types

• Identify tasks for each BI User Type
  - Transactions that are common between roles belong in the one role allocated to the highest level of the organization hierarchy
  - Transaction RRMX is assigned to the Query User role only; since the Query User role is allocated at a node higher than the other roles, the authorization is inherited down to the lower levels
• “1_Task Matrix.xls”
  - The document lists all tasks associated with each BI User Type role defined in this presentation
  - Your requirements may vary depending on your business, but these assignments were derived from more than one company


Four Key BI User Types

• BI User Type role definitions in this presentation are based on actions defined in the Task Matrix:

  Task                                                  SAP NetWeaver BI Dept. Admin.   Power User   Query User
  Execute BEx from SAPGUI (RRMX) or Start Programs      X                               X            X
  Execute queries/workbooks                             X                               X            X
  Create/Change own query (BWD/BWQ/BWP)                 X                               X
  Create/Change another user’s query (BWD/BWQ/BWP)      X
  Save ad hoc query to ad hoc menu role (BWD/BWQ/BWP)   X                               X
  Save standard query to standard menu role (BWD)       X
  Delete a query                                        X


1 – Query User Role

• Applies to ALL systems
• Ability to execute BEx Analyzer
  - S_TCODE: Transaction code = RRMX
  - S_GUI: Activity = 60, 61 (Import, Export); authorization for GUI activities, execution of workbooks
  - S_BDS_DS and S_BDS_D: Activity = 03, 30; Class Type = OT; authorization for the document set
  - S_GUI and S_BDS_DS together enable users to save workbooks to their Favorites folder


1 – Query User Role (cont.)

• InfoArea tab should not be seen on Query Open
  - S_RS_FOLD: Hide ‘Folder’ Pushbutton = X (True)


1 – Query User Role (cont.)

• Role usertype_queryuser_ZBW_A_UT_QU_AL_ALL that you can import into your system


2 – Power User Role

• Applies to ALL systems
• Ability to save queries to the Ad hoc Menu
  - S_USER_AGR: Activity = 01, 02, 22; Role Name = {based on role naming convention} ZBW_M_FI_D
  - Keep Role Name restricted to the department’s ad hoc menu role; a wildcard here would let the user write into every role’s menu
• Ability to create and change department ad hoc BEx queries …
  - S_RS_COMP: Activity = 01, 02; InfoArea = 0COOM; InfoCube = *; Component = ZF* (ad hoc); Type = REP
• … only where the query belongs to their own user ID
  - S_RS_COMP1: Activity = 02; Component = ZF*; Type = REP; Owner = $USER
• InfoArea tab should be seen on Query Open
  - S_RS_FOLD: Hide ‘Folder’ Pushbutton = ‘ ’ (False)
• Naming convention: Z* = Ad hoc queries; Y* = Certified/Standard queries


2 – Power User Role (cont.)

• Role usertype_poweruser_finance_ZBW_A_UT_PU_FI_ALL


2 – Power User Role (cont.)

• Individual user requirements would define the need for an SAP BW development-only role

• Only an example of the ALL role is supplied in this presentation


3 – BI Department Administrator Role

• Different authorizations apply to ALL systems and to BWD only
• Ability to modify queries in the Standard Menu (BWD)
  - S_USER_AGR: Activity = 01, 02, 06, 22; Role Name = {based on role naming convention} ZBW_M_FI_C
• Ability to modify department Standard BEx queries (BWD) …
  - S_RS_COMP: Activity = 01, 02, 06; InfoArea = 0COOM; InfoCube = *; Component = YF* (standard/transported); Type = REP
• … related to any user ID
  - S_RS_COMP1: Activity = 02, 06; Component = YF*; Type = REP; Owner = *
• Naming convention: Z* = Ad hoc queries; Y* = Certified/Standard queries


3 – BI Department Administrator Role (cont.)

• Role usertype_deptadmin_bwd_ZBW_A_UT_DA_FI_BWD


3 – BI Department Administrator Role (cont.)

• Ability to delete queries in the Department Menu (ALL)
  - S_USER_AGR: Activity = 06; Role Name = {based on role naming convention} ZBW_M_FI_D
• Ability to modify and delete department ad hoc BEx queries (ALL) …
  - S_RS_COMP: Activity = 06; InfoArea = 0COOM; InfoCube = *; Component = ZF* (ad hoc); Type = REP (create/change of ad hoc queries, activities 01 and 02, comes from the Power User role inherited through the hierarchy)
• … related to any user ID
  - S_RS_COMP1: Activity = 02, 06; Component = ZF*; Type = REP; Owner = *
• Where are Display (03) and Execute (16)? See the InfoArea/Data Target roles
• Naming convention: Z* = Ad hoc queries; Y* = Certified/Standard queries
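The combined S_RS_COMP / S_RS_COMP1 check that the Power User slide and the two Department Administrator slides rely on, as an added example that is not part of the presentation and not SAP code. The field values are the ones on those slides (InfoArea 0COOM, components ZF* and YF*, activities 01/02/06, owner $USER or *); the user IDs, query names, the InfoProvider and the BWD/BWP system IDs in the sample data are constructed. The Department Administrator is evaluated together with the Power User role because the hierarchy allocation makes it inherit that role; the reading that create (01) is governed by S_RS_COMP alone while change and delete of an existing query also pass S_RS_COMP1 for its owner is taken from the slides’ values.

```python
"""S_RS_COMP and S_RS_COMP1 evaluated together, with the $USER owner
pattern and the BWD-only versus ALL role split.

Added example, not code from the presentation or from SAP. The role values
are taken from the Power User and Department Administrator slides; the
users, query names, InfoProvider and system IDs below are constructed.
"""


def value_matches(pattern: str, value: str) -> bool:
    """'*' = all values, trailing '*' = generic prefix, otherwise exact."""
    if pattern == "*":
        return True
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == value


def s_rs_comp(component, *activities):
    return ("S_RS_COMP", {"RSINFOAREA": ["0COOM"], "RSINFOCUBE": ["*"],
                          "RSZCOMPTP": ["REP"], "RSZCOMPID": [component],
                          "ACTVT": list(activities)})


def s_rs_comp1(component, owner, *activities):
    return ("S_RS_COMP1", {"RSZCOMPTP": ["REP"], "RSZCOMPID": [component],
                           "RSZOWNER": [owner], "ACTVT": list(activities)})


# Power User: create/change own ad hoc (Z*) queries, in every system.
POWER_USER_FI_ALL = [s_rs_comp("ZF*", "01", "02"), s_rs_comp1("ZF*", "$USER", "02")]
# Dept. Admin. (BWD only): maintain standard (Y*) queries of any owner.
DEPT_ADMIN_FI_BWD = [s_rs_comp("YF*", "01", "02", "06"), s_rs_comp1("YF*", "*", "02", "06")]
# Dept. Admin. (ALL): delete ad hoc queries of any owner.
DEPT_ADMIN_FI_ALL = [s_rs_comp("ZF*", "06"), s_rs_comp1("ZF*", "*", "02", "06")]

# Roles held per system: ALL roles are transported, the BWD role is not.
# The Dept. Admin. inherits the Power User role through the hierarchy.
ROLES_BY_SYSTEM = {
    "BWD": {"power_user": POWER_USER_FI_ALL,
            "dept_admin": DEPT_ADMIN_FI_BWD + DEPT_ADMIN_FI_ALL + POWER_USER_FI_ALL},
    "BWP": {"power_user": POWER_USER_FI_ALL,
            "dept_admin": DEPT_ADMIN_FI_ALL + POWER_USER_FI_ALL},
}


def check(auths, obj, user, **required):
    """AUTHORITY-CHECK semantics: one authorization instance must satisfy
    every checked field. $USER in the owner field is replaced by the user
    running the check, so one role serves every power user."""
    for o, fields in auths:
        if o != obj:
            continue
        patterns = {f: [user if p == "$USER" else p for p in v] for f, v in fields.items()}
        if all(any(value_matches(p, want) for p in patterns.get(f, []))
               for f, want in required.items()):
            return True
    return False


def may(user, user_type, system, query, activity):
    """Create (01) needs S_RS_COMP for the component. Change (02) and
    delete (06) of an existing query additionally need S_RS_COMP1 for its
    owner; that is what keeps a power user inside their own Z* queries."""
    auths = ROLES_BY_SYSTEM[system][user_type]
    comp_ok = check(auths, "S_RS_COMP", user, RSINFOAREA=query["infoarea"],
                    RSINFOCUBE=query["infoprovider"], RSZCOMPTP="REP",
                    RSZCOMPID=query["name"], ACTVT=activity)
    if activity == "01":
        return comp_ok
    comp1_ok = check(auths, "S_RS_COMP1", user, RSZCOMPTP="REP",
                     RSZCOMPID=query["name"], RSZOWNER=query["owner"], ACTVT=activity)
    return comp_ok and comp1_ok


# Constructed sample queries: Z* = ad hoc, Y* = certified/standard.
def _q(name, owner):
    return dict(name=name, infoarea="0COOM", infoprovider="0COOM_C02", owner=owner)


QUERIES = {
    "ZF_AP_AGING": _q("ZF_AP_AGING", "ALICE"),
    "ZF_CC_ACTUALS": _q("ZF_CC_ACTUALS", "BOB"),
    "YF_COPA_STD": _q("YF_COPA_STD", "DEVTEAM"),
    "ZF_NEW": _q("ZF_NEW", "ALICE"),
}
```

ALICE, a Finance power user, can create ZF_NEW and change her own ZF_AP_AGING but not BOB’s ZF_CC_ACTUALS, nor delete anything, nor touch a YF* query; CAROL, the department administrator, can change and delete any ZF* query in every system, but YF_COPA_STD only in BWD, because the role that allows it is not transported.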


3 – BI Department Administrator Role (cont.)

• Role usertype_deptadmin_all_ZBW_A_UT_DA_FI_ALL


• Ability to display all Master Data related to Finance
• Master Data viewable in ALL systems


4 – BI Developer Role

• All query-development authorizations are already held by the Power User and Department Administrator classifications, which the BI Developer inherits through the hierarchy
• BI Developer roles have two different role distinctions, similar to the BI Department Administrator
  - SAP BW developer-only: this role is not transported
  - ALL: this role is transported and is applicable to the SAP NetWeaver BI Dev, QA, and Prod environments
• Due to the number of tasks and the size, screenshots of this role are not included in this presentation. Refer to the take-home CD.
  - Role usertype_developer_all_ZBW_A_UT_DV_IT_ALL
  - Role usertype_developer_bwd_ZBW_A_UT_DV_IT_BWD


Organizational Hierarchy and BI User Type Impacts

• Example hierarchy from the original figure (which role is allocated at which node is shown graphically on the slide; the roles involved are the Query User Role, the MM Power User Role and the MM Dept. Admin. Role):

  1000 Corporate
    1001 Logistics Department
      Job_1
        1001001 Purchasing Manager
        1002111 Purchase Operations 1
        1002112 Purchase Operations 2
    1002 Finance Department
      Job_2


Special Function Roles

• Special Function roles are distinct from the mainstream roles: they cover functions that are assigned temporarily or address one-off scenarios
• Highly company-dependent
• Give a temporary assignment an end date on the role assignment itself, so that the extra authorization expires instead of depending on someone remembering to remove it
• Examples:
  - Display Data Warehousing Workbench: assigned to BI Department Administrators during the testing phase
  - Release Transports: when BI Developers are not permitted to release transports, a super user reviews and releases them; assigned to BI Department Administrators for controlling BEx transport releases in their area alone


Special Function Roles (cont.)

• Examples:
  - Delete Data from Data Targets: assigned to control data maintenance. Data is not owned by, nor the responsibility of, the BI Developer; it is owned by the responsible functional areas or the business analysts assigned to them
  - Maintenance of Master Data: in this solution, master data maintenance is tasked to the appropriate department’s BI Administrator; it could be split out into a special function depending on company requirements; each master data object is owned by exactly one department


InfoArea and Data Target-Level Security

• S_RS_COMP values by BI user type (MM example):

  BI user type                 S_RS_COMP
  MM Query User                InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Display; Subobject = REP
  MM Power User                InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Create, Modify; Subobject = REP
  MM Department Administrator  InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Delete; Subobject = REP
  BI Developer                 n/a


InfoArea and Data Target-Level Security (cont.)

• SAP NetWeaver BI 7.x has impacted these role classifications
  - S_RS_COMP is still valid
  - The use of S_RS_ICUBE, S_RS_ISET, S_RS_ODSO, and S_RS_MPRO has changed


InfoArea and Data Target-Level Security (cont.)

• SAP states the following on help.sap.com (Authorization Objects for InfoProvider Access):
  “The authorization objects S_RS_ICUBE, S_RS_MPRO, S_RS_ISET, and S_RS_ODSO will no longer be checked during query processing. Instead, the check is performed using special characteristics 0TCAIPROV, 0TCAACTVT, and 0TCAVALID. These authorization objects are offered during migration configuration as a migration option. If you select these authorization objects, authorizations for these special characteristics are generated according to the entries in the Activity and the associated field for the corresponding InfoProvider and then assigned to the users.”
• What does this mean and what are the impacts? Where to find it: http://help.sap.com/saphelp_nw70/helpdata/en/ad/8f7842fdb70f53e10000000a155106/frameset.htm

Whereto

FIND it

Whereto

FIND it

41

InfoArea and Data Target-Level Security (cont.)

• After you migrate to the new Reporting Analysis Authorization concept, the following authorization restriction combinations are no longer needed:
  - S_RS_ICUBE, S_RS_IOBJ, S_RS_ISET, S_RS_MPRO with Activity: 03, Subobject: DATA

• The above restrictions can be removed from existing roles, as they have been replaced by the restrictions defined on authorization object S_RS_AUTH, created under transaction RSECADMIN (RSECADMIN replaces transaction RSSM for building InfoObject-level security)


42

InfoArea and Data Target-Level Security (cont.)

• Pre BI 7.x (obsolete concept enabled): authorization objects shown as INACTIV should be active, as they are still used

• The following illustrates post BI 7.x (new Reporting Analysis Concept enabled), and thus INACTIV status:

43

InfoArea and Data Target-Level Security (cont.)

• The InfoArea/Data Target role should be created to look like the following illustration on version BI 7.x when the Reporting Analysis Concept has been switched to the new concept

  Illustration: InfoArea/Data Target role for FICO (all), ZBW_A_DT_0FMCO_ALL

44

InfoArea and Data Target-Level Security (cont.)

• Organizational Hierarchy (figure reconstructed from its labels, in figure order; the InfoAreas/Data Targets are placed beside the org tree)

  1000 Corporate
    1001 Logistics Department
    Job_1, 1001001 Purchasing Manager
    1002111 Purchase Operations 1
    1002112 Purchase Operations 2
    Job_2
    1002 Finance Department

  InfoAreas shown alongside the tree:
    0SCM Supply Chain Management InfoArea
    ZFPU_M01 Goods Receipts (Finance)
    0FI Finance InfoArea (includes 0FICO InfoArea)



46

InfoObject Level Security

• Prior to SAP NetWeaver BI 7.x (SAP BW 2.x, 3.x)
  - RSSM: transaction used to create InfoObject-level security roles automatically

• Now with SAP NetWeaver BI 7.x
  - RSECADMIN: transaction used to create InfoObject-level security roles automatically
  - Program RSEC_MIGRATION: program that assists in migrating SAP BW 3.x authorization objects to the new BI 7.x format

For more information on InfoObject-level security concepts for either SAP BW 3.x or SAP NetWeaver BI 7.x, please refer to the presentation "Options, Strategies, and Best Practices for Migrating to and Using SAP NetWeaver Business Intelligence 7.0 Authorization Concepts"

47

InfoObject Level Security (cont.)

• Organizational Hierarchy (figure reconstructed from its labels, in figure order; the analysis authorizations are placed beside the org tree; this is based on BI 7.x concepts)

  1000 Corporate
    1001 Logistics Department
    Job_1, 1001001 Purchasing Manager
    1002111 Purchase Operations 1
    1002112 Purchase Operations 2
    Job_2
    1002 Finance Department

  Authorizations shown alongside the tree:
    Enterprise-wide Authorization Object (ZBI_ALL), where ZBI_ALL = 0BI_ALL – FI restriction
    Cost Center Restrictions (ALL)
    Cost Center Restrictions (1001 ONLY)
    Cost Center Restrictions (2* – 3*)
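To make the inheritance and the check concrete, here is an added Python model (not the deck's or SAP's code) of indirect assignment over this org tree plus a simplified, union-of-values version of the BI 7.x analysis-authorization check on 0TCAIPROV, 0TCAACTVT and one authorization-relevant characteristic. The node-to-authorization mapping, the placement of the two Purchase Operations positions under Logistics, the characteristic 0COSTCENTER and the InfoProvider names are assumptions.

```python
"""Toy model (added example, not the deck's or SAP's code) of indirect role
assignment through the HR-ORG tree, where a role attached to a high node
automatically reaches every lower node, and a BI 7.x style analysis-
authorization check.  The check is a simplified union-of-values model."""
from fnmatch import fnmatchcase

# HR-ORG tree from the deck, child -> parent.  Placing the two Purchase
# Operations positions under Logistics (1001) is an assumption.
ORG_PARENT = {
    "1001": "1000",     # Logistics Department under 1000 Corporate
    "1002": "1000",     # Finance Department under 1000 Corporate
    "1001001": "1001",  # Purchasing Manager (Job_1)
    "1002111": "1001",  # Purchase Operations 1 (assumed under Logistics)
    "1002112": "1001",  # Purchase Operations 2 (assumed under Logistics)
}

# Analysis authorizations (what RSECADMIN creates and S_RS_AUTH references).
# '*' is the SAP wildcard.  Constructed values: ZBI_ALL is read as "0BI_ALL
# minus the FI restriction", i.e. full access except that it grants no
# cost-center values; the ZCC_* authorizations supply those per org node.
ANALYSIS_AUTHS = {
    "ZBI_ALL": {"0TCAIPROV": ["*"], "0TCAACTVT": ["03"], "0TCAVALID": ["*"]},
    "ZCC_ALL": {"0COSTCENTER": ["*"]},          # Cost Center Restrictions (ALL)
    "ZCC_1001": {"0COSTCENTER": ["1001"]},      # Cost Center Restrictions (1001 ONLY)
    "ZCC_2TO3": {"0COSTCENTER": ["2*", "3*"]},  # Cost Center Restrictions (2* - 3*)
}

# Which authorization is attached to which org node (assumed mapping).
NODE_AUTHS = {
    "1000": ["ZBI_ALL"],
    "1002": ["ZCC_ALL"],
    "1001": ["ZCC_1001"],
    "1002111": ["ZCC_2TO3"],
    "1002112": ["ZCC_2TO3"],
}

# Authorization-relevant characteristics per InfoProvider (assumed).
PROVIDER_CHARS = {
    "0FICO_C01": ["0COSTCENTER"],  # constructed finance cube
    "ZFPU_M01": [],                # Goods Receipts (Finance), assumed none
}


def effective_auths(node):
    """Authorizations a holder of `node` receives: its own plus everything
    inherited from ancestor nodes (indirect assignment), root first."""
    names = []
    while node is not None:
        names = NODE_AUTHS.get(node, []) + names
        node = ORG_PARENT.get(node)
    return names


def allowed_values(node, characteristic):
    """Union of authorized value patterns for one characteristic."""
    patterns = set()
    for name in effective_auths(node):
        patterns.update(ANALYSIS_AUTHS[name].get(characteristic, []))
    return patterns


def _covered(value, patterns):
    return any(fnmatchcase(value, p) for p in patterns)


def check_query(node, infoprovider, activity="03", selection=None):
    """Return (allowed, reason) for a query run by a holder of `node`.

    Every auth-relevant characteristic of the InfoProvider must be covered;
    one the query does not filter on is treated as a request for '*', so it
    is only authorized when the user holds the full '*' value for it."""
    selection = dict(selection or {})
    request = {"0TCAIPROV": [infoprovider], "0TCAACTVT": [activity]}
    for char in PROVIDER_CHARS.get(infoprovider, []):
        request[char] = selection.get(char, ["*"])
    for char, values in request.items():
        patterns = allowed_values(node, char)
        for value in values:
            if not _covered(value, patterns):
                return False, f"{char}={value} not covered by {sorted(patterns)}"
    return True, "authorized"


if __name__ == "__main__":
    for node, sel in [("1001001", {"0COSTCENTER": ["1001"]}),
                      ("1001001", {"0COSTCENTER": ["2500"]}),
                      ("1002111", {"0COSTCENTER": ["2500", "3100"]}),
                      ("1001001", None),
                      ("1002", None)]:
        print(node, check_query(node, "0FICO_C01", selection=sel))
```

The unfiltered query by the Purchasing Manager is refused because the inherited cost-center authorization is 1001 only, while the Finance node's ALL authorization covers the implicit '*'.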



49

How to Control Ad Hoc Query Creation Using Menus in Roles

• What are menu folder roles?
  - Areas that define the folder structures in which workbooks and queries are saved for storage in SAP NetWeaver BI and accessed by other SAP NetWeaver BI users
  - They are defined by the Basis team under the PFCG transaction code in the role's Menu tab and are separate from Authorization Roles
  - SAP NetWeaver BI users can access the queries and workbooks stored in the Menu roles from the BEx Analyzer under the Role tab

50

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• What are menu folder roles? (cont.)
  - Ad hoc menu folder roles: capture reports that users have created directly in the production environment, where users want to circulate them to a greater audience (e.g., a department)
  - Standard (Certified) menu folder roles: capture reports that users have created in development and transported to production. They are certified through quality, usually tested thoroughly for performance, and follow company query design standards


51

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• Accessing Menu Folder Roles from SAPGUI

52

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• Accessing Menu Folder Roles from SAP BEx Analyzer

53

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• Rules to prevent loss of information
  - Initially, both ad hoc and Standard/Certified menu roles should be created in SAP NetWeaver BI Development and transported through the system landscape
  - On-going maintenance or adjustments to Standard/Certified Menus will still be conducted in the development environment
  - On-going maintenance or adjustments to ad hoc menus will be made directly in the affected system and never be transported again after the initial folder setup, to prevent query/folder overwriting during transport
  - Any additional folders need to be added manually in the Production environment
  - All transported queries and workbooks need a menu role assigned; otherwise, they cannot be viewed by the users


54

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• DO separate roles that have authorization objects and menus
• DO separate roles that hold reports that are transported (standardized/certified) versus production-created reports (ad hoc)
• But why?
  - Authorizations and menus operate on a different modification schedule: menus get updated more frequently with queries, workbooks, and Web reports
  - Ensures ad hoc queries, workbooks, and Web reports created in a Production system are not overwritten by the same role after transporting from Development: two separate roles, one ad hoc (Production-developed objects) and one standard/certified (Development-created objects), should be used

55

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• Ad hoc query creation is controlled through menus and naming conventions under the BI User Type definitions

• Correct setup (figure reconstructed from its labels; the Standard Menu is the one transported from BWD to BWP, while each ad hoc menu stays local to its system):

  BW Dev. (BWD)                 BW Prod. (BWP)
  Standard Menu                 Standard Menu
    Y* Standard Query             Y* Standard Query
    Standard Workbooks            Standard Workbooks
    Standard Web Reports          Standard Web Reports
  BWD Ad hoc Menu               BWP Ad hoc Menu
    Z* Ad hoc Query               Z* Ad hoc Query
    Ad hoc Workbooks              Ad hoc Workbooks
    Ad hoc Web Reports            Ad hoc Web Reports

56

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• Incorrect setup overwrites any ad hocs created in BWP

  Incorrect setup (figure reconstructed from its labels): a single menu role in BWD holds both kinds of objects

  BWD
  One Menu
    Y* Standard Query
    Standard Workbooks
    Standard Web Reports
    Z* Ad hoc Query (BWD)
    Ad hoc Workbooks (BWD)
    Ad hoc Web Reports (BWD)


57

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• Incorrect setup overwrites any ad hocs created in BWP (cont.)

  Incorrect setup (figure reconstructed from its labels): the same One Menu role exists in both systems, and BWP users have saved their own ad hoc objects into it

  BWD                           BWP
  One Menu                      One Menu
    Y* Standard Query             Y* Standard Query
    Standard Workbooks            Standard Workbooks
    Standard Web Reports          Standard Web Reports
    Z* Ad hoc Query (BWD)         Z* Ad hoc Query (BWP)
    Ad hoc Workbooks (BWD)        Ad hoc Workbooks (BWP)
    Ad hoc Web Reports (BWD)      Ad hoc Web Reports (BWP)

58

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• Incorrect setup overwrites any ad hocs created in BWP (cont.)

  Incorrect setup (figure reconstructed from its labels): after the One Menu role is transported again, the BWD ad hoc objects land on top of the BWP ones

  BWD                           BWP
  One Menu                      One Menu
    Y* Standard Query             Y* Standard Query
    Standard Workbooks            Standard Workbooks
    Standard Web Reports          Standard Web Reports
    Z* Ad hoc Query (BWD)         Z* Ad hoc Query (BWD) overwrites Z* Ad hoc Query (BWP)
    Ad hoc Workbooks (BWD)        Ad hoc Workbooks (BWD) overwrites Ad hoc Workbooks (BWP)
    Ad hoc Web Reports (BWD)      Ad hoc Web Reports (BWD) overwrites Ad hoc Web Reports (BWP)
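The overwrite in the incorrect setup, and why the separate ad hoc menu role avoids it, as an added Python simulation (not from the deck or SAP): a transport replaces the whole menu of the role in BWP, the Y*/Z* naming convention is enforced per dedicated role, and an ad hoc menu role is never retransported after its initial folder setup. Role names, the _STD/_ADHOC suffixes and the query names are constructed.

```python
"""Added example (not the deck's or SAP's code): simulates how a transported
menu role overwrites ad hoc objects saved in production, and how the deck's
separate ad hoc / standard menu roles avoid it.  All names are constructed."""


def is_standard(name):
    """Deck naming convention: Y* = standard (certified, transported) object."""
    return name.upper().startswith("Y")


def is_adhoc(name):
    """Deck naming convention: Z* = ad hoc object created in production."""
    return name.upper().startswith("Z")


class Landscape:
    """BW Dev (BWD) and BW Prod (BWP); each holds role -> set of menu entries."""

    def __init__(self):
        self.systems = {"BWD": {}, "BWP": {}}
        self.initially_transported = set()

    def menu(self, system, role):
        return self.systems[system].setdefault(role, set())

    def save_into_role(self, system, role, entry):
        """Save a query/workbook into a menu role.  Roles dedicated to one
        kind (constructed suffixes _STD / _ADHOC) enforce the naming rule."""
        if role.endswith("_STD") and not is_standard(entry):
            raise ValueError(f"{entry}: only Y* standard objects belong in {role}")
        if role.endswith("_ADHOC") and not is_adhoc(entry):
            raise ValueError(f"{entry}: only Z* ad hoc objects belong in {role}")
        self.menu(system, role).add(entry)

    def transport(self, role):
        """Transport the role from BWD to BWP: the BWP menu is replaced
        wholesale.  Per the deck's rule, an ad hoc menu role is transported
        once for the initial folder setup and never again."""
        if role.endswith("_ADHOC") and role in self.initially_transported:
            raise RuntimeError(f"{role}: ad hoc menu roles are not retransported")
        self.systems["BWP"][role] = set(self.menu("BWD", role))
        self.initially_transported.add(role)


def incorrect_one_menu_setup():
    """One menu role holds both standard and ad hoc objects (slides 56-58).
    Returns the BWP menu after the second transport."""
    ls = Landscape()
    ls.save_into_role("BWD", "ZBW_M_FICO", "Y_FI_SALES")     # standard query in dev
    ls.transport("ZBW_M_FICO")                                # initial transport
    ls.save_into_role("BWP", "ZBW_M_FICO", "Z_FI_ADHOC_01")   # ad hoc query made in prod
    ls.save_into_role("BWD", "ZBW_M_FICO", "Y_FI_MARGIN")    # new standard query in dev
    ls.transport("ZBW_M_FICO")                                # retransport: prod ad hoc lost
    return sorted(ls.menu("BWP", "ZBW_M_FICO"))


def correct_separate_menu_setup():
    """Separate standard and ad hoc menu roles (slide 55).
    Returns both BWP menus after the second transport."""
    ls = Landscape()
    ls.save_into_role("BWD", "ZBW_M_FICO_STD", "Y_FI_SALES")
    ls.transport("ZBW_M_FICO_STD")
    ls.transport("ZBW_M_FICO_ADHOC")                          # initial (empty) folder setup
    ls.save_into_role("BWP", "ZBW_M_FICO_ADHOC", "Z_FI_ADHOC_01")
    ls.save_into_role("BWD", "ZBW_M_FICO_STD", "Y_FI_MARGIN")
    ls.transport("ZBW_M_FICO_STD")                            # only the standard menu moves
    return {role: sorted(ls.menu("BWP", role))
            for role in ("ZBW_M_FICO_STD", "ZBW_M_FICO_ADHOC")}


if __name__ == "__main__":
    print("incorrect:", incorrect_one_menu_setup())
    print("correct:  ", correct_separate_menu_setup())
```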

59

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• How to set up a Menu role in transaction PFCG
  - The Menu light will be red if the Menu folders are empty. This is okay for the initial setup.
  - The Authorization light will remain red, as Authorizations and Menus are defined in two separate roles


60

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• Organizational Hierarchy (figure reconstructed from its labels, in figure order; the menu folder roles are placed beside the org tree)

  1000 Corporate
    1001 Logistics Department
    Job_1, 1001001 Purchasing Manager
    1002111 Purchase Operations 1
    1002112 Purchase Operations 2
    Job_2
    1002 Finance Department

  Menu folders shown alongside the tree:
    Logistics Department Menu Folders (both Ad hoc and Standard Menus)
    Finance Department Menu Folders (both Ad hoc and Standard Menus)
    Corporate Menu Folders

61

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• Loss of functionality in SAP NetWeaver BI 7.x
  - The Enter in Role feature is no longer supported in BEx

GOTCHA!

62

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• So how can you get queries and workbooks into Menus?
  - Queries: can still be saved into the role. This doesn't create a new technical ID.
  - Workbooks: cannot be saved into the role, as this would create a new technical ID

• Tip – Workaround for saving reports/workbooks into menu roles
  - Option 1: Use the old SAP BW 3.x tools to assign them. This doesn't affect the version the query is developed in.
  - Option 2 (alternatively): Go into transaction PFCG and assign the reports/workbooks manually. You may need to review your authorization strategy for this, since transaction PFCG is usually a Security Administrator's role only.


63

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)

• Tip – Go into transaction PFCG and assign the reports/workbooks manually:


65

How to Distribute the HR Organization Structure

• Cannot use the normal BI extraction toolset under the Data Warehouse Workbench (transaction RSA1)
  - SAP NetWeaver BI master data extraction of InfoObject 0ORGUNIT populates the data warehouse
  - The HR Organization Structure used for role allocation is separate from the data warehouse and thus functions differently (e.g., distribute method and loading outside of the SAP NetWeaver BI ETL toolsets)

• Prerequisites
  - Infotype 0105 is maintained
  - Table T77S0, Group PLOGI, Semantic Abbreviation PLOGI has 01 Active Plan version in both systems
  - All users must exist in both systems (Central User Administration [CUA] distribution)


66

How to Distribute the HR Organization Structure (cont.)

• Six steps to distribution
  1. Create the HR-ORG distribution model (view of the entire tree) in the source system (e.g., SAP ERP)
  2. Generate partner profiles in the SAP ERP and CUA systems
  3. If the employee (P) object type is undefined in the source system, create an outbound filter using the customer exit in the source system
  4. Activate the change pointers; write change pointers in Infotype 0105
  5. Distribute the initial HR-ORG hierarchy
  6. Distribute changes to the HR-ORG hierarchy

• Refer to the document "Indirect Role Assignment using HR-ORG.pdf" for greater details

67

How to Distribute the HR Organization Structure (cont.)

• Potential issues
  - The model doesn't distribute. Under step "Creating an HR-ORG Distribution Model in the Sending System," the filter definitions for the HR System as Target System may not work as documented
    Solution: Create different Filter Groups; run different parameters during initialization and delta of objects. Refer to the document "Indirect Role Assignment using HR-ORG Supplement.doc" for greater details
  - The model isn't found in the target system under the CUA model, although it is successfully distributed
    Solution: Schedule the report RPDAPP01 with type HRMD_ABA

68

How to Allocate Roles Using HR Organization Structure

• Ensure the Organization Model setting is active
  - Execute transaction PFCG
  - Select Goto > Settings
  - Choose the option "Complete view (Organizational Management and workflow)"


69

How to Allocate Roles Using HR Organization Structure (cont.)

• Nine steps to HR-ORG role allocation
  1. Execute transaction PFCG
  2. Specify the role for assignment
  3. Choose the User tab page
  4. Click the Organizational Mgmt button
  5. Click the Assignment button
  6. Choose Agent Type Organizational unit
  7. Enter Search term * and select the Org tree icon. The HR-ORG is displayed.
  8. Select the node for allocation. Choosing a high node auto-selects the lower-level nodes.
  9. Specify the relationship validity period. Create.

70

How to Allocate Roles Using HR Organization Structure (cont.)

• Step 1 – Execute transaction PFCG
• Step 2 – Specify the role for assignment
• Step 3 – Choose the User tab page
• Step 4 – Click the Organizational Mgmt button

71

How to Allocate Roles Using HR Organization Structure (cont.)

• Step 5 – Click the Assignment button
  - Any user IDs that appear green in the tree have been directly assigned to the role


72

How to Allocate Roles Using HR Organization Structure (cont.)

• Step 6 – Choose Agent Type Organizational unit
• Step 7 – Enter Search term * and select the Org tree icon

73

How to Allocate Roles Using HR Organization Structure (cont.)

• Step 8 – Select the node for allocation

74

How to Allocate Roles Using HR Organization Structure (cont.)

• Step 9 – Specify the relationship validity period. Create.


75

How to Allocate Roles Using HR Organization Structure (cont.)

• Result of the allocation from the HR-ORG tree perspective:
• Organization levels that appear blue in the tree have had Indirect role assignments allocated. Green highlights are Direct role assignments.

76

How to Allocate Roles Using HR Organization Structure (cont.)

• Result of the allocation from the role perspective defined under transaction PFCG (screenshot labels: Direct, Indirect)



78

Query User Example (Direct User Assignment)

79

Power User Example (Direct User Assignment)

80

BI Department Administrator Example (Direct User Assignment)


81

Resources

• SAP Service Marketplace note 934848 "Collective note: (FAQ) BI Administration Cockpit"
• Documentation BI Administration Cockpit: http://help.sap.com/saphelp_nw70/helpdata/en/43/15c54048035a39e10000000a422035/content.htm
• Documentation BI Query Runtime Statistics: http://help.sap.com/saphelp_nw70/helpdata/en/ef/372242c4e05033e10000000a155106/content.htm
• How to Upload Roles into your BI System: "How to Upload the Roles.doc"
• Indirect Role Assignments: http://help.sap.com/saphelp_nw04/helpdata/en/8b/3c713eeaac5441e10000000a114084/frameset.htm
  - "Indirect Role Assignment Using HR-ORG.PDF"
  - "Indirect Role Assignment Using HR-ORG Supplement.doc"

82

Resources (cont.)

• Indirect Role Assignments (cont.) – SAP Service Marketplace (https://websmp109.sap-ag.de/notes *)
  - SAP Note 200343: HR-CA-ALE: Composite SAP Note Re Distributing HR Master Data
  - SAP Note 363187: HR-CA-ALE: Initial Distribution w. HRMD_A/HRMD_ABA (hint)
  - SAP Note 200066: HR-CA-ALE: Q&A for Setting Up HR-ALE Scenarios. This note contains links to the QuickStart documentation for ALE and the ALE HR business processes
  - SAP Note 581019: Distribute PFCG HR-ORG model for indirect role assignment

83

7 Key Points to Take Home

• Use the HR Organizational Hierarchy to distribute roles across an organization
• Allocate roles to positions, jobs, and organizational unit nodes and not to a user's logon ID
• Capture common transactions at the highest point defined in the dependency of BW User Types
  - E.g., if an action is required by both Power User and Department Administrator, modify the Power User role
• Use Single roles and allow the hierarchy to build the combined "composite-like" authorizations


84

7 Key Points to Take Home (cont.)

• More effort is required in the initial setup of a flexible model. However, an inflexible one requires higher on-going maintenance and is more prone to security inconsistencies.

• Separate roles that control user actions from roles that control viewing of data

• Separate roles that have authorizations defined within them from roles that contain only menus, as the two operate on different maintenance schedules
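To make the position-based model above concrete, here is an added example (not code from the presentation or from SAP): single roles hang on org units, jobs and positions, a user's effective role set is built by walking the HR hierarchy rather than being assigned to a logon ID, and action roles are kept apart from data roles. RRMX and RSA1 are real BW transaction codes; the role names, org units and InfoArea names are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    """A single role: either 'action' (what a user may do) or 'data' (what a user may see)."""
    name: str
    kind: str
    grants: frozenset  # transaction codes for action roles, InfoAreas for data roles


@dataclass
class OrgUnit:
    name: str
    parent: "OrgUnit | None" = None
    roles: list = field(default_factory=list)


@dataclass
class Job:
    name: str
    roles: list = field(default_factory=list)


@dataclass
class Position:
    name: str
    org_unit: OrgUnit
    job: Job
    roles: list = field(default_factory=list)


def effective_roles(position: Position) -> set:
    """Roles inherited from the position, its job, and every org unit up to the root."""
    roles = set(position.roles) | set(position.job.roles)
    unit = position.org_unit
    while unit is not None:          # climb the org tree: the 'composite-like' set emerges here
        roles |= set(unit.roles)
        unit = unit.parent
    return roles


def allowed(position: Position, kind: str, item: str) -> bool:
    """True if any inherited role of the given kind grants the item (tcode or InfoArea)."""
    return any(item in r.grants for r in effective_roles(position) if r.kind == kind)


def build_sample_org():
    """Constructed sample hierarchy: data role on the parent unit, common tcode on the job."""
    finance = OrgUnit("Finance", roles=[Role("Z_DATA_FI", "data", frozenset({"FI_GL"}))])
    payables = OrgUnit("Accounts Payable", parent=finance)
    power_user = Job("Power User", roles=[Role("Z_BW_POWER_USER", "action", frozenset({"RRMX"}))])
    dept_admin = Position("AP Dept Admin", payables, power_user,
                          roles=[Role("Z_BW_DEPT_ADMIN", "action", frozenset({"RSA1"}))])
    analyst = Position("AP Analyst", payables, power_user)
    return dept_admin, analyst
```

Because RRMX sits on the Power User job rather than being repeated in the Department Administrator role, both positions inherit it, and moving a person to another position changes their access without any change to a user master record.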

85

Your Turn!

How to contact me: Tracey Brookes

[email protected]


Page 30: BI Authorizations


Page 31: BI Authorizations


Page 32: BI Authorizations

Wellesley Information Services, 990 Washington Street, Suite 308, Dedham, MA 02026
