Upload
suryya-kanta-adhikary
View
214
Download
0
Embed Size (px)
Citation preview
7/28/2019 BW ASAP 20b Phase 2 Authorizations.doc
1/7
Authorizations
ASAP FOR BW ACCELERATOR
BUSINESS INFORMATION WAREHOUSE
Methodology on how to analyse and design authorizations.(Description)
Document Version 1.0
SAP (SAP America, Inc. and SAP AG) assumes no responsibility for errors or omissions in these materials.
These materials are provided as is without a warranty of any kind, either express or implied, including but not limited to, the impliedwarranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages thatmay result from the use of these materials.
SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within thesematerials. SAP has no control over the information that you may access through the use of hot links contained in these materialsand does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.
7/28/2019 BW ASAP 20b Phase 2 Authorizations.doc
2/7
AUTHORIZATIONS
Table of Contents
AUTHORIZATIONS..............................................................................................................1
ASAP FOR BW ACCELERATOR............................................................................................1
TABLE OF CONTENTS....................................................................................................... 2
1 INTRODUCTION ................................................................................................................3
2 GUIDELINES .....................................................................................................................3
3 MACROROLES................................................................................................................3
4 AUTHORIZATION SPECIFICATION AND DESIGN TASKS DURING THE BW PROJECT............................................................................................................................................... 4
4.1 BUSINESS BLUEPRINT.....................................................................................................44.2 REALIZATION..................................................................................................................44.2 FINALPREPARATION.......................................................................................................4
5 AUTHORIZATION REQUIREMENT COLLECTION APPROACH.......................................6
5.1 INFOCUBEBASEDAPPROACH ..........................................................................................65.2 QUERYNAMEBASEDAPPROACH.....................................................................................65.3 INFOCUBEINDEPENDENT DATASETAPPROACH.................................................................6
6 THE AUTHORIZATION ACCELERATOR...........................................................................7
1998 SAP AMERICA, INC. AND SAP AG TABLEOF CONTENTS
7/28/2019 BW ASAP 20b Phase 2 Authorizations.doc
3/7
AUTHORIZATIONS
1 Introduction
In this paper we describe a project approach for the BW authorization requirements
collection and for the corresponding and strictly linked authorization design andimplementation.
2 Guidelines
Start to consider the authorization requirements as soon as possible during the project.
Keep the requirements as simple as possible. Complex authorization requirements imply
complex authorization design and some administration workload for the authorizationmaintenance.
Develop an authorization strategy.
Establish appropriate name ranges.
3 MacroRoles
We can identify several categories of BW users. From now on these categories will becalled MacroRoles. For each MacroRole theres a standard template to be used.Anyway here we discuss more in depth the reporting users, because their requirementsare customer specific and they need to be collected in a structured way during theproject. At a rough level we can identify the following MacroRoles (at the right you canfind the corresponding BW standard template to be used as a starting point):
MACROROLE BASIC TEMPLATE
BW DATA MODELER S_RS_RDEMO
BW SYSTEM ADMINISTRATOR(S)
Administrator ofdevelopment system
S_RS_RDEAD
Administrator ofproductive system
S_RS_ROPAD
Operator ofproductive system (formonitoring andloading)
S_RS_ROPOP
BW REPORTING DEVELOPER S_RS_RREDE
BW REPORTING USER S_RS_RREPU
PAGE 3 OF 7
7/28/2019 BW ASAP 20b Phase 2 Authorizations.doc
4/7
AUTHORIZATIONS
4 Authorization specification and design tasksduring the BW project
Here we describe which are the authorization linked tasks in the different ASAP for BWphases. In figures 4.1 and 4.2 you can find a summary of these tasks.
4.1 Business Blueprint
During the Business Blueprint phase there are three tasks concerning authorizations:
Role identification. For example you identify accounting manager and sale
responsible as two significant roles in your BW project.
First identification of the authorization relevant characteristics. Before the final datamodel design and for each role, you can collect some needed limitations on data accesssuch as the sale responsible can see only his own sales area data.
These two aspects are covered in the PI-Documentation-Paper which is a template for theBusiness Blueprinting. (Please check for existing Accelerator).
Definition of an authorization strategy. You have to identify a consistent approach to
authorization requirement collection and you have to choose which level of detail isneeded and which level of administration workload you can support. In paragraph 5 we
describe more in depth some possible approaches.
4.2 Realization
In parallel to data model implementation you can start one after the other the followingtasks:
the detail authorization requirements collection;
the authorization design (reporting object, authorization and profiles design);
the authorization implementation.
4.2 Final preparation
During the final preparation you have to test the authorizations for the initial set of queries.
PAGE 4 OF 7
7/28/2019 BW ASAP 20b Phase 2 Authorizations.doc
5/7
AUTHORIZATIONS
FIG. 1 maps of authorization related tasks
FIG. 2 authorization tasks and templates in the ASAP for BW Roadmap
Phase Tasks Template
Projectpreparation
BusinessBlueprint
Role identification PI-Documentation Templateallows you to add also accessrestrictions to characteristicsrelevant for each role.
First identification of theauthorization relevantcharacteristics
Definition of anauthorization strategy
Please refer to this paper as aguideline and share the approachwith the customer.
Realization Collection ofauthorizationrequirements at thechosen level of detail
Authorization requirement anddesign suggestion template(Excel)
Profile design
Authorizationimplementation
Finalpreparation
Test of authorizations
Go live and
support
PAGE 5 OF 7
Role identification, first requirements
Strategy
for
authorizationsAuthorization design
Implementation
Test
Authorization requirements BW authorizationrequiremets collection
template (withsuggested design
rules)
7/28/2019 BW ASAP 20b Phase 2 Authorizations.doc
6/7
AUTHORIZATIONS
5 Authorization requirement collection approach
Here we describe three compatible approaches to collect the authorization requirements.
5.1 InfoCube based approach
You can collect the requirements allowing or not allowing for specific InfoCubes. If itsconvenient, you can use the concept of InfoArea to allow or not for a group of InfoCubesbelonging to the same InfoArea.
You can go in a more detail if you limit the accessability of a cube, allowing only for a part of
it. We can name dataset the Sub-InfoCube which is limited by the authorizations assignedto a user. In BW a dataset can be defined according to characteristics, key figures,hierarchies and their combinations.
5.2 Query name based approach
For pure reporting users (not allowed to build new queries) you can use the query names tosimplify the authorization design, creating specific queries for specific roles and allowingonly certain query names. The disadvantage of this approach is that theres no relationshipbetween query name and set of data, so new queries are potentially security dangers.
5.3 InfoCube independent dataset approach
Before the data model you dont know the InfoCubes, but you can express authorizationrequirements through data set, i.e. limitations on to characteristics, key figures, hierarchiesand their combinations at various level of detail.
PAGE 6 OF 7
7/28/2019 BW ASAP 20b Phase 2 Authorizations.doc
7/7
AUTHORIZATIONS
6 The authorization accelerator
The authorization accelerator (file name BW authorization requirements template.xls)allows you to:
Collect the authorization requirements for specific roles (one Excel per Reporting User
Role)
Choose the best authorization approach and modifying consistently the template
Choose the right level of detail concerning the complexity of the requirements
The accelerator:
hides the complexity of the authorization requirement collection if this is not needed
links an example for each template sheet.
Although it is focused on the requirement specification, for each object (e.g. Infoareas,
Infocubes, queries, ) the accelerator gives the corresponding implementationsuggestions.
Heres the initial screen:
PAGE 7 OF 7