BW ASAP 20b Phase 2 Authorizations.doc

7/28/2019 BW ASAP 20b Phase 2 Authorizations.doc

1/7

Authorizations

ASAP FOR BW ACCELERATOR

BUSINESS INFORMATION WAREHOUSE

Methodology on how to analyse and design authorizations.(Description)

Document Version 1.0

SAP (SAP America, Inc. and SAP AG) assumes no responsibility for errors or omissions in these materials.

These materials are provided as is without a warranty of any kind, either express or implied, including but not limited to, the impliedwarranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages thatmay result from the use of these materials.

SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within thesematerials. SAP has no control over the information that you may access through the use of hot links contained in these materialsand does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.


2/7

AUTHORIZATIONS

Table of Contents

AUTHORIZATIONS..............................................................................................................1

ASAP FOR BW ACCELERATOR............................................................................................1

TABLE OF CONTENTS....................................................................................................... 2

1 INTRODUCTION ................................................................................................................3

2 GUIDELINES .....................................................................................................................3

3 MACROROLES................................................................................................................3

4 AUTHORIZATION SPECIFICATION AND DESIGN TASKS DURING THE BW PROJECT............................................................................................................................................... 4

4.1 BUSINESS BLUEPRINT.....................................................................................................44.2 REALIZATION..................................................................................................................44.2 FINALPREPARATION.......................................................................................................4

5 AUTHORIZATION REQUIREMENT COLLECTION APPROACH.......................................6

5.1 INFOCUBEBASEDAPPROACH ..........................................................................................65.2 QUERYNAMEBASEDAPPROACH.....................................................................................65.3 INFOCUBEINDEPENDENT DATASETAPPROACH.................................................................6

6 THE AUTHORIZATION ACCELERATOR...........................................................................7

1998 SAP AMERICA, INC. AND SAP AG TABLEOF CONTENTS


3/7

AUTHORIZATIONS

1 Introduction

In this paper we describe a project approach for the BW authorization requirements

collection and for the corresponding and strictly linked authorization design andimplementation.

2 Guidelines

Start to consider the authorization requirements as soon as possible during the project.

Keep the requirements as simple as possible. Complex authorization requirements imply

complex authorization design and some administration workload for the authorizationmaintenance.

Develop an authorization strategy.

Establish appropriate name ranges.

3 MacroRoles

We can identify several categories of BW users. From now on these categories will becalled MacroRoles. For each MacroRole theres a standard template to be used.Anyway here we discuss more in depth the reporting users, because their requirementsare customer specific and they need to be collected in a structured way during theproject. At a rough level we can identify the following MacroRoles (at the right you canfind the corresponding BW standard template to be used as a starting point):

MACROROLE BASIC TEMPLATE

BW DATA MODELER S_RS_RDEMO

BW SYSTEM ADMINISTRATOR(S)

Administrator ofdevelopment system

S_RS_RDEAD

Administrator ofproductive system

S_RS_ROPAD

Operator ofproductive system (formonitoring andloading)

S_RS_ROPOP

BW REPORTING DEVELOPER S_RS_RREDE

BW REPORTING USER S_RS_RREPU

PAGE 3 OF 7


4/7

AUTHORIZATIONS

4 Authorization specification and design tasksduring the BW project

Here we describe which are the authorization linked tasks in the different ASAP for BWphases. In figures 4.1 and 4.2 you can find a summary of these tasks.

4.1 Business Blueprint

During the Business Blueprint phase there are three tasks concerning authorizations:

Role identification. For example you identify accounting manager and sale

responsible as two significant roles in your BW project.

First identification of the authorization relevant characteristics. Before the final datamodel design and for each role, you can collect some needed limitations on data accesssuch as the sale responsible can see only his own sales area data.

These two aspects are covered in the PI-Documentation-Paper which is a template for theBusiness Blueprinting. (Please check for existing Accelerator).

Definition of an authorization strategy. You have to identify a consistent approach to

authorization requirement collection and you have to choose which level of detail isneeded and which level of administration workload you can support. In paragraph 5 we

describe more in depth some possible approaches.

4.2 Realization

In parallel to data model implementation you can start one after the other the followingtasks:

the detail authorization requirements collection;

the authorization design (reporting object, authorization and profiles design);

the authorization implementation.

4.2 Final preparation

During the final preparation you have to test the authorizations for the initial set of queries.

PAGE 4 OF 7


5/7

AUTHORIZATIONS

FIG. 1 maps of authorization related tasks

FIG. 2 authorization tasks and templates in the ASAP for BW Roadmap

Phase Tasks Template

Projectpreparation

BusinessBlueprint

Role identification PI-Documentation Templateallows you to add also accessrestrictions to characteristicsrelevant for each role.

First identification of theauthorization relevantcharacteristics

Definition of anauthorization strategy

Please refer to this paper as aguideline and share the approachwith the customer.

Realization Collection ofauthorizationrequirements at thechosen level of detail

Authorization requirement anddesign suggestion template(Excel)

Profile design

Authorizationimplementation

Finalpreparation

Test of authorizations

Go live and

support

PAGE 5 OF 7

Role identification, first requirements

Strategy

for

authorizationsAuthorization design

Implementation

Test

Authorization requirements BW authorizationrequiremets collection

template (withsuggested design

rules)


6/7

AUTHORIZATIONS

5 Authorization requirement collection approach

Here we describe three compatible approaches to collect the authorization requirements.

5.1 InfoCube based approach

You can collect the requirements allowing or not allowing for specific InfoCubes. If itsconvenient, you can use the concept of InfoArea to allow or not for a group of InfoCubesbelonging to the same InfoArea.

You can go in a more detail if you limit the accessability of a cube, allowing only for a part of

it. We can name dataset the Sub-InfoCube which is limited by the authorizations assignedto a user. In BW a dataset can be defined according to characteristics, key figures,hierarchies and their combinations.

5.2 Query name based approach

For pure reporting users (not allowed to build new queries) you can use the query names tosimplify the authorization design, creating specific queries for specific roles and allowingonly certain query names. The disadvantage of this approach is that theres no relationshipbetween query name and set of data, so new queries are potentially security dangers.

5.3 InfoCube independent dataset approach

Before the data model you dont know the InfoCubes, but you can express authorizationrequirements through data set, i.e. limitations on to characteristics, key figures, hierarchiesand their combinations at various level of detail.

PAGE 6 OF 7


7/7

AUTHORIZATIONS

6 The authorization accelerator

The authorization accelerator (file name BW authorization requirements template.xls)allows you to:

Collect the authorization requirements for specific roles (one Excel per Reporting User

Role)

Choose the best authorization approach and modifying consistently the template

Choose the right level of detail concerning the complexity of the requirements

The accelerator:

hides the complexity of the authorization requirement collection if this is not needed

links an example for each template sheet.

Although it is focused on the requirement specification, for each object (e.g. Infoareas,

Infocubes, queries, ) the accelerator gives the corresponding implementationsuggestions.

Heres the initial screen:

PAGE 7 OF 7

Documents

BW ASAP 20b Phase 2 Authorizations.doc