BW Data Security and Reliability Bhavesh Bhagat, Ernst & Young Bryan Glass, Ernst & Young Session Code: 809 Tue, May 20, 2003 @ 2:00 PM - 3:10 PM

BW Data Security and Reliability

Bhavesh Bhagat, Ernst & Young
Bryan Glass, Ernst & Young

Session Code: 809
Tue, May 20, 2003 @ 2:00 PM - 3:10 PM

Presentation Overview

• Overview of and Importance of BW Security

• BW Security Concept

• Data Integrity Within BW

• BW Security and Controls Best Practices

Overview of BW

• SAP Data Warehousing/Reporting Solution

• Allows end users to analyze data from SAP R/3, other applications, and external data sources such as databases, the Internet, and other source systems

• Provides flexible reporting capabilities

• Security allows for protecting disclosure of information and usage of system resources

• Future Outlook-CRM Analytic, SEM, APO, Business Content in BW

Importance of Data Security and Reliability

• Sarbanes-Oxley Act Implementation

– Increased regulatory emphasis on timely and accurate financial reporting

• Ensures sound systems controls environment by enforcing the written security policies and procedures within an organization

• Security provides for safeguard of confidential and proprietary corporate and employee data

• Increased management demand for accurate and reliable decision making information

Presentation Overview

• Overview of and Importance of BW Security

• BW Security Concept

• Data Integrity Within BW

• BW Security and Controls Best Practices

BW Data Security Concepts

• OLTP vs. OLAP Processing

• Security Design Approach

• BW Authorization Concept

• BW Security Implementation/Administration

• Security BW Data Flow and Extraction

• Role Based Authorization Concept

• Data Disclosure

• BW Data Integrity and Quality

BW Security – New Paradigm

• BW Security-OLAP System

– Security is not transaction based

– Typically limited to display function

– Limits what data users are able to display or analyze

– Only similarity is the Administrative (GUI) side of BW

– Emphasis on controlling access to reporting on historical data

• R/3 Security-OLTP System

– Security is clearly segregated between functions/modules

– Based on users executing business transactions

– Transactions limited to specific activity (Create, Change, Delete, etc.)

– Controls the way users enter and process data

– Emphasis on controlling creation and maintenance of data

• “Need to Withhold” Design

– Controlled at end user level

– Decreased development and design costs

– Decreased maintenance and enhancement costs

– Does not provide level of security that is sufficient

– Limits the capabilities of security staff

– Example:

• Can control what cost centers a user can view data for

• “Need to Know” Design

– Controlled at end user and configuration levels

– Provides for a more secure environment

– Protection of sensitive data

– Increased customization in the system

– Requires more planning/design costs

– Extends capabilities of the system and security team

– Example:

• Can control what subsets of a cost center a user can view data for (more granular)

BW Security Approach

BW Authorization Levels

[Figure: BW authorization levels diagram. Levels shown: User Roles, InfoAreas, InfoCubes, Queries, InfoObjects/Key Figures, InfoObjects/Characteristics. Scale labels: Little, Less, Moderate, High; End User.]

BW Security Classes

• End User Functions Include:

– Executing Workbooks/Queries

– Analyzing Workbooks/Queries

– Some can create new workbooks/queries

– Publish or make queries available to other users

– Modify existing queries for public or personal use (favorites)

– Manage personal favorites

• BW Queries are accessed from SAP BW Workbooks

• Workbooks can be assigned to roles

• Reporting Users are assigned to roles

• Maintain query specific authorizations (if required) in the profile generator

• Currently no Authorization Object available to set up authority for Workbooks-actually given as a transaction code

Query and Workbook Security

Issue:

– Authority checks will not occur if data is saved within workbooks without refreshing the query/workbook

– Query results saved with the Workbook will be visible to the next user even if they are unauthorized.

– Users will not be able to query new data without the authority check, but will be able to see the existing query data

Solution:

– Save Workbook templates to the Role only without Query results/blank

– Use AutoRefresh functionality to ensure authorization checks occur within the workbooks (VB code within workbook)

– Limit the ability for users to save workbooks globally by limiting them to saving to their favorites

Additional Considerations about Queries and Roles

• Central Point of BW Administration

• BW Design and Development

• Monitoring data load

• Monitoring update process

• Maintenance-Administration

• Scheduling data load

• Executing data load

BW Administrator Workbench Security

Authorization Objects

[Figure: screenshot of authorization objects. Labels: Business Information Warehouse - Administrat.; Administrator Workbench - Hierarchy; Administrator Workbench - InfoCube; Business Information Warehouse - Reporting; Standard End User Security; Queries; InfoCubes; Custom BW Reporting; Limiting on Cost Center Characteristics.]

BW – Reporting

• Standard BW security allows you to secure at a less granular level (e.g. workbooks, InfoCubes, etc…)

• Custom objects must be developed along with making them authorization relevant for particular infocubes

• Example here is shown as limiting security to a cost center

• You can limit access to other organizational characteristics

• These objects can be setup to be checked for all infocubes to limit access to sensitive data

BW- Administration

• Authorization Objects exist for Administration Workbench Hierarchy, InfoCubes, InfoSources...

[Figure labels: Object class, Authorization object]

Reporting Authorizations

• A Reporting Object is an Authorization Object that can restrict on the level of infocubes

• BW will only check reporting objects assigned to the actual reported InfoCube (authorization relevant custom assignment).

• Create fields within the object and assign them to the infocube

ACTVT 03

Characteristic CCENT1

Steps to set up a Reporting Authorization

• Create an Authorization Object for Reporting (use Basic Settings -> Authorizations -> Reporting Objects)

• Mark the InfoObject as “Authorization Relevant”

• Create Authorizations with the values within roles

Create Authorization Object-RSSM

Mark InfoObjects as Auth Relevant

Add to Role with Auth Values

BW Data Security Concepts Summary

• Security can be simple (Need to Withhold) or complex (Need to know - level of granularity)

• Reporting security is customized

• Administrator Workbench must be secured

• RSPARAM type settings must still be maintained to ensure secure system

–Password length

–Incorrect Logins

–Password Reset Intervals

Presentation Overview

• Overview of and Importance of BW Security

• BW Security Concept

• Data Integrity Within BW

• BW Security and Controls Best Practices

BW Data Quality and Integrity

• Importance of Data Integrity and Quality

• Data Corruption

– Causes of Corrupted Data

– Sources of Corrupted Data

• Data Correction

– SAP Delivered Tools

BW Data Integrity and Quality Importance

• BW Information is highly integrated-data from other systems may not be reliable

• BW Information is accessed frequently (new and old)

• Management depends on quality data for making business decisions

• BW data can serve as a basis in systems for processing data

• Quality/Integrity refers to data being correct/free of errors, timely, and relevant

Data Corruption - Causes

• Referential Integrity issues

• Lack of validation or edit checks

• Duplicate Records

• Reasonableness Checks

• Data or file formats

• Corruption during data loads

– Bugs in Programs

– Time limits of data (data untimely or too new)

– Upload master data after transactional data

Data Corruption - Sources

• Flawed Source System Data-can’t rely on controls in other systems

• Data Migration and Consolidation Activities

• Technical platforms or technology issues

• Programs update data incorrectly or incompletely

• Unused or misuse of program edit and validation checks

Common Data Spoilers

• Multiple Key Fields

• Inconsistent Key Fields

• Free Form Fields

• Invalid Characters

• Other Surprises

• Redundant Data

• Data Anomalies

• Data Formats

Multiple Key Fields

Within the Same Table

KEY_FIELD   PRODUCT           Plant
USN_1298    Computer Laptop   HOUSTON
XXP_1239    Laptop            HOUSTON

Within Multiple Tables

KEY_FIELD   PRODUCT           Plant
USN_1298    Computer Laptop   HOUSTON

KEY_FIELD   PRODUCT_CODE      Plant
XXP_1239    Laptop            HOUSTON

Inconsistent Key Fields

KEY_FIELD   PRODUCT        Plant
USN_1298    Laptop         HOUSTON

KEY_FIELD   PRODUCT_CODE   Plant
USN_1298    Laptop         DALLAS

Free Form Fields

PRODUCT                                                Plant
Computer Laptop with oversized keys “prod #12989”      Austin
Computer laptop without oversized keys “prod #3456”    Austin

Invalid Characters and Other Surprises

KEY_FIELD   PRODUCT                        Plant
USN_1298    Computer Laptop *&^*&^&^*()_   Orlando
XXP_1239    Laptop-refer to USN_1298       Orlando

Redundant Data

COMPANY    PRODUCT   Date         AMOUNT
USN_1298   Laptop    02/27/2003   $600.00
USN_1298   Laptop    02/27/2003   $600.00
USN_1298   Laptop    02/27/2003   $600.00
USN_1298   Laptop    02/27/2003   $600.00

Data Anomalies and Data Formats

Overstated Amounts or Dates

COMPANY    PRODUCT   Delivery Date   AMOUNT
USN_1298   Laptop    02/28/2003      $999,000
USN_4897   Printer   03/24/9999      $600.00
USN_4439   Cables    10/27/2003      $125.00

Inconsistent Date or Currency Formats

COMPANY    PRODUCT   Date         AMOUNT
USP_999    Laptop    02.28.03     $100.00
USN_4897   Printer   03/24/2003   $600,00
USN_4439   Cables    10/27/2003   $125.00

Other Data Spoilers

• Extraction or Migrations

– Incorrect use of application exits

– Generic BW program exit RSAP0001

– Incorrect program routine logic

• Considerations

– Timeliness of Data

– Version Management

– Return Codes

– Header and Trailer Records

– Performance and transfer timeouts

Additional Considerations - Data Quality

• System

– Source system is most effective (HR Personnel Numbers)

• Timing

– Implement and test data cleansing from beginning of project

• Personnel to implement

– Must have management support

– Technical and functional resources

Evaluating Your Data Integrity Strategy

• Evaluate risks/cost of corrupted data

• Consider legal ramifications

• Data classification and ownership policies

• Evaluate reliability of source system data

• BW Tools for maintaining integrity

– Master Data Validation

– Permitted Character Checks

– Consistency Checks

– InfoPackage level checks

– Data Validation

• Aggregate Checks

• Check Points

• RSRV

Data Correction - Preventing Data Corruption

Master Data Validation

Checks for Permitted Characters

Case A: characters not permitted

Case B: characters permitted

Permitted by standard:

!"%&'()*+,-/:;<=>?_0123456789

ABCDEFGHIJKLMNOPQRSTUVWXYZ
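
The checks named on the Common Data Spoilers slides, combined with the permitted-character list above, as an added Python example that is not part of the original presentation or of SAP BW. The rows are constructed from the slides' sample tables; treating space and lowercase as permitted, the 1990-2100 year range and the 10,000 amount limit are assumptions.

```python
import re
from datetime import datetime

# Character set listed on the slide; space and lowercase are assumed allowed here.
PERMITTED = set("!\"%&'()*+,-/:;<=>?_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                " abcdefghijklmnopqrstuvwxyz")
AMOUNT_RE = re.compile(r"\$(\d{1,3}(?:,\d{3})*|\d+)(\.\d{2})?")

def parse_date(text):  # MM/DD/YYYY only, year within an assumed plausible range
    try:
        parsed = datetime.strptime(text, "%m/%d/%Y")
    except ValueError:
        return None
    return parsed if 1990 <= parsed.year <= 2100 else None

def parse_amount(text):  # "$1,234.56" style only; None if malformed
    m = AMOUNT_RE.fullmatch(text)
    return float((m.group(1) + (m.group(2) or "")).replace(",", "")) if m else None

def check_records(rows, amount_limit=10_000):
    """Return (row_index, issue) pairs; amount_limit is an assumed reasonableness cap."""
    issues, seen = [], set()
    for i, row in enumerate(rows):
        key, product, date, amount = row
        if row in seen:
            issues.append((i, "duplicate record"))
        seen.add(row)
        bad = sorted(set(key + product) - PERMITTED)
        if bad:
            issues.append((i, "invalid characters: " + "".join(bad)))
        if parse_date(date) is None:
            issues.append((i, "bad date: " + date))
        value = parse_amount(amount)
        if value is None:
            issues.append((i, "bad amount format: " + amount))
        elif value > amount_limit:
            issues.append((i, "amount over limit: " + amount))
    return issues

# Constructed rows adapted from the sample tables on the slides.
ROWS = [
    ("USN_1298", "Laptop", "02/27/2003", "$600.00"),
    ("USN_1298", "Laptop", "02/27/2003", "$600.00"),    # redundant record
    ("USN_1298", "Laptop", "02/28/2003", "$999,000"),   # overstated amount
    ("USN_4897", "Printer", "03/24/9999", "$600.00"),   # overstated date
    ("USP_999", "Laptop", "02.28.03", "$100.00"),       # inconsistent date format
    ("USN_4897", "Printer", "03/24/2003", "$600,00"),   # inconsistent currency format
    ("USN_1298", "Computer Laptop *&^*&^&^*()_", "02/27/2003", "$600.00"),
]
```

Of the punctuation in the slide's invalid-character sample, only `^` falls outside the permitted set, so a character check alone would pass most of that field; the duplicate, date and amount checks catch the rest.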

Consistency Checks

Handling of Invalid Data Records

[Figure: data load diagram. Labels: Scheduler, Extract, PSA, Staging Engine, Business Information Warehouse; outcomes OK and Error.]

Error Handling:

1- No Update, No Reporting

2- Valid Records Update, No Reporting

3- Valid Records Update, Reporting Possible

Correction of invalid data:

• within source System

• manually in PSA

• by Rule (see RS_ERRORLOG_EXAMPLE)

Aggregate Checks

Transaction RSRV

• Can check integrity on most objects in the system

– Tables

– Hierarchies

– InfoObjects

• Not supported by SAP but is available

BW Data Integrity & Quality Summary

Performing Audits can identify:

• When the data was created?

• Which source did the data come from?

• Which tools were used for extraction?

• Which rules had touched the data?

Presentation Overview

• Overview of and Importance of BW Security

• BW Security Concept

• Data Integrity Within BW

• BW Security and Controls Best Practices

BW Security and Controls Best Practices

• Role Based Security Approach

– Limits users based on function/role within the company

• Perform Periodic Reviews/Assessments

– User Access

– Business Processes, Standards, and Documentation

– Data Reconciliation

– Internal/External Audit

– Implementation of Action Plans

• Risk and Controls Matrix

Role Based Security Approach

• Design types of users based on organizational requirements

• Segregate duties through job function

• Segregate duties among users and administrators

• Some end-users are more “powerful” than others

Types of Users-Examples

• Administrative Users

– BW Configuration

– Responsible for administering data model

– Setup and Control Data Flow

– Define Variables

– Monitor Data Loads

– Monitor BW Performance (assisted w/BASIS)

• Reporting Users

– End Users

• Execute and analyze queries/workbooks

• Manage personal favorites

– Power Users

• Create new queries for review

– Publishers

• Controls what queries are available to users

• Designs, develops, and publishes new queries

Role Design

• Just like R/3 you must define the following:

– Roles within the company

• Task Oriented-Reporting vs Administration

• Function Oriented-Upstream vs Downstream vs Controllers

• Subject Oriented-FI, CO, MM, HR, etc.

• Geographical by function/task/subject

• Combination of all the above to some extent

• Security Administration, BASIS, Developers, etc…

• HR-Self Access Restrictions

End User Role Definitions

• Standard End User Role Definition

– Execute Published Workbooks

– Modify published workbooks and save to favorites

– Create views for workbooks and save them in favorites

– Create exceptions and conditions for workbooks and save to favorites

• Power End User

– Creates workbooks and saves them to favorites

– Create workbooks and save them to roles (S_USER_AGR)

• NOTE: Should do in Dev and Transport to Prod

– Create conditions and exceptions for workbooks

– Create views for workbooks

Administrative End User Role Definition

• Publisher User-Query Access

– Can create queries for review

– Publish approved queries

– Publish power user queries

– Create calculated Key Figures

– Create restricted key figures (at Infocube level and at Query level)

– Create structures

– Maintain characteristic variables

– Create conditions and exceptions at query level

– Create query views

• Publisher User-Workbook Access

– Create workbooks and save to favorites

– Publish workbooks and save to roles

– Create conditions and exceptions for workbooks

– Create views for the workbook

Role Based Security Summary

• Allows users to execute queries or perform functions based on their responsibility

• Security roles developed for each required business function

• Separates technical from end-user functions

• Separates publisher and executer functions

• Provides structure to the security design

BW Security and Controls Matrix

Information to Capture in Continuous Monitoring environment

•What Could Go Wrong scenarios

•Impact of the risk (H,M,L)

•Likelihood analysis

•Controls Identification - Identify controls implemented or to be implemented to prevent, detect, or correct the scenario

•Timing-Identify when the control is to be implemented or if it already is

•Accountability-Who is responsible for the control

•Status-Identify if the control is implemented or what stage of development it is in

•Continuous Control Monitoring plan -Identify if the control has been tested and signed off

Periodic BW Security and Controls Assessments

• Decrease the risk of unauthorized access or data corruption by implementation of controls

• Helps to identify what future risks the environment faces

• Increases efficiency and effectiveness of the BW solution

• Provides opportunities to review new customer requirements or future requirements and assess if the current model supports them

• Third party reviews help to bring new ideas and a fresh perspective

• Ensure that current process and system controls are functioning as intended

• Obtaining a periodic understanding of the effectiveness of the current controls environment

Best Practice Approach

• Are business processes and approvals appropriate for supporting the system

– User Access processes, approvals, and controls

– Change control processes and controls

• Is documentation clearly written and appropriate

– Updated upon process or system changes

– Relevant to support the current controls environment

• Are processes and controls functioning as intended

– Reviews established to periodically assess appropriateness of documentation

– Reviews conducted to periodically test functionality of controls

Thank you for attending!
