  • SAP BW Security Practices

    Andreas Wilmsmeier, Managing Director

    COMPENDIT

    Email: [email protected]

  • Monday, 28 April 2003 (C) 2003 COMPENDIT Andreas Wilmsmeier SAP BW Security 2

    COMPENDIT

    Provides premier, industry leading business intelligence solutions

  • Agenda

    A generic setup to minimize role maintenance

    Company policies and legal requirements

    Automatic generation of authorization and other useful techniques

    Changes to authorization objects in BW 3.0

  • A Generic Hierarchy Of Roles

    (Diagram of the role layers, top to bottom:)

    Common Authorizations: Common Power User Authorizations, Common End User Authorizations, Common Administrator Authorizations

    Business Role Specific Authorizations: Business Role Specific Menu plus Business Role Specific Authorizations (one set per business role)

    Data Value Authorizations

  • Common Authorizations

    Common authorizations should go to a common authorizations role. This way there is only one single place where common authorizations are maintained (e.g. after upgrades or as a consequence of changes to the overall authorization concept).

    Examples:

    Authorizations for RFC access (RRMX, RSMENU, RS_PERS_BOD, ...)

    Transaction codes (RRMX, ...)

    Central functions (document access, ...)

  • Common Authorizations for Power Users

    Authorizations common to certain types of users (such as power users) should go to a common power user authorizations role (or to the role corresponding to that type of user). As for common authorizations, this procedure keeps the maintenance effort low for this type of authorization.

    Examples:

    Batch job scheduling (for the reporting agent)

    Additional RFC calls, transactions

    Spooler (for the reporting agent)

  • Business Role Specific Authorizations

    Examples of business role specific authorizations for power users:

    Maintenance of menu roles (e.g. access/add/change menu items)

    Business Explorer components (e.g. access/add/change query elements)

    InfoProviders (e.g. read access to certain InfoProviders)

  • Data Value Authorizations

    Reporting authorizations based upon data values

    Examples:

    Characteristics (cost centers, regions, sales offices, ...)

    Key figures (sales revenue, costs, salary, ...)

    Hierarchies (organizational, regional, ...)

    Data value authorizations should be kept separate from non-reporting authorizations for ease of maintenance

  • Data Value Specific Authorizations Example

    Assumptions: total number of different business roles = 30; total number of different data values = 50

    Scenario 1: Data value authorizations maintained in business roles. Total number of potential roles to maintain: 30 * 50 = 1500

    Scenario 2: Data value authorizations kept separately. Total number of potential roles to maintain: 30 + 50 = 80

  • Business Role Specific Menus

    Contain menu items available to the business role, usually maintained by power users

    Examples:

    Web applications available

    BEx workbooks available

    Relevant internal and external links to documents, web pages, applications, ...

    Should be kept separate to allow for use by multiple different types of users (such as end users and power users) or even in different business roles

  • Use of Composite Roles

    (Diagram: the same role layers as above, i.e. Common Authorizations (Power User / End User / Administrator), Business Role Specific Authorizations and Menu, and Data Value Specific Authorizations, bundled into composite roles)

  • Use of Composite Roles

    In conjunction with the generic role hierarchy approach, composite roles help simplify the process of assigning roles to users

    Composite roles consist of:

    The basic authorization role

    The end user / power user / administrator role

    One or more business specific authorization roles

    One or more business specific menu roles

    Main benefit of this setup: only one role (instead of 4) is assigned to a user to grant the authorizations required by a certain business role

  • Use of Authorization Templates

    (Diagram: the same role layers as above, i.e. Common Authorizations (Power User / End User / Administrator), Business Role Specific Authorizations and Menu, and Data Value Specific Authorizations, each built from an authorization template)

  • Use of Authorization Templates

    Authorization templates can be used to copy empty authorizations to a role in the profile generator (PFCG)

    SAP authorization templates are useful for defining common roles (such as basic, end user, power user, etc.)

    Authorization templates can be defined in transaction SU24; from within transaction PFCG, use menu path Environment - Maintain Templates

    Custom templates are useful for defining business role specific authorizations

  • Naming Conventions

    Clearly defined naming conventions are crucial for efficient management of authorizations

    Naming conventions should be defined using a single prefix or a hierarchy of prefixes for distinct application areas

    Naming conventions should at least (but not only) be defined for reporting relevant objects (data providers, queries, workbooks, web templates, and so forth)

    See Business Content for best practices

  • Naming Conventions

    Naming conventions allow using wildcards in defining authorizations and avoid listing individual objects in order to allow access

    Example: Authorizations for executing controlling queries (authorization object S_RS_COMP)

    InfoArea: 0CO*
    InfoProvider: 0CO*
    Component type: REP
    Component Name: 0CO*
    Activity: 16

    Example: Authorizations for maintaining and executing HR queries (authorization object S_RS_COMP)

    InfoArea: 0HR*
    InfoProvider: 0HR*
    Component type: *
    Component Name: 0HR*
    Activity: 01, 02, 03, 06, 16, 22
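    The two ideas the deck has built up so far, single roles stacked into a composite role and wildcard values that rely on a naming convention, can be modeled together. The following Python is an added example, not code from the presentation or from SAP: the role names (Z_COMMON, Z_CO_REPORTING, ZC_CONTROLLER and so on), the query and InfoProvider names, and the use of the slide's field labels (InfoArea, InfoProvider, Component type, Component Name, Activity) as dictionary keys are constructed assumptions, and the value matching (exact value or trailing '*' prefix) is a simplification of SAP's authorization value semantics.

```python
# Added example (not from the presentation): a small model of the role hierarchy
# described in the deck (common / user-type / business-role single roles bundled
# into a composite role) and of a wildcard authorization check against S_RS_COMP
# as the naming-convention slide uses it.
# Field labels follow the slide rather than the technical field names, and the
# matching rule is a simplification: a requested value is granted when it equals
# the authorization value, or when the authorization value ends in '*' and the
# requested value starts with the prefix before the '*'.
from __future__ import annotations

from dataclasses import dataclass, field


def value_allowed(auth_values: set[str], requested: str) -> bool:
    """True if any authorization value (exact or trailing-'*' pattern) covers `requested`."""
    for pattern in auth_values:
        if pattern == "*" or pattern == requested:
            return True
        if pattern.endswith("*") and requested.startswith(pattern[:-1]):
            return True
    return False


@dataclass
class Authorization:
    """One authorization instance of one object, e.g. S_RS_COMP."""
    obj: str
    fields: dict[str, set[str]]

    def covers(self, obj: str, request: dict[str, str]) -> bool:
        # Every field of the request must be covered by this one instance;
        # values from different instances are never combined.
        return obj == self.obj and all(
            value_allowed(self.fields.get(name, set()), value)
            for name, value in request.items()
        )


@dataclass
class Role:
    name: str
    auths: list[Authorization] = field(default_factory=list)


@dataclass
class CompositeRole:
    name: str
    single_roles: list[Role]

    def is_authorized(self, obj: str, request: dict[str, str]) -> bool:
        # The user holds the union of all single roles' authorizations; one
        # matching instance anywhere in the composite is enough.
        return any(a.covers(obj, request) for r in self.single_roles for a in r.auths)


# --- constructed sample roles mirroring the deck's hierarchy (assumed names) ---
common = Role("Z_COMMON", [Authorization("S_RFC", {
    "RFC_TYPE": {"FUGR"}, "RFC_NAME": {"RRMX", "RSMENU"}, "ACTVT": {"16"}})])
power_user = Role("Z_POWER_USER")  # batch / spool authorizations would live here
# The 0CO* naming convention lets one instance grant every controlling query:
controlling = Role("Z_CO_REPORTING", [Authorization("S_RS_COMP", {
    "InfoArea": {"0CO*"}, "InfoProvider": {"0CO*"}, "Component type": {"REP"},
    "Component Name": {"0CO*"}, "Activity": {"16"}})])
hr = Role("Z_HR_QUERY_MAINT", [Authorization("S_RS_COMP", {
    "InfoArea": {"0HR*"}, "InfoProvider": {"0HR*"}, "Component type": {"*"},
    "Component Name": {"0HR*"}, "Activity": {"01", "02", "03", "06", "16", "22"}})])

controller = CompositeRole("ZC_CONTROLLER", [common, power_user, controlling])
hr_analyst = CompositeRole("ZC_HR_ANALYST", [common, power_user, hr])


def can_execute_query(user: CompositeRole, infoarea: str, provider: str,
                      query: str, activity: str = "16") -> bool:
    """Check S_RS_COMP for a query (component type REP) against a user's composite role."""
    return user.is_authorized("S_RS_COMP", {
        "InfoArea": infoarea, "InfoProvider": provider, "Component type": "REP",
        "Component Name": query, "Activity": activity})


if __name__ == "__main__":
    print(can_execute_query(controller, "0CO_AREA", "0CO_CUBE1", "0CO_CUBE1_Q1"))       # True
    print(can_execute_query(controller, "0CO_AREA", "0CO_CUBE1", "ZCO_CUBE1_Q1"))       # False: name off-convention
    print(can_execute_query(hr_analyst, "0HR_AREA", "0HR_CUBE1", "0HR_CUBE1_Q1", "02"))  # True: 02 is in the HR list
```

    The last call in the demo is the point of the naming-convention slide in reverse: a query created outside the agreed prefix (ZCO_... instead of 0CO_...) is not covered by the wildcard, so a naming convention that is not enforced silently shrinks what the roles grant and forces individual object lists back into the roles.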

  • Agenda

    A generic setup to minimize role maintenance

    Company policies and legal requirements

    Automatic generation of authorization and other useful techniques

    Changes to authorization objects in BW 3.0

  • The Security Trade-Off

    Information Democracy: less control of who knows what, lower maintenance effort

    Controlled Distribution of Information: more control of who knows what, higher maintenance effort

    (Chart axes: Maintenance Effort vs. Control)

  • Legal requirements

    Legal requirements may affect your security design

    Examples:

    Privacy regulations may force you to prohibit access to certain personal information about employees, customers or other types of business partners

    Financial results may be required to be publicly available, so you may want to release this information to the public

  • Agenda

    A generic setup to minimize role maintenance

    Company policies and legal requirements

    Automatic generation of authorization and other useful techniques

    Changes to authorization objects in BW 3.0

  • Generation of Authorizations

    Initial idea stems from making HR authorizations available to SAP BW in an automated way (this function is still part of the Business Content)

    A more generic tool is available to generate authorizations based upon the following Business Content ODS objects:

    0TCA_DS01 Reporting authorizations

    0TCA_DS02 Reporting authorizations for hierarchies

    0TCA_DS03 Texts

    0TCA_DS04 Users

  • Authorization Generation Process

    (Diagram, bottom to top: DataSources feed the Staging Engine, which loads the ODS objects 0TCA_DS01, 0TCA_DS02, 0TCA_DS03 and 0TCA_DS04; transaction RSSM (generation of authorizations) reads them and produces the authorizations and user assignments)

  • Generating Authorizations in 4 Steps

    1. Copy ODS objects from Business Content (copies of 0TCA_DS0x allow for multiple different authorization generation processes; not all ODS objects are required all the time)

    2. Implement DataSource / extraction process

    3. Define DataSources, InfoSource, transfer & update rules in SAP BW

    4. Define and schedule the authorization generation process in RSSM

  • RSSM Generating Authorizations

  • Generated Authorizations Made Visible

    Either use a MultiProvider on the authorization ODS objects

    Or define an InfoCube including the main characteristics of the ODS objects and some key figures (such as dates) and update the InfoCube from the ODS objects

    Define queries as required

  • Agenda

    A generic setup to minimize role maintenance

    Company policies and legal requirements

    Automatic generation of authorization and other useful techniques

    Changes to authorization objects in BW 3.0

  • Changes in 3.0

    S_RS_COMP: New authorization check for variables (object type VAR) in query definition

    S_RS_COMP1 - Owners: Used to define query element authorizations based upon ownership; $USER is used for own query elements. Used in addition to S_RS_COMP; both authorization objects are checked and evaluated as a logical AND

    S_RS_FOLD: Suppress InfoArea view of BEx elements
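    To make the logical AND of S_RS_COMP and S_RS_COMP1 concrete, here is an added Python example (not from the presentation or from SAP) that evaluates both objects for one query element and resolves the $USER placeholder to the user being checked. The user name ANNA, the sample authorizations and the query names are constructed; using the slide's labels (Component type, Component Name, Owner, Activity) as the fields of S_RS_COMP1, and the matching rule (exact value or trailing '*' prefix), are simplifying assumptions rather than SAP's implementation.

```python
# Added example (not from the presentation): BW 3.0 style check in which
# S_RS_COMP and S_RS_COMP1 are both evaluated and combined with a logical AND.
# Field labels and matching rules are simplifying assumptions; $USER handling
# follows the slide: it stands for the name of the user being checked.
from __future__ import annotations


def matches(pattern: str, value: str) -> bool:
    """Simplified SAP value check: '*' matches all, exact match, or trailing-'*' prefix."""
    if pattern == "*" or pattern == value:
        return True
    return pattern.endswith("*") and value.startswith(pattern[:-1])


def any_instance_covers(instances: list[dict[str, set[str]]], request: dict[str, str]) -> bool:
    """True if one single authorization instance covers every field of the request."""
    return any(
        all(any(matches(p, request[f]) for p in inst[f]) for f in request)
        for inst in instances
    )


def resolve_owner(instances: list[dict[str, set[str]]], user: str) -> list[dict[str, set[str]]]:
    """Replace the $USER placeholder with the user being checked (per-user ownership)."""
    return [
        {f: {user if v == "$USER" else v for v in vals} for f, vals in inst.items()}
        for inst in instances
    ]


def query_allowed(user: str, user_auths: dict[str, list], query: dict[str, str]) -> bool:
    """Both S_RS_COMP (what/where) and S_RS_COMP1 (whose) must grant the activity."""
    comp_req = {
        "InfoArea": query["infoarea"], "InfoProvider": query["provider"],
        "Component type": query["type"], "Component Name": query["name"],
        "Activity": query["activity"],
    }
    comp1_req = {
        "Component type": query["type"], "Component Name": query["name"],
        "Owner": query["owner"], "Activity": query["activity"],
    }
    comp_ok = any_instance_covers(user_auths.get("S_RS_COMP", []), comp_req)
    comp1_ok = any_instance_covers(resolve_owner(user_auths.get("S_RS_COMP1", []), user), comp1_req)
    return comp_ok and comp1_ok


# --- constructed sample: authorizations held by user ANNA (assumed values) ---
ANNA_AUTHS = {
    "S_RS_COMP": [{
        "InfoArea": {"0CO*"}, "InfoProvider": {"0CO*"}, "Component type": {"REP"},
        "Component Name": {"0CO*"}, "Activity": {"02", "16"},
    }],
    "S_RS_COMP1": [
        # own query elements ($USER): change and execute
        {"Component type": {"REP"}, "Component Name": {"*"}, "Owner": {"$USER"}, "Activity": {"02", "16"}},
        # anybody's query elements: execute only
        {"Component type": {"REP"}, "Component Name": {"*"}, "Owner": {"*"}, "Activity": {"16"}},
    ],
}


def make_query(name: str, owner: str, activity: str, infoarea: str = "0CO_AREA",
               provider: str = "0CO_CUBE1", ctype: str = "REP") -> dict[str, str]:
    """Build a constructed query-element request (defaults stay inside the 0CO* range)."""
    return {"name": name, "owner": owner, "activity": activity,
            "infoarea": infoarea, "provider": provider, "type": ctype}


if __name__ == "__main__":
    print(query_allowed("ANNA", ANNA_AUTHS, make_query("0CO_Q_OWN", "ANNA", "02")))  # True: own query
    print(query_allowed("ANNA", ANNA_AUTHS, make_query("0CO_Q_BOB", "BOB", "16")))  # True: execute only
    print(query_allowed("ANNA", ANNA_AUTHS, make_query("0CO_Q_BOB", "BOB", "02")))  # False: not the owner
```

    The two S_RS_COMP1 instances show the pattern the slide implies: a shared authorization with Owner = $USER lets every user maintain only their own query elements, while the second instance with Owner = * and activity 16 limits everyone else's queries to execution. Because S_RS_COMP is ANDed in, neither instance opens anything outside the 0CO* naming range, which is why the two objects complement rather than replace each other.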

  • Changes in 3.0

    S_RS_IOBJ: Authorization object for working with InfoObjects, in addition to S_RS_ADMWB

    S_RS_ISET: Authorizations for InfoSets

    S_RFC: Additional RFC_NAME values (RFC_TYPE FUGR, ACTVT 16):

    RRXWS: BW Web Interface

    RS_PERS_BOD: Personalization of BEx Open Dialog

    RSMENU: Roles and Menus

    S_GUI: Authorization for GUI activities (activity 60 = Upload)

  • Side Note on MultiProviders

    S_RS_MPRO - MultiProviders: Used to define authorizations on a MultiProvider level, in addition to InfoCube authorizations

    Results in fewer authorization checks on MultiProvider queries, if BW is customized accordingly (Business Information Warehouse - General BW Settings - Settings for Authorizations)

  • For more information:

    COMPENDIT Inc. Phone: +1 312.673.1158 Fax: +1 312.896.9400 Email: [email protected] www.compendit.com