SAP BW Authorization Migration
BW7.30
RKT Live Expert Session
Toni Tavric, Christoph Kretner
21.3.2011
Guiding Principals
Integrate in Your Development Life Cycle
Plan Authorizations Early on in your Development Life Cycle
Authorizations requirement collection at Blue Print Phase
Identify and Assign Data Ownership
KISS Principal (Keep it Simple and Small)
A balance act among Granularity vs. Maintenance vs. Performance (“Balanced Approach”)
Design for simplicity and Ease of Maintenance without compromising “Mandatory” data
security
Divide user into Groups and manage security at InfoArea or InfoProvider level
Thorough Authorizations Testing
Must be a part of system Integration Test plan
Performance testing is a essential part of test plan!!
Staffing for BW Authorizations
R/3 Authorization expert is not equivalent to BI Authorizations Experience
Segregation of Duties among BI Users and Administrator
Migration Strategy
Migration Strategy
Big Bang approach mandatory (“All or nothing”)
Not possible to go live with different user groups/scenarios in different phases
Need to go for new Authorization Concept as chance to review old solution
Raise developers awareness of implications due to changes on InfoObjects
Define the target concept first and then the migration path
Choose the right approach for your new analysis authorization concept
Depending on the actual system configuration, an InfoObject-based approach, an
InfoProvider-based approach or a mixture of booth would be the best solution
InfoProvider-specific Analysis Authorizations might become necessary to assure running BW
3.x scenarios
Take automation into consideration
Migration – Procedural Method
Analyze existing Reporting Authorizations (3.x) – SAP Service Offering
Analyze future authorization checks
Define concept for Analysis Authorizations including naming conventions
Define migration strategy
First realization of the concept prototype
Migrate authorizations according to the defined concept
Test the newly created authorizations
Go-live
Remove old authorization objects (if necessary)
Example Project schedule
Combined Upgrade & Authorization Migration
© SAP 2009 / Page 5
Plan phase (6 weeks)
Upgrade
Authorizations
DEV system (4 weeks)
Upgrade & Test
Authorization migration
QAS system (5 weeks)
Upgrade & Test
Authorization Test
PRD system (1 weekend)
Upgrade & GoLive
Cutover & Golive
KickOffLegend: Duration Milestone
Start Upgrade
1st month 2nd month 3rd month 4th month 5th monttj <month>
GoLive
Remark
Overall project duration dependends on the system complexity.
Given example is based on a higher complexity.
Migration – Analyze Existing Authorizations
1. Identify relevant InfoObjects
2. Identify relevant InfoProviders
3. Group InfoProviders by data owner (“applications”)
4. Identify on which InfoProviders authorization relevant characteristics are
checked
5. Identify auth. relevant navigational attributes and where they are checked
6. Determine which auths are needed for the different “applications”
Compare auth checks in old and new world
7. Clarify if there is customer specific coding which refers to the reporting
authorization objects in 3.x
8. Clarify how customer specific coding has to be adapted
One old authorization Object in a role can result in n Analysis Authorizations in
that role after migration!
© SAP 2008 /
The whole planning phase is a fixed price offer based on a
questionnaire.
The planning phase also considers alternative ways of
assigning authorizations.
Based on the planning phase the migration is also a fixed
price offer.
Our Service:
BI Authorization migration
Our BI authorization migration was developed based on
many BI migration concepts, which are well-established and
ensure a smooth migration.
The result is always an ideal, custom-tailored concept.
Fixed price migration
SAP Consulting Procedure
The complex analysis procedure is supported by a tool,
which analyzes the data model as well as the authorization
concept.
Based on these results the development of the target
concept is faster and more precise.
Tool supported Analysis
© SAP 2008 /
Three steps to a new analysis authorization
concept
DISCOVER-Package
„The Basics“
DISCOVER-Package
„The Basics“
PLAN-Package
„The Concept“
BUILD-Package
„The Migration“
DISCOVER-Package
„The Basics“
PLAN-Package
„The Concept“
Step 1:
Know-how-Transfer
First rough analysis
Migration strategies
Step 2:
Detailed analysis
(tool-supported)
Target concept
Migration path
Step 3:
Implementation
Test support
BI Authorization Migration
Our Service:BI 7.x Analysis
authorization
Tool-based Analysis
Tool-based Analysis - reworked
Optional: Analysis Authorization Migration with a
Migration Sandbox (SBX) system
© SAP 2009 / Page 11
Advantages
• More time for implementing the new Analysis Authorizations on the SBX
(Sandbox) system with a minimized development freeze on the DEV system
• Possibility to test with productive data prior to the upgrade of the productive
• landscape (if SBX is a copy of PRD)
• Possibility to test the upgrade itself on a Sandbox environment
• Possibility to create Analysis Authorizations for the DEV system for restricted
data access right after the upgrade on DEV
Disadvantages
• Additional hardware required
• Additional effort for a system copy and an upgrade
• Original system for Analysis Authorizations is SBX and has to be adjusted
after transporting to DEV
• Longer period for double maintenance (old Reporting Authorizations and new
Analysis Authorizations)
• Additional effort for parallel role maintenance (DEV and SBX)
© SAP 2008 /
Page 12
© SAP 2007 / Page 12
Contact
Christoph KretnerConsultant
Focus Group BI Technology
SAP Deutschland AG & Co. KG
Mobile +49 160 90822314
Toni TavricSenior Consultant
SAP Deutschland AG & Co. KG
Mobile +49 1608896174
AppendixAppendix
© SAP 2008 /
Benefits of the Analysis authorizations
1. Analysis authorizations are custom-tailored for authorization requests from a BI system
2. Very flexible in terms of changes concerning the authorization requests or data model
3. Direct assignments of authorizations on navigational attributes
4. New functionalities like integrated planning require analysis authorizations
5. Improved usability due to a new user interface
6. Improved analysis possibilities and easy authorization trace
7. Integration of hierarchy authorizations
8. Direct and indirect user assignment
Important Preparation Steps
1. Activate all business content related to authorizations before you get started
InfoObjects: 0TCA* (and 0TCT* if not done already)
InfoCubes: 0TCA*
2. Set the following InfoObjects as "authorization relevant"
0TCAACTVT
0TCAIPROV
0TCAVALID
0TCAKYFNM (optional, if key figure restriction needed)
3. Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV
(optional)
Testing Analysis Authorizations –
Recommendations (1/2)
Define positive and negative tests within and across applications!
Prioritize applications that have to be tested
High priority
– Choose most important Queries on each InfoProvider
– Do tests with different types of end-users (if existing) and typical selections
Low priority
– Spot tests: choose most important Queries
If possible: Compare Query results of Reporting Authorizations to those of Analysis
Authorizations
You can then be sure that the system behaves in the same way
Choose the same selections
Don’t do any data loading
Testing Analysis Authorizations –
Recommendations (2/2)
Testing in two steps:
Technical testing of new authorizations by administrators
Testing regarding content by business users
Don’t forget to test drill-down
Important: As you as customer know your applications best,
you are in charge to define and approve tests
Copyright
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information
contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries,
xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+,
POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect,
RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks
of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States
and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business
Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the
United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational
purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational
purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only
warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if
any. Nothing herein should be construed as constituting an additional warranty.