Sunday, June 15, 2014

SAP BI 7.0 Authorization - Part 2: Creating and assigning authorization


In the previous articles I discussed InfoObject-level authorizations. Now I will focus on creating and assigning authorizations.

Creating authorization

To create an analysis authorization, perform the following steps:
1. Use TCode RSECADMIN and go to the Authorizations tab.
2. Press the Maint. button, enter a name (e.g., Z_USR_A1) and press Create.
3. Fill in the required Short Text field.
4. Insert the special characteristics 0TCAACTVT, 0TCAIPROV, and 0TCAVALID by pressing the Insert Special Characteristics button.
5. Insert authorization-relevant characteristics and navigational attributes (Insert Row -> press F4 -> choose item). I described how to set InfoObjects as authorization-relevant in the previous articles.
6. Press the Details button to restrict the values and hierarchy authorization of the inserted items.
7. Save the authorization.

You must include the special characteristics 0TCAACTVT (activity), 0TCAIPROV (InfoProvider), and 0TCAVALID (validity) in at least one authorization for a user. They are used:
  • 0TCAACTVT - to restrict the authorization to activities, default value: Display;
  • 0TCAIPROV - to restrict the authorization to InfoProviders, default value: all (*);
  • 0TCAVALID - to restrict the validity of the authorization, default value: always valid (*).
If you want to authorize access to key figures, add the 0TCAKYFNM characteristic to the authorization. It is important to know that if this characteristic is authorization-relevant, it will always be checked during query execution.

0BI_ALL authorization

The 0BI_ALL authorization includes all authorization-relevant characteristics. It is automatically updated whenever you set a BI InfoObject as authorization-relevant. Use this authorization for users who are allowed to execute all queries.

Assigning authorization to a user

You may assign an authorization directly to a user or to a role. To assign it directly, use TCode RSECADMIN, go to the User tab and press Assign. Enter the user name, press Change and select the authorization. To assign an authorization to a role, use TCode PFCG, enter the role name and press Change. On the Authorizations tab, change the authorization data by adding an S_RS_AUTH entry; this authorization object is what includes analysis authorizations in roles. Enter there the authorization that you previously created.

Summary

I encourage you to collect all requirements related to BI security, the structure of the organization and the authorization needs before starting authorization preparation. I have learned that it can save a lot of time. The organization's hierarchy can facilitate your work by providing structures and levels of authorization. Indirect authorization assignment can also save time because it is more flexible and easier to maintain.

SAP BI 7.0 Authorization - Part 1: InfoObjects level authorization


The new SAP BI 7.0 authorization concept (analysis authorization) changes a lot in how BI information is accessed, analyzed and displayed. The approach allows you to restrict data access at the key figure, characteristic, characteristic value, hierarchy node, and InfoCube levels. It enables more flexible data access management.

Analysis authorization is active by default in SAP BI 7.0 systems, and I think it is worth spending some time to look closer at the new concepts and features. In part one of this two-article series, I will show you how to restrict access to SAP BW reports at the InfoObject level.

Initial settings

At the beginning, activate the business content objects (TCode RSORBCT) related to authorizations:
  • InfoObjects 0TCA*
  • InfoCubes 0TCA*
and set the following InfoObjects as Authorization-Relevant:
  • 0TCAACTVT (activity, such as Display)
  • 0TCAIPROV (InfoProvider authorization)
  • 0TCAVALID (validity period of the authorization)
  • 0TCAKYFNM (if you want to restrict access to key figures)

Characteristics authorization

Use TCode RSA1 and go to Modelling -> InfoObjects. Display the properties of the characteristic to which you want to restrict access and set it as Authorization-Relevant.


Characteristics values authorization

To authorize characteristic values, you need to create a new authorization object through TCode RSECADMIN. The following steps (originally illustrated with screenshots) show how to allow users to access specific sales organizations (e.g., New York, San Francisco, Dallas).
1. Create a new authorization object (e.g., Z_SORG_B).
2. Choose the characteristic and press the Details button.
3. Select the sales organizations (e.g., 1612 - New York, 1614 - San Francisco, 1615 - Dallas). Available operators: EQ - single value, BT - range of values, CP - pattern ending with (*) (e.g., abc*). You also have the option to Include (I) or Exclude (E) values.

Attributes authorization

To authorize navigational attributes, set them as Authorization-Relevant.

Hierarchies authorization

To grant authorization at the hierarchy level, edit or create an authorization object (e.g., Z_SORG_B), add the hierarchy and its nodes, and choose the type of authorization.

Key figure authorization

To grant authorization to a particular key figure, add the special object 0TCAKYFNM to the authorization object (e.g., Z_SORG_B) and choose the key figure to be authorized.

Summary

InfoObject-level authorization gives you great flexibility, but keep the system limitations in mind. Avoid setting too many characteristics as authorization-relevant (more than 10 in a query). All marked characteristics are checked for existing authorizations if they are in the query or in the InfoProvider that is being used. Too many authorization objects may slow query execution. The exception is characteristics with an all (*) authorization. If you want to check which InfoObjects are authorization-relevant in your BI system, use TCode RSECADMIN -> Authorization Maintenance and display the 0BI_ALL authorization. You will find more about 0BI_ALL in the article on creating and assigning authorization.

Remember that authorizations do not work as filters do. This means that the user who is executing a query in which characteristics are authorization-relevant must have sufficient authorization for those characteristics (the "all-or-nothing" rule). The exceptions are hierarchies in the drill-down and variables which depend on authorization.

Saturday, March 8, 2014

BI Security

Step-by-Step SAP BI Security
SAP BI security is an integral part of any BI implementation. Integrating all the data coming from various source systems and providing data access based on the user's role is one of the major concerns of all BI projects.
Security of SAP R/3-ECC systems is based on activities, while SAP BI security is focused on what data a user can access. Security in BI falls into 2 major categories:
Administrative Users – The way we maintain security for administrative users is the same as ECC security, but we have additional authorization objects in the system which are defined only for BI objects.
Reporting Users – We have a separate tool (Analysis Authorization) to maintain security for reporting users.
What is an Authorization Object?
It allows the system to check whether a user is allowed to perform a certain action. Actions are defined on fields, and each field in the authorization object should pass the check. We can see all the standard BI Authorization Objects using tcode SU21 under the Business Warehouse folder.
With SAP BI 7.0 we have a new tool to maintain reporting-level security. We can access this new tool using tcode RSECADMIN, which replaces the old RSSM tool of BW 3.x.
## Below are the step-by-step instructions to create/maintain authorization objects for SAP BI Reporting:
I am covering the scenario where each employee (Sales Team) is assigned one territory number, and the data should be accessible to the employee based on their territory only. For this scenario to work we have to set a security restriction for the corresponding territory InfoObject (ZDWSLTER).
# The first step before we create any Authorization Object is to set all the InfoObjects for which we want to restrict data access as authorization-relevant.
Authorization Objects on InfoObjects of type Characteristic:
# To access the new Analysis Authorization tools we use tcode RSECADMIN -> Authorizations Tab -> Maintenance Button.
# We can also use tcode RSECAUTH directly to reach the maintenance screen.
# We have to give the technical name of the Authorization Object (ZDWKJTEST) and then hit the Create button.
# The very first step of creating any Authorization Object is to add the special characteristics as fields for restriction.
# The 3 special characteristics (0TCAACTVT, 0TCAIPROV, 0TCAVALID) are mandatory for defining any Authorization Object. If we don't have them we will get no access to any InfoProvider. By default this gives us access to all InfoProviders (full access), but we can also set the value of the InfoProvider for which we want the Authorization Object to work.
# Now I am adding the InfoObject (ZDWSLTER) for which we want to add the restriction.
# We can double-click on the newly added InfoObject and define the values which we want to allow for it. We can also set a dynamic value using customer exit code, which we will cover later in this blog.
# Saving the changes.

Assigning Authorization Objects to Users:
# Go back to the previous screen (RSECADMIN) by hitting the back button, and click on the Assignment button under the User tab.
# Now we can assign the created Authorization Object to any user using this tool.
# Adding the created Authorization Object (ZDWKJTEST) to the user ZNBITSRTS. I will be using the same user throughout this blog for running any query so that it uses the restrictions applied by the Authorization Object.

# We can also assign the authorization to users through a role/profile using the standard Authorization Object S_RS_AUTH.
# We can check the Authorization Objects assigned through roles/profiles for any user using tcode RSU01, or we can use the path tcode RSECADMIN -> User tab -> Assignment -> User -> Role-based.
# A user with the Authorization Object 0BI_ALL has full access to data, and it overrides any other Authorization Object assigned to that user.
# Query on InfoProvider with Authorization Objects: below is the test query in which I added the InfoObject for which we created the test Authorization Object (ZDWKJTEST).
# I am running the query with the same user name (ZNBITSRTS) to whom we assigned the Authorization Object (ZDWKJTEST).
# The query output displays an authorization error, and we can check the error log using tcode RSECPROT.
# The log explains that we are missing some of the characteristics for the created object. Logically we might think that we are only using one characteristic in our query and we did add it to the Authorization Object, so why are we still getting an authorization error? The reason is that we always have to add all the authorization-relevant InfoObjects of the InfoProvider on which we created the query.
# Now I added all the missing InfoObjects with full access to the Authorization Object (ZDWKJTEST).
# I have restricted the query with an input-ready variable on the InfoObject territory (ZDWSLTER).
# Running the query with the same territory that I assigned to the territory field of the Authorization Object.
# The query returns output without any authorization error.
# We can check the log in RSECPROT for the last run of the query.
# Running the same query with a different territory number.
# We get an authorization error because the value which we assigned for the object is not the same as what we passed.
# Authorization Variable on Query:
Using an authorization variable we can populate the value of an InfoObject at run-time directly from the Authorization Object field's value.
# If we have an authorization variable defined for the query, then when we run the query it will not prompt us with the variable selection screen and will run the query directly for the value we defined for the field of the Authorization Object.
# Rather than assigning fixed values in the authorization object, we can also enter the technical name of a customer exit variable, starting with the '$' symbol, as the field's value; this reads the value of the authorization at query run-time from the return value of the customer exit code.
# Below is the sample code which reads the territory based on the portal login-id from the reference table which we have in our BI system:
Use of the ':' Symbol in Authorization Object Field Values:
# Now I am covering the scenario where the query does not use any InfoObject for which we have a restriction of values in the Authorization Object. I have added division as an object in the query, which has full authorization access, and now we don't have the territory object in the query anymore.
# Even though the division object has full authorization access, when we run the query we still get an authorization error.
# By checking the authorization log we can clearly see that even though the query is not using the territory InfoObject, it still checks for its value at query runtime, because this object is part of the InfoProvider on which we have defined the query.
# To avoid the authorization check for objects which are not used in the query definition, we should always add the ':' symbol to the authorization object field value. This authorizes aggregated access, i.e. it lets queries run over all values of the object as long as the object is not part of the query.
# Once we defined ':' the query works fine (without any authorization failure).
# Below is the authorization log for the same.
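The value operators and I/E signs from Part 1 (step 3 under "Characteristics values authorization"), the "all-or-nothing" rule from its summary, and the ':' aggregation value explained just above can be modelled in a few lines. The Python below is an added example, not SAP code or the author's; it is a simplified model of the check (hierarchies, authorization variables and 0BI_ALL are left out), and ZDIV_EXAMPLE and all sample values are constructed.

```python
from fnmatch import fnmatchcase

def value_allowed(value, rows):
    """One selected value against an authorization's value rows
    (sign I/E, option EQ/BT/CP, low, high): allowed when an include
    row matches it and no exclude row does."""
    included = excluded = False
    for sign, option, low, high in rows:
        if option == "EQ":
            hit = low == "*" or value == low     # '*' = all values
        elif option == "BT":
            hit = low <= value <= high
        elif option == "CP":
            hit = fnmatchcase(value, low)        # pattern such as abc*
        else:
            raise ValueError(f"unknown option {option}")
        if hit and sign == "I":
            included = True
        elif hit:
            excluded = True
    return included and not excluded

def check_query(auth, provider_chars, selection):
    """auth: {characteristic: rows} merged from the user's authorizations.
    provider_chars: every authorization-relevant characteristic of the
    InfoProvider; each is checked even when absent from the query.
    selection: {characteristic: [values]} for characteristics in the query.
    Returns (authorized, failed_characteristics) like an RSECPROT log."""
    failed = []
    for char in provider_chars:
        rows = auth.get(char)
        if rows is None:                          # no authorization at all
            failed.append(char)
        elif char in selection:                   # all-or-nothing rule
            if not all(value_allowed(v, rows) for v in selection[char]):
                failed.append(char)
        elif not any(s == "I" and o == "EQ" and lo in ("*", ":")
                     for s, o, lo, _ in rows):    # aggregated: needs ':' or '*'
            failed.append(char)
    return not failed, failed

# Constructed sample: territory ZDWSLTER (named in the post) and a
# hypothetical division characteristic ZDIV_EXAMPLE are both relevant.
PROVIDER_CHARS = ["ZDWSLTER", "ZDIV_EXAMPLE"]
USER_AUTH = {
    "ZDWSLTER": [("I", "EQ", "1612", ""), ("I", "BT", "1614", "1615"),
                 ("E", "EQ", "1615", ""), ("I", "EQ", ":", "")],
    "ZDIV_EXAMPLE": [("I", "EQ", "*", "")],
}
```

With this sample, `check_query(USER_AUTH, PROVIDER_CHARS, {"ZDIV_EXAMPLE": ["D1"]})` passes only because of the ':' row on ZDWSLTER, and a selection of 1612 together with the excluded 1615 fails as a whole rather than being filtered.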
Authorization Objects on InfoObjects of type Key Figure:
# I created one test query with 2 key figures as output.
# Output of the query.
# We can restrict this query to show the data for only one key figure. For this we just have to add the required key figure (Record Count - ZDWCOUNT) as the value for the field 0TCAKYFNM of our test authorization object (ZDWKJTEST).
# Now if we run the same query it will not show data for any key figure except the one which we added in the authorization object definition.
# The log also explains the reason for the authorization error on the 2nd key figure.
Authorization Objects on InfoObjects of type Hierarchy:
# I assigned the brand hierarchy to the same test query.
# When we run the query it shows data for all the brands as well as the not-assigned brands.
# We can restrict the hierarchy using the Authorization Object to show data only for the 1st node of the displayed hierarchy.
# Assigned the node.
# Selected the Type of Authorization as '1', which allows the hierarchy to show all the nodes below the selected node.
# After adding the authorization on the brand hierarchy, we now only see the data for the node which we restricted in the hierarchy authorization value.
