Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
SAP BI Authorizations
Aligning access rights in SAP R3 & BI through a uniform authorization concept
Agenda
1. Introduction
2. ERP System Concepts 3. BI System Concepts 4. Main BI Challenges 5. Lessons Learned 6. Questions & Answers 7. Contact
9/8/2010
Goals
Understand BW Authorizations design strategies Understand the different challenges Understand the different solutions
Conceptual Target audience: BW project stakeholders Technical design level, but no implementation focus
9/8/2010
Transactions (OLTP) Focus is high volume of small business transactions Fast transaction processing Data integrity Availability of system Users access a high number of different transactions
9/8/2010
Limitations on position in the organization company code, plant, warehouse, purchasing organization, ACME, Inc
Purchasing org US Purchasing org EU
Plant Chicago
7
Plant Milwaukee
Plant Global
Plant Dusseldorf
Plant Antwerp
2010 Deloitte Belgium
Transaction
Two-layered check Transaction code Coarse check if a user can use a transaction
Transaction leads to a program
Pass or Error
Authorization object Detailed checks on how a user can use a program Values control where in the organization a user can use a program
8 Aligning access rights in SAP R3 & BW through a uniform authorization concept
2010 Deloitte Belgium
9/8/2010
Receive Goods
Pass or Error
Example:
1. 2. 3. 4. 5. User executes transaction code to receive goods. System checks if the user has this transaction in his roles. System checks if the user has authorization objects to receive goods. User enters goods movement details. System checks if the user has authorization objects to create a goods movement for this plant, of the requested movement type, etc.
Aligning access rights in SAP R3 & BW through a uniform authorization concept
2010 Deloitte Belgium
BI System Concepts
9/8/2010
BI System focus
Analysis (OLAP) Focus is data analysis Flexibility of reporting Response time Users access a limited number of queries Same limitations should apply Functionally Organizationally
11
RFC
HTTP
SAP BW
SAP BW Content
SAP ABAP
SAP EP
ERP SYSTEM
12
SAP BW System
9/8/2010
SAP BI InfoArea
Links in ABAP Roles appear in BEX menu Workbook 1 Links in Portal iViews ... ...
InfoProvider
Query 1
Workbook N
Query N
13
Analysis Authorizations AA to InfoProvider Performed after ABAP checks Access to InfoProviders AA to data Access to data analysis of WHERE-clause in SQL statement
14 Aligning access rights in SAP R3 & BW through a uniform authorization concept
2010 Deloitte Belgium
9/8/2010
Main BI Challenges
(and Solutions)
Challenge Align functional level of access between ERP and BI Solution Role Naming Strategy
Challenge Align organizational level of access between ERP and BI Solution Organizational Design Strategy
Challenge Align AAs with ABAP auths in BI Solution BI Role design strategy
16
9/8/2010
Clarity needed Logic in naming convention Role mapping document Simplify user maintenance User administrators dont want guidelines to the guidelines Assurance on user access Users get appropriate reporting access Functional Domain in ERP Functional Level in ERP
17
ACME, Inc
Purchasing organization US
Purchasing organization EU
Plant Chicago
Plant Milwaukee
Plant Global
Plant Dusseldorf
Plant Antwerp
2010 Deloitte Belgium
18
9/8/2010
ERP
High High Yes No
BI
Very low Very low No Yes
Number of different objects Based on different tasks Based on general access to data
Links
BI
Data
Queries
19
BEX Analyzer
Client OS
SAP BI 7.0
++Only one system to maintain -- Cumbersome maintenance to ABAP menu roles - Less user friendly
20
10
9/8/2010
BEX Analyzer
Web Browser
Client OS
Client OS
SAP BI 7.0
-- Roles for Portal and ABAP backend need to be aligned + iView maintenance is easier than ABAP menu role maintenance ++Very user friendly
21
Client OS
SAP BI 7.0
-- Roles for Portal and ABAP backend need to be aligned - Portal has performance impact + iView maintenance is easier than ABAP menu role maintenance + User friendly
22 Aligning access rights in SAP R3 & BW through a uniform authorization concept
2010 Deloitte Belgium
11
9/8/2010
Organizational Unit
Depends on
More composites
Composite Role
Depends on
Complex composites
BEX Connection
Menu Role
AA InfoProviders
AA Data
Basic Authorizations
Workbooks
Access to BI Backend
23
Access to queries
Access to data
2010 Deloitte Belgium
24
12
9/8/2010
Lessons Learned
25
Lessons Learned
Manage requirements Use a risk-based approach If it takes a day to explain to an expert, its probably not going to work Use menus What a user sees must work Users need easy access Stable environment preferred If queries move or change, authorization requirements may change
26
13
9/8/2010
27
Thought Leaders
Melissa Dielman
mdielman@deloitte.com Deloitte Enterprise Risk Services Direct: + 32 2 800 24 38 Main: + 32 2 800 22 57 Fax: + 32 2 800 24 01
Pieter Lenaerts
plenaerts@deloitte.com Deloitte Enterprise Risk Services Direct: + 32 2 800 27 26 Main: + 32 2 800 22 57 Fax: + 32 2 800 24 01
28
14