PUBLIC
Warning
This document has been generated from the SAP Help Portal and is an incomplete version of the official SAP product documentation. The information included in custom documentation may not reflect the arrangement of topics in the SAP Help Portal, and may be missing important aspects and/or correlations to other topics. For this reason, it is not for productive use.
https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=22272790&topics=4f0b56878a585f86e10000000a4… 1/18
4/29/2020
Caution
This guide does not replace the manual for daily operations, which customers should create for their own productive
operations.
Target Group
Technical Consultants
System Administration
SAP NetWeaver BW integrates, transforms, and consolidates data from all areas of an enterprise so that it can then provide this information for analysis, interpretation and distribution. This includes confidential corporate data, such as personal data from personnel administration. This data forms the basis of decisions and target-oriented actions in all enterprise areas. Secure data access and data integrity are therefore of paramount importance.
The following examples illustrate some of the risks that the BW system can be exposed to:
Attacks from the Internet or intranet when using SAP BEx Web functionality and Web services
This guide describes the security-related aspects of the usage types BW ABAP and BI Java, which are based on the usage types
AS ABAP and AS Java. The guide describes additional security information or security information that deviates from the
information that applies to the usage types AS ABAP and AS Java.
Application Server for ABAP: SAP NetWeaver Application Server ABAP Security Guide
Application Server for Java: SAP NetWeaver Application Server for Java Security Guide
For more information, see User Administration and Authentication → User Management in the SAP NetWeaver Security Guide.
Users
Caution
Change initial passwords after installation to ensure that standard users cannot be misused.
Standard users that are specified when Application Server Java is installed.
For more information, see User Administration and Authentication → User Administration and Standard Users in the SAP NetWeaver Application Server for Java Security Guide.
Caution
Change initial passwords after installation to prevent misuse of standard users.
The following table provides an overview of additional users required when using BW and SAP BEx. These users do not form part of
the standard delivery and do not have default passwords.
SAP Source System: Background Users in the SAP Source System (Technical User). The background user in the SAP source system is used for communication with BW and for the extraction of data.
More information: Analysis Authorizations
For more information, see User Administration and Authentication → User Administration and Single Sign-On in the SAP NetWeaver Security Guide.
BW uses a user ID and a password for logon (see Logon and Password Protection in SAP Systems ).
BW supports SAP login tickets. To make Single Sign-On available for several systems, users can obtain an SAP logon ticket after
logging on to the SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication
token. The user does not need to enter a user ID or password for authentication but can access the system directly after the
system has checked the logon ticket.
As an alternative to user authentication with user ID and password, users of Internet applications via the Internet Transaction Server (ITS) can provide X.509 client certificates. User authentication then takes place on the Web server using the Secure Sockets Layer protocol (SSL). No passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
The portal is the central entry point for users in SAP NetWeaver. It supports and issues SAP logon tickets. BEx Web applications
are usually called from the portal. The integration of BW and the portal enables access from BW too, where Single Sign-On is also
supported.
The following graphic illustrates the interaction between BW and the portal in terms of single sign-on:
Overview: Portal (explicit authentication at the portal; Web browser receives portal ticket) → BEx Web application (implicit authentication in BW with portal ticket)
The following settings have to be made for Single Sign-On when calling BEx Web applications from the portal:
The BW system must have imported the portal certificate in order to authenticate tickets from the portal.
See also:
SAP Customizing Implementation Guide → SAP NetWeaver → SAP NetWeaver Business Warehouse → Settings for Reporting and Analysis → BEx Web → Integration into the Portal → Exporting the Portal Certificate in the Portal
if they were registered for execution when data was changed, and the data change event was triggered from a process
chain
A scheduling user has registered or scheduled broadcast settings for another user.
the authorized user in the broadcast setting is not the scheduling user
the broadcast setting requires user-specific execution for users other than the scheduling user
For security reasons, the system runs a check during processing to ensure that the scheduling user is authorized to schedule
background tasks for the other user(s) (authorization object S_BTCH_NAM).
A job can be executed in the background under various user names, which means the HTML documents are generated according to user-specific authorizations.
Storage in a Knowledge Management folder is triggered using an RFC call from ABAP to Java. Authentication is performed by automatically generating SAP logon tickets. Automatic generation is defined in the RFC destination. The corresponding user must have write authorization for the selected Knowledge Management folder.
When using distribution by e-mail and precalculation of BEx workbooks with Microsoft Excel, no portal functions are required.
BEx Broadcaster is a special Web item that behaves like a normal BEx Web application and runs in SAP BEx. Input help is provided for selecting a Knowledge Management folder to store the precalculated documents. This is implemented as a portal iView (com.sap.ip.bi.portalnavigation.folderselection).
If BEx Broadcaster is called directly in the Web browser, authentication is required in the BW system. When the input help is called
for the KM folder, a second authentication is required in the portal.
If BEx Broadcaster is called in the portal, authentication takes place implicitly with the BW system if the appropriate Single Sign-On has been set up between the portal and BI (see Calling BEx Web Applications from the Portal).
If the settings have been made, the portal accepts tickets from the BW system. There is then no explicit authentication in the portal (described under point 1) when you call input help.
Multiple portals can be connected to a BW system. See SAP Customizing Implementation Guide → SAP NetWeaver → SAP
NetWeaver Business Warehouse → Settings for Reporting and Analysis → BEx Web → Integration into the Portal → Maintain Portal
Server Settings for the Portal. The portal that is designated as the standard portal is used when the input help for the KM folder is
called.
To get this personalized information from the portal in BEx Web Application Designer, the user in the BW system has to be
assigned a user in the portal. Assignment is not necessary if the technical user name in the portal and in BW are identical. After
assignment, the portal user has to be authenticated. Authentication takes place using the BW ticket that BEx Web Application
Designer receives during explicit logon. The portal requires the BW certificate to validate the BW tickets.
Overview: BEx Web Application Designer (explicit authentication in BW system, BW ticket available) → Portal (implicit authentication on the portal with BW ticket)
For publication to the portal in BEx Web Application Designer, the following settings must be made:
The portal must have imported the BW system certificate in order to authenticate tickets from BW.
You must configure the user assignment in the portal if the technical user names are not the same.
See also:
SAP Customizing Implementation Guide → SAP NetWeaver → Business Intelligence → Settings for Reporting and Analysis → BEx
Web → Integration into the Portal
Authorizations
Use
To ensure that SAP NetWeaver BW represents the structure of your company and meets your company's requirements, you have to define who has access to what data. There are two different authorization concepts for this, depending on the role and tasks of the user:
Standard Authorizations
You use these authorizations for the various SAP NetWeaver BW tools, in the Data Warehousing Workbench or in BEx
Query Designer for example. The authorization concept for standard authorizations is based on the AS ABAP authorization
concept.
Analysis Authorizations
You use these authorizations to provide access to transaction data belonging to authorization-relevant characteristics, to
sales data for example. Authorizations of this type are not based on the AS ABAP authorization concept. They use their
own concept based on the needs of BW reporting and analysis instead.
Critical Authorizations
Authorization: 0BI_ALL (authorization for all values of all authorization-relevant characteristics)
Description: Every user with this authorization can access all the data at any time. Every user who has a profile containing authorization object S_RS_AUTH and who has entered 0BI_ALL (or has included it using an asterisk (*), for example) has complete access to all data. For more information, see the documentation for analysis authorizations, under Assigning Authorizations to Users.
If you use authorization templates, note that some of these have wide-ranging authorizations:
S_RS_RDEAD (BW Role: Administrator (Development System)): This authorization template contains wide-ranging authorizations on authorization object S_RFC.
S_RS_RDEMO (BW Role: Modeler (Development System)): This authorization template contains authorizations for all InfoProviders on authorization object S_RS_COMP.
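The wildcard and range cases behind 0BI_ALL are easy to miss in a role review. The script below is an added example, not SAP code: it audits a constructed role-authorization export for roles that reach 0BI_ALL through S_RS_AUTH and for S_RFC values that are a full wildcard, as in the templates listed above. The export layout, the field names BIAUTH and RFC_NAME, and all role names are assumptions.

```python
"""Audit a role-authorization export for the critical BW values the guide names.

Added example, not SAP code. Records mimic a role-authorization export
(role, object, field, low, high); the field names BIAUTH (S_RS_AUTH) and
RFC_NAME (S_RFC) and all role names are assumptions / constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class AuthValue:
    role: str
    obj: str
    field: str
    low: str
    high: str = ""  # non-empty: inclusive range LOW..HIGH instead of a single value


def value_covers(name: str, low: str, high: str = "") -> bool:
    """Does one authorization value (or range) cover `name`?

    A sole '*' covers everything and a trailing '*' is a prefix wildcard,
    which is how a role can include 0BI_ALL without naming it explicitly.
    """
    if high:
        return low <= name <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return name.startswith(low[:-1])
    return name == low


def roles_covering(records: Iterable[AuthValue], obj: str, field: str,
                   name: str) -> List[str]:
    """Sorted roles whose values for obj/field cover `name`."""
    return sorted({r.role for r in records
                   if r.obj == obj and r.field == field
                   and value_covers(name, r.low, r.high)})


def roles_granting_0bi_all(records: Iterable[AuthValue]) -> List[str]:
    """Roles giving complete data access via S_RS_AUTH / 0BI_ALL."""
    return roles_covering(records, "S_RS_AUTH", "BIAUTH", "0BI_ALL")


def roles_with_generic_rfc(records: Iterable[AuthValue]) -> List[str]:
    """Roles whose S_RFC RFC_NAME value is the full wildcard '*'."""
    return sorted({r.role for r in records
                   if r.obj == "S_RFC" and r.field == "RFC_NAME"
                   and r.low == "*" and not r.high})


# Constructed sample export: four roles, three of which reach 0BI_ALL.
SAMPLE = [
    AuthValue("Z_BW_ADMIN", "S_RS_AUTH", "BIAUTH", "*"),         # sole wildcard
    AuthValue("Z_BW_ADMIN", "S_RFC", "RFC_NAME", "*"),
    AuthValue("Z_BW_REPORT", "S_RS_AUTH", "BIAUTH", "0BI*"),     # prefix wildcard
    AuthValue("Z_BW_RANGE", "S_RS_AUTH", "BIAUTH", "0A", "0Z"),  # range hides it
    AuthValue("Z_BW_SALES", "S_RS_AUTH", "BIAUTH", "Z_SALES_EU"),
    AuthValue("Z_BW_SALES", "S_RFC", "RFC_NAME", "RSRT*"),
]

if __name__ == "__main__":
    print("0BI_ALL via S_RS_AUTH:", roles_granting_0bi_all(SAMPLE))
    print("generic S_RFC:", roles_with_generic_rfc(SAMPLE))
```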
More Information
Authorizations in the Documentation for SAP NetWeaver BW
makes it possible for a user to gain access to more authorizations than s/he would normally have. This transaction should
therefore be specially protected using authorization object S_RSEC.
Note that when you create and edit the ABAP routine in an analysis process, S_DEVELOP is not checked. You need authorization
for the authorization object RSANPR and activity 36 (extended maintenance).
In productive systems in particular, this can result in a situation where unauthorized users can edit and execute ABAP routines.
Front end and application server: RFC; see Security Guide RFC/ICF
Application server and application server: RFC; see Security Guide RFC/ICF
SAP J2EE Engine and application server: RFC; see Security Guide RFC/ICF
When using Web applications, we recommend that you switch on encryption for HTTPS.
Communication Destinations
Use
Connection destinations are required in the following BI areas:
BEx Web
Using TREX
These destinations are not usually shipped with the software. Instead, they are created on the customer's system.
If you want to connect SAP systems and non-SAP data sources (as source systems) to BW, you usually need RFC
destinations.
To use UD Connect, you need an RFC destination to the Application Server Java. For more information, see BW
Customizing under UDI Settings by User Scenarios UD Connect Settings .
The Myself BW destination is automatically created when the BW Data Warehousing Workbench is opened for the first time.
The BW background user and the background user in the source system are responsible for communication between BW and source systems (in the case of SAP source systems). The BW background user requires the S_BI-WHM_RFC authorization profile. The background user in the SAP source system requires the S_BI-WX_RFC authorization profile. For more information, see Authorization Profiles for Background Users.
Network Security
Use
For information about network security aspects when using BW, see Network and Communication Security in the SAP NetWeaver Security Guide.
We recommend using firewalls to control the network traffic in your system landscape. A firewall comprises hardware and software components that specify which connections are permitted between communication partners. The firewall only allows the specified connections to be used; all others are blocked. For more information, see Using Firewall Systems for Access Control in the SAP NetWeaver Security Guide.
To secure RFC connections or connections with Internet protocols, we recommend using Secure Network Communications (SNC) or Secure Sockets Layer (SSL).
ICF Services
ICF services are based on the Internet Communication Framework (ICF) of the SAP NetWeaver Application Server. ICF services
are HTTP services that are used to execute HTTP request handlers. The BW HTTP services allow you to display or exchange BW
data using a URL. Some of these services are implemented as Web services.
The URL of an HTTP service delivered in a BW namespace has the following structure:
<Protocol>://<Server>:<Port>/sap/bw/<Service>
URL Prefix
The values used for the placeholders in the specified URL schema depend on the installation. For <Protocol>, http or https can be selected. For <Server>, enter your message server.
You can check which URL pre x your BW system has generated as follows:
4. As import parameter I_HANDLERCLASS, enter the name of the ICF handler (HTTP Request Handler) for the required
service.
Note
You can find out the name of the ICF handler in Maintenance of Services (transaction SICF). Navigate to the required service component in the HTTP service tree. Double-click to open the Change/Create a Service dialog box. The HTTP request handler for the service is displayed on the Handler List tab page.
5. Choose Execute. Export parameter E_URL_PREFIX contains the generated URL prefix.
Service:
Enter the technical name of the required service here. The name comprises all the elements of the path in the HTTP service tree
(transaction SICF).
Note
To check this, navigate to the required service component in Service Maintenance (transaction SICF). If the service is active,
you cannot select the Activate Service entry in the context menu.
Delivered Service
Under /sap/bc/webdynpro, you can find the service for viewing the Web Dynpro-based metadata repository (see Analyzing Metadata with the Metadata Repository).
Under /sap/bc/webdynpro/sap, you can find the WDA_EQ_manager service. You need this in order to use the Easy Query Manager (see Configuring Easy Queries).
The Web services that you have created are also not located in the BW namespace (see Transferring Data via Web
Services).
If end users evaluate data using Microsoft EXCEL, they can also store data locally. The end user has to make sure that no
unauthorized person can access the locally stored data.
If evaluations and analyses are called using BEx Web applications, the data is displayed in a Web Browser. The data is then stored
in a browser cache. We recommend always deleting the browser cache after evaluating data.
You can protect the data from being accessed by unauthorized end users by assigning analysis authorizations. In the default setting, data is not protected. You can, however, flag InfoObjects in BW as authorization-relevant (see Tab Page: Business Explorer). Data can then only be accessed if the user has the required authorizations.
Data in BW is mainly accessed for read purposes. In planning, however, data is also modified. More information: Planning Engine.
Protecting Access to the File System Using Logical Paths and File Names
In transaction RSCRM_BAPI, query extracts can be created by writing the query results to files on the application server. To maintain system integrity, it is important to specify explicitly where these files will be stored. This is done by specifying logical paths and file names that are assigned to the physical paths. This assignment is validated at runtime to ensure that files are generated in the correct name range.
The following lists show the logical file names and paths used in this context and the programs that these file names and paths apply to:
The following logical file name has been created in order to enable validation of physical file names:
RSCRM_FILE_EXTRACT_PATH
Programs that use this logical path name and the parameters used in this context:
RSCRM_BAPI_REMOTE
CL_RSCRMBW_TOOLS
The logical file name listed above uses the logical path name RSCRM_FILE_EXTRACT_PATH.
We recommend defining the physical path that is assigned to the temporary directory.
Activate Validation of Logical Paths and File Names
These logical paths and file names are specified in the system for the corresponding programs. To ensure downward compatibility, validation at runtime is deactivated by default. To activate validation at runtime, specify the physical path with transactions FILE (non-client-specific) and SF01 (client-specific). To find out which paths are used by your system, you can activate the relevant settings in the security audit log.
More information:
Protecting Access to the File System Using Logical Path and File
Data Protection
BEx Web applications can be implemented either as stateful or stateless applications. For stateful Web applications, the BEx Web runtime uses session cookies to combine independent requests (the function calls in a Web application, for example navigation steps) into one session. These cookies are called sap-contextid. The cookie contains a generated ID as its value; this ID allows the relevant session to be identified on the server. The session cookie is a temporary cookie: it is deleted automatically when the browser window is closed. The server also has a timeout parameter; after the timeout, the session cookie is invalid and can no longer be used for navigating in a Web application. Using the Web template attribute NO-SESSION_COOKIE, you can instead have the session coding carried in the URL of the Web application, in which case no session cookies are generated. To ensure that the Web application uses the session coding in the URL, set the NO-SESSION_COOKIE attribute to X.
The Spanish data protection law Ley Orgánica de Protección de Datos de Carácter Personal (LOPD) stipulates certain rules that companies have to observe when processing, saving and handling personal data. These rules involve logging all access to highly sensitive personal data. SAP NetWeaver BW provides a mechanism for LOPD logging of access to data in reporting and planning applications. For more information, see SAP Note 933441.
Minimum Installation
Use
SAP BEx uses JavaScript in the Web browser when executing Web applications. For a minimum configuration, you have the option of deactivating JavaScript. However, we recommend that you do not deactivate JavaScript. Deactivating JavaScript means that it is no longer possible to use all of the Web items and dialogs on the Web. Navigation options in Web applications would also be considerably restricted.
The following tables are used to log changes to analysis authorizations and other authorization-related activities:
RSUDOLOG
This table contains log information about execution of a query (or other transaction) in the administration transaction for analysis
authorizations in Query Monitor (transaction RSRT) by one user for another.
For further information about executing transactions (especially RSRT) with another user, see Management of Analysis
Authorizations and Checking Analysis Authorizations as Another User.
User name of the user who has executed a transaction under another user name
Password prompt flag
Session ID
Time stamp
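One way to review RSUDOLOG entries, added here as an example and not part of SAP's documentation: the script below triages constructed RSUDOLOG-style rows (executing user, target user, password prompt flag, session ID, time stamp; this row layout and the user names are assumptions) and lists each session that ran without a password prompt, was started by a user outside an approved set, or targeted a privileged user.

```python
"""Triage RSUDOLOG-style records: transactions executed under another user name.

Added example, not SAP code. The row layout (executing user, target user,
password-prompt flag, session id, timestamp) is an assumption built from the
fields the guide lists for RSUDOLOG; every row and user name is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class RsudoEntry:
    executing_user: str  # user who ran the transaction under another name
    target_user: str     # user name the transaction was executed under
    pwd_prompt: bool     # password prompt flag ('X' = password was requested)
    session_id: str
    timestamp: datetime


# Constructed export, semicolon separated, header line first.
SAMPLE_EXPORT = """EXEC_USER;TARGET_USER;PWD_PROMPT;SESSION_ID;TIMESTAMP
BWADMIN01;SALESUSER7;X;0A1F;20200429091502
BWADMIN01;SALESUSER7;;0A20;20200429091600
DEVUSER3;BWADMIN01;X;0A21;20200429101200
DEVUSER3;HRUSER2;;0A22;20200429101900
"""

# Assumed policy: who may run checks as another user, and whose identity
# must never be the target of such a run.
APPROVED_EXECUTORS = {"BWADMIN01"}
PRIVILEGED_USERS = {"BWADMIN01"}


def parse_export(text: str) -> List[RsudoEntry]:
    """Parse the constructed export into entries (skips the header line)."""
    entries = []
    for line in text.strip().splitlines()[1:]:
        exec_user, target, flag, session, ts = line.split(";")
        entries.append(RsudoEntry(exec_user, target, flag == "X", session,
                                  datetime.strptime(ts, "%Y%m%d%H%M%S")))
    return entries


def triage(entries: List[RsudoEntry], approved=APPROVED_EXECUTORS,
           privileged=PRIVILEGED_USERS) -> Dict[str, List[str]]:
    """Map session id -> reasons it deserves review (empty dict = nothing to review)."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.executing_user not in approved:
            reasons.append("executing user not approved")
        if not e.pwd_prompt:
            reasons.append("no password prompt")
        if e.target_user in privileged:
            reasons.append("target user is privileged")
        if reasons:
            findings[e.session_id] = reasons
    return findings


def pair_counts(entries: List[RsudoEntry]) -> Counter:
    """How often each (executing user, target user) pair occurs."""
    return Counter((e.executing_user, e.target_user) for e in entries)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for session, why in sorted(triage(rows).items()):
        print(session, ", ".join(why))
    print(pair_counts(rows).most_common(3))
```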
RSECVAL_CL
This table contains log information about changes to value authorizations. The log data includes the following:
Session ID
RSECHIE_CL
This table contains log information about changes to hierarchy authorizations. The log data includes the following:
Hierarchy-specific data
Session ID
RSECUSERAUTH_CL
This table contains log information about the assignment of analysis authorizations by users in the administration transaction for
analysis authorizations.
More information: Assigning Information to Users
Authorization
Time stamp
Session ID
Note
You can analyze changes to value and hierarchy authorizations and to user-user authorization assignments using
InfoProviders from the technical content. More information: Change Documents (Legal Auditing).
RSECTXT_CL
This table contains log information about changes to authorization texts. The log data includes the following:
Session ID
RSECSESSION_CL
This table contains log information about user activities in the session, including the date and time of any changes made. You can use this table to find out which user values, hierarchy authorizations or authorization texts have been changed.
SAP NetWeaver BW provides a mechanism for logging access in reporting and planning applications that is security-relevant in accordance with the Spanish data protection law Ley Orgánica de Protección de Datos de Carácter Personal (LOPD). For more information, see SAP Note 933441.
SAP BEx uses JavaScript on the client computer in the Web browser, when executing Web applications.
Information broadcasting uses the SAP NetWeaver interface SAPconnect to create and send e-mails with BEx objects. This interface does not support encryption or certificates. E-mails created in the SAP system using Information Broadcasting are therefore not encrypted and do not carry certificates.
However, SAP supplies you with an additional product from another provider (the Secure Email Proxy), which allows you to
encrypt e-mails.
More information: SAPconnect . In particular, see the information under Secure E-Mail .
Features
The BW Security Manager for Documents ensures secure access to documents in the portal by creating a connection to the BW
system and checking the user access authorizations in the back end. This means that you do not need to maintain any additional
authorization in KM and can ensure that users in KM can only display documents for which they have authorization.
The authorization checks performed by the BW Security Manager for Documents can reduce system performance.
The standard ACL Security Manager is faster in terms of performance, but is not suitable since it requires that the authorizations
in the portal and in the BW system are maintained twice.
If you only want to use documents within BW applications, you do not need a security manager. In the dropdown box, choose "Not
Set".
In KM you are using an iView for the document search. There are 20 documents in your BW system; ten of these, however, contain confidential information that should not be accessible to all users. If you choose the BW Security Manager for Documents for the CM repository, authorization checks are performed for all 20 documents. If users do not have authorization for the ten confidential documents, they are denied access to these documents and can only display the ten documents that do not contain confidential information in KM.
Activities
To call the BW Security Manager for Documents configuration, choose System Administration → System Configuration → Knowledge Management → Repository Managers → CM Repository.
1. Set the indicator for the CM repository for which authorizations are to be checked in the BW system when documents are
accessed.
The properties of the CM repository are displayed in the lower area of the screen.
3. In the dropdown box for the security manager, choose BW Document Security Manager.