
4/29/2020

Security Guide SAP NetWeaver BW


Generated on: 2020-04-29

SAP NetWeaver 7.3 EHP1 | SPS26

PUBLIC

Original content: https://help.sap.com/viewer/1de08d48cf494e57a4278028103c7d83/7.31.26/en-US

Warning

This document has been generated from the SAP Help Portal and is an incomplete version of the official SAP product
documentation. The information included in custom documentation may not reflect the arrangement of topics in the SAP Help
Portal, and may be missing important aspects and/or correlations to other topics. For this reason, it is not for productive use.

For more information, please visit the https://help.sap.com/viewer/disclaimer.

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=22272790&topics=4f0b56878a585f86e10000000a4… 1/18

Security Guide for SAP NetWeaver BW


Use

 Caution
This guide does not replace the manual for daily operations, which customers should create for their own productive
operations.

Target Group

Technical Consultants

System Administration

Why is Security Necessary?

SAP NetWeaver BW integrates, transforms, and consolidates data from all areas of an enterprise so that it can then provide this
information for analysis, interpretation and distribution. This includes confidential corporate data, such as personal data from
personnel administration. This data forms the basis of decisions and target-oriented actions in all enterprise areas. Secure data
access and data integrity are therefore of paramount importance.

The following examples illustrate some of the risks that the BW system can be exposed to:

Attacks from the Internet or intranet when using SAP BEx Web functionality and Web services

Infringement of data protection guidelines as a result of unauthorized access to personal data

About this Guide

This guide describes the security-related aspects of the usage types BW ABAP and BI Java, which are based on the usage types
AS ABAP and AS Java. The guide describes additional security information or security information that deviates from the
information that applies to the usage types AS ABAP and AS Java.

The table below provides an overview of other relevant security guides:

Application                   Security Guide

Application Server for ABAP   SAP NetWeaver Application Server ABAP Security Guide

Application Server for Java   SAP NetWeaver Application Server for Java Security Guide

Enterprise Portal             Portal Security Guide

Knowledge Management          Knowledge Management Security Guide

Process Integration           SAP NetWeaver Process Integration Security Guide

User Management and Authentication


User Management
Use
BW uses the user management function that is delivered for the ABAP and Java SAP NetWeaver Application Platforms.

For more information, see User Administration and Authentication → User Management in the SAP NetWeaver Security Guide.

Users

Standard users that are created when the BW system is installed

More information: Protecting Special Users.

Caution
Change initial passwords after installation to ensure that standard users cannot be misused.

Standard users that are specified when Application Server Java is installed.

For more information, see User Administration and Authentication → User Administration and Standard Users in the SAP
NetWeaver Application Server for Java Security Guide.

Caution
Change initial passwords after installation to prevent misuse of standard users.

Users in BW and SAP Source Systems

The following table provides an overview of additional users required when using BW and SAP BEx. These users do not form part of
the standard delivery and do not have default passwords.

System: BW
User: Database Users
Description: For more information on database users, see Operating System and Database Platform Security Guides in the SAP NetWeaver Security Guide.

System: BW
User: Background Users in BW
Type: Technical User
Description: The background user in BW is used for communication with the BW source systems, for the extraction of data, and for background processes in BW. You create the background user in Customizing in SAP NetWeaver BW and assign it a password (under Automated Processes → Create User for Background Processes). The system prompts the user to enter a background user password when connecting to the source system. The authorization profile for the background user is S_BI-WHM_RFC (see Authorization Profiles for Background Users).

System: SAP Source System
User: Background Users in the SAP Source System
Type: Technical User
Description: The background user in the SAP source system is used for communication with BW and for the extraction of data. If you connect an SAP source system to BW, the background user is to be created in the source system. You can create the user directly in the source system in user maintenance. In BW Customizing, you can enter a name in the Implementation Guide to use as the default name for the background user when connecting a new source system (under Connections to Other Systems → Connections Between SAP Systems and BW Systems → Maintain Proposal for Users in the Source System (ALE Communication)). If the source system you are using is also a BW system, SAP recommends that you create the background user for BW and the background user for the (BW) source system completely separately. The authorization profile for the background user in the source system is S_BI-WX_RFC (see Authorization Profiles for Background Users).

System: BW
User: Administrator
Type: Individual User
Description: The BW administrator is responsible for connection to source systems, loading metadata and implementation of BW statistics. S/he develops the data model and plans and monitors the processes in BW (such as the loading process).
More information: Authorization Profiles for Working with the AWB

System: BW
User: Authors and Analysts
Type: Individual User
Description: Authors and analysts require advanced analysis functionality and the ability to perform special data analysis. To perform their tasks, they need useful, manageable reporting and analysis tools.
More information: Authorizations for Query Definition and Information Broadcasting

System: BW
User: Executives and Knowledge Workers
Type: Individual User
Description: Executives and knowledge workers require personalized, context-related information provided in an intuitive user interface. They generally work with pre-defined navigation paths, but sometimes need to perform deeper data analyses.
More information: Analysis Authorizations

System: BW
User: Information Consumers
Type: Individual User
Description: Information consumers require specific information (snapshot of a specific data set) to be able to perform their operative tasks.
More information: Analysis Authorizations

Authentication and Single Sign-On


Use
The authentication process makes it possible to check a user's identity before granting them access to BW or BW data. SAP
NetWeaver supports various authentication mechanisms.

For more information, see User Administration and Authentication → User Administration and Single Sign-On in the SAP
NetWeaver Security Guide.

Integration in Single Sign-On Environments

User ID and Password

BW uses a user ID and a password for logon (see Logon and Password Protection in SAP Systems).

Secure Network Communications (SNC)

BW supports Secure Network Communications (SNC).

SAP Logon Tickets

BW supports SAP logon tickets. To make Single Sign-On available for several systems, users can obtain an SAP logon ticket after
logging on to the SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication
token. The user does not need to enter a user ID or password for authentication but can access the system directly after the
system has checked the logon ticket.

More information: SAP Logon Tickets.

Client Certificates

As an alternative to user authentication with user ID and passwords, users who access Internet applications via the Internet Transaction
Server (ITS) can provide X.509 client certificates. User authentication then takes place on the Web server using the Secure
Sockets Layer Protocol (SSL Protocol). No passwords have to be transferred. User authorizations are valid in accordance with the
authorization concept in the SAP system.

More information: X509 Client Certificates.

Integration into the SAP NetWeaver Single Sign-On Environment

The portal is the central entry point for users in SAP NetWeaver. It supports and issues SAP logon tickets. BEx Web applications
are usually called from the portal. The integration of BW and the portal enables access from BW too, where Single Sign-On is also
supported.

The following graphic illustrates the interaction between BW and the portal in terms of single sign-on:

Calling BEx Web Applications from the Portal


Calling BEx Web applications from the portal is like calling applications from other components. Single sign-on means that you do
not have to log on to BW manually.

Overview

Portal (explicit authentication at the portal; Web browser receives portal ticket) → BEx Web application (implicit authentication in BW with portal ticket)

The following settings have to be made for Single Sign-On when calling BEx Web applications from the portal:

BW system must accept tickets

BW system must have imported the portal certificate in order to authenticate tickets from the portal

See also:

SAP Customizing Implementation Guide → SAP NetWeaver → SAP NetWeaver Business Warehouse → Settings for Reporting and
Analysis → BEx Web → Integration into the Portal

→ Configuring Single Sign-On in the BW System

→ Exporting the Portal Certificate in the Portal

→ Import the Portal Certificate to the BW System

Information Broadcasting as Background Processing
When BW objects are precalculated and distributed using background processing, BEx Web applications are executed, and the
generated HTML documents are stored in the Knowledge Management folder or distributed by e-mail.

Broadcast settings are made in the background

if they were registered for execution at a specific time

if they were registered for execution when data was changed, and the data change event was triggered from a process
chain

if they were scheduled directly in background processing

A scheduling user has registered or scheduled broadcast settings for another user.

This is the case if:

the authorized user in the broadcast setting is not the scheduling user

the broadcast setting requires user-specific execution for users other than the scheduling user

For security reasons, the system runs a check during processing to ensure that the scheduling user is authorized to schedule
background tasks for the other user(s) (authorization object S_BTCH_NAM).

A job can be executed in the background under various user names, which means the HTML documents are generated according
to user-specific authorizations.

Storage in a Knowledge Management folder is triggered using an RFC call from ABAP to Java. Authentication is performed by
automatically generating SAP logon tickets. Automatic generation is defined in the RFC destination. The corresponding user must
have write authorization for the selected Knowledge Management folder.

When using distribution by e-mail and precalculation of BEx workbooks with Microsoft Excel, no portal functions are required.

Overview

Precalculation and generation of documents (explicit authentication in the BW occurs during job scheduling) → Storage of documents in Knowledge Management (implicit authentication in the Portal with BW ticket)

More information: Broadcasting BEx Objects.

Information Broadcasting in the Web


You can use BEx Broadcaster to distribute or set the scheduling for background processing of BEx Web applications directly in the
Web.

BEx Broadcaster is a special Web item that behaves like a normal BEx Web application and runs in SAP BEx. Input help is provided
for selecting a Knowledge Management folder to store the precalculated documents. This is implemented as a portal iView
(com.sap.ip.bi.portalnavigation.folderselection).

There are three different scenarios:

1. BEx Broadcaster is Called Directly in the Web Browser

If BEx Broadcaster is called directly in the Web browser, authentication is required in the BW system. When the input help is called
for the KM folder, a second authentication is required in the portal.

Overview

BEx Broadcaster (explicit authentication in BW, Web browser receives BW ticket) → Input help (explicit authentication in the portal because the portal does not accept a BW ticket)

2. BEx Broadcaster is Called in the Portal

If BEx Broadcaster is called in the portal, authentication takes place implicitly with the BW system if the appropriate Single Sign-
On has been set up between the portal and BI (see Calling BEx Web Applications from the Portal).

Overview

Portal (explicit authentication at the portal; Web browser receives portal ticket) → BEx Broadcaster (implicit authentication in BW with portal ticket) → Input help (implicit authentication at the portal with portal ticket)

3. The settings described in Publishing to the Enterprise Portal

If the settings have been made, the portal accepts tickets from the BW system. There is then no explicit authentication in the portal
(described under point 1) when you call input help.

Overview

BEx Broadcaster (explicit authentication in BW, Web browser receives BW ticket) → Input help (implicit authentication at the portal because the portal does not accept a BW ticket)

Multiple portals can be connected to a BW system. See SAP Customizing Implementation Guide → SAP NetWeaver → SAP
NetWeaver Business Warehouse → Settings for Reporting and Analysis → BEx Web → Integration into the Portal → Maintain Portal
Server Settings for the Portal. The portal that is designated as the standard portal is used when the input help for the KM folder is
called.

Publishing to the Portal


When publishing to the portal in BEx Web Application Designer, the portal roles assigned to the user and the personal folders in
Knowledge Management are displayed.

To get this personalized information from the portal in BEx Web Application Designer, the user in the BW system has to be
assigned a user in the portal. Assignment is not necessary if the technical user name in the portal and in BW are identical. After
assignment, the portal user has to be authenticated. Authentication takes place using the BW ticket that BEx Web Application
Designer receives during explicit logon. The portal requires the BW certificate to validate the BW tickets.

Overview

BEx Web Application Designer (explicit authentication in BW system, BW ticket available) → Portal (implicit authentication on the portal with BW ticket)

For publication to the portal in BEx Web Application Designer, the following settings must be made:

The BW system must generate tickets

The portal must have imported the BW certificate of the BW system in order to authenticate tickets from BW

You must configure the user assignment in the portal if the technical user names are not the same.

See also:

SAP Customizing Implementation Guide → SAP NetWeaver → Business Intelligence → Settings for Reporting and Analysis → BEx
Web → Integration into the Portal

→ Configuring Single Sign-On in the BW System

→ Exporting the BW Certificate in the BW System

→ Importing the BW Certificate into the Portal

→ Configuring User Assignments in the Portal

Authorizations
Use
To ensure that SAP NetWeaver BW represents the structure of your company and meets your company's requirements, you have
to define who has access to what data. There are two different authorization concepts for this depending on the role and tasks of
the user:

Standard Authorizations

You use these authorizations for the various SAP NetWeaver BW tools, in the Data Warehousing Workbench or in BEx
Query Designer for example. The authorization concept for standard authorizations is based on the AS ABAP authorization
concept.

Analysis Authorizations

You use these authorizations to provide access to transaction data belonging to authorization-relevant characteristics, to
sales data for example. Authorizations of this type are not based on the AS ABAP authorization concept. They use their
own concept based on the needs of BW reporting and analysis instead.

Critical Authorizations

Critical Analysis Authorizations

Authorization: 0BI_ALL (authorization for all values of all authorization-relevant characteristics)
Description: Every user with this authorization can access all the data at any time. Every user who has a profile containing authorization object S_RS_AUTH and who has entered 0BI_ALL (or has included it using an asterisk (*), for example), has complete access to all data.

For more information, see the documentation for analysis authorizations, under Assigning Authorizations to Users.
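
The check described above can be run over an export of role authorization values. The following is an added example, not SAP code: the CSV layout, the role names and the sample rows are constructed, and the matching goes beyond the asterisk case named in the text by also treating trailing-* prefix patterns and inclusive value ranges as assumptions about how values may be entered.

```python
"""Added example: find role entries whose S_RS_AUTH value covers 0BI_ALL."""
import csv
import io

CRITICAL_AUTH = "0BI_ALL"

# Constructed sample data. The CSV layout (role, object, field, low, high) and
# the role names are assumptions for this example, not a format from the guide.
SAMPLE_EXPORT = """role,object,field,low,high
Z_BW_REPORTING,S_RS_AUTH,BIAUTH,Z_SALES_EU,
Z_BW_POWERUSER,S_RS_AUTH,BIAUTH,0BI_ALL,
Z_BW_LEGACY,S_RS_AUTH,BIAUTH,*,
Z_BW_PREFIX,S_RS_AUTH,BIAUTH,0BI*,
Z_BW_RANGE,S_RS_AUTH,BIAUTH,0A,0Z
Z_BW_MODELER,S_RS_COMP,RSINFOCUBE,*,
"""


def value_covers(low, high, target=CRITICAL_AUTH):
    """Return True if a single value, trailing-* pattern or range includes target."""
    low, high = (low or "").strip(), (high or "").strip()
    if high:
        # Range: assumed inclusive and compared as plain strings.
        lower = low.rstrip("*")
        if high.endswith("*"):
            prefix = high[:-1]
            return lower <= target and (target < prefix or target.startswith(prefix))
        return lower <= target <= high
    if low.endswith("*"):
        # "*" alone matches everything; "0BI*" matches by prefix.
        return target.startswith(low[:-1])
    return low == target


def find_full_access(export_text):
    """Return (role, low, high) for every S_RS_AUTH entry that grants 0BI_ALL."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Only the analysis-authorization object is relevant; a "*" on another
        # object (S_RS_COMP in the sample) is a different finding.
        if row["object"].strip() != "S_RS_AUTH":
            continue
        if value_covers(row["low"], row["high"]):
            findings.append((row["role"], row["low"], row["high"] or ""))
    return findings


if __name__ == "__main__":
    for role, low, high in find_full_access(SAMPLE_EXPORT):
        shown = f"{low}..{high}" if high else low
        print(f"{role}: S_RS_AUTH value {shown!r} includes {CRITICAL_AUTH}")
```
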

Critical Authorization Templates

If you use authorization templates, note that some of these have wide-ranging authorizations:

Authorization Templates:
S_RS_RDEAD (BW Role: Administrator (Development System))
S_RS_ROPAD (BW Role: Administrator (Production System))
S_RS_TREQD (BW: Load Data (ALE, IDocs, RFC, Batch, Monitoring))
Description: These authorization templates contain wide-ranging authorizations on authorization object S_RFC.

Authorization Templates:
S_RS_RDEMO (BW Role: Modeler (Development System))
S_RS_TREPU (BW: Reporting User)
Description: These authorization templates contain authorizations for all InfoProviders on authorization object S_RS_COMP.

More Information
Authorizations in the Documentation for SAP NetWeaver BW

Authorization Log for Analysis Authorizations

Checking Analysis Authorizations as Another User

Using ABAP Routines in Analysis Process Designer

Authorization Log for Analysis Authorizations
Use
A tool is available for analysis authorizations, which enables you to analyze authorization checks. It provides detailed information
on authorization-relevant data access instances. This check can be switched on or off permanently, or as and when required -
depending on the users involved. Access to this analysis tool should be protected using transaction RSECPROT and authorization
object S_RSEC. Only authorized users should have access to the tool.

More information: Error Log

Checking Analysis Authorizations as Another User
Use
On the analysis authorization management screen, you can call specific transactions as another user by choosing Execute as... on
the Analysis tab page. All checks for analysis authorizations (and only these authorizations) are run for the specified user. This
makes it possible for a user to gain access to more authorizations than s/he would normally have. This transaction should
therefore be specially protected using authorization object S_RSEC.

More information:

Management of Analysis Authorizations

Overview: Authorization Objects

Using ABAP Routines in the Analysis Process Designer
Use
In the Analysis Process Designer, you can transform data using an ABAP routine.

Note that when you create and edit the ABAP routine in an analysis process, S_DEVELOP is not checked. You need authorization
for the authorization object RSANPR and activity 36 (extended maintenance).

In productive systems in particular, this can result in a situation where unauthorized users can edit and execute ABAP routines.

Network and Communication Security


Communication Channel Security
Use
The following table provides you with an overview of the communication channels and the technology used for each channel:

Communication between...                       Communication technology   How is data protected?

Front end and application server               RFC                        See Security Guide RFC/ICF

Application server and application server      RFC                        See Security Guide RFC/ICF

SAP J2EE Engine and application server         RFC                        See Security Guide RFC/ICF

SAProuter and application server               RFC                        See Security Guide RFC/ICF

Connection to database                         RFC                        See Security Guide RFC/ICF

Web browser and application server             HTTP, HTTPS, SOAP

When using Web applications, we recommend that you switch on encryption for HTTPS.

Communication Destinations
Use
Connection destinations are required in the following BI areas:

BEx Web

RFC destination on the Application Server Java

RFC destination for portal

For more information, see Automatically Configuring BI Java.

Using TREX

RFC destination on BW system

For more information, see BW Customizing under TREX Connection.

Connecting data sources to the BW system

These destinations are not usually shipped with the software. Instead, they are created on the customer's system.

If you want to connect SAP systems and non-SAP data sources (as source systems) to BW, you usually need RFC
destinations.

To use UD Connect, you need an RFC destination to the Application Server Java. For more information, see BW
Customizing under UDI Settings by User Scenarios → UD Connect Settings.

The Myself BW destination is automatically created when the BW Data Warehousing Workbench is opened for the first
time.

The background user and the background user in the source system are responsible for communication between BW and
source systems (in the case of SAP source systems). The BW background user requires the S_BI-WHM_RFC authorization
profile. The background user requires the S_BI-WX_RFC authorization profile in the SAP source system. For more
information, see Authorization Profiles for Background Users.

Network Security
Use
For information about network security aspects when using BW, see Network and Communication Security in the SAP NetWeaver
Security Guide.

We recommend using firewalls to control the network traffic in your system landscape. A firewall comprises hardware and software
components that specify which connections are permitted between communication partners. The firewall only allows the
specified connections to be used. All others are blocked by the firewall. For more information, see Using Firewall Systems
for Access Control in the SAP NetWeaver Security Guide.

To secure RFC connections or connections with Internet protocols, we recommend using Secure Network Communications (SNC)
or Secure Sockets Layer (SSL).

Web Services and ICF Services in BW


Use
Various Web services and ICF services are delivered with SAP NetWeaver Business Warehouse.

ICF Services

ICF services are based on the Internet Communication Framework (ICF) of the SAP NetWeaver Application Server. ICF services
are HTTP services that are used to execute HTTP request handlers. The BW HTTP services allow you to display or exchange BW
data using a URL. Some of these services are implemented as Web services.

Structure of the URL

The URL of an HTTP service delivered in a BW namespace has the following structure:

<Protocol>://<Server>:<Port>/sap/bw/<Service>

URL Prefix

The values used for the placeholders in the specified URL schema depend on the installation. For <Protocol>, http and https can be
selected. For <Server>, enter your message server.

You can check which URL prefix your BW system has generated as follows:

1. Call Function Builder (transaction SE37).

2. Enter RSBB_URL_PREFIX_GET as the function module.

3. Choose Test/Execute. The Test Function Module screen appears.

4. As import parameter I_HANDLERCLASS, enter the name of the ICF handler (HTTP Request Handler) for the required
service.

Note
You can find out the name of the ICF handler in the Maintenance of Services (transaction SICF). Navigate to the
required service component in the HTTP service tree. Double-click to open the Change/Create a Service dialog box. The
HTTP request handler for the service is displayed on the Handler List tab page.

5. Choose Execute. Export parameter E_URL_PREFIX contains the generated URL prefix.

Service:

Enter the technical name of the required service here. The name comprises all the elements of the path in the HTTP service tree
(transaction SICF).

Prerequisites for Using the Service

The required HTTP service must be active.

 Note
To check this, navigate to the required service component in Service Maintenance (transaction SICF). If the service is active,
you cannot select the Activate Service entry in the context menu.

Delivered Service

The following service is implemented as a Web service:

Open Analysis Interfaces (see XML for Analysis)

Web Services that are not in the BW Namespace


For details of the procedure for building URLs for Web services that are not in the /sap/bw namespace, see the documentation for
these Web services.

Under /sap/bc/webdynpro, you can find the service for viewing the Web Dynpro-based metadata repository (see Analyzing
Metadata with the Metadata Repository).

Under /sap/bc/webdynpro/sap, you can find the WDA_EQ_manager service. You need this in order to use the Easy Query
Manager (see Configuring Easy Queries).

The Web services that you have created are also not located in the BW namespace (see Transferring Data via Web
Services).

Security for Data Storage


Use
Data Storage

In BW, data is stored on the application server database.

If end users evaluate data using Microsoft Excel, they can also store data locally. The end user has to make sure that no
unauthorized person can access the locally stored data.

If evaluations and analyses are called using BEx Web applications, the data is displayed in a Web Browser. The data is then stored
in a browser cache. We recommend always deleting the browser cache after evaluating data.

You can protect the data from being accessed by unauthorized end users by assigning analysis authorizations. In the default
setting, data is not protected. You can flag InfoObjects in BW as authorization-relevant however (see Tab Page: Business Explorer).
Data can then only be accessed if the user has the required authorizations.

Data in BW is mainly accessed for read purposes. In planning however, data is also modified. More information: Planning Engine.

Protecting Access to the File System Using Logical Paths and File Names

In transaction RSCRM_BAPI, query extracts can be created by writing the query results to files on the application server. To
maintain system integrity, it is important to specify where these files will be explicitly stored. This is done by specifying logical
paths and file names that are assigned to the physical paths. This assignment is validated at runtime to ensure that files are
generated in the correct name range.

The following lists show the logical file names and paths used in this context and the programs that these file names and paths
apply to:

Logical File Name Used in this Application

The following logical file name has been created in order to enable validation of physical file names:

RSCRM_FILE_EXTRACT_PATH

Programs that use this logical path name and the parameters used in this context:

RSCRM_BAPI_REMOTE

CL_RSCRMBW_TOOLS

Logical Path Names Used in this Application

The logical file name listed above uses the logical path name RSCRM_FILE_EXTRACT_PATH.

We recommend defining the physical path that is assigned to the temporary directory.

Activate Validation of Logical Paths and File Names

These logical paths and file names are specified in the system for the corresponding programs. To ensure downward compatibility,
validation at runtime is deactivated by default. To activate validation at runtime, specify the physical path with transactions FILE
(non-client specific) and SF01 (client-specific). To find out which paths are used by your system, you can activate the relevant
settings in the security audit log.
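
The effect of this setting can be seen in a simplified model. The following is an added example, not SAP's implementation: the assignments dictionary stands in for the physical path maintained for RSCRM_FILE_EXTRACT_PATH, and the function name, exception and file names are hypothetical. With no physical path maintained, nothing is validated; once one is assigned, a file name that resolves outside it is rejected.

```python
"""Added example: a simplified model of logical-path validation for extract files."""
import os
import tempfile

LOGICAL_PATH = "RSCRM_FILE_EXTRACT_PATH"


class PathValidationError(Exception):
    """Raised when a file would be written outside the assigned physical path."""


def resolve_extract_file(assignments, requested, logical_path=LOGICAL_PATH):
    """Return (absolute_path, validated) for a requested extract file name.

    assignments maps logical path names to physical directories; it is a
    stand-in for what an administrator maintains, not an SAP data structure.
    """
    base = assignments.get(logical_path)
    if not base:
        # Models the compatibility default described above: with no physical
        # path maintained, nothing is validated and any location is accepted.
        return os.path.abspath(requested), False

    base_real = os.path.realpath(base)
    # realpath collapses ".." and follows symlinks before the comparison.
    # An absolute `requested` replaces the base in join() and fails the check.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:  # no common path, e.g. different drives on Windows
        inside = False
    if not inside or candidate == base_real:
        raise PathValidationError(f"{requested!r} is outside {logical_path}")
    return candidate, True


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as extract_dir:
        assigned = {LOGICAL_PATH: extract_dir}
        # Constructed file names for the demonstration.
        for name in ("query_0001.csv", "../outside.csv"):
            try:
                print(name, "->", resolve_extract_file(assigned, name))
            except PathValidationError as err:
                print(name, "-> rejected:", err)
        # Same traversal attempt with no physical path maintained.
        print("unassigned ->", resolve_extract_file({}, "../outside.csv"))
```
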

More information:

Logical File Names

Protecting Access to the File System Using Logical Path and File

Security Audit Log

Data Protection

Using BEx Tools in SAP NetWeaver 2004

If using BEx tools in SAP NetWeaver 2004, note the following:

BEx Web applications can be implemented either as stateful or stateless applications. Use the BEx Web runtime for Web
application session cookies with a state to combine independent requests (the function calls in a Web application, navigation
steps for example) for a session. These cookies are called sap-contextid. The cookie contains a generated ID as a value. This ID
allows the relevant session to be identified on the server. The session cookie is a temporary cookie. It is deleted automatically
when the browser window is closed. The server also has a timeout parameter. The session cookie is invalid after the timeout and
can no longer be used for navigating in a Web application. Using Web template attribute NO-SESSION_COOKIE, you can use the
session coding in the URL for the Web application. In this case, no session cookies are generated. To ensure that the Web
application uses the session coding in the URL, set X for the NO-SESSION_COOKIE attribute.

LOPD Access Logging in Reporting and Planning Applications

The Spanish data protection law Ley Orgánica de Protección de Datos de Carácter Personal (LOPD) stipulates certain rules that
companies have to observe when processing, saving and handling personal data. These rules involve logging all access to highly
sensitive personal data. SAP NetWeaver BW provides a mechanism for LOPD logging of access to data in reporting and planning
applications. For more information, see SAP Note 933441.

Minimum Installation
Use
SAP BEx uses JavaScript in the Web Browser when executing Web Applications. For minimum configuration, you have the option
of deactivating JavaScript. However, we recommend that you do not deactivate JavaScript. Deactivating JavaScript means that it
is no longer possible to use all of the Web items and dialogs on the Web. Navigation options in Web applications would also be
considerably restricted.

Security-Related Logging and Tracing


Use
Logging Security-Related Changes and Authorization-Related Activities

The following tables are used to log changes to analysis authorizations and other authorization-related activities:

RSUDOLOG

This table contains log information about execution of a query (or other transaction) in the administration transaction for analysis
authorizations in Query Monitor (transaction RSRT) by one user for another.

For further information about executing transactions (especially RSRT) with another user, see Management of Analysis
Authorizations and Checking Analysis Authorizations as Another User.

The log data includes the following:

User name of the user who has executed a transaction under another user name

User name of the other user

The transaction that was executed

Password prompt flag

Flag to show correct password entered

Session ID

Time stamp

RSECVAL_CL

This table contains log information about changes to value authorizations. The log data includes the following:

The authorization that was changed

The characteristic that the authorization was changed for

Object version of the characteristic

Session ID

Time stamp for the change

RSECHIE_CL

This table contains log information about changes to hierarchy authorizations. The log data includes the following:

The authorization that was changed

The characteristic that the authorization was changed for

Object version of the characteristic

Hierarchy-specific data

Session ID

Time stamp for the change

RSECUSERAUTH_CL

This table contains log information about the assignment of analysis authorizations by users in the administration transaction for
analysis authorizations.

More information: Assigning Information to Users

The log data includes the following:

Authorization

User name of the user whom the authorization was assigned to

Time stamp

Session ID

Note
You can analyze changes to value and hierarchy authorizations and to user-user authorization assignments using
InfoProviders from the technical content. More information: Change Documents (Legal Auditing).

RSECTXT_CL

This table contains log information about changes to authorization texts. The log data includes the following:

The authorization that was changed

The authorization's short, medium and long text

Session ID

Time stamp for the change

RSECSESSION_CL

This table contains log information about user activities in the session, including the date and time of any changes made. You can
use this table to find out which user values, hierarchy authorizations or authorization texts have been changed.
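The change-log tables above share a session ID, which lets a reviewer tie each change back to a session and its user. The following is an added example, not SAP code: it works on constructed rows with hypothetical column names, and it assumes the session log records the acting user and that flags are stored as "X" or blank.

```python
# Constructed sample rows. Column names are hypothetical stand-ins for the
# fields the guide lists; map them to the real table definitions before use.
# Assumptions: the session log carries the acting user, and flags are "X"/"".
RSECSESSION_CL = [
    {"session_id": "S1", "user": "ADMIN_A"},
    {"session_id": "S2", "user": "USER_B"},
]
RSECVAL_CL = [
    {"session_id": "S1", "auth": "Z_SALES_EU", "characteristic": "0COUNTRY"},
    {"session_id": "S9", "auth": "Z_HR_ALL", "characteristic": "0EMPLOYEE"},
]
RSECUSERAUTH_CL = [
    {"session_id": "S1", "auth": "Z_SALES_EU", "assigned_to": "USER_C"},
    {"session_id": "S2", "auth": "Z_HR_ALL", "assigned_to": "USER_B"},
]
RSUDOLOG = [
    {"user": "ADMIN_A", "other_user": "USER_C", "tcode": "RSRT",
     "pw_prompt": "X", "pw_ok": "X"},
    {"user": "USER_B", "other_user": "ADMIN_A", "tcode": "RSRT",
     "pw_prompt": "X", "pw_ok": ""},
]

def attribute(rows, sessions):
    """Pair each log row with the user who owned its session (None if unknown)."""
    owner = {s["session_id"]: s["user"] for s in sessions}
    return [(owner.get(r["session_id"]), r) for r in rows]

def unattributed(rows, sessions):
    """Changes whose session ID has no session-log entry: a gap to investigate."""
    return [r for user, r in attribute(rows, sessions) if user is None]

def self_assignments(assignments, sessions):
    """Assignments where the acting user granted an authorization to themselves."""
    return [r for user, r in attribute(assignments, sessions)
            if user is not None and user == r["assigned_to"]]

def unverified_run_as(rows):
    """Run-as-another-user entries where the correct-password flag is not set."""
    return [r for r in rows if r["pw_ok"] != "X"]

if __name__ == "__main__":
    print("unattributed:", unattributed(RSECVAL_CL, RSECSESSION_CL))
    print("self-assigned:", self_assignments(RSECUSERAUTH_CL, RSECSESSION_CL))
    print("unverified run-as:", unverified_run_as(RSUDOLOG))
```
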

Logging LOPD-Relevant Access in Reporting and Planning Applications

SAP NetWeaver BW provides a mechanism for logging access in reporting and planning applications that is security-relevant in
accordance with the Spanish data protection law Ley Orgánica de Protección de Datos de Carácter Personal (LOPD).
For more information, see SAP Note 933441.

Further Security-Relevant Information


Use
Use of active code

SAP BEx uses JavaScript on the client computer in the Web browser, when executing Web applications.

More information: Minimum Installation

E-mail encryption when distributing BEx objects

Information broadcasting uses SAP NetWeaver interface SAPconnect to create and send e-mails with BEx objects. This interface
does not support encryption or certificates. E-mails created in the SAP system using Information Broadcasting are therefore not
encrypted and do not have certificates.

However, SAP supplies you with an additional product from another provider (the Secure Email Proxy), which allows you to
encrypt e-mails.

More information: SAPconnect. In particular, see the information under Secure E-Mail.

BW Security Manager for Documents


Use
The BW Security Manager for Documents protects and controls access to BW documents in Knowledge Management. It can be
used for the CM repository, that is, for documents stored on the portal, and for the BW Document Repository Manager, that is, for
documents stored on the BW server.

Features
The BW Security Manager for Documents ensures secure access to documents in the portal by creating a connection to the BW
system and checking the user access authorizations in the back end. This means that you do not need to maintain any additional
authorization in KM and can ensure that users in KM can only display documents for which they have authorization.

The authorization checks performed by the BW Security Manager for Documents can reduce system performance.

The standard ACL Security Manager is faster in terms of performance, but is not suitable since it requires that the authorizations
in the portal and in the BW system are maintained twice.

If you only want to use documents within BW applications, you do not need a security manager. In the dropdown box, choose "Not
Set".

In KM you are using an iView for the document search. There are 20 documents in your BW system; ten of these however contain
confidential information that should not be accessed by all users. If you choose the BW Security Manager for Documents for the
CM repository, authorization checks are performed for all 20 documents. If users do not have authorization for the ten
confidential documents, they are denied access to these documents and can only display the ten documents that do not contain
confidential information in KM.

Activities
To call the BW Security Manager for Documents configuration, choose System Administration → System
Configuration → Knowledge Management → Repository Managers → CM Repository.

1. Set the indicator for the CM repository for which authorizations are to be checked in the BW system when documents are
accessed.

2. Then choose Edit.

The properties of the CM repository are displayed in the lower area of the screen.

3. In the dropdown box for the security manager, choose BW Document Security Manager.
