
BI 7 Security Concepts

Topics Covered:

Difference between BW 3.x and BI 7
Securing reporting users' access
Authorization Trace
Creation of Analysis Authorization
Assignment of Analysis Authorization
Securing Access to Workbooks
Additional BI 7 Security Features
New Authorization Objects

Difference between BW 3.x and BI 7 Security

BW 3.x: There was no SAP-delivered authorization object to link hierarchies to roles. A customized authorization object had to be created, which falls under SAP class RSR.

BI 7: The SAP-delivered authorization object S_RS_AUTH (class RS) can be added to roles and further linked to analysis authorizations.

Contd.

BW 3.x: Old transaction RSSM; concept of authorization: 'Reporting Authorization'.

BI 7: New transaction RSECADMIN; concept of authorization: 'Analysis Authorization'.

Contd.

BW 3.x: Authorization via PFCG (role-based approach).

BI 7: Authorization via PFCG (role-based approach) and RSECAUTH (analysis authorization based approach).

Contd.

BW 3.x: Full authorization: SAP_ALL, SAP_NEW.

BI 7: 0BI_ALL allows full authorization for all authorization-relevant Info Objects; it is used in the authorization object S_RS_AUTH. Full authorization: SAP_ALL, SAP_NEW.

Authorization Objects in BI 7

Authorization objects are grouped according to authorization object classes. The major authorization object class in BI is RS.
S_RS_COMP: Decides which Info Areas and Info Providers a user can view data from
S_RS_COMP1: Decides whose queries (by query owner) a user can execute
S_RS_FOLD: Hides or displays the Info Area push button for end users
S_RS_AUTH: Gives access to analysis authorizations
S_RS_ADMWB: Used by the BW administrator for modeling and control
Some other authorization objects, needed to save workbooks/queries to roles:
S_USER_AGR: Determines in which roles a user can add workbooks and queries
S_USER_TCD: Should have the value RRMX and is used in conjunction with S_USER_AGR

Restricting access in BI

In BI 7, reporting users' access needs to be restricted at levels such as:

InfoCube Level: Restrict at the InfoCube level.
Characteristic Level/Info Object: Restrict access to all values of a particular characteristic.
Characteristic Value Level: Restrict access to certain values of a particular characteristic.
Key Figure Level: Restrict access to certain key figures.
Hierarchy Node: Restrict access to certain nodes of a hierarchy.

Securing Data Access for Reporting Users

Below are the minimum authorization requirements for a reporting user:

Analysis authorizations for an Info Provider
S_RS_COMP (Activities 03, 16)
S_RS_COMP1 (Query owner)
S_RFC (BEx Analyzer or BEx Browser only)
S_TCODE (RRMX for BEx Analyzer)

A reporting user must have authorizations for the S_RS_COMP and S_RS_COMP1 authorization objects as well as analysis authorizations for the Info Provider on which the query is based.
In addition, if the reporting user will be using the BEx Analyzer reporting tool, they will need authorizations for the objects S_RFC and S_TCODE, the latter with authorization for transaction code RRMX.

Options for Securing Data Access

Securing by Info Cube: Used if authorizations need to be checked only at Info Provider level. You can then create roles that allow you to run queries from the specified Info Provider(s).
Securing by Query: Another option is to use the Info Provider in conjunction with the query name. To do this, you will need a strict naming convention for query names so that security does not have to be updated each time a new query is created.
Securing by Info Object: Allowing two users to execute the same query but get different results based on their assigned data access for division, cost center, or some other Info Object is known as Info Object level security or field level security.

Securing by Info Object:

The most granular level of restricting users' access is the Info Object/field level. The following procedure shows the steps to follow when setting up security for an Info Object:
1. Define the Info Object as authorization relevant.
2. Create (or adjust) analysis authorizations for the Info Object.
3. Assign authorizations to users.
4. Add a variable to the queries.

Authorization Relevance

The Authorization Relevant setting for an Info Object is made in the Info Object definition on the Business Explorer tab. The business needs will drive which Info Objects should be relevant for security.

Execute Tcode RSD1
Enter the Info Object name
Go to the Business Explorer tab
Select the check box Authorization Relevant
Activate the Info Object

Create analysis authorizations:

Analysis Authorizations are the fundamental building blocks of the new reporting concept; they contain both the data value and hierarchy restrictions.

Execute Tcode RSECADMIN
Go to Maintenance in the Authorizations tab
Enter the analysis authorization name and click Create

Assign authorizations to users:

Once you have created analysis authorizations, users will need access to the right authorizations according to business needs. You can assign authorizations in roles using S_RS_AUTH, or directly in transaction RSECADMIN or RSU01.

Add a variable to the queries

If we want a query to only provide results based on the division, for example, then the
query itself needs the ability to filter specific division values. Before we can secure on
division, the query must be able to restrict data by division. The only way the query can
restrict data dynamically is through a variable. The variable can be added anytime
independent of the other steps listed here.

Exercises:

Create a simple query from an existing Info Cube, execute it, and save it as a new
workbook

Defining Info Object-Level Security for Reporting Users

Limit query access within the BEx Analyzer using S_RS_COMP1 and S_RS_FOLD

Authorization Trace

Trace tools: ST01 and RSECADMIN

Transaction code ST01 executes a trace tool that exists on all ABAP-based systems. Among other purposes, this tool serves as a trace for all SAP-provided authorization objects. You simply turn on the trace (for a specific user), and when the trace is completed you can see which authorization objects were checked and the results of the check.
In transaction RSECADMIN (Analysis tab) you can execute a trace that is specific to BI analysis authorizations. Analysis authorizations will not appear in the ST01 trace.

Authorization Trace

In BI 7 we can Trace :
1) Authorization Monitoring
2) Change log of Analysis authorization

Authorization Monitoring

Checking Authorizations:
Log on with your own user ID
Check query execution with the authorizations of a specific user

Contd.

Evaluate Log Protocol:
Turn on logging of user activities related to analysis authorizations
View detailed information about authorization checks

Change log of Analysis authorization

Activate the following Virtual Providers from the Business Content (VAL = Values, HIE = Hierarchies, UA = User Assignment).

The system records all changes to authorizations and user assignments.
Queries can be built on these Info Providers to trace, for example:
- How many users have access to a given InfoCube?
- Which users have access to company code X?
- When was authorization XYZ created, and by whom?

Exercise (s):

Trace BI authorizations
ST01 Trace

Creation of Analysis Authorization

There are two ways to create analysis authorizations in BI 7:

1. Manual creation of analysis authorizations through Tcode RSECAUTH
2. Automatic generation of analysis authorizations (for mass creation and assignment)

Creation through RSECADMIN

1) Execute Tcode RSECADMIN
2) Go to Maintenance in the Authorizations tab
3) Enter the analysis authorization name and click Create

Automatic generation of analysis authorization

With the generation of analysis authorizations, we can load authorized values from other systems into Data Store objects and generate authorizations from them. This approach is generally used for mass creation of analysis authorizations and assignment of these authorizations to users.
Steps to be performed:
Data Warehousing Workbench (RSA1):
1. Activate Business Content
2. Load the Data Store objects
Management of Analysis Authorizations (RSECADMIN):
3. Generate Authorizations
4. View Generation Log

Activate Business Content

SAP delivers Business Content for storing authorizations and user assignments of authorizations; this content should be activated.

Load of Data Store Objects

Fill the Data Store objects with the user data and authorizations.
Extract the data, for example, from an SAP R/3 source system or from a flat file.

Note: Some consistency checks should be added to avoid errors during the generation later.

Generate Authorizations

Start the generation by specifying the relevant Data Store objects

View Generation Log

Detailed log can be viewed once the generation is completed

Assignment of Analysis Authorization

There are two ways to assign analysis authorizations:
1. Direct assignment of analysis authorization through RSECADMIN
2. Indirect assignment through roles (PFCG)

Direct assignment

Direct assignment of analysis authorization through RSECADMIN

Analysis authorization based approach:

Pros:
This approach removes the need to create roles for the corresponding analysis authorizations.

Cons:
No change documents are provided by SAP for the assignment and removal of analysis authorizations from users.
No SUIM (System User Information Management) reports are provided by SAP for analysis authorizations.
No way to assign analysis authorizations to users in mass at a stretch.

Contd.

If a user ID that has analysis authorizations assigned is deleted using SU01, these authorizations are not deleted from the user's profile. If the same ID is recreated, it is automatically populated with the earlier analysis authorizations.
So if this approach is followed, it is always recommended that the analysis authorizations are first deleted manually from the user ID using RSU01 and then the ID is deleted using SU01.

Indirect Assignment

As an alternative to direct assignment, we can also assign authorizations to roles, which can then be assigned to users.
Use authorization object S_RS_AUTH for the assignment of authorizations to roles.
Maintain the authorizations as values for field BIAUTH.

Pros and Cons

Pros:
All the change documents are already available
All the existing SUIM reports are already available
Possible to perform mass role assignment

Cons:
Roles need to be created corresponding to the analysis authorizations, which means more maintenance in the system

Queries and Workbooks:

A query is the technical definition of what the results should look like. Workbooks are actual results that have been formatted and can be refreshed each time the workbook is executed.
The query is a definition of what data the query should fetch and how the data should be
initially displayed. A query definition includes rows, columns, filters, and free characteristics.
The workbook is a result set of the query. In this workbook, the data is displayed by sales
organization. Every time the user executes the workbook, the data will be refreshed, but the
format can remain the same, depending on the settings for the query in the workbook.
Multiple query results saved in workbooks from the same query definition enable users to
customize how they want to review the results and analyze the data.

Saving workbooks to Queries:

If a user wants to save a workbook to a location where it can be easily accessed by others, they need to save it to a role. Saving to a role means saving to a security role. You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.
In order to save workbooks to roles, a user needs:

S_USER_AGR: Authorizations: Role check
S_USER_TCD: Transactions in roles

The authorization object S_USER_AGR has two fields: Activity and Role Name. For the Activity field, the user must have at least the values 01, 02 and 22. If the user is to be able to delete workbooks, they will also need value 06. For the Role Name, enter the specific roles you have created for saving workbooks.
Authorization object S_USER_TCD has one field, Transaction Code. The user needs the value RRMX in this field.

Exercise (s):

Securing Access to Workbooks

BI 7 Security Features

The concept of BW security remains the same in BI 7, while the changes are more with respect to new authorization features, more authorization objects, newer Tcodes and more flexibility.
1. Analysis Authorization
2. Special Characteristics
3. Special Authorization: 0BI_ALL
4. Colon Authorization
5. Pound Authorization
6. Key Figure Authorization

Analysis Authorization:

Analysis Authorizations are the fundamental building blocks of the new reporting concept; they contain both the data value and hierarchy restrictions.
This is also called data level access. With the new NW2004s analysis authorization principles it is now possible to create an analysis authorization object directly on an Info Object.
The authorization can be single values, a value range, or created with a reference to a hierarchy, provided the Info Object has a hierarchy and is authorization relevant.

Special Characteristics:

These special characteristics must be assigned to a user in at least one authorization:
0TCAACTVT: Restricts access to activities, i.e. display, create, change etc.
0TCAIPROV: Restricts access to the Info Provider, i.e. Info Cube, ODS, MultiProvider etc.
0TCAVALID: Provides the validity of the analysis authorization
All these characteristics should be marked as authorization relevant.

0BI_ALL

An authorization for all values of authorization-relevant characteristics is created automatically in the system. It has the name 0BI_ALL. It can be viewed, but not changed. Every user that receives this authorization can access all the data at any time. Each time an Info Object is activated and the property authorization relevant is changed for the characteristic or a navigation attribute, 0BI_ALL is automatically adjusted.
A user that has a profile with the authorization object S_RS_AUTH containing 0BI_ALL (or the value *) has complete access to all data.

Colon (:) as Authorization

Two purposes for the colon authorization value:
If the Info Provider has sensitive data, it could be that you do not want the user to see any summarized data. For example, let us assume you have an Info Provider that has sensitive forecasting data. In this business scenario you have chosen to secure by Info Objects (for example, Company Code). If you do not want a user with access to Company Code 1000 to see ANY data from other company codes, then you might not give this user the colon (:) value in the authorization. This would mean that ANY queries on your Info Provider that do not use the Company Code Info Object will fail for this user.
The second purpose of the colon authorization is to give the user access to the aggregated data. For example, the user can see the total of sales done by all sales organizations but detailed data only for his own sales organization.

Pound (#) as Authorization

Using a pound sign (#) as an authorization value:
When data is loaded into SAP BW, some fields may be marked as no value assigned (posted with INITIAL). If you have secured an Info Object that has data that is unassigned in the Info Cube, you may choose to give the user a pound sign (#) in order to avoid an authorization error at runtime.
The # character is interpreted as authorization for the display of the value Not assigned (posted with INITIAL).
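As an added illustration (not code from this deck or from SAP), a simplified Python model of how the special values described above behave when a query's selection is checked against a user's analysis authorizations: single values and patterns, the colon for aggregated data, the pound sign for the INITIAL value, and 0BI_ALL. The characteristic names and the sample user are constructed; validity (0TCAVALID), hierarchies and SAP's exact combination of several authorizations are omitted.

```python
from fnmatch import fnmatchcase

# Added, simplified model of the analysis authorization check (not SAP's code):
# values may be single values, '*', CP-style patterns, ':' (aggregated data)
# and '#' (the INITIAL / not-assigned value); '0BI_ALL' grants everything.
# Validity (0TCAVALID), hierarchies, intervals and the way SAP combines several
# authorizations into one union are left out; granted values are simply
# collected per characteristic across the user's authorizations.
BI_ALL = "0BI_ALL"
INITIAL = ""          # constructed representation of a 'not assigned' value
AGGREGATED = None     # the query does not use the characteristic at all


def value_covered(granted, value):
    """True if one selected value is covered by the granted values of a characteristic.
    CP patterns use SAP's operators: '*' any string, '+' exactly one character."""
    if value == INITIAL:
        return "#" in granted or "*" in granted
    for g in granted:
        if g in ("*", value):
            return True
        if g not in (":", "#") and ("*" in g or "+" in g):
            if fnmatchcase(value, g.replace("+", "?")):
                return True
    return False


def check_query(user_auths, query_selection):
    """user_auths: list of analysis authorizations, each {char: set_of_values},
    or the string '0BI_ALL'. query_selection: {char: set_of_values | AGGREGATED}
    for every authorization-relevant characteristic of the Info Provider.
    Returns (True, []) if the query may run, else (False, [failed characteristics])."""
    if BI_ALL in user_auths:
        return True, []
    failed = []
    for char, selection in query_selection.items():
        granted = set()
        for auth in user_auths:
            granted |= auth.get(char, set())
        if selection is AGGREGATED:
            ok = ":" in granted or "*" in granted   # colon needed for totals
        else:
            ok = all(value_covered(granted, v) for v in selection)
        if not ok:
            failed.append(char)
    return not failed, failed


# Constructed sample user: company code 1000 only, ':' so that totals across
# company codes work, '#' so rows without a company code do not raise an error.
SAMPLE_USER = [{"0COMP_CODE": {"1000", ":", "#"}, "0SALESORG": {"S1*", ":"}}]

if __name__ == "__main__":
    print(check_query(SAMPLE_USER, {"0COMP_CODE": {"1000"}, "0SALESORG": {"S100"}}))
    print(check_query(SAMPLE_USER, {"0COMP_CODE": {"2000"}, "0SALESORG": AGGREGATED}))
    print(check_query(SAMPLE_USER, {"0COMP_CODE": AGGREGATED, "0SALESORG": AGGREGATED}))
```

Removing ":" from the sample user's 0COMP_CODE set makes the third (totals-only) query fail, which is the "no summarized data" behaviour the colon section describes.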

Key Figure Authorization

This restriction is used to grant authorization for particular key figures to users.

Technical name: 0TCAKYFNM

Possible values:
- Single value (EQ): exactly one key figure
- Range (BT): selection of key figures
- Pattern (CP): selection of key figures based on a pattern

Note: If a particular key figure is defined as authorization-relevant, it will be checked for every Info Provider.

New Authorization Objects

BI 7 new Authorization Objects

Below are the new authorization objects in BI 7 for the Data Warehousing Workbench, Business Explorer and analysis authorizations.
Authorization objects for the Data Warehousing Workbench:
S_RS_DS: For the DataSource or its sub objects (NW2004s)
S_RS_ISNEW: For new InfoSources or their sub objects (NW 2004s)
S_RS_DTP: For the data transfer process and its sub objects
S_RS_TR: For transformation rules and their sub objects
S_RS_CTT: For currency translation types
S_RS_UOM: For quantity conversion types
S_RS_THJT: For key date derivation types
S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
S_RS_RST: Authorization object for the RS trace tool
S_RS_PC: For process chains
S_RS_OHDEST: Open Hub Destination

Authorization objects for the Business Explorer:
S_RS_DAS: For Data Access Services
S_RS_BTMP: For BEx Web templates
S_RS_BEXTX: Authorizations for the maintenance of BEx texts

Authorization objects for the administration of analysis authorizations:
S_RSEC: Authorization for assignment and administration of analysis authorizations
S_RS_AUTH: Authorization object to include analysis authorizations in roles

Changed Authorization Objects:
S_RS_ADMWB (Data Warehousing Workbench: Objects): New values for field RSADMWBOBJ have been added, such as BIA_ZA, CNG_RUN and CONT_ACT, for activities like BI Accelerator Monitor Checks and Attribute Change Run.
