
SAP BW/BI Authorizations

Agenda

Why Security & What is Security

OLTP & OLAP Structure

Overview of BW 3.x authorizations

Overview of BI 7.x authorizations

Different Types of Security Design & User types

Trouble Shooting

Security – Why & What

Why is Security Important?

To grant access to legitimate users, avoid misuse of information and protect
sensitive data.
To comply with audits such as SOX in the US.

What is Security?

The design, configuration, deployment and monitoring of the SAP application in
compliance with Information Security and Sarbanes-Oxley requirements.
Overview of SAP BI

SAP’s Business Intelligence is

 a reporting tool to perform query and analysis
 an extraction of transactional and master data from SAP or non-SAP systems
 a repository of aggregated, historical data across days/weeks/months/years
 a data warehousing tool

 Integrating all the data coming from various source systems and providing data
access based on the user’s role is one of the major concerns of all BI projects.

 It increases the usability of these analyses and enables a quick, cost-effective
implementation.
OLTP

 ERP is an OLTP (online transaction processing) system
 Driven by transaction codes and corresponding field values
 Many transaction codes in mySAP ERP
 Users are restricted to accessing only the transaction codes they require to
carry out their job

In general, ERP security is focused on:

• Transaction codes
• Specific field values
• Activities a user can perform
OLAP

There is no creation of purchase orders, sales orders or material master records in
BI, and no updating of business data. The primary activities in BI are
displaying data and analyzing results: end users only analyze data without
making any changes to it.

The security function in BI does not focus on transaction codes or activities; instead
it focuses on data only. The security function in BI focuses on:

• InfoAreas
• InfoProviders (InfoCubes, DataStore Objects)
• Queries
Difference between R/3 Security & BI Security:

R/3 Security: Tcode-based security; end users use Tcodes to perform their day-to-day
activities.
BI Security: Report-based security; end users execute reports to get the data.

R/3 Security: OLTP environment.
BI Security: OLAP environment.

R/3 Security: authorization objects, fields and values are used to restrict the Tcode.
BI Security: InfoObjects, InfoProviders, MultiProviders etc. are used to restrict the report.

R/3 Security: org elements are used to restrict the user at company code, plant etc.
BI Security: characteristic values are used to restrict the user while executing the report.

R/3 Security: end users create and modify master data.
BI Security: end users are able to analyze the data.

R/3 Security: end users can log in to the system only via SAP GUI.
BI Security: end users log in via BEx (RRMX), browser (RSRT) or the Portal.
Business Explorer

 The Business Explorer (BEx) is the tool for reporting in the Business Information
Warehouse. We work with the Business Explorer when we define queries,
analyze InfoCube data by navigating through queries, or save queries in
workbooks.

 A query is a combination of a selection of characteristics and key figures
(InfoObjects), and is used to analyze InfoCube data in BW. Queries are defined
in the Business Explorer Analyzer and stored on the BW server.

 A workbook is a Microsoft Excel file with several worksheets. In the BEx
Analyzer, you can insert one or more BW queries into a workbook.
SAP BW 3.x Security Concepts

 The BW 3.x authorization concept is called “Reporting Authorization”
 Designed to restrict BW 3.x reporting
 Controls for which data a user has display authorization in a query
 Achieved through the standard SAP authorization concept (OLTP)
 Many limitations, e.g. a limit on the number of fields; can be attached to a
role only
SAP BW Authorization Concept

The SAP BW system has two different types of authorization objects:

Standard authorization objects: This type of authorization object is provided by
SAP and covers all checks for e.g. system administration tasks, data modeling tasks,
and granting access to InfoProviders for reporting. For this type of authorization
the same concept and technique is used as in an SAP R/3 system.

Reporting authorization objects: For more granular authorization checks on an
InfoProvider’s data we need another type of authorization object, defined by the
customer. With these objects we can specify which part of the data within an
InfoProvider a user is allowed to see.

Authorization Object & Classes
Different Activity types

Activity Text
01 Create or Generate
02 Change
03 Display
04 Print, edit Messages
05 Lock
06 Delete
07 Activate
08 Display Change Documents
16 Execute
21 Transport
23 Maintain
60 Import
61 Export
S_RS_COMP

S_RS_COMP Business Explorer - Components

Using this authorization object, you can restrict working with certain
components of the Business Explorer Query Builder.

Component type: determines which components a given user is allowed to process.
• Calculated key figure (Type = CKF)
• Restricted key figure (Type = RKF)
• Template structure (Type = STR)
• Query (Type = REP)

Activity:
• Display (Activity = 03)
• Create (Activity = 01)
• Change (Activity = 02)
• Delete (Activity = 06)
• Execute (Activity = 16)

The current query concept sees to it that all users are allowed to display all query
definitions and query elements (activity 03 'Display').
S_RS_COMP1

S_RS_COMP1 - Business Explorer - Components: Enhancements to the Owner

Using this authorization object you can restrict working with queries to the query owner only.

Authorization RSZOWNER = “$USER” provides users with access to activities in all the
components for which they are the owner.
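As an added illustration of how S_RS_COMP and S_RS_COMP1 work together, the following Python model is example code written for this page, not SAP's implementation. It uses the standard field names of the two objects (RSZCOMPTP, RSZCOMPID, RSZOWNER, ACTVT); the check rule it applies (both objects must permit the activity, with "$USER" replaced by the user being checked, and display 03 open to everyone as the S_RS_COMP slide states) is this example's simplified model of the behaviour described above. Role contents, user names and component names are constructed.

```python
"""Example model of S_RS_COMP / S_RS_COMP1 checks (not SAP code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class QueryComponent:
    comp_id: str      # technical name of the component (RSZCOMPID)
    comp_type: str    # REP, CKF, RKF or STR (RSZCOMPTP)
    owner: str        # user who created the component


@dataclass(frozen=True)
class AuthSRsComp:
    """One S_RS_COMP authorization: component type, component name pattern, activities."""
    comp_type: str
    comp_id: str
    activities: frozenset


@dataclass(frozen=True)
class AuthSRsComp1:
    """One S_RS_COMP1 authorization: adds RSZOWNER ('*', a user name, or '$USER')."""
    comp_type: str
    comp_id: str
    owner: str
    activities: frozenset


def field_match(granted: str, actual: str) -> bool:
    """Standard authorization field semantics used in this model: '*' alone matches
    everything, a trailing '*' is a prefix pattern, anything else must match exactly."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return actual.startswith(granted[:-1])
    return granted == actual


def comp_allows(a: AuthSRsComp, comp: QueryComponent, activity: str) -> bool:
    return (field_match(a.comp_type, comp.comp_type)
            and field_match(a.comp_id, comp.comp_id)
            and activity in a.activities)


def comp1_allows(a: AuthSRsComp1, comp: QueryComponent, activity: str, user: str) -> bool:
    # '$USER' is resolved to the user being checked, so the authorization only
    # covers components that this user owns.
    owner_value = user if a.owner == "$USER" else a.owner
    return (field_match(a.comp_type, comp.comp_type)
            and field_match(a.comp_id, comp.comp_id)
            and field_match(owner_value, comp.owner)
            and activity in a.activities)


def may_process(user: str, comp: QueryComponent, activity: str,
                s_rs_comp: list, s_rs_comp1: list) -> bool:
    """Display (03) is open to everyone per the S_RS_COMP slide; every other
    activity needs a matching S_RS_COMP AND a matching S_RS_COMP1 authorization."""
    if activity == "03":
        return True
    has_comp = any(comp_allows(a, comp, activity) for a in s_rs_comp)
    has_comp1 = any(comp1_allows(a, comp, activity, user) for a in s_rs_comp1)
    return has_comp and has_comp1


# Constructed sample role: may create/change/delete/execute any query (REP),
# but S_RS_COMP1 with RSZOWNER = $USER limits that to the user's own queries.
ROLE_S_RS_COMP = [AuthSRsComp("REP", "*", frozenset({"01", "02", "06", "16"}))]
ROLE_S_RS_COMP1 = [AuthSRsComp1("*", "*", "$USER", frozenset({"01", "02", "06", "16"}))]

ALICE_QUERY = QueryComponent("ZSALES_Q1", "REP", "ALICE")    # constructed
ALICE_CKF = QueryComponent("ZCKF_MARGIN", "CKF", "ALICE")    # constructed

if __name__ == "__main__":
    cases = [("ALICE", ALICE_QUERY, "02"), ("BOB", ALICE_QUERY, "02"),
             ("BOB", ALICE_QUERY, "03"), ("ALICE", ALICE_CKF, "02")]
    for user, comp, act in cases:
        print(user, comp.comp_id, act,
              may_process(user, comp, act, ROLE_S_RS_COMP, ROLE_S_RS_COMP1))
```

The two user-level results show the restriction the slide describes: ALICE may change her own query, BOB may only display it, and the role grants nothing for calculated key figures because S_RS_COMP only names type REP.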
S_RS_FOLD

S_RS_FOLD - Business Explorer - Folder View On/Off

Using this authorization object you can control the general view of the InfoArea folder.

The object contains one field:

SUP_FOLDER: hides the folder view if the field is set to 'True' ('X'). If both 'True' and
'False' are selected ('All Values'), the value 'False' applies, meaning that the
'InfoAreas' folder is not hidden.
S_RS_HIER

S_RS_HIER Administrator Workbench - Hierarchy

Using this authorization object you can restrict working with hierarchies
in the Administrator Workbench.

S_RS_ICUBE Administrator Workbench - InfoCube

Using this authorization object you can restrict working with InfoCubes or their sub-objects.
To display data, transaction LISTCUBE can be used as well!

S_RS_ISRCM Administrator Workbench - InfoSource (Master Data)

With this authorization object you can restrict working with the
master data InfoSources or their sub-objects.

S_RS_ODSO Administrator Workbench - ODS Object

With this authorization object you can restrict working with ODS objects
or their sub-objects.

S_RFC Authorization Check for RFC Access
Fields:
RFC_TYPE - Type of RFC object to be protected
RFC_NAME - Name of RFC to be protected
ACTVT    - Activity
Few other important objects

S_USER_AGR Authorizations: Role Check
Fields:
ACT_GROUP - Role Name
ACTVT     - Activity

S_USER_TCD Authorizations: Transactions in Roles
Fields:
TCD - Transaction Code

S_BDS_DS BC-SRV-KPR-BDS: Authorizations for Document Set
Fields:
ACTVT     - Activity
CLASSNAME - Business Document Service: Class name
CLASSTYPE - Business Document Service: Class type
BW 3.x Security Design

Select the InfoObject you want to make authorization relevant.

In the “Business Explorer” tab, tick the field “Authorization Relevant”.

Important Tcode (RSSM)

BW 3.x Security Design (Create Auth. Obj.)

Create an Authorization Object for Reporting

Important Tcode (RSA1)

Important Tcode (RSD1)

Important Tcode (RSD1) – Auth relevancy

Important Tcode (RSD1) – Navigational Attribute

Important T-Code (RSRT)

Important Tcode RRMX

Analyzer Toolbar (screenshot labels): Characteristics/Drilldowns = used to slice and dice
once the data is pulled into the workbook. Key figures = quantitative or qualitative data.
Grayed-out characteristics already appear in the report results. Other labels: Last date
loaded, Last date refreshed, What you selected, Results.
Overview of BI 7.x
BI 7.0 Security Concepts

 New authorization concept called Analysis Authorizations
 Not based on standard SAP authorizations, in order to overcome the limitations of the
older reporting authorizations
 Authorization objects no longer work as a template; instead, values are assigned
while the authorization is created
 Unlike reporting authorizations, you need to select and restrict all authorization-
relevant characteristics of the InfoProvider while creating the authorization
BI 7.0 Security Concepts

In addition…
 Auditing is easy thanks to change documents
 All authorizations and user assignments are recorded in the following virtual
InfoProviders:
– 0TCA_VAL: Change documents for value authorizations
– 0TCA_HIE: Change documents for hierarchy authorizations
– 0TCA_UA : Change documents for user authorization assignments

 The following authorization objects become obsolete with the Analysis Authorization
concept (as InfoProviders are handled with the special characteristic 0TCAIPROV):
– S_RS_ICUBE
– S_RS_ODSO
– S_RS_ISET
– S_RS_MPRO
Analysis Authorization

 Users who want to display data from authorization-relevant characteristics or
navigation attributes in a query require analysis authorizations.

 To manage analysis authorizations we need authorization for authorization
object S_RSEC.

 Analysis authorizations can be created from t-code RSECADMIN in the Authorizations
tab (maintenance) or directly with t-code RSECAUTH.

 With a special authorization object for role connection, S_RS_AUTH, the new
analysis authorizations can be assigned using role maintenance.
BI 7.0 Security Concepts

Pre-requisites to manage Analysis Authorizations

 To work with analysis authorizations, authorization for S_RSEC is required
 Activate all Business Content related to authorizations before you get started:
– InfoObjects: 0TCA* (and 0TCT* if not done already)
– InfoCubes: 0TCA*
 The following InfoObjects should be flagged as authorization relevant before
starting:
– 0TCAACTVT
– 0TCAIPROV
– 0TCAVALID
– 0TCAKYFNM
BI 7.0 Security Concepts

Steps of Analysis Authorization Maintenance

 InfoObject Maintenance – RSD1
– Define authorization-relevant characteristics
– Define authorization-relevant attributes

 Management of Analysis Authorizations – RSECADMIN
– Choose InfoProvider(s) and authorization-relevant characteristics
– Authorize characteristic values
– Authorize attribute values
– Authorize hierarchies
– Add special authorization characteristics
– Add key figure authorizations
– Add variables in authorizations

 Create a role – PFCG

 Assign the analysis authorization to the role via object S_RS_AUTH – PFCG

Tcode RSECADMIN

Central maintenance for analysis authorizations: transaction RSECADMIN
Tcode RSECADMIN

Scenario: a group of users is authorized only to specific sales organizations
(e.g. Berlin and Birmingham).

Possible values:
EQ: single value
BT: range of values
CP: contains simple patterns ending with * (e.g. XY*)
Special Authorization value

Special Authorization values (for all characteristics)

* (Asterisk)
 Denotes a set of arbitrary characters
 Used alone to grant access to all values
 Used at the end of the value to specify a simple pattern (e.g. SAP*)

# (Hash)
 Stands for the initial or unassigned value

+ (Plus)
 Denotes exactly one character
 Used at the end of the value to specify a simple pattern (e.g. RED+)
 Used to specify date patterns (only for validity (0TCAVALID))
Special Authorization value Cont…

: (Colon)
 Allows access only to aggregated data

Example:

Authorization 1
  Sales organization = *
  Sales employee     = :
  Key figure         = Sales figures

Authorization 2
  Sales organization = 1000
  Sales employee     = *
  Key figure         = Sales figures
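To make the value semantics of the last three slides concrete (the EQ/BT/CP options, the special values *, + and #, and the aggregate-only colon), the following Python model is an added example written for this page, not SAP's implementation. Class and function names are this example's own, the characteristic names SALESORG and SALESEMP are constructed, the empty string is assumed to represent the initial value, and the rule that a single authorization must cover every characteristic of a query selection is a simplified model of the real check. The two sample authorizations reproduce the slide's example: with Authorization 1 a user sees every sales organization but only totals over sales employees, and with Authorization 2 the employee-level figures of organization 1000.

```python
"""Example model of analysis-authorization value matching (not SAP code)."""
from dataclasses import dataclass, field

AGGREGATED = None   # selection marker: characteristic is neither filtered nor drilled down
INITIAL = ""        # assumption: the initial / unassigned value is an empty string


@dataclass
class Interval:
    option: str      # "EQ" single value, "BT" range, "CP" simple pattern
    low: str
    high: str = ""   # only used for BT


@dataclass
class Authorization:
    name: str
    values: dict = field(default_factory=dict)   # characteristic -> list of Interval


def pattern_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters (possibly empty), '+' exactly one character."""
    if pattern == "":
        return value == ""
    head, rest = pattern[0], pattern[1:]
    if head == "*":
        return any(pattern_match(rest, value[i:]) for i in range(len(value) + 1))
    if value == "":
        return False
    if head == "+" or head == value[0]:
        return pattern_match(rest, value[1:])
    return False


def value_allowed(intervals: list, value: str) -> bool:
    """True if one individual characteristic value is covered by the intervals."""
    for iv in intervals:
        if iv.option == "EQ":
            if iv.low == ":":          # aggregate-only grants no individual values
                continue
            if iv.low == "*" or iv.low == value or (iv.low == "#" and value == INITIAL):
                return True
        elif iv.option == "BT":
            # string comparison, as for fixed-length internal values such as 1000..1999
            if iv.low <= value <= iv.high:
                return True
        elif iv.option == "CP":
            if pattern_match(iv.low, value):
                return True
    return False


def aggregate_allowed(intervals: list) -> bool:
    """Aggregated display over a characteristic needs ':' or full '*' access to it."""
    return any(iv.low in (":", "*") for iv in intervals)


def covers(auth: Authorization, selection: dict) -> bool:
    """One authorization covers a selection when every characteristic in it is covered."""
    for char, value in selection.items():
        intervals = auth.values.get(char)
        if intervals is None:
            return False
        if value is AGGREGATED:
            if not aggregate_allowed(intervals):
                return False
        elif not value_allowed(intervals, value):
            return False
    return True


def selection_authorized(auths: list, selection: dict) -> bool:
    return any(covers(a, selection) for a in auths)


# Constructed sample: the two authorizations of the slide (characteristic names invented)
AUTH_1 = Authorization("AUTH_1", {"SALESORG": [Interval("CP", "*")],
                                  "SALESEMP": [Interval("EQ", ":")]})
AUTH_2 = Authorization("AUTH_2", {"SALESORG": [Interval("EQ", "1000")],
                                  "SALESEMP": [Interval("CP", "*")]})
USER_AUTHS = [AUTH_1, AUTH_2]

if __name__ == "__main__":
    # totals per sales organization, no employee drilldown: AUTH_1 covers it
    print(selection_authorized(USER_AUTHS, {"SALESORG": "2000", "SALESEMP": AGGREGATED}))
    # employee-level data for organization 2000: neither authorization covers it
    print(selection_authorized(USER_AUTHS, {"SALESORG": "2000", "SALESEMP": "E100"}))
    # employee-level data for organization 1000: AUTH_2 covers it
    print(selection_authorized(USER_AUTHS, {"SALESORG": "1000", "SALESEMP": "E100"}))
```

A selection that names a characteristic absent from every authorization is rejected, which is why the slides insist that all authorization-relevant characteristics of an InfoProvider are covered when an analysis authorization is built.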
Special Authorization characteristics
Authorization on Special Characteristics

Some special characteristics can be included in an analysis authorization:

1) InfoProvider (0TCAIPROV)
2) Validity (0TCAVALID)
3) Activity (0TCAACTVT)

 They must not be included in queries
 These special characteristics must be assigned to the user in at least one authorization

It is not technically necessary to include these special characteristics in every
authorization, but it is considered best practice in order to retain clarity.

Insert special values
Full Access in Analysis Authorization

0BI_ALL
 Like SAP_ALL
 Gets regenerated each time an InfoObject is made authorization relevant
 Has * for all characteristics
Assigning AA to a User

Analysis authorizations (AA) can be assigned to users in two ways:

1) Adding it to a role under object S_RS_AUTH: the required AA is added to a security
role and that role is assigned to the user.

2) Adding the AA directly to the user using RSECADMIN: the required AA is assigned to
the user directly via RSECADMIN.
Some important Tables

It shows the relation between an analysis authorization and its InfoObjects
with field values.

Some important Tables

It shows information about the maintenance of AA, e.g. the user who changed the
AA and the timestamp.
Difference between BW 3.x & BI 7.x
Technical Foundation

SAP BW 3.x

 Based on standard authorization objects and authorizations
 Many limitations, since standard authorizations were never designed to handle OLAP
scenarios
 Maintenance via transactions RSSM and PFCG

SAP BI 7.x

 Based on analysis authorizations
 No authorization objects required
 Link to roles is still possible
 Maintenance via transaction RSECADMIN
Maintenance

SAP BW 3.x

 Once a reporting authorization object is saved and used it cannot be changed
anymore (for example, it is not possible to add new fields)
 Changes to authorizations require a new log-on to become effective

SAP BI 7.x

 Authorizations are changeable at all times (fields can be added and removed at any
time)
 Changes to authorizations can be done on the fly and become effective
immediately upon saving
Number of InfoObjects

SAP BW 3.x

 Standard authorizations are limited to 10 fields
 Therefore very detailed authorizations are not possible

SAP BW 7.x

 The number of InfoObjects is not limited
 Very detailed authorizations are possible
 Special InfoObjects can also be added to authorizations
Validity of Authorizations

SAP BW 3.x

 Validity has to be controlled via role assignment
 Authorizations 'expire' when the role is not valid anymore

SAP BW 7.x

 Validity is defined as dates or date ranges within the authorization
 Including and excluding dates is possible
 Even patterns can be used

Example: ++/01/2006 to ++/07/2006 grants access for the first 7 days of
every month
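The validity pattern above, and the rule that the special characteristics must cover a request, as an added Python example written for this page (not SAP code). It reads the slide's pattern as MM/DD/YYYY, with '+' standing for one arbitrary character; the interpretation used here (fill every '+' with the corresponding character of the date being checked, then compare the bounds as real dates) is this example's own, as is the simple 0TCAIPROV/0TCAACTVT check. The InfoProvider name is constructed.

```python
"""Example model of 0TCAVALID date patterns and special-characteristic checks (not SAP code)."""
from dataclasses import dataclass
from datetime import date, datetime

DATE_FMT = "%m/%d/%Y"   # the layout the slide uses: ++/01/2006


def fill_pattern(pattern: str, concrete: str) -> str:
    """Replace every '+' in a date pattern with the character at the same position
    of the concrete date text, leaving all other characters untouched."""
    if len(pattern) != len(concrete):
        raise ValueError("date pattern must have the same length as the date text")
    return "".join(c if p == "+" else p for p, c in zip(pattern, concrete))


def date_in_validity(low: str, high: str, day: date) -> bool:
    """True if 'day' lies inside the validity interval given by two date patterns."""
    text = day.strftime(DATE_FMT)
    lo = datetime.strptime(fill_pattern(low, text), DATE_FMT).date()
    hi = datetime.strptime(fill_pattern(high, text), DATE_FMT).date()
    return lo <= day <= hi


@dataclass(frozen=True)
class SpecialChars:
    """The special characteristics of one analysis authorization."""
    infoproviders: frozenset   # 0TCAIPROV values, '*' = all
    activities: frozenset      # 0TCAACTVT values, e.g. '03' display
    validity: tuple            # 0TCAVALID (from, to) pattern pairs


def special_chars_allow(sc: SpecialChars, infoprovider: str, activity: str, day: date) -> bool:
    """All three special characteristics must cover the request on the given day."""
    iprov_ok = "*" in sc.infoproviders or infoprovider in sc.infoproviders
    actvt_ok = "*" in sc.activities or activity in sc.activities
    valid_ok = any(date_in_validity(lo, hi, day) for lo, hi in sc.validity)
    return iprov_ok and actvt_ok and valid_ok


# Constructed sample: display access to one InfoProvider, valid on the first
# seven days of every month of 2006 (the slide's ++/01/2006 .. ++/07/2006)
FIRST_WEEK_2006 = SpecialChars(
    infoproviders=frozenset({"ZSALES_C01"}),   # constructed InfoProvider name
    activities=frozenset({"03"}),
    validity=(("++/01/2006", "++/07/2006"),),
)

if __name__ == "__main__":
    for d in (date(2006, 5, 2), date(2006, 5, 20), date(2007, 5, 2)):
        print(d, special_chars_allow(FIRST_WEEK_2006, "ZSALES_C01", "03", d))
```

Because the year is written out in the pattern, a day in 2007 falls outside the interval even though its month and day digits match, which is the behaviour a validity period should have.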
Authorizations for InfoProviders and Hierarchies

SAP BW 3.x

 Authorization objects S_RS_ICUBE, S_RS_MPRO, S_RS_ISET and S_RS_ODSO are
checked during query processing
 S_RS_HIER is checked for any hierarchy that is part of the query

SAP BI 7.x

 Authorization objects S_RS_ICUBE, S_RS_MPRO, S_RS_ISET and S_RS_ODSO are no
longer checked during query processing
 S_RS_HIER is no longer required
 Those authorization objects are still used for BI administrator and BI developer
roles
Different Types of Users

There are three different types of users in BI/BW systems:

 End Users: the largest group of users in any BI system

 Power Users: assist the end users whenever required and also act as
coordinators between end users and administrators

 Administrators: a very important part of the system, as they create all the
queries and InfoProviders for users to work on
Matrix

Function              | End User | Power User           | Administrator
Execute query         | Yes      | Yes                  | Yes
Change query          | No       | Only certain queries | Yes
Create queries        | No       | Only certain queries | Yes
Save workbook         | No       | Yes                  | Yes
Data administration   | No       | No                   | Yes
User administration   | No       | No                   | Yes
Create InfoProviders  | No       | No                   | Yes
Analyzing Analysis Authorization issues:

To analyze missing authorizations in analysis authorizations, you may use the
“Error Logs” option in RSECADMIN. You can go to RSECADMIN, Analysis tab, and click
the Error Logs button, or go to transaction code RSECPROT. Below are the steps:

1. Go to transaction code RSECADMIN
2. Click the Analysis tab.
3. Click the Error Logs button.

Adding a user to Error Log Recording:

1. In the Authorization Log screen, click the button.
2. Click the button.
3. Add the user ID
4. Click Save.

Deleting a user from Error Log Recording:

Follow the steps in “Adding a user to Error Log Recording” and, once you are in the
Configure Log Recording screen, select the user and click the button. Click Save to
save the changes.

Analyzing the Error Logs:

To analyze the error logs, perform the following:

1. Go to transaction code RSECADMIN
2. Click the Analysis tab.
3. Click the Error Logs button.
4. Enter the date range
5. Enter the user name in the Executing user field
6. Click the Display icon
7. Select the last log displayed

When there is an authorization error, you will see a “Not Authorized” error message.
The log will help you to analyze the missing authorization: if the result for a
characteristic says “Authorized”, the user has the authorization.

NOTE:
This process can be used only to trace missing analysis authorizations; it will not
trace missing S_RS_COMP authorizations. To trace missing authorizations at the
authorization object level, you can still use the ST01 trace.

Questions
