wahed-mohammed
8/7/2019 SECURITY IN BW
http://slidepdf.com/reader/full/security-in-bw 1/33
SECURITY IN BW
AUTHORIZATIONS

What are authorizations
An authorization defines what a user can do, and to which SAP objects.
For example, a user may be able to display and execute, but not change, a query. Authorizations are defined using authorization objects.

Security in OLTP (R/3)
In general, R/3 security is focused on:
Transaction codes.
Specific field values.
Which activities a user can perform.

Security needs in BW (OLAP)
The business goals and purpose of a BW system are entirely different from those of R/3.
There is no updating of business data in BW.
The primary activities in BW are displaying data and analyzing results.
So the security is set accordingly.

Security Focus in SAP-BW
Security is primarily focused on the data itself.
Mainly it is focused on:
Info areas
Info providers
Queries

Authorization Objects
An authorization object is used to define user authorizations. It has fields with values that specify authorized activities, such as display and execution, on authorized business objects, such as queries.
The maximum number of characters allowed for the technical name is 10.

Authorization objects in BW
Group of activities and objects which a user can have access to.
Business Information Warehouse - Reporting: You need to create authorization for field level security as required.
Business Information Warehouse: Authorization objects are delivered to protect all major authorizations.

Following objects are there

Authorizations primarily for reporting purposes
S_RS_ICUBE - Info cube access
S_RS_COMP - one field relates to query and one relates to info cube
S_RS_COMP1 - Secure query using user name.
S_RS_FOLD - display authorization for favorite folder.
S_RFC - to enable the logon access to Business Explorer

Authorization objects used primarily by administrators
S_RS_ADMWB - individual objects of the Administrator Workbench
S_RS_IOBJ - Authorization for info objects
S_RS_ISOUR - Authorization for source system (transaction data info sources)
S_RS_ISRCM - Authorization for source system (master data info sources)

Securing Reporting Users
Securing reporting users comes into the picture from the moment the user enters the BEx explorer.
Security is primarily tied to:
INFO AREA
INFOPROVIDER
QUERY
This check can be performed using S_RS_COMP, S_RS_COMP1, S_RS_ICUBE, S_RFC.

S_RS_COMP
Activity: Display (03), Execute (16)
Info Area: Specific Info Area name
Info Cube: Specific Info Cube or ODS name
Name of reporting component: Specific query technical name or '*'.
Type of reporting component: REP

S_RS_COMP1
Every field is present in conjunction with OWNER

Roles
In Profile Generator, an authorization profile corresponds to a role. A user assigned to the role automatically has the corresponding authorization profile. A user can be assigned to multiple roles. The maximum number of characters allowed for the technical name is 30.

Setting up a role
There is a hierarchy to be followed:
ROLES
AUTHORIZATION PROFILE
AUTHORIZATION OBJECTS
Creating Roles
Tcode: PFCG
Authorization Objects - S_RS_COMP, S_RS_ICUBE, S_RFC

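An added example (not part of the original slides) modelling how the S_RS_COMP fields and the role hierarchy described above combine into an access decision: every field of one authorization must match, a user holds the union of their roles, and a trailing '*' acts as a wildcard. Role, user, info area, info cube and query names, and the dictionary keys, are constructed for illustration.

```python
# Field labels follow the S_RS_COMP slide; the keys are assumed names for
# this sketch, not SAP technical field names.
FIELDS = ("activity", "info_area", "info_cube", "comp_type", "comp_name")

# Constructed sample roles, each carrying a list of S_RS_COMP authorizations.
ROLES = {
    "Z_SALES_REPORTING": [
        {"activity": ["03", "16"], "info_area": ["ZSALES"],
         "info_cube": ["ZSD_C01"], "comp_type": ["REP"], "comp_name": ["ZSD_Q*"]},
    ],
    "Z_POWER_USER": [
        {"activity": ["03", "16"], "info_area": ["*"],
         "info_cube": ["*"], "comp_type": ["REP"], "comp_name": ["*"]},
    ],
}
# Constructed user-to-role assignment; a user can hold several roles.
USER_ROLES = {"ALICE": ["Z_SALES_REPORTING"],
              "BOB": ["Z_SALES_REPORTING", "Z_POWER_USER"]}

def matches(pattern, value):
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def is_authorized(user, request):
    """True if one authorization in any of the user's roles matches every field."""
    for role in USER_ROLES.get(user, []):
        for auth in ROLES[role]:
            if all(any(matches(p, request[f]) for p in auth[f]) for f in FIELDS):
                return True
    return False

def broad_grants(roles):
    """Roles whose S_RS_COMP authorization leaves info cube and query name at '*'."""
    return sorted(role for role, auths in roles.items() for a in auths
                  if "*" in a["info_cube"] and "*" in a["comp_name"])

if __name__ == "__main__":
    hr_query = {"activity": "16", "info_area": "ZHR", "info_cube": "ZHR_C01",
                "comp_type": "REP", "comp_name": "ZHR_Q001"}
    print("ALICE on HR query:", is_authorized("ALICE", hr_query))
    print("BOB on HR query:", is_authorized("BOB", hr_query))
    print("Roles to review:", broad_grants(ROLES))
```
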
Info object level security
Make the info object authorization relevant.

Create your own authorization object.
Tcode: RSSM

Making info cube authorization relevant

Now check the query: it will only give the results for which the user is authorized.
You can also make the query variable itself check the authorization:
In the variable screen, give the variable type as authorization variable, and uncheck the "ready to input" checkbox.

Authorizing Hierarchies
Make the info object used as hierarchy node authorization relevant.

Create an authorization object for hierarchy and go to radio button authorization definition fr hier.

Fill in the entries:

Also check that the field 0tctauthh is made authorization relevant and included in your authorization object.
Enter the authorization object in your role.
Generate the profile.
And execute the query.
You should see only the node which you made authorization relevant.

Go to the Menu tab in the roles and insert two folders.
Now save your workbooks in these roles, so that only authorized users can access the workbooks.