SECURITY IN BW

8/7/2019 SECURITY IN BW

http://slidepdf.com/reader/full/security-in-bw 1/33

SECURITY IN BWSECURITY IN BW

AUTHORIZATIONSAUTHORIZATIONS



What is authorizationsWhat is authorizations

An authorization defines what a userAn authorization defines what a usercan do, and to which SAP objects.can do, and to which SAP objects.

For example, a user may be able toFor example, a user may be able todisplay and execute, but not change,display and execute, but not change,a query. Authorizations are defineda query. Authorizations are definedusing authorization objectsusing authorization objects



Security in OLTP(R/3)Security in OLTP(R/3)

In general r/3 security is focused onIn general r/3 security is focused on

Transaction codes.Transaction codes.

Specific field values.Specific field values.Which activities a user can perform.Which activities a user can perform.



Security needs in BW(OLAP)Security needs in BW(OLAP)

The business goals and purpose of BWThe business goals and purpose of BWsystem is exactly different than R/3.system is exactly different than R/3.

There is no updating of buisness dataThere is no updating of buisness datain BW.in BW.

The primary activities in BW areThe primary activities in BW aredisplaying data and analyzingdisplaying data and analyzingresults.results.

So the security is set accordingly.So the security is set accordingly.



Security Focus in SAPSecurity Focus in SAP--BWBW

Security is primary focused on dataSecurity is primary focused on dataitself.itself.

Mainly its focused on:Mainly its focused on:Info areasInfo areas

Info providersInfo providers

QueriesQueries



Authorization Objects Authorization Objects

An authorization object is used toAn authorization object is used todefine user authorizations. It hasdefine user authorizations. It has

fields with values that specifyfields with values that specifyauthorized activities, such as displayauthorized activities, such as displayand execution, on authorizedand execution, on authorizedbusiness objects, such as queries.business objects, such as queries.

The maximum number of charactersThe maximum number of charactersallowed for the technical name is 10.allowed for the technical name is 10.



Authorization objects in BW Authorization objects in BW

Group of activities and objects which aGroup of activities and objects which auser can have access to.user can have access to.

Buisness information warehouseBuisness information warehouse--ReportingReportingYou need to create authorization for field levelYou need to create authorization for field levelsecurity as required.security as required.

Buisness information warehouse:Buisness information warehouse:Authorization objects are delivered to protect allAuthorization objects are delivered to protect all

major authorizationsmajor authorizations



Following objects are thereFollowing objects are there



Authorizations primary for reporting Authorizations primary for reporting

purposepurpose

S_RS_ICUBES_RS_ICUBE--Info cube accessInfo cube access

S_RS_COMPS_RS_COMP--one field relates toone field relates toquery and one relates to info cubequery and one relates to info cube

S_RS_COMP1S_RS_COMP1--Secure query usingSecure query usinguser name.user name.

S_RS_FOLDS_RS_FOLD--display authorization fordisplay authorization for

favorite folder.favorite folder.S_RFCS_RFC--to enable the logon access toto enable the logon access tobusiness explorerbusiness explorer



Authorizations objects used Authorizations objects used

primarily by administratorsprimarily by administrators

S_RS_ADMWBS_RS_ADMWB--individual objects of admis.individual objects of admis.WbWb

S_RS_IOBJS_RS_IOBJ--Authorization for info objectsAuthorization for info objects

S_RS_ISOURS_RS_ISOUR--Authorization for sourceAuthorization for sourcesystem(transaction data info sources)system(transaction data info sources)

S_RS_ISRCMS_RS_ISRCM--Authorization for sourceAuthorization for source

system (master data info sources)system (master data info sources)



Securing Reporting UsersSecuring Reporting Users

Securing reporting users comes in pictureSecuring reporting users comes in picturestarting from user enters Bex explorer.starting from user enters Bex explorer.

Security is primarily tied to :Security is primarily tied to :

INFO AREAINFO AREA

INFOPROVIDERINFOPROVIDER

QUERYQUERY

This check can be performed usingThis check can be performed usings_rs_comp, s_rs_comp1,s_rs_icube,s_rfcs_rs_comp, s_rs_comp1,s_rs_icube,s_rfc



S_RS_COMPS_RS_COMP

Activity:Display(03)Activity:Display(03)

Execute(16)Execute(16)

Info Area: Specific Info Area nameInfo Area: Specific Info Area nameInfo Cube: Specific Info Cube or ODSInfo Cube: Specific Info Cube or ODSnamename

Name of ReportingName of Reporting

component:Specific query technicalcomponent:Specific query technicalname or ´*´.name or ´*´.

Type of reporting component:REPType of reporting component:REP



S_RS_COMP1S_RS_COMP1

Every field is present in conjunctionEvery field is present in conjunctionwith OWNERwith OWNER



RolesRoles

In Profile Generator, an authorizationIn Profile Generator, an authorizationprofile corresponds to a role. A userprofile corresponds to a role. A userassigned to the role automaticallyassigned to the role automaticallyhas the corresponding authorizationhas the corresponding authorizationprofile. A user can be assigned toprofile. A user can be assigned tomultiple roles. The maximummultiple roles. The maximum

number of characters allowed for thenumber of characters allowed for thetechnical name is 30.technical name is 30.



Setting up roleSetting up role

There is hierarchyThere is hierarchyto be followed:to be followed:

ROLES

AUTHORIZATION PROFILE

AUTHORIZATION OBJECTS



Creating RolesCreating Roles

TcodeTcode PFCGPFCG

Authorization ObjectsAuthorization Objects--S_RS_COMP,S_RS_COMP,

S_RS_ICUBE,S_RFCS_RS_ICUBE,S_RFC













Info object level securityInfo object level security

Make the info object authorizationMake the info object authorizationrelevant.relevant.



Create your own authorizationCreate your own authorizationobject.object.

Tcode:RSSMTcode:RSSM







Making info cube AuthorizationMaking info cube Authorization

relevantrelevant



Now check the query it will only giveNow check the query it will only givethe result for which user isthe result for which user isauthorized.authorized.

Also you can make the query variableAlso you can make the query variableitself checking the authorization:itself checking the authorization:

In the variable screen give variableIn the variable screen give variable

type as authorization variable.type as authorization variable.And uncheck ready to inputAnd uncheck ready to inputcheckbox.checkbox.



Authorizing Hierarchies Authorizing Hierarchies

Make the info object used asMake the info object used asHierarchy node authorizationHierarchy node authorizationrelevant.relevant.



Create an authorization object forCreate an authorization object forhierarchy and go to radio buttonhierarchy and go to radio buttonauthorization definition fr hier.authorization definition fr hier.



Fill The entries:Fill The entries:



Also check that field 0tctauthh isAlso check that field 0tctauthh ismade authorization relevant andmade authorization relevant andincluded in your authorization object.included in your authorization object.

Enter the authorization object in yourEnter the authorization object in yourrole.role.

Generate the profile.Generate the profile.

And execute the query.And execute the query.You should see only the node whichYou should see only the node whichyou made authorization relevant.you made authorization relevant.





Go to Menu tab in the roles andGo to Menu tab in the roles andinsert two foldersinsert two folders

Now save your workbooks in theseNow save your workbooks in theseroles ,so that only authorized userroles ,so that only authorized usercan access workbooks.can access workbooks.

Documents

SECURITY IN BW