Authorization concept
overview and setup guide

for Hovitaga OpenSQL Editor and Hovitaga Report Generator

Version 1.0

2012.06.06.

Table of contents

Overview
    Transaction level authorizations
    Table group level authorizations
    Record level authorizations
      SAP standard line-oriented authorizations
      Custom row level authorizations
    Field level authorizations

General comments

Step by step tutorials
    Table group level authorizations
    SAP standard line-oriented authorizations: S_TABU_LIN
      S_TABU_LIN Customizing
      Adding the S_TABU_LIN to a role
    Column level authorizations
    Custom row level authorizations

Further checks in the OpenSQL Editor
    Standard authorization objects
    Custom authorization objects

Objects shipped
    Authorization Objects
      Authorization Object ZSQL_COMM
      Authorization Object ZSQL_RES
      Authorization Object ZSQL_CLSP
      Authorization Object ZSQL_COL
      Authorization Object ZSQL_MAIN
    Predefined Roles
      Role ZSQL_USER
      Role ZSQL_DEVELOPER

Appendix – Links to SAP Help

Overview

Hovitaga OpenSQL Editor and Hovitaga Report Generator share exactly the same
authorization system. The following is an overview of the whole authorization concept:




                          fig 1: Authorization concept overview




Transaction level authorizations

The SAP standard authorization object S_TCODE is used to control who can start the
transaction.




fig 2. Transaction check with S_TCODE


Table group level authorizations

The authorization system uses the SAP standard authority objects S_TABU_DIS to control
access to table groups and S_TABU_CLI to control maintenance of client-independent
tables. This is done both for reading and writing operations.



Record level authorizations

SAP standard line-oriented authorizations
While the tools mostly used by consultants and developers (SE16 and SAP Query) only
use table group level authorizations to filter query results, Hovitaga OpenSQL Editor can
be controlled in a much more sophisticated way. This means that besides defining which
tables can be read, you can control which records can be read from a table. A generic
standard SAP authority object (S_TABU_LIN) is used to filter the query results based on
any organizational criteria defined in customizing. For example a scenario can be set up
easily where certain users only see data for their company code (or country or any
organizational level). This row level authorization concept is part of every SAP system and
can be maintained within customizing (SPRO). If it has already been set up, queries will be
filtered accordingly.

Custom row level authorizations
Additionally any number of authority objects can be assigned to tables within a
customizing transaction. A field mapping between the authority object and the table must
be made that is used when filtering query results.

For example, to filter entries in the VBAK table (Order headers) by sales organization,
simply assign authority object V_VBAK_VKO to the table. To filter entries by plant in table
MARC (Plant data), assign authority object M_MATE_WRK to table MARC. If these
authority objects were already used in the SAP system, then the roles, profiles etc. do not
need to be changed and no further user maintenance effort is required.
Field level authorizations

In addition to record level authorization, query results can also be filtered at field level.
For example, certain users could see the contents of the salary field in a table while others
could not, depending on their authorizations.

There is a custom authority object that controls which columns a user may access in a
database table. This can be maintained with the standard SAP tools without any special
customizing effort.

General comments

Keep in mind that if you change the authorizations of a user, in order for the changes to
take effect the user must log out and log in again.

Please note that authorizations are not checked if the SQL query uses the addition
"client specified". The reason is that authorizations are always checked for the logon client
anyway. In order to still have protection, S_TABU_CLI and ZSQL_CLSP are checked for
authorization to maintain client-independent tables and to use the "client specified" SQL
addition.

If you create a new role for the OpenSQL Editor, the ZSQL_COL authorization object must
be added. If you do not want to limit the columns displayed, enter a star character for the
table name and the field name.

Step by step tutorials


Table group level authorizations

Authorization object S_TABU_DIS provides authorizations for displaying or maintaining
tables. The object only controls access using the standard table maintenance tool
(transaction SM31), enhanced table maintenance (SM30) or the Data Browser, including
access in Customizing.


The authorization object checks the following fields:
    • DICBERCLS Authorization Group
      Authorization for tables grouped by authorization class according to table TDDAT.
      Enter the name of the allowed classes. Table classes are defined in table TBRG.
    • ACTVT Activity
      Possible values:
         • 02: Create, change, or delete table entries
         • 03: Display table entries only
         • BD: Skip change lock for Customizing distribution

As a first step, we will create a new authorization group in transaction SE54. Select the
highlighted radiobutton and press "Create/change".




                                    fig 3. Transaction SE54


Our new entry will be named ZFLI.




fig 4. Creating a new authorization group


As a second step we will assign our table ZFLIGHTS to this new authorization group. To
do so, select the last radiobutton in SE54 ("Assign Authoriz. Group") and press
"Create/Change". A popup window will appear where we can select how we want to find
the records we want to work with. Since we are creating a new entry, this is not important
now.




                 fig 5. Popup window displaying ways to find the correct entry




                  fig 6. Search for entries for our new authorization group



After selecting a range of authorization groups and pressing Enter, we can add our new
entry to this customizing view. Keep in mind that one table can be part of only one
authorization group, but one authorization group can contain many tables.

fig 7. Assigning table ZFLIGHTS to authorization group ZFLI


In this example we deliberately do not assign the authorization to our test user, so we can see
that the OpenSQL Editor will refuse access to table ZFLIGHTS:




                  fig 8. OpenSQL Editor does not display data from ZFLIGHTS

If you want to protect cross-client tables, a second step in the table access control is
required, which is based on the object S_TABU_CLI. The object consists of only one field,
CLIDMAINT. The value for this field is 'X' (indicator for cross-client maintenance). The
object S_TABU_CLI is the object that specifically protects the client-independent (also
called cross-client) tables.

The indicator 'X' does not automatically allow maintenance; the access scope is still limited
through the field values in ACTVT of the object S_TABU_DIS.


SAP standard line-oriented authorizations: S_TABU_LIN


The example uses a custom table which is a copy of table SFLIGHT, a table included in
SAP systems for demonstration purposes. It holds flight information. Our goal is to filter
the table contents by Carrier ID (Airline Code), so that, for example, a user who is responsible
for Lufthansa flights only sees records related to Lufthansa and nothing else.




                                fig 9. Custom table ZFLIGHTS




We have also created a maintenance view for this table.




                      fig 10. Table maintenance with all authorizations




S_TABU_LIN Customizing

The customizing entries in the IMG can be found under SAP NetWeaver - Application
Server - System Administration - Users and Administration - Line-oriented Authorizations.




                             fig 11. Customizing path for S_TABU_LIN



When "Define organizational criteria" is executed, we create a new entry for our
organizational criteria, which is called Flights.




                      fig 12. Creating a new organizational criteria for Carrier ID

The "Table-independent" checkbox can be very useful. If it is not checked, then this
organizational criterion will only filter the contents of the table that we specify later. If it is
checked, then it will filter the contents of all tables whose key fields are related to all
domains specified in the attributes. We used the first option in our example to filter only
table ZFLIGHTS.

After defining the organizational criteria, we have to maintain its attributes. We will
maintain two attributes, which will check the first two key fields of the table (Carrier ID and
Connection ID).
fig 13. Maintaining the first attribute


After creating the first attribute, we have to maintain the table field details. Here we
define which table we want to filter and which key field the attribute filters. Keep in
mind that only key fields can be used.




                    fig 14. Assigning the first attribute to the Carrier ID field




We will do the same process for the second attribute and table key field:




                 fig 15. Assigning the second attribute to the Connection ID field


So after setting this up, we can see that for our new organizational criteria called ZFLIGHT
we have two attributes: the first one for the Carrier ID and the second one for the
Connection ID.




                      fig 16. Overview of organizational criteria ZFLIGHT


After defining the organizational criteria, we have to activate it using the second customizing
transaction in SAP NetWeaver - Application Server - System Administration - Users and
Administration - Line-oriented Authorizations. Simply check the Active checkbox and save.




fig 17. Activation of organizational criteria ZFLIGHT




Adding the S_TABU_LIN to a role
After the definition and activation of organizational criteria ZFLIGHT, we have to maintain
the user authorizations. We have to define which users can see which data in our table. To
do so, simply create a role using transaction PFCG.

We will create a role for the Lufthansa administrator, called ZFLIGHT_LH.




                            fig 18. Creation of a role using PFCG




On the third tab, called "Authorizations", press the button "Change Authorization Data". This
will open a screen where we can define exactly what data the Lufthansa administrator can see.




                   fig 19. The marked button will call the screen we will use



The first time, the next screen will be empty. Now add authorization object
S_TABU_LIN to this role using the "Manually" button (Manual entry of authorization
objects). After adding S_TABU_LIN to the role, we will see the following screen:

fig 20. Press this button to add an authorization object to the role

The icons will be yellow when the exact values are not maintained for the authorization
objects. To maintain them, press any of the pencil icons. A popup window will appear
where we select our new organizational criteria:




                        fig 21. Choose organizational criteria ZFLIGHT


Another popup window will appear where we set up exactly which values the user can
see. Here we make sure that the Lufthansa administrators will only see records where
CARRID equals "LH". The star character is the wildcard character, so all flight connections
will be visible for Lufthansa. The Activity field can be used to separate Display and Change
operations; using the star character, this setting will be valid for both operations.



fig 22. Lufthansa admins should see only LH flights, but all flight connections


After successfully maintaining the values for the authorization object, the icons will turn
green as seen here:




fig 23. Exact values maintained for S_TABU_LIN in role ZFLIGHT_LH



The last step in PFCG is to generate the profile. Press Shift-F5 or the button "Generate" to do
so. A popup window will appear where you can give a name to the profile. You can use the
default if you like.




fig 24. Giving a name to the generated profile


The very last step is to assign our new role to our test user. To do so, use transaction
SU01.

Simply add our new role on the "Roles" tabsheet and save.




                       fig 25. Adding the new role to user ZLH_USER


When testing our new authorization setup, we can see that the standard maintenance view
filters the table contents for user ZLH_USER: only LH records are visible.




fig 26. Table contents are filtered in the maintenance view

Finally, let's test the OpenSQL Editor by writing a query that selects all records from table
ZFLIGHTS. As you can see, the OpenSQL Editor automatically uses the authorization
settings, so only LH records are displayed.




                      fig 27. Table contents filtered by the OpenSQL Editor

Column level authorizations


If you want to hide a specific field from a user, you can do so by adding authorization
object ZSQL_COL to the role. In this example we will only let the user see the
country-related information for the flights. Press the pencil icon to maintain the values for
the authorization object.




                           fig 28. List the fields that the user will see


As a result we will see the table and allowed fields in PFCG with green icons:




                       fig 29. Setup of authorization object ZHTDB_COL


Finally, let's test the OpenSQL Editor by writing a query that selects all records from table
ZFLIGHTS. As you can see, the OpenSQL Editor displays only the fields that are allowed
by the authorization setup.



fig 30. Assigning an authorization object to a table



Keep in mind that if you create a new role for the OpenSQL Editor, the ZSQL_COL
authorization object must be added. If you do not want to limit the columns displayed, enter
a star character for the table name and the field name.



Custom row level authorizations

Additional protection can be achieved by assigning any number of authority objects to
tables.

The first step is to maintain table ZHTDB_AUTH_OBJ using SM30. In our example we will
filter the contents of table VBAK (Sales Document: Header Data) using the standard
authorization object V_VBAK_VKO.




fig 31. Assigning an authorization object to a table

As the second step, a field mapping between the authority object and the table must be
made; this mapping is used when filtering query results. This can be done by maintaining table
ZHTDB_AUTH_FIELD using SM30. Here we define which field of the table will be passed to
which field of the authorization object. In this example the field names are exactly the same.




fig 32. Assigning authorization object fields to table fields



Once this data is saved, the OpenSQL Editor will use V_VBAK_VKO to filter the contents
of VBAK. Now we assign this authorization object to our role using PFCG and restrict the
authorizations to Distribution Channel 'C1'.




                   fig 33. Filtering table VBAK for Distribution Channel 'C1'



Once the settings are saved and the authorization profile is generated, the OpenSQL
Editor restricts the access of table VBAK to records with Distribution Channel 'C1'.




               fig 34. OpenSQL Editor filters VBAK for Distribution Channel 'C1'
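To make the evaluation rules behind the settings of the last two tutorials concrete, here is an added Python model (not Hovitaga code and not the OpenSQL Editor's implementation) of how the role values maintained in PFCG decide column visibility under ZSQL_COL and row filtering under a custom object such as V_VBAK_VKO mapped through ZHTDB_AUTH_FIELD. It assumes role entries in the shape of table AGR_1251 (role, object, authorization, field, low, high); the authorization names, VBAK rows and field mapping are constructed for the example, and the matching rules (star wildcard, trailing-star prefix, LOW-HIGH range, every field of one authorization must match) follow standard SAP authorization semantics.

```python
"""Model of how PFCG role values are evaluated when the OpenSQL Editor
filters columns (ZSQL_COL) and rows (a custom row-level object such as
V_VBAK_VKO, mapped to table fields as in ZHTDB_AUTH_FIELD).

Constructed example, not Hovitaga's code. Role entries mimic the shape of
table AGR_1251: (role, object, authorization, field, low, high).
"""
from collections import defaultdict

# Constructed role data (authorization names T-0001/T-0002 are made up).
ROLE_ZFLIGHT_LH = [
    # ZSQL_COL: the user may display only the country-related fields of ZFLIGHTS
    ("ZFLIGHT_LH", "ZSQL_COL", "T-0001", "ACTVT", "03", ""),
    ("ZFLIGHT_LH", "ZSQL_COL", "T-0001", "TABLE", "ZFLIGHTS", ""),
    ("ZFLIGHT_LH", "ZSQL_COL", "T-0001", "ZSQL_COL", "COUNTRYFR", ""),
    ("ZFLIGHT_LH", "ZSQL_COL", "T-0001", "ZSQL_COL", "COUNTRYTO", ""),
    # V_VBAK_VKO: only distribution channel C1, any sales org and division
    ("ZFLIGHT_LH", "V_VBAK_VKO", "T-0002", "ACTVT", "03", ""),
    ("ZFLIGHT_LH", "V_VBAK_VKO", "T-0002", "VKORG", "*", ""),
    ("ZFLIGHT_LH", "V_VBAK_VKO", "T-0002", "VTWEG", "C1", ""),
    ("ZFLIGHT_LH", "V_VBAK_VKO", "T-0002", "SPART", "*", ""),
]

# The "star for table name and field name" setting from the guide: no column limit.
ROLE_UNRESTRICTED = [
    ("ZSQL_ALLCOLS", "ZSQL_COL", "T-0003", "ACTVT", "03", ""),
    ("ZSQL_ALLCOLS", "ZSQL_COL", "T-0003", "TABLE", "*", ""),
    ("ZSQL_ALLCOLS", "ZSQL_COL", "T-0003", "ZSQL_COL", "*", ""),
]

# Constructed VBAK rows and the ZHTDB_AUTH_FIELD-style mapping
# (table field -> authorization object field; names are identical here).
VBAK_ROWS = [
    {"VBELN": "0000000001", "VKORG": "1000", "VTWEG": "C1", "SPART": "00"},
    {"VBELN": "0000000002", "VKORG": "1000", "VTWEG": "C2", "SPART": "00"},
    {"VBELN": "0000000003", "VKORG": "2000", "VTWEG": "C1", "SPART": "01"},
]
VBAK_FIELD_MAP = {"VKORG": "VKORG", "VTWEG": "VTWEG", "SPART": "SPART"}


def value_matches(low, high, value):
    """SAP-style value match: '*' = any, 'ABC*' = prefix, LOW-HIGH = range."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def group_auths(entries, obj):
    """Group the field values of one object by authorization name."""
    auths = defaultdict(lambda: defaultdict(list))
    for _role, o, auth, field, low, high in entries:
        if o == obj:
            auths[auth][field].append((low, high))
    return auths


def is_authorized(entries, obj, checked):
    """AUTHORITY-CHECK semantics: at least one authorization of `obj` must
    match every checked field, each with at least one of its maintained values."""
    for fields in group_auths(entries, obj).values():
        if all(any(value_matches(lo, hi, val) for lo, hi in fields.get(f, []))
               for f, val in checked.items()):
            return True
    return False


def visible_columns(entries, table, columns, actvt="03"):
    """Columns of `table` the user may display under ZSQL_COL."""
    return [c for c in columns
            if is_authorized(entries, "ZSQL_COL",
                             {"ACTVT": actvt, "TABLE": table, "ZSQL_COL": c})]


def filter_rows(entries, obj, field_map, rows, actvt="03"):
    """Keep only rows whose mapped table fields pass the object's check."""
    kept = []
    for row in rows:
        checked = {auth_f: row[tab_f] for tab_f, auth_f in field_map.items()}
        checked["ACTVT"] = actvt
        if is_authorized(entries, obj, checked):
            kept.append(row)
    return kept


if __name__ == "__main__":
    cols = ["CARRID", "CONNID", "COUNTRYFR", "COUNTRYTO", "PRICE"]
    print("ZFLIGHTS columns for ZFLIGHT_LH:",
          visible_columns(ROLE_ZFLIGHT_LH, "ZFLIGHTS", cols))
    for row in filter_rows(ROLE_ZFLIGHT_LH, "V_VBAK_VKO", VBAK_FIELD_MAP, VBAK_ROWS):
        print("VBAK row visible:", row["VBELN"], row["VTWEG"])
```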




Further checks in the OpenSQL Editor


Standard authorization objects


SAP standard Authorization Object S_DEVELOP (ABAP Workbench) is checked when the
SQL Editor is loaded, and the Loop-at Workbench is available or not depending on the
result of the check. It is also checked when the user wants to access the table definition or
technical settings, or a data element.

SAP standard Authorization Object S_DATASET is checked when the user executes a
background job (the job writes the results into a file) and also checked when the user
reads the results from the file.

SAP standard Authorization Objects S_BTCH_ADM and S_BTCH_JOB are checked when
the user administers his own jobs.

Custom authorization objects


The following is the list of all custom authorization checks in the program.

ZSQL_COL controls:
  − whether a certain field of a table can be displayed or edited

ZSQL_COMM controls:
  − what kinds of command a user can create, change, execute or delete
  − if the command properties can be edited or not

ZSQL_RES controls:
  − if the result set of a query can be used to create and fill a new table
  − if the result set of a query can be edited or not

ZSQL_MAIN controls:
  − if a report can be generated based on a query (feature of Hovitaga Report
     Generator)

ZSQL_CLSP controls:
  − whether the user can use the "CLIENT SPECIFIED" keyword in a command

Objects shipped

Authorization Objects
The Authorization Object Class ZSQL contains the following authorization objects.

Authorization Object ZSQL_COMM
Contains all the command-type and client role specific authorizations. It is possible to
restrict activities by Client Role.

Possible values for a Client Role:
P Production
T Test
C Customizing
D Demo
E Training/Education
S SAP reference

For example, Update commands could be executed on Test clients, but not on Production
clients.
Basically this defines what a user can do with each kind of command, and in what kind of
client.

Authorization Fields:

ZSQL_CTYPE Command Type
ACTVT Activity
CCCATEGORY Client control: Role of client (production, test…)

Permitted activities:
01 Create or generate
02 Change
03 Display
06 Delete
16 Execute

Authorization Object ZSQL_RES
Contains all authorizations related to a Result Set of any select command. This can be set
up per Client Role.

Authorization Fields:

ACTVT Activity
CCCATEGORY Client control: Role of client (production, test…)

Permitted activities:

02 Change
40 Create in DB
Activity 02 is relevant for modifying and saving the Result Set of a select command.
Activity 40 is relevant for moving the records of the Result Set to a different table.


Authorization Object ZSQL_CLSP
Contains the authorizations related to the usage of the clause "CLIENT SPECIFIED".

Authorization Fields:

ACTVT Activity
ZSQL_CTYPE Command Type

Permitted activities:

16 Execute

Authorization Object ZSQL_COL
Contains the authorizations which are used to control which fields of a table can be
displayed or edited.

Authorization Fields:

ACTVT Activity
TABLE Table Name
ZSQL_COL Field Name

Permitted activities:

02 Change
03 Display


Authorization Object ZSQL_MAIN
Contains the authorizations which are used to control basic features of the program.

Authorization Fields:

ACTVT Activity
TABLE Table Name
ZSQL_COL Field Name

Permitted activities:

16 Execute
64 Generate

Activity 64 is the generation of a report based on a select query (feature of Hovitaga
Report Generator). Activity 16 is obsolete (use S_TCODE instead).
Predefined Roles

The aim of providing predefined roles is to ease the process of authorizing users for the
SQL Editor.
Note that both roles grant access to all SAP table groups. This might have to be adjusted,
as it allows too much freedom to the user.

Role ZSQL_USER
This role is a basic role for users with only read access to the SAP tables. Users with this
role can:

- Create, edit and execute Select statements on all SAP tables
- Create, edit and execute Select for all entries statements
- Create, edit and execute Loop at workbench statements (provided the user has the
S_DEVELOP authorization object from another role or profile)


Role ZSQL_DEVELOPER
The developer role allows even more activities than the user role. Users with this role can:

- Do everything that is included in the ZSQL_USER role (note that this role still does not
grant the S_DEVELOP authority object for security reasons)
- Create, edit and execute Update statements in non-production systems
- Create, edit and execute Delete statements in non-production systems
- Import and export data to/from SAP tables
- Edit and insert new entries into the result set

Appendix – Links to SAP Help

SAP Help on the Authorization concept:
http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm

SAP Help on PFCG:
http://help.sap.com/saphelp_nw04/helpdata/en/52/6714a9439b11d1896f0000e8322d00/content.htm

SAP Help on User Maintenance:
http://help.sap.com/saphelp_nw04/helpdata/en/e1/120024e74011d2962b0000e82de14a/frameset.htm

SAP Help on Organizational Criteria (Authorization object S_TABU_LIN):
http://help.sap.com/saphelp_erp2005/helpdata/en/6d/56cdd3edabc14ebd1bc84dae20dec8/frameset.htm

SAP Help on Authorization Groups for tables (S_TABU_DIS):
http://help.sap.com/saphelp_nw04/helpdata/en/1e/e867408cd59b0ae10000000a155106/frameset.htm
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Hovitaga authorization concept and setup guide

Overview

The authorization system of Hovitaga OpenSQL Editor and Hovitaga Report Generator is exactly the same. Here you can see an overview of the whole authorization concept:

fig 1: Authorization concept overview

Transaction level authorizations

The SAP standard authorization object S_TCODE is used to control who can start the transaction.
fig 2. Transaction check with S_TCODE

Table group level authorizations

The authorization system uses the SAP standard authority objects S_TABU_DIS to control access to table groups and S_TABU_CLI to control maintenance of client-independent tables. This is done both for reading and writing operations.

Record level authorizations

SAP standard line-oriented authorizations

While the tools mostly used by consultants and developers (SE16 and SAP Query) only use table group level authorizations to filter query results, Hovitaga OpenSQL Editor can be controlled in a much more sophisticated way. This means that besides defining which tables can be read, you can control which records can be read from a table. A generic standard SAP authority object (S_TABU_LIN) is used to filter the query results based on any organizational criteria defined in customizing. For example, a scenario can be set up easily where certain users only see data for their company code (or country, or any other organizational level). This row level authorization concept is part of every SAP system and can be maintained within customizing (SPRO). If it has already been set up, then the queries will be filtered accordingly.

Custom row level authorizations

Additionally, any number of authority objects can be assigned to tables within a customizing transaction. A field mapping between the authority object and the table must be made that is used when filtering query results. For example, to filter entries in the VBAK table (Order headers) by sales organization, simply assign authority object V_VBAK_VKO to the table. To filter entries by plant in table MARC (Plant data), assign authority object M_MATE_WRK to table MARC. If these authority objects were already used in the SAP system, then the roles, profiles etc. do not need to be changed; no other user maintenance effort is required.
Field level authorizations

In addition to the record level authorization, query results can also be filtered on field level. For example, certain users could see the contents of the salary field in a table while others could not, depending on their authorizations. A custom authority object controls which columns a user may access in a database table. This can be maintained with the standard SAP tools without any special customizing effort.
General comments

Keep in mind that if you change the authorizations of a user, the user must log out and log in again for the changes to take effect.

Please note that authorizations are not checked if the SQL query is using the addition „client specified”. The reason is that authorizations are always checked for the logon client anyway. In order to still have protection, S_TABU_CLI and ZSQL_CLSP are checked for authorization to maintain client-independent tables and to use the „client specified” SQL addition.

If you create a new role for the OpenSQL Editor, the ZSQL_COL authorization object must be added. If you do not want to limit the columns displayed, add a star character to the table name and field name.
Step by step tutorials

Table group level authorizations

Authorization object S_TABU_DIS provides authorizations for displaying or maintaining tables. The object only controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser, including access in Customizing. The authorization object checks the following fields:

• DICBERCLS (Authorization Group): authorization for tables grouped by authorization class according to table TDDAT. Enter the name of the allowed classes. Table classes are defined in table TBRG.
• ACTVT (Activity). Possible values:
  • 02: Create, change, or delete table entries
  • 03: Display table entries only
  • BD: Skip change lock for Customizing distribution

As a first step, we will create a new authorization group in transaction SE54. Select the highlighted radiobutton and press „Create/change”.

fig 3. Transaction SE54

Our new entry will be named ZFLI.
fig 4. Creating a new authorization group

As a second step we will assign our table ZFLIGHTS to this new authorization group. To do so, select the last radiobutton in SE54 („Assign Authoriz. Group”) and press „Create/Change”. A popup window will appear where we can select how we should find the records we want to work with. Since we are creating a new entry, this is not important now.

fig 5. Popup window displaying ways to find the correct entry

fig 6. Search for entries for our new authorization group

After selecting a range of authorization groups and pressing enter, we can add our new entry to this customizing view. Keep in mind that one table can be part of only one authorization group, but one authorization group can contain many tables.
fig 7. Assigning table ZFLIGHTS to authorization group ZFLI

In this example we deliberately do not assign the authorization to our test user, so we can see that the OpenSQL Editor will refuse access to table ZFLIGHTS:

fig 8. OpenSQL Editor does not display data from ZFLIGHTS

If you want to protect cross-client tables, a second step in the table access control is required, which is based on the object S_TABU_CLI. The object consists of only one field, CLIDMAINT. The value for this object is 'X' (indicator for cross-client maintenance). The object S_TABU_CLI is the object that especially protects the client-independent (also called cross-client) tables. The indicator 'X' does not automatically allow maintenance; the access scope is still limited through the field values in ACTVT of the object S_TABU_DIS.

SAP standard line-oriented authorizations: S_TABU_LIN

The example uses a custom table which is a copy of table SFLIGHT, which is included in SAP systems for demonstration purposes. This table holds flight information. Our goal is to filter the table contents by Carrier ID (Airline Code). So, for example, a user who is responsible for Lufthansa flights must only see records related to Lufthansa and nothing else.

fig 9. Custom table ZFLIGHTS
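As an added example (not code from the Hovitaga tools or from SAP), the following ABAP report shows how a program can perform the table group level check described above before reading a table: it looks up the table's authorization group in TDDAT, checks S_TABU_DIS with that group and the requested activity, and for a client-independent table (DD02L-CLIDEP empty) that is to be maintained additionally checks S_TABU_CLI. The report name, the subroutine name and the ZFLIGHTS default are assumptions; the objects, fields and tables used are the ones named in the text.

```abap
*&---------------------------------------------------------------------*
* Added example: table group level check before reading a table.
* Not part of the Hovitaga tools; report and form names are assumptions.
*&---------------------------------------------------------------------*
REPORT zhov_example_tabu_dis.

TYPE-POOLS abap.

PARAMETERS: p_table TYPE tabname    DEFAULT 'ZFLIGHTS',
            p_actvt TYPE activ_auth DEFAULT '03'.   " 03 display, 02 maintain

" Sets CV_ALLOWED to abap_true when the current user may access IV_TABLE
" with activity IV_ACTVT according to S_TABU_DIS (and S_TABU_CLI).
FORM check_table_access USING    iv_table   TYPE tabname
                                  iv_actvt   TYPE activ_auth
                         CHANGING cv_allowed TYPE abap_bool.
  DATA: lv_cclass TYPE tddat-cclass,
        lv_clidep TYPE dd02l-clidep.

  cv_allowed = abap_false.

  " 1. Authorization group of the table, as assigned in SE54 (table TDDAT).
  SELECT SINGLE cclass FROM tddat INTO lv_cclass WHERE tabname = iv_table.
  IF sy-subrc <> 0 OR lv_cclass IS INITIAL.
    " Tables without a group are checked as group &NC& (not classified).
    lv_cclass = '&NC&'.
  ENDIF.

  " 2. S_TABU_DIS: may the user use this group with this activity?
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD lv_cclass
    ID 'ACTVT'     FIELD iv_actvt.
  IF sy-subrc <> 0.
    RETURN.
  ENDIF.

  " 3. Maintaining a cross-client table additionally needs S_TABU_CLI
  "    (single field CLIDMAINT = 'X'); display is governed by S_TABU_DIS alone.
  SELECT SINGLE clidep FROM dd02l INTO lv_clidep
    WHERE tabname = iv_table AND as4local = 'A'.
  IF sy-subrc = 0 AND lv_clidep IS INITIAL AND iv_actvt = '02'.
    AUTHORITY-CHECK OBJECT 'S_TABU_CLI'
      ID 'CLIDMAINT' FIELD 'X'.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.
  ENDIF.

  cv_allowed = abap_true.
ENDFORM.

START-OF-SELECTION.
  DATA lv_allowed TYPE abap_bool.

  PERFORM check_table_access USING p_table p_actvt CHANGING lv_allowed.
  IF lv_allowed = abap_true.
    WRITE: / 'Access to table', p_table, 'with activity', p_actvt, 'granted.'.
  ELSE.
    WRITE: / 'Access to table', p_table, 'with activity', p_actvt, 'refused.'.
  ENDIF.
```

Run it as the test user from the tutorial: with ZFLIGHTS assigned to group ZFLI and no S_TABU_DIS authorization for ZFLI in any of the user's roles, the report reports the access as refused, which is the same decision the OpenSQL Editor makes in fig 8.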
We have also created a maintenance view for this table.

fig 10. Table maintenance with all authorizations
S_TABU_LIN Customizing

The customizing entries in the IMG can be found under SAP NetWeaver - Application Server - System Administration - Users and Administration - Line-oriented Authorizations.

fig 11. Customizing path for S_TABU_LIN

When „Define organizational criteria” is executed, we create a new entry for our organizational criterion, which is called Flights.

fig 12. Creating a new organizational criteria for Carrier ID

The „Table-independent” checkbox can be very useful. If it is not checked, then this organizational criterion will only filter the contents of the table that we will specify later. If it is checked, then it will filter the contents of all tables whose key fields are related to all domains specified in the attributes. We used the first option in our example to filter only table ZFLIGHTS.

After defining the organizational criterion, we have to maintain its attributes. We will maintain two attributes, which will check the first two key fields of the table (Carrier ID and Connection ID).
fig 13. Maintaining the first attribute

After creating the first attribute, we have to maintain the table field details. Here we define which table we want to filter and which key field the attribute filters. Keep in mind that only key fields can be used.

fig 14. Assigning the first attribute to the Carrier ID field
We will do the same process for the second attribute and table key field:

fig 15. Assigning the second attribute to the Connection ID field

So after setting this up, we can see that our new organizational criterion called ZFLIGHT has two attributes: the first one for the Carrier ID and the second one for the Connection ID.

fig 16. Overview of organizational criteria ZFLIGHT

After defining the organizational criterion, we have to activate it using the second customizing transaction in SAP NetWeaver - Application Server - System Administration - Users and Administration - Line-oriented Authorizations. Simply check the Active checkbox and save.
fig 17. Activation of organizational criteria ZFLIGHT

Adding the S_TABU_LIN to a role

After the definition and activation of organizational criteria ZFLIGHT, we have to maintain the user authorizations. We have to define which users can see which data in our table. To do so, simply create a role using transaction PFCG. We will create a role for the Lufthansa administrator, called ZFLIGHT_LH.

fig 18. Creation of a role using PFCG
On the third tab, called „Authorizations”, press the button „Change Authorization Data”. This will call a screen where we can actually define what data the Lufthansa administrator can see.

fig 19. The marked button will call the screen we will use

The next screen will be empty the first time. It is time to add authorization object S_TABU_LIN to this role using the „Manually” button (Manual entry of authorization objects). After adding S_TABU_LIN to the role, we will see the following screen:
fig 20. Press this button to add an authorization object to the role

The icons will be yellow when the exact values are not maintained for the authorization objects. To maintain them, press any of the pencil icons. A popup window will appear where we select our new organizational criterion:

fig 21. Choose organizational criteria ZFLIGHT

Another popup window will appear where we will set up which exact values the user can see. Here we make sure that the Lufthansa administrators will only see records where CARRID equals „LH”. The star character is the wildcard character, so all flight connections will be visible for Lufthansa. The Activity field can be used to separate Display and Change operations. Using the star character, this setting will be valid for both operations.
fig 3. Lufthansa admins should see only LH flights, but all flight connections

After successfully maintaining the values for the authorization object, the icons will turn green as seen here:

fig 23. Exact values maintained for S_TABU_LIN in role ZFLIGHT_LH

The last step in PFCG is to generate the profile. Press Shift-F5 or the „Generate” button to do so. A popup window will appear where you can give a name to the profile. You can use the default if you like.
fig 24. Giving a name to the generated profile

The very last step is to assign our new role to our test user. To do so, use transaction SU01. Simply add our new role on the „Roles” tabsheet and save.

fig 25. Adding the new role to user ZLH_USER

When testing our new authorization setup, we can see that the standard maintenance view filters the table contents for user ZLH_USER: only LH records are visible.
fig 26. Table contents are filtered in the maintenance view

Finally, let's test the OpenSQL Editor by writing a query that selects all records from table ZFLIGHTS. As you can see, the OpenSQL Editor automatically uses the authorization settings, so only LH records are displayed.

fig 27. Table contents filtered by the OpenSQL Editor
Column level authorizations

If you want to hide a specific field from a user, you can do so by adding authorization object ZSQL_COL to the role. In this example we will only let the user see the country-related information for the flights. Press the pencil icon to maintain the values for the authorization object.

fig 28. List the fields that the user will see

As a result we will see the table and allowed fields in PFCG with green icons:

fig 29. Setup of authorization object ZHTDB_COL

Finally, let's test the OpenSQL Editor by writing a query that selects all records from table ZFLIGHTS. As you can see, the OpenSQL Editor displays only the fields that are allowed by the authorization setup.
fig 30. Assigning an authorization object to a table

Keep in mind that if you create a new role for the OpenSQL Editor, the ZSQL_COL authorization object must be added. If you do not want to limit the columns displayed, add a star character to the table name and field name.

Custom row level authorizations

Additional protection can be achieved by assigning any number of authority objects to tables. The first step is to maintain table ZHTDB_AUTH_OBJ using SM30. In our example we will filter the contents of table VBAK (Sales Document: Header Data) using the standard authorization object V_VBAK_VKO.
fig 31. Assigning an authorization object to a table

As the second step, a field mapping between the authority object and the table must be made that is used when filtering query results. This can be done by maintaining table ZHTDB_AUTH_FIELD using SM30. Basically, here we define which field of the table will be passed to which field of the authorization object. In this example the field names are exactly the same.

fig 32. Assigning authorization object fields to table fields

Once this data is saved, the OpenSQL Editor will use V_VBAK_VKO to filter the contents of VBAK. Now we assign this authorization object to our role using PFCG and restrict the authorizations to Distribution Channel 'C1'.

fig 33. Filtering table VBAK for Distribution Channel 'C1'
Once the settings are saved and the authorization profile is generated, the OpenSQL Editor restricts access to table VBAK to records with Distribution Channel 'C1'.

fig 34. OpenSQL Editor filters VBAK for Distribution Channel 'C1'
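The two row level mechanisms walked through above, S_TABU_LIN on ZFLIGHTS in the line-oriented tutorial and the custom mapping of VBAK to V_VBAK_VKO, both come down to one authority check per record. The following ABAP report is an added example and not the OpenSQL Editor's own implementation: it reads both tables and keeps only the rows the user may display. Assumptions: attribute 1 of criterion ZFLIGHT corresponds to ORG_FIELD1 (CARRID) and attribute 2 to ORG_FIELD2 (CONNID), the VBAK mapping passes VKORG, VTWEG and SPART to the same-named fields of V_VBAK_VKO, and the S_TABU_LIN check is made directly against the role values, so unlike SAP's own evaluation it does not consult whether the criterion has been activated. Report and form names are also assumptions.

```abap
*&---------------------------------------------------------------------*
* Added example: row level filtering with S_TABU_LIN and with a mapped
* application authorization object. Not part of the Hovitaga tools.
*&---------------------------------------------------------------------*
REPORT zhov_example_row_filter.

TYPE-POOLS abap.

TYPES: ty_t_flights TYPE STANDARD TABLE OF zflights WITH DEFAULT KEY,
       ty_t_orders  TYPE STANDARD TABLE OF vbak     WITH DEFAULT KEY.

" ZFLIGHTS filtered by organizational criterion ZFLIGHT (S_TABU_LIN).
" Attribute order CARRID, CONNID is an assumption matching the tutorial.
FORM select_flights_authorized CHANGING ct_flights TYPE ty_t_flights.
  DATA: lt_all TYPE ty_t_flights,
        ls_row TYPE zflights.

  CLEAR ct_flights.
  SELECT * FROM zflights INTO TABLE lt_all.
  LOOP AT lt_all INTO ls_row.
    AUTHORITY-CHECK OBJECT 'S_TABU_LIN'
      ID 'ORG_CRIT'   FIELD 'ZFLIGHT'
      ID 'ORG_FIELD1' FIELD ls_row-carrid
      ID 'ORG_FIELD2' FIELD ls_row-connid
      ID 'ACTVT'      FIELD '03'.
    IF sy-subrc = 0.
      APPEND ls_row TO ct_flights.   " role ZFLIGHT_LH: only CARRID = 'LH'
    ENDIF.
  ENDLOOP.
ENDFORM.

" VBAK filtered through the field mapping of the custom concept
" (ZHTDB_AUTH_FIELD): VKORG, VTWEG, SPART -> same-named V_VBAK_VKO fields.
FORM select_orders_authorized CHANGING ct_orders TYPE ty_t_orders.
  DATA: lt_all TYPE ty_t_orders,
        ls_row TYPE vbak.

  CLEAR ct_orders.
  SELECT * FROM vbak UP TO 1000 ROWS INTO TABLE lt_all.
  LOOP AT lt_all INTO ls_row.
    AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
      ID 'VKORG' FIELD ls_row-vkorg
      ID 'VTWEG' FIELD ls_row-vtweg
      ID 'SPART' FIELD ls_row-spart
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 0.
      APPEND ls_row TO ct_orders.    " tutorial role: only VTWEG = 'C1'
    ENDIF.
  ENDLOOP.
ENDFORM.

START-OF-SELECTION.
  DATA: lt_flights TYPE ty_t_flights,
        lt_orders  TYPE ty_t_orders,
        lv_lines   TYPE i.

  PERFORM select_flights_authorized CHANGING lt_flights.
  lv_lines = lines( lt_flights ).
  WRITE: / 'ZFLIGHTS rows visible to', sy-uname, ':', lv_lines.

  PERFORM select_orders_authorized CHANGING lt_orders.
  lv_lines = lines( lt_orders ).
  WRITE: / 'VBAK rows visible to', sy-uname, ':', lv_lines.
```

Filtering in memory after a full SELECT is only acceptable for small tables such as ZFLIGHTS; for a production-sized VBAK the permitted values would have to be pushed into the WHERE clause, which is the point of the field mapping the tool maintains. Note also that a user whose role carries no S_TABU_LIN or V_VBAK_VKO authorization at all sees zero rows here, whereas a star value in the role makes every row pass.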
Further checks in the OpenSQL Editor

Standard authorization objects

SAP standard Authorization Object S_DEVELOP (ABAP Workbench) is checked when the SQL Editor is loaded, and the Loop-at Workbench is available or not depending on the result of the check. It is also checked when the user wants to access the table definition or technical settings, or a data element.

SAP standard Authorization Object S_DATASET is checked when the user executes a background job (the job writes the results into a file) and also when the user reads the results from the file.

SAP standard Authorization Objects S_BTCH_ADM and S_BTCH_JOB are checked when the user administers his own jobs.

Custom authorization objects

The following is the list of all custom authorization checks in the program.

ZSQL_COL controls:
− whether a certain field of a table can be displayed or edited

ZSQL_COMM controls:
− what kind of commands a user can create, change, execute, delete
− whether the command properties can be edited or not

ZSQL_RES controls:
− whether the result set of a query can be used to create and fill a new table
− whether the result set of a query can be edited or not

ZSQL_MAIN controls:
− whether a report can be generated based on a query (feature of Hovitaga Report Generator)

ZSQL_CLSP controls:
− whether the user can use the „CLIENT SPECIFIED” keyword in a command
Objects shipped

Authorization Objects

The Authorization Object Class ZSQL contains the following authorization objects.

Authorization Object ZSQL_COMM

Contains all the command-type and client role specific authorizations. It is possible to restrict activities by Client Role. Possible values for a Client Role:

P Production
T Test
C Customizing
D Demo
E Training/Education
S SAP reference

For example, Update commands could be executed on Test clients, but not on Production clients. Basically this defines what a user can do with each kind of command, and in what kind of client.

Authorization Fields:
ZSQL_CTYPE Command Type
ACTVT Activity
CCCATEGORY Client control: Role of client (production, test…)

Permitted activities:
01 Create or generate
02 Change
03 Display
06 Delete
16 Execute

Authorization Object ZSQL_RES

Contains all authorizations related to a Result Set of any select command. This can be set up per Client Role.

Authorization Fields:
ACTVT Activity
CCCATEGORY Client control: Role of client (production, test…)

Permitted activities:
02 Change
40 Create in DB
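To show where the client role in ZSQL_COMM comes from and how the "Update commands on Test clients but not on Production clients" rule is decided, here is an added ABAP example (not the tool's own code): it reads the role of the logon client from T000-CCCATEGORY and checks ZSQL_COMM with the command type, the activity and that role. The report and form names are assumptions, and so is the command type value 'UPDATE', because the guide does not list the values of ZSQL_CTYPE.

```abap
*&---------------------------------------------------------------------*
* Added example: client role gated command check with ZSQL_COMM.
* Not part of the Hovitaga tools; the command type value is a placeholder.
*&---------------------------------------------------------------------*
REPORT zhov_example_zsql_comm.

TYPE-POOLS abap.

" Sets CV_ALLOWED to abap_true when the user may perform IV_ACTVT
" (e.g. 16 = execute) on a command of type IV_CTYPE in the logon client.
" The client role (P, T, C, D, E, S) is read from T000-CCCATEGORY.
FORM check_command USING    iv_ctype   TYPE c
                            iv_actvt   TYPE activ_auth
                   CHANGING cv_allowed TYPE abap_bool.
  DATA lv_role TYPE t000-cccategory.

  cv_allowed = abap_false.

  " T000 is cross-client, so the client is selected explicitly.
  SELECT SINGLE cccategory FROM t000 INTO lv_role WHERE mandt = sy-mandt.
  IF sy-subrc <> 0.
    RETURN.          " unknown client: refuse instead of guessing a role
  ENDIF.

  " The role value decides: a role carrying CCCATEGORY = 'T' but not 'P'
  " lets the same command type pass on a test client and fail on production.
  AUTHORITY-CHECK OBJECT 'ZSQL_COMM'
    ID 'ZSQL_CTYPE' FIELD iv_ctype
    ID 'ACTVT'      FIELD iv_actvt
    ID 'CCCATEGORY' FIELD lv_role.
  IF sy-subrc = 0.
    cv_allowed = abap_true.
  ENDIF.
ENDFORM.

START-OF-SELECTION.
  DATA lv_ok TYPE abap_bool.

  " 'UPDATE' is a placeholder command type (assumption, not a documented value).
  PERFORM check_command USING 'UPDATE' '16' CHANGING lv_ok.
  IF lv_ok = abap_true.
    WRITE: / 'Update commands may be executed in client', sy-mandt.
  ELSE.
    WRITE: / 'Update commands are refused in client', sy-mandt.
  ENDIF.
```

Because the decision keys on the role stored in T000 rather than on the system ID, a client whose role was left at the default after a system copy is treated according to that stored role; checking CCCATEGORY in SCC4 is therefore part of validating this authorization setup.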
Activity 02 is relevant for modifying and saving the Result Set of a select command. Activity 40 is relevant for moving the records of the Result Set to a different table.

Authorization Object ZSQL_CLSP

Contains the authorizations related to the usage of clause “CLIENT SPECIFIED”.

Authorization Fields:
ACTVT Activity
ZSQL_CTYPE Command Type

Permitted activities:
16 Execute

Authorization Object ZSQL_COL

Contains the authorizations which are used to control which fields of a table can be displayed or edited.

Authorization Fields:
ACTVT Activity
TABLE Table Name
ZSQL_COL Field Name

Permitted activities:
02 Change
03 Display

Authorization Object ZSQL_MAIN

Contains the authorizations which are used to control basic features of the program.

Authorization Fields:
ACTVT Activity
TABLE Table Name
ZSQL_COL Field Name

Permitted activities:
16 Execute
64 Generate

Activity 64 is the generation of a report based on a select query (feature of Hovitaga Report Generator). Activity 16 is obsolete (use S_TCODE instead).
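The column level tutorial above and the ZSQL_COL object description both describe the same check: for each column of a table, ZSQL_COL with fields TABLE, ZSQL_COL and ACTVT decides whether the user may see it. The following ABAP report is an added example, not the OpenSQL Editor's implementation: it derives the list of permitted columns of a table from the active definition in DD03L and ZSQL_COL, then restricts a SELECT to exactly those columns. Report and form names are assumptions.

```abap
*&---------------------------------------------------------------------*
* Added example: column level restriction with ZSQL_COL.
* Not part of the Hovitaga tools; report and form names are assumptions.
*&---------------------------------------------------------------------*
REPORT zhov_example_zsql_col.

TYPE-POOLS abap.

TYPES: BEGIN OF ty_col,
         fieldname TYPE fieldname,
         position  TYPE dd03l-position,
       END OF ty_col,
       ty_t_cols   TYPE STANDARD TABLE OF ty_col    WITH DEFAULT KEY,
       ty_t_fields TYPE STANDARD TABLE OF fieldname WITH DEFAULT KEY.

" Returns in CT_ALLOWED the columns of IV_TABLE the user may access with
" IV_ACTVT (03 display, 02 change). Columns come from the active table
" definition in DD03L; include lines (.INCLUDE, .APPEND) are skipped.
" A role value '*' in TABLE or ZSQL_COL matches everything, which is what
" "add a star character to the table name and field name" relies on.
FORM allowed_columns USING    iv_table   TYPE tabname
                              iv_actvt   TYPE activ_auth
                     CHANGING ct_allowed TYPE ty_t_fields.
  DATA: lt_cols TYPE ty_t_cols,
        ls_col  TYPE ty_col.

  CLEAR ct_allowed.
  SELECT fieldname position FROM dd03l INTO TABLE lt_cols
    WHERE tabname = iv_table AND as4local = 'A'
      AND fieldname NOT LIKE '.%'.
  SORT lt_cols BY position.

  LOOP AT lt_cols INTO ls_col.
    AUTHORITY-CHECK OBJECT 'ZSQL_COL'
      ID 'TABLE'    FIELD iv_table
      ID 'ZSQL_COL' FIELD ls_col-fieldname
      ID 'ACTVT'    FIELD iv_actvt.
    IF sy-subrc = 0.
      APPEND ls_col-fieldname TO ct_allowed.
    ENDIF.
  ENDLOOP.
ENDFORM.

START-OF-SELECTION.
  DATA: lt_allowed TYPE ty_t_fields,
        lv_fields  TYPE string,
        lr_result  TYPE REF TO data,
        lv_lines   TYPE i.
  FIELD-SYMBOLS <lt_result> TYPE STANDARD TABLE.

  PERFORM allowed_columns USING 'ZFLIGHTS' '03' CHANGING lt_allowed.
  IF lt_allowed IS INITIAL.
    WRITE / 'No column of ZFLIGHTS may be displayed by this user.'.
    RETURN.
  ENDIF.

  " Project the query onto the permitted columns only; the other columns
  " of the result structure stay initial and are never read from the DB.
  CONCATENATE LINES OF lt_allowed INTO lv_fields SEPARATED BY space.
  CREATE DATA lr_result TYPE STANDARD TABLE OF zflights.
  ASSIGN lr_result->* TO <lt_result>.
  SELECT (lv_fields) FROM zflights
    INTO CORRESPONDING FIELDS OF TABLE <lt_result>.
  lv_lines = lines( <lt_result> ).

  WRITE: / 'Columns shown:', lv_fields.
  WRITE: / 'Rows read:', lv_lines.
```

With the role from fig 28, which lists only the country-related fields of ZFLIGHTS, lv_fields contains just those columns; a role with TABLE = '*' and ZSQL_COL = '*' yields the full field list. Restricting the field list of the SELECT, rather than blanking columns after reading them, also keeps the hidden values out of memory and out of any background job file.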
Predefined Roles

The aim of providing predefined roles is to ease the process of authorizing users for the SQL Editor. Note that both roles grant access to all SAP table groups. This might have to be adjusted, as it allows the user too much freedom.

Role ZSQL_USER

This role is a basic role for users with only read access to the SAP tables. Users with this role can:
- Create, edit and execute Select statements on all SAP tables
- Create, edit and execute Select for all entries statements
- Create, edit and execute Loop at workbench statements (provided the user has the S_DEVELOP authorization object from another role or profile)

Role ZSQL_DEVELOPER

The developer role allows even more activities than the user role. Users with this role can:
- Do everything that is included in the ZSQL_USER role (note that this role still does not grant the S_DEVELOP authority object for security reasons)
- Create, edit and execute Update statements in non-production systems
- Create, edit and execute Delete statements in non-production systems
- Import and export data to/from SAP tables
- Edit and insert new entries into the result set
Appendix – Links to SAP Help

SAP Help on the Authorization concept:
http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm

SAP Help on PFCG:
http://help.sap.com/saphelp_nw04/helpdata/en/52/6714a9439b11d1896f0000e8322d00/content.htm

SAP Help on User Maintenance:
http://help.sap.com/saphelp_nw04/helpdata/en/e1/120024e74011d2962b0000e82de14a/frameset.htm

SAP Help on Organizational Criteria (Authorization object S_TABU_LIN):
http://help.sap.com/saphelp_erp2005/helpdata/en/6d/56cdd3edabc14ebd1bc84dae20dec8/frameset.htm

SAP Help on Authorization Groups for tables (S_TABU_DIS):
http://help.sap.com/saphelp_nw04/helpdata/en/1e/e867408cd59b0ae10000000a155106/frameset.htm