2. Topics Covered:
• Difference between BW 3.x and BI 7
• Securing reporting users' access
• Authorization Trace
• Creation of Analysis Authorization
• Assignment of Analysis Authorization
• Securing Access to Workbooks
• Additional BI7 Security Features
• New Authorization Objects
3. Difference between BW 3.x and BI 7 Security
BW 3.x: There was no SAP-delivered authorization object to link hierarchies to Roles. A customized Auth object had to be created, which falls under SAP Class RSR.
BI 7: The SAP-delivered Auth object S_RS_AUTH (Class RS) can be added to Roles and further linked to analysis authorizations.
4. Contd…
Old transaction: RSSM
Concept of authorization: 'Reporting Authorization'
New transaction: RSECADMIN
Concept of authorization: 'Analysis Authorization'
7. Authorization objects are grouped according to authorization object classes. The major authorization object class in BI is RS.
S_RS_COMP: Decides which Info Areas' and Info Providers' data a user can view
S_RS_COMP1: Decides which owners' queries a user can execute
S_RS_FOLD: Hides or displays the "Info Area" push button for end users
S_RS_AUTH: Gives access to analysis authorizations
S_RS_ADMWB: Used by the BW administrator for modeling and control
Some other Auth objects, needed to save workbooks/queries to Roles:
S_USER_AGR: In which Role a user can add workbooks and queries
S_USER_TCD: Should have the value RRMX and is used in conjunction with S_USER_AGR
Authorization Objects in BI 7
8. In BI 7, a reporting user's access can be restricted at the following levels:
InfoCube Level: Restrict access at the InfoCube level.
Characteristic Level/Info Object: Restrict access to all values of a particular characteristic.
Characteristic Value Level: Restrict access to certain values of a particular characteristic.
Key Figure Level: Restrict access to certain key figures.
Hierarchy Node: Restrict access to certain nodes of a hierarchy.
Restricting access in BI
9. Below are the minimum authorization requirements for a reporting user:
• Analysis authorizations for an Info Provider
• S_RS_COMP (Activities 03, 16)
• S_RS_COMP1 (Query owner)
• S_RFC (BEx Analyzer or BEx Browser only)
• S_TCODE (RRMX for BEx Analyzer)
A reporting user must have authorizations for the S_RS_COMP and S_RS_COMP1 authorization objects as well as analysis authorizations for the Info Provider on which the query is based.
In addition, if the reporting user will be using the BEx Analyzer reporting tool, they will need authorizations for object S_RFC and for S_TCODE with transaction code RRMX.
Securing Data Access for Reporting Users
10. Securing by Info Cube: Use this if the authorizations need to be checked only at Info Provider level. You can then create roles that allow users to run queries from the specified Info Provider(s).
Securing by Query: Another option is to use the Info Provider in conjunction with the query name. To do this, you need a strict naming convention for query names so that security does not have to be updated each time a new query is created.
Securing by Info Object: Allowing two users to execute the same query but get different results based on their assigned data access for division, cost center, or some other Info Object is known as Info Object level security or field level security.
Options for Securing Data Access
11. The most granular level of restricting user access is the Info Object/field level.
The following procedure shows the steps to follow when setting up security for an Info Object:
1. Define the Info Object as authorization relevant.
2. Create (or adjust) analysis authorizations for the Info Object.
3. Assign authorizations to users.
4. Add a variable to the queries.
Securing by Info Object:
12. The Authorization Relevant setting for an Info Object is made in the Info Object definition on the Business Explorer tab. The business needs will drive which Info Objects should be relevant for security.
• Execute Tcode RSD1
• Enter the Info Object name
• Go to the Business Explorer tab
• Select the check box "Authorization Relevant"
• Activate the Info Object
Authorization Relevance
13. Analysis Authorizations are the fundamental building blocks of the new reporting concept and contain both data value and hierarchy restrictions.
• Execute Tcode RSECADMIN
• Go to Maintenance in the Authorization tab
• Enter the Analysis Authorization name and click Create
Create analysis authorizations:
14. Once you have created analysis authorizations, users will need access to the right authorizations according to business needs. You can assign authorizations in roles using S_RS_AUTH or directly in transaction RSECADMIN or RSU01.
Assign authorizations to users:
15. Add a variable to the queries
If we want a query to only provide results based on division, for example, then the query itself needs the ability to filter specific division values. Before we can secure on division, the query must be able to restrict data by division. The only way the query can restrict data dynamically is through a variable. The variable can be added at any time, independent of the other steps listed here.
16. Exercises:
• Create a simple query from an existing Info Cube, execute it, and save it as a new workbook
• Define Info Object-level security for reporting users
• Limit query access within the BEx Analyzer using S_RS_COMP1 and S_RS_FOLD
18. Trace Tool: ST01 and RSECADMIN
Transaction code ST01 executes a trace tool that exists on all ABAP-based systems. Among other purposes, this tool serves as a trace for all SAP-provided authorization objects. You simply turn on the trace (for a specific user), and when the trace is completed you can see which authorization objects were checked and the results of the check.
In transaction RSECADMIN → Analysis you can execute a trace that is specific to BI analysis authorizations. Analysis authorizations will not appear in the ST01 trace.
19. Authorization Trace
In BI 7 we can trace:
1) Authorization Monitoring
2) Change log of Analysis authorization
21. Contd…
Evaluate Log Protocol
• Turn on logging of user activities related to analysis authorizations
• View detailed information about authorization checks
22. Change log of Analysis authorization
Activate the following Virtual Providers from the Business Content (VAL = Values, HIE = Hierarchies, UA = User Assignment).
The system records all changes to authorizations and user assignments.
Queries can be built on these Info Providers to trace questions such as:
- How many users have access to a given InfoCube?
- Which users have access to company code X?
- When was authorization "XYZ" created, and by whom?
25. Creation of Analysis Authorization
There are two ways to create analysis authorizations in BI 7:
1. Manual creation of analysis authorizations through Tcode RSECAUTH
2. Automatic generation of analysis authorizations (for mass creation and assignment)
26. Creation through RSECADMIN
1) Execute Tcode RSECADMIN
2) Go to Maintenance in the Authorization tab
3) Enter the Analysis Authorization name and click Create
27. Automatic generation of analysis authorization
With the generation of analysis authorizations, we can load authorized values from other systems into Data Store Objects and generate authorizations from them. This approach is generally used for mass creation of analysis authorizations and mass assignment of these authorizations to users.
Steps to be performed:
Data Warehousing Workbench (RSA1):
1. Activate Business Content
2. Load the Data Store Objects
Management of Analysis Authorizations (RSECADMIN):
3. Generate Authorizations
4. View the Generation Log
28. Activate Business Content
SAP delivers Business Content for storing authorizations and the user assignment of authorizations; it should be activated.
29. Load of Data Store Objects
• Fill the Data Store Objects with the user data and authorizations
• Extract the data, for example, from an SAP R/3 source system or from a flat file
Note: Some consistency checks should be added to avoid errors during the generation later.
35. Pros:
• This approach removes the need to create Roles for the corresponding analysis authorizations.
Cons:
• No change documents are provided by SAP for the assignment and removal of analysis authorizations from a user
• No SUIM (System User Information Management) reports are provided by SAP for analysis authorizations
• No way to mass-assign analysis authorizations to users in one go.
Analysis authorization based Approach:
36. • If a user id that has analysis authorizations assigned to it is deleted using SU01, these authorizations will not be deleted from the user's profile. If the same id is recreated, the user id will automatically be populated with the earlier analysis authorizations.
So if this approach is followed, it is always recommended that the analysis authorizations are first deleted manually from the user id using RSU01 and only then the id itself using SU01.
Contd…
37. Indirect Assignment
• As an alternative to direct assignment, we can also assign authorizations to roles, which can then be assigned to users.
• Use authorization object S_RS_AUTH for the assignment of authorizations to roles
• Maintain the authorizations as values for field BIAUTH
38. Pros:
• All the change documents are already available
• All the existing SUIM reports are already available
• Mass role assignment is possible
Cons:
• Roles need to be created corresponding to the analysis authorizations, which means more maintenance in the system
Pros and Cons
39. A query is the technical definition of what the results should look like. Workbooks are the actual results, which have been formatted and can be refreshed each time the workbook is executed.
The query is a definition of what data the query should fetch and how the data should be initially displayed. A query definition includes rows, columns, filters, and free characteristics.
The workbook is a result set of the query. In this workbook, the data is displayed by sales organization. Every time the user executes the workbook, the data will be refreshed, but the format can remain the same, depending on the settings for the query in the workbook.
Multiple query results saved in workbooks from the same query definition enable users to customize how they want to review the results and analyze the data.
Queries and Workbooks:
40. If a user wants to save a workbook to a location where it can be easily accessed by others, they need to save it to a Role. Saving to a Role means saving to a security role. You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.
In order to save workbooks to roles, a user needs:
• S_USER_AGR: Authorizations: Role check
• S_USER_TCD: Transactions in roles
The authorization object S_USER_AGR has two fields: Activity and Role Name. For the Activity field, the user must have at least the values 01, 02 and 22. If the user should be able to delete workbooks, they will also need value 06. For the Role Name, enter the specific roles you have created for saving workbooks.
Authorization object S_USER_TCD has one field, Transaction Code. The user needs the value RRMX in this field.
Saving workbooks to Queries:
43. The concept of BW security remains the same in BI 7; the changes concern new authorization features, more authorization objects, new Tcodes and more flexibility.
1. Analysis Authorization
2. Special Characteristics
3. Special Authorization: 0BI_ALL
4. Variables in Authorization (Custom Exit)
5. Colon authorization
6. Pound Authorization
7. Key Figure Authorization
8. Authorizing Navigational Attributes
BI 7 Security Features
44. Analysis Authorizations are the fundamental building blocks of the new reporting concept and contain both data value and hierarchy restrictions.
This is also called data level access. With the new NW2004s analysis authorisation principles it is now possible to create an analysis authorisation object directly on an Info Object.
The authorisation can either be single values or a value range, or be created with a reference to a hierarchy, provided the Info Object is created with a hierarchy and the Info Object is authorisation relevant.
Analysis Authorization:
45. These special characteristics must be assigned to a user in at least one authorization:
0TCAACTVT: Restricts access to activities, i.e. display, create, change etc.
0TCAIPROV: Restricts access to the Info Provider, i.e. Info Cube, ODS, MultiProvider etc.
0TCAVALID: Provides the validity of the analysis authorization
All these characteristics should be marked as authorization relevant.
Special Characteristics:
46. An authorization for all values of authorization-relevant characteristics is created automatically in the system. It has the name 0BI_ALL. It can be viewed, but not changed. Every user that receives this authorization can access all the data at any time. Each time an Info Object is activated and the property "authorization relevant" is changed for the characteristic or a navigation attribute, 0BI_ALL is automatically adjusted.
A user that has a profile with the authorization object S_RS_AUTH and has entered 0BI_ALL (or the value *) has complete access to all data.
0BI_ALL
47. Variables of type Customer Exit can be used with the special value $ (as escape sequence) as prefix before the variable name. This enables dynamic granting of authorizations (authorized values are retrieved at runtime).
The customer exit reads the variable values using a selection routine placed in the function module EXIT_SAPLRRBR_001 inside enhancement RSR0001. (This enhancement is accessed via transaction code CMOD.)
The advantage of this method is that you can give all users the same authorization by placing the variable name with a $ sign in front of it, instead of a value, in the characteristic value (or the hierarchy node).
Custom Exit:
48. Colon (:) as Authorization
Two purposes for the colon authorization value:
If the Info Provider has sensitive data, it could be that you do not want the user to see any summarized data. For example, let us assume you have an Info Provider that has sensitive forecasting data. In this business scenario you have chosen to secure by Info Objects (for example, Company Code). If you do not want a user with access to Company Code 1000 to see ANY data from other company codes, then you might not give this user the colon (:) value in the authorization. This would mean that ANY queries on your Info Provider that do not use the Company Code Info Object will fail for this user.
The second purpose of the colon authorization is to give the user access to the aggregated data. For example, the user can see the total of sales done by all sales organizations but detailed data only for his own sales organization.
49. Pound (#) as Authorization
Using a Pound Sign (#) as an Authorization Value:
When data is loaded into SAP BW, some fields may be marked as no value assigned (posted with INITIAL). If you have secured an Info Object that has data that is unassigned in the Info Cube, you may choose to give the user a pound sign (#) in order to avoid an authorization error at runtime.
The # character is interpreted as authorization for the display of the value "Not assigned" (posted with INITIAL).
50. Key Figure Authorization
This restriction is used to grant users authorization for particular key figures.
• Technical name: 0TCAKYFNM
• Possible values:
- Single value (EQ): exactly one key figure
- Range (BT): a selection of key figures
- Pattern (CP): a selection of key figures based on a pattern
Note: If a particular key figure is defined as authorization-relevant, it will be checked for every Info Provider.
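To make the colon (:), pound (#) and EQ/BT/CP selection rules from the last three slides concrete, here is an added Python model of the analysis authorization check for a single characteristic. It is illustrative code written for this page, not SAP's implementation; the authorization name ZCC_1000, the company code values and the use of 0COMP_CODE as the secured characteristic are constructed assumptions, and only an explicit ':' is treated as granting the aggregated view.

```python
# Illustrative model of the BI 7 analysis authorization check (not SAP code).
import fnmatch

COLON = ":"             # aggregation authorization (characteristic not in the query)
POUND = "#"             # 'Not assigned' value (rows loaded with INITIAL)
ALL_ACCESS = "0BI_ALL"  # generated authorization for all values


def value_authorized(value, selections):
    """True if at least one selection covers the value.
    selections: ("EQ", v) single value, ("BT", lo, hi) range,
    ("CP", pattern) with '*' = any string and '+' = one character."""
    for sel in selections:
        if sel[0] == "EQ" and value == sel[1]:
            return True
        if sel[0] == "BT" and sel[1] <= value <= sel[2]:
            return True
        if sel[0] == "CP" and fnmatch.fnmatchcase(value, sel[1].replace("+", "?")):
            return True
    return False


def check_query(user_auths, char_name, query_values):
    """Decide whether a query passes the check for one authorization-relevant characteristic.

    user_auths:   {analysis_authorization_name: {characteristic: [selections]}}
    query_values: values the query selects or drills down on ('#' for unassigned rows),
                  or None when the characteristic is not in the query (aggregated display).
    Returns (authorized, reason).
    """
    if ALL_ACCESS in user_auths:
        return True, "0BI_ALL grants all values of all relevant characteristics"
    selections = [s for auth in user_auths.values() for s in auth.get(char_name, [])]
    if query_values is None:
        # Simplification: only an explicit ':' grants the aggregated view in this model.
        if ("EQ", COLON) in selections:
            return True, "':' authorizes the aggregated data"
        return False, f"{char_name} not in query and no ':' authorization: query fails"
    missing = [v for v in query_values if not value_authorized(v, selections)]
    if missing:
        return False, f"not authorized for {char_name} values {missing}"
    return True, "all selected values are authorized"


def demo():
    """Constructed sample: a user authorized for company codes 1000-1999 plus '#'."""
    auths = {"ZCC_1000": {"0COMP_CODE": [("BT", "1000", "1999"), ("EQ", POUND)]}}
    return {
        "own_codes": check_query(auths, "0COMP_CODE", ["1000", "1500"])[0],
        "foreign_code": check_query(auths, "0COMP_CODE", ["1000", "2000"])[0],
        "unassigned_rows": check_query(auths, "0COMP_CODE", [POUND])[0],
        "total_without_colon": check_query(auths, "0COMP_CODE", None)[0],
    }
```

The last entry of demo() is the first colon scenario from slide 48: without ':' a query that leaves Company Code out fails even though the user is authorized for some company codes.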
51. Authorizing Navigational Attributes:
To restrict access to a navigational attribute, it must be marked as authorization-relevant on the attribute tab strip.
Note: The referencing characteristic does not need to be authorization-relevant.
54. Below are the new authorization objects in BI 7 for the Data Warehousing Workbench, Business Explorer and analysis authorizations.
Authorization objects for the Data Warehousing Workbench:
S_RS_DS: For the DataSource or its sub-objects (NW2004s)
S_RS_ISNEW: For new InfoSources or their sub-objects (NW2004s)
S_RS_DTP: For the data transfer process and its sub-objects
S_RS_TR: For transformation rules and their sub-objects
S_RS_CTT: For currency translation types
S_RS_UOM: For quantity conversion types
S_RS_THJT: For key date derivation types
S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
S_RS_RST: Authorization object for the RS trace tool
S_RS_PC: For process chains
S_RS_OHDEST: For Open Hub Destinations
BI 7 new Authorization Objects
55. Authorization objects for the Business Explorer:
S_RS_DAS: For Data Access Services
S_RS_BTMP: For BEx Web templates
S_RS_BEXTX: Authorizations for the maintenance of BEx texts
Authorization objects for the administration of analysis authorizations:
S_RSEC: Authorization for assignment and administration of analysis authorizations
S_RS_AUTH: Authorization object to include analysis authorizations in roles
Changed Authorization Objects:
S_RS_ADMWB (Data Warehousing Workbench: Objects): New values for field RSADMWBOBJ have been added, such as BIA_ZA, CNG_RUN and CONT_ACT, for activities like BI Accelerator Monitor Checks and Attribute Change Run.