Analysis Authorizations - Lenoir-Rhyne...

© SAP AG 2006, SAP NW2004s Authorizations - Amelia Lo

Analysis Authorizations: The New BI Authorization in SAP NetWeaver 2004s

Amelia Lo, Platinum Consultant, SAP NetWeaver RIG, SAP Labs, LLC

March 13th, 2006

Northern California Chapter


Page 1: Analysis Authorizations - Lenoir-Rhyne Universitycsc-studentweb.lr.edu/swp/Berg/Articles/2004S_Authorizations.pdf · ©SAP AG 2006, SAP NW2004s Authorizations - Amelia Lo Comparing



Agenda

Overview: The New BI Authorizations Concept
The Key Differences
Planning and Migration
New Authorization Objects
Q/A and Open Discussion


Motivation

New Authorizations Concept for Analysis that is based on Business Oriented Security Requirements

Highly Integrated Infrastructure

Centralized Administration

New analysis tools to support usage and auditing

Migration support tool available


Introduction to Analysis Authorizations

Authorization check OK: query results will be shown.

Authorization check not OK: query results will not be shown at all – even if parts of the authorizations are met.

(Figure labels, once per case: Authorizations, Query Selection)


Authorization Levels

Access can be restricted by Authorizations…

On InfoCube level
On characteristic level
On characteristic value level
On key figure level
On hierarchy node level

(Figure: authorizations on key figure level, on characteristic value level and on characteristic level)



Comparing Authorization Concept

Comparison of Analysis Authorizations: BW 3.x versus SAP NetWeaver 2004s

Most important improvements

Criterion | <= SAP NetWeaver 2004 | SAP NetWeaver 2004s
Technical Foundation | Authorization Objects | Analysis Authorization
Maintenance | Not Changeable Afterwards | Changeable
Number of InfoObjects | 10 fields à 10 chars. | Unlimited Number of InfoObjects
Navigational Attributes | Only on global basis | Individually
Hierarchy Authorizations | Via GUID and 0TCTAUTHH | Equivalent to value authorizations
Composition of Authorizations | Only Intersection of auth objects permitted | Union ('as expected')
Authorization Relevance | Per InfoObject AND InfoCube | Only InfoObject setting


Central Administration UI: TR RSECADMIN


Authorizing Characteristic Values – 1 –

Scenario: A group of users is authorized only to specific sales organizations (e.g. Berlin and Birmingham)

Central maintenance for (analysis) authorizations: transaction RSECADMIN


Authorizing Navigational Attributes – 1 –

If you want to grant authorizations on navigational attributes, mark them in the attribute tabstrip as authorization relevant.


Authorizing Navigational Attributes – 2 –

Navigational Attributes
Can be assigned individually
The referencing characteristic (here: 0D_SALE_ORG) need not be authorization-relevant


Authorizing Hierarchies – 1 –

On the same level as the value authorization, you can also grant authorizations on hierarchy levels.

Assume you have a sales organization as depicted.


Authorizing Hierarchies – 2 –

Now you grant access for the complete Americas and France.

You can also use variables to determine hierarchy nodes flexibly and dynamically.


Authorizing Hierarchies – 3 –

Type of Authorization
Only the Selected Nodes
Subtree Below Nodes
Subtree Below Nodes to Level (Incl.)
Complete Hierarchy
Subtree Below Nodes to (and Incl.) Level (Relative)

Use case: hierarchies that happen to be restructured regularly.


Special Authorization Characteristics – 1 –

Authorizations on special characteristics
Three characteristics can be, and are recommended to be, included in each authorization (note: they must not be included in queries!). They must be assigned to a user in at least one authorization.

Activity (0TCAACTVT): e.g. reading (03)
InfoProvider (0TCAIPROV): grants authorization to particular InfoProviders
Validity (0TCAVALID): grants authorization to specific time periods
Delivered with BI Content; must be set to “authorization relevant” before use

Insert special characteristics


Special Authorization Characteristics – 2 –

Special authorizations
* (asterisk): denotes a set of arbitrary characters
+ (plus): denotes exactly one character (e.g. 01.++.2005 until 10.++.2005: allows access only on the first 10 days of each month in 2005); only available for time validity (0TCAVALID)
: (colon): allows only aggregated access to data (e.g. allows information on all sales areas only on aggregated level – not on particular countries)
0BI_ALL: allows access to everything

Key figure authorizations

For key figure authorizations, you can include 0TCAKYFNM as a characteristic in the authorization. Note: hierarchy authorizations are not allowed on this characteristic.

Note: If a particular key figure is defined as authorization-relevant, it will be checked for every InfoProvider.
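
Added example (not from the original slides and not SAP code): a simplified Python model of the all-or-nothing check from "Introduction to Analysis Authorizations", the union composition from the comparison table, and the * and + values described above. The InfoProvider name SALES_CUBE, the way + is resolved against the checked date, and the rule that one authorization must cover a whole value combination are assumptions of this sketch; the colon (aggregated) value is not modeled.

```python
import re
from datetime import datetime
from itertools import product

def value_matches(pattern, value):
    """Match one authorized value; '*' stands for a set of arbitrary characters."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None

def validity_covers(low, high, day):
    """0TCAVALID interval check; each '+' stands for exactly one character.

    Assumption of this sketch: a '+' takes the character at the same position
    of the date being checked, then the resolved bounds are compared as dates.
    """
    def resolve(bound):
        return "".join(d if b == "+" else b for b, d in zip(bound, day))

    def parse(text):
        return datetime.strptime(text, "%d.%m.%Y")

    try:
        return parse(resolve(low)) <= parse(day) <= parse(resolve(high))
    except ValueError:  # malformed date or impossible resolved bound
        return False

def spec_covers(spec, value):
    """A spec is a value pattern, or a (low, high) tuple for validity."""
    if isinstance(spec, tuple):
        return validity_covers(spec[0], spec[1], value)
    return value_matches(spec, value)

def authorization_covers(auth, combination):
    """One authorization must cover every characteristic of the combination."""
    return all(
        any(spec_covers(spec, value) for spec in auth.get(char, []))
        for char, value in combination.items()
    )

def query_allowed(authorizations, selection):
    """All or nothing: one uncovered value combination rejects the whole query.

    The user's authorizations act as a union: each combination only needs
    to be covered by one of them.
    """
    chars = list(selection)
    for values in product(*(selection[c] for c in chars)):
        combination = dict(zip(chars, values))
        if not any(authorization_covers(a, combination) for a in authorizations):
            return False
    return True

# Constructed sample: the Berlin/Birmingham scenario, read access (03),
# InfoProviders starting with SALES, first 10 days of each month in 2005.
USER_AUTHS = [
    {"0D_SALE_ORG": ["BERLIN", "BIRMINGHAM"], "0TCAACTVT": ["03"],
     "0TCAIPROV": ["SALES*"], "0TCAVALID": [("01.++.2005", "10.++.2005")]},
]

def selection(sales_orgs, day, provider="SALES_CUBE"):
    """Query selection plus the context checked via the special characteristics."""
    return {"0D_SALE_ORG": sales_orgs, "0TCAACTVT": ["03"],
            "0TCAIPROV": [provider], "0TCAVALID": [day]}

if __name__ == "__main__":
    for orgs, day in [(["BERLIN"], "05.03.2005"),
                      (["BERLIN", "PARIS"], "05.03.2005"),
                      (["BERLIN"], "15.03.2005")]:
        print(orgs, day, query_allowed(USER_AUTHS, selection(orgs, day)))
```

The second sample query asks for Berlin and Paris and is rejected as a whole, which is the behaviour the slide describes as "not shown at all".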


Generated Authorizations

Generating Authorizations from DataStore Objects
Activate Business Content DataStore objects

Templates: 0TCA_DS01, 0TCA_DS02, 0TCA_DS03, 0TCA_DS04, 0TCA_DS05
HR auths: 0TCA_DS01 & 0TCA_DS02
Controlling authorizations: 0CCA_001, 0CCA_002, 0CCA_003

Load user data into DataStore object and start generation


Authorization Monitoring – 1 –

Checking Authorizations
Check query execution with the authorization of a specific user


Authorization Monitoring – 2 –

Evaluate Log Protocol
Detailed information about authorization checks

Which characteristics are relevant?
Which selections are checked versus which authorizations?
…much more


Legal Auditing – 1 –

Recording of changes
Recording of authorization changes and user assignments
Technical Content RemoteProviders: 0TCA_VAL, 0TCA_HIE, 0TCA_UA

Activate Business Content


Legal Auditing – 2 –

Recording of changes: query example

Linked into Administration Cockpit

(Chart annotations: daily batch jobs; "intrusions"?; main working hours; lunch break)



Migration Support

ABAP program RSEC_MIGRATION (use transaction SA38)
No complete, automatic migration, but support

About 80% automatic migration expected
The more complex the existing authorization concept, the more manual migration work might be necessary
Customer-exit variables for 0TCTAUTHH cannot be migrated; the respective hierarchy nodes must be assigned manually
Intensive tests are highly recommended

Singular event, not for scheduling
During migration to the new authorization concept, the existing concept won't be changed


About Migration Tool

Execute migrations multiple times
All of the migration results of the previous migrations are completely deleted for all users from the user group that is to be migrated again. If a subgroup of the previously migrated users is part of the new group to be migrated, a warning is given that you can ignore if you wish.

Recommendation when re-migrating
First delete completely, or do not migrate subgroups of already migrated users, to avoid any inconsistencies or incomplete authorizations that might occur.

The migration is not intended for on-going use
It is not for regularly migrating newly created authorizations using the old concept. Nor can the complete functionality of a migrated authorization concept be guaranteed without manual reworking.

Complex authorization concepts may demonstrate different behavior after migration in the details.

This is especially true for concepts that are based on the compatibility modes for referencing characteristics with hierarchy and referencing navigation attributes. These have to be checked in detail and adapted manually as required.


About Migration

To delete all migrated entries for user DUMMY: Delete table USR04 and UST04

To find the inconsistent fields in the authorizations (i.e. fields for InfoObjects that do not exist anymore):

Put a break-point into Include LRSEC_MIGRATIONF02, FORM where_used_crossreferences, on the statement "l_t_usvalues = c_t_usvalues." Run the migration up to the break-point. Then download c_t_usvalues to a local Excel file. Search the FIELD column for the InfoObject that was mentioned in the error message. You will find the associated profile and authorization object.


Migration

Former and new authorization concept
It is “STRONGLY” recommended to migrate to the new concept
The former authorization concept won't be supported any longer
You can, however, switch back to the former concept – in some exceptional cases (IMG setting)


Planning for Analysis Authorizations

1. Identification
Identify the roles, profiles and BI related authorization objects
Good opportunity to eliminate unused “roles/profiles/objects”
Review and redesign where you can benefit from the new concept

2. Review the new authorization objects and templates in NW2004s

3. Mapping
Map the new vs. old authorization objects, both front and backend
Review the BW reporting authorization objects

4. Identify authorization objects that cannot be migrated
Customer-exit variables for 0TCTAUTHH
Very complex authorizations
Referencing characteristics with hierarchy and referencing navigation attributes


Planning for Analysis Authorizations

4. Determine the migration strategy
Manual creation using the new analysis authorization tool
Use migration tool

Determine the assignment method
For companies with a large number of reporting authorizations and users and heavy role/profile usage, the “Extend Profile Option” (#3) is recommended, with “migrate all users and objects” as the approach

5. Review the migration result and perform manual adjustments
Updating 0TCAIPROV with the applicable InfoProvider is needed: the migration tool does not pass along the checked InfoProviders – a fix is being worked on
Duplicated authorizations generated from multiple profiles need to be cleaned up
Manual update of hierarchy authorizations that had * value to top node is necessary
Manual update to the role to reflect migrated “profiles” is necessary; the migrated profile is not reflected in the role.

6. Create test cases and perform thorough testing


Important preparation steps

1. Activate all business content related to authorizations before you get started

InfoObjects: 0TCA* (and 0TCT* if not done already)
InfoCubes: 0TCA*

2. Set the following InfoObjects as "authorization relevant"
0TCAACTVT
0TCAIPROV
0TCAVALID
0TCAKYFNM (optional, if key figure restriction needed)

3. Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV (optional)


Important OSS Notes

General Consulting notes:
820183 for detail on new authorization concept
923176 general consulting note (still in DE)

Migration Related notes:
924180 Maximum no. of profiles for user dummy exceeded
915956 Too many profiles for DUMMY in analysis auth

Advance corrections or till SP8:
927935 In specific situations, the system displays more data than is authorized
926449 Abort when incorrect interval defined in authorization
923790 When administrator or authorized user execute query as another user (RSUDO) got authorization error
922578 Check for transaction code in Transaction RSUDO
923959 Termination occurs in RSSB_GET_AUTH_HIERA
923956 Authorization check in list cube transaction
872043 BEx Web Applications (Java): Access denied
815904 Information Broadcasting: access denied when call a folder selection dialog box to create a setting for the Enterprise Portal


Migration Steps

Migration:

1. Choose Users

2. Choose Auth Objects

3. Choose Assignment Method (3 Methods available)

4. Choose Details of Authorization Migration (which characteristics are affected)


Migration Steps – 1 –

Step 1: Choose users

Migration can be done for singular user groups

Pre-requisite: a user group must be complete and self-contained!

(Figure labels: User 1, User 2, Authorization Object 1, Authorization Object 2, Authorization Object 3)

If user 1 is chosen and authorization objects 1&2 should be migrated, you have to choose user 2 as well in order to have a complete user group.

Note: there might be entangled dependencies of users with respect to the authorization objects. You’ll get a message with information on the missing users in case the user group is not complete.


Migration Steps – 2 –

Step 2: Choose authorization objects to be migrated, or All


Migration Steps – 3 –

Step 3: Choose assignment method

Direct user assignment
Migrated authorizations will be assigned to the users directly (not via roles)
Migrated authorizations have prefix RSR_ and will be treated like generated authorizations

Create new profiles
Generation of profiles based on authorization object S_RS_AUTH that contains the new, migrated authorizations
Generated profiles have prefix RSR_

Extend existing profiles
Existing profiles will be extended by authorization object S_RS_AUTH containing the migrated authorizations
Preserves the existing role concept and extends the role profiles

Undo migration
All migrated authorizations and profiles will be deleted; extended profiles contain empty authorization object S_RS_AUTH


Migration Steps – 4 –

Step 4: Choose details of authorization migration ('expert mode')

Settings for referencing navigational attributes and characteristics are only relevant for the compatibility mode setting in SAP BW 3.x
Please have a look at the detailed documentation for more information


NetWeaver (formerly R/3) Authorization Concept

(Figure labels: USER, Role, Profile, Auth Object1, Auth Object2, Authorization; each Authorization is shown as FIELDS and VALUES)

Authorization with FIELDS / VALUES: COSTCENTER = 100, 200; COUNTRY = DE; TCTAUTHH = FUD12JXI1L

Authorization with FIELDS / VALUES: EMPLOYEE = ´ ´; 1KYFNM = SALARY; TCTAUTHH = XZH04815FD


Migration of Authorization Content

NW-Authorization (BW 3.x), FIELDS / VALUES: COSTCENTER = 100, 200; COUNTRY = DE; TCTAUTHH = FUD12JXI1L

RSSM (BW): Node 1001, Node EMEA

BI-Authorization (new), Fields / Values / Hier: 0COSTCENTER = 100, 200; 0COUNTRY = DE; TCTAUTHH = FUD12JXI1L; hierarchy nodes: Node 1001, Node EMEA


Manual Assignment of BI-Authorizations

Direct Assignment (RSU01)

Role Connection (SU01 & PFCG) via auth object S_RS_AUTH

(Figure labels: USER, Role, Profile, Auth Object1 Authorization, S_RS_AUTH with BIAUTH1, BIAUTH2, BI Authorization 1, BI Authorization 2)


Requirement: Complete User Groups for Migration

(Figure: users USER1, USER2, USER3, USER… connected to Profile 1, Profile 2, Profile 3, Profile 4, Profile …, which contain Object AO1 and Object AO2)

Figure captions:
Complete!
Heavily entangled -> Complete?
Migrate USER1 for AO1 and AO2: USER2 required!
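
Added example (not from the original slides and not how RSEC_MIGRATION is implemented): one way to compute the complete, self-contained user group required in Migration Steps 1 and on the slide above before starting a migration. It assumes that two users are entangled when they share a profile containing one of the authorization objects to be migrated; the user, profile and object names are constructed.

```python
from collections import deque

def complete_user_group(chosen_users, chosen_objects, user_profiles, profile_objects):
    """Return the smallest complete group that contains chosen_users.

    user_profiles:   user -> profiles assigned to that user
    profile_objects: profile -> authorization objects contained in it
    Assumption: users are entangled when they share a profile that contains
    at least one of the authorization objects chosen for migration.
    """
    wanted = set(chosen_objects)
    # Only profiles touching a chosen authorization object can entangle users.
    relevant = {p for p, objs in profile_objects.items() if wanted & set(objs)}

    # Reverse index: relevant profile -> users holding it.
    profile_users = {}
    for user, profiles in user_profiles.items():
        for profile in relevant.intersection(profiles):
            profile_users.setdefault(profile, set()).add(user)

    # Breadth-first closure over shared relevant profiles.
    group = set(chosen_users)
    queue = deque(sorted(group))
    while queue:
        user = queue.popleft()
        for profile in relevant.intersection(user_profiles.get(user, ())):
            for other in profile_users[profile] - group:
                group.add(other)
                queue.append(other)
    return group

def missing_users(chosen_users, chosen_objects, user_profiles, profile_objects):
    """Users that still have to be selected to make the group complete."""
    full = complete_user_group(chosen_users, chosen_objects,
                               user_profiles, profile_objects)
    return sorted(full - set(chosen_users))

# Constructed sample, loosely following the slide's figure.
PROFILE_OBJECTS = {
    "PROFILE1": ["AO1"],
    "PROFILE2": ["AO2"],
    "PROFILE3": ["AO1"],
    "PROFILE4": ["AO2"],
}
USER_PROFILES = {
    "USER1": ["PROFILE1", "PROFILE2"],
    "USER2": ["PROFILE2", "PROFILE3"],
    "USER3": ["PROFILE4"],
}
# Constructed "heavily entangled" variant: USER4 shares PROFILE3 with USER2.
ENTANGLED_USER_PROFILES = dict(USER_PROFILES, USER4=["PROFILE3"])

if __name__ == "__main__":
    print(missing_users(["USER1"], ["AO1", "AO2"], USER_PROFILES, PROFILE_OBJECTS))
    print(missing_users(["USER1"], ["AO1"], USER_PROFILES, PROFILE_OBJECTS))
    print(missing_users(["USER1"], ["AO1", "AO2"],
                        ENTANGLED_USER_PROFILES, PROFILE_OBJECTS))
```

Running such a check against an export of the user/profile assignments before the migration shows how far a selection spreads, which is the question behind "Heavily entangled -> Complete?".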


Assignment: 3 Methods (plus Undo)

Method 1: Direct Assignment (RSU01)
Method 2: New Profiles with Object S_RS_AUTH
Method 3: Extension of Profiles

(Figure: USER with the three variants, labelled Direct Assignment, Assign New Profiles and Profile Extension. Labels shown: BIAUTH RSR_12345678, BIAUTH RSR_87654321; Profile with S_RS_AUTH BIAUTH RSR_12345678; Profile with S_RS_AUTH BIAUTH RSR_87654321; Profile with RSR_OBJ (FIELD1 val1, FIELD2 val0) and S_RS_AUTH BIAUTH RSR_12345678, RSR_87654321)


Migration 4: Migration Details („Expert Mode“)

Depend on compatibility modes

Due to new feature of auth relevant Nav. Attr.

Information

choose


Migration – Protocol

Migration protocol
A detailed protocol reports success and error events during the migration


Application Protocol



New Authorization Objects

New Authorization Objects (Object class RS):
Authorization objects for working with the Data Warehousing Workbench:

S_RS_DS: Authorizations for working with the DataSource or its subobjects (as of SAP NetWeaver 2004s)
S_RS_ISNEW: Authorizations for working with new InfoSources or their subobjects (as of SAP NetWeaver 2004s)
S_RS_DTP: Authorizations for working with the data transfer process and its subobjects
S_RS_TR: Authorizations for working with transformation rules and their subobjects
S_RS_CTT: Authorizations for working with currency translation types
S_RS_UOM: Authorizations for working with quantity conversion types
S_RS_THJT: Authorizations for working with key date derivation types
S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
S_RS_RST: Authorization object for the RS trace tool
S_RS_PC: Authorizations for working with process chains
S_RS_OHDEST: Open Hub Destination


New Authorization Objects

Authorization objects for working in the Business Explorer:
S_RS_DAS: Authorizations for working with Data Access Services
S_RS_BTMP: Authorizations for working with BEx Web templates
S_RS_BEXTX: Authorizations for the maintenance of BEx texts

Authorization objects for the administration of analysis authorizations:
S_RSEC: Authorization for assignment and administration of analysis authorizations
S_RS_AUTH: Authorization object to include analysis authorizations in roles

Changed Authorization Objects:
S_RS_ADMWB (Data Warehousing Workbench: Objects): New subobjects:
CONT_ACT – Installing Business Content
USE_DND - Drag & Drop to InfoAreas and application components
CNG_RUN - Attribute change run


New Authorization Activities

New activities:

Installing Business Content (63)
Managing Business Content (23)
Drag&Drop to InfoAreas and application components in the DW Workbench (16)
Execute attribute change run (16)


New Authorization for Accessing Routines

For Display and change of routines, the authorization is mapped to the SAP NetWeaver authorization object S_DEVELOP.

Required field assignments:
Activity: display (03), change (02)

Package:
BWROUT_UPDR: Routines for update rules
BWROUT_ISTS: Routines for transfer rules
BWROUT_IOBJ: Routines for InfoObjects
BWROUT_TRFN: Routines for transformations
BWROUT_ISIP: Routines for InfoPackages
BWROUT_DTPA: Routines for DTPs
Or BWROUT_* for all routines

Object name: GP*
Object type: PROG
Authorization group: $BWROUT


New Authorization Objects and Role Template

New Role Templates:
S_RS_NEW_NW04S: New authorizations for NW2004s

S_DEVELOP (Display/change BI routines)
S_RS_ADMWB (Install Business Content, manage Content, Drag&Drop to InfoAreas and application components, execute attribute change run)
S_RS_PC (all)
S_RS_OHDEST (all)

Changed Role Templates: Existing authorization templates were enhanced with new authorization objects.
Deleted Role Templates: None


S_RS_NEW_NW04s (1)


S_RS_NEW_NW04s (2)


S_RS_NEW_NW04s (3)


Special Note

0BI_All
Assign all Analysis Authorizations to a user
Equivalent to SAP_All in BI
Can be assigned directly via RSU01
As a value to S_RS_Auth

RSSMQ replaced by TR “RSUDO”

The authorization objects S_RS_ICUBE, S_RS_MPRO, S_RS_ISET and S_RS_ODSO will no longer be checked during query processing. Instead, the check is performed using special characteristics 0TCAIPROV, 0TCAACTVT and 0TCAVALID.

Documentation:
http://help.sap.com/saphelp_nw04s/helpdata/en/80/d71042f664e22ce10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm

Additional material…

Find more information:

Preliminary features information is available in SAPNet/SAP Service Marketplace alias /bi, path SAP NetWeaver 2004s

Related other IT Scenarios and variants:

Enterprise Reporting, Query, & Analysis / MS Excel Integration

Enterprise Reporting, Query, & Analysis / Information Broadcasting

BI Analysis Authorizations in SCM

If you are using the BW authorization concept for Demand Planning:

Migrating to the new BW authorization concept is recommended:

Manually, or

Use the migration tool (SA38: RSEC_Migration)

The old concept is no longer supported as of Release 5.0; you should migrate to the new concept as soon as possible.

If you cannot migrate your old authorizations to the new concept immediately after the upgrade, you can return to the old concept using transaction RSCUSTV23.

BI Analysis Authorizations in SCM

If you newly installed SAP SCM with Release 4.1 and you are not yet using the BW authorization concept:

Check if you are planning to use the characteristics 9AMATNR, 9ALOCNO, or some characteristic of your own within a planning object structure in the new release.

If you are not using them, unmark them as authorization-relevant using transaction RSD1.

If you are using them, you must maintain all authorizations for all planning object structures and the InfoProviders that contain the authorization-relevant characteristics, especially 9AMATNR and 9ALOCNO. Otherwise, you will not have access to the relevant planning object structures and the InfoProviders, for example, when loading planning data for the interactive planning.

Copyright 2005 SAP AG. All Rights Reserved