Vishwas Goel
Copyright 2010 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Course Objective
SAP BI Overview
In BI, objects that provide information for reporting and analysis are called
InfoProviders. There are two types of InfoProviders:
Business Explorer Suite
Security
Components in BI
Standard Authorizations
Based on standard role and authorization concept of SAP
Were, and still are, used for BI administrator and developer activities
Reporting Authorizations
Old security concept up to SAP NetWeaver 04 (up to SAP BW 3.5)
Control which data a user has access to in a query
Realized through the standard authorization concept, which has many limitations
Analysis Authorizations
New security concept as of SAP NetWeaver 2004s
Is not based on the standard authorization concept, in order to overcome the limitations
Takes features of reporting and analysis in BI into consideration
Authorization Objects in BI
Authorization objects are grouped according to authorization object
classes. The major authorization object class in BI is RS.
Explore the Authorization Objects S_RS_COMP & S_RS_ADMWB
Securing Data Access for Reporting Users
On InfoCube Level
On Characteristic Level
On Characteristic Value Level
On Key Figure Level
On Hierarchy Node Level
SAP BI Security
Analysis Authorizations
This is also called data-level access. With the new NW2004s analysis authorization principles, it is now possible to create an analysis authorization object directly on an InfoObject.
Authorization Maintenance
Possible Values
EQ: Single value
BT: Range of values
CP: Contains (simple) patterns ending with * (e.g., XY*)
* (asterisk)
Denotes a set of arbitrary characters
Used alone to grant access to all values
Used at the end of a value to specify a simple pattern (example: SAP*)
: (colon)
Allows access only to aggregated data (e.g., allows information on all sales areas only at an aggregated level, not on particular sales areas)
+ (plus)
Denotes exactly one character
Used at the end of a value to specify a simple pattern (example: RED+)
Used to specify date patterns (only for Validity (0TCAVALID))
# (hash)
Stands for the initial or unassigned value
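The value operators and special characters listed above can be modelled as a small matcher. This is an added example, not SAP code or part of the original slides: it is a simplified model, and the function names, the tuple layout and the sample entries are assumptions made for illustration.

```python
import re

# Simplified model of the value entries listed above; not SAP's implementation.
AGGREGATED, UNASSIGNED = ":", "#"

# Constructed sample entries for one characteristic: (operator, low, high)
SAMPLE_ENTRIES = [
    ("EQ", "1000", ""),      # single value
    ("BT", "2000", "2999"),  # range of values
    ("CP", "XY*", ""),       # pattern: XY followed by anything
    ("CP", "RED+", ""),      # pattern: RED followed by exactly one character
    ("EQ", "#", ""),         # initial / unassigned value
]

def _cp_regex(pattern):
    """Translate a CP pattern: '*' = any characters, '+' = exactly one."""
    table = {"*": ".*", "+": "."}
    body = "".join(table.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile(body, re.DOTALL)

def value_allowed(value, entries):
    """True if one characteristic value is covered by any entry.

    An empty string stands for the initial (unassigned) value.
    Assumption: BT compares as strings, as for fixed-length character keys.
    """
    for op, low, high in entries:
        if op == "EQ":
            if low == UNASSIGNED and value == "":
                return True
            if low not in (UNASSIGNED, AGGREGATED) and value == low:
                return True
        elif op == "BT":
            if low <= value <= high:
                return True
        elif op == "CP":
            if _cp_regex(low).fullmatch(value):
                return True
        else:
            raise ValueError(f"unknown operator: {op}")
    return False

def aggregate_allowed(entries):
    """True if the data may be shown aggregated over this characteristic.

    Assumption: a lone '*' (all values) also covers the aggregated view.
    """
    return any((op, low) in (("EQ", AGGREGATED), ("CP", "*"))
               for op, low, _ in entries)
```

Reviewing an authorization this way makes over-broad entries visible: a lone `*` passes every value check, while a `:` entry alone passes none of them and only permits the aggregated view.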
Create Analysis Authorization
Steps to be performed:
Data Warehouse Workbench (RSA1):
1. Activate Business Content
2. Load of Data Store Objects
Management of Analysis Authorizations (RSECADMIN):
3. Generate Authorizations
4. View Generation Log
There are five Data Store Objects delivered with Business Content
that serve as templates:
Fill the Data Store objects with the user data and authorizations
Extract the data, for example, from an SAP R/3 source system or
from a flat file
Note: Some consistency checks should be added to avoid errors
during the generation later
Assign Analysis Authorization
Pros:
This approach removes the need to create roles for the corresponding analysis authorization.
Cons:
SAP provides no change documents for the assignment and removal of analysis authorizations for a user
SAP provides no SUIM (System User Information Management) reports for analysis authorizations
There is no way to mass-assign analysis authorizations to users in one step.
Add Analysis Authorizations to user profile
Monitoring Analysis Authorizations
There are two primary transaction codes that can be used to trace
authorizations: ST01 and RSECADMIN.
Checking Authorizations
Log on with your own user ID (production support role)
Check query execution with the authorizations of a specific user