
SAP BI Security

Vishwas Goel

Copyright 2010 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Course Objective

SAP BI & BEx Overview
Security Components in BI
Securing Data Access for Reporting Users
Analysis Authorizations
Authorization Maintenance
Create Analysis Authorizations
Assign Analysis Authorizations
Monitoring Analysis Authorizations



SAP BI Security

SAP BI Overview



What is Business Intelligence?

Business intelligence refers to the process of turning data into information, information into knowledge and knowledge into action for business gain.

It is an end-user activity that is facilitated by various analytical and collaborative tools and applications as well as a data warehousing infrastructure.

[Diagram on the slide: Data -> Information -> Knowledge -> Action]



BI Objectives

Standardized structuring and display of all business information.
Simple access to business information via a single point of entry.
Highly developed reporting for analysis with self service for all areas.
Quick and cost-efficient implementation.
High performance environment.
Data modeling from heterogeneous sources.
Relieving OLTP systems.



BI Architecture



Extracting, Transforming & Loading Data



Information in BI

In BI, objects that provide information for reporting and analysis are called InfoProviders. There are two types of InfoProviders:

InfoObjects, InfoCubes, and Data Store Objects contain PHYSICAL data.
InfoSets, RemoteCubes, and MultiProviders are LOGICAL structures and do not contain data.

An InfoCube is a transaction data container. In an InfoCube, data is organized in terms of business dimensions. When reporting from an InfoCube, users can perform multidimensional analysis from different business perspectives. For example, sales analysis could be performed across different geographic regions or distribution channels.

MultiProviders are used to combine data from various objects. A MultiProvider provides access to data from several InfoProviders and makes the data available for reporting and analysis. A MultiProvider can be assembled from different combinations of InfoProviders.
SAP BI Security

Business Explorer Suite



Business Explorer Suite



Business Explorer Suite

The Business Explorer Browser is the instrument for accessing reports and other executable objects which are assigned to a user.

The Business Explorer Analyzer can be used to execute, navigate, and further process reports using MS Excel.

The Query Designer is used to create BI queries. It is a very flexible and user-oriented tool.



Exercise

Create and Execute a BI Query



SAP BI Security

Security Components in BI



Authorization Concept

Based on the roles and authorization concept:
Users are assigned to roles
Roles contain authorizations
Authorizations are defined for authorization objects
The system checks authorization objects against the authorizations of the user



Comparison of OLTP Systems & OLAP Systems

Criterion                                    | OLTP Systems (Operative Environment)                 | OLAP Systems (Informative Environment)
Target                                       | Efficiency through automation of business processes | Generating knowledge
Priorities                                   | High availability, higher data volumes              | Simple to use, flexible access to data
View of Data                                 | Detailed                                             | Aggregated
Age of Data                                  | Current                                              | Historical
Database operations                          | Add, modify, delete (update) and read                | Read
Typical data structures                      | Flat tables                                          | Multidimensional structures
Integration of Data from various applications | Minimal                                             | Comprehensive
Data set                                     | 6-18 months                                          | 2-7 years
Archiving                                    | Yes                                                  | Yes
Comparison of OLTP and OLAP Security

Security in mySAP ERP (OLTP)
Transaction-based security
Restricts on:
  Transaction codes
  Specific field values
  Which activities a user can perform
Focused on getting daily work completed as quickly and efficiently as possible

Security in SAP NetWeaver BI (OLAP)
Analysis-based security
Restricts on:
  InfoProviders (InfoCubes, DataStore Objects)
  Queries
  Data or InfoAreas
Different business purpose and goals than OLTP
Focused on displaying, planning, and analyzing data



Authorizations in NW2004s

Standard Authorizations
Based on the standard role and authorization concept of SAP
Were and still are used for BI administrator and developer activities
Reporting Authorizations
Old security concept up to SAP NetWeaver 04 (up to SAP BW 3.5)
Control which data a user has access to in a query
Realized through the standard authorization concept, which has many limitations
Analysis Authorizations
New security concept as of SAP NetWeaver 2004s
Not based on the standard authorization concept, in order to overcome those limitations
Takes the features of reporting and analysis in BI into consideration



Limitations of earlier SAP BW releases



Improvements with SAP NetWeaver 2004s



Authorizations in BI

Authorization Objects in BI
Authorization objects are grouped according to authorization object classes. The major authorization object class in BI is RS.

Primary authorization object used by reporting users: S_RS_COMP
Primary authorization object used by administrators: S_RS_ADMWB



Exercise

Explore the Authorization Objects S_RS_COMP & S_RS_ADMWB



S_RS_COMP



S_RS_ADMWB



SAP BI Security

Securing Data Access for Reporting Users



Authorization Level

On InfoCube Level
On Characteristic Level
On Characteristic Value Level
On Key Figure Level
On Hierarchy Node Level



Authorization on Characteristic Level



Authorization on Characteristic Value Level



Authorization on Key Figure Level
SAP BI Security

Analysis Authorizations



Analysis Authorizations

Analysis authorizations are the fundamental building blocks of the new reporting concept; they contain both the data value and the hierarchy restrictions.

This is also called data-level access. With the new NW2004s analysis authorization principles it is now possible to create an analysis authorization directly on an InfoObject.

The authorization can consist of single values, a value range, or be created with reference to a hierarchy, provided the InfoObject is created with a hierarchy and the InfoObject is authorization-relevant.



Analysis Authorizations

Scenario: Sufficient Authorizations
The complete selection is a subset of the authorizations
The query results will be shown

Scenario: Insufficient Authorizations
The complete selection, or part of it, is outside of the authorizations
The query results will not be shown at all

[Diagram on the slide: the Query Selection lying inside, respectively partly outside, the user's Authorizations]



Exceptions for All-or-Nothing Rule

Display hierarchies are automatically filtered by the authorization
Key figure values are not displayed if the key figure is not authorized



SAP BI Security

Authorization Maintenance



Before You Start

Activate all Business Content related to authorizations before you get started
InfoObjects: 0TCA* (and 0TCT* if not done already)
InfoCubes: 0TCA*

Set the following InfoObjects as authorization-relevant
0TCAACTVT
0TCAIPROV
0TCAVALID
0TCAKYFNM



Authorization Relevant Characteristics

InfoObjects must be flagged as Authorization Relevant before they can be secured.

1. Execute T-code RSD1
2. Enter the InfoObject name
3. Go to the Business Explorer tab
4. Select the check box Authorization Relevant
5. Activate the InfoObject



Authorizing Characteristic Values



Authorizing Characteristic Values

Possible Values
EQ: Single value
BT: Range of values
CP: Contains (simple) patterns ending with * (e.g., XY*)



Special Authorization Values

* (asterisk)
Denotes a set of arbitrary characters
Used alone to grant access to all values
Used at the end of a value to specify a simple pattern (example: SAP*)
: (colon)
Allows access only to aggregated data (e.g., allows information on all sales areas only at the aggregated level, not on particular sales areas)
+ (plus)
Denotes exactly one character
Used at the end of a value to specify a simple pattern (example: RED+)
Used to specify date patterns (only for Validity (0TCAVALID))
# (hash)
Stands for the initial or unassigned value
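The following Python block is an added example, not code from the slides or from SAP: it simulates how a user's analysis authorizations (the EQ/BT/CP options and the special values *, :, + and # from the two slides above) are matched against a query selection under the all-or-nothing rule, and shows the key-figure exception where unauthorized key figures are merely hidden. The characteristic names, sample values and helper names are constructed for the example.

```python
import re

# Authorization interval as on the "Authorizing Characteristic Values" slide:
# (option, low, high) with option EQ, BT or CP, plus the special values *, :, + and #.
AGGREGATED = ":"   # the query uses the characteristic only in aggregated form

def value_allowed(value, auth):
    """True if one requested value is covered by one authorization interval."""
    opt, low, high = auth
    if opt == "EQ":
        if low == "*":                 # '*' alone grants all values, aggregated included
            return True
        if low == ":":                 # ':' grants aggregated data only
            return value == AGGREGATED
        if low == "#":                 # '#' stands for the initial / unassigned value
            return value in ("", "#")
        return value == low
    if opt == "BT":                    # inclusive range (string comparison)
        return value != AGGREGATED and low <= value <= high
    if opt == "CP":                    # simple pattern: '*' = any characters, '+' = exactly one
        regex = re.escape(low).replace(r"\*", ".*").replace(r"\+", ".")
        return value != AGGREGATED and re.fullmatch(regex, value) is not None
    raise ValueError(f"unknown option {opt!r}")

def check_selection(selection, auths):
    """All-or-nothing rule: every selected value of every authorization-relevant
    characteristic must be covered by the user's authorizations, or nothing is shown.
    selection: {characteristic: [values]}, auths: {characteristic: [(opt, low, high)]}.
    Returns (allowed, [(characteristic, value) that were not covered])."""
    missing = [(ch, v) for ch, values in selection.items() for v in values
               if not any(value_allowed(v, a) for a in auths.get(ch, []))]
    return not missing, missing

def visible_key_figures(requested, kf_auths):
    """Exception to the rule: a key figure (0TCAKYFNM) that is not authorized is
    simply not displayed; the query itself still runs."""
    return [kf for kf in requested if any(value_allowed(kf, a) for a in kf_auths)]

# Constructed sample user: sales org 1000, company codes 2000-2999, cost centres
# starting with CC1, only aggregated data on 0PLANT, key figures starting with 0AMOUNT.
USER_AUTHS = {
    "0SALESORG": [("EQ", "1000", "")],
    "0COMP_CODE": [("BT", "2000", "2999")],
    "0COSTCENTER": [("CP", "CC1*", "")],
    "0PLANT": [("EQ", ":", "")],
}
KF_AUTHS = [("CP", "0AMOUNT*", "")]

if __name__ == "__main__":
    ok, gaps = check_selection({"0SALESORG": ["1000"], "0COMP_CODE": ["2100"],
                                "0PLANT": [AGGREGATED]}, USER_AUTHS)
    print("sufficient:", ok, gaps)
    print("insufficient:", check_selection({"0SALESORG": ["1000", "2000"]}, USER_AUTHS))
    print("key figures shown:", visible_key_figures(["0AMOUNT", "0QUANTITY"], KF_AUTHS))
```

The second call fails as a whole because one selected value (sales org 2000) lies outside the authorization, which is exactly the "insufficient authorizations" scenario; the real RSECADMIN trace would point at that value.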



Special Authorization Characteristics

These special characteristics must be assigned to a user in at least one authorization:

0TCAACTVT: Restricts access to activities, e.g. display, create, change
0TCAIPROV: Restricts access to the InfoProvider, e.g. InfoCube, ODS, MultiProvider
0TCAVALID: Provides the validity of the analysis authorization

All of these InfoObjects must be marked as authorization-relevant.



Authorization Variables

Variables of type Customer Exit can be used with the special value $ (as escape sequence) as a prefix before the variable name. This enables dynamic granting of authorizations (authorized values are retrieved at runtime).

The customer exit reads the variable values using a selection routine placed in the function module EXIT_SAPLRRBR_001 inside of enhancement RSR0001. (This enhancement is accessed via transaction code CMOD.)



Authorization Variables (contd.)

The advantage of this method is that you can give all users the same authorization by placing the variable name with a $ sign in front of it, instead of a value, in the characteristic value (or the hierarchy node).



Key Figure Authorizations

This restriction is used to grant users authorization to particular key figures.

Technical name: 0TCAKYFNM

Possible values:
- Single value (EQ): exactly one key figure
- Range (BT): selection of key figures
- Pattern (CP): selection of key figures based on a pattern

Note: If a particular key figure is defined as authorization-relevant, it will be checked for every InfoProvider.



Authorizing Navigational Attributes

To restrict access to a navigational attribute, the attribute must be marked as authorization-relevant on the Attributes tab strip.

Note: The referencing characteristic does not need to be authorization-relevant.



Special Authorization: 0BI_ALL

An authorization for all values of all authorization-relevant characteristics is created automatically in the system. It has the name 0BI_ALL. It can be viewed, but not changed. Every user that receives this authorization can access all the data at any time. Each time an InfoObject is activated and the property Authorization Relevant is changed for the characteristic or a navigation attribute, 0BI_ALL is automatically adjusted.

A user that has a profile with the authorization object S_RS_AUTH containing the value 0BI_ALL (or the value *) has complete access to all data.



Minimum Authorization Requirements for a Reporting User

Analysis authorizations for an InfoProvider
S_RS_COMP (Activities 03, 16)
S_RS_COMP1 (Query owner)
S_RFC (BEx Analyzer or BEx Browser only)
S_TCODE (RRMX for BEx Analyzer)



SAP BI Security

Create Analysis Authorization



Creation of Analysis Authorization

There are two ways to create an analysis authorization in BI 7:

1. Manual creation of the analysis authorization through the RSECAUTH T-code.
2. Automatic generation of analysis authorizations (for mass creation and assignment).



Creation through RSECADMIN

1. Execute T-code RSECADMIN
2. Go to Maintenance in the Authorization tab
3. Enter the analysis authorization name and click Create



Automatic generation of analysis authorizations

With the generation of analysis authorizations, we can load authorized values from other systems into Data Store objects and generate authorizations from them. This approach is generally used for mass creation of analysis authorizations and assignment of these authorizations to users.

Steps to be performed:
Data Warehouse Workbench (RSA1):
1. Activate Business Content
2. Load of Data Store Objects
Management of Analysis Authorizations (RSECADMIN):
3. Generate Authorizations
4. View Generation Log



Activate Business Content

There are five Data Store Objects delivered with Business Content that serve as templates:

0TCA_DS01 Authorization data: Values
0TCA_DS02 Authorization data: Hierarchies
0TCA_DS03 Descriptive Text for Authorizations
0TCA_DS04 Assignment of Users to Authorizations
0TCA_DS05 Generate Users for Authorizations



Load of Data Store Objects

Fill the Data Store objects with the user data and authorizations
Extract the data, for example, from an SAP R/3 source system or from a flat file
Note: Some consistency checks should be added to avoid errors during the generation later



Generate Authorizations

Start the generation by specifying the relevant DataStore objects



View Generation Log

A detailed log can be viewed once the generation is completed



SAP BI Security

Assign Analysis Authorization



Assignment of Authorizations

Direct assignment of analysis authorizations through RSECADMIN
Indirect assignment through roles (PFCG)



Direct Assignment

Direct assignment of analysis authorizations through RSECADMIN



Pros and Cons
Analysis authorization based approach (direct assignment):

Pros:
This approach removes the need to create roles for the corresponding analysis authorizations.

Cons:
No change documents are provided by SAP for the assignment and removal of analysis authorizations to and from a user.
No SUIM (System User Information Management) reports are provided by SAP for analysis authorizations.
No way to mass-assign analysis authorizations to users in one go.



Pros and Cons (contd.)

If a user ID that has analysis authorizations directly assigned to it is deleted using SU01, these authorizations are not removed from the user's assignments. If the same ID is recreated, it is automatically populated with the earlier analysis authorizations.

So if this approach is followed, it is always recommended that the analysis authorizations are first deleted manually from the user ID using RSU01, and only then the ID is deleted using SU01.



Indirect Assignment

As an alternative to direct assignment, we can also assign authorizations to roles, which can then be assigned to users.
Use authorization object S_RS_AUTH for the assignment of authorizations to roles
Maintain the authorizations as values for the field BIAUTH



Pros and Cons
Indirect Assignment Approach
Pros:
All the change documents are already available.
All the existing SUIM reports are already available.
Mass role assignment is possible.
Cons:
Roles need to be created corresponding to the analysis authorizations, which means more maintenance in the system.



Exercise

Add Analysis Authorizations to a user profile



SAP BI Security

Monitoring Analysis Authorizations



Using the Trace

There are two primary transaction codes that can be used to trace authorizations: ST01 and RSECADMIN.

Transaction code ST01 is a system trace that is used for SAP-provided objects.

Transaction code RSECADMIN is specific to BI and only traces the custom analysis authorizations you create to control access to InfoObject values. This trace can be very helpful when you need to debug an authorization error.



Authorization Monitoring

Checking Authorizations
Log on with your own user ID (production support role)
Check query execution with the authorizations of a specific user



Evaluate Log Protocol

Turn on logging of user activities related to analysis authorizations
View detailed information about authorization checks



Change Log of Analysis Authorizations

Activate the following Virtual Providers from the Business Content (VAL = Values, HIE = Hierarchies, UA = User Assignment)

The system records all changes to authorizations and user assignments. Queries can be built on these InfoProviders to answer questions such as:
- How many users have access to a given InfoCube?
- Which users have access to company code X?
- When was authorization XYZ created, and by whom?
Exercise

Trace the missing authorizations



Q&A
