Escolar Documentos
Profissional Documentos
Cultura Documentos
Topics Covered:
Contd
RSSM
Old transaction: RSSM
Concept of authorization: 'Reporting
Authorization'
RSECADMIN
New transaction : RSECADMIN
Concept of authorization: 'Analysis
Authorization'
Contd
Authorization:
PFCG (Role based approach)
Authorization:
PFCG (Role based approach)
RSECAUTH (Analysis Authorization Based
Approach)
Contd
Authorization Objects in BI 7
Authorization objects are grouped according to authorization object classes. The major
authorization object class in BI is RS.
S_RS_COMP: Decides which Info area, Info providers data user can view
S_RS_COMP1: Decides which owners queries a user can execute
S_RS_FOLD: Hide or display the Info Area push button for end users
S_RS_AUTH: Gives access to analysis Authorizations
S_RS_ADMWB: Used by BW administrator for Modeling and controlling
Some other Auth objects: To save workbooks/Queries to Roles
S_USER_AGR: In which Role user can add workbooks and Queries
S_USER_TCD: should have value as RRMX and used in conjunction with S_USER_AGR
Restricting access in BI
Secure by Info Cube: If the authorizations need to be checked only on Info Provider
level. You can then create roles that allow you to run queries from the specified Info
Provider (s).
Securing by Query: Another option would be to use the Info Provider in conjunction
with the query name. To do this, you will need a strict naming convention for query
names so that security does not have to be updated each time a new query is
created.
Securing by Info Object: Allowing two user to execute the same query, but to get
different results based on their assigned data access for division, cost center, or
some other Info Object, is known as info Object level security or field level security
The more granular level of restricting access of the users is at Info Object/Field level .
The following procedure shows the steps you must be following when setting up
security for an Info Object:
1. Define the Info Object as authorization relevant.
2. Create (or adjust) analysis authorizations for the Info Object.
3. Assign authorizations to users.
4. Add a variable to the queries.
Authorization Relevance
Analysis Authorizations are fundamental building blocks of the new reporting concept which
contains both the data value and hierarchy restrictions.
If we want a query to only provide results based on the division, for example, then the
query itself needs the ability to filter specific division values. Before we can secure on
division, the query must be able to restrict data by division. The only way the query can
restrict data dynamically is through a variable. The variable can be added anytime
independent of the other steps listed here.
Exercises:
Create a simple query from an existing Info Cube, execute it, and save it as a new
workbook
Limit query access within the Bex Analyze using S_RS_COMP1 and S_RS_FOLD
Authorization Trace
Authorization Trace
In BI 7 we can Trace :
1) Authorization Monitoring
2) Change log of Analysis authorization
Authorization Monitoring
Checking Authorizations
Log on with your own user ID
Check query execution with the authorizations of a specific user
Contd..
Activate the following Virtual Providers from the Business Content (VAL =
Values, HIE = Hierarchies, UA = User Assignment)
Exercise (s):
Trace BI authorizations
ST01 Trace
Creation of Analysis
Authorization
1)
2)
3)
Fill the Data Store objects with the user data and authorizations
Extract the data, for example, from an SAP R/3 source system or from a flat file
Note: Some consistency checks should be added to avoid errors during the generation
later
Generate Authorizations
Assignment of Analysis
Authorization
Assignment of authorization
Direct assignment
Pros:
This approach removes the use of creating Roles for the corresponding analysis
authorization .
Cons:
No Change documents are provided by SAP for assigning and removal of Analysis
authorization from the user
No SUIM (System User Information Management) reports are provided by SAP for
analysis authorization
Contd..
Indirect Assignment
Alternatively to the direct assignment, we can also assign authorizations to roles, which can
then be assigned to users.
Use authorization object S_RS_AUTH for the assignment of authorizations to roles
Maintain the authorizations as values for field BIAUTH
Pros:
Cons:
Query is more the technical definition of what the results should look like. Workbooks are
actual results that have been formatted and can be refreshed each time the workbook is
executed.
The query is a definition of what data the query should fetch and how the data should be
initially displayed. A query definition includes rows, columns, filters, and free characteristics.
The workbook is a result set of the query. In this workbook, the data is displayed by sales
organization. Every time the user executes the workbook, the data will be refreshed, but the
format can remain the same, depending on the settings for the query in the workbook.
Multiple query results saved in workbooks from the same query definition enable users to
customize how they want to review the results and analyze the data.
Exercise (s):
BI 7 Security Features
BI 7 Security Features
Analysis Authorization
Special Characteristics
Special Authorization: 0BI_ALL
Colon authorization
Pound Authorization
Key Figure Authorization
Analysis Authorization:
Analysis Authorizations are fundamental building blocks of the new reporting concept which
contains both the data value and hierarchy restrictions.
This is also called data level access. With the new NW2004s analysis authorisation
principles it is now possible to create an analysis authorisation object directly on an info
object
The authorisation can either be single values or a value range or created with a reference to
a hierarchy, provided the info object is created with a hierarchy and the info object is
authorisation relevant.
Special Characteristics:
0BI_ALL
Below are the new authorization objects in BI7 for administration workbench,
business Explorer and analysis authorization.
Authorization objects for the Data Warehousing Workbench:
S_RS_DS: For the DataSource or its sub objects (NW2004s)
S_RS_ISNEW: For new InfoSources or their sub objects (NW 2004s)
S_RS_DTP: For the data transfer process and its sub objects
S_RS_TR: For transformation rules and their sub objects
S_RS_CTT: For currency translation types
S_RS_UOM: For quantity conversion types
S_RS_THJT: For key date derivation types
S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
S_RS_RST: Authorization object for the RS trace tool
S_RS_PC: For process chains
S_RS_OHDEST: Open Hub Destination