bi authorizations
Posted on 06-Apr-2015
© 2008 Wellesley Information Services. All rights reserved.
An A-to-Z Guide on How to Develop a Flexible Position-Based Security Model for SAP NetWeaver Business Intelligence
Tracey Brookes, Sapient Corp
What We’ll Cover …
• What makes a good BI security model?
• How and why to set up a flexible position-based model
  Roles for BI user type
  Special function roles
  InfoArea and Data Target-level security
  InfoObject-level security
• How to control ad hoc query creation using role menus
• How to leverage the company organizational hierarchy
• Wrap-up
What Makes A Good BI Security Model?
• Many mistakes from a bad security model come from trying to apply SAP ERP security principles to a Business Intelligence (BI) model
  An SAP ERP transaction code does not equal an SAP NetWeaver® BI transaction code
  SAP NetWeaver BI is not transaction-driven, but data- and function-driven!
  Data access is controlled in SAP NetWeaver BI by configuring different restrictions on authorization object S_RS_COMP
What Should My Security Strategy Achieve?
• Recognizes that positions and departments may change
• Recognizes that people may change
• Recognizes that roles need to be flexibly assembled so that they can be easily changed
BI Security Model Dos and Don’ts
• Do:
  Use your organization’s structural hierarchy for role allocation
  Use single roles
  Document common transactions in only one role
  Identify common elements across requirements and group them accordingly
  Capture distinct activities in one role (e.g., ad hoc query creation)
  Create a logical naming standard for InfoProviders and queries
  Use wildcards (*) in restricting values assigned to authorization objects
  Separate roles that hold authorization objects from roles that hold menus
  Separate roles that hold transported (standardized/certified) reports from roles that hold production-created (ad hoc) reports
BI Security Model Dos and Don’ts (cont.)
• Don’t:
  Assign roles directly to user IDs
  Use composite roles
  Use one role to contain everything for a specific position (~ most SAP-delivered roles)
Using Your Organization’s Structural Hierarchy
• Do seek the benefits of using your organization’s structural hierarchy for role allocation
• Value represented between ( ) = SAP ERP object type
  Organizational Unit/Work Center
    Job
      Position (S)
        Employee (P)
          UserID (US)
  Role (AG): assigned indirectly via the organizational hierarchy, or directly to the UserID
Using Your Organization’s Structural Hierarchy (cont.)
• Indirect Role Assignment
  This allows authorizations to be inferred from the higher levels in the organizational hierarchy down to the lower levels
  Single roles allocated across an organizational hierarchy thus function much as a composite role would; hence composite roles are no longer required
  Added flexibility if employees change positions: roles do not have to be moved, as roles are allocated to the position and not the person
  Authorization update is immediate, with no maintenance lag, and without violating company security policy
Using Your Organization’s Structural Hierarchy (cont.)
• Recognize the difference in role assignments
  Indirect: shown in blue (best approach)
  Direct: shown in black
Using Your Organization’s Structural Hierarchy (cont.)
• Since the use of the Organizational Hierarchy allows for inferring authorizations, there is no need for doubling up on the same authorizations or using composite roles
• No longer a need for one role to contain all authorizations for a requirement (~ SAP-delivered roles)
  Purchasing Manager: Execute Business Explorer (BEx) Analyzer via RRMX; execute, create, and modify queries prefixed ZM*
  Purchasing Operations: Execute Business Explorer (BEx) Analyzer via RRMX; execute queries prefixed ZM*
Using Your Organization’s Structural Hierarchy: Result
  Query User                 S_TCODE: RRMX
  Power User                 S_TCODE: RRMX
  Department Administrator   S_TCODE: RRMX
  BI Developer               S_TCODE: RSA1, RRMX
Using Your Organization’s Structural Hierarchy: Result (cont.)
  MM Query User                 S_RS_COMP: InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Display; Subobject = REP
  MM Power User                 S_RS_COMP: InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Create, Modify; Subobject = REP
  MM Department Administrator   S_RS_COMP: InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Delete; Subobject = REP
  BI Developer                  S_RS_COMP: n/a
** BI Developer infers all of the above under the hierarchy allocation scheme
Pros and Cons of the SAP-Delivered Roles
• Pros
  Provides a template for role analysis if no roles exist
  Gives ideas for role creation rather than building roles entirely from scratch
  Good guideline when you have no experience in SAP NetWeaver BI security, but I don’t recommend it in general
  Technical Content for areas like BI Statistics and the Administration Cockpit has SAP-delivered roles already configured for use
    Contains all complex iViews, queries, Web templates, and authorizations necessary for displaying the BI Statistics’ Technical Content
    Will never change unless SAP updates them
Pros and Cons of the SAP-Delivered Roles (cont.)
• Cons
  A lot of the delivered roles have been around since SAP BW 1.2b
  Highly position-based at the lowest level; very specific
  Roles are not unique – authorization objects are duplicated
  Use composite roles
  Tend to require a lot of maintenance, since all of the roles need to be modified rather than one role radiating downwards through a tree
  Not SOX compliant
Pros and Cons of the SAP-Delivered Roles (cont.)
• The one SAP-delivered role I would recommend using: SAP_SAP_BW_BI_ADMINISTRATOR. Why?
  BI Technical Content is all SAP-delivered objects and thus requires no additional “tweaking” to make it work
  If modifications are made to the BI Technical Content, SAP would also update the reliant role
  BI Technical Content is the same across every Business Intelligence installation; thus non-client specific
  BI Technical Content is segregated from the rest of the Data Warehouse
  Make sure you have the latest SAP modifications by using current versions of all the SAP-delivered objects related to the Administration Cockpit
  If you make enhancements or use your own naming convention in a copy of the role, you could fall behind on maintenance if BI Technical Content is reinstalled
How to Set up a (More) Flexible, Position-Based Model
• Let’s revisit a few statements:
  “Since the use of the Organizational Hierarchy allows for inferring authorizations, there is no need for doubling up on the same authorizations or using composite roles.”
  “No longer a need for one role to contain all authorizations for a requirement”
  “BI is not transaction-driven but data- and function-driven”
• All authorizations can be grouped according to:
  Function or action a user can perform
  Data a user can view
The roles defined in this presentation also work in an SAP NetWeaver BI 7.0 environment. However, they should be modified to incorporate the new authorization objects rolled out as part of that release.
How to Set up a (More) Flexible, Position-Based Model (cont.)
• User Actions
  BI User Type Roles – Examples: Query User, Power User, Department Administrator, Developer
  Special Function Roles – Examples: Release Transports, Delete InfoObject Master data
• User Data Viewed
  InfoArea/Data Target Roles – Examples: MM, FI, HR, SD, PM; Supply Costing: Financial Data assigned to MM users
  InfoObject Restrictions (InfoObject/data-level security) – Examples: 0COSTCENTER, 0CO_AREA
  Menu Folder Roles – Example: Finance queries viewed only by Finance Dept.
Four Key BI User Types
• BI Developer
• Department Administrator
• Power User
• Query User
Translating Requirements into User Role Types
• Identify tasks for each BI User Type
  Transactions that are common between roles belong in the one role allocated to the highest level of the organization hierarchy
  Transaction RRMX is assigned to the Query User role only
  Since the Query User role is allocated at a node higher than other roles, the authorizations are inherited down to the lower levels
• “1_Task Matrix.xls”
  The document lists all tasks associated with each BI User Type role defined in this presentation
  Your requirements may vary depending on your business, but these assignments were derived from more than one company
Four Key BI User Types
• BI User Type role definitions in this presentation are based on actions defined in the Task Matrix

  Task                                                  Dept. Admin.   Power User   Query User
  Execute BEx from SAPGUI (RRMX) or Start Programs      X              X            X
  Execute queries/workbooks                             X              X            X
  Create/Change own query (BWD/BWQ/BWP)                 X              X
  Create/Change another user’s query (BWD/BWQ/BWP)      X
  Save ad hoc query to ad hoc menu role (BWD/BWQ/BWP)   X              X
  Save standard query to standard menu role (BWD)       X
  Delete a query                                        X
1 – Query User Role
• Applies to ALL systems
• Ability to execute BEx Analyzer
  S_TCODE: Transaction code = RRMX
  S_GUI: Activity = 60, 61 (Import, Export) – authorization for GUI activities, execution of workbooks
  S_BDS_DS and S_BDS_D: Activity = 03, 30; Class Type = OT – authorization for document set
  S_GUI and S_BDS_DS enable users to save workbooks to their Favorites Folder
1 – Query User Role (cont.)
• InfoArea tab should not be seen on Query Open
  S_RS_FOLD: Hide ‘Folder’ Pushbutton = X (True)
1 – Query User Role (cont.)
• Role usertype_queryuser_ZBW_A_UT_QU_AL_ALL that you can import into your system
2 – Power User Role
• Applies to ALL systems
• Ability to save queries to Ad hoc Menu
  S_USER_AGR: Activity: 01,02,22; Role Name: {based on role naming convention} ZBW_M_FI_D
• Ability to create and change department ad hoc BEx queries …
  S_RS_COMP: Activity: 01,02; InfoArea: 0COOM; InfoCube: *; Component: ZF* (ad hoc); Type: REP
• … only those related to their own user ID
  S_RS_COMP1: Activity: 02; Component: ZF*; Type: REP; Owner = $USER
• InfoArea tab should be seen on Query Open
  S_RS_FOLD: Hide ‘Folder’ Pushbutton = ‘ ’ (False)
Z* = Ad hoc queries; Y* = Certified/Standard queries
2 – Power User Role (cont.)
• Role usertype_poweruser_finance_ZBW_A_UT_PU_FI_ALL
2 – Power User Role (cont.)
• Individual user requirements would define the need for an SAP BW development-only role
• Only an example of the ALL role is supplied in this presentation
3 – BI Department Administrator Role
• Different authorizations apply to ALL systems and BWD-only systems
• Ability to modify queries in the Standard Menu (BWD)
  S_USER_AGR: Activity: 01,02,06,22; Role Name: {based on role naming convention} ZBW_M_FI_C
• Ability to modify department Standard BEx queries (BWD) …
  S_RS_COMP: Activity: 01,02,06; InfoArea: 0COOM; InfoCube: *; Component: YF* (standard/transported); Type: REP
• … related to any user ID
  S_RS_COMP1: Activity: 02,06; Component: YF*; Type: REP; Owner = *
Z* = Ad hoc queries; Y* = Certified/Standard queries
3 – BI Department Administrator Role (cont.)
• Role usertype_deptadmin_bwd_ZBW_A_UT_DA_FI_BWD
3 – BI Department Administrator Role (cont.)
• Ability to delete queries in the Department Menu (ALL)
  S_USER_AGR: Activity: 06; Role Name: {based on role naming convention} ZBW_M_FI_D
• Ability to modify and delete department ad hoc BEx queries (ALL) …
  S_RS_COMP: Activity: 06; InfoArea: 0COOM; InfoCube: *; Component: ZF* (ad hoc); Type: REP
• … related to any user ID
  S_RS_COMP1: Activity: 02,06; Component: ZF*; Type: REP; Owner = *
Where are Display (03) and Execute (16)? See the InfoArea/Data Target roles.
Z* = Ad hoc queries; Y* = Certified/Standard queries
3 – BI Department Administrator Role (cont.)
• Role usertype_deptadmin_all_ZBW_A_UT_DA_FI_ALL
3 – BI Department Administrator Role (cont.)
• Role usertype_deptadmin_all_ZBW_A_UT_DA_FI_ALL
• Ability to display all Master Data related to Finance
• Master Data viewable in ALL systems
4 – BI Developer Role
• All authorizations to do with query development would be inherited by the power user and department administrator classifications
• BI developer roles have two different role distinctions, similar to the BI Department Administrator
  SAP BW developer-only: this role is not transported
  ALL: this role is transported and is applicable to the SAP NetWeaver BI Dev, QA, and Prod environments
• Due to the number of tasks and size, screenshots of this role are not included in this presentation. Refer to the take-home CD.
  Role usertype_developer_all_ZBW_A_UT_DV_IT_ALL
  Role usertype_developer_bwd_ZBW_A_UT_DV_IT_BWD
Organizational Hierarchy and BI User Type Impacts
  1000 Corporate
    1001 Logistics Department (Job_1)
      1001001 Purchasing Manager
      1002111 Purchase Operations 1
      1002112 Purchase Operations 2
    1002 Finance Department (Job_2)
  Roles allocated in the diagram: Query User Role, MM Power User Role, MM Dept. Admin. Role
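The indirect-assignment argument (single roles allocated to organizational nodes and inferred downwards) and the S_RS_COMP / S_RS_COMP1 restrictions of the Power User and Department Administrator roles, modelled together as an added Python example that is not code from the presentation. Node names, object fields and the Z*/Y* convention come from the slides; the role names, which role sits on which node, the YM* prefix, the extra admin position and the simplified check semantics in `may_act` are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Activity codes as used on the slides: 01 create, 02 change, 03 display, 06 delete, 16 execute
CREATE, CHANGE, DISPLAY, DELETE, EXECUTE = "01", "02", "03", "06", "16"


def sap_match(pattern: str, value: str) -> bool:
    """Field comparison as in a PFCG role: exact value or a trailing '*' wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


@dataclass(frozen=True)
class SRsComp:            # one field combination of authorization object S_RS_COMP
    infoarea: str
    infocube: str
    component: str
    activities: frozenset
    subobject: str = "REP"


@dataclass(frozen=True)
class SRsComp1:           # one field combination of S_RS_COMP1 (owner-based query check)
    component: str
    activities: frozenset
    owner: str            # "$USER" = own queries only, "*" = any user's queries


@dataclass
class Role:
    name: str
    comp: list = field(default_factory=list)    # S_RS_COMP entries
    comp1: list = field(default_factory=list)   # S_RS_COMP1 entries


@dataclass
class OrgNode:            # org unit or position; roles are allocated here, never to the user ID
    name: str
    roles: list = field(default_factory=list)
    parent: Optional["OrgNode"] = None


def effective_roles(position: OrgNode) -> list:
    """Indirect assignment: the position's roles plus those of every node above it."""
    roles, node = [], position
    while node is not None:
        roles.extend(node.roles)
        node = node.parent
    return roles


def may_act(position, user_id, infoarea, infocube, query, activity, query_owner=None):
    """True if a user holding `position` may perform `activity` on `query`.

    Assumed, simplified semantics: S_RS_COMP is always evaluated; S_RS_COMP1 is
    evaluated in addition only when the query already exists (query_owner given).
    """
    roles = effective_roles(position)
    comp_ok = any(
        sap_match(c.infoarea, infoarea) and sap_match(c.infocube, infocube)
        and sap_match(c.component, query) and activity in c.activities
        and c.subobject == "REP"
        for r in roles for c in r.comp)
    if not comp_ok or query_owner is None:
        return comp_ok
    return any(
        sap_match(c.component, query) and activity in c.activities
        and (query_owner == user_id if c.owner == "$USER" else sap_match(c.owner, query_owner))
        for r in roles for c in r.comp1)


def build_example() -> dict:
    """Constructed sample: the Logistics branch of the slides' org hierarchy.

    Assumptions: role names (deck naming convention), which role sits on which
    node, the YM* prefix for standard MM queries, and the extra admin position.
    """
    query_user = Role("ZBW_A_UT_QU_AL_ALL")    # Query User: S_TCODE RRMX only, no S_RS_COMP
    mm_dt = Role("ZBW_A_DT_0MM_ALL",           # InfoArea/Data Target role: display + execute
                 comp=[SRsComp("0MM*", "*", "*", frozenset({DISPLAY, EXECUTE}))],
                 comp1=[SRsComp1("*", frozenset({DISPLAY, EXECUTE}), "*")])
    mm_power = Role("ZBW_A_UT_PU_MM_ALL",      # Power User: create/change own ad hoc ZM* queries
                    comp=[SRsComp("0MM*", "*", "ZM*", frozenset({CREATE, CHANGE}))],
                    comp1=[SRsComp1("ZM*", frozenset({CHANGE}), "$USER")])
    mm_admin = Role("ZBW_A_UT_DA_MM_ALL",      # Dept. Admin.: anyone's ZM*, plus standard YM*
                    comp=[SRsComp("0MM*", "*", "ZM*", frozenset({CHANGE, DELETE})),
                          SRsComp("0MM*", "*", "YM*", frozenset({CREATE, CHANGE, DELETE}))],
                    comp1=[SRsComp1("ZM*", frozenset({CHANGE, DELETE}), "*"),
                           SRsComp1("YM*", frozenset({CHANGE, DELETE}), "*")])
    corp = OrgNode("1000 Corporate", [query_user])
    logistics = OrgNode("1001 Logistics Department", [mm_dt], corp)
    return {
        "manager": OrgNode("1001001 Purchasing Manager", [mm_power], logistics),
        "ops1": OrgNode("1002111 Purchase Operations 1", [], logistics),
        "mm_admin": OrgNode("MM BI Administrator (constructed position)", [mm_admin], logistics),
    }
```

Moving an employee from Purchase Operations to Purchasing Manager changes nothing in the roles; only the position passed to `may_act` changes, which is the flexibility the slides claim for indirect assignment.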
Special Function Roles
• Special Function roles are distinct from the mainstream roles, as they are functions that are assigned temporarily or address one-off scenarios
• Highly company-dependent
• Examples:
  Display Data Warehouse Workbench – assigned to BI Department Administrators during the testing phase
  Release Transports – when BI Developers are not permitted to release transports, a super user reviews and releases transports; assigned to BI Department Administrators for controlling BEx transport releases in their area alone
Special Function Roles (cont.)
• Examples:
  Delete Data from Data Targets – assigned to control data maintenance; data is not owned by, nor the responsibility of, the BI Developer; data is owned by the responsible functional areas or the business analysts assigned to the functional area
  Maintenance of Master Data – in this solution, maintenance of master data is tasked to the appropriate Department’s BI Administrator; this function could be split out to a special function depending on company requirements; each master data object is owned by only one department
InfoArea and Data Target-Level Security
  MM Query User                 S_RS_COMP: InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Display; Subobject = REP
  MM Power User                 S_RS_COMP: InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Create, Modify; Subobject = REP
  MM Department Administrator   S_RS_COMP: InfoArea = 0MM*; InfoCube = *; Component = ZM*; Activity = Delete; Subobject = REP
  BI Developer                  S_RS_COMP: n/a
InfoArea and Data Target-Level Security (cont.)
• SAP NetWeaver BI 7.x has impacted these role classifications
• S_RS_COMP is still valid
• The use of S_RS_ICUBE, S_RS_ISET, S_RS_ODSO, and S_RS_MPRO has changed
InfoArea and Data Target-Level Security (cont.)
• SAP states the following on help.sap.com (Authorization Objects for InfoProvider Access):
  “The authorization objects S_RS_ICUBE, S_RS_MPRO, S_RS_ISET, and S_RS_ODSO will no longer be checked during query processing. Instead, the check is performed using special characteristics 0TCAIPROV, 0TCAACTVT, and 0TCAVALID. These authorization objects are offered during migration configuration as a migration option. If you select these authorization objects, authorizations for these special characteristics are generated according to the entries in the Activity and the associated field for the corresponding InfoProvider and then assigned to the users.”
• What does this mean and what are the impacts?
  http://help.sap.com/saphelp_nw70/helpdata/en/ad/8f7842fdb70f53e10000000a155106/frameset.htm
InfoArea and Data Target-Level Security (cont.)
• After you migrate to the new Reporting Analysis Authorization concept, the following authorization restriction combinations are no longer needed
  S_RS_ICUBE, S_RS_IOBJ, S_RS_ISET, S_RS_MPRO: Activity: 03; Subobject: DATA
• The above restrictions can be removed from existing roles, as they have been replaced by the restrictions defined on authorization object S_RS_AUTH, created under transaction RSECADMIN (RSECADMIN replaces transaction RSSM for building InfoObject-level security)
InfoArea and Data Target-Level Security (cont.)
• Pre BI 7.x – obsolete concept enabled: the INACTIV authorization object status; these objects should be active, as they are still used
• The following illustrates post BI 7.x – new Reporting Analysis Concept enabled, and thus INACTIV status:
InfoArea and Data Target-Level Security (cont.)
• The InfoArea/Data Target role should be created to look like the following illustration on version BI 7.x when the Reporting Analysis Concept has been switched to the new concept
  InfoArea_datatarget_fico_all_ZBW_A_DT_0FMCO_ALL
InfoArea and Data Target-Level Security (cont.)
• Organizational Hierarchy
  1000 Corporate
    1001 Logistics Department (Job_1)
      1001001 Purchasing Manager
      1002111 Purchase Operations 1
      1002112 Purchase Operations 2
    1002 Finance Department (Job_2)
• InfoAreas
  0SCM Supply Chain Management InfoArea
  ZFPU_M01 Goods Receipts (Finance)
  0FI Finance InfoArea (includes 0FICO InfoArea)
InfoObject Level Security
• Prior to SAP NetWeaver BI 7.x (SAP BW 2.x, 3.x)
  RSSM: Transaction used to create InfoObject level security roles automatically
• Now with SAP NetWeaver BI 7.x
  RSECADMIN: Transaction used to create InfoObject level security roles automatically
  Program RSEC_MIGRATION: Program that assists in migrating SAP BW 3.x authorization objects to the new BI 7.x format
• For more information on InfoObject level security concepts for either SAP BW 3.x or SAP NetWeaver BI 7.x, please refer to the presentation “Options, Strategies, and Best Practices for Migrating to and Using SAP NetWeaver Business Intelligence 7.0 Authorization Concepts”
InfoObject Level Security (cont.)
• Organizational Hierarchy (illustration, based on BI 7.x concepts)
  1000 Corporate
    1001 Logistics Department
      Job_1
      1001001 Purchasing Manager
      1002111 Purchase Operations 1
      1002112 Purchase Operations 2
    1002 Finance Department
      Job_2
• InfoObject-level authorizations shown in the illustration:
  Enterprise-wide Authorization Object (ZBI_ALL) (ZBI_ALL = 0BI_ALL – FI restriction)
  Cost Center Restrictions (ALL)
  Cost Center Restrictions (1001 ONLY)
  Cost Center Restrictions (2* – 3*)
How to Control Ad Hoc Query Creation Using Menus in Roles
• What are menu folder roles?
  Areas to define the folder structures where workbooks and queries are saved for storage in SAP NetWeaver BI and are accessed by other SAP NetWeaver BI users. They are defined by the Basis team under the PFCG transaction code in the role’s Menu tab and are separate from Authorization Roles.
  SAP NetWeaver BI users can access the queries and workbooks stored in the Menu roles from the BEx Analyzer under the Role tab.
How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• What are menu folder roles? (cont.)
  Ad hoc menu folder roles: Capture reports that users have created directly in the production environment, where users want to circulate them to a greater audience (e.g., Department)
  Standard (Certified) menu folder roles: Capture reports that users have created in development and transported to production. They are certified through quality, usually tested thoroughly for performance, and follow company query design standards
How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• Accessing Menu Folder Roles from SAPGUI
• Accessing Menu Folder Roles from SAP BEx Analyzer
How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• Rules to prevent loss of information
  Initially, both ad hoc and Standard/Certified menu roles should be created in SAP NetWeaver BI Development and transported through the system landscape
  On-going maintenance or adjustments to Standard/Certified Menus will still be conducted in the development environment
  On-going maintenance or adjustments to ad hoc menus will be maintained directly in the affected system and never transported again after the initial folder setup, to prevent query/folder overwriting during transport
  Any additional folders need to be added manually in the Production environment
  All transported queries and workbooks need a menu role assigned; otherwise, they cannot be viewed by the users
How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• DO separate roles that have authorization objects and menus
• DO separate roles that hold reports that are transported (standardized/certified) versus production-created reports (ad hoc)
• But why?
  Authorizations and menus operate on a different modification schedule: Menus get updated more frequently with queries, workbooks, and Web reports
  Ensures ad hoc queries, workbooks, and Web reports created in a Production system are not overwritten by the same role after transporting from Development: Two separate roles – one ad hoc (Production developed objects) and one standard/certified (Development created objects) – should be used.
• Ad hoc query creation is controlled through menus and naming conventions under the BI User Type definitions

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• Correct Setup
  BW Dev. (BWD)
    Standard Menu: Y* Standard Query, Standard Workbooks, Standard Web Reports
    BWD Ad hoc Menu: Z* Ad hoc Query, Ad hoc Workbooks, Ad hoc Web Reports
  BW Prod. (BWP)
    Standard Menu: Y* Standard Query, Standard Workbooks, Standard Web Reports
    BWP Ad hoc Menu: Z* Ad hoc Query, Ad hoc Workbooks, Ad hoc Web Reports

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• Incorrect setup overwrites any ad hocs created in BWP
  Incorrect Setup
  BWD
    One Menu: Y* Standard Query, Standard Workbooks, Standard Web Reports, Z* Ad hoc Query (BWD), Ad hoc Workbooks (BWD), Ad hoc Web Reports (BWD)
How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• Incorrect setup overwrites any ad hocs created in BWP (cont.)
  Incorrect Setup
  BWD
    One Menu: Y* Standard Query, Standard Workbooks, Standard Web Reports, Z* Ad hoc Query (BWD), Ad hoc Workbooks (BWD), Ad hoc Web Reports (BWD)
  BWP
    One Menu: Y* Standard Query, Standard Workbooks, Standard Web Reports, Z* Ad hoc Query (BWP), Ad hoc Workbooks (BWP), Ad hoc Web Reports (BWP)

How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• Incorrect setup overwrites any ad hocs created in BWP (cont.)
  Incorrect Setup
  BWD → BWP (One Menu transported)
    One Menu: Y* Standard Query, Standard Workbooks, Standard Web Reports
    Ad hoc entries affected: Z* Ad hoc Query (BWP), Z* Ad hoc Query (BWD), Ad hoc Workbooks (BWP), Ad hoc Workbooks (BWD), Ad hoc Web Reports (BWP), Ad hoc Web Reports (BWD)
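Added example (not from the presentation): a small Python model of the transport behaviour the correct/incorrect setup slides illustrate. Role names, query names and the transport function are constructed assumptions; a real PFCG role import is modelled here simply as a full replacement of the role's menu in the target system.

```python
"""Why one shared menu role loses production ad hoc reports (constructed model).

A PFCG menu role is modelled as a set of menu entries (query, workbook and
Web report technical names) keyed by role name; a system is a dict of roles.
A transport imports a role into the target system as a full replacement of
that role's menu. All role and object names below are constructed.
"""

# Constructed standard content developed in BWD (Y* convention for standard queries)
STANDARD_CONTENT = {"Y_SALES_OVERVIEW", "WB_SALES_OVERVIEW", "WEB_SALES_OVERVIEW"}


def transport(source, target, role_names):
    """Import the named roles from source into target.

    A role import replaces the role's menu wholesale; entries that exist only
    in the target are dropped. This is the mechanism behind the overwrite.
    """
    for name in role_names:
        target[name] = set(source[name])


def save_ad_hoc(system, role_name, query_name):
    """A production user saves an ad hoc query into a menu role.

    Ad hoc queries follow the Z* naming convention from the BI User Type
    definitions; anything else is rejected so it cannot pass as ad hoc.
    """
    if not query_name.startswith("Z"):
        raise ValueError(f"ad hoc queries must use the Z* convention: {query_name}")
    system.setdefault(role_name, set()).add(query_name)


def incorrect_setup():
    """One menu role holds both standard and ad hoc content (the slide's 'One Menu')."""
    bwd = {"MENU_ONE": set(STANDARD_CONTENT)}
    bwp = {}
    transport(bwd, bwp, ["MENU_ONE"])                    # initial go-live
    save_ad_hoc(bwp, "MENU_ONE", "Z_REGION_DRILLDOWN")   # created directly in BWP
    bwd["MENU_ONE"].add("Y_SALES_MARGIN")                # next release developed in BWD
    transport(bwd, bwp, ["MENU_ONE"])                    # release transported: BWP ad hoc is gone
    return bwp


def correct_setup():
    """Separate standard and ad hoc menu roles; the ad hoc role is transported once only."""
    bwd = {"MENU_STANDARD": set(STANDARD_CONTENT), "MENU_ADHOC": set()}
    bwp = {}
    transport(bwd, bwp, ["MENU_STANDARD", "MENU_ADHOC"])  # initial folder setup, both roles
    save_ad_hoc(bwp, "MENU_ADHOC", "Z_REGION_DRILLDOWN")
    bwd["MENU_STANDARD"].add("Y_SALES_MARGIN")
    transport(bwd, bwp, ["MENU_STANDARD"])                # ad hoc role is never transported again
    return bwp


def ad_hoc_entries(system):
    """All Z* entries visible in a system, across its menu roles."""
    return {e for entries in system.values() for e in entries if e.startswith("Z")}


if __name__ == "__main__":
    print("incorrect:", ad_hoc_entries(incorrect_setup()))  # set(): the BWP ad hoc was overwritten
    print("correct:  ", ad_hoc_entries(correct_setup()))    # {'Z_REGION_DRILLDOWN'}
```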
How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• How to set up a Menu role in transaction PFCG
  The Menu light will be red if the Menu folders are empty. This is okay for the initial setup.
  The Authorization light will remain red, as Authorizations and Menus are defined in two separate roles
How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• Organizational Hierarchy (illustration)
  1000 Corporate
    1001 Logistics Department
      Job_1
      1001001 Purchasing Manager
      1002111 Purchase Operations 1
      1002112 Purchase Operations 2
    1002 Finance Department
      Job_2
• Menu folders shown in the illustration:
  Logistics Department Menu Folders (Both Ad hoc and Standard Menus)
  Finance Department Menu Folders (Both Ad hoc and Standard Menus)
  Corporate Menu Folders
How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• Loss of functionality in SAP NetWeaver BI 7.x
  GOTCHA! The “Enter in Role” feature is no longer supported in BEx
How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• So how can you get queries and workbooks into Menus?
• Queries: can still be saved into the role. This doesn’t create a new technical ID.
• Workbooks: cannot be saved into the role, as this would create a new technical ID
• Tip – Workaround for saving reports/workbooks into menu roles
  Option 1: Use the old SAP BW 3.x tools to assign them. This doesn’t affect the version the query is developed in.
  OR
  Option 2: Go into transaction PFCG and assign the reports/workbooks manually. You may need to review your authorization strategy for this, since transaction PFCG is usually a Security Administrator’s role only.
How to Control Ad Hoc Query Creation Using Menus in Roles (cont.)
• Tip – Go into transaction PFCG and assign the reports/workbooks manually:
How to Distribute the HR Organization Structure
• Cannot use the normal BI extraction toolset under the Data Warehouse Workbench (transaction RSA1)
  SAP NetWeaver BI master data extraction of InfoObject 0ORGUNIT populates the data warehouse
  The HR Organization Structure used for role allocation is separate from the data warehouse and thus functions differently (e.g., distribute method and loading outside of the SAP NetWeaver BI ETL toolsets)
• Prerequisites
  Infotype 0105 is maintained
  Table T77S0, Group PLOGI, Semantic Abbreviation PLOGI has 01 Active Plan version in both systems
  All users must exist in both systems (Central User Administration [CUA] distribution)
How to Distribute the HR Organization Structure (cont.)
• Six steps to distribution
  1. Create the HR-ORG distribution model (view of entire tree) in the source system (e.g., SAP ERP)
  2. Generate partner profiles in the SAP ERP and CUA systems
  3. If the employee (P) object type is undefined in the source system, create an outbound filter using the customer exit in the source system
  4. Activate the change pointers, write change pointers in Infotype 0105
  5. Distribute the initial HR-ORG hierarchy
  6. Distribute changes to the HR-ORG hierarchy
• Refer to the document “Indirect Role Assignment using HR-ORG.pdf” for greater details
How to Distribute the HR Organization Structure (cont.)
• Potential issues
  Model doesn’t distribute. Under step “Creating an HR-ORG Distribution Model in the Sending System,” the filter definitions for the HR System as Target System may not work as documented
    Solution: Create different Filter Groups, run different parameters during initialization and delta of objects. Refer to the document “Indirect Role Assignment using HR-ORG Supplement.doc” for greater details
  Model isn’t found in the target system under the CUA model, although it is successfully distributed
    Solution: Plan the Report RPDAPP01 with type HRMD_ABA
How to Allocate Roles Using HR Organization Structure
• Ensure the Organization Model setting is active
  Execute transaction PFCG
  Select Goto > Settings
  Choose option “Complete view (Organizational Management and workflow)”
How to Allocate Roles Using HR Organization Structure (cont.)
• Nine steps to HR-ORG role allocation
  1. Execute transaction PFCG
  2. Specify the role for assignment
  3. Choose the User tab page
  4. Click the Organizational Mgmt button
  5. Click the Assignment button
  6. Choose Agent Type Organizational unit
  7. Enter Search term * and select the Org tree icon. The HR-ORG is displayed.
  8. Select the node for allocation. Choosing a high node auto-selects lower level nodes.
  9. Specify the relationship validity period. Create.
How to Allocate Roles Using HR Organization Structure (cont.)
• Step 1 – Execute transaction PFCG
• Step 2 – Specify the role for assignment
• Step 3 – Choose the User tab page
• Step 4 – Click the Organizational Mgmt button
How to Allocate Roles Using HR Organization Structure (cont.)
• Step 5 – Click the Assignment button
  Any user IDs that appear green in the tree have been directly assigned to the role
How to Allocate Roles Using HR Organization Structure (cont.)
• Step 6 – Choose Agent Type Organizational unit
• Step 7 – Enter Search term * and select the Org tree icon
How to Allocate Roles Using HR Organization Structure (cont.)
• Step 8 – Select the node for allocation
How to Allocate Roles Using HR Organization Structure (cont.)
• Step 9 – Specify the relationship validity period. Create.
How to Allocate Roles Using HR Organization Structure (cont.)
• Result of the allocation from the HR-ORG tree perspective:
  Organization levels that appear blue in the tree have had Indirect role assignments allocated. Green highlights are Direct role assignments.
How to Allocate Roles Using HR Organization Structure (cont.)
• Result of the allocation from the role perspective, as defined under transaction PFCG (Direct and Indirect assignments)
Query User Example (Direct User Assignment)
Power User Example (Direct User Assignment)
BI Department Administrator Example (Direct User Assignment)
Resources
• SAP Service Marketplace note 934848 “Collective note: (FAQ) BI Administration Cockpit”
• Documentation BI Administration Cockpit: http://help.sap.com/saphelp_nw70/helpdata/en/43/15c54048035a39e10000000a422035/content.htm
• Documentation BI Query Runtime Statistics: http://help.sap.com/saphelp_nw70/helpdata/en/ef/372242c4e05033e10000000a155106/content.htm
• How to Upload Roles into your BI System: “How to Upload the Roles.doc”
• Indirect Role Assignments: http://help.sap.com/saphelp_nw04/helpdata/en/8b/3c713eeaac5441e10000000a114084/frameset.htm
  “Indirect Role Assignment Using HR-ORG.PDF”
  “Indirect Role Assignment Using HR-ORG Supplement.doc”
Resources (cont.)
• Indirect Role Assignments (cont.) – SAP Service Marketplace (https://websmp109.sap-ag.de/notes *)
  SAP Note 200343: HR-CA-ALE: Composite SAP Note Re Distributing HR Master Data
  SAP Note 363187: HR-CA-ALE: Initial Distribution w. HRMD_A/HRMD_ABA (hint)
  SAP Note 200066: HR-CA-ALE: Q&A for Setting Up HR-ALE Scenarios (this note contains links to the QuickStart documentation for ALE and the ALE HR business processes)
  SAP Note 581019: Distribute PFCG HR-ORG model for indirect role assignment
7 Key Points to Take Home
• Use the HR Organizational Hierarchy to distribute roles across an organization
• Allocate roles to positions, jobs, and organizational unit nodes and not a user’s logon ID
• Capture common transactions at the highest point defined in the dependency of BW User Types
  E.g., if an action is required by both Power User and Department Administrator, modify the Power User role
• Use Single roles and allow the hierarchy to build the combined “composite-like” authorizations
7 Key Points to Take Home (cont.)
• More effort is required in the initial setup of a flexible model. However, an inflexible one requires higher on-going maintenance and is more prone to security inconsistencies.
• Separate roles that control user actions from roles that control viewing of data
• Separate roles that have authorizations defined within them from roles that contain only menus, as they operate on a different maintenance schedule
Your Turn!
How to contact me: Tracey Brookes, tbrookes@sapient.com
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Wellesley Information Services, 990 Washington Street, Suite 308, Dedham, MA 02026
Copyright © 2008 Wellesley Information Services. All rights reserved.