gold client bw security guide

061212.2

powered by

Gold Client BW Security Guide

Gold Client BW 2.2 Security

© 2010-2013 Hayes Technology Group, Inc.

Copyright

© 20010 Hayes Technology Group, Inc. All rights reserved.

No part of this document may be reproduced or transmitted in any form or for any

purpose without the express permission of Hayes Technology Group, Inc.

Hayes Technology Group makes no warranties or representations with respect to the

content hereof, and assumes no responsibility for errors in this document. Hayes

Technology Group shall not be liable for special, indirect, incidental, or consequential

damages, including without limitation, lost revenues or lost profits which may result

from the use of these materials. The information contained in this document is

subject to change without notice.

Trademarks

Gold Client and the Gold Client logo are registered trademarks of Hayes Technology

Group, Inc.

SAP, SAP NetWeaver, ABAP and other SAP products and services mentioned herein

as well as their respective logos are trademarks or registered trademarks of SAP AG

in Germany and in several other countries all over the world.

All other product and company names herein may be trademarks of their respective

owners.


1 © 2010-2013 Hayes Technology Group, Inc.

Introduction

This document serves as a guide for enabling and configuring the security

authorization for use of the Gold Client BW tool. This guide will explain the Gold

Client BW authorization object and other authorizations needed to execute different

parts of the tool.

Additional security is built into the tool so when Gold Client BW is installed in

production the import functionality and selective deletion functionality is disabled.

Gold Client BW Security Object

Overview

Gold Client BW delivers its own authorization object Z_GC_BW. Each button on the

main Gold Client BW screen can be activated or deactivated with this authorization

object. Along with this object there are additional authorizations needed to enable

the Gold Client BW user to use the tool.

Enabling and Disabling Gold Client BW Security

Gold Client BW is installed with the authorization disabled. To enable the Gold Client

BW security the following program needs to be executed with transaction SE38.

/HTG/OP

To disable Gold Client BW Security execute the following.

/HTG/VAN

Note: The programs will not show a completed screen when executed.



Authorization Object Z_GC_BW

The authorization Object Z_GC_BW when added to a role gives the ability to enable

or disable certain functionality within Gold Client BW. The authorization is controlled

by enabling or disabling each button on the main screen in Gold Client BW. The

following is a screen shot of the different options for the authorization object.



Below is the main screen of Gold Client BW. Each button is controlled by the

authorization object Z_GC_BW.



Data Transfer

Data Transfer (for Master and Transaction Data) located on the right hand side of the

main Gold Client BW screen is the area that is used to define, configure, export, and

import data. Each activity is controlled by the authorization object.

40 Transactional Data Transfer: ALL

All Buttons from 41 to 44

41 Transactional Data: Export

42 Transactional Data: Import

43 Transactional Data: Scenario Create, Copy & Change

44 Transactional Data: Scenario Delete + 43



50 Gold Client Administrator

The Gold Client BW Administrator has 51, 52 and 53 assigned to enable

setting up the framework, maintain configuration, memory settings for Gold

Client BW, file path et al.

51 Setup Framework

The setup framework is required to identify and catalog all existing BW Cubes,

DSO and InfoObjects which are active and have data i.e. relevant for export.

This needs to be run each time new objects are added to the exporting

system.

52 Utilities

Utilities button will allow users to view and execute utilities as determined by

the administrator.

53 Admin Tools

Admin tools are required by the Gold Client BW Administrator to maintain

configuration, utilities, memory settings for Gold Client BW, file path et al.



54 Compare InfoProvider

This will allow users to VIEW InfoProvider structures and the differences (if

any) between BW systems.

55 Align InfoProvider

This will allow users to create/change and activate InfoProvider structures

based on the structure in a different BW system. This is NOT available in

Production system

56 Copy Queries

This will allow users to create Queries based on the structure in a different

BW system. This is NOT available in Production / source system

60 Custom Data Transfer: ALL


61 Custom Data: Export

62 Custom Data: Import



63 Custom Data: Scenario Create, Copy & Change

64 Custom Data: Scenario Delete + 43

70 Master Data Transfer: ALL


71 Master Data: Export

72 Master Data: Import

73 Master Data: Scenario Create, Copy & Change



74 Master Data: Scenario Delete + 73

75 Master Data: Enable Export

80 Delete Data

81 Delete Data: Transactional

82 Delete Data: Master



Sample Roles

Overview

The following are three sample roles for using Gold Client BW. They are examples of

how the authorizations can be configured for different users and can easily be

adjusted for different activities depending on the user’s role. During the installation

and training of the Gold Client BW software roles and responsibilities will be

discussed.



Administrator Role

A sample Administrator role would enable the BW Lead or Basis person to execute all

parts of the Gold Client BW tool. Historically, the Basis team is responsible for

moving data from a source client to the target client, but the Gold Client BW will give

the flexibility to the BW team too.



End User Role

A sample End User Role would enable the authorization to export or import the data.

This example also gives the ability to use the Utility Application, as well as compare

InfoProviders and Copy queries.



The End user role does not have the ability to create InfoProviders using the Align

InfoProvider functionality.

If this functionality is required for a particular user, it is best to assign the SUPERUSER

role instead of ENDUSER role.



Super User Role

A sample Super User role would enable the same activity the end user role has but

also enables the Gold Client BW Setup Framework function and the Align

InfoProvider functionality



Exporter Role

A sample Exporter role would enable the user role to export data and enables the

Gold Client BW Setup Framework function. This is an additional security measure to

not allow any data imports into the Source (typically Production)



Importer Role

A sample Importer role would enable the user role to import data. This is an

additional security measure to not allow any data exports from the Target systems

(typically Development, SandBox or Training)



Table Authorization Group HTG

All /HTG/ tables have been assigned to authorization group HTG. This will allow

Security to develop roles that only give table maintenance access to /HTG/ tables

without compromising access to non-Gold Client BW tables.

Additional Authorization to use Gold Client BW

Along with the Gold Client BW authorization object, additional authorization is

needed to use Gold Client BW.

Access to run transaction ZGOLDBW is needed.

S_TCODE

Ability to change and display Gold Client BW tables. All Gold Client BW tables are in

the namespace /HTG/ with authorization group HTG.

S_BTCH_ADM



Ability to run jobs in the Background.

S_BTCH_JOB

If a user has authorization to export data within Gold Client BW then authorization to

write to the Gold Client BW File Path is needed.

S_DATASET

S_GUI

S_TABU_DIS

S_ALV_LAYO



If a user has authorization to import data within Gold Client BW then authorization to

open to the Gold Client BW File Path is needed.

S_C_FUNCT

BW authorizations needed (if not already setup for user)

S_RS_ADMWB

S_RS_AUTH



The below are required for importing data.

S_RS_ISNEW

S_RS_ISOUR

S_RS_ISRCM

S_RS_COMP

S_APPL_LOG



S_RS_DS

S_RS_TR



The below are required for Comparing InfoProviders between systems, Creating

InfoProviders based on definition in other system and Copying Queries between

systems.

S_RFC_ADM

S_RS_ICUBE

S_RS_ODSO

S_TRANSLAT



S_CTS_ADMI

S_CTS_SADM

S_DOKU_AUT



Additional Authorization to Install and Configure Gold Client BW

During the installation process the Install Engineer will require additional

authorization to complete the install process. Along with all activities in the Gold

Client BW authorization object other standard authorizations will be needed.

Specifically the transactions ST05, SE11, SE16, STMS, SM30, access to maintain

tables in /HTG/* (authorization S_TABU_DIS), write authorization for the Gold Client

BW file path (authorization S_DATASET), and the ability to create transports and

release them.

Usually assigning a Basis role with the additional S_TABU_DIS and S_DATASET Gold

Client BW authorizations is sufficient for installing and configuring Gold Client BW

during the install week.

NOTE for SAP BW 7.3 systems:

SAP introduced a new table in BW release 7.3 which is updated the first time profiles

are generated. This is a way to prevent unauthorized role changes with an added

layer of security. Gold Client authorization activity fields need to be part of this table

and if missing from this table will not display the Z_GC_BW Auth. Object screen

properly (as in the screen shots in this Guide)

To resolve this, update the missing entries in this table using SAP function module

SAUT_UPD_AUTH_FLDINFO_TMP (via transaction SE37)

It has three parameters.

AUTH_FLDINFO_TMP_T – Fill the following values for field Fieldname.

"ZGCBWACTVT"

"Z_GC_BW"

LANGU – This can be left blank.

Mode – ‘M’ Modify.



Support Information

Hayes Technology Group, Inc. can be contacted either by telephone or via email. Any

support related issue regarding problems with or use of the Gold Client software and

process can be reported for resolution.

If our offices are closed, or staff is unable to directly respond to a support request,

we will respond within 24 hours of the initial call. Problems related to the export or

import processing may require code enhancements. If a code enhancement or fix is

required, resolution time may vary.

As per the maintenance agreement, any repairs or enhancements to the Gold Client

software will immediately be deployed to all customers up-to-date with their

maintenance contract. It is the choice of the customer as to if and when such

enhancements are implemented. In addition, customers may request a planning

session with Hayes Technology Group to review changes in the software and how the

changes might impact their environment.

We can also be contacted to discuss application or feasibility of using the Gold Client

process to resolve a current challenge the project team faces. When this is required,

a planning session can be scheduled in advance to ensure proper participation by

both Hayes Technology Group and the client.

Corporate Offices:

Hayes Technology Group, Inc.

Three Hawthorn Parkway

Suite 225

Vernon Hills, IL 60061

USA

Website:

www.hayestechnology.com

Contact:

[email protected]

1-877-484-8982 (Toll Free in the USA)

Phone: 847-543-8982

Fax: 847-543-9053

http://www.hayestechnology.com/

mailto:[email protected]

gold client bw security guide

Documents