This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Beginners Guide on BI Security
Applies to: SAP Business Intelligence 7.0 For more information, visit the Security homepage.
Summary In this unit we will focus only the options for securing SAP BI administrator and the system security requirements for BI.Here it will List the types of tasks required by administration users and describe how to secure those tasks.
Author: Ashok Dalai
Company: Intelligroup Inc
Created on: 06 October 2008
Author Bio Ashok Dalai has more than 3 and half years of experience. He has good understanding of SAP R3 and NetWeaver Components. He worked in r3 security, BI security and CRM security and currently working for Intelligroup Inc as a Basis Consultant.
Table of Contents Course Overview ................................................................................................................................................3 Securing Data Warehousing Workbench Objects ..............................................................................................4
Data Warehousing Objects Secured with S_RS_ADMWB.............................................................................4 Authorization Object S_RS_ICUBE ................................................................................................................6 Authorization Object S_RS_DS2 ....................................................................................................................9 Authorization Object S_RS_DTP..................................................................................................................10 Authorization Object S_RS_ISNEW .............................................................................................................11 Authorization Object S_RS_ISRCM..............................................................................................................13 Authorization Object S_RS_TR ....................................................................................................................14 Authorization Object S_RS_IOBJ .................................................................................................................15 Securing Process Chains..............................................................................................................................16 Authorization Object S_RS_OHDST.............................................................................................................17 Securing Master Data and Documents .........................................................................................................18 Securing BI Documents ................................................................................................................................20 System Communication Security ..................................................................................................................21
BI Security Setup .......................................................................................................................................................21 Other SAP Security Set Up........................................................................................................................................21 RFC Destinations.......................................................................................................................................................22 Using the <RFC_DESTINATION>_DIALOG Destination ...........................................................................................23
Related Content................................................................................................................................................24 Disclaimer and Liability Notice..........................................................................................................................25
Course Overview There are two major types of authorizations in BI. One type focuses on Administrative users and another type focuses on Reporting users. Authorizations for Administrative users in many ways Parallel to mySAP ERP security, but securing BI reporting users is much different. In this unit we will focus only the options for securing SAP BI administrator and the system security requirements for BI. Here it will List the types of tasks required by administration users and describe how to secure those tasks.
1. Explain how to secure Data Warehousing Workbench objects such as InfoProviders, Data Transfer
2. Processes, DataSources, Open Hub Destinations and Process Chains.
3. Explain how to protect maintenance of Master Data and Documents.
4. Briefly describe how to secure Information Broadcasting distribution and Data Mining Objects.
5. Explain the required security set up for communication between BI and other systems.
Securing Data Warehousing Workbench Objects BI Administrators must have access to DataWarehousing Workbench objects, such as InfoProviders, Data Transfer processes, Process Chains, Reporting Agent objects, Open Hub destinations, and DataSources. Administrators must also create and maintain many other DataWarehousing objects. Authorization object S_RS_ADMWB protects these objects. There are only 2 fields attached to this authorization object: Data Warehousing object, and activity. However, this authorization object secures many different Data Warehousing objects.
Data Warehousing Objects Secured with S_RS_ADMWB
• SourceSys Source system • InfoObject InfoObject • Monitor Monitor • ApplComp Application component • InfoArea InfoArea • Workbench Data Warehousing Workbench • Settings Settings • MetaData Metadata • InfoPackag InfoPackage and InfoPackage group • RA_Setting Reporting Agent setting • RA_Package Reporting Agent package • DOC_META Documents for metadata • DOC_MAST Documents for master data • DOC_HIER Documents for hierarchies • DOC_TRAN Documents for transaction data • DOC_ADMIN Administration of document storage • CONT_ADMIN Administration of BI Content systems • CONT_ACT Installation of BI Content • BR_SETTING Broadcast settings (not including your own settings, which have one of the following distribution
types: Broadcast E-Mail, Broadcast to Portal, Broadcast to Printer) • USE_DND Drag and drop to InfoAreas and application components
Note: For authorizations at naming convention level, you need to note the following: User A can edit InfoProviders that lie in InfoAreas with prefix /AB/. User A cannot edit an InfoProvider that lies in
InfoArea /CD/. However, if the user has drag and drop authorization, the user can move the InfoProvider from /CD/ to /AB/ and edit it from there.
• CNG_RUN Attribute change run • REMOD_RULE Modeling Rule "Modeling Rule" for the remodeling tool • IMG_BI BI-relevant activities in the IMG (Customizing) • OLAP_CACHE OLAP cache objects • BIA_ZA BI accelerator monitor checks and activities
Authorization object S_RS_ICUBE protects InfoCubes and the InfoCube sub-objects. Using this authorization object, you can restrict work with the InfoCubes or their subobjects.
The object contains four fields
• InfoArea:
o Here you enter the InfoArea key for which the user can edit InfoCubes.
• InfoCube:
o A user is permitted to edit the InfoCubes that you specify here.
• Notes on InfoCube:
o You use this subobject to specify the part of the InfoCube that the user is permitted to edit. The following subobjects exist:
o Definition - Definition
o UpdateRule - Update rules
o Aggregate - Aggregate
o Data - Data
o ExportISrc - Export DataSource
o Chavlrel - Characteristic relationships (planning relevant)
Authorization to secure datasources is S_RS_DS2. Using this authorization object, you can restrict work with the new DataSource or its subobjects.
The object contains three fields:
• DataSource: Enter the name of the DataSource that a user is allowed to edit.
• Source System: Specify the name of the source system for which a user is allowed to edit DataSources.
• DataSource Subobject: When you specify a subobject, you specify the part of the DataSource that the user is permitted to edit. There are the following subobjects:
The authorizations assigned for the Data Transfer Process (DTP) object, S_RS_DTP, have a higher priority than the authorizations for the underlying objects. Users that have a DTP authorization for a source/target combination do not need read authorization for the source object or write authorization for the target object to execute the DTP.
With this authorization object you can restrict work with the data transfer process (DTP).
The object contains seven fields:
• Type of Source: Specify the type of source here that which a user can create a DTP
• Subtype of the Source: Here, specify the subtype of the source for which a user can create a DTP.
• Source: Specify the name of the source for which a user can create a DTP
• Type of Target: Specify the type of target here for which a user can create a DTP
• Subtype of the Target: Specify the subtype of the target for which a user can create a DTP.
• Target: Specify the name of the target for which a user can create a DTP
• Activities:
o Display DTP definition (activity = 03)
o Maintain DTP definition (activity = 23)
o Execute DTP (activity = 16)
• Note that the subtypes currently only exist for the type InfoObject. Possible alternatives are ATTRIBUTES, and HIERARCHIES.
• If no InfoObject was selected as type the standard setting '*' is to be selected.
• The authorizations assigned for the DTP object have a higher priority than the authorizations for the underlying TLOGO objects. Users that have DTP authorization for a source/target combination, thus require no read authorization for the source object and no write authorization for the target object for execution of the DTP.
Authorization Object S_RS_ISNEW
Authorization to secure InfoSource is S_RS_ISNEW. (Release > BW 3.x)
The authorization object includes three fields:
• Application component: Enter the key for the application component here for which a user can edit InfoSources.
• InfoSource: Specify the InfoSources here that a user can edit.
• Activities:
Display InfoSource (Activity = 03)
Maintain InfoSource (Activity = 23)
You can use the authorization object S_RS_ISOUR to restrict the handling of InfoSources with flexible updating and their subobjects.
The authorization object contains four fields:
• Application component: Enter the application component key here for which a user is allowed to edit InfoSources.
• InfoSource: Enter the InfoSources with flexible updating the user is allowed to edit here.
• Subobject for InfoSource: You use the subobject to specify the part of the InfoSource that the user is allowed to edit.
You can use the authorization object S_RS_IOBJ to restrict how users work with InfoObjects and their sub-objects.
The object has four fields:
• InfoObjectCatalog: This is where you specify the key of the InfoObject catalog that a user is authorized to work with.
• InfoObject: A user is authorized to work with the InfoObjects that you specify here.
• Sub-object of the InfoObject: You use the sub-object to specify the parts of the InfoObject that a user is permitted to work with.
There are the following sub-objects:
o Definition
o UpdateRule
• Activity: Determines whether a user is allowed to display, delete, maintain, or update a sub-object.
o Display InfoObject-Definition (Activity = 03)
o Maintain InfoObject-Definition (Activity = 23)
o Display InfoObject-Update Rules (Activity = 03)
o Maintain InfoObject-Update Rules (Activity = 23)
Note: This authorization object is checked only if the user is not authorized to maintain or display InfoObjects (authorization object: S_RS_ADMWB-InfoObject, activity: maintain/display)
For the administration processes that are included in a process chain, authorization for authorization object S_RS_ADMWB is required.
To create and maintain process chains, authorization for authorization object S_RS_PC is required. This authorization object determines whether process chains can be displayed, changed or executed, and whether logs can be deleted.
The object includes four fields:
• Process chain:
o Here you enter the name of the process chain that a user can edit.
• Application Components:
o Here you enter the name of the application components the process chains of which a user can edit.
• Subobject of the process chain:
o With the subobject, you specify the part of the process chain that can be edited by the user. The following subobjects exist:
o Definition - Metadata of process chain
o Protocols - Protocols of process chains
o Runtime - Execution of process chain
• Activity:
Determines whether you can display, delete or maintain a subobject.
o Display process chain definition (activity = 03)
o Maintain process chain definition (activity= 23)
o Delete protocols for a process chain (activity = 06)
o Execute or schedule a process chain (activity = 16)
In order to be able to change or display master data, authorization checks are made. Authorization assignments and checks are defined by characteristic, or by characteristic value.
To grant authorizations for characteristics, activate authorization assignment by setting Authorization Check indicator in the Master Data/Texts tab page.
The next step is to create a role with the authorizations.
• S_RS_IOMAD a blanket authorization check takes place for a characteristic.
• S_TABU_LIN an authorization check takes place by characteristic value.
With authorization checks by characteristic value, the system generates an organization criterion for the characteristic. The organization criterion generates a connection between table key fields and the authorization fields for the authorization object S_TABU_LIN.
Using authorization object S_TABU_LIN you are able to enter characteristic values in each key field of the master data table for which the user is to have authorization. Do this in the profile generator in role maintenance. In this way you are able to use authorizations to protect the maintenance and display of master data/ texts for this characteristic at single record level.
Characteristic values for which the user has no authorization are then not displayed in the input helps either.
To grant authorizations for characteristics, proceed as follows:
Activate authorization assignment by characteristic value by setting the Master Data Maintenance with Authorization Check indicator in the Master Data/Texts tab page. Activate the characteristic. In Role Maintenance (Transaction PFCG): For blanket authorizations for characteristics, add authorization object S_RS_IOMAD to the role. For authorizations for single characteristic values, add authorization object S_TABU_LIN to the role.
In order to edit documents in the Documents functional area of the Data Warehousing Workbench, the user needs authorization for the authorization object S_RS_ADMWB,
Data Warehousing Workbench Object, with the following:
Metadata: DOC_META
Authorization to display or to edit a metadata object also authorizes the user to display or edit the documents for these metadata objects. Valid activities are: 03 (display), 23 (maintain)
Master data: DOC_MAST
Authorization to display or to edit in specific master data also authorized the user to display or edit the documents for these characteristic values. Valid activities are: 03 (display), 23 (maintain)
InfoProvider data: DOC_TRAN
Authorization objects for transaction data, InfoProviders, are not delivered. They are created as required using Analysis Authorizations (RSECADMIN).
Each analysis process is only valid for the application for which it was created. The authorizations are also assigned specific to an application and are protected with authorizations object RSANPR.
The only authorization necessary for the online execution of broadcasting settings is the authorization for the execution of the underlying reporting objects (for example, the Web template). Any user that has authorization to create background jobs also has authorization for direct scheduling in the background. The authorization object S_BTCH_NAM is required for regular scheduling in background jobs.
This lesson will discuss security regarding communication between BI and other systems.
As data is being extracted from source systems and transferred into BI, you want to ensure that the data is adequately protected. You need to understand the RFC destinations and how they are affected by security. To set up system security, you must set up security for all SAP source systems sending data to BI, in addition to setting up security on BI.
BI Security Setup
In BI, you should create a system (not a dialog) user called BWREMOTE.
BWREMOTE should have the authorization profile S_BI-WHM_RFC.
Note: S_BI-WHM_RFC is a profile, not a role.
This profile will give user BWREMOTE the access needed to extract from an OLTP system. The profile also provides the access required for staging steps to get the data into InfoCubes.
Other SAP Security Set Up
You must set up a user on each SAP system sending data to BI. This includes mySAP ERP, Customer Relationship Management (CRM), Supplier Relationship Management (SRM), Advanced Planning Optimizer (APO), R/3 or any other component SAP system that is sending data to BI. On each of these systems, you should create a system user called BWALEREMOTE.
This user should have the authorization profile S_BI-WX_RFC.
Note: S_BI-WX_RFC is a profile, not a role.
This profile will give user BWALEREMOTE the access needed to connect and send data to the BI system.
It is permissible to use a different name for the users BWREMOTE and BWALEREMOTE. What matters is that the user in BI has the profile S_BI-WHM_RFC and the user in the other SAP system has the profile S_BI-WX_RFC.
RFC (Remote Function Call) destinations tell BI where the source systems are physically located. RFC destinations on the SAP source system tell the source system where the BI system is physically located. RFC destinations define where the other systems reside and how to log on to the other systems.
Setting up RFC destinations is normally not the responsibility of the security administrator. However, the security administrator normally creates the user that is used in the RFC destinations.
The following graphic shows transaction code SM59 on a BI system. This RFC destination is pointing to an SAP system by providing the location of the system and details on how to log on to that system. Whenever this RFC destination is used, you see BWALEREMOTE, who is logged on to the SAP system. The extraction program that uses the RFC destination has access to all objects to which the user BWALEREMOTE has access.
The RFC destination we discussed is used for data extraction. The user IDs involved should be set up as system users. A system user ID cannot log on to a system via a normal GUI screen. The user ID is only for background communication. These user IDs are used exclusively for data extraction processes. Data extraction, however, is only one of the processes that may require communication between BI and another system. For other system-to-system communication processes in BI, there is another RFC destination defined: the <RFC_DESTINATION>_DIALOG destination.
One of the features of BI reporting that relies on system-to-system communication is Query Drill-Through (also referred to as jump targets). With Query Drill-Through, the reporting user can select a line on a BI query result and jump to other queries in BI, or even to other reports or transactions in mySAP ERP. For example, the user may run a BI query showing key figures by material. If configured properly, the user could select a particular material on the report and then ask to jump to mySAP ERP and display the material master record. In this case, BI has to be able to communicate with mySAP ERP in order to log on and execute the transaction code to display the material master record. Another case where the <RFC_DESTINATION>_DIALOG destination is required involves the monitoring of the data extracted from the source systems. The BI administrator can do this from the BI system.
Status indicators from the extraction process are stored in IDOC format. In the BI Monitoring screen, there is an OLTP button. This will connect the BI administrator to mySAP ERP so that the administrator can monitor the IDOCS on that system. Whenever the SAP BW administrator selects OLTP, the RFC destination <RFC_DESTINATION>_DIALOG is invoked. The following figure depicts the screen from the monitor function where this RFC destination is being used.
When setting up the RFC destination <RFC_DESTINATION>_DIALOG, you have some choices regarding the user ID specified: Force the user to always log on to mySAP ERP after selecting OLTP by leaving the User field blank in <RFC_DESTINATION>_DIALOG.
Create a generic user in mySAP ERP with access to monitor IDOCS; use this user in the FC_DESTINATION>_DIALOG destination.
In the RFC destination, select Current User. This will use the current BI user's user ID to log them on to mySAP ERP.
You must decide how you want the BI user to log on to mySAP ERP from BI to perform the requested task, whether that is jumping from report to report or monitoring the IDOCS generated with data extraction. If you use Current User, the system tries to use the same user ID in BI and mySAP ERP. If this is successful, the BI user can work in mySAP ERP with the usual access rights. If the user ID does not exist in mySAP ERP, then the user will be prompted for a user ID and password.
Disclaimer and Liability Notice This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.
SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.
SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.