SlideShare a Scribd company logo

An expert guide to new sap bi security features

S
Shazia_Sultana
Technology
1 of 72
Download to read offline
An Expert Guide to New SAP BI Security Features Marc Bernard SAP Labs
© SAP AG 2006, 2 Objectives In this session you will … Learn how to grant access to data on various levels of detail Find out how the new analysis authorizations compare to the old concept based on authorization objects Understand the new options for defining authorizations See a demonstration of the new functionality Hear about migration tools Take away information about the latest monitoring and auditing capabilities for security settings
Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
© SAP AG 2006, 5 SAP NetWeaver Security DB and OS Abstraction .NET WebSphere Secure User AccessInfrastructureSecurity Secure Collaboration SoftwareLifecycleSecurity Application Security SAP NetWeaver SecuritySAP NetWeaver Security ……
© SAP AG 2006, 6 SAP NetWeaver Roles and Authorizations 101 Application Security Based on roles and authorization concept Users are assigned to roles Roles contain authorizations Authorizations are defined for authorization objects The system checks authorization objects against the authorizations of the user
© SAP AG 2006, 7 Comparison of OLTP and OLAP Security Needs Security Needs in mySAP ERP (OLTP) Transaction-based security Driven by: Transaction codes Specific field values Which activities a user can perform Focused on getting daily work completed as quickly and efficiently as possible Security Needs in SAP NetWeaver BI (OLAP) Analysis-based security Driven by: InfoProviders Queries Data Different business purpose and goals than OLTP Focused on displaying, planning, and analyzing data
© SAP AG 2006, 8 Terminology Standard Authorizations Based on standard role and authorization concept of SAP Was and still are used for BI administrator and developer activities Reporting Authorizations Old security concept up to SAP NetWeaver ’04 (up to SAP BW 3.5) Control for which data a user has access to in a query Realized through the standard authorization concept, which has many limitations Analysis Authorizations New security concept as of SAP NetWeaver 2004s Is not based on standard authorization concept in order to overcome the limitations Takes features of reporting and analysis in BI into consideration Covered in this presentation
© SAP AG 2006, 9 Introduction to Analysis Authorizations Scenario: Sufficient Authorizations Complete selection is subset of authorizations Query results will be shown Scenario: Insufficient Authorizations Complete or part of selection is outside of authorizations Query results will not be shown at all Authorizations Query Selection Authorizations Query Selection
© SAP AG 2006, 10 Introduction to Analysis Authorizations (cont.) Exceptions for “All-or-Nothing” Rule Display hierarchies are automatically filtered by the authorization Key figure values are not displayed if the key figure is not authorized
© SAP AG 2006, 11 Authorization Levels Access Can Be Restricted by Authorizations … On InfoCube Level On Characteristic Level On Characteristic Value Level On Key Figure Level On Hierarchy Node Level Authorization Authorization Autho- rization On Key Figure LevelOn Characteristic Value Level On Characteristic Level
Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing and Test Tools Migration Summary
© SAP AG 2006, 13 Comparing Authorization Concepts Limitations of earlier SAP BW releases Authorization objects <=SAP BW 3.x Technical Foundation Not changeable afterwards Maintenance Ten InfoObjectsNumber of InfoObjects Only on global basisNavigational Attributes Via GUID and 0TCTAUTHH Hierarchy Authorizations Only intersection of auth. objects permitted Composition of Authorizations Per InfoObject AND InfoCube Authorization Relevance Tied to role onlyValidity Separate authorization objects (S_RS_*) InfoProvider Authorizations
© SAP AG 2006, 14 Comparing Authorization Concepts (cont.) Improvements with SAP NetWeaver 2004s Analysis authorizationAuthorization objects <=SAP BW 3.x SAP NetWeaver 2004s Technical Foundation Changeable Not changeable afterwards Maintenance Number of InfoObjects not limited Ten InfoObjectsNumber of InfoObjects IndividuallyOnly on global basisNavigational Attributes Equivalent to value authorizations Via GUID and 0TCTAUTHH Hierarchy Authorizations Union “as expected” Only intersection of auth. objects permitted Composition of Authorizations Only InfoObject setting Per InfoObject AND InfoCube Authorization Relevance Flexible per authorizationTied to role onlyValidity Included in authorization Separate authorization objects (S_RS_*) InfoProvider Authorizations
© SAP AG 2006, 15 Comparing Authorization Concepts (cont.) Please see the appendix on your take-home CD for a detailed comparison
Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
© SAP AG 2006, 17 Steps of Authorization Maintenance Follow these steps to create your authorizations InfoObject Maintenance (RSD1): 1. Define Authorization-Relevant Characteristics 2. Define Authorization-Relevant Attributes Management of Analysis Authorizations (RSECADMIN): 3. Authorize Characteristic Values 4. Authorize Attribute Values 5. Authorize Hierarchies 6. Add Special Authorization Characteristics 7. Add Key Figure Authorizations 8. Add Variables in Authorizations
© SAP AG 2006, 18 Business Content for Authorizations Before you get started, here are some tips: Activate all Business Content related to authorizations before you get started InfoObjects: 0TCA* (and 0TCT* if not done already) InfoCubes: 0TCA* Set the following InfoObjects as “authorization-relevant” 0TCAACTVT 0TCAIPROV 0TCAVALID 0TCAKYFNM Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV
© SAP AG 2006, 19 1. Authorization-Relevant Characteristics Before restricting authorizations on characteristics, you have to mark them as authorization-relevant InfoObject Maintenance (Transaction RSD1)
© SAP AG 2006, 20 2. Authorizing Navigational Attributes If you want to grant authorizations on navigational attributes, mark them in the attribute tab strip as authorization-relevant InfoObject Maintenance (Transaction RSD1)
© SAP AG 2006, 21 3. Authorizing Characteristic Values Scenario: A group of users is authorized only to specific sales organizations (e.g., Berlin and Birmingham) Central maintenance for (analysis) authorizations/ transaction RSECADMIN
© SAP AG 2006, 22 3. Authorizing Characteristic Values (cont.) A group of users is authorized only to specific sales organizations (e.g., Berlin and Birmingham) Possible Values EQ: Single value BT: Range of values CP: Contains (simple) patterns ending with * (e.g., XY*) (Berlin) (Birmingham)
© SAP AG 2006, 23 Special Authorization Value Special Authorization Values (for all characteristics) * (asterisk) Denotes a set of arbitrary characters Used alone to grant access to all values Used at the end of a value to specify a simple pattern (example: SAP*) : (colon) Allows access only to aggregated data (e.g., allows information on all sales areas only on aggregated level – not on particular sales areas) + (plus) Denotes exactly one character Used at the end of a value to specify a simple pattern (example: RED+) Used to specify date patterns (only for Validity (0TCAVALID)) # (hash) Stands for the initial or unassigned value
© SAP AG 2006, 24 4. Authorizing Navigational Attributes Navigational Attributes Can be assigned individually Tip: The referencing characteristic (here: 0D_SALE_ORG) does not need to be authorization-relevant
© SAP AG 2006, 25 5. Authorizing Hierarchies In the same way as with value authorization, you can also grant authorizations on hierarchy levels Assume you’ll have a sales organization as depicted
© SAP AG 2006, 26 5. Authorizing Hierarchies (cont.) Now you grant access for the complete Americas and France You can also use variables to flexibly and dynamically determine hierarchy nodes
© SAP AG 2006, 27 Only the selected nodes 5. Authorizing Hierarchies (cont.) Use case: Hierarchies that happen to be restructured regularly Subtree below nodes Subtree below nodes to level (incl.) Complete hierarchy Subtree below nodes to (and including) level (relative) Type of Authorization
© SAP AG 2006, 28 5. Authorizing Hierarchies (cont.) Validity Range Which authorization hierarchy is checked against the currently used hierarchy (strictness of check)? Name, Version Identical, and Key Date Less Than or Equal to Name and Version Identical Name Identical All Hierarchies Recommendation: Try to be as strict as possible!
© SAP AG 2006, 29 6. Special Authorization Characteristics Authorizations on Special Characteristics Some special characteristics can be included in an authorization. Note: They must not be included in queries! These special characteristics must be assigned to a user in at least one authorization InfoProvider Validity Activity Insert special characteristics
© SAP AG 2006, 30 6. Special Authorization Characteristics (cont.) Recommendation It is not technically necessary to include these special characteristics in every authorization, but it is considered a best practice in order to retain clarity
© SAP AG 2006, 31 6. Special Authorization Characteristics (cont.) InfoProvider Grant authorization to particular InfoProviders Technical name: 0TCAIPROV Possible values: Single value (EQ) One InfoProvider Range (BT) Range of InfoProviders Pattern (CP) Selection of InfoProviders (e.g., 0SD_*) Hierarchy node Selection of InfoProviders based on InfoArea hierarchy Default * All InfoProviders
© SAP AG 2006, 32 6. Special Authorization Characteristics (cont.) Validity Define when authorizations are valid or not valid Technical name: 0TCAVALID Possible values Include (I) Grant authorization Exclude (E) Deny authorization ^ Single value (EQ) Exactly one date Range (BT) Range of dates Less or Equal (LE) Everything <= value in FROM field ^ Greater Than (GT) Everything > value in FROM field ^ Greater or Equal (GE) Everything >= value in FROM field ^ Less Than (LT) Everything < value in FROM field ^ Pattern (CP) Selection of dates ^ + (plus) denotes exactly one character (e.g., 01.++.2005 until 10.++.2005: allows access only the first 10 days of each month in 2005) Default * Always valid ^ Exclude (E), special ranges (LE, GT, GE, LT), and the plus pattern (+) work ONLY for this special characteristic!
© SAP AG 2006, 33 6. Special Authorization Characteristics (cont.) Activity Grant authorization to different activities Technical name: 0TCAACTVT Possible values: 02 Change data (for example, for business planning) 03 Display data Default 03 Display data
© SAP AG 2006, 34 7. Key Figure Authorizations Key Figure Authorizations Grant authorization to particular key figures Technical name: 0TCAKYFNM Possible values Single value (EQ) Exactly one key figure Range (BT) Selection of key figures Pattern (CP) Selection of key figures based on pattern Default * All key figures Tip: If a particular key figure is defined as authorization-relevant, it will be checked for every InfoProvider
© SAP AG 2006, 35 8. Variables in Authorizations Variables of Type “Customer Exit” For value and/or hierarchy authorizations Determined during query runtime using custom code Example: Determine sales organization from assignments of the user master data Use enhancement RSR00001 (transaction CMOD) for the necessary coding
Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
© SAP AG 2006, 37 Steps for Generating Authorizations Follow these steps to generate authorizations automatically: Data Warehouse Workbench (RSA1): 1. Activate Business Content 2. Load DataStore Objects Management of Analysis Authorizations (RSECADMIN): 3. Generate Authorizations 4. View Generation Log Tip: Especially with high user counts or very detailed authorizations, generating authorizations will save a lot of manual work
© SAP AG 2006, 38 1. Activate Business Content Business Content for Authorizations SAP delivers Business Content for storing authorizations and user assignment of authorizations Human Resources (HR) Controlling (CO)
© SAP AG 2006, 39 2. Load DataStore Objects DataStore Objects for Authorizations Fill the DataStore objects with the user data and authorizations Extract the data, for example, from an SAP R/3 source system or Load the data from a flat file Tip: You might want to add some consistency checks here to avoid errors during the generation later
© SAP AG 2006, 40 3. Generate Authorizations Generation of Authorizations from DataStore Objects Start the generation by specifying the relevant DataStore objects
© SAP AG 2006, 41 4. View Generation Log After the generation is complete, you can view a detailed log First check errors, then also look at warnings
Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing and Test Tools Migration Summary
© SAP AG 2006, 43 Steps for Assigning Authorizations to Users Pick one of these options to assign authorizations to users: Management of Analysis Authorizations (RSECADMIN): 1. Assign Individual Authorizations 2. Assign Groups of Authorizations Role Maintenance (PFCG): 3. Assign Authorizations to Roles Tip: You can use a combination of these options. If you already have a role-based infrastructure in place, option 3 will be the best.
© SAP AG 2006, 44 1. Assigning Individual Authorizations Direct Assignment of Authorizations to Users Select a user ID and change the assignment Then insert individual authorizations to the assigned list
© SAP AG 2006, 45 2. Assigning Groups of Authorizations Assignment of Groups of Authorizations to Users You can group authorizations into a hierarchy. Use InfoObject 0TCTAUTH for this hierarchy (you’ll have to activate the content objects for this InfoObject). Then you can assign one or several authorization groups to the selected user
© SAP AG 2006, 46 Special Authorization Generated Special Authorization: 0BI_ALL Automatically generated and not changeable Grants authorizations for all values of all authorization-relevant characteristics Adjusted whenever a new InfoObject is set to authorization-relevant Simple possibility to grant authorizations to everything (e.g., via role – see next slide)
© SAP AG 2006, 47 3. Assigning Authorizations to Roles Role Maintenance Alternatively to the direct assignment, you can also assign authorizations to roles, which can then be assigned to users Use authorization object S_RS_AUTH for the assignment of authorizations to roles Maintain the authorizations as values for field BIAUTH
Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
© SAP AG 2006, 49 Steps for Monitoring, Auditing, and Testing Use these tools for monitoring, auditing, and testing authorizations: 1. Authorization Monitoring 2. Legal Audit Tip: The improved monitoring capabilities are especially helpful for production support
© SAP AG 2006, 50 1. Authorization Monitoring Checking Authorizations Log on with your own user ID (production support role) Check query execution with the authorizations of a specific user Tip: There is no password required. Therefore, access to this support tool should be restricted using authorization object S_RSEC.
© SAP AG 2006, 51 1. Authorization Monitoring (cont.) Evaluate Log Protocol Turn on logging of user activities related to analysis authorizations View detailed information about authorization checks Which characteristics are relevant? Which selections are checked vs. which authorizations? And much more ...
© SAP AG 2006, 52 2. Legal Auditing Recording of Changes Activate the following VirtualProviders from the Business Content (VAL = Values, HIE = Hierarchies, UA = User Assignment) The system records all changes to authorizations and user assignments Using a query, you can easily answer questions like: How many users have access to a given InfoCube? Which users have access to company code 1000? When was authorization GIVEMEALL created, and by whom?
© SAP AG 2006, 53 2. Legal Auditing (cont.) Recording of Changes Query Example Linked into Administration Cockpit
Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
© SAP AG 2006, 55 Steps for Migration of Authorizations Follow these four steps to migrate authorizations: Migration Tool (program RSEC_MIGRATION): 1. Select Users 2. Select Authorizations 3. Pick Assignment Method 4. Set Migration Mode Tip: Allocate enough time to do the migration during your system upgrade and for performing thorough tests
© SAP AG 2006, 56 Before You Start Migration Support The migration is a singular event (i.e., not to be scheduled later) During migration to the new authorization concept, the existing concept won’t be changed Semi-automatic migration The more complex the existing authorization concept, the more manual migration work might be necessary Customer-exit variables for 0TCTAUTHH cannot be migrated; the respective hierarchy nodes must be assigned manually Intensive tests are highly recommended
© SAP AG 2006, 57 Before You Start (cont.) Recommendations It is highly recommended to migrate to the new concept The former authorization concept won’t be supported any longer You can, however, switch back to the former concept – in some exceptional cases (IMG setting)
© SAP AG 2006, 58 Start the Migration Migration Step 0 Run ABAP program RSEC_MIGRATION (transaction SA38 or SE38)
© SAP AG 2006, 59 User 2 1. User Selection Migration Step 1 Choose users Migration can be done for singular user groups Prerequisite: A user group must be complete and self-contained! User 1 Authorization Object 1 Authorization Object 2 Authorization Object 3 If User 1 is chosen and Authorization Objects 1 and 2 should be migrated, you have to choose User 2 as well in order to have a complete user group Note: There might be entangled dependencies of users with respect to the authorization objects. You’ll get a message with information on the missing users in case the user group is not compete.
© SAP AG 2006, 60 2. Authorization Selection Migration Step 2 Choose authorization objects to be migrated
© SAP AG 2006, 61 3. Assignment Method Migration Step 3 Choose an assignment method Direct user assignment Migrated authorizations will be assigned to the users directly (not via roles) Migrated authorizations have prefix RSR_ and will be treated like generated authorizations Create new profiles Generation of profiles based on authorization object S_RS_AUTH that contains the new, migrated authorizations Preserves the existing role concept and adds new profiles to the role Generated profiles have prefix RSR_ Extend existing profiles Existing profiles will be extended by authorization object S_RS_AUTH containing the migrated authorizations Undo migration All migrated authorizations and profiles will be deleted; extended profiles contain empty authorization object R_RS_AUTH
© SAP AG 2006, 62 4. Migration Mode Migration Step 4 Choose details of authorization migration “expert mode” Settings for referencing navigational attributes and characteristics are only relevant for the compatibility mode setting in SAP BW 3.x Please have a look at the detailed documentation for more information
© SAP AG 2006, 63 After the Migration Run Migration Protocol At the end of the migration run, view the detailed protocol Check for warnings and errors reported during the migration Tip: The migration can be quite tricky. It helps if you have good documentation of the existing authorization setup (for example, to define user groups for the migration)
Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
© SAP AG 2006, 65 sdn.sap.com Where to Find Free Public Technical Information SAP Developer Network (it’s free and public)
© SAP AG 2006, 66 service.sap.com Where to Find Application and Educational Information SAP Service Marketplace/security
© SAP AG 2006, 67 SAP Security Web Information – Link Collection http://sdn.sap.com* http://service.sap.com/security* http://service.sap.com/securityguide* http://service.sap.com/education* http://help.sap.com/nw2004s mailto:security@sap.com service.sap.com* * Requires login credentials to the SAP Service Marketplace
© SAP AG 2006, 68 For more information: Access the SAP Developer Network – www.sdn.sap.com The central hub for the SAP technology community Everyone can connect, contribute and collaborate- consultants, administrators and developers Focus around SAP NetWeaver and SAP xApps High quality of technical resources Articles, how-to guides, weblogs, collaborative areas, discussion forums and downloads, toolkits and code-samples A collaboration platform, not a one-way street SAP experts from customers, partners and SAP SDN is powered by SAP NetWeaver™ Built on the SAP Enterprise Portal Featuring collaboration capabilities of SAP Knowledge Management
© SAP AG 2006, 69 7 Key Points to Take Home BI authorizations for analysis are based on an appropriate concept for business-oriented security requirements Using the new concept for analysis authorizations is recommended The new features contain major improvements for administrators, leading to lower TCO Authorizations can be generated automatically based on various DataStores The infrastructure for maintenance and monitoring of analysis authorizations is highly integrated Take a good look at the new reporting capabilities to support usage and auditing of authorizations A migration support tool is available
© SAP AG 2006, 70 Q&A marc.bernard@sap.com Questions?
© SAP AG 2006, 71 No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C® , World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. Copyright 2006 SAP AG. All Rights Reserved
© SAP AG 2006, 72 Demo

Recommended

SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security conceptsSiva Pradeep Bolisetti
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questionsSiva Pradeep Bolisetti
 
BI Security (1).ppt
BI Security (1).pptBI Security (1).ppt
BI Security (1).pptcsekar2
 
165373293 sap-security-q
165373293 sap-security-q165373293 sap-security-q
165373293 sap-security-qAnywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU)
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasksSiva Pradeep Bolisetti
 
Authorisations in SAP: best practices
Authorisations in SAP: best practicesAuthorisations in SAP: best practices
Authorisations in SAP: best practicesJonathan Eemans
 
Cua setup procedure SAP security
Cua setup procedure SAP securityCua setup procedure SAP security
Cua setup procedure SAP securitySiva Pradeep Bolisetti
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 

Recommended

SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security conceptsSiva Pradeep Bolisetti
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questionsSiva Pradeep Bolisetti
 
BI Security (1).ppt
BI Security (1).pptBI Security (1).ppt
BI Security (1).pptcsekar2
 
165373293 sap-security-q
165373293 sap-security-q165373293 sap-security-q
165373293 sap-security-qAnywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU)
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasksSiva Pradeep Bolisetti
 
Authorisations in SAP: best practices
Authorisations in SAP: best practicesAuthorisations in SAP: best practices
Authorisations in SAP: best practicesJonathan Eemans
 
Cua setup procedure SAP security
Cua setup procedure SAP securityCua setup procedure SAP security
Cua setup procedure SAP securitySiva Pradeep Bolisetti
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsTL Technologies - Thoughts Become Things
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
Scalable security modeling sap bw analysis authorizations
Scalable security modeling sap bw analysis authorizationsScalable security modeling sap bw analysis authorizations
Scalable security modeling sap bw analysis authorizationsPallavi Koppula
 
Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis SecurityGuang Ying Yuan
 
Travel management configuration steps
Travel management configuration stepsTravel management configuration steps
Travel management configuration stepsAbhijeet Walke
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grchkodali
 
Sap interface overview
Sap interface overviewSap interface overview
Sap interface overviewgnareshmbacwa
 
Sap system landscape best practice
Sap system landscape best practiceSap system landscape best practice
Sap system landscape best practiceAbdulrahman Abdulrahim
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
Sap User Exit for Functional Consultant
Sap User Exit for Functional ConsultantSap User Exit for Functional Consultant
Sap User Exit for Functional ConsultantAnkit Sharma
 
Edit idoc , reprocess and test idoc
Edit idoc , reprocess and test idocEdit idoc , reprocess and test idoc
Edit idoc , reprocess and test idoclakshmi rajkumar
 
Creating business group in oracle apps
Creating business group in oracle appsCreating business group in oracle apps
Creating business group in oracle appsGurpreet singh
 
SAP PM Master Data Training Guide
SAP PM Master Data Training GuideSAP PM Master Data Training Guide
SAP PM Master Data Training Guidesapdocs. info
 
SAP ECC 6.0 PM Configuration Manual - www.sapdocs.info
SAP ECC 6.0 PM Configuration Manual - www.sapdocs.infoSAP ECC 6.0 PM Configuration Manual - www.sapdocs.info
SAP ECC 6.0 PM Configuration Manual - www.sapdocs.infosapdocs. info
 
Oracle R12 Multi org ivas
Oracle R12 Multi org ivasOracle R12 Multi org ivas
Oracle R12 Multi org ivasAli Ibrahim
 
SAP - Business process Automation - Accounts Receivable
SAP - Business process Automation - Accounts Receivable SAP - Business process Automation - Accounts Receivable
SAP - Business process Automation - Accounts Receivable Rui Fonseca Dias
 
Batch Expiration Date Management in SAP MRP/MPS
Batch Expiration Date Management in SAP MRP/MPS Batch Expiration Date Management in SAP MRP/MPS
Batch Expiration Date Management in SAP MRP/MPS Vijay Pisipaty
 
SAP Lock Box Process
SAP Lock Box ProcessSAP Lock Box Process
SAP Lock Box ProcessSurya Padhi
 
New gl sonda
New gl sondaNew gl sonda
New gl sondaMaria Inez Consultora SAP FI CO SR
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRCtechgurusuresh
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 

More Related Content

What's hot

SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
Scalable security modeling sap bw analysis authorizations
Scalable security modeling sap bw analysis authorizationsScalable security modeling sap bw analysis authorizations
Scalable security modeling sap bw analysis authorizationsPallavi Koppula
 
Travel management configuration steps
Travel management configuration stepsTravel management configuration steps
Travel management configuration stepsAbhijeet Walke
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grchkodali
 
Sap interface overview
Sap interface overviewSap interface overview
Sap interface overviewgnareshmbacwa
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
Sap User Exit for Functional Consultant
Sap User Exit for Functional ConsultantSap User Exit for Functional Consultant
Sap User Exit for Functional ConsultantAnkit Sharma
 
Edit idoc , reprocess and test idoc
Edit idoc , reprocess and test idocEdit idoc , reprocess and test idoc
Edit idoc , reprocess and test idoclakshmi rajkumar
 
Creating business group in oracle apps
Creating business group in oracle appsCreating business group in oracle apps
Creating business group in oracle appsGurpreet singh
 
SAP PM Master Data Training Guide
SAP PM Master Data Training GuideSAP PM Master Data Training Guide
SAP PM Master Data Training Guidesapdocs. info
 
SAP ECC 6.0 PM Configuration Manual - www.sapdocs.info
SAP ECC 6.0 PM Configuration Manual - www.sapdocs.infoSAP ECC 6.0 PM Configuration Manual - www.sapdocs.info
SAP ECC 6.0 PM Configuration Manual - www.sapdocs.infosapdocs. info
 
Oracle R12 Multi org ivas
Oracle R12 Multi org ivasOracle R12 Multi org ivas
Oracle R12 Multi org ivasAli Ibrahim
 
SAP - Business process Automation - Accounts Receivable
SAP - Business process Automation - Accounts Receivable SAP - Business process Automation - Accounts Receivable
SAP - Business process Automation - Accounts Receivable Rui Fonseca Dias
 
Batch Expiration Date Management in SAP MRP/MPS
Batch Expiration Date Management in SAP MRP/MPS Batch Expiration Date Management in SAP MRP/MPS
Batch Expiration Date Management in SAP MRP/MPS Vijay Pisipaty
 
SAP Lock Box Process
SAP Lock Box ProcessSAP Lock Box Process
SAP Lock Box ProcessSurya Padhi
 

What's hot (20)

How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systems
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC Framework
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshop
 
Scalable security modeling sap bw analysis authorizations
Scalable security modeling sap bw analysis authorizationsScalable security modeling sap bw analysis authorizations
Scalable security modeling sap bw analysis authorizations
 
Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis Security
 
Travel management configuration steps
Travel management configuration stepsTravel management configuration steps
Travel management configuration steps
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc
 
Sap interface overview
Sap interface overviewSap interface overview
Sap interface overview
 
Sap system landscape best practice
Sap system landscape best practiceSap system landscape best practice
Sap system landscape best practice
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answers
 
Sap User Exit for Functional Consultant
Sap User Exit for Functional ConsultantSap User Exit for Functional Consultant
Sap User Exit for Functional Consultant
 
Edit idoc , reprocess and test idoc
Edit idoc , reprocess and test idocEdit idoc , reprocess and test idoc
Edit idoc , reprocess and test idoc
 
Creating business group in oracle apps
Creating business group in oracle appsCreating business group in oracle apps
Creating business group in oracle apps
 
SAP PM Master Data Training Guide
SAP PM Master Data Training GuideSAP PM Master Data Training Guide
SAP PM Master Data Training Guide
 
SAP ECC 6.0 PM Configuration Manual - www.sapdocs.info
SAP ECC 6.0 PM Configuration Manual - www.sapdocs.infoSAP ECC 6.0 PM Configuration Manual - www.sapdocs.info
SAP ECC 6.0 PM Configuration Manual - www.sapdocs.info
 
Oracle R12 Multi org ivas
Oracle R12 Multi org ivasOracle R12 Multi org ivas
Oracle R12 Multi org ivas
 
SAP - Business process Automation - Accounts Receivable
SAP - Business process Automation - Accounts Receivable SAP - Business process Automation - Accounts Receivable
SAP - Business process Automation - Accounts Receivable
 
Batch Expiration Date Management in SAP MRP/MPS
Batch Expiration Date Management in SAP MRP/MPS Batch Expiration Date Management in SAP MRP/MPS
Batch Expiration Date Management in SAP MRP/MPS
 
SAP Lock Box Process
SAP Lock Box ProcessSAP Lock Box Process
SAP Lock Box Process
 
New gl sonda
New gl sondaNew gl sonda
New gl sonda
 

Viewers also liked

SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 
Extensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications WebinarExtensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications WebinarNextLabs, Inc.
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0Latha Kamal
 
SAP BW - Info object (characteristics)
SAP BW - Info object (characteristics)SAP BW - Info object (characteristics)
SAP BW - Info object (characteristics)Yasmin Ashraf
 
SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)SAP Latinoamérica
 
Erp sap r3 overview introduction
Erp sap r3 overview introductionErp sap r3 overview introduction
Erp sap r3 overview introductionBunty Jain
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 trainingsuresh
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP SecurityNasir Gondal
 
Sap modules overview and business processes
Sap modules overview and business processesSap modules overview and business processes
Sap modules overview and business processessrilu999
 

Viewers also liked (16)

SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRC
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
 
Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access Control
 
Extensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications WebinarExtensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications Webinar
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0
 
SAP BW - Info object (characteristics)
SAP BW - Info object (characteristics)SAP BW - Info object (characteristics)
SAP BW - Info object (characteristics)
 
The ABAP Query
The ABAP QueryThe ABAP Query
The ABAP Query
 
SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)
 
Erp sap r3 overview introduction
Erp sap r3 overview introductionErp sap r3 overview introduction
Erp sap r3 overview introduction
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 training
 
SAP grc
SAP grc SAP grc
SAP grc
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important Questions
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP Security
 
Sap modules overview and business processes
Sap modules overview and business processesSap modules overview and business processes
Sap modules overview and business processes
 
SAP BW Introduction.
SAP BW Introduction.SAP BW Introduction.
SAP BW Introduction.
 

Similar to An expert guide to new sap bi security features

157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf
157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf
157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdfRobertMarcinov1
 
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...NextLabs, Inc.
 
Advanced Authorization for SAP Global Deployments Part I of III
Advanced Authorization for SAP Global Deployments Part I of IIIAdvanced Authorization for SAP Global Deployments Part I of III
Advanced Authorization for SAP Global Deployments Part I of IIINextLabs, Inc.
 
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptxS4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptxITAdmin28
 
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...NextLabs, Inc.
 
Advanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of IIIAdvanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of IIINextLabs, Inc.
 
Introduction to the Wave Platform API
Introduction to the Wave Platform APIIntroduction to the Wave Platform API
Introduction to the Wave Platform APISalesforce Developers
 
Advanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of IIIAdvanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of IIINextLabs, Inc.
 
Iam suite introduction
Iam suite introductionIam suite introduction
Iam suite introductionwardell henley
 
Gain Insights, Make Decisions, and Take Action Across a Streamlined and Autom...
Gain Insights, Make Decisions, and Take Action Across a Streamlined and Autom...Gain Insights, Make Decisions, and Take Action Across a Streamlined and Autom...
Gain Insights, Make Decisions, and Take Action Across a Streamlined and Autom...Arraya Solutions
 
Increase Salesforce Performance using Platform Cache Demo
Increase Salesforce Performance using Platform Cache DemoIncrease Salesforce Performance using Platform Cache Demo
Increase Salesforce Performance using Platform Cache DemoVineet Goel ☁
 
CSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 BrochureCSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 BrochureCSI tools
 
Automation Desk II: Policy-Driven Automation and a Glimpse into the Future of...
Automation Desk II: Policy-Driven Automation and a Glimpse into the Future of...Automation Desk II: Policy-Driven Automation and a Glimpse into the Future of...
Automation Desk II: Policy-Driven Automation and a Glimpse into the Future of...Kaseya
 
FLS_EA_Checklist_AppName_v5.pptx
FLS_EA_Checklist_AppName_v5.pptxFLS_EA_Checklist_AppName_v5.pptx
FLS_EA_Checklist_AppName_v5.pptxssuser7b9cdf
 
Salesforce Spring 14 Release Developer Overview
Salesforce Spring 14 Release Developer OverviewSalesforce Spring 14 Release Developer Overview
Salesforce Spring 14 Release Developer OverviewRoy Gilad
 

Similar to An expert guide to new sap bi security features (20)

Casa engl
Casa englCasa engl
Casa engl
 
157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf
157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf
157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf
 
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
 
Advanced Authorization for SAP Global Deployments Part I of III
Advanced Authorization for SAP Global Deployments Part I of IIIAdvanced Authorization for SAP Global Deployments Part I of III
Advanced Authorization for SAP Global Deployments Part I of III
 
ClearPass Policy Model - An Introduction
ClearPass Policy Model - An IntroductionClearPass Policy Model - An Introduction
ClearPass Policy Model - An Introduction
 
Opa in the api management world
Opa in the api management worldOpa in the api management world
Opa in the api management world
 
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptxS4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx
 
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
 
Advanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of IIIAdvanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of III
 
Introduction to the Wave Platform API
Introduction to the Wave Platform APIIntroduction to the Wave Platform API
Introduction to the Wave Platform API
 
Advanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of IIIAdvanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of III
 
Iam suite introduction
Iam suite introductionIam suite introduction
Iam suite introduction
 
Gain Insights, Make Decisions, and Take Action Across a Streamlined and Autom...
Gain Insights, Make Decisions, and Take Action Across a Streamlined and Autom...Gain Insights, Make Decisions, and Take Action Across a Streamlined and Autom...
Gain Insights, Make Decisions, and Take Action Across a Streamlined and Autom...
 
Increase Salesforce Performance using Platform Cache Demo
Increase Salesforce Performance using Platform Cache DemoIncrease Salesforce Performance using Platform Cache Demo
Increase Salesforce Performance using Platform Cache Demo
 
Oracle_Procurement_Cloud_Release_8_Whats_New
Oracle_Procurement_Cloud_Release_8_Whats_NewOracle_Procurement_Cloud_Release_8_Whats_New
Oracle_Procurement_Cloud_Release_8_Whats_New
 
CSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 BrochureCSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 Brochure
 
Automation Desk II: Policy-Driven Automation and a Glimpse into the Future of...
Automation Desk II: Policy-Driven Automation and a Glimpse into the Future of...Automation Desk II: Policy-Driven Automation and a Glimpse into the Future of...
Automation Desk II: Policy-Driven Automation and a Glimpse into the Future of...
 
FLS_EA_Checklist_AppName_v5.pptx
FLS_EA_Checklist_AppName_v5.pptxFLS_EA_Checklist_AppName_v5.pptx
FLS_EA_Checklist_AppName_v5.pptx
 
Salesforce Spring 14 Release Developer Overview
Salesforce Spring 14 Release Developer OverviewSalesforce Spring 14 Release Developer Overview
Salesforce Spring 14 Release Developer Overview
 
What is sap security
What is sap securityWhat is sap security
What is sap security
 

Recently uploaded

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

An expert guide to new sap bi security features

  • 1. An Expert Guide to New SAP BI Security Features Marc Bernard SAP Labs
  • 2. © SAP AG 2006, 2 Objectives In this session you will … Learn how to grant access to data on various levels of detail Find out how the new analysis authorizations compare to the old concept based on authorization objects Understand the new options for defining authorizations See a demonstration of the new functionality Hear about migration tools Take away information about the latest monitoring and auditing capabilities for security settings
  • 3. Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
  • 4. Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
  • 5. © SAP AG 2006, 5 SAP NetWeaver Security DB and OS Abstraction .NET WebSphere Secure User AccessInfrastructureSecurity Secure Collaboration SoftwareLifecycleSecurity Application Security SAP NetWeaver SecuritySAP NetWeaver Security ……
  • 6. © SAP AG 2006, 6 SAP NetWeaver Roles and Authorizations 101 Application Security Based on roles and authorization concept Users are assigned to roles Roles contain authorizations Authorizations are defined for authorization objects The system checks authorization objects against the authorizations of the user
  • 7. © SAP AG 2006, 7 Comparison of OLTP and OLAP Security Needs Security Needs in mySAP ERP (OLTP) Transaction-based security Driven by: Transaction codes Specific field values Which activities a user can perform Focused on getting daily work completed as quickly and efficiently as possible Security Needs in SAP NetWeaver BI (OLAP) Analysis-based security Driven by: InfoProviders Queries Data Different business purpose and goals than OLTP Focused on displaying, planning, and analyzing data
  • 8. © SAP AG 2006, 8 Terminology Standard Authorizations Based on standard role and authorization concept of SAP Was and still are used for BI administrator and developer activities Reporting Authorizations Old security concept up to SAP NetWeaver ’04 (up to SAP BW 3.5) Control for which data a user has access to in a query Realized through the standard authorization concept, which has many limitations Analysis Authorizations New security concept as of SAP NetWeaver 2004s Is not based on standard authorization concept in order to overcome the limitations Takes features of reporting and analysis in BI into consideration Covered in this presentation
  • 9. © SAP AG 2006, 9 Introduction to Analysis Authorizations Scenario: Sufficient Authorizations Complete selection is subset of authorizations Query results will be shown Scenario: Insufficient Authorizations Complete or part of selection is outside of authorizations Query results will not be shown at all Authorizations Query Selection Authorizations Query Selection
  • 10. © SAP AG 2006, 10 Introduction to Analysis Authorizations (cont.) Exceptions for “All-or-Nothing” Rule Display hierarchies are automatically filtered by the authorization Key figure values are not displayed if the key figure is not authorized
  • 11. © SAP AG 2006, 11 Authorization Levels Access Can Be Restricted by Authorizations … On InfoCube Level On Characteristic Level On Characteristic Value Level On Key Figure Level On Hierarchy Node Level Authorization Authorization Autho- rization On Key Figure LevelOn Characteristic Value Level On Characteristic Level
  • 12. Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing and Test Tools Migration Summary
  • 13. © SAP AG 2006, 13 Comparing Authorization Concepts Limitations of earlier SAP BW releases Authorization objects <=SAP BW 3.x Technical Foundation Not changeable afterwards Maintenance Ten InfoObjectsNumber of InfoObjects Only on global basisNavigational Attributes Via GUID and 0TCTAUTHH Hierarchy Authorizations Only intersection of auth. objects permitted Composition of Authorizations Per InfoObject AND InfoCube Authorization Relevance Tied to role onlyValidity Separate authorization objects (S_RS_*) InfoProvider Authorizations
  • 14. © SAP AG 2006, 14 Comparing Authorization Concepts (cont.) Improvements with SAP NetWeaver 2004s Analysis authorizationAuthorization objects <=SAP BW 3.x SAP NetWeaver 2004s Technical Foundation Changeable Not changeable afterwards Maintenance Number of InfoObjects not limited Ten InfoObjectsNumber of InfoObjects IndividuallyOnly on global basisNavigational Attributes Equivalent to value authorizations Via GUID and 0TCTAUTHH Hierarchy Authorizations Union “as expected” Only intersection of auth. objects permitted Composition of Authorizations Only InfoObject setting Per InfoObject AND InfoCube Authorization Relevance Flexible per authorizationTied to role onlyValidity Included in authorization Separate authorization objects (S_RS_*) InfoProvider Authorizations
  • 15. © SAP AG 2006, 15 Comparing Authorization Concepts (cont.) Please see the appendix on your take-home CD for a detailed comparison
  • 16. Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
  • 17. © SAP AG 2006, 17 Steps of Authorization Maintenance Follow these steps to create your authorizations InfoObject Maintenance (RSD1): 1. Define Authorization-Relevant Characteristics 2. Define Authorization-Relevant Attributes Management of Analysis Authorizations (RSECADMIN): 3. Authorize Characteristic Values 4. Authorize Attribute Values 5. Authorize Hierarchies 6. Add Special Authorization Characteristics 7. Add Key Figure Authorizations 8. Add Variables in Authorizations
  • 18. © SAP AG 2006, 18 Business Content for Authorizations Before you get started, here are some tips: Activate all Business Content related to authorizations before you get started InfoObjects: 0TCA* (and 0TCT* if not done already) InfoCubes: 0TCA* Set the following InfoObjects as “authorization-relevant” 0TCAACTVT 0TCAIPROV 0TCAVALID 0TCAKYFNM Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV
  • 19. © SAP AG 2006, 19 1. Authorization-Relevant Characteristics Before restricting authorizations on characteristics, you have to mark them as authorization-relevant InfoObject Maintenance (Transaction RSD1)
  • 20. © SAP AG 2006, 20 2. Authorizing Navigational Attributes If you want to grant authorizations on navigational attributes, mark them in the attribute tab strip as authorization-relevant InfoObject Maintenance (Transaction RSD1)
  • 21. © SAP AG 2006, 21 3. Authorizing Characteristic Values Scenario: A group of users is authorized only to specific sales organizations (e.g., Berlin and Birmingham) Central maintenance for (analysis) authorizations/ transaction RSECADMIN
  • 22. © SAP AG 2006, 22 3. Authorizing Characteristic Values (cont.) A group of users is authorized only to specific sales organizations (e.g., Berlin and Birmingham) Possible Values EQ: Single value BT: Range of values CP: Contains (simple) patterns ending with * (e.g., XY*) (Berlin) (Birmingham)
  • 23. © SAP AG 2006, 23 Special Authorization Value Special Authorization Values (for all characteristics) * (asterisk) Denotes a set of arbitrary characters Used alone to grant access to all values Used at the end of a value to specify a simple pattern (example: SAP*) : (colon) Allows access only to aggregated data (e.g., allows information on all sales areas only on aggregated level – not on particular sales areas) + (plus) Denotes exactly one character Used at the end of a value to specify a simple pattern (example: RED+) Used to specify date patterns (only for Validity (0TCAVALID)) # (hash) Stands for the initial or unassigned value
  • 24. © SAP AG 2006, 24 4. Authorizing Navigational Attributes Navigational Attributes Can be assigned individually Tip: The referencing characteristic (here: 0D_SALE_ORG) does not need to be authorization-relevant
  • 25. © SAP AG 2006, 25 5. Authorizing Hierarchies In the same way as with value authorization, you can also grant authorizations on hierarchy levels Assume you’ll have a sales organization as depicted
  • 26. © SAP AG 2006, 26 5. Authorizing Hierarchies (cont.) Now you grant access for the complete Americas and France You can also use variables to flexibly and dynamically determine hierarchy nodes
  • 27. © SAP AG 2006, 27 Only the selected nodes 5. Authorizing Hierarchies (cont.) Use case: Hierarchies that happen to be restructured regularly Subtree below nodes Subtree below nodes to level (incl.) Complete hierarchy Subtree below nodes to (and including) level (relative) Type of Authorization
  • 28. © SAP AG 2006, 28 5. Authorizing Hierarchies (cont.) Validity Range Which authorization hierarchy is checked against the currently used hierarchy (strictness of check)? Name, Version Identical, and Key Date Less Than or Equal to Name and Version Identical Name Identical All Hierarchies Recommendation: Try to be as strict as possible!
  • 29. © SAP AG 2006, 29 6. Special Authorization Characteristics Authorizations on Special Characteristics Some special characteristics can be included in an authorization. Note: They must not be included in queries! These special characteristics must be assigned to a user in at least one authorization InfoProvider Validity Activity Insert special characteristics
  • 30. © SAP AG 2006, 30 6. Special Authorization Characteristics (cont.) Recommendation It is not technically necessary to include these special characteristics in every authorization, but it is considered a best practice in order to retain clarity
  • 31. © SAP AG 2006, 31 6. Special Authorization Characteristics (cont.) InfoProvider Grant authorization to particular InfoProviders Technical name: 0TCAIPROV Possible values: Single value (EQ) One InfoProvider Range (BT) Range of InfoProviders Pattern (CP) Selection of InfoProviders (e.g., 0SD_*) Hierarchy node Selection of InfoProviders based on InfoArea hierarchy Default * All InfoProviders
  • 32. © SAP AG 2006, 32 6. Special Authorization Characteristics (cont.) Validity Define when authorizations are valid or not valid Technical name: 0TCAVALID Possible values Include (I) Grant authorization Exclude (E) Deny authorization ^ Single value (EQ) Exactly one date Range (BT) Range of dates Less or Equal (LE) Everything <= value in FROM field ^ Greater Than (GT) Everything > value in FROM field ^ Greater or Equal (GE) Everything >= value in FROM field ^ Less Than (LT) Everything < value in FROM field ^ Pattern (CP) Selection of dates ^ + (plus) denotes exactly one character (e.g., 01.++.2005 until 10.++.2005: allows access only the first 10 days of each month in 2005) Default * Always valid ^ Exclude (E), special ranges (LE, GT, GE, LT), and the plus pattern (+) work ONLY for this special characteristic!
  • 33. © SAP AG 2006, 33 6. Special Authorization Characteristics (cont.) Activity Grant authorization to different activities Technical name: 0TCAACTVT Possible values: 02 Change data (for example, for business planning) 03 Display data Default 03 Display data
  • 34. © SAP AG 2006, 34 7. Key Figure Authorizations Key Figure Authorizations Grant authorization to particular key figures Technical name: 0TCAKYFNM Possible values Single value (EQ) Exactly one key figure Range (BT) Selection of key figures Pattern (CP) Selection of key figures based on pattern Default * All key figures Tip: If a particular key figure is defined as authorization-relevant, it will be checked for every InfoProvider
  • 35. © SAP AG 2006, 35 8. Variables in Authorizations Variables of Type “Customer Exit” For value and/or hierarchy authorizations Determined during query runtime using custom code Example: Determine sales organization from assignments of the user master data Use enhancement RSR00001 (transaction CMOD) for the necessary coding
  • 36. Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
  • 37. © SAP AG 2006, 37 Steps for Generating Authorizations Follow these steps to generate authorizations automatically: Data Warehouse Workbench (RSA1): 1. Activate Business Content 2. Load DataStore Objects Management of Analysis Authorizations (RSECADMIN): 3. Generate Authorizations 4. View Generation Log Tip: Especially with high user counts or very detailed authorizations, generating authorizations will save a lot of manual work
  • 38. © SAP AG 2006, 38 1. Activate Business Content Business Content for Authorizations SAP delivers Business Content for storing authorizations and user assignment of authorizations Human Resources (HR) Controlling (CO)
  • 39. © SAP AG 2006, 39 2. Load DataStore Objects DataStore Objects for Authorizations Fill the DataStore objects with the user data and authorizations Extract the data, for example, from an SAP R/3 source system or Load the data from a flat file Tip: You might want to add some consistency checks here to avoid errors during the generation later
  • 40. © SAP AG 2006, 40 3. Generate Authorizations Generation of Authorizations from DataStore Objects Start the generation by specifying the relevant DataStore objects
  • 41. © SAP AG 2006, 41 4. View Generation Log After the generation is complete, you can view a detailed log First check errors, then also look at warnings
  • 42. Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing and Test Tools Migration Summary
  • 43. © SAP AG 2006, 43 Steps for Assigning Authorizations to Users Pick one of these options to assign authorizations to users: Management of Analysis Authorizations (RSECADMIN): 1. Assign Individual Authorizations 2. Assign Groups of Authorizations Role Maintenance (PFCG): 3. Assign Authorizations to Roles Tip: You can use a combination of these options. If you already have a role-based infrastructure in place, option 3 will be the best.
  • 44. © SAP AG 2006, 44 1. Assigning Individual Authorizations Direct Assignment of Authorizations to Users Select a user ID and change the assignment Then insert individual authorizations to the assigned list
  • 45. © SAP AG 2006, 45 2. Assigning Groups of Authorizations Assignment of Groups of Authorizations to Users You can group authorizations into a hierarchy. Use InfoObject 0TCTAUTH for this hierarchy (you’ll have to activate the content objects for this InfoObject). Then you can assign one or several authorization groups to the selected user
  • 46. © SAP AG 2006, 46 Special Authorization Generated Special Authorization: 0BI_ALL Automatically generated and not changeable Grants authorizations for all values of all authorization-relevant characteristics Adjusted whenever a new InfoObject is set to authorization-relevant Simple possibility to grant authorizations to everything (e.g., via role – see next slide)
  • 47. © SAP AG 2006, 47 3. Assigning Authorizations to Roles Role Maintenance Alternatively to the direct assignment, you can also assign authorizations to roles, which can then be assigned to users Use authorization object S_RS_AUTH for the assignment of authorizations to roles Maintain the authorizations as values for field BIAUTH
  • 48. Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
  • 49. © SAP AG 2006, 49 Steps for Monitoring, Auditing, and Testing Use these tools for monitoring, auditing, and testing authorizations: 1. Authorization Monitoring 2. Legal Audit Tip: The improved monitoring capabilities are especially helpful for production support
  • 50. © SAP AG 2006, 50 1. Authorization Monitoring Checking Authorizations Log on with your own user ID (production support role) Check query execution with the authorizations of a specific user Tip: There is no password required. Therefore, access to this support tool should be restricted using authorization object S_RSEC.
  • 51. © SAP AG 2006, 51 1. Authorization Monitoring (cont.) Evaluate Log Protocol Turn on logging of user activities related to analysis authorizations View detailed information about authorization checks Which characteristics are relevant? Which selections are checked vs. which authorizations? And much more ...
  • 52. © SAP AG 2006, 52 2. Legal Auditing Recording of Changes Activate the following VirtualProviders from the Business Content (VAL = Values, HIE = Hierarchies, UA = User Assignment) The system records all changes to authorizations and user assignments Using a query, you can easily answer questions like: How many users have access to a given InfoCube? Which users have access to company code 1000? When was authorization GIVEMEALL created, and by whom?
  • 53. © SAP AG 2006, 53 2. Legal Auditing (cont.) Recording of Changes Query Example Linked into Administration Cockpit
  • 54. Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
  • 55. © SAP AG 2006, 55 Steps for Migration of Authorizations Follow these four steps to migrate authorizations: Migration Tool (program RSEC_MIGRATION): 1. Select Users 2. Select Authorizations 3. Pick Assignment Method 4. Set Migration Mode Tip: Allocate enough time to do the migration during your system upgrade and for performing thorough tests
  • 56. © SAP AG 2006, 56 Before You Start Migration Support The migration is a singular event (i.e., not to be scheduled later) During migration to the new authorization concept, the existing concept won’t be changed Semi-automatic migration The more complex the existing authorization concept, the more manual migration work might be necessary Customer-exit variables for 0TCTAUTHH cannot be migrated; the respective hierarchy nodes must be assigned manually Intensive tests are highly recommended
  • 57. © SAP AG 2006, 57 Before You Start (cont.) Recommendations It is highly recommended to migrate to the new concept The former authorization concept won’t be supported any longer You can, however, switch back to the former concept – in some exceptional cases (IMG setting)
  • 58. © SAP AG 2006, 58 Start the Migration Migration Step 0 Run ABAP program RSEC_MIGRATION (transaction SA38 or SE38)
  • 59. © SAP AG 2006, 59 User 2 1. User Selection Migration Step 1 Choose users Migration can be done for singular user groups Prerequisite: A user group must be complete and self-contained! User 1 Authorization Object 1 Authorization Object 2 Authorization Object 3 If User 1 is chosen and Authorization Objects 1 and 2 should be migrated, you have to choose User 2 as well in order to have a complete user group Note: There might be entangled dependencies of users with respect to the authorization objects. You’ll get a message with information on the missing users in case the user group is not compete.
  • 60. © SAP AG 2006, 60 2. Authorization Selection Migration Step 2 Choose authorization objects to be migrated
  • 61. © SAP AG 2006, 61 3. Assignment Method Migration Step 3 Choose an assignment method Direct user assignment Migrated authorizations will be assigned to the users directly (not via roles) Migrated authorizations have prefix RSR_ and will be treated like generated authorizations Create new profiles Generation of profiles based on authorization object S_RS_AUTH that contains the new, migrated authorizations Preserves the existing role concept and adds new profiles to the role Generated profiles have prefix RSR_ Extend existing profiles Existing profiles will be extended by authorization object S_RS_AUTH containing the migrated authorizations Undo migration All migrated authorizations and profiles will be deleted; extended profiles contain empty authorization object R_RS_AUTH
  • 62. © SAP AG 2006, 62 4. Migration Mode Migration Step 4 Choose details of authorization migration “expert mode” Settings for referencing navigational attributes and characteristics are only relevant for the compatibility mode setting in SAP BW 3.x Please have a look at the detailed documentation for more information
  • 63. © SAP AG 2006, 63 After the Migration Run Migration Protocol At the end of the migration run, view the detailed protocol Check for warnings and errors reported during the migration Tip: The migration can be quite tricky. It helps if you have good documentation of the existing authorization setup (for example, to define user groups for the migration)
  • 64. Overview of New Authorization Concept Comparison of Old and New Authorization Concepts Authorization Maintenance Generating Authorizations Automatically Assigning Authorizations to Users and Roles Monitoring, Auditing, and Test Tools Migration Summary
  • 65. © SAP AG 2006, 65 sdn.sap.com Where to Find Free Public Technical Information SAP Developer Network (it’s free and public)
  • 66. © SAP AG 2006, 66 service.sap.com Where to Find Application and Educational Information SAP Service Marketplace/security
  • 67. © SAP AG 2006, 67 SAP Security Web Information – Link Collection http://sdn.sap.com* http://service.sap.com/security* http://service.sap.com/securityguide* http://service.sap.com/education* http://help.sap.com/nw2004s mailto:security@sap.com service.sap.com* * Requires login credentials to the SAP Service Marketplace
  • 68. © SAP AG 2006, 68 For more information: Access the SAP Developer Network – www.sdn.sap.com The central hub for the SAP technology community Everyone can connect, contribute and collaborate- consultants, administrators and developers Focus around SAP NetWeaver and SAP xApps High quality of technical resources Articles, how-to guides, weblogs, collaborative areas, discussion forums and downloads, toolkits and code-samples A collaboration platform, not a one-way street SAP experts from customers, partners and SAP SDN is powered by SAP NetWeaver™ Built on the SAP Enterprise Portal Featuring collaboration capabilities of SAP Knowledge Management
  • 69. © SAP AG 2006, 69 7 Key Points to Take Home BI authorizations for analysis are based on an appropriate concept for business-oriented security requirements Using the new concept for analysis authorizations is recommended The new features contain major improvements for administrators, leading to lower TCO Authorizations can be generated automatically based on various DataStores The infrastructure for maintenance and monitoring of analysis authorizations is highly integrated Take a good look at the new reporting capabilities to support usage and auditing of authorizations A migration support tool is available
  • 70. © SAP AG 2006, 70 Q&A marc.bernard@sap.com Questions?
  • 71. © SAP AG 2006, 71 No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C® , World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. Copyright 2006 SAP AG. All Rights Reserved
  • 72. © SAP AG 2006, 72 Demo