
BI data level security design

Former Member
0 Kudos

Hello, we have a requirement to restrict data at sales office, which is part of the customer hierarchy node.

User is an employee master data record which will have Sales Office as an attribute.

Sales office will be part of transaction data.

So if a User executes a report it should show only those reports that belong to his Sales Office.

User is not mandated to select Sales office as part of the filter. So even if he runs with no restriction in the filter, it should restrict to only those transactions with his sales office.

There are more than 250 sales offices. To create a role for each may be cumbersome.

What is the best way to design and maintain BI Security for this?

I would really appreciate it if anyone can give a step-by-step approach.

I tried to search in forums but was not clear.

Thanks in advance.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Speak to your BI team about authorization variables. If Sales Org is an attribute of the UMR then you could potentially use this to pass into the auth check. Obviously you will need to prevent users from changing that attribute etc.

There is enough to get you started in the right direction, you can get step by step instructions from your functional team, documentation or appropriate SAP training course.

12 REPLIES

jurjen_heeck
Active Contributor
0 Kudos

For BI security it is important to tell us which version you are using.

0 Kudos

Sorry...the BI Version we are using is BI 7.0

Thanks

Edited by: Ravi on Sep 7, 2010 2:49 AM

0 Kudos

Alex,

Thanks for your response.

I am actually in the BI team. We don't have anyone specifically for security. I am trying to build it myself. I am looking for pointers.

I am looking for some pointers in the design approach. How to pass the Sales Office attribute as an Auth Check? Do I need to use an Authorization Variable? I can do research on exact steps to figure out actually building it if someone can help me with the steps in the design.

Thanks

0 Kudos

Hello Gurus,

Can you help me on the approach? How do I pass the attribute value of the User to determine the authorization?

I have read the BI Analysis Authorization concept documents but it is still not clear.

Any help in the design is greatly appreciated.

Thanks

0 Kudos

Hi Ravi,

If you are looking for authorization objects for BI users for troubleshooting, then please follow the method below:

In the BI system, go to transaction RSUDO, give the test user ID there, tick the logs option, and make sure the 1st option is selected below (RSRT report). Then execute. You need to give the query name for which the error occurs and then execute. You will then get the error "no authorization". Go back to the main page of RSUDO. Click on Analyze logs.

You will find the missing authorizations shown in the logs.

Also you can check the below thread:

0 Kudos

Siddarth,

I am not looking to troubleshoot security issues for users. I am trying to build the security for our BI Reporting solution.

I have worked with Roles for restriction of displaying the report, but I am trying to understand how to design data level security where transaction data is filtered based on the user's authorization. The user may not do selection at the filter level but the data should be restricted based on the Sales Office Info Object.

I have not used analysis authorization before. Since Sales Office will be part of User Employee master record, I am trying to understand how to pass this dynamically to restrict data.

Thanks

0 Kudos

Hi Ravi,

I think you already know that you can achieve this with an analysis authorizations setup where you create a different one for each sales office. Much of the task can be automated using SECATT. If you do not want to create separate roles for each user, the analysis authorizations can be directly assigned to the users as well through the RSECADMIN transaction. But ensuring the correct security would certainly need some maintenance effort.

You can also investigate the use of customer exit variables in your design, but this will need some coding effort. The first step is to create a variable of type customer exit for Sales Office and use it to restrict Sales Office in your query. You need to implement the enhancement RSR00001 and supply appropriate code in the EXIT_SAPLRRS0_001 to read the user master record for each user and restrict by sales area. As long as Sales Office is authorization relevant you would need to create an analysis authorization with this characteristic and insert the customer exit variable that you just created. You also have to ensure that users do not have access to change the parameters in their user master.

There are quite a few resources in SDN itself which talk at length on the subject. Since I have personally not used customer exit variables for security, some of the details in the process might be incorrect but this should get you started.

Regards,

Aninda

0 Kudos

Aninda,

Thanks for your response. It's very helpful. I understand that with a customer exit variable I can restrict the data for the sales office that the user can see. I can read the user profile in CMOD and pass the appropriate variable value.

What I don't understand is what the purpose of the analysis authorization is in this case. What do I gain by assigning the customer exit variable in RSECADMIN? What happens if I don't make it authorization relevant?

With analysis authorization, do I still need to restrict each query with the authorization variable?

Thanks

0 Kudos

Hi Ravi,

I will try to answer your questions.

As far as I understand, the customer variable will only be called if and only if the field is restricted using the customer exit variable. If it's not authorization relevant, I always have the choice to not use the variable during query definition and use it to access data that I shouldn't have access to.

Hence, in addition to using the customer exit variable, we need to make the characteristic variable authorization relevant and use the variable in the analysis authorizations. Note that in RSECADMIN we no longer use value authorizations but the customer exit variable itself. This ensures that no user can get access to unauthorized data, as an unrestricted query will return an authorization error for the values of the characteristic being queried. Also, while using customer exit variables you do not need to restrict via authorization variables any more.

Hope this helps!

Regards,

Aninda
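
The customer exit variable described in the two replies above, as an added example that is not code from this thread or from SAP: it shows the body of include ZXRSRU01 (called by EXIT_SAPLRRS0_001 in enhancement RSR00001) filling the variable from the user master. The variable name `ZV_SOFF_AUTH` and the user parameter ID `ZSOFF` are hypothetical; substitute the names used in your system.

```abap
* Include ZXRSRU01 - called by EXIT_SAPLRRS0_001 (enhancement RSR00001).
* Added sketch: variable name and parameter ID below are hypothetical.

DATA: ls_range  LIKE LINE OF e_t_range,
      lv_office TYPE usr05-parva.

CASE i_vnam.

  WHEN 'ZV_SOFF_AUTH'.          " hypothetical customer exit variable

*   I_STEP = 0: call from outside the variable screen, which is how the
*               variable is resolved when it is entered in an analysis
*               authorization in RSECADMIN.
*   I_STEP = 1: call before the variable screen, used when the same
*               variable restricts Sales Office in the query itself.
    IF i_step = 0 OR i_step = 1.

*     Always resolve the office for the executing user (SY-UNAME),
*     never from anything the user can type into the query.
      SELECT SINGLE parva FROM usr05 INTO lv_office
        WHERE bname = sy-uname
          AND parid = 'ZSOFF'.  " hypothetical user parameter ID

      IF sy-subrc = 0 AND lv_office IS NOT INITIAL.
        CLEAR ls_range.
        ls_range-sign = 'I'.
        ls_range-opt  = 'EQ'.
        ls_range-low  = lv_office.
        APPEND ls_range TO e_t_range.
      ENDIF.

*     No parameter maintained: E_T_RANGE is left empty so that no
*     sales office is supplied for this user. Assumption: confirm the
*     resulting behaviour for such a user with a RSUDO test run.
    ENDIF.

ENDCASE.
```

Because the value comes from the user master, the restriction is only as strong as the control over who can maintain that parameter, which is the point both replies make about preventing users from changing it.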

0 Kudos

Aninda,

Thanks that explains. It makes sense.

If I understand correctly.. by making the object authorization relevant and using customer exit variable in RSECADMIN it will restrict user from running any query that has no restrictions by giving the no authorization error.

The query still needs to be restricted with exit variable if the report data needs to be filtered based on that info Object.

I have assigned full points to you.

Thanks

0 Kudos

An easy way to restrict users on Sales Office values is to ask your BI Consultant (who designed the query) to include the Sales Office field in the query.

If maintenance of 250 Sales Offices is difficult, then maintain it according to Sales Area/Zone. You need to check with the superuser about giving access to a Sales Area (covers multiple Sales Offices).