
BI: Security Design Issue

Former Member
0 Kudos

Hello,

We need to design a solution for BI-Security. The requirement is to allow only a specific set of users (based on Org. Unit) to access Annual Salary + Employee Attributes, whereas all other users need to access only Employee Attributes.

Any kind of pointers will help.

Thanks,

8 REPLIES 8

Former Member
0 Kudos

Hi Sudhir,

Identify the Info Cubes under which the data is available and provide authorization in S_RS_COMP and S_RS_COMP1 (use the bottom up approach) and ensure that you provide complete access till the Top level Info provider.

Further restrictions can be applied using Analysis authorizations, if you are on BI 7.0 and later versions.

Hope this helps!!

Regards,

Raghu

Former Member
0 Kudos

Thanks Raghu, we are on BI 7.0 and planning to use Analysis Authorization. Do you have any suggestions on how to approach it using Analysis Authorization?

~Sudhir

Former Member
0 Kudos

I have pasted an example:

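| Employee | Annual Salary | Organization Unit Key | Payscale Area |
|----------|---------------|-----------------------|---------------|
| 11       | 500           | Org_1                 | AA            |
| 22       | 1500          | Org_2                 | AA            |
| 33       | 2000          | Org_3                 | BB            |
| 44       | 2500          | Org_4                 | CC            |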

Person has access to All Data:

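| Employee | Annual Salary | Organization Unit Key | Payscale Area |
|----------|---------------|-----------------------|---------------|
| 11       | 500           | Org_1                 | AA            |
| 22       | 1500          | Org_2                 | AA            |
| 33       | 2000          | Org_3                 | BB            |
| 44       | 2500          | Org_4                 | CC            |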

Note: He/She should be able to see ALL data.

Person has NO access to Annual Salary for Payscale Area = AA:

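| Employee | Annual Salary | Organization Unit Key | Payscale Area |
|----------|---------------|-----------------------|---------------|
| 11       |               | Org_1                 | AA            |
| 22       |               | Org_2                 | AA            |
| 33       | 2000          | Org_3                 | BB            |
| 44       | 2500          | Org_4                 | CC            |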

Note: He/She should NOT be able to see Salary of Payscale Area = AA

0 Kudos

Hi,

It's simple. All you need to do is identify the infoobject that holds this data and make it authorization relevant. When an infoobject is authorization relevant, users need authorization at the data level, which you can provide using Analysis authorizations.

Your BI guy may help you in identifying the infoobjects.

Regards,

Raghu

0 Kudos

Thanks Raghu for the comments. We cannot make Annual-Salary authorization relevant (being a Keyfigure-attribute in Employee). We have made Employee authorization relevant and added Annual-Salary as well to the Analysis Authorization object, as we are planning to populate the Employee values using a user exit.

Just wanted to make sure that this is the right approach, or if we can implement it in any other way as well.

Regards,

SC

0 Kudos

Hi Sudhir,

0TCAKYFNM (if you want to restrict access to key figure)

You can include this in the analysis authorization.

The alternative is, as you mentioned, to have a user exit. Both approaches are okay.

Regards,

Raghu

0 Kudos

Thanks Raghu,

SC

Former Member
0 Kudos

Hello Sudheer,

I would recommend that you use the Generation feature of RSECADMIN. With this you can directly connect your BI system to the HR system; based on their access in the HR system, access can be generated in the BI system.

Please go through the links below from help.sap.com for more information on the generation feature.

Single value DSO uses this SAP standard template

http://help.sap.com/saphelp_nw73/helpdata/en/46/8bbd2738fc429ee10000000a1553f7/frameset.htm

Hierarchy DSO uses this SAP standard template

http://help.sap.com/saphelp_nw73/helpdata/en/46/8bbe3b38fc429ee10000000a1553f7/frameset.htm

I hope this helps you!

Regards,

Ananth

Edited by: Anantharama Shivashankar on Aug 2, 2011 4:31 PM