Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to Upgrade BW 3.5 security design to BI 7.3 authorization design

Go to solution
Former Member

‎09-30-2012 9:02 AM

0 Kudos

Dear Experts:

Thanks in Advance.

I need to migrate current BW3.5 security design to new security ananlysis authorization design of BI 7.3. i am going to do it manually with out using the standard SAP tool RSEC_MIGRATION. Here i don't know how to create ananlysis authorizations by using existing authorization objects and thier values.

please guide me to do this activity. i have seen many threads but i could not find any... please let me know the path where i can find the stanadard documentation also.

your suggestions are very valuable for me...

1 ACCEPTED SOLUTION

Go to solution
shivraj_singh2
Active Participant

‎10-02-2012 6:26 PM

0 Kudos

http://scn.sap.com/community/data-warehousing/netweaver-bw/blog/2012/05/22/authorization-in-bi-7

This is a very good link about how to set up security in BI7.

BW 7.3 security is exactly as BI7 security, with few minor additional steps like activating the analysis authorization.

Hope it helps,

Regards,

Shivraj

11 REPLIES 11

Go to solution
shivraj_singh2
Active Participant

‎10-02-2012 6:26 PM

0 Kudos

http://scn.sap.com/community/data-warehousing/netweaver-bw/blog/2012/05/22/authorization-in-bi-7

This is a very good link about how to set up security in BI7.

BW 7.3 security is exactly as BI7 security, with few minor additional steps like activating the analysis authorization.

Hope it helps,

Regards,

Shivraj

Go to solution
Former Member
In response to shivraj_singh2

‎10-03-2012 7:28 AM

0 Kudos

Hi Shivraj,

thanks for your reply. i have situation like below

S_RS_ICUBE

ACTVT      03

RSICUBEOBJ    DATA, DEFINiTION

RSINFOAREA   AB_STATS,AB_USERS

RSINFOCUBE   0BWTC_C10, BW_SU_01, VC_ZRSPC


Please let me know how can i maintain this restriction using analysis authorization.

thanks,
Ananth.

Go to solution
shivraj_singh2
Active Participant
In response to shivraj_singh2

‎10-03-2012 5:47 PM

0 Kudos

Kishore,

For reporting S_RS_ICUBE is no longer checked under BW73 settings. It is replaced by 0TCAIPROV which you will have to maintain in analysis authorization.

One way is to create an analysis authorization with only 3 0TCA* objects - 0TCAACTVT 03 0TCAIPROV -  0BWTC_C10, BW_SU_01, VC_ZRSPC & 0TCAVAL - *. & update the S_RS_ICUBE role with that analysis authorization.

Regards,

Shivraj

Go to solution
Former Member
In response to shivraj_singh2

‎10-04-2012 6:39 AM

0 Kudos

Hi Kishore,

It seems that you are looking for designing part!  BW auth object S_RS_ICUBE is obsolete in BI 7.3.

Now try to design you analysis authorizations based on RSINFOCUBE, like Z0BWTC_C10 and maintain the field values as above. your analysis authorization structure should be based on Infoprovider OR Infocude.

The Authorizations structure from BW 3.5 inevitably changes as of BI 7.3.

Let me if any additional information required.

Thanks

Anil Surukanti

Go to solution
Former Member
In response to shivraj_singh2

‎10-05-2012 10:14 AM

0 Kudos

Hi Experts,

thanks for your reply...

i have a question.

S_RS_ICUBE

ACTVT      03

RSICUBEOBJ    DATA, DEFINiTION

RSINFOAREA   AB_STATS*, AB_USERS*

RSINFOCUBE   *

in this case how can we restricte on infoarea using analysis authorizations.

Thanks in Advance,

Kishore.

Go to solution
shivraj_singh2
Active Participant
In response to shivraj_singh2

‎10-05-2012 6:05 PM

0 Kudos

Kishore,

0TCAIFAREA can be used for this purpose.

You have to add it to 0INFOPROV as an external hier char.

Please refer to

http://scn.sap.com/thread/193027

Regards,

Shivraj

Go to solution
Former Member
In response to shivraj_singh2

‎10-15-2012 7:19 AM

0 Kudos

Hi Shivaraj,

Thank you very much for your reply...

In above case apart from adding hierarchy to 0INFOPROV..  do i need to maitain all infoproviders of those infoareas under 0TCAINPROV object.

thanks in advance.

Kishore.

Go to solution
shivraj_singh2
Active Participant
In response to shivraj_singh2

‎10-15-2012 6:56 PM

0 Kudos

Kishore,

0TCAIPROV has to be maintained all the time as it gets checked every time a query is executed.

Regards,

Shivraj

Go to solution
Former Member
In response to shivraj_singh2

‎10-17-2012 7:58 AM

0 Kudos

Hi Shivraj,

Thanks for your valueble suggestions.

in our current role design there is RSR clss object ZHR_SLRY( field 1KYFNM. ) this is added in some roles with some values.

1.So i have to mention these values in AA under 0TCAKYFNM object right!!!!

2. the roles with out this object, i am giving * for 0TCAKYFNM infoobject in AA.. is that right.

3. if a use get access to both AAs.... what is the access he is going to have for 0TCAKYFNM

* or for specific values.

or will it work individually depending on infoproviders respective to that perticular AA.

can you please suggest me.

Thanks,

Kishore.

Go to solution
shivraj_singh2
Active Participant
In response to shivraj_singh2

‎10-17-2012 6:00 PM

0 Kudos

Kishore,

1. Since you are using Key Figure Security, you will have to mark 0TCAKYFNM auth-relevant. Once it is marked auth-relevant, it will get checked for every Info-provider or another way to say it is for every  query execution.

2. For the roles with ZHR_SLRY, you will have to match the field values

3. For roles with no ZHR_SLRY, mentioning (*) in field values is not a good idea, it means access to all key-fig including salary data which is sensitive in HR.

4. Alternative is to first identify which Key-fig are sensitive and maintain a range excluding these sensitive key-figs. It is just one alternative, you will have to test if it is applicable to your scenario or not.

5. regarding # 3 on your list, AA are restricted by the Info-providers mentioned in 0TCAIPROV. And these do merge when Info-providers are same across AAs. There are examples on SAP help about the logic that governs such merging, and I think there is a note also.

Regards,

Shivraj

Go to solution
Former Member

‎10-17-2012 8:32 AM

0 Kudos

Hi Kishore,

If you want to do it manually which I think is the best way to implement security since the approach in BW and BI is entirely different.

Rather than looking into BW reporting authorization objects created and used in 3.5 version and try to create and equivalent Analysis Authorization (AA) I would suggest you to incorporate a fresh BI security strategy.

Follow this plan

  1. Get the list of all Queries to be used by end users
  2. Create AA for each query by following below steps
    • Find out Info Provider on which query is based
    • Get the list of all auth relevant characteristics inside this info provider
    • Create AA with all these characteristics
    • Put restrictions on the characteristics whereever required (value, pattern or hierarchy level as per business need)
    • Activate the AA
  3. Create Data restriction role (PFCG role) with object S_RS_AUTH and add desired AA in role under this object
  4. Create Reporting role (PFCG role) with Object S_RS_COMP/COMP1 and maintain it as per desired query (same as BW 3.5)
  5. Create Enduser Composite roles with desired data restriction and reporting roles to be assigned to end users

You may need to interact a lot with Business People and  BI team but this will give you a perfect BI security measures for your system.

Hope this helps.

Regards,

Amit