Implementing Security through Analysis Authorisations

Former Member
0 Kudos

Dear Friends,

I am very new to the security area in BI.

We need to define role(s) for reporting for around 100 companies. Each company will be assigned to one user.

If this is the requirement, do I need to create 100 roles with 100 Analysis Authorisation objects?

Please let me know the best way of implementing the security.

Thanks in advance.

Regards,

Kalyan

10 REPLIES 10

Former Member
0 Kudos

The question here is whether it is absolutely necessary to restrict that much.

What is the risk if you restrict one level higher?

Beware: the fact that people need to be able to report on one company ONLY does not automatically mean they should be restricted to that one company only.

Please use proper risk analysis to see if this is really needed before creating 100 roles, as it is a pain to maintain.

0 Kudos

Dear Friend,

We have around 100 users and each user is responsible for one country.

In that case, how can I go one level higher and secure the requirements?

I know it's a painful job of maintaining main roles.

Please share with me how I can implement this activity in the BI area with a minimum set of roles.

Awaiting your reply.

Thanks in advance

0 Kudos

Kris

You probably do not understand what I mean. The question is not how to build these roles, but whether it is really needed. Is there a risk involved if all people can run all reports? If not, give them wide access and instruct them how to run the reports for 1 of the companies only!

0 Kudos

Dear friend,

I understood your question.

The implementation we are doing is very sensitive in terms of data.

That's why I can't have broader access at some group level.

There is no alternative apart from securing them at Company (Country) level.

Please let me know whether I still need to create 100 roles.

0 Kudos

Hi,

As you are aware, in BI you have to maintain the authorization on the InfoCube via the transaction code RSECADMIN, then you have to define each authorization object to the roles.

This means you have to create 100 authorization objects for the 100 regions; then you will be restricted in the roles by defining the authorization object.

BI Analysis Authorizations in Role S_RS_AUTH

So there, you need to create/maintain 100 authorizations and 100 roles for the 1 report.

Regards

Anwer Waseem

SAP BASIS

0 Kudos

Hi

You can avoid making 100 roles/authorisations by making use of customer exit variables in analysis authorisations.

- The customer exit is called for these variables while the authorization check is running.

- Maintenance effort for authorizations and profiles may be considerably reduced.

For example: Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to ‘XXXX’ (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This has to be entered in the user master data for the cost center manager. In organizations where cost centers change on a regular basis, this involves significant administrative effort.

Using a variable reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to ‘$VARCOST’, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable ‘VARCOST’ is then set for runtime during the authorization check by the CUSTOMER-EXIT ‘RSR00001’.

So in your case, instead of giving a value to region and making 100 roles, you can create one role and include a variable (e.g. $VARREGION) which retrieves its value from user master data at runtime.

Regards

Vinod

0 Kudos

You still need to be careful when using variables; I have seen implementations where they are no less maintenance intensive than using the auth concept. When they work well though, they are excellent.

As a concept, it's a shame that we have to carry out significant customisation to get anything similar in R/3.

0 Kudos

Dear Vinod

What about a user who is authorized for more than 1 region, division and distribution channel?

In my example here,

I have 9 companies

5 divisions

6 distribution channels

The reports are restricted by companies, divisions and distribution channels.

How do we restrict by the customer exit?

Regards

Anwer Waseem

0 Kudos

Hi Anwer

Authorised values can be mapped to user IDs, and these authorised values can be uploaded in BI by extraction from source systems (like ECC), extraction from master data, or by flat file upload to a DSO or master data table.

A simple flat file can be created with fields like:

User | InfoObject1 | InfoObject2 | InfoObject3 | ....

abc | region1 | division4 |

abc | region2 | division6 | channel1

xyz | .......

This file can be uploaded in a DSO or master data table and can be updated when required without touching the authorisations.

So, whenever a query runs, the exit variable specified in analysis authorisation will fetch the authorised values from this DSO/master data table using user-id as key.

Regards

Vinod
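
The exit logic Vinod describes in his two replies (a variable such as $VARREGION filled during the authorization check from a user-to-value mapping table), sketched as an added example that is not part of the original thread. The table ZBI_USER_AUTH and its fields UNAME and REGION are hypothetical stand-ins for the active table of the DSO that holds the uploaded flat file.

```abap
* Include ZXRSRU01, called from EXIT_SAPLRRS0_001 (enhancement RSR00001).
* ZBI_USER_AUTH (fields UNAME, REGION) is a hypothetical mapping table
* standing in for the DSO / master data table loaded from the flat file.
DATA: l_s_range  LIKE LINE OF e_t_range,
      l_t_region TYPE STANDARD TABLE OF zbi_user_auth-region,
      l_region   TYPE zbi_user_auth-region.

CASE i_vnam.
  WHEN 'VARREGION'.
    " Variables used in analysis authorizations are processed with
    " I_STEP = 0 (call from the authorization check, not from the
    " variable screen), so nothing is returned for other steps.
    IF i_step = 0.
      " Key the lookup on the logged-on user only. Nothing entered by
      " the user at query runtime influences the authorized values.
      SELECT region FROM zbi_user_auth
        INTO TABLE l_t_region
        WHERE uname = sy-uname.

      " Blank entries (e.g. the empty channel column in a flat-file
      " row) are skipped rather than passed on as a value.
      LOOP AT l_t_region INTO l_region WHERE table_line IS NOT INITIAL.
        CLEAR l_s_range.
        l_s_range-sign = 'I'.
        l_s_range-opt  = 'EQ'.
        l_s_range-low  = l_region.
        APPEND l_s_range TO e_t_range.
      ENDLOOP.

      " Deliberately no fallback to '*' when the user has no rows:
      " the exit then returns no authorized values for that user.
    ENDIF.
ENDCASE.
```

Each characteristic's variable is filled independently, so with the sample rows above user abc would receive region1 and region2 for the region variable and division4 and division6 for the division variable, which also covers region1 with division6. If only the uploaded combinations should be visible, this design does not enforce that.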

Former Member
0 Kudos

Dear KRIS123 KRIS,

I’ll try to help you with your doubt.

For reporting users you restrict data access in two ways. The first is through analysis authorizations and the second is through reporting roles.

Analysis authorizations manage the data values which you need to see by InfoProviders, Characteristics, Characteristic Values, Key Figures and Hierarchies.

Reporting roles manage, through authorization objects, which objects you can display and execute by Query, InfoAreas, and InfoProviders.

To use analysis authorizations you need a role which has authorization objects for reporting, like S_RS_COMP or S_RS_COMP1, so that you can execute and display the query… for your case this query may be general… and you control data value access by analysis authorization and assign this for each user, or build a specific reporting role for each user and join each specific analysis authorization through authorization object S_RS_AUTH.

In the first scenario you need one role and 100 analysis authorizations. For the second scenario you need 100 roles and 100 analysis authorizations. Your design decision depends on what you need…

I suggest that you use a general role, build 100 analysis authorizations, and directly join users through RSECADMIN -> User -> Analysis Authorization -> Assignment.

I hope that can help you,

Luis