03-29-2008 4:24 PM
Dear Friends,
I am very new to the security area in BI.
We need to define role(s) for reporting for around 100 companies. Each company will be assigned to one user.
If this is the requirement, do I need to create 100 roles with 100 Analysis Authorisation objects?
Please let me know the best way of implementing the security.
Thanks in advance.
Regards,
Kalyan
03-30-2008 10:17 AM
The question here is whether it is absolutely necessary to restrict that much.
What is the risk if you restrict one level higher?
Beware: the fact that people need to be able to report on one company ONLY does not automatically mean they should be restricted to that one company only.
Please use proper risk analysis to see if this is really needed before creating 100 roles, as it is a pain to maintain.
03-30-2008 1:18 PM
Dear Friend,
We have around 100 users and each user is responsible for one country.
In that case, how can I go one level higher and secure the requirements?
I know it's a painful job maintaining the main roles.
Please share with me how I can implement this activity in the BI area with a minimum set of roles.
Awaiting your reply.
Thanks in advance
03-30-2008 10:26 PM
Kris
You probably do not understand what I mean. The question is not how to build these roles, but whether it is really needed. Is there a risk involved if all people can run all reports? If not, give them wide access and instruct them how to run the reports for 1 of the companies only!
03-31-2008 12:16 AM
Dear friend,
I understood your question.
The implementation we are doing is very sensitive in terms of data.
That's why I can't have broader access at some group level.
There is no other alternative apart from securing them at Company (Country) level.
Please let me know whether I still need to create 100 roles.
03-31-2008 10:30 AM
Hi,
As you are aware, in BI you have to maintain the authorization on the InfoCube with the transaction code RSECADMIN, then you have to define each authorization object to the roles.
It means you have to create 100 authorization objects for the 100 regions; then you will be restricted in the roles by defining the authorization object.
BI Analysis Authorizations in Role S_RS_AUTH
So there, you need to create/maintain 100 authorizations and 100 roles for the 1 report.
Regards
Anwer Waseem
SAP BASIS
03-31-2008 1:01 PM
Hi
you can avoid making 100 roles/authorisations by making use of customer exit variables in analysis authorisations.
- The customer exit is called for these variables while the authorization check is running.
- Maintenance effort for authorizations and profiles may be considerably reduced.
For example: Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to XXXX (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This has to be entered in the user master data for the cost center manager. In organizations where cost centers change on a regular basis, this involves significant administrative effort.
Using a variable reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to $VARCOST, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable VARCOST is then set for runtime during the authorization check by the CUSTOMER-EXIT RSR00001.
So in your case, instead of giving a value to region and making 100 roles you can create one role & include a variable (e.g. $VARREGION ) which retrieves value from user master data at runtime.
Regards
Vinod
03-31-2008 1:21 PM
You still need to be careful when using variables, I have seen implementations where they are no less maintenance intensive than using the auth concept. When they work well though, they are excellent.
As a concept, it's a shame that we have to carry out significant customisation to get anything similar in R/3.
03-31-2008 1:23 PM
Dear Vinod
What about a user who is authorized for more than 1 region, division and distribution channel?
In my example here,
I have 9 companies
5 divisions
6 distribution channels
The reports are restricted by companies, divisions and distribution channels.
How do we restrict by the customer exit?
Regards
Anwer Waseem
04-01-2008 7:20 AM
Hi Anwer
Authorised values can be mapped to user ids, and these authorised values can be uploaded in BI by extraction from source systems (like ECC), extraction from master data and by flat file upload to DSO or master data table.
A simple flat file can be created with fields like:
User | InfoObject1 | InfoObject2 | InfoObject3 | ....
abc | region1 | division4 |
abc | region2 | division6 | channel1
xyz | .......
This file can be uploaded in a DSO or master data table and can be updated when required without touching the authorisations.
So, whenever a query runs, the exit variable specified in analysis authorisation will fetch the authorised values from this DSO/master data table using user-id as key.
Regards
Vinod
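A small Python model of the user-to-value lookup described in the post above, added here as an illustration; it is not code from the thread or from SAP, and the real exit would be ABAP in RSR00001. The column names REGION, DIVISION and CHANNEL and the sample rows are constructed. It resolves values per InfoObject, returns nothing for unknown users, and reports blank cells and value combinations that per-InfoObject resolution permits although no row of the file lists them.

```python
import csv
import io
from itertools import product

# Constructed sample in the layout from the post (User | InfoObject columns).
SAMPLE = """\
User | REGION | DIVISION | CHANNEL
abc | region1 | division4 |
abc | region2 | division6 | channel1
xyz | region3 | division1 | channel2
"""

def load_rows(text):
    """Parse the pipe-delimited file into (user, {infoobject: value}) rows."""
    reader = csv.reader(io.StringIO(text), delimiter="|")
    header = [h.strip() for h in next(reader)]
    rows = []
    for rec in reader:
        if not rec:
            continue
        # Pad short records so a missing trailing cell becomes an empty value.
        cells = [c.strip() for c in rec] + [""] * (len(header) - len(rec))
        rows.append((cells[0].lower(), dict(zip(header[1:], cells[1:]))))
    return rows

def authorised_values(rows, user, infoobject):
    """Model of one per-InfoObject lookup; an empty set means no access."""
    return {vals[infoobject] for u, vals in rows
            if u == user.lower() and vals.get(infoobject)}

def blank_cells(rows):
    """Cells left empty: decide their meaning explicitly, never assume '*'."""
    return [(u, name) for u, vals in rows for name, v in vals.items() if not v]

def widened_combinations(rows, user, infoobjects):
    """Combinations allowed by the per-InfoObject sets that no row lists."""
    listed = {tuple(vals[i] for i in infoobjects)
              for u, vals in rows if u == user.lower()}
    sets = [sorted(authorised_values(rows, user, i)) for i in infoobjects]
    return sorted(set(product(*sets)) - listed)

ROWS = load_rows(SAMPLE)

if __name__ == "__main__":
    print(authorised_values(ROWS, "abc", "REGION"))
    print(blank_cells(ROWS))
    print(widened_combinations(ROWS, "abc", ["REGION", "DIVISION"]))
```

If the widened combinations are not acceptable for a given user, the rows need to be kept as separate authorizations rather than merged per InfoObject.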
03-31-2008 5:12 PM
Dear KRIS123 KRIS,
I'll try to help you with your doubt.
For a reporting user you restrict the data access in two ways. The first is through analysis authorization and the second is through the reporting role.
Analysis authorization manages the value data which you need to see by InfoProviders, Characteristics, Characteristic Values, Key Figures and Hierarchies.
Reporting roles manage, through authorization objects, which objects you can display and execute by Query, InfoAreas, and InfoProviders.
To use analysis authorization you need a role which has authorization objects for reporting, like S_RS_COMP or S_RS_COMP1, so that you can execute and display the query. In your case this query may be general, and you control data value access by analysis authorization and assign this to each user, or build a specific reporting role for each user and join each specific analysis authorization through authorization object S_RS_AUTH.
In the first building scenario you need one role and 100 analysis authorizations. For the second scenario you need 100 roles and 100 analysis authorizations. Your design decision depends on what you need.
I suggest that you use a general role, build 100 analysis authorizations and join users directly through RSECADMIN -> User -> Analysis Authorization -> Assignment.
I hope that can help you,
Luis