Analysis Authorizations – Design

The idea for this article came to me after reading a question from a visitor to this site. I believe the question is relevant to anyone designing Analysis Authorizations. So even though there are other posts in this blog that talk about how to actually create analysis authorizations, this article is meant to help security consultants apply the concepts while designing security. I will start by reproducing the question below.

Q:  Hi Aninda,

Firstly, thanks for the helpful posts on this site.

I would like to check with you on how the system checks BI auth.
Does it check every possible combination?

For eg: user is assigned with 2 analysis auth as below:
A: plant 1000, purchasing group (PG) 100
B: plant 2000, PG 200

When the user runs a report and fills in the fields with plant : 1000, 2000 and PG: 100, 200,
he/she will actually get no authorization. When I checked the trace, it looks like the system is checking for
1) plant 1000, PG 100
2) plant 1000, PG 200
3) plant 2000, PG 100
4) plant 2000, PG 200

In this case, the authorization failed because there is no such combination for 2 and 3 in my analysis authorization. Appreciate your advice if my understanding is correct and how do we work around this apart from asking the user to run the report separately for plant 1000 and 2000? Thanks.

I will elaborate on my original answer below. Firstly, I should reiterate that SAP does indeed check for the 4 different combinations mentioned, i.e.
1) plant 1000, PG 100
2) plant 1000, PG 200
3) plant 2000, PG 100
4) plant 2000, PG 200

This may be counter-intuitive to us from our experience in ECC while looking up data from SAP tables in SE16 or SUIM. However, BI reports only return data when the total result set is authorized. In other words, you need access to all possible combinations for the query to return any data at all. You get everything or nothing 🙂

So the next question that we need to answer is how to give access to plants 1000, 2000 and PG 100, 200?

Here we would need to create two new analysis authorizations in place of the ones already in use:
Auth 1) Plant 1000, 2000
Auth 2) PG 100, 200

However, these two authorizations end up giving access to the combinations Plant 1000, PG 200 and Plant 2000, PG 100 in addition to the earlier values. We need to ask ourselves: is this extra access a problem?

Like most consulting questions, there is no single correct answer to the problem. For some clients this extra access might be okay, while for others it might be a strict no. I would start by looking at how security is set up in ECC and try to replicate the same access in BI. For example, I would think a Buyer in ECC would be assigned to one or more purchasing groups and would be responsible for one or more plants. It's far less likely that a Buyer is assigned to different purchasing groups for different plants. So the more likely scenario tells me that the extra access granted by the two new authorizations is perfectly fine and in line with ECC security. However, your client might be using a different configuration for plant and purchasing group security.

In case the extra access is not acceptable, the solution would be to ask the report user to run the BW query twice: once for Plant 1000, PG 100 and again for Plant 2000, PG 200.
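To make the all-or-nothing rule concrete, here is an added example (not code from the original post, and not SAP's own check logic) that models the behaviour described above in Python. The model is an assumption: each analysis authorization is a mapping of characteristic to allowed values, a value combination is authorized only when every characteristic in it is covered by some authorization that both lists that characteristic and accepts the whole combination, and a query selection is granted only when every combination in the Cartesian product of the selected values is authorized. The characteristic names and values are constructed to follow the question.

```python
from itertools import product

# Constructed data following the question: the two authorizations the user
# originally holds, each restricting both characteristics.
AUTHS_ORIGINAL = [
    {"PLANT": {"1000"}, "PURCH_GROUP": {"100"}},   # authorization A
    {"PLANT": {"2000"}, "PURCH_GROUP": {"200"}},   # authorization B
]

# The redesign suggested in the post: one authorization per characteristic.
AUTHS_REDESIGN = [
    {"PLANT": {"1000", "2000"}},                   # Auth 1
    {"PURCH_GROUP": {"100", "200"}},               # Auth 2
]

# The selection the user enters on the query variable screen.
SELECTION = {"PLANT": {"1000", "2000"}, "PURCH_GROUP": {"100", "200"}}


def auth_matches(auth, combo):
    """True when every characteristic this authorization restricts accepts the
    value in the combination ('*' stands for all values)."""
    return all(combo[c] in vals or "*" in vals for c, vals in auth.items())


def combo_authorized(auths, combo):
    """Assumed rule: each characteristic of the combination must be covered by
    at least one authorization that lists it and matches the whole combination.
    A characteristic no authorization mentions is therefore not authorized."""
    return all(
        any(c in a and auth_matches(a, combo) for a in auths)
        for c in combo
    )


def check_query(auths, selection):
    """Return (granted, failed_combinations) for a selection
    {characteristic: set_of_values}. The query is granted only when every
    combination in the Cartesian product of the selected values is authorized,
    which is the everything-or-nothing behaviour the post describes."""
    chars = sorted(selection)
    failed = []
    for values in product(*(sorted(selection[c]) for c in chars)):
        combo = dict(zip(chars, values))
        if not combo_authorized(auths, combo):
            failed.append(combo)
    return (not failed, failed)


if __name__ == "__main__":
    for label, auths in (("original A+B", AUTHS_ORIGINAL), ("redesign 1+2", AUTHS_REDESIGN)):
        granted, failed = check_query(auths, SELECTION)
        print(f"{label}: granted={granted} failed={failed}")
    # The workaround from the post: run the query once per authorized pair.
    print("run twice:", check_query(AUTHS_ORIGINAL, {"PLANT": {"1000"}, "PURCH_GROUP": {"100"}}))
```

Running it shows the two missing combinations (Plant 1000/PG 200 and Plant 2000/PG 100) that cause the original design to fail, the redesigned pair granting the whole selection, and the narrower selection that makes the run-twice workaround succeed. It also shows why Auth 1 alone is not enough under this model: the purchasing group is then covered by no authorization at all.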

Create iView for SAP Tcode

The steps for creating an iView for a transaction are pretty self-explanatory. I will copy the screens below. Hopefully these have enough information to get you going.

We start by deciding on the name and component ID for the iView.

[Screenshot: Portal - Create iView for Transaction]

Next we choose the GUI type for the transaction. Full functionality of some transactions might not be available with some of these options.

[Screenshot: Portal - Create iView for Transaction 2]

Now we specify the transaction for which the iView is created. Understandably, this is the linchpin of the entire process.

[Screenshot: Portal - Create iView for Transaction 3]

This is the confirmation screen of the process showing the data entered so far. Clicking the Finish button will create the iView in the PCD.

[Screenshot: Portal - Create iView for Transaction 4]

Once created, we can open the iView in the explorer to display and further maintain its properties. The iView can now be incorporated into worksets and roles.

[Screenshot: Portal - iView for Transaction - Final]

Create iView

In this post, we will go over the steps involved in creating an iView from scratch. A detailed description of all the options you have when creating an iView is out of scope for this discussion, as a security administrator is typically not asked to create iViews for a productive system. However, like most other posts on this blog, there is enough information to get you started and help you understand what options are available to a portal developer.

The first step when creating new content (iView/workset/role/page) for the Portal is to decide on the folder in the PCD where your custom development is going to be stored. Right-clicking the appropriate directory gives you the option of creating new content. We choose the option of creating a new iView.

[Screenshot: Portal - Create iView]

The create iView screen gives you a few options: create an iView from a template, for a Java Web Dynpro, or for an ABAP Web Dynpro. Each of these options has its own configuration options.

[Screenshot: Portal - Create iView 2]

In our case we choose the option of creating an iView from an iView template. This in turn opens a new page with many more options. For example, iView templates are available for BEx queries, SAP transactions, etc.

[Screenshot: Portal - Create iView from template]

In the next post we go through the individual steps for creating an iView based on an SAP transaction.

Portal Roles

Security for Enterprise Portal is based on Portal Roles. Portal Roles are created in the Portal Content Studio and are meant to structure the content displayed to a user on the Portal. Portal Roles are assigned to users through the identity management component of the portal, just like UME roles. Multiple Portal Roles can be assigned to a user, which will affect how the enterprise portal is displayed for them. We look at the structure of one of the standard portal roles below.

[Screenshot: Portal Role - Content Admin]

Content in a Portal Role is organized in a hierarchy of folders, as shown above, made up of worksets, iViews and pages. The folders in a portal role are called worksets. Worksets can be used across many portal roles, and there can be multiple worksets under a workset. The lowest level of content is the iView. The screen above gives an example of a Portal Role in the PCD and the role structure showing both worksets and iViews. The same role "Content_Admin" is also assigned to my user ID in the system. The top level navigation showing the different tabs, like Content Administration > Portal Content > Multiple Property Replacement, gives an idea of how a role looks when assigned to a user.

The behaviour of the role or workset can be changed by modifying the property editor settings shown on the far right. Also important are the permissions that can be modified in the property editor settings. An example of the permissions that can be set in the property editor for the Content Admin role is copied below.

[Screenshot: Portal Role - Content Admin - Permissions]

Enterprise Portal

SAP Enterprise Portal (EP) as a component can only be installed on AS Java. Until now our discussion of AS Java security has dealt exclusively with security using the User Management Engine. We have talked about UME users, roles and groups. However, in addition to UME roles, we can also create roles for Enterprise Portal. Before we start our deep dive into security for the enterprise portal, let's take a brief tour of the Enterprise Portal solution.

To a large extent, the Enterprise Portal exists to support the display of content on the various corporate intranets (portals) of SAP customers. Thus the security framework for EP is also geared towards the display of static or dynamic content rather than towards granular security. To get an idea of the look and feel of the Enterprise Portal, just log in to the SAP Service Marketplace, which is also built on EP.

[Screenshot: Enterprise Portal - Look & Feel]

To create content for Enterprise Portal, you need access to the Portal Content Studio shown below. You would also need the content_admin portal role.

[Screenshot: EP - Portal Content Studio]

Most Employee Self Service and Manager Self Service applications are based on the Enterprise Portal. In addition, EP developers can also create portal applications for displaying BI dashboards, BW reports, web views of SAP transactions and simple static pages.

Most clients have a dedicated portal team instead of having security develop applications for the portal. But I still feel that having some knowledge of the portal is always helpful. Portal development normally starts by accessing the Portal Content Studio through the Portal Content Directory (PCD). Double-clicking any content (iViews, worksets, roles) opens it in the right-hand window for modification.

April Advice

First of all, thanks to everyone visiting this site and leaving your comments. They encourage me to keep updating the site and sometimes force me to think in new directions. The words of advice below are not for everyone visiting this site. But I expect that most of the visitors are just starting out in SAP security, and it is to them that this post is addressed. Even for my friends starting out, please feel free to do your own thing if you feel the post is not applicable to you. At the end of the day, it is you who determines your career choices rather than someone who has not even met you 🙂

  • This blog is to help people learn SAP security. I am really not interested in providing shortcuts for passing job interviews. As someone who has been actively interviewing candidates for the last four years, shortcuts don't work if your interviewer is even remotely good at his job. Instead, try learning the subject to the best of your ability. True knowledge will also help you pass any interview, but memorized answers to interview questions will not if the question is even remotely different.
  • The best resource to learn from is yourself. If you have a question, please try to test out the solution in a sandbox system instead of just asking it on a forum. It's remarkable how much can be picked up by just getting your hands dirty. Often you find answers to questions you were not even asking.
  • An interviewer is always checking how well you can apply your technical knowledge to solve actual problems. Reading through documents about SAP security is not going to help much unless you get to apply the knowledge gained in a system.

The above few words of advice have served me well in my different projects. Hopefully they will help you too!

UME – Monitoring and Traces

Unfortunately, the UME doesn't provide reporting capabilities as comprehensive as those provided by SUIM. The best bet for a security administrator in such a case is to refer to the security log files generated by the UME and stored at the OS level. The files can of course be checked at the OS level by someone with the appropriate permissions for the AS Java application server. More easily, they can also be viewed in the NetWeaver Administrator (NWA) with the appropriate UME roles. The NWA is available at the URL "http://<host>:port/nwa" or can be accessed from the app server launchpad.

[Screenshot: AS Java - NWA]

Within the NWA, you can access the security log by following the menu path System Management > Monitoring > Logs and Traces > Expert View > Security Log. The security log can show actions like user creation, deletion, role assignment, password lock, etc.

[Screenshot: AS Java - NWA - Security Log]

Since the security log stores all security-related log entries, you can use the Filters option on the same screen to select only the category that you need.

[Screenshot: AS Java - NWA - Security Log - Filters]
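The same category filtering can be done offline against an exported copy of the log, which is useful when the NWA screen is not available or when you want to summarize entries rather than scroll through them. The following is an added example, not code from the original post and not tied to the NWA's actual file format: the entries are constructed in a simplified "timestamp|category|key=value|..." layout, and the category names (USER_CREATE, USER_DELETE, ROLE_ASSIGN, PASSWORD_LOCK) are placeholders for the actions the post lists. The functions parse the entries, filter by category, count password locks per user and flag role assignments where the actor assigned a role to their own account.

```python
import re
from collections import Counter

# Constructed sample entries in a simplified layout. This is NOT the NWA's own
# security log format; the category names are placeholders for the actions
# the post mentions (user creation, deletion, role assignment, password lock).
SAMPLE_LOG = """\
2024-03-04 09:01:10|USER_CREATE|actor=portaladmin|user=jdoe
2024-03-04 09:02:31|ROLE_ASSIGN|actor=portaladmin|user=jdoe|role=content_admin
2024-03-04 09:05:02|PASSWORD_LOCK|actor=system|user=asmith
2024-03-04 09:05:40|PASSWORD_LOCK|actor=system|user=asmith
2024-03-04 09:06:12|ROLE_ASSIGN|actor=portaladmin|user=bkhan|role=eu_role
2024-03-04 09:09:00|USER_DELETE|actor=portaladmin|user=tmp_user
2024-03-04 09:11:45|ROLE_ASSIGN|actor=jdoe|user=jdoe|role=Administrator
this line is malformed and should be skipped
"""

# timestamp | CATEGORY | the remaining key=value fields
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\|(?P<category>[A-Z_]+)\|(?P<rest>.*)$")


def parse_entries(text):
    """Parse the constructed layout into a list of dicts; malformed lines are
    skipped rather than aborting the whole run."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["rest"].split("|") if "=" in kv)
        entries.append({"ts": m["ts"], "category": m["category"], **fields})
    return entries


def filter_by_category(entries, category):
    """The offline equivalent of the Filters option on the NWA screen."""
    return [e for e in entries if e["category"] == category]


def count_by_user(entries, category):
    """How many entries of a category each user account has, e.g. repeated
    password locks on one account."""
    return Counter(e["user"] for e in filter_by_category(entries, category))


def self_assignments(entries):
    """Role assignments where the acting account and the target account are
    the same, which is worth a second look during review."""
    return [
        e for e in filter_by_category(entries, "ROLE_ASSIGN")
        if e.get("actor") == e.get("user")
    ]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("role assignments:", len(filter_by_category(entries, "ROLE_ASSIGN")))
    print("password locks per user:", dict(count_by_user(entries, "PASSWORD_LOCK")))
    for e in self_assignments(entries):
        print("self-assigned role:", e["ts"], e["user"], e["role"])
```

Point the parser at an exported log by replacing SAMPLE_LOG with the file contents once the regular expression has been adapted to the real layout of your release; the filtering and summary functions do not depend on the line format.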