Analysis Authorizations are used to secure individual InfoObjects during execution of queries. If we get a requirement of the form – “user should be only able to see for sales for the US companies but not for the European ones”, Analysis Authorizations are the way forward. In this post we will try to take a closer look at how these authorizations work and how to maintain them.
SAP provides the transaction RSECADMIN for working on different aspects of analysis authorizations. The different tabs of the transaction allow authorization maintenance, user assignment, transport and tracing potential errors. Analysis Authorizations are also be directly maintained through the transaction RSECAUTH. In addition to the tcodes, A person needs access to the authorization object S_RSEC to work with analysis authorizations.
The figures below shows an analysis authorization to secure 0COSTCENTER
Individual values can be maintained for 0COSTCENTER as shown below
In addition to EQ (Equals) which is used to give access to actual values as shown below, we might also use CP (Character Pattern) for wildcards or BT (Between) for ranges. Also, instead of values, individual hierarchy authorizations or user exit variables might also used for InfoObjects. In addition to actual values or hierarchies, two special characters are often used in authorizations. These are
Colon (:) – Colon is used to authorize access to aggregate data. For example, a person with : for 0COSTCENTER would be able to see aggregate data for all cost centers (cost center in the free characteristics section of the query) but would get an authorization error when trying to drill down on 0COSTCENTER. Colon (:) authorization is also needed for all authorization relevant characteristics which are not used in a query.
Hash (#) – While loading data into cubes, there might be some fields for which no values are maintained in the data source. Hash is used to authorize these undefined values as otherwise a full acces (*) would be needed for them.
If we look at the first screenshot showing the definition of the analysis authorization, we find that in addition to 0COSTCENTER, the analysis authorization uses three other characteristics. These are
0TCAACTVT (Activity in Analysis Authorizations) – Default value 03(display) is sufficient for reporting. However, 02 (change) is needed for using planning functionality of BI as planning essentially allows updation of data into InfoProviders.
0TCAIPROV (Authorizations for InfoProvider) – We maintain the InfoProviders for which the authorization is meant to give access. Default is *
0TCAVALID (Validity of an Authorization) – Default value is * but can be used to restrict analysis authorization by validity dates.
It is imperative that all three of the above InfoObjects are part of at least one of the analysis authorizations assigned to a user but its good practice to add them to each authorization that you create.
Once created, there are two ways of assigning analysis authorizations to users.
Direct Assignment – Direct assignment of analysis authorizations to users is possible by following the path RSECADMIN >> User >> Assignment which calls transaction RSU01 transaction.
Assignment through roles – SAP provides the authorization object S_RS_AUTH with the single field BIAUTH. Individual analysis authorization values can be maintained for this field and added to the users’ roles.
Query Designer, as the name suggests, is an application within SAP BW which allows us to create new queries or display/ change existing ones. It can be launched by trying to change a query in BEX analyzer or by a separate link in the SAP GUI menu. The options in query designer has changed quite a bit between BW 3.5 and BI 7. However the essential functionality remains the same. Lets start our discussion by displaying a query in the BW 3.5 designer.
The leftmost bar displays a list of InfoObjects, both characteristics and keyfigures, which are defined for the InfoProvider. The rest of the Designer display the different design areas in the query. Thus we have separate areas for filters, free characteristics, rows and columns. The bottom right area gives a pre-view of the query output. This is how the result from the query will look like once its executed through Bex. We now selectively drag InfoObjects into the different areas of the query depending on our reporting needs. In general, characteristics appear as filter criteria, free characteristics or rows while keyfigures appear as columns. Characteristics also should be restricted to particular values as otherwise all data for them will be pulled into the query result and result in long execution times for the query. Characteristics can be restricted to actual values or to input variables which prompt user for values during query execution. In the displayed query, the filter criteria calendar year/month is restricted to Aug, 2010 while material is restricted to an input variable. We also have an option of using authorization variables, where an input variable is automatically filled by the authorized values for the executing user.
Query Designer also allows the use of calculated key figures, restricted key figures and provides many different options for controlling the display of the InfoObjects. We would not get into these details as our intention is only to concentrate on the security aspects of query design. We end our brief introduction to Query Designer by opening the same query opened in Query Designer for BI 7.Though the look and feel, and certainly the features, is different it has the same basic areas. The difference which is readily observed is a separate tab to contain all the filter criteria. One important factor to note, is while queries designed in the old designer can be opened in the new version, the reverse is not true.
BEX Analyzer or Business Explorer Analyzer or Simply BEX is the core reporting tool in SAP BW.It can be launched from the Analyzer icon from the SAP GUI menu or through the transaction RRMX. Its is Add-On to microsoft excel and allows executing of reports (queries) on BW data. It has links for creation/change of queries as well, though the actual updation is done in a separate BW application, the Query Designer.
The screen below shows the BEX toolbar inside Add-Ins and the result of running a query. The different icons in the toolbar allo us to open, save, refresh and change a query. This is a simple test query which shows the amount, price and quantity of a material type sold to different customers. The results are filtered for the calendar year/month – AUG, 2010. In the report below, material and customer are characteristic infoobjects in the cube while amount, price and quantity are the keyfigures.
In addition to queries, Bex Analyzer can also be used to execute or display Workbooks. Workbooks are basically the results of execution of the query. For example, we can save the report obtained above as a workbook. In fact, the different tabs in an workbook can store the results of different queries obtaining data from completely different InfoProviders.
We can readily appreciate that since BEX is really a single application launched through a single transaction, the general transactional based security model might not be as affective to secure the multitude of different queries that can be run though it. A more logical security model for queries will be one which allows to secure on individual infoproviders, characteristics and keyfigures. SAP provides us two methodologies to do just that,reporting authorization objects as used traditionally till BW 3.5 and the newer Analysis Authorizations which were introduced as part of BI 7.
SAP Business Information Warehouse or SAP BW or SAP BI is the Business Intelligence and Data Warehousing Product in SAP Netweaver Suite. Being an OLAP system, it has it own security requirements which are often different from a standard OLTP system like SAP ECC and hence this separate discussion. However, before getting into the nitty-gritties of BW security, let us first take some time off to discuss data warehousing in general and how SAP implements it the SAP BW solution.
A data warehouse(DW) is a database used for reporting. Its usually separate from a database used to store transactional data as the goals of reporting is significantly different from OLTP systems. While OLTP systems are optimized for preservation of data integrity and speed of recording of business transactions through use of database normalization and an entity-relationship model, OLAP systems are optimized for speed of data analysis. Frequently data in data warehouses are denormalised via a dimension-based model. Also, to speed data retrieval, data warehouse data are often stored multiple times—in their most granular form and in summarized forms called aggregates. Data warehouse data are gathered from the operational systems and held in the data warehouse even after the data has been purged from the operational systems.
Having a separate data warehouse system is beneficial in many respects
A data warehouse provides a common data model for reporting irrespective of the source of data. Its common that data from multiple operational systems are loaded into a central data warehouse.
A data warehousing solutions helps in the implementation of an efficient decision support systems where key users get access to key data about the enterprise to understand past histories and make future forecasts.
Its typical that reporting on historical data is time intensive. A separate data warehouse allows execution of complex queries without unduly affecting performance of operational systems.
The structure of the SAP BW solution can be divided into the four general layers given below. Each of these layers come with their own tools and will be discussed in the next article.
Extraction, Transformation and Load (ETL) layer is used for extracting data from one or more sources, applying transformation rules on extracted data and loading it into the Data Warehouse Area.
Data Warehousing layer consists of various SAP BW specific data structures (e.g. Data Store Objects, InfoObjects, InfoCubes, etc) to store information.
Presentation layer which comes with tools to analyze data stored in the data warehouse and allows creation and presentation of reports for end users.
Planning and analysis capabilities – In addition to reporting, the latest version of SAP BW provides capabilities for the user to create planning scenarios and perform tasks such as budget calculations.
A related development in the history of SAP BW was SAP’s acquisition of Business Objects (BO). BO has introduced a number of new presentation tools into the SAP Business Intelligence landscape like Crystal Reports, Xcelcius, InfoView. Other than Crystal Reports which introduces some new security concepts, most of the other tools allows the use of the current security model used for BW in general.