SAP Authentication in CMC

Till now we have created users and group in the CMC and mapped these groups to application and content rights. All data for these users and groups are maintained in the BOBJ CMS. Since a common configuration of BOBJ reporting is to use the BOBJ frontend with a SAP BW Backend, BOBJ also allows us to import backend roles and users to the CMS. The attributes of these users and groups can not be changed in the CMC but they can be assigned to other CMS resources like groups, content and application rights. In fact, a user so imported into the CMC can login into the BOBJ launchpad or CMC with the SAP BW Backend credentials. This set up is known as SAP Authentication and this post will go over the steps that are needed to get this working. Continue reading “SAP Authentication in CMC”

RSSM – Reporting Authorizations

In all the previous articles on BW security, we have already looked the current method of BW security through analysis authorizations. However, even now its possible for customers to continue to use the old security concept using reporting authorization objects (customer created authorization objects of the RSR class). Since there are still quite a few installations that continue to run in the old model let us have a brief look at this concept of BW security.

The basic transaction for maintaining BW 3.5 security is RSSM. The initial screen of the RSSM transaction can be divide into two main areas as shown below. The upper area is used to create new authorization objects whereas as the lower area is used to configure the checks for authorization objects for the individual cubes.

RSSM - Initial Screen
RSSM - Initial Screen

It is here that we create the the RSR authorization objects. During creation we have the choice of adding any of the authorization relevant InfoObjects defined in the system. However note that since these are authorization objects ( as opposed to analysis authorizations), maximum number of fields are limited to 10.

RSSM - Create Reporting Authorizations
RSSM - Create Reporting Authorizations

Once created, the second step is to check the relevant authorizations for the individual infocubes. This activity is also performed through RSSM as shown below. Whenever a new Infocube is created in BW, by default all possible authorization objects ( these are the authorization objects which contain any of the InfoObjects defined in the cube) are shown to be checked for it. Its the security administrator’s job to un-check all the unnecessary objects.

RSSM - Check Auth Objects for InfoProviders
RSSM - Check Auth Objects for InfoProviders

Like Analysis Authorizations, checks for reporting authorization which occur during query execution can not be caught through the standard security trace (ST01). We use the transsaction RSSMTRACE to trace security checks for reporting authorization objects. For individual users to be traced, they need to be added to list below. A security trace is generated during query execution for all the listed users. Subsequently the trace can be displayed through the same transaction for analyzing possible security errors.

RSSMTRACE - Troubleshooting Reporting Authorizations
RSSMTRACE - Troubleshooting Reporting Authorizations

Authorization Trace in BW

The standard SAP authorization trace given by ST01 is not enough for troubleshooting security issues in BW reporting. A ST01 trace will show a basic reference for the two objects S_RS_COMP and S_RS_COMP1 to check access to the query and cube but nothing further than that. SAP provides a completely new authorization trace though the RSECADMIN transaction to troubleshoot analysis authorizations. The error log button gets us to the authorization trace screen.

RSECADMIN - Analysis
RSECADMIN - Analysis

Once we have “configured log recording” for the affected user, the system logs all OLAP data accesses made by the user.

RSECADMIN - Authorization Logs
RSECADMIN - Authorization Logs

Displaying the log data gets us into the following screen which shows the details of the security checks for the user.

RSECADMIN - Authorization Logs 2
RSECADMIN - Authorization Logs 2

The trace first displays the name of the InfoProvider and the query name that the user executed. Next, we have a list of characteristics in the cube for which user has non full (*) access as these need to be checked at a more detail level. Lastly we have the authorization checks for these characteristics with non full authorizations. Its this section of the trace thats typically the most helpful in troubleshooting authorization issues.

Saving Workbooks in Roles

Though creating a report in SAP BW is typically much easier than creating one in ABAP, most reporting users are involved in actually running reports and interpreting the results rather than designing them. As a result the task of designing reports is often left to a select group of power users who are well versed in the knowledge of creating queries and formatting their outputs into suitable form for the use of other users. The output of one or more queries formatted in excel, which might include charts or higlight different data rows or columns, to facilitate their use for enterprise level reporting are called “workbooks”.

Once constructed, these workbooks, or even direct queries, need to be rolled out to the end users. Since the queries and workbooks are defined on InfoProviders, exploring the InfoProviders in BEX Analyzer would show all the reports defined on them. BW also provides a way of saving queries or workbooks into select folders by the power users as shown below.

BEX - Save Workbook In Role
BEX - Save Workbook In Role

Technically the folders are implemented as SAP roles without any authorization data. The folder roles are just placeholders to store queries/workbooks. Once the folder roles are assigned to the end users, they can just look into the folders roles assigned to them rather than having to search for the individual reports under the InfoProviders. This is beneficial as typically a InfoProvider will have a huge number of reports defined on them, many of which might not be applicable for all end users. Also, saving the important reports in roles saves the user from having to remember the InfoProvider on which a report is defined. In fact, we can take this scenario a step further by actually hiding the InfoProvider button from the open query/workbook dialog so that an end user can only access the reports which are specially designed for them. Hiding of the InfoProvider button is accomplished through the use of the S_RS_FOLD authorization object. Adding the object with a value of “X” to a user master ensures that the InfoProvider button is hidden from view in the open query dialog.

To save a query or workbook two authorization objects are needed to be present with the user – S_USER_AGR and S_USER_TCD. S_USER_AGR should have change access to the roles where the reports are going to be saved. S_USER_TCD needs the value RRMX.

Since the folder roles are modified by power users rather than the security administrators, a different transport strategy should be followed for them. In case, power users design reports directly in the productive environment, folder roles should only be transported to production once during the time of their creation. Any subsequent transport will wipe out all the new reports added to them. In the second case, a report is deigned in the development environment, tested and then moved to Production. In such a case, folder roles need to transported similar to any other authorization role.

Analysis Authorizations

Analysis Authorizations are used to secure individual InfoObjects during execution of queries. If we get a requirement of the form – “user should be only able to see for sales for the US companies but not for the European ones”, Analysis Authorizations are the way forward. In this post we will try to take a closer look at how these authorizations work and how to maintain them.

SAP provides the transaction RSECADMIN for working on different aspects of analysis authorizations. The different tabs of the transaction allow authorization maintenance, user assignment, transport and tracing potential errors. Analysis Authorizations are also be directly maintained through the transaction RSECAUTH. In addition to the tcodes, A person needs access to the authorization object S_RSEC to work with analysis authorizations.

RSECADMIN - Authorizations
RSECADMIN - Authorizations

The figures below shows an analysis authorization to secure 0COSTCENTER

Analysis Authorizations 1
Analysis Authorizations 1

Individual values can be maintained for 0COSTCENTER as shown below

Analysis Authorizations 2
Analysis Authorizations 2

In addition to EQ (Equals) which is used to give access to actual values as shown below, we might also use CP (Character Pattern) for wildcards or BT (Between) for ranges. Also, instead of values, individual hierarchy authorizations or user exit variables might also used for InfoObjects. In addition to actual values or hierarchies, two special characters are often used in authorizations. These are

  • Colon (:) – Colon is used to authorize access to aggregate data. For example, a person with : for 0COSTCENTER would be able to see aggregate data for all cost centers (cost center in the free characteristics section of the query) but would get an authorization error when trying to drill down on 0COSTCENTER. Colon (:) authorization is also needed for all authorization relevant characteristics which are not used in a query.
  • Hash (#) – While loading data into cubes, there might be some fields for which no values are maintained in the data source. Hash is used to authorize these undefined values as otherwise a full acces (*) would be needed for them.

If we look at the first screenshot showing the definition of the analysis authorization, we find that in addition to 0COSTCENTER, the analysis authorization uses three other characteristics. These are

  • 0TCAACTVT (Activity in Analysis Authorizations) – Default value 03(display) is sufficient for reporting. However, 02 (change) is needed for using planning functionality of BI as planning essentially allows updation of data into InfoProviders.
  • 0TCAIPROV (Authorizations for InfoProvider) – We maintain the InfoProviders for which the authorization is meant to give access. Default is *
  • 0TCAVALID (Validity of an Authorization) – Default value is * but can be used to restrict analysis authorization by validity dates.

It is imperative that all three of the above InfoObjects are part of at least one of the analysis authorizations assigned to a user but its good practice to add them to each authorization that you create.

Once created, there are two ways of assigning analysis authorizations to users.

  • Direct Assignment – Direct assignment of analysis authorizations to users is possible by following the path RSECADMIN >> User >> Assignment which calls transaction RSU01 transaction.
  • RSECADMIN - User Actions
    RSECADMIN - User Actions
  • Assignment through roles – SAP provides the authorization object S_RS_AUTH with the single field BIAUTH. Individual analysis authorization values can be maintained for this field and added to the users’ roles.

Reporting – Basic Access

Analysis Authorizations are used to secure individual InfoObjects during execution of queries. If we get a requirement of the form – “user should be only able to see for sales for the US companies but not for the European ones”, Analysis Authorizations are the way forward. In this post we will try to take a closer look at how these authorizations work and how to maintain them.

SAP provides the transaction RSECADMIN for working on different aspects of analysis authorizations. The different tabs of the transaction allow authorization maintenance, user assignment, transport and tracing potential errors. Analysis Authorizations are also be directly maintained through the transaction RSECAUTH. In addition to the tcodes, A person needs access to the authorization object S_RSEC to work with analysis authorizations.

RSECADMIN - Authorizations
RSECADMIN - Authorizations

The figures below shows an analysis authorization to secure 0COSTCENTER

Analysis Authorizations 1
Analysis Authorizations 1

Individual values can be maintained for 0COSTCENTER as shown below

Analysis Authorizations 2
Analysis Authorizations 2

In addition to EQ (Equals) which is used to give access to actual values as shown below, we might also use CP (Character Pattern) for wildcards or BT (Between) for ranges. Also, instead of values, individual hierarchy authorizations or user exit variables might also used for InfoObjects. In addition to actual values or hierarchies, two special characters are often used in authorizations. These are

  • Colon (:) – Colon is used to authorize access to aggregate data. For example, a person with : for 0COSTCENTER would be able to see aggregate data for all cost centers (cost center in the free characteristics section of the query) but would get an authorization error when trying to drill down on 0COSTCENTER. Colon (:) authorization is also needed for all authorization relevant characteristics which are not used in a query.
  • Hash (#) – While loading data into cubes, there might be some fields for which no values are maintained in the data source. Hash is used to authorize these undefined values as otherwise a full acces (*) would be needed for them.

If we look at the first screenshot showing the definition of the analysis authorization, we find that in addition to 0COSTCENTER, the analysis authorization uses three other characteristics. These are

  • 0TCAACTVT (Activity in Analysis Authorizations) – Default value 03(display) is sufficient for reporting. However, 02 (change) is needed for using planning functionality of BI as planning essentially allows updation of data into InfoProviders.
  • 0TCAIPROV (Authorizations for InfoProvider) – We maintain the InfoProviders for which the authorization is meant to give access. Default is *
  • 0TCAVALID (Validity of an Authorization) – Default value is * but can be used to restrict analysis authorization by validity dates.

It is imperative that all three of the above InfoObjects are part of at least one of the analysis authorizations assigned to a user but its good practice to add them to each authorization that you create.

Once created, there are two ways of assigning analysis authorizations to users.

  • Direct Assignment – Direct assignment of analysis authorizations to users is possible by following the path RSECADMIN >> User >> Assignment which calls transaction RSU01 transaction.
  • RSECADMIN - User Actions
    RSECADMIN - User Actions
  • Assignment through roles – SAP provides the authorization object S_RS_AUTH with the single field BIAUTH. Individual analysis authorization values can be maintained for this field and added to the users’ roles.

Select Authorization Concept

SAP provides two different ways of securing OLAP data in BW. The first is the traditional, and till BW 3.5 the only way, using Z authorization objects for reporting. The second way, which was introduced as part of BI 7, uses analysis authorizations. So the first step in BW security, should always be to choose the concept which we want to use in our BW landscape.

We can reach the switch settings option through the transaction SPRO as shown below

SPRO - Select Authorization Concept
SPRO - Select Authorization Concept

Once inside the transaction, we just choose the appropriate authorization concept setting and save our entry. Though its appears to be a single setting, we should give some thought about which authorization concept to use as migrating from one concept to another takes a significant amount of time for design, testing and implementation.

SPRO - Select Authorization Concept 2
SPRO - Select Authorization Concept 2

SAP recommends that for new projects at least we use the concept of analysis authorizations for security as it provides significant advantages over the old concept. There is also the possibility that in the future SAP might stop supporting the old authorization concept completely in their products. Thus in our future discussions on BW security, I would concentrate on analysis authorizations.

Before going into detailed configuration for analysis authorizations, it might be worth to look at a few of the advantages of analysis authorizations over reporting authorization objects.

  • Reporting authorization objects are Z or Y objects of the RSR class (SAP Business Information Warehouse – Reporting). As authorization objects they are limited to a maximum of 10 authorization fields per object. Analysis authorizations have no such restrictions.
  • The new concept allows us to separately secure the navigational attributes used in an InfoProvider. For example, the authorization object 0COSTCENTER can have different security when it appears as an InfoObject in an InfoProvider and when it appears as a navigational attribute for another InfoObject. In the old concept, both these cases will have the same security.
    SAP Business Information Warehouse – Reporting

Query Designer

Query Designer, as the name suggests, is an application within SAP BW which allows us to create new queries or display/ change existing ones. It can be launched by trying to change a query in BEX analyzer or by a separate link in the SAP GUI menu. The options in query designer has changed quite a bit between BW 3.5 and BI 7. However the essential functionality remains the same. Lets start our discussion by displaying a query in the BW 3.5 designer.

Query Designer 35
Query Designer 35

The leftmost bar displays a list of InfoObjects, both characteristics and keyfigures, which are defined for the InfoProvider. The rest of the Designer display the different design areas in the query. Thus we have separate areas for filters, free characteristics, rows and columns. The bottom right area gives a pre-view of the query output. This is how the result from the query will look like once its executed through Bex. We now selectively drag InfoObjects into the different areas of the query depending on our reporting needs. In general, characteristics appear as filter criteria, free characteristics or rows while keyfigures appear as columns. Characteristics also should be restricted to particular values as otherwise all data for them will be pulled into the query result and result in long execution times for the query. Characteristics can be restricted to actual values or to input variables which prompt user for values during query execution. In the displayed query, the filter criteria calendar year/month is restricted to Aug, 2010 while material is restricted to an input variable. We also have an option of using authorization variables, where an input variable is automatically filled by the authorized values for the executing user.

Query Designer also allows the use of calculated key figures, restricted key figures and provides many different options for controlling the display of the InfoObjects. We would not get into these details as our intention is only to concentrate on the security aspects of query design. We end our brief introduction to Query Designer by opening the same query opened in Query Designer for BI 7.Though the look and feel, and certainly the features, is different it has the same basic areas. The difference which is readily observed is a separate tab to contain all the filter criteria. One important factor to note, is while queries designed in the old designer can be opened in the new version, the reverse is not true.

Query Designer 7 - Dislay Query Definition
Query Designer 7 - Dislay Query Definition

BEX Analyzer

BEX Analyzer or Business Explorer Analyzer or Simply BEX is the core reporting tool in SAP BW. It can be launched from the Analyzer icon from the SAP GUI menu or through the transaction RRMX. Its is Add-On to microsoft excel and allows executing of reports (queries) on BW data. It has links for creation/change of queries as well, though the actual updation is done in a separate BW application, the Query Designer.

The screen below shows the BEX toolbar inside Add-Ins and the result of running a query. The different icons in the toolbar allo us to open, save, refresh and change a query. This is a simple test query which shows the amount, price and quantity of a material type sold to different customers. The results are filtered for the calendar year/month – AUG, 2010. In the report below, material and customer are characteristic infoobjects in the cube while amount, price and quantity are the keyfigures.

BEX - Query Result
BEX - Query Result

In addition to queries, Bex Analyzer can also be used to execute or display Workbooks. Workbooks are basically the results of execution of the query. For example, we can save the report obtained above as a workbook. In fact, the different tabs in an workbook can store the results of different queries obtaining data from completely different InfoProviders.

We can readily appreciate that since BEX is really a single application launched through a single transaction, the general transactional based security model might not be as affective to secure the multitude of different queries that can be run though it. A more logical security model for queries will be one which allows to secure on individual infoproviders, characteristics and keyfigures. SAP provides us two methodologies to do just that,reporting authorization objects as used traditionally till BW 3.5 and the newer Analysis Authorizations which were introduced as part of BI 7.

Administrator Workbench – RSA1

In the present article, we will explore some of the common transactions/tools used in SAP BW. By no means is this a comprehensive list but the transactions referred to here are certainly among the more common ones and needed almost on a daily basis. We have already mentioned that BW security is different from ECC as the security requirements in an OLAP environment are significantly different from an OLTP system. However other than the reporting transactions which use the OLAP security model, SAP BW also contains a huge number of transactions, typically dealing with administration of the BW system or SAP Basis, which continue to use the conventional authorization model using authorization model.

We start our discussion by looking at the BW Administrator Workbench (transaction RSA1) – The administrator workbench is the central cockpit used for the administration of almost the entire BW system. As shown below, the RSA1 main screen can be divided into three general areas. The extreme left area, allows us to chose BW modelling components like Infoproviders, InfoObjects, InfoSources and DataSources. All of these components form part of the ETL (extraction, transformation and loading) concepts in SAP BW. Choosing any of the components, opens a view with a list of objects of the said type in the middle portion of the RSA1 screen. For example, if the component InfoProviders has been chosen, the main screen area shows a list of InfoProviders built in the specific BW installation. Individual BW components represented by different icons, the double diamonds being InfoAreas, the cubes being InfoCubes and the cylinders being Operational Data Store (ODS) objects. InfoAreas are not InfoProviders themselves but help to group similar InfoCubes under them. Other than InfoCubes, ODS objects, Multicubes and Infosets are other types of InfoProviders which can be encountered.

RSA1 - Initial Screen
RSA1 - Initial Screen

Right-clicking on an InfoProvider/InfoArea opens up a context menu which allows us to carry out different operations on the said object. For example we can create a new InfoProvider or change/display an existing one. The details of the chosen InfoProvider is now displayed in the right-most portion of the screen.

An InfoCube in general is made up of a number of information units called InfoObjects. These store data about the objects that are reported on. We can display a list of infoobjects defined in the system by choosing the InfoObjects option from the left hand screen as shown below. A right click on an individual InfoObject and following the options in the context menu allows us to display/change details for an InfoObject. InfoObjects can be of two types, Characteristics and Keyfigures. For example an InfoCube which stores sales data will store data about Customers. In this case, Customer is an characterististic which is part of the sales cube. Monthly unit of sales or similar data will be a keyfigure. As we can appreciate, Characteristic and Keyfigures store different kinds of data. They appear differently in reports and are secured through means. From the security standpoint, the fact whether we can selectively control access to an InfoObject is controlled by the contents of the Authorization Relevant flag in the explorer tab for an InfoObject. In the screen below, InfoObject 0COSTCENTER is marked as authorization relevant.

RSA1 - display infoobject
RSA1 - display infoobject

InfoObjects in turn can also have their own attributes. Following the earlier example, the InfoObject Customer would have attributes like Customer Address, Bank Details, Tax number etc. The following screen shows the the attributes of InfoObject 0COSTCENTER. We can observe that the attributes can be two types, Display attributes (DIS) and Navigational Attributes (NAV).Security for a navigational attribute can be enabled by switching on the authorization relevant flag shown in the screen below. The latest version of BW (BI 7) allows Navigational Attributes to be secured differently from the base InfoObject. Thus BI 7 can allow different security for InfoObject 0COMP_CODE and the navigational attribute 0COSTCENTER_0COMP_CODE depending on requirements.

RSA1 - Display nav attributes
RSA1 - Display nav attributes