Monday 7 December 2015

BI analysis Authorization:

Analysis Authorizations are used to secure individual InfoObjects during execution of queries. If we get a requirement of the form “the user should only be able to see sales for the US companies but not for the European ones”, Analysis Authorizations are the way forward. In this post we take a closer look at how these authorizations work and how to maintain them.
SAP provides the transaction RSECADMIN for working on different aspects of analysis authorizations. The different tabs of the transaction allow authorization maintenance, user assignment, transport and tracing of potential errors. Analysis Authorizations can also be maintained directly through the transaction RSECAUTH. In addition to the tcodes, a person needs access to the authorization object S_RSEC to work with analysis authorizations.
The figure below shows an analysis authorization to secure 0COSTCENTER.

Individual values can be maintained for 0COSTCENTER as shown below
In addition to EQ (Equals), which is used to give access to actual values as shown below, we might also use CP (Character Pattern) for wildcards or BT (Between) for ranges. Also, instead of values, individual hierarchy authorizations or user exit variables might be used for InfoObjects. In addition to actual values or hierarchies, two special characters are often used in authorizations. These are:
  • Colon (:) – Colon is used to authorize access to aggregate data. For example, a person with : for 0COSTCENTER would be able to see aggregate data for all cost centers (cost center in the free characteristics section of the query) but would get an authorization error when trying to drill down on 0COSTCENTER. Colon (:) authorization is also needed for all authorization-relevant characteristics which are not used in a query.
  • Hash (#) – While loading data into cubes, there might be some fields for which no values are maintained in the data source. Hash is used to authorize these undefined values, as otherwise full access (*) would be needed for them.
If we look at the first screenshot showing the definition of the analysis authorization, we find that in addition to 0COSTCENTER, the analysis authorization uses three other characteristics. These are:
  • 0TCAACTVT (Activity in Analysis Authorizations) – Default value 03 (display) is sufficient for reporting. However, 02 (change) is needed for using the planning functionality of BI, as planning essentially allows updating data in InfoProviders.
  • 0TCAIPROV (Authorizations for InfoProvider) – We maintain the InfoProviders for which the authorization is meant to give access. Default is *.
  • 0TCAVALID (Validity of an Authorization) – Default value is * but can be used to restrict the analysis authorization by validity dates.
It is imperative that all three of the above InfoObjects are part of at least one of the analysis authorizations assigned to a user, but it is good practice to add them to each authorization that you create.
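The value checks described above can be modelled in a few lines. This is an added, simplified illustration, not SAP code and not from the original post; the row layout and sample cost center values are constructed, CP is assumed to treat only * as a wildcard, and BT is assumed to compare keys as plain strings.

```python
import re

# Special characteristics the page says must appear in at least one of the
# user's analysis authorizations.
SPECIAL = {"0TCAACTVT", "0TCAIPROV", "0TCAVALID"}

# Constructed sample rows: (characteristic, operator, low, high).
# The cost center values are made up for illustration.
ROWS = [
    ("0COSTCENTER", "EQ", "1000", None),
    ("0COSTCENTER", "BT", "2000", "2999"),
    ("0COSTCENTER", "CP", "US*", None),
    ("0COSTCENTER", "EQ", ":", None),   # aggregated data only, no drill-down
    ("0TCAACTVT", "EQ", "03", None),    # display
    ("0TCAIPROV", "EQ", "*", None),     # all InfoProviders
    ("0TCAVALID", "EQ", "*", None),     # no validity restriction
]

def row_covers(op, low, high, value):
    """True if one authorization row covers the requested value."""
    if low == "*":                      # full access (*)
        return True
    if value in (":", "#"):             # special values need an explicit row
        return op == "EQ" and low == value
    if op == "EQ":
        return value == low
    if op == "BT":                      # assumption: plain string comparison
        return low <= value <= high
    if op == "CP":                      # assumption: only '*' is a wildcard
        pattern = ".*".join(re.escape(part) for part in low.split("*"))
        return re.fullmatch(pattern, value) is not None
    return False

def is_authorized(rows, characteristic, value):
    """value: a concrete key, ':' (aggregate view) or '#' (unassigned)."""
    return any(row_covers(op, low, high, value)
               for char, op, low, high in rows if char == characteristic)

def missing_special(rows):
    """Special characteristics absent from the user's combined rows."""
    return SPECIAL - {char for char, *_ in rows}

if __name__ == "__main__":
    for v in ("1000", "2500", "US01", "3000", ":", "#"):
        print("0COSTCENTER", v, is_authorized(ROWS, "0COSTCENTER", v))
    print("planning (02):", is_authorized(ROWS, "0TCAACTVT", "02"))
    print("missing:", missing_special(ROWS))
```

With these rows the user can see cost centers 1000, 2500 and US01 and the aggregate view, but not 3000, not unassigned (#) values, and cannot use activity 02 for planning.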
Once created, there are two ways of assigning analysis authorizations to users.
  • Direct Assignment – Direct assignment of analysis authorizations to users is possible by following the path RSECADMIN >> User >> Assignment, which calls transaction RSU01.
  • Assignment through roles – SAP provides the authorization object S_RS_AUTH with the single field BIAUTH. Individual analysis authorization values can be maintained for this field and added to the users’ roles.

BW Security (Authorizations)
The following are some of the relevant SAP BW Security T-codes.

| Transaction Code | Description |
|---|---|
| RSA1 | Transaction RSA1 is the main transaction for administrative functions in SAP BW (Administrator Workbench) |
| RSD1 | This transaction code can be used to mark objects as relevant for authorization (InfoObject Maintenance) |
| RSSM | This transaction code can be used to create and modify authorization objects in SAP BW |
| RSZV | This transaction code is used to create or modify the variables for authorization checks (Variable Maintenance) |
| RRMX | Business Explorer is the reporting tool in SAP BW and is used for analyzing data |
| GLOBAL_TEMPLATES | Templates for modelling and evaluating data |


How to Activate Authorizations in BW:
The following steps explain how to activate the authorizations in BW.
  1) Mark InfoObject as relevant for authorization tcode => RSD1
  2) Create report authorization object tcode => RSSM
  3) Select InfoCubes tcode => RSSM
  4) Manually integrate authorization object in role tcode => PFCG
  5) Change / maintain authorization values tcode => PFCG
  6) Assign role to user tcode => PFCG or via Central User Administration

Hierarchical Authorizations in BW
The following steps describe how to control authorizations for hierarchies.
  1) Transfer and activate InfoObject 0TCTAUTHH tcode => RSD1
  2) Mark InfoObject 0TCTAUTHH as relevant for authorization tcode => RSD1
  3) Mark leaf InfoObject as relevant for authorization tcode => RSD1
  4) Create authorization objects with 0TCTAUTHH and leaf InfoObject tcode => RSSM
  5) Define hierarchical authorizations tcode => RSSM
  6) Manually integrate authorization object in role tcode => PFCG
  7) Maintain authorization values tcode => PFCG
  8) Assign role to user tcode => PFCG or via Central User Administration
For extracting structural authorizations from HR (mySAP ERP HCM) and mapping them in SAP BW to maintain consistency between the two systems, the tables of interest are:
  1) T77PR - for structural authorization profiles
  2) T77UA - for user assignments
  3) T77UU - for users (in this table you can select the users for extraction. You can select either all or specific users)

Structural Authorizations in SAP BW

The following steps show how structural authorization is enforced in SAP BW.
The following steps are to be carried out in the mySAP ERP HCM system.
  1) Call program RHBAUS02 for uploading table T77UU and enter users.
  2) Call program RHBAUS00 for generating an index for the structural authorization profile.
  3) Activate DataSource 0HR_PA_2.

The following steps are to be carried out in the SAP BW system.

  1) Replicate DataSource 0HR_PA_2
  2) Activate ODS InfoProvider 0HR_PA_2
  3) Create an InfoPackage to perform an extraction for 0HR_PA_2
  4) Load ODS data from mySAP ERP HCM
  5) Mark InfoObjects as relevant for authorization (in order to use structural authorizations in SAP BW, all characteristic values like position, employee etc. which are relevant to reporting should be marked as authorization-relevant InfoObjects)
  6) Create reporting authorization objects
  7) Link authorization objects to InfoCubes
  8) Call program RSSB_Generate_Authorizations.

Sunday 6 December 2015

Developer Key Generation & S User ID Creation

Developer Key Generation

1. Go to service.sap.com 
    Click SAP Support Portal

2. Select Keys & Requests

3. Select SSCR keys

4. Register Developer - to get a developer key (give your SAP user ID). A developer key will be generated for your SAP user ID.
    Select Installation and click Register.
    (A "Register successful" message is shown below.)
    Click Cancel.

5. Then go to Developers Registered by Me.

6. Register Object - to get an object key (give your SAP user ID). An object key will be generated for your SAP user ID.


S User ID Creation


1. Go to service.sap.com 
    Click SAP Support Portal

2. Select Data Administration
  
3. Select User Data
    In User Data Maintenance
    Click Request New Users
    Give Surname, First Name, Telephone Number (without the country code, which is taken from the customer master data) and Email, and click Save.
Please note that it takes a few hours for replication to complete.

Any doubts? Please watch: https://youtu.be/cbFhto4sJek

Basic BI Security

The primary activities in BI are displaying data and analyzing results. The end user will only be analyzing data, not updating it.
Security in BI:
The security function in BI does not put the focus on transaction codes or activities. Instead it focuses on the data itself. The security function in BI focuses on:
·          InfoAreas
·          InfoProviders (InfoCubes, DataStore Objects)
·          Queries
BI is focused on what data a user can access. This may be controlled at the field level, or it may be controlled at the InfoProvider level. The InfoProvider is a category of objects that can provide data to a query, such as InfoCubes and DataStore Objects. The InfoCube or DataStore Object holds the summarized data that the user can then analyze. Query results are based on the data in the InfoProvider.
There are two major types of authorization in BI. One type focuses on administrative users (S_RS_ADMWB) and the other on reporting users (S_RS_COMP).
Analysis Authorization:
If you restrict a user to certain InfoCubes, this may be an easy way to set up and maintain authorizations, but it restricts access severely: users can access either ALL the data in an InfoCube or NO data in the InfoCube.
For securing reporting users, you may want to define authorizations at a much lower level than the InfoCube.
The options for authorization include:
·          InfoCube level: restrict at the InfoCube level
·          Characteristic level: restrict access to all values for a particular characteristic
·          Characteristic value level: restrict access to certain values of a particular characteristic
·          Key figure level: restrict access to certain key figures
·          Hierarchy node: restrict access to certain nodes of a hierarchy
Securing Data Access for Reporting Users:
You have restricted access for reporting users by InfoCube. A sales manager can run any query created for the InfoCube. However, each sales manager is responsible for a specific division. Although all sales managers can run the same query, the result should be displayed only for their assigned division. You need to enable a reporting user to query data by their assigned division.
Minimum Authorization Requirements for a Reporting User:
·          Analysis authorization for an InfoProvider
·          S_RS_COMP (activities 03, 16)
·          S_RS_COMP1 (query owner)
·          S_RFC (BEx Analyzer or BEx Browser only)
·          S_TCODE (RRMX for BEx Analyzer)
·          S_RS_AUTH
A reporting user must have authorization for the S_RS_COMP and S_RS_COMP1 authorization objects as well as analysis authorization for the InfoProvider on which the query is based.
In addition, if the reporting user will be using the BEx Analyzer reporting tool, they will need authorization for objects S_RFC and S_TCODE with authorization for transaction code RRMX.
Task 1:
Create a role: go to PFCG, enter a role name (e.g. SALES_AUTH_MP) and click Single Role.
Go to the Authorizations tab and select Change Authorization Data.
Provide the details of your InfoArea, InfoCube and query, then click Save and Generate.
Create a user: go to SU01 and create sales manager north (sales north).
Add details to the user and assign an initial password to the user.
In the Roles tab, assign the role to the user.
Log on to the BEx Analyzer with your user ID and execute your query. In the query result, drill down by division. Notice that you have access to several divisions.
Task 2:
Ensure that the InfoObject Division is marked as authorization relevant.
Task 3:
Go to RSECADMIN, select the Authorizations tab and click Maintenance.
Create authorization ZDIVNT and press the Create button.
Enter "Secure by division" as the short, medium and long text.
Insert a row by pressing the + icon.
Highlight the row with Division, choose Details, and insert a row by pressing the + icon.
Select I in the Including/Excluding column.
Select EQ in the Operator column.
Enter North in the characteristic From column.
Save and press the green arrow back.
Choose Insert Special Characteristics: the special characteristics (0TCAACTVT (Activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (Validity)) should now be added to your analysis authorization.
Save. Return to the management of analysis authorizations (green arrow back).
Assign your reporting user to your analysis authorization, ZDIVNT. By assigning your reporting user to your new analysis authorization, that user will have access only to division North (Pumps).
Choose the User tab and choose Assign.
In the User field, enter your reporting user ID and choose Change.
In the Authorization section, enter the name ZDIVNT and press Insert.
Save and return to the SAP menu (green arrow back, green arrow back).
Go to PFCG, select the Authorizations tab and click Change Authorization Data. Expand Business Information Warehouse, expand BI Analysis Authorization Data and enter the input for the authorization object.
Task 4:
Log in to the BEx Analyzer with your administration user ID.
Select your query (Z_MP_AUTH_REP). Once the query is open, select it, then choose Tools → Edit Query from the BEx toolbar.
Open the Query Designer and press the Filter button.
From the context menu for Division, choose Restrict.
In the dialog that opens, choose Variable.
Highlight Z_DIVI (Division) and copy it to the selection list on the right by pressing the right arrow. Press OK and then save.
Save the query, press OK, and return to the BEx Analyzer.
If you leave Division blank, your query will display all the divisions during drill-down. If you select a specific division, only that division will display during drill-down. Leave Division blank. When the query results are displayed, choose Filter and double-click Division. You should see all divisions in the drill-down (Division: East, West, North, South).
As your reporting user, execute your report query, Z_MP_AUTH_REP. Select Pumps at the variable prompt. When the query displays, drill down on Division. You should see only division North.

Any doubts? Please watch: https://youtu.be/NeKQdGnStVE