Sie sind auf Seite 1von 25

Beginners Guide on BI Security

Applies to:

SAP Business Intelligence 7.0 For more information, visit the Security homepage.

7.0 For more information, visit the Security homepage . Summary In this unit we will focus

Summary

In this unit we will focus only the options for securing SAP BI administrator and the system security requirements for BI.Here it will List the types of tasks required by administration users and describe how to secure those tasks.

Author: Ashok Dalai

Company: Intelligroup Inc

Created on: 06 October 2008

Author Bio

Ashok Dalai has more than 3 and half years of experience. He has good understanding of SAP R3 and NetWeaver Components. He worked in r3 security, BI security and CRM security and currently working for Intelligroup Inc as a Basis Consultant.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com |

BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Table of Contents

Course

Overview

 

3

Securing Data Warehousing Workbench Objects

4

Data Warehousing Objects Secured with S_RS_ADMWB

4

Authorization

Object

S_RS_ICUBE

6

Authorization

Object

S_RS_DS2

9

Authorization

Object

S_RS_DTP

10

Authorization

Object

S_RS_ISNEW

11

Authorization Object S_RS_ISRCM

13

Authorization

Object

S_RS_TR

14

Authorization

Object

S_RS_IOBJ

15

Securing Process Chains

16

Authorization Object S_RS_OHDST

17

Securing Master Data and Documents

18

Securing BI Documents

20

System Communication Security

21

BI Security

Setup

21

Other SAP Security Set Up

21

RFC Destinations

22

Using the <RFC_DESTINATION>_DIALOG Destination

23

Related Content

24

Disclaimer and Liability Notice

25

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Course Overview

There are two major types of authorizations in BI. One type focuses on Administrative users and another type focuses on Reporting users. Authorizations for Administrative users in many ways Parallel to mySAP ERP security, but securing BI reporting users is much different. In this unit we will focus only the options for securing SAP BI administrator and the system security requirements for BI. Here it will List the types of tasks required by administration users and describe how to secure those tasks.

1. Explain how to secure Data Warehousing Workbench objects such as InfoProviders, Data Transfer

2. Processes, DataSources, Open Hub Destinations and Process Chains.

3. Explain how to protect maintenance of Master Data and Documents.

4. Briefly describe how to secure Information Broadcasting distribution and Data Mining Objects.

5. Explain the required security set up for communication between BI and other systems.

6. Explain the RFC destinations required.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Securing Data Warehousing Workbench Objects

BI Administrators must have access to DataWarehousing Workbench objects, such as InfoProviders, Data Transfer processes, Process Chains, Reporting Agent objects, Open Hub destinations, and DataSources. Administrators must also create and maintain many other DataWarehousing objects. Authorization object S_RS_ADMWB protects these objects. There are only 2 fields attached to this authorization object: Data Warehousing object, and activity. However, this authorization object secures many different Data Warehousing objects.

object secures many different Data Warehousing objects. Data Warehousing Objects Secured with S_RS_ADMWB •
object secures many different Data Warehousing objects. Data Warehousing Objects Secured with S_RS_ADMWB •

Data Warehousing Objects Secured with S_RS_ADMWB

SourceSys Source system

InfoObject InfoObject

Monitor Monitor

ApplComp Application component

InfoArea InfoArea

Workbench Data Warehousing Workbench

Settings Settings

MetaData Metadata

InfoPackag InfoPackage and InfoPackage group

RA_Setting Reporting Agent setting

RA_Package Reporting Agent package

DOC_META Documents for metadata

DOC_MAST Documents for master data

DOC_HIER Documents for hierarchies

DOC_TRAN Documents for transaction data

DOC_ADMIN Administration of document storage

CONT_ADMIN Administration of BI Content systems

CONT_ACT Installation of BI Content

BR_SETTING Broadcast settings (not including your own settings, which have one of the following distribution types: Broadcast E-Mail, Broadcast to Portal, Broadcast to Printer)

USE_DND Drag and drop to InfoAreas and application components

Note: For authorizations at naming convention level, you need to note the following:

User A can edit InfoProviders that lie in InfoAreas with prefix /AB/. User A cannot edit an InfoProvider that lies in InfoArea /CD/. However, if the user has drag and drop authorization, the user can move the InfoProvider from /CD/ to /AB/ and edit it from there.

CNG_RUN Attribute change run

REMOD_RULE Modeling Rule "Modeling Rule" for the remodeling tool

IMG_BI BI-relevant activities in the IMG (Customizing)

OLAP_CACHE OLAP cache objects

BIA_ZA BI accelerator monitor checks and activities

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Activity:

Specifies whether you are permitted to display or maintain a subobject

Display Source System (Activity = 03)

Display InfoObject (Activity = 03)

Display Monitor (Activity = 03)

Display Reporting Agent Setting (Activity=03)

Display Reporting Agent Package (Activity=03)

Display Documents for Metadata (Activity=03)

Display Documents for Master Data (Activity=03)

Display Documents for Hierarchies (Activity=03)

Display Documents for Transaction Data (Activity=03)

Maintain Source System (Activity = 23)

Maintain Application Component (Activity = 23)

Maintain InfoArea (Activity = 23)

Maintain InfoObject (Activity = 23)

Maintain Settings (Activity = 23)

Maintain InfoPackage (Group) (Activity = 23)

Maintain Reporting Agent Setting (Activity=23)

Maintain Reporting Agent Package (Activity=23)

Maintain Documents for Metadata (Activity=23)

Display Documents for Metadata (Activity=03)

Maintain Documents for Master Data (Activity=23)

Display Documents for Master Data (Activity=03)

Maintain Documents for Hierarchies (Activity=23)

Display Documents for Hierarchies (Activity=03)

Maintain Documents for Transaction Data (Activity=23)

Display Documents for Transaction Data (Activity=03)

Manage Document Storage (Activity=23)

Manage Content Systems (For example, Switch to Content System) (Activity=23)

Install BI Content (Activity = 63)

Display Broadcast Settings (Activity=03)

Execute Broadcast Settings (Activity=16)

Maintain Broadcast Settings (Activity=23)

Execute Data Warehousing Workbench (Activity = 16)

Update Metadata (Activity = 66)

Drag and drop to InfoAreas and Application Components in the DW Workbench (Activity = 16)

Start Attribute Change Run (Activity = 16)

Display OLAP Cache Objects (Activity = 03)

Delete OLAP Cache Objects (Activity = 06)

Display BI Accelerator Monitor Check Results (Activity = 03)

Execute BI Accelerator Monitor Actions (Activity = 16)

Execute BI Accelerator Monitor Actions (Activity = 16 ) SAP COMMUNITY NETWORK SDN - sdn.sap.com |

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Beginners Guide on BI Security Authorization Object S_RS_ICUBE Authorization object S_RS_ICUBE protects Info Cubes and the
Beginners Guide on BI Security Authorization Object S_RS_ICUBE Authorization object S_RS_ICUBE protects Info Cubes and the

Authorization Object S_RS_ICUBE

Authorization object S_RS_ICUBE protects InfoCubes and the InfoCube sub-objects. Using this authorization object, you can restrict work with the InfoCubes or their subobjects.

The object contains four fields

InfoArea:

o Here you enter the InfoArea key for which the user can edit InfoCubes.

InfoCube:

o A user is permitted to edit the InfoCubes that you specify here.

Notes on InfoCube:

o

You use this subobject to specify the part of the InfoCube that the user is permitted to edit. The following subobjects exist:

o

Definition - Definition

o

UpdateRule - Update rules

o

Aggregate - Aggregate

o

Data - Data

o

ExportISrc - Export DataSource

o

Chavlrel - Characteristic relationships (planning relevant)

o

Dataslice - Data slices (planning relevant)

o

DAP - Data archiving process (modeling)

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Activity:

Specifies whether you are permitted to display, delete, or update a subobject.

o

Display InfoCube Definition (activity = 03)

o

Display InfoCube Update Rules (activity = 03)

o

Maintain InfoCube Data (Manage InfoCube) (activity = 23)

o

Display InfoCube Aggregate (activity = 03)

o

Delete InfoCube Data (activity = 06)

o

Maintain InfoCube Definition (activity = 23)

o

Maintain InfoCube Update Rules (activity = 23)

o

Maintain InfoCube Aggregate (activity = 23)

o

Maintain InfoCube Export DataSource (activity = 23)

o

Update InfoCube Aggregate (activity = 66)

o

Display InfoCube Characteristic Relationships (activity = 03)

o

Maintain InfoCube Characteristic Relationships (activity = 23)

o

Deactivate InfoCube Characteristic Relationships (activity = 63)

o

Display InfoCube Data Slices (activity = 03)

o

Maintain InfoCube Data Slices (activity = 23)

o

Deactivate InfoCube Data Slices (activity = 63)

o Deactivate InfoCube Da ta Slices (activity = 63 ) SAP COMMUNITY NETWORK SDN - sdn.sap.com

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Beginners Guide on BI Security Some other important authorization object re lated to Data Warehousing Workbench
Beginners Guide on BI Security Some other important authorization object re lated to Data Warehousing Workbench

Some other important authorization object related to Data Warehousing Workbench objects.

object re lated to Data Warehousing Workbench objects. SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Authorization Object S_RS_DS2

Authorization to secure datasources is S_RS_DS2. Using this authorization object, you can restrict work with the new DataSource or its subobjects.

The object contains three fields:

DataSource: Enter the name of the DataSource that a user is allowed to edit.

Source System: Specify the name of the source system for which a user is allowed to edit DataSources.

DataSource Subobject: When you specify a subobject, you specify the part of the DataSource that the user is permitted to edit. There are the following subobjects:

o

DEFINITION: Definition

o

DATA: Data

o

INFOPACK: InfoPackage

Activities:

o

Display DataSource definition (activity = 03)

o

Maintain DataSource definition (activity = 23)

o

Display PSA data (activity = 03)

o

Maintain PSA data (activity = 23)

o

Delete PSA data (activity = 23)

o

Request data (activity = 49)

o

Display DataSource InfoPackage (activity = 03)

o

Maintain DataSource InfoPackage (activity = 23)

03) o Maintain DataSource InfoPackage (activity = 23) SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Beginners Guide on BI Security Authorization Object S_RS_DTP The authorizations assigned for the Data Transfer Process
Beginners Guide on BI Security Authorization Object S_RS_DTP The authorizations assigned for the Data Transfer Process

Authorization Object S_RS_DTP

The authorizations assigned for the Data Transfer Process (DTP) object, S_RS_DTP, have a higher priority than the authorizations for the underlying objects. Users that have a DTP authorization for a source/target combination do not need read authorization for the source object or write authorization for the target object to execute the DTP.

With this authorization object you can restrict work with the data transfer process (DTP).

The object contains seven fields:

Type of Source: Specify the type of source here that which a user can create a DTP

Subtype of the Source: Here, specify the subtype of the source for which a user can create a DTP.

Source: Specify the name of the source for which a user can create a DTP

Type of Target: Specify the type of target here for which a user can create a DTP

Subtype of the Target: Specify the subtype of the target for which a user can create a DTP.

Target: Specify the name of the target for which a user can create a DTP

Activities:

o

Display DTP definition (activity = 03)

o

Maintain DTP definition (activity = 23)

o

Execute DTP (activity = 16)

Note that the subtypes currently only exist for the type InfoObject. Possible alternatives are ATTRIBUTES, and

HIERARCHIES.

If no InfoObject was selected as type the standard setting '*' is to be selected.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

The authorizations assigned for the DTP object have a higher priority than the authorizations for the underlying TLOGO objects. Users that have DTP authorization for a source/target combination, thus require no read authorization for the source object and no write authorization for the target object for execution of the DTP.

for the target object for execution of the DTP. Authorization Object S_RS_ISNEW Authorization to secure

Authorization Object S_RS_ISNEW

Authorization to secure InfoSource is S_RS_ISNEW. (Release > BW 3.x)

The authorization object includes three fields:

Application component: Enter the key for the application component here for which a user can edit InfoSources.

InfoSource: Specify the InfoSources here that a user can edit.

Activities:

Display InfoSource (Activity = 03)

Maintain InfoSource (Activity = 23)

(Activity = 03) Maintain InfoSource (Activity = 23) You can use the authorization object S_RS_ISOUR to

You can use the authorization object S_RS_ISOUR to restrict the handling of InfoSources with flexible updating and their subobjects.

The authorization object contains four fields:

Application component: Enter the application component key here for which a user is allowed to edit InfoSources.

InfoSource: Enter the InfoSources with flexible updating the user is allowed to edit here.

Subobject for InfoSource: You use the subobject to specify the part of the InfoSource that the user is allowed to edit.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

The following subobjects exist:

o

Definition Definition

o

CommStruc Communication structure

o

TrnsfrRule Transfer rules

o

Data Data

o

InfoPackag InfoPackage

o

MetaData Metadata

Activity: Determines whether you are allowed to display maintain, request or update a subobject:

o

Display InfoSource definition (Activity = 03)

o

Display InfoSource communication structure (Activity = 03)

o

Display InfoSource transfer rules (Activity = 03)

o

Display InfoSource data (Activity = 03)

o

Maintain InfoSource definition (Activity = 23)

o

Maintain InfoSource communication structure ,(Activity = 23)

o

Maintain InfoSource transfer rules (Activity = 23)

o

Maintain InfoSource InfoPackage (Activity = 23)

o

Maintain InfoSource data (Activity = 23)

o

Delete InfoSource data (Activity = 06)

o

Request InfoSource data (Activity = 49)

The display and maintenance of the InfoSource data is checked in the PSA tree and in the monitor.

.
.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Beginners Guide on BI Security Authorization Object S_RS_ISRCM Authorization object S_RS_ISRCM you can restrict handling
Beginners Guide on BI Security Authorization Object S_RS_ISRCM Authorization object S_RS_ISRCM you can restrict handling

Authorization Object S_RS_ISRCM

Authorization object S_RS_ISRCM you can restrict handling of InfoSources with direct updating (for master data) or with their subobjects.

The object contains four fields:

Application components: Here you enter the application component key for which a user is allowed to edit master data InfoSources.

InfoSource: A user is allowed to edit the master data InfoSources you specify here.

Subobject for the InfoSource: You can use the subobject to specify the part of the InfoSource the user is allowed to edit.

The following subobjects are available:

o

TrnsfrRule Transfer rules

o

Data Data

o

InfoPackag InfoPackage

o

MetaData Metadata

Activity: Determines whether you are allowed to display, maintain, request or update a subobject:

o

Display InfoSource transfer rules (Activity = 03)

o

Display InfoSource data (Activity = 03)

o

Maintain InfoSource transfer rules (Activity = 23)

o

Maintain InfoSource InfoPackage (Activity = 23)

o

Maintain InfoSource data (Activity = 23)

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com |

BOC - boc.sap.com

Beginners Guide on BI Security

o

Delete InfoSource data (Activity = 06)

o

Request InfoSource data (Activity = 49)

Display and maintenance of InfoSource data is checked in the PSA tree and in the Monitor.

data is checked in the PSA tree and in the Monitor. Authorization Object S_RS_TR With the

Authorization Object S_RS_TR

With the authorization object S_RS_TR you can restrict working with the transformations.

The object contains seven fields:

Type of Source: Enter the type of source here for which a user can create a transformation

Subtype of Source: Specify the subtype of the source here for which a user can create transformation rules.

Source: Enter the name of the source for which a user can create a transformation.

Type of Target: Specify the type of target for which a user can create a transformation here

Subtype of Source: Specify the subtype of the target for which a user can create a transformation.

Target: Specify the name of the target for which the user can create a transformation

Activities:

o

Display transformation rules (Activity = 03)

o

Maintain transformation rules (Activity = 23)

Note: That subtypes only exist for the TLOG type InfoObject. Possible alternatives are "ATTRIBUTES", "TEXTS" and "HIERARCHIES".

If no InfoObject was selected as a TLOGO type the standard setting '*' should be selected

type the standard setting '*' should be selected SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Authorization Object S_RS_IOBJ

You can use the authorization object S_RS_IOBJ to restrict how users work with InfoObjects and their sub- objects.

The object has four fields:

InfoObjectCatalog: This is where you specify the key of the InfoObject catalog that a user is authorized to work with.

InfoObject: A user is authorized to work with the InfoObjects that you specify here.

Sub-object of the InfoObject: You use the sub-object to specify the parts of the InfoObject that a user is permitted to work with.

There are the following sub-objects:

o

Definition

o

UpdateRule

Activity: Determines whether a user is allowed to display, delete, maintain, or update a sub-object.

o

Display InfoObject-Definition (Activity = 03)

o

Maintain InfoObject-Definition (Activity = 23)

o

Display InfoObject-Update Rules (Activity = 03)

o

Maintain InfoObject-Update Rules (Activity = 23)

Note: This authorization object is checked only if the user is not authorized to maintain or display InfoObjects (authorization object: S_RS_ADMWB-InfoObject, activity: maintain/display)

object: S_RS_ADMWB-InfoO bject, activity: maintain/display) SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX -

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Securing Process Chains

For the administration processes that are included in a process chain, authorization for authorization object S_RS_ADMWB is required.

for authorization object S_RS_ADMWB is required. To create and maintain process chains, authorization for
for authorization object S_RS_ADMWB is required. To create and maintain process chains, authorization for

To create and maintain process chains, authorization for authorization object S_RS_PC is required. This authorization object determines whether process chains can be displayed, changed or executed, and whether logs can be deleted.

The object includes four fields:

Process chain:

o Here you enter the name of the process chain that a user can edit.

Application Components:

o Here you enter the name of the application components the process chains of which a user can edit.

Subobject of the process chain:

o

With the subobject, you specify the part of the process chain that can be edited by the user. The following subobjects exist:

o

Definition - Metadata of process chain

o

Protocols - Protocols of process chains

o

Runtime

- Execution of process chain

Activity:

Determines whether you can display, delete or maintain a subobject.

o

Display process chain definition (activity = 03)

o

Maintain process chain definition (activity= 23)

o

Delete protocols for a process chain (activity = 06)

o

Execute or schedule a process chain (activity = 16)

SAP COMMUNITY NETWORK

SDN - sdn.sap.com |

BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Beginners Guide on BI Security Authorization Object S_RS_OHDST With the authorization object S_RS_OHDST you can rest

Authorization Object S_RS_OHDST

With the authorization object S_RS_OHDST you can restrict working with an Open Hub Destination or its subobjects.

The object contains four fields:

Open Hub Destination:

o Here you enter the name of the Open Hub Destination that a user can edit.

Logical Target System for Open Hub:

o Here you enter the name of the logical target system for which a user can edit the Open Hub Destinations.

Subobject for Open Hub Destination:

o

With the subobject, you specify the part of the Open Hub Destination that can be edited by the user. The following subobjects exist:

o

Definition - Metadata for the Open Hub Destination

o

Data - Data

Activity:

Determines whether you are allowed to display, delete or maintain a subobject.

o

Open Hub Destination- Display definition (Activity = 03)

o

Open Hub Destination-Maintain definition (Activity= 23)

o

Display data for an Open Hub Destination (Activity = 03)

o

Maintain data for an Open Hub Destination (Activity= 23)

Maintain data for an Open Hub Destination (Activity= 23) SAP COMMUNITY NETWORK SDN - sdn.sap.com |

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Securing Master Data and Documents

In order to be able to change or display master data, authorization checks are made. Authorization assignments and checks are defined by characteristic, or by characteristic value.

are defined by charac teristic, or by characteristic value. To grant authorizations for characteristics, activate

To grant authorizations for characteristics, activate authorization assignment by setting Authorization Check indicator in the Master Data/Texts tab page.

The next step is to create a role with the authorizations.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Two authorization objects exist for this:

S_RS_IOMAD a blanket authorization check takes place for a characteristic.

S_TABU_LIN an authorization check takes place by characteristic value.

an authorization check takes place by characteristic value. With authorization checks by characte ristic value, the

With authorization checks by characteristic value, the system generates an organization criterion for the characteristic. The organization criterion generates a connection between table key fields and the authorization fields for the authorization object S_TABU_LIN.

Using authorization object S_TABU_LIN you are able to enter characteristic values in each key field of the master data table for which the user is to have authorization. Do this in the profile generator in role maintenance. In this way you are able to use authorizations to protect the maintenance and display of master data/ texts for this characteristic at single record level.

Characteristic values for which the user has no authorization are then not displayed in the input helps either.

To grant authorizations for characteristics, proceed as follows:

Activate authorization assignment by characteristic value by setting the Master Data Maintenance with Authorization Check indicator in the Master Data/Texts tab page. Activate the characteristic.

In Role Maintenance (Transaction PFCG): For blanket authorizations for characteristics, add authorization object S_RS_IOMAD to the role. For authorizations for single characteristic values, add authorization object S_TABU_LIN to the role.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Securing BI Documents

In order to edit documents in the Documents functional area of the Data Warehousing Workbench, the user needs authorization for the authorization object S_RS_ADMWB,

Data Warehousing Workbench Object, with the following:

Metadata: DOC_META

Authorization to display or to edit a metadata object also authorizes the user to display or edit the documents for these metadata objects. Valid activities are: 03 (display), 23 (maintain)

Master data: DOC_MAST

Authorization to display or to edit in specific master data also authorized the user to display or edit the documents for these characteristic values. Valid activities are: 03 (display), 23 (maintain)

InfoProvider data: DOC_TRAN

Authorization objects for transaction data, InfoProviders, are not delivered. They are created as required using Analysis Authorizations (RSECADMIN).

as required using Analysis Author izations (RSECADMIN). Each analysis process is only valid for the applicatio

Each analysis process is only valid for the application for which it was created. The authorizations are also assigned specific to an application and are protected with authorizations object RSANPR.

and are pr otected with authorizations object RSANPR. The only authorization necessary for the online execution

The only authorization necessary for the online execution of broadcasting settings is the authorization for the execution of the underlying reporting objects (for example, the Web template). Any user that has authorization to create background jobs also has authorization for direct scheduling in the background. The authorization object S_BTCH_NAM is required for regular scheduling in background jobs.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

System Communication Security

This lesson will discuss security regarding communication between BI and other systems.

As data is being extracted from source systems and transferred into BI, you want to ensure that the data is adequately protected. You need to understand the RFC destinations and how they are affected by security. To set up system security, you must set up security for all SAP source systems sending data to BI, in addition to setting up security on BI.

BI Security Setup

In BI, you should create a system (not a dialog) user called BWREMOTE.

BWREMOTE should have the authorization profile S_BI-WHM_RFC.

Note: S_BI-WHM_RFC is a profile, not a role.

This profile will give user BWREMOTE the access needed to extract from an OLTP system. The profile also provides the access required for staging steps to get the data into InfoCubes.

Other SAP Security Set Up

You must set up a user on each SAP system sending data to BI. This includes mySAP ERP, Customer Relationship Management (CRM), Supplier Relationship Management (SRM), Advanced Planning Optimizer (APO), R/3 or any other component SAP system that is sending data to BI. On each of these systems, you should create a system user called BWALEREMOTE.

This user should have the authorization profile S_BI-WX_RFC.

Note: S_BI-WX_RFC is a profile, not a role.

This profile will give user BWALEREMOTE the access needed to connect and send data to the BI system.

the access needed to connect and send data to the BI system. It is permissible to

It is permissible to use a different name for the users BWREMOTE and BWALEREMOTE. What matters is that the user in BI has the profile S_BI-WHM_RFC and the user in the other SAP system has the profile S_BI-WX_RFC.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

RFC Destinations

RFC (Remote Function Call) destinations tell BI where the source systems are physically located. RFC destinations on the SAP source system tell the source system where the BI system is physically located. RFC destinations define where the other systems reside and how to log on to the other systems.

systems reside and how to log on to the other systems. Setting up RFC destinations is

Setting up RFC destinations is normally not the responsibility of the security administrator. However, the security administrator normally creates the user that is used in the RFC destinations.

The following graphic shows transaction code SM59 on a BI system. This RFC destination is pointing to an SAP system by providing the location of the system and details on how to log on to that system. Whenever this RFC destination is used, you see BWALEREMOTE, who is logged on to the SAP system. The extraction program that uses the RFC destination has access to all objects to which the user BWALEREMOTE has access.

to all objects to which the user BWALEREMOTE has access. SAP COMMUNITY NETWORK SDN - sdn.sap.com

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Using the <RFC_DESTINATION>_DIALOG Destination

The RFC destination we discussed is used for data extraction. The user IDs involved should be set up as system users. A system user ID cannot log on to a system via a normal GUI screen. The user ID is only for background communication. These user IDs are used exclusively for data extraction processes. Data extraction, however, is only one of the processes that may require communication between BI and another system. For other system-to-system communication processes in BI, there is another RFC destination defined: the <RFC_DESTINATION>_DIALOG destination.

One of the features of BI reporting that relies on system-to-system communication is Query Drill-Through (also referred to as jump targets). With Query Drill-Through, the reporting user can select a line on a BI query result and jump to other queries in BI, or even to other reports or transactions in mySAP ERP. For example, the user may run a BI query showing key figures by material. If configured properly, the user could select a particular material on the report and then ask to jump to mySAP ERP and display the material master record. In this case, BI has to be able to communicate with mySAP ERP in order to log on and execute the transaction code to display the material master record. Another case where the <RFC_DESTINATION>_DIALOG destination is required involves the monitoring of the data extracted from the source systems. The BI administrator can do this from the BI system.

Status indicators from the extraction process are stored in IDOC format. In the BI Monitoring screen, there is an OLTP button. This will connect the BI administrator to mySAP ERP so that the administrator can monitor the IDOCS on that system. Whenever the SAP BW administrator selects OLTP, the RFC destination <RFC_DESTINATION>_DIALOG is invoked. The following figure depicts the screen from the monitor function where this RFC destination is being used.

monitor function where this RFC destination is being used. When setting up the RFC destination

When setting up the RFC destination <RFC_DESTINATION>_DIALOG, you have some choices regarding the user ID specified: Force the user to always log on to mySAP ERP after selecting OLTP by leaving the User field blank in <RFC_DESTINATION>_DIALOG.

Create a generic user in mySAP ERP with access to monitor IDOCS; use this user in the FC_DESTINATION>_DIALOG destination.

In the RFC destination, select Current User. This will use the current BI user's user ID to log them on to mySAP ERP.

You must decide how you want the BI user to log on to mySAP ERP from BI to perform the requested task, whether that is jumping from report to report or monitoring the IDOCS generated with data extraction. If you use Current User, the system tries to use the same user ID in BI and mySAP ERP. If this is successful, the BI user can work in mySAP ERP with the usual access rights. If the user ID does not exist in mySAP ERP, then the user will be prompted for a user ID and password.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com |

BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Related Content

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Beginners Guide on BI Security

Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com