
Analysis Authorizations for Supporters

Peter John
Security & Development, NW BI, SAP AG

General information and comparison 3.x/7.x
Coding and breakpoints
Authorization protocol
Switch back to old authorizations

General information and comparison 3.x/7.x

General remarks
Read the documentation, please. Read the additional documentation on http://olap:1080/security/ -> 7.x material (steadily increasing).

Read notes 820183 (typical pitfalls for beginners) and 923176 (upgrade information).

SAP AG 2005, Analytics Security for Supporters / Peter John/ #

New infrastructure
No auth objects for reporting and analysis any more (do not use the word "auth object" for these authorizations any more). Authorizations are pure BI objects; the link to profiles is made via the new auth object S_RS_AUTH (one field only: the name of the BI authorization). Overview in RSU01.

New transactions (integrated in the main transaction RSECADMIN):
RSUDO (replacing RSSMQ; execute as another user, with or without protocol)
RSU01 (user maintenance; jump to RSECAUTH possible by double-clicking the authorization name)
RSECAUTH (authorization maintenance)
RSECPROT (authorization protocol)
All activities are controlled by auth object S_RSEC (see the SU21 documentation of the object).

New HTML/XML-based authorization protocol. Generation simplified. Migration tool (3.x -> 7.0): SE38 -> RSEC_MIGRATION.

RSECADMIN and underlying transactions
RSUDO
RSECPROT
RSECAUTH
RSU01
SU01
PFCG

Maintenance authorizations: S_RSEC
SU21 -> documentation of S_RSEC

New: all analysis auths are contained in the artificial auth 0BI_ALL (not changeable; updated after every InfoObject change -> see also note 820183).
Via S_RS_AUTH = * it is automatically integrated in SAP_ALL (sometimes issues: see note 820183).

Differences I
Important differences: 3 new special characteristics. All users must have authorizations on them! Otherwise: no authorization.

0TCAIPROV (which InfoProvider is authorized); combinable with 0TCAIFAREA to define hierarchy auths on 0TCAIPROV that authorize InfoAreas.
0TCAACTVT, activity, e.g. read (03), change (02), for integrated planning (uses the same auths as normal queries).
0TCAVALID, validity: a complex time period stating whether an auth is valid or not.
=> No check on S_RS_MPRO, S_RS_ISET, S_RS_ODSO, S_RS_ICUBE (mapped by authorizations on 0TCAIPROV).

1KYFNM is replaced by 0TCAKYFNM as a normal InfoObject. Fully integrated hierarchy auths => no hierarchy auth definitions on 0TCTAUTHH any more; no check on S_RS_HIER (processed by hierarchy auths only).

Differences II
No restriction to 10 fields/InfoObjects in the auth definition any more. The number is limited, however, in the query to 10 auth-relevant chars! E.g. 0BI_ALL may have many chars (have a look at it in RSECAUTH).

Experts:
No compatibility modes/switches any more.
Referencing chars with hierarchies and navigational attributes simply need their own auths (normal-char assumption).
Navigational attributes are normal chars and need to be authorized as normal chars; also possible with hierarchy auths.

Coding and breakpoints

New program code
Coding: everything completely redesigned and re-coded. Package RSEC; almost everything starts with RSEC in its name (transactions, function modules, programs etc.).

The structure of the code entries is almost identical to 3.x: switches in the old modules; the default breakpoints stop in the old or the new coding depending on the switch state.

Function groups:
RSEC_SCREENS: GUI coding
RSEC_CHECKS: auth checking
RSEC_GENERATION: automatic generation of BI auths
RSEC_MIGRATION: coding for the migration 3.x -> 7.0

Query and auth checks (flow with default break-points)

Query start: the first call triggers buffer filling: FORM fill_auth_buffer, global g_thx_auth_buffer, RSEC_GET_AUTH_ATR_FOR_USER (break-point 6)
Usually variables/F4: RSEC_GET_AUTH_FOR_USER (break-point 3), RSEC_GET_AUTH_HIER_FOR_USER (break-point 4)
Planning: goes through the same break-points
RRS_REPORT_INIT_CHECK -> RSEC_AUTHORITY_CHECK_IPROV: rough check on InfoProvider (0TCAIPROV) and activity (0TCAACTVT); no auth for the InfoProvider = EYE 001 (break-point 1)
RSEC_AUTH_GET_IOBJ_RELEVANT (break-point 5)
RSEC_AUTHORITY_CHECK_SELECTION: detailed check on InfoObjects etc.; result or no auth (EYE 007) (break-point 2)
Navigational steps run the checks again.

Default break-points (1 to 6)

You can check whether everything goes right by looking at the break-points in the following order, which corresponds to what is most relevant and to what happens in query processing:
For value help issues: break-points 3 or 4, respectively
For no-auth issues and related: break-points 1, 5, 2
If you suspect the buffer is wrong or want to see information fast: break-point 6 (see the next pages and the protocol)

Breakpoints and performed auth checks
Break-point 1 (also in protocol): rough check on access to the InfoProvider. Is there any auth on this cube at all (valid for today)? Only checks the InfoProvider 0TCAIPROV and the activity in 0TCAACTVT (more than once in planning scenarios). The detailed check may still fail later. Just F7 to get the result in sy-subrc; if no auth -> message EYE 001.

Relevant characteristics
Break-point 5 (also in protocol): RSEC_AUTH_GET_IOBJ_RELEVANT. After execution (F7), e_th_chanm contains the list of chars that must be authorized in the detailed checks: the effectively relevant chars, i.e. the auth-relevant chars in the cube minus those for which the user has * auths (which need not be checked any further). Just F7 to get the result list in e_th_chanm.

Detailed check
Break-point 2 (also in protocol, which is better readable unless there is a dump or errors): RSEC_AUTHORITY_CHECK_SELECTION (was RSSB_AUTHORITY_IOBJVL_CHECK in 3.x). Check and preparation of the comparison selection vs. authorization; extension of the selection by checks on aggregation (:); detailed check; main processing in the encapsulated function module RSEC_AUTHORITY_CHECK_SUBNR (coding and processing very different from 3.x). No auth -> message EYE 007 ("golden eye"); no BRAIN messages any more. Also look at the parameter descriptions in the function module. Just F7 in a first run to see the result, then find out why (e.g. dump).

Value help
Break-point 3 (also in protocol): value auths (usually for value help) for an InfoObject. e_t_rangesid contains an interval-like list of authorized values. If i_separate_leaves is set to true, the leaves of a hierarchy auth are listed separately as SIDs (>0) in e_t_leaves_sids. If ignore_hierarchy is set to true, no leaves are added. Also look at the parameter descriptions in the function module.

Value help for hierarchies
Break-point 4 (also in protocol): e_ts_node contains the authorized nodes; e_ts_auth_values_hierarchy contains all hierarchy authorizations for the current InfoObject (also those not displayed etc.). Also look at the parameter descriptions in the function module.

Fill buffer and g_thx_auth_buffer
Break-point 6 (also in protocol): called often, so stop here only if necessary; the buffer is always available. Filling of the global buffer variable g_thx_auth_buffer in FORM fill_auth_buffer in function group RSEC_CHECKS. g_thx_auth_buffer is available in all function modules of RSEC.

Structure:
INFOCUBE: key; authorizations for this cube
UNAME: key; for this user (might be different from sy-uname!)
TH_CHANMID: authorization-relevant chars (same as break-point 5 / RSEC_AUTHORITY_GET_RELEVANT)
TH_CHANM_AST: chars for which there is any * authorization for the user (not necessarily everywhere); useful for value help
THX_AUTHS: complete relevant authorizations for today and this InfoCube
TH_COB_PRO: properties of all InfoObjects in the InfoCube

Authorization protocol

Authorization protocol: tx RSECPROT
All process blocks that are represented by break-points appear here as well, in human-readable form as HTML. Logging: via RSUDO and a flag, or permanently via RSECPROT.

RSECPROT
Select a protocol with value help or complex filters. An HTML page is displayed (this will take some time). Remark: all blocks may appear more than once, as they may be called several times in a query.

Authorization protocol: content like break-point 1, InfoProvider check
General header with time, query, cube, executing user, restricted user.
InfoProvider check block: successful or not (corresponds to message EYE 001).

Auth protocol: relevant chars
Corresponds to the information in break-point 5 and RSEC_AUTHORITY_GET_RELEVANT. Also read the texts!
List of effectively relevant chars.

Auth protocol: attributes
Authorized attributes (not auth-relevant, or the user has * for them): RSEC_AUTHORITY_GET_AUTH_ATR_FOR_USER.

Value auths
Value help (here [VCA_C1_1, VC_C2_2] for 0VCA_C1): list of authorized values as intervals. If leaves are requested, they may appear as SIDs.

Hierarchy auths
List of nodes that are authorized. In the example: no hierarchy auths for this char 0VCA_NC1.

Detailed check
Corresponds to break-point 2: RSEC_AUTHORITY_CHECK_SELECTION. Detailed check block: preparations; main check; auth checks for aggregation (= :) are added; main set comparisons: selection(s) against auth(s).

Detailed check (complex but realistic example)

On the left the selected set is described ("Following Set Is Checked"). Left: first a list of all selected chars, second a description of the selected set as a SQL string (intervals are in general not possible). Middle: the first authorization used for the comparison (possibly optimized and merged with others beforehand). Right: is this selection covered by that auth or not. Result: "Subselection is authorized" or "Subselection is not authorized" (no auth means: something is not shown; the query might be completely rejected; message EYE 007).

The aggregation checks blow up the scenario very often (especially in planning).

Detailed check (complex but realistic example)
Example "Not authorized": careful looking and comparing shows a selection on 0VCA_NC1 = VCA_NC1_0, but there is only a : (aggregation) authorization => message EYE 007.
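The selection-versus-authorization comparison described on the detailed-check slides, as an added Python model (not the RSEC coding and not part of the original deck). Authorizations and selections are modelled as sets of values per characteristic, with * and : meaning what they mean on the slides; an auth-relevant char missing from the selection is extended by : (the aggregation check), and the selection is authorized only if every subselection (value combination) is covered by some authorization. The characteristic 0VCA_NC1, the value VCA_NC1_0 and the message EYE 007 are from the slides; 0COUNTRY, the sample authorizations, the other values and all function names are constructed for the example.

```python
"""Model of the detailed check (break-point 2, RSEC_AUTHORITY_CHECK_SELECTION)
as the protocol slides describe it. Added illustration, not SAP code."""
from itertools import product

STAR = "*"   # full authorization for a characteristic
AGGR = ":"   # aggregation-only authorization (char neither filtered nor drilled down)


def extend_with_aggregation(selection, relevant_chars):
    """'Extension of selection by checks on aggregation': every auth-relevant
    char that the selection neither filters nor drills down on is queried in
    aggregated form and therefore needs the ':' authorization."""
    return {c: set(selection.get(c, {AGGR})) for c in relevant_chars}


def auth_covers_point(auth, point):
    """One auth covers one value combination if each char is authorized:
    '*' covers everything, ':' covers only the aggregated value ':'."""
    for char, value in point.items():
        allowed = auth.get(char, set())
        if STAR in allowed or value in allowed:
            continue
        return False
    return True


def check_selection(selection, auths, relevant_chars):
    """Return (True, 'authorized') or (False, 'EYE 007: ...') naming the first
    subselection (value combination) that no authorization covers. Selections
    are explicit value sets here; real selections can also be intervals."""
    extended = extend_with_aggregation(selection, relevant_chars)
    chars = sorted(extended)
    for combo in product(*(sorted(extended[c]) for c in chars)):
        point = dict(zip(chars, combo))
        if not any(auth_covers_point(a, point) for a in auths):
            return False, f"EYE 007: subselection {point} not covered by any authorization"
    return True, "authorized"


# Constructed sample authorizations (already filtered for cube, user and date)
# and the auth-relevant characteristics of the InfoProvider.
RELEVANT = ["0VCA_NC1", "0COUNTRY"]
AUTHS = [
    {"0VCA_NC1": {AGGR}, "0COUNTRY": {STAR}},          # aggregation only on 0VCA_NC1
    {"0VCA_NC1": {"VCA_NC1_1"}, "0COUNTRY": {"DE"}},   # one value, one country
]

if __name__ == "__main__":
    # 0VCA_NC1 is not in the selection -> ':' is enough -> authorized
    print(check_selection({"0COUNTRY": {"DE"}}, AUTHS, RELEVANT))
    # the slide's case: 0VCA_NC1 = VCA_NC1_0 but only a ':' authorization -> EYE 007
    print(check_selection({"0VCA_NC1": {"VCA_NC1_0"}, "0COUNTRY": {"DE"}}, AUTHS, RELEVANT))
    # the DE subselection is covered, the FR subselection is not -> EYE 007
    print(check_selection({"0VCA_NC1": {"VCA_NC1_1"}, "0COUNTRY": {"DE", "FR"}}, AUTHS, RELEVANT))
```

The third call shows why the protocol reports per subselection: a selection can be partly covered, and the message names the first value combination that fails, which is the piece of information a supporter needs when reading the "Subselection is not authorized" block.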

Auth buffer filling: amendment/extension to the maximum number of dimensions

How are authorizations mixed?
[Figure: auth1 and auth2 drawn on the 0CALYEAR / 0COUNTRY plane; auth2 (mixed) = 0CALYEAR I BT [1999, 2001], 0COUNTRY I BT [DE, FR]]

Auth buffer filling: amendment/extension to the maximum number of dimensions

Several important steps in buffer filling:
1.) Amendment of auths to the maximum number of dimensions (generalization). Example:
[Figure: auth1 and auth2 before and after amendment on 0CALYEAR / 0COUNTRY, with the values 1999, US and I BT [DE, FR]]

Rule: empty (= non-existing) dimensions in auths are filled from all other valid auths.

Merging of auths
Example: [Figure: auth1 and auth2 on 0CALYEAR (1999, 2001) / 0COUNTRY (DE, FR, IN), merged to just one authorization]

Example: auth1 merged with auth2 into auth2; (new) auth2 with auth3, auth4, auth5 -> not mergeable; auth3 with auth4, auth5 -> not mergeable; auth4 merged with auth5 into auth5; (new) auth2 with auth3, (new) auth5 -> not mergeable; auth3 merged with (new) auth5 into auth5; (new) auth2 merged with (new) auth5 into auth5.

Auth buffer filling: merging

2.) Authorizations are sometimes combinable; then they are merged. Example:
[Figure: Authrsec1 and Authrsec2 merged into new Authrsec2 (merged)]

Buffer: general info
Buffer filling: read from the DB; filter the auths that are relevant for cube, user and current date (validity); optimize and merge the auths for reuse in other calls; determine the auth-relevant chars; determine the chars with a * in any auth. The buffer entry might appear several times, for different cubes. A call from value help is cube-independent (cube is initial).
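The buffer-filling steps listed on the buffer slides (validity and cube filter, amendment of missing dimensions, merging, determination of the relevant and the * chars), as an added Python model; this is not the RSEC coding and not part of the original deck. The buffer keys INFOCUBE, THX_AUTHS, TH_CHANMID and TH_CHANM_AST are taken from the g_thx_auth_buffer structure slide; the authorization names ZAUTH1 to ZAUTH5, the cube names SALES and FINANCE, the characteristic 0CUSTOMER, all values and all function names are constructed. Two rules are the example's own assumptions, marked in the code: "filled from all other valid auths" is implemented as the union of the other auths' values, and two auths are treated as mergeable when they differ in at most one dimension.

```python
"""Model of the RSEC auth-buffer filling steps (added illustration, not SAP code).
An authorization maps each characteristic to the set of authorized values;
'*' stands for everything, ':' for aggregation only (carried along unchanged)."""
from datetime import date
from itertools import combinations

STAR = "*"
TODAY = date(2005, 6, 1)   # constructed "current date" for the validity filter


def make_auth(name, valid_from, valid_to, dims):
    """Build one analysis authorization from constructed sample data."""
    return {"name": name, "valid": (valid_from, valid_to),
            "dims": {char: set(vals) for char, vals in dims.items()}}


def covers(dims, char, value):
    """True if the auth allows `value` for `char` ('*' allows any value)."""
    allowed = dims.get(char, set())
    return STAR in allowed or value in allowed


def filter_auths(auths, cube, activity, today):
    """Keep only auths valid today that cover this cube (0TCAIPROV) and
    activity (0TCAACTVT). An empty result is what the rough check reports as EYE 001."""
    return [a for a in auths
            if a["valid"][0] <= today <= a["valid"][1]
            and covers(a["dims"], "0TCAIPROV", cube)
            and covers(a["dims"], "0TCAACTVT", activity)]


def amend(auths, relevant_chars):
    """Step 1, slide rule: a dimension missing in an auth is filled from all
    other valid auths. Model assumption: 'filled from' means the union of the
    other auths' original values; a dimension nobody authorizes stays empty."""
    out = []
    for a in auths:
        dims = {c: set(v) for c, v in a["dims"].items()}
        for char in relevant_chars:
            if char not in dims:
                dims[char] = set().union(*(o["dims"].get(char, set())
                                          for o in auths if o is not a))
        out.append({**a, "dims": dims})
    return out


def differing_dims(a, b):
    """Characteristics on which two auths authorize different value sets."""
    chars = set(a["dims"]) | set(b["dims"])
    return [c for c in chars if a["dims"].get(c, set()) != b["dims"].get(c, set())]


def merge(auths):
    """Step 2 (model assumption): two auths that agree on every dimension but
    one are combined by taking the union in that dimension; the union of two
    such boxes is again a box, so no access is added or lost. Pairs are retried
    until no merge is possible, like the 'authX into authY' passes on the slides."""
    auths = [dict(a, dims={c: set(v) for c, v in a["dims"].items()}) for a in auths]
    changed = True
    while changed:
        changed = False
        for a, b in combinations(auths, 2):
            diff = differing_dims(a, b)
            if len(diff) <= 1:
                for c in diff:
                    b["dims"][c] |= a["dims"][c]
                b["name"] = b["name"] + "+" + a["name"]
                auths.remove(a)
                changed = True
                break
    return auths


def relevant_chars(cube_chars, auths):
    """TH_CHANMID (break-point 5): auth-relevant chars of the cube minus those
    the user has '*' for. Model assumption: '*' must appear in every remaining
    auth, since a restricted value in one auth still needs the detailed check.
    TH_CHANM_AST: chars with '*' in any auth (used by value help)."""
    star_all = {c for c in cube_chars
                if auths and all(STAR in a["dims"].get(c, set()) for a in auths)}
    star_any = {c for c in cube_chars
                if any(STAR in a["dims"].get(c, set()) for a in auths)}
    return sorted(set(cube_chars) - star_all), sorted(star_any)


def fill_auth_buffer(all_auths, cube, cube_chars, activity, today):
    """Model of FORM fill_auth_buffer for one (cube, user) buffer entry."""
    merged = merge(amend(filter_auths(all_auths, cube, activity, today), cube_chars))
    chanmid, chanm_ast = relevant_chars(cube_chars, merged)
    return {"INFOCUBE": cube, "THX_AUTHS": merged,
            "TH_CHANMID": chanmid, "TH_CHANM_AST": chanm_ast}


# Constructed sample data: auth names, cube names and values are invented.
V_FROM, V_TO = date(2005, 1, 1), date(9999, 12, 31)
SAMPLE_AUTHS = [
    make_auth("ZAUTH1", V_FROM, V_TO, {"0TCAIPROV": ["SALES"], "0TCAACTVT": ["03"],
              "0COUNTRY": ["DE", "FR"], "0CUSTOMER": [STAR]}),            # no 0CALYEAR
    make_auth("ZAUTH2", V_FROM, V_TO, {"0TCAIPROV": ["SALES"], "0TCAACTVT": ["03"],
              "0CALYEAR": ["1999"], "0CUSTOMER": [STAR]}),                # no 0COUNTRY
    make_auth("ZAUTH3", V_FROM, V_TO, {"0TCAIPROV": ["SALES"], "0TCAACTVT": ["03"],
              "0CALYEAR": ["2001"], "0COUNTRY": ["DE", "FR"], "0CUSTOMER": [STAR]}),
    make_auth("ZAUTH4", date(2000, 1, 1), date(2004, 12, 31),             # expired
              {"0TCAIPROV": ["SALES"], "0TCAACTVT": [STAR], "0CALYEAR": [STAR],
               "0COUNTRY": [STAR], "0CUSTOMER": [STAR]}),
    make_auth("ZAUTH5", V_FROM, V_TO, {"0TCAIPROV": ["FINANCE"], "0TCAACTVT": ["03"],
              "0CALYEAR": [STAR], "0COUNTRY": [STAR], "0CUSTOMER": [STAR]}),  # other cube
]
SALES_CHARS = ["0CALYEAR", "0COUNTRY", "0CUSTOMER"]   # auth-relevant chars of cube SALES

if __name__ == "__main__":
    buf = fill_auth_buffer(SAMPLE_AUTHS, "SALES", SALES_CHARS, "03", TODAY)
    for a in buf["THX_AUTHS"]:
        print(a["name"], {c: sorted(v) for c, v in a["dims"].items()})
    print("TH_CHANMID:", buf["TH_CHANMID"], "TH_CHANM_AST:", buf["TH_CHANM_AST"])
```

With this data the expired ZAUTH4 and the FINANCE-only ZAUTH5 drop out in the filter, ZAUTH1 receives 0CALYEAR {1999, 2001} and ZAUTH2 receives 0COUNTRY {DE, FR} in the amendment step, and the three remaining auths then collapse into a single merged auth, which is why TH_CHANMID lists only 0CALYEAR and 0COUNTRY while 0CUSTOMER (a * everywhere) ends up in TH_CHANM_AST.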

Switch back to old authorizations

New/old switch in coding

The switch between the old and the new concept is encapsulated in the old function modules:
RSSB_AUTHORITY_IOBJVL_CHECK -> RSEC_CHECK_SELECTION
RSSB_GET_AUTH_FOR_USER -> RSEC_GET_AUTH_FOR_USER
RSSB_GET_AUTH_HIER_FOR_USER -> RSEC_GET_AUTH_HIER_FOR_USER
RSSB_GET_AUTH_ATR_FOR_USER -> RSEC_GET_AUTH_ATR_FOR_USER
New: in RRS_REPORT_INIT_CHECK for InfoCube checks -> switch to RSEC_AUTHORITY_CHECK_IPROV

Switch back at customer site
Switch in tx RSCUSTV23 (never ever change it in a customer system; they'll kill you). Switching to the old concept is possible but strongly disfavoured (the new concept is the default). New features such as integrated planning need not work completely with the old concept. Always recommend changing to the new concept and append note 923176.

OLAP process steps

OLAP initialization
Check authorizations to execute the query and to read data from the InfoProvider
Exit for global variables before variable input
Variable input -> F4 help restricted by auths
Exit for global variables that failed before input
Distribute variable values into fixed filter, hierarchy settings, dynamic filter, conditions & exceptions, formulas
Initialize the OLAP processor
Notify presentation hierarchies (only if used)
Check time stamps for the OLAP cache and released request IDs

OLAP processor in detail I

1. OLAP request from client
2. Add characteristics necessary for aggregation / calculation, e.g.: free characteristics, dynamic filters, exceptional aggregation, elimination of internal business volume, formula variables with replacement from an attribute value used in a restricted key figure (RKF)
3. Authorization check for the navigation state (only if necessary)
4. Search for cached data in the OLAP cache (skip steps 5-14 and go to step 15 if cached data is found)
5. Request data from the database

OLAP processor in detail II

6. Receive data from the database: data comes in blocks of up to 1000 rows; data is still separated by PartProvider of a MultiProvider, still separated by aggregates of an InfoCube, and still separated into cumulative and non-cumulative key figures
7. Call the BusinessAddIn for virtual characteristics and key figures
8. Check the global filter (if not already done by the database)
9. Add attribute values for variables with replacement from an attribute used in RKFs
10. Separate data according to RKFs and selections in structure elements
11. Currency translation
12. Process sums and calculated key figures (CKFs) before aggregation
13. Aggregate data to detail level (see 2.)
14. Hierarchy aggregation

OLAP processor in detail III

15. Filter and aggregate (result lines)
16. Elimination of internal business volume
17. Exceptional aggregation
18. Currency/unit aggregation
19. Add attribute values for variables with replacement from an attribute used in formulas
20. Calculate formulas and CKFs after aggregation
21. List operations, e.g. check currencies/units, sort, conditions, local calculations/aggregations, cumulated values
