Beginners Guide On BI Security - SAP

Transcription

Beginners Guide on BI Security

Applies to:
SAP Business Intelligence 7.0. For more information, visit the Security homepage.

Summary
In this unit we focus only on the options for securing SAP BI administrators and on the system security requirements for BI. It lists the types of tasks required by administration users and describes how to secure those tasks.

Author: Ashok Dalai
Company: Intelligroup Inc
Created on: 06 October 2008

Author Bio
Ashok Dalai has more than 3 and a half years of experience. He has a good understanding of SAP R3 and NetWeaver components. He has worked in R3 security, BI security and CRM security, and currently works for Intelligroup Inc as a Basis Consultant.

SAP COMMUNITY NETWORK, 2008 SAP AG. SDN - sdn.sap.com, BPX - bpx.sap.com, BOC - boc.sap.com

Table of Contents

- Course Overview
- Securing Data Warehousing Workbench Objects
  - Data Warehousing Objects Secured with S_RS_ADMWB
  - Authorization Object S_RS_ICUBE
  - Authorization Object S_RS_DS2
  - Authorization Object S_RS_DTP
  - Authorization Object S_RS_ISNEW
  - Authorization Object S_RS_ISRCM
  - Authorization Object S_RS_TR
  - Authorization Object S_RS_IOBJ
- Securing Process Chains
  - Authorization Object S_RS_OHDST
- Securing Master Data and Documents
- Securing BI Documents
- System Communication Security
  - BI Security Setup
  - Other SAP Security Set Up
  - RFC Destinations
  - Using the RFC DESTINATION DIALOG Destination
- Related Content
- Disclaimer and Liability Notice

Course Overview

There are two major types of authorizations in BI. One type focuses on administrative users and the other focuses on reporting users. Authorizations for administrative users in many ways parallel mySAP ERP security, but securing BI reporting users is much different. In this unit we focus only on the options for securing SAP BI administrators and on the system security requirements for BI. It lists the types of tasks required by administration users and describes how to secure those tasks.

1. Explain how to secure Data Warehousing Workbench objects such as InfoProviders, Data Transfer Processes, DataSources, Open Hub Destinations and Process Chains.
2. Explain how to protect maintenance of Master Data and Documents.
3. Briefly describe how to secure Information Broadcasting distribution and Data Mining Objects.
4. Explain the required security set up for communication between BI and other systems.
5. Explain the RFC destinations required.

Securing Data Warehousing Workbench Objects

BI administrators must have access to Data Warehousing Workbench objects, such as InfoProviders, Data Transfer Processes, Process Chains, Reporting Agent objects, Open Hub destinations, and DataSources. Administrators must also create and maintain many other Data Warehousing objects. Authorization object S_RS_ADMWB protects these objects. There are only 2 fields attached to this authorization object: Data Warehousing object and activity. However, this authorization object secures many different Data Warehousing objects.

Data Warehousing Objects Secured with S_RS_ADMWB

- SourceSys: Source system
- InfoObject: InfoObject
- Monitor: Monitor
- ApplComp: Application component
- InfoArea: InfoArea
- Workbench: Data Warehousing Workbench
- Settings: Settings
- MetaData: Metadata
- InfoPackag: InfoPackage and InfoPackage group
- RA_Setting: Reporting Agent setting
- RA_Package: Reporting Agent package
- DOC_META: Documents for metadata
- DOC_MAST: Documents for master data
- DOC_HIER: Documents for hierarchies
- DOC_TRAN: Documents for transaction data
- DOC_ADMIN: Administration of document storage
- CONT_ADMIN: Administration of BI Content systems
- CONT_ACT: Installation of BI Content
- BR_SETTING: Broadcast settings (not including your own settings, which have one of the following distribution types: Broadcast E-Mail, Broadcast to Portal, Broadcast to Printer)
- USE_DND: Drag and drop to InfoAreas and application components

  Note: For authorizations at naming convention level, you need to note the following: User A can edit InfoProviders that lie in InfoAreas with prefix /AB/. User A cannot edit an InfoProvider that lies in InfoArea /CD/. However, if the user has drag and drop authorization, the user can move the InfoProvider from /CD/ to /AB/ and edit it from there.

- CNG_RUN: Attribute change run
- REMOD_RULE: Modeling rule for the remodeling tool
- IMG_BI: BI-relevant activities in the IMG (Customizing)
- OLAP_CACHE: OLAP cache objects
- BIA_ZA: BI accelerator monitor checks and activities

Activity: Specifies whether you are permitted to display or maintain a subobject.

- Display Source System (Activity 03)
- Display InfoObject (Activity 03)
- Display Monitor (Activity 03)
- Display Reporting Agent Setting (Activity 03)
- Display Reporting Agent Package (Activity 03)
- Display Documents for Metadata (Activity 03)
- Display Documents for Master Data (Activity 03)
- Display Documents for Hierarchies (Activity 03)
- Display Documents for Transaction Data (Activity 03)
- Maintain Source System (Activity 23)
- Maintain Application Component (Activity 23)
- Maintain InfoArea (Activity 23)
- Maintain InfoObject (Activity 23)
- Maintain Settings (Activity 23)
- Maintain InfoPackage (Group) (Activity 23)
- Maintain Reporting Agent Setting (Activity 23)
- Maintain Reporting Agent Package (Activity 23)
- Maintain Documents for Metadata (Activity 23)
- Maintain Documents for Master Data (Activity 23)
- Maintain Documents for Hierarchies (Activity 23)
- Maintain Documents for Transaction Data (Activity 23)
- Manage Document Storage (Activity 23)
- Manage Content Systems (for example, Switch to Content System) (Activity 23)
- Install BI Content (Activity 63)
- Display Broadcast Settings (Activity 03)
- Execute Broadcast Settings (Activity 16)
- Maintain Broadcast Settings (Activity 23)
- Execute Data Warehousing Workbench (Activity 16)
- Update Metadata (Activity 66)
- Drag and drop to InfoAreas and Application Components in the DW Workbench (Activity 16)
- Start Attribute Change Run (Activity 16)
- Display OLAP Cache Objects (Activity 03)
- Delete OLAP Cache Objects (Activity 06)
- Display BI Accelerator Monitor Check Results (Activity 03)
- Execute BI Accelerator Monitor Actions (Activity 16)
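The USE_DND note above describes a gap that a role review should catch: an InfoArea naming restriction stops being a boundary once drag and drop (activity 16) is granted with it. The following audit sketch is an added example, not part of the original guide or SAP code; the role data is constructed, the dictionary keys are descriptive labels rather than SAP technical field names, and the model covers only the behaviour stated in the note.

```python
from fnmatch import fnmatchcase

# Constructed role for "User A" in the note: InfoCube maintenance limited to
# InfoAreas under /AB/, plus drag and drop (USE_DND). Dictionary keys are
# descriptive labels chosen for this example, not SAP technical field names.
USER_A = [
    {"auth_object": "S_RS_ICUBE", "infoarea": "/AB/*", "infocube": "*",
     "subobject": "Definition", "activity": "23"},
    {"auth_object": "S_RS_ADMWB", "object": "USE_DND", "activity": "16"},
]


def can_maintain(auths, infoarea):
    """True if an S_RS_ICUBE entry allows maintenance (23) in this InfoArea."""
    return any(a["auth_object"] == "S_RS_ICUBE"
               and a["activity"] in ("23", "*")
               and fnmatchcase(infoarea, a["infoarea"]) for a in auths)


def has_drag_and_drop(auths):
    """True if S_RS_ADMWB grants USE_DND with activity 16."""
    return any(a["auth_object"] == "S_RS_ADMWB"
               and fnmatchcase("USE_DND", a["object"])
               and a["activity"] in ("16", "*") for a in auths)


def audit(auths, infoareas):
    """Map each InfoArea to 'direct', 'via_drag_and_drop' or 'none'."""
    direct = {ia for ia in infoareas if can_maintain(auths, ia)}
    # Per the note: objects can be dragged into an InfoArea the user may edit.
    movable = has_drag_and_drop(auths) and bool(direct)
    return {ia: "direct" if ia in direct
            else "via_drag_and_drop" if movable else "none"
            for ia in infoareas}


if __name__ == "__main__":
    for area, access in audit(USER_A, ["/AB/SALES", "/CD/FINANCE"]).items():
        print(area, access)
```

Any InfoArea reported as via_drag_and_drop is one where the naming-convention restriction does not hold for that role.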

Authorization Object S_RS_ICUBE

Authorization object S_RS_ICUBE protects InfoCubes and the InfoCube sub-objects. Using this authorization object, you can restrict work with the InfoCubes or their subobjects.

The object contains four fields:

- InfoArea: Here you enter the InfoArea key for which the user can edit InfoCubes.
- InfoCube: A user is permitted to edit the InfoCubes that you specify here.
- Notes on InfoCube: You use this subobject to specify the part of the InfoCube that the user is permitted to edit. The following subobjects exist:
  - Definition - Definition
  - UpdateRule - Update rules
  - Aggregate - Aggregate
  - Data - Data
  - ExportISrc - Export DataSource
  - Chavlrel - Characteristic relationships (planning relevant)
  - Dataslice - Data slices (planning relevant)
  - DAP - Data archiving process (modeling)

- Activity: Specifies whether you are permitted to display, delete, or update a subobject.
  - Display InfoCube Definition (activity 03)
  - Display InfoCube Update Rules (activity 03)
  - Maintain InfoCube Data (Manage InfoCube) (activity 23)
  - Display InfoCube Aggregate (activity 03)
  - Delete InfoCube Data (activity 06)
  - Maintain InfoCube Definition (activity 23)
  - Maintain InfoCube Update Rules (activity 23)
  - Maintain InfoCube Aggregate (activity 23)
  - Maintain InfoCube Export DataSource (activity 23)
  - Update InfoCube Aggregate (activity 66)
  - Display InfoCube Characteristic Relationships (activity 03)
  - Maintain InfoCube Characteristic Relationships (activity 23)
  - Deactivate InfoCube Characteristic Relationships (activity 63)
  - Display InfoCube Data Slices (activity 03)
  - Maintain InfoCube Data Slices (activity 23)
  - Deactivate InfoCube Data Slices (activity 63)

Some other important authorization objects related to Data Warehousing Workbench objects.

Authorization Object S_RS_DS2

The authorization object that secures DataSources is S_RS_DS2. Using this authorization object, you can restrict work with the new DataSource or its subobjects.

The object contains three fields:

- DataSource: Enter the name of the DataSource that a user is allowed to edit.
- Source System: Specify the name of the source system for which a user is allowed to edit DataSources.
- DataSource Subobject: When you specify a subobject, you specify the part of the DataSource that the user is permitted to edit. There are the following subobjects:
  - DEFINITION: Definition
  - DATA: Data
  - INFOPACK: InfoPackage

Activities:

- Display DataSource definition (activity 03)
- Maintain DataSource definition (activity 23)
- Display PSA data (activity 03)
- Maintain PSA data (activity 23)
- Delete PSA data (activity 23)
- Request data (activity 49)
- Display DataSource InfoPackage (activity 03)
- Maintain DataSource InfoPackage (activity 23)

Authorization Object S_RS_DTP

The authorizations assigned for the Data Transfer Process (DTP) object, S_RS_DTP, have a higher priority than the authorizations for the underlying objects. Users that have a DTP authorization for a source/target combination do not need read authorization for the source object or write authorization for the target object to execute the DTP.

With this authorization object you can restrict work with the data transfer process (DTP).

The object contains seven fields:

- Type of Source: Specify the type of source for which a user can create a DTP.
- Subtype of the Source: Specify the subtype of the source for which a user can create a DTP.
- Source: Specify the name of the source for which a user can create a DTP.
- Type of Target: Specify the type of target for which a user can create a DTP.
- Subtype of the Target: Specify the subtype of the target for which a user can create a DTP.
- Target: Specify the name of the target for which a user can create a DTP.
- Activities:
  - Display DTP definition (activity 03)
  - Maintain DTP definition (activity 23)
  - Execute DTP (activity 16)

Note that the subtypes currently only exist for the type InfoObject. Possible alternatives are ATTRIBUTES and HIERARCHIES. If no InfoObject was selected as type, the standard setting '*' is to be selected.
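Because S_RS_DTP takes priority over the authorizations on the underlying objects, a role review has to treat DTP execution (activity 16) as a write path into the target even when the role has no data maintenance on that target. The check below is an added example, not from the original guide or SAP code; the role, the DTP list, the key names and the type labels are constructed for illustration, and only InfoCube targets are modelled.

```python
from fnmatch import fnmatchcase

DTP_FIELDS = ("src_type", "src_subtype", "source",
              "tgt_type", "tgt_subtype", "target")

# Constructed role: may execute DTPs from any DataSource into InfoCubes named
# SALES*, but holds no S_RS_ICUBE data maintenance. Keys and type labels are
# descriptive, not SAP technical values.
LOADER = {
    "S_RS_DTP": [dict(src_type="DataSource", src_subtype="*", source="*",
                      tgt_type="InfoCube", tgt_subtype="*", target="SALES*",
                      activity="16")],
    "S_RS_ICUBE": [],
}

# Constructed DTP definitions to evaluate the role against.
DTPS = [
    dict(src_type="DataSource", src_subtype="*", source="ORDERS_DS",
         tgt_type="InfoCube", tgt_subtype="*", target="SALES_C01"),
    dict(src_type="DataSource", src_subtype="*", source="PAYROLL_DS",
         tgt_type="InfoCube", tgt_subtype="*", target="HR_C01"),
]


def may_execute_dtp(role, **dtp):
    """True if an S_RS_DTP entry with activity 16 covers all six DTP fields."""
    return any(a["activity"] in ("16", "*")
               and all(fnmatchcase(dtp[f], a[f]) for f in DTP_FIELDS)
               for a in role.get("S_RS_DTP", []))


def may_maintain_cube_data(role, cube):
    """True if S_RS_ICUBE grants activity 23 on subobject Data for the cube."""
    return any(a["subobject"] in ("Data", "*") and a["activity"] in ("23", "*")
               and fnmatchcase(cube, a["infocube"])
               for a in role.get("S_RS_ICUBE", []))


def indirect_write_paths(role, dtps):
    """Targets the role can load through a DTP but cannot maintain directly."""
    return [d["target"] for d in dtps
            if may_execute_dtp(role, **d)
            and not may_maintain_cube_data(role, d["target"])]


if __name__ == "__main__":
    print(indirect_write_paths(LOADER, DTPS))
```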
