You are on page 1of 41

[

Implementing BI Security Properly,


Tips and Tricks
Rob Bishop of

[ Learning Points

Introduction to BI Security.
Tools for Administering BI Security.
Effectiveness of BI Security and Analysis Authorizations.
Real Industry Examples.

Tips throughout.

Real Experience. Real Advantage.

[ Introduction to BI Security
BI is an Online Analytical Processing (OLAP) environment
versus a traditional Online Transaction Processing
(OLTP) environment like ECC.
Access is controlled by a users data need rather than by
a discreet business process.
This means that we can allow users to run the same
query and only the appropriate data is presented to the
user.

Real Experience. Real Advantage.

[ Introduction to BI Security - Continued


Characteristics

OLTP (ECC)

OLAP (BI)

Source of Data

Original Operational Data

Data Comes from OLTP

Purpose of Data

Business Tasks

Planning, Decision Making

Amount of Data per


Transaction

Usually Small

Can be very large

Type of Data

Detailed

Summary

Timeliness of Data

Must be Current

Current and Historical

Updates to Data

Frequently

Less Frequently, new data only

Database Design

Normalized Lots of tables

De-normalized fewer tables

Number of
transaction/users

Many (100s to 1000s)

Few

Response Time

Quick

Reasonable/Slow

Queries

Standard/Simple queries

Complex/Aggregations

Database
Operations

Add, Modify, Delete, Update,


Read

Read

Type of Processing

Well-Defined

Ad hoc

Impact on security
Real Experience. Real Advantage.

[ Introduction to BI Security - Continued


BI access is granted to users in a few different ways.
This presents us with options discussed later.
Options:
Standard Authorizations
Based on Role and Authorization concept as in ECC.
Administrators and Developers

Reporting Authorizations
Granted through Standard Authorizations
Limitations

Analysis Authorizations
As of Netweaver 2004
Allows reporting and analysis in BI
5

Real Experience. Real Advantage.

[ Tools for Administering BI Security


Transactions
RSD1
RSECADMIN
RSECAUTH
RSU01
RSUDO

PFCG

Tables (via SE16, SM30, etc)


RSEC*

Real Experience. Real Advantage.

[ Tools for Administering BI Security - Continued


RSD1
InfoObjects must be
made authorization
relevant if they are to
be checked or used to
secure data.
Once this check is on,
any infoprovider
that includes this
infoObject can only be
accessed by analysis
authorizations that are
explicitly given access.

Real Experience. Real Advantage.

[ Tools for Administering BI Security - Continued


RSECADMIN
Transaction
RSECADMIN is the
portal to other
transactions
Like SU01,PFCG and
ST01 of BI all
combined
RSUDO
RSECAUTH
RSU01

Real Experience. Real Advantage.

[ Tools for Administering BI Security - Continued


RSECADMIN (Continued) - RSECAUTH
Analysis Authorizations
are the roles of BI.

Real Experience. Real Advantage.

[ Tools for Administering BI Security - Continued


RSECADMIN (Continued) RSECAUTH (Continued)
Analysis authorizations
can
be secured on many
levels:
Infocube
Characteristic
Characteristic Value
Key Figure
Hierarchy Node

Real Experience. Real Advantage.

10

[ Tools for Administering BI Security - Continued


RSECADMIN (Continued) RSECAUTH (Continued)
There are 3 special BI
Characteristics. You
will typically always
include at least one or
all of these in your
authorizations:
0TCAACTVT (Activity)
0TCAIPROV (InfoProvider)
0TCAVALID (Validity Period)

Real Experience. Real Advantage.

11

[ Tools for Administering BI Security - Continued


RSECADMIN (Continued) RSECAUTH (Continued)
Adding additional characteristics requires
knowledge of the query, data being accessed
and the organizational structure of the client.
A BI Analyst/Developer or the query owner is
required to determine these requirements.

Some possible characteristics:

Real Experience. Real Advantage.

12

[ Tools for Administering BI Security - Continued


RSECADMIN (Continued) RSECAUTH (Continued)
Drilling in to the
characteristic allows
the admin to provide
values.
3 Operators:
EQ
BT
CP
-Use CP if value is *
-Wildcards are allowed
-0SD*

Real Experience. Real Advantage.

13

[ Tools for Administering BI Security - Continued


RSECADMIN (Continued) RSU01
BI User Maintenance
happens here
SU01
ECC User
Maintenance

Real Experience. Real Advantage.

14

[ Tools for Administering BI Security - Continued


RSECADMIN (Continued) RSU01 (Continued)
Notice there is no
Create button.
Guesses?

Real Experience. Real Advantage.

15

[ Tools for Administering BI Security - Continued


RSECADMIN (Continued) RSU01 (Continued)
Assignment of
Analysis
Authorizations takes
place here.

Real Experience. Real Advantage.

16

[ Tools for Administering BI Security - Continued


RSECADMIN (Continued) RSU01 (Continued)
Analysis Authorization
are transported from
here.

User assignments can


also be transported!

Real Experience. Real Advantage.

17

[ Tools for Administering BI Security - Continued


RSECADMIN (Continued) RSUDO
BI has some very
nice analysis tools
built in. to it.
Much like the BI
equivalent of ST01
and SU53 combined.

Real Experience. Real Advantage.

18

[ Tools for Administering BI Security - Continued


PFCG as it pertains to BI (S_RS_*)
If using Standard
Authorizations, this
will take place in
PFCG using the BI
authorization objects
S_RS_*
You can control this
with analysis
authorizations, or
objects via a standard
role.

Real Experience. Real Advantage.

19

[ Tools for Administering BI Security - Continued


Tables (via SE16, SM30, etc.)
Access to certain
tables can be very
useful to BI Admins.
SUIM does not
provide the same
reporting capabilities
for Analysis
Authorizations as it
does for
Roles/Profiles.
Viewing tables RSEC*
can be very beneficial.

Real Experience. Real Advantage.

20

[ Effectiveness of BI Security and Analysis Authorizations


As compared to OLTP system security, OLAP system
security is far more effective at controlling access to data,
queries and reporting.
Users can run the same query and get different data
returned to them based on the access defined for them.

Insanity: doing the same thing over and over and


expecting different results. Albert Einstein

Real Experience. Real Advantage.

21

[ Effectiveness of BI Security and Analysis Authorizations Continued

A single query can be run by multiple users. Queries do


not have to be tailored to users/groups.
The users analysis authorizations determine what data
the users will be presented.
Analysis Authorizations restrict at different levels

InfoCube
Characteristic
Characteristic Value
Key Figure
Hierarchy Nodes

Real Experience. Real Advantage.

22

[ Effectiveness of BI Security and Analysis Authorizations Continued

Possible Arguments to restrict access (vary by level)


Include
Exclude
Single Value
Range
Less or Equal
Greater Than
Greater or Equal

I
E
EQ
BT
LE
GT
GE

Grant Authorization
Deny Authorization
Exactly one date
Range of dates
Everything value in FROM Field
Everything > value in FROM Field
Everything value in FROM Field

Less Than
Pattern
All

LT
CP
*

Everything < value in the FROM Field


Selection
All possible Values
Like a '*' but for Exactly one
character
Allows only aggregated data - no line
items

All for a specific single character

Aggregated Data

Real Experience. Real Advantage.

23

[ Effectiveness of BI Security and Analysis Authorizations Continued

Aggregate Argument (:)


Allows a user to see summary aggregated data without
viewing the with out the drill down or specific details
Example
A user can see totals for a particular sales area, but cannot see
individual sales by each sale representative.

Real Experience. Real Advantage.

24

[ Effectiveness of BI Security and Analysis Authorizations Continued

Example Analysis Authorization -

Real Experience. Real Advantage.

25

[ Effectiveness of BI Security and Analysis Authorizations Continued

Example Analysis Authorization (continued) Multiple exact values


being granted to
InfoProviders
characteristic.

Single exact value


being provided for
custom Outside Sales
Representative
characteristic.

(0TCAIPROV)
(ZSOLDTO__ZSALESEMP)

Real Experience. Real Advantage.

26

[ Effectiveness of BI Security and Analysis Authorizations Continued

As compared to OLTP system security, OLAP system


security is far more effective at controlling access to data,
queries and reporting.
Users can run the same query and get different data
returned to them based on the access defined for them.

Different levels of detail can be displayed based on what


is appropriate for the user by using some special
characters.

Real Experience. Real Advantage.

27

[ Effectiveness of BI Security and Analysis Authorizations Continued

All or Nothing

Query
Selection

Authorizations

Query
Selection
Authorizations

Authorization Check NOT OK:

Authorization Check OK:

If query selection is not a subset


of the authorization results are
not shown.

If query selection is a subset


of the authorization results are
shown.

Real Experience. Real Advantage.

[ Effectiveness of BI Security and Analysis Authorizations Continued

All or Nothing Exceptions can include the following


Hierarchies are being used and certain levels are
automatically filtered. The levels that are authorized will be
presented to the user.
Key figures are authorization relevant and a particular key
figure is not authorized. The figures that are authorized will
only be shown.

Real Experience. Real Advantage.

29

[ Effectiveness of BI Security and Analysis Authorizations Continued

Hierarchies (dependent on each organization) -

Real Experience. Real Advantage.

30

[ Effectiveness of BI Security and Analysis Authorizations Continued

In Sum
There are many ways to control the flow of data to users in
a BI system.
Fully utilizing the security tool available in a BI system can
be VERY effective for any organization.

Real Experience. Real Advantage.

31

[ Real Industry Example

Mueller Sports Medicine with

Real Experience. Real Advantage.

32

[ Real Industry Example (continued)


Scenario
Multinational Corporation
Relatively few BI users
Users need access specific to their own sales and aggregated
data to their sales areas
Sales Managers need access to sales areas to include line items
Corporate users need wide ranging access

Relatively few queries necessary


Users access nearly identical

Real Experience. Real Advantage.

33

[ Real Industry Example (continued)


Solution
Infocubes were created and/or defined that held the
necessary sales data.
Two custom characteristics were created to capitalize of the
already existing sales representative IDs.
The IDs were made part of the query and a mandatory
entry.
Analysis Authorizations were built for the sales reps that
included access to data tagged by the corresponding ID.
Aggregation of data was also made available to the rest of
the sales structure.

Real Experience. Real Advantage.

34

[ Real Industry Example (continued)


Solution (continued)

Real Experience. Real Advantage.

35

[ Real Industry Example (continued)


Solution (continued)
Analysis Authorizations were very quickly copied between
sales users.
Identical except for the ID.

Queries were built around standard set of infocubes.


Very few queries were needed.

Real Experience. Real Advantage.

36

[ Real Industry Example (continued)


Some additional Role and analysis authorization were
created using the basic available options
Options:
Standard Authorizations - Some
Based on Role and Authorization concept as in ECC.
Administrators and Developers

Reporting Authorizations - Few


Granted through Standard Authorizations
Limitations

Analysis Authorizations Most


As of Netweaver 2004
Allows reporting and analysis in BI

Real Experience. Real Advantage.

37

[ Return on Investment
To maximize the ROI in your BI system it
has to be fully utilized.
Managers can work with BI developers,
admins and query owners to develop the
most appropriate security solution for their
particular BI environment.
With a good security solution in place,
Managers can feel confident granting
access to the BI system.

Real Experience. Real Advantage.

38

[ Best Practices
Design and use your SAP BI environment the way SAP
intended by architecting an appropriate and best practice
security solution.

Real Experience. Real Advantage.

39

[ Key Learnings
You now, (if you didnt before)
understand the difference between OLAP vs OLTP systems
are familiar with the basic BI security tools
see that you can effectively secure your BI environment
while maximizing user access
have benefited from an actual industry example

Real Experience. Real Advantage.

40

Thank you for participating.


Please remember to complete and return your
evaluation form following this session.
For ongoing education on this area of focus, visit the
Year-Round Community page at www.asug.com/yrc

Real Experience. Real Advantage.

SESSION CODE:
1008

41

You might also like