Object-level Security in SAP BI

Hi Gurus,
Implementation of object-level security in a BI system. The customer is looking to implement a BI security model for a new piece of functionality that they are setting up in BI (Commissions processing), specifically in the area of SD (Sales District, Office, Group, etc.).
Kindly suggest how I can apply object-level security in BI for a large number of people.
I have 3 characteristics to restrict in the analysis authorization.
0SALES_DIST: 300001, 300002, 300003, 300004
0SALES_OFF: 3010, 3011, 3012, 3020, 3021, 3022
0SALES_GRP: 3AA, 3AB, 3AC, 3AF, 3AG, 3AH
Kindly suggest me the best method to Implement. System is BI 7.0.

Hi Syed,
Analysis authorizations are more flexible than hierarchy authorizations.
However, the solution is simple. You don't need to create hundreds of analysis authorizations and can use the user exits, or the variables, instead. The articles below provide detailed information on implementing them, which means you can achieve this with a single analysis authorization:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/9000928e-dd3d-2e10-9ca1-a00f249305b7?quicklink=index&overridelayout=true
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0b3fb3f-a21c-2e10-3a9c-efc3e59996a8?quicklink=index&overridelayout=true
Regards,
Raghu
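
One way to build the single-authorization approach from the reply above, as an added example that is not part of the original thread or the linked articles. It uses the standard BW customer exit for variables (enhancement RSR00001, include ZXRSRU01); the table ZBI_USER_AUTH, its fields and the variable names ZA_SDIST, ZA_SOFF and ZA_SGRP are hypothetical.

```abap
* Added example, not from the thread or the linked articles.
* Include ZXRSRU01, called by function module EXIT_SAPLRRS0_001
* (enhancement RSR00001) when BW resolves a customer-exit variable.
*
* Assumed (hypothetical) objects:
*   ZBI_USER_AUTH - custom table with fields UNAME, IOBJNM, AUTHVAL
*   ZA_SDIST / ZA_SOFF / ZA_SGRP - customer-exit variables
* The one analysis authorization in RSECADMIN then carries
* $ZA_SDIST, $ZA_SOFF and $ZA_SGRP as the values of
* 0SALES_DIST, 0SALES_OFF and 0SALES_GRP.

DATA: lv_iobjnm TYPE c LENGTH 30,
      lv_value  TYPE c LENGTH 60,
      ls_range  LIKE LINE OF e_t_range.

* Variables used inside authorizations are resolved with I_STEP = 0.
IF i_step = 0.

* Map the variable being resolved to the characteristic it protects.
  CLEAR lv_iobjnm.
  CASE i_vnam.
    WHEN 'ZA_SDIST'. lv_iobjnm = '0SALES_DIST'.
    WHEN 'ZA_SOFF'.  lv_iobjnm = '0SALES_OFF'.
    WHEN 'ZA_SGRP'.  lv_iobjnm = '0SALES_GRP'.
  ENDCASE.

  IF lv_iobjnm IS NOT INITIAL.
*   One table row per permitted value, e.g. (constructed sample rows)
*     JSMITH  0SALES_DIST  300001
*     JSMITH  0SALES_OFF   3010
*     JSMITH  0SALES_GRP   3AA
    SELECT authval FROM zbi_user_auth INTO lv_value
      WHERE uname  = sy-uname
        AND iobjnm = lv_iobjnm.
      CLEAR ls_range.
      ls_range-sign = 'I'.
      ls_range-opt  = 'EQ'.
      ls_range-low  = lv_value.
      APPEND ls_range TO e_t_range.
    ENDSELECT.
*   No rows for the user: nothing is appended, so this exit
*   hands back no values for that characteristic.
  ENDIF.

ENDIF.
```

Access then changes by maintaining rows in the mapping table, so write access to that table needs the same control as role assignment.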

Similar Messages

  • Regarding Security In SAP XI

    HI All,
    What is the purpose of security in SAP XI?
    When will we use it, and how will we use it?
    Regards
    Vamsi

    Krishna,
    If your user id is not secure then you can do any changes in XI. So to control this we need to have some secured roles for every user.
    It is used for message level security also. Check this document:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Regards,
    ---Satish

  • Multi-level password security in sap portal

    Hi Experts,
    We have a requirement to implement multi-level password security in SAP Portal. I was looking for any expert who can share their experience of how this can be achieved and the skills, time and effort required for it.
    In one of the SDN discussions I have seen that somebody tried to implement digital certificates (X.509) AND uid/pw; I am not sure if they were successful.
    Your help in this regard, Really appreciated.
    Thanks
    Chris.
    Edited by: chris n on Aug 26, 2009 10:14 PM

    Hi Michael
    Thanks for the help link. I am a novice with respect to the IdM concept, hence these queries.
    We have 2 portals and 2 ECC installations configured with IdM. The user accesses everything through the portal.
    My queries are:
    If the user changes their password on one portal, can the same be provisioned across the entire landscape?
    How can we achieve it and where should we define our security policy?
    regards

  • Analyzer Security for SAP BPC 7.5 SP6

    Hi ,
    We have recently installed the Analyzer add-in on our Excel for ad hoc reporting on SAP BPC 7.5 SP6.
    But Analyzer is not considering the data security restricted for a specific region.
    For example: if a planner is assigned to the EUROPE planning role, when he creates reports using Analyzer he is able to see the data for all the regions (NA, EMEA, ASIAPAC).
    Is there any way we can restrict the planners to see only the data relevant to their role in Analyzer?
    We had a look at security in the Admin client. Is there any way to handle this? Thanks much.
    Regards,
    Sanjeev

    Hi,
    You can use Bex analyzer for detailed reporting. Both the analyzer and BPC reports can be connected using the normal Excel functionalities (in a single Excel workbook) so that the BPC CV selection will be fed into Bex as variables and relevant data records are displayed in Bex reports. Performance of Bex analyzer is slow. That is one of the main reasons it was replaced with BO reporting tools.
    If you are using BPC 7.5NW, then there is a standard functionality called DRILL THROUGH. Using this functionality you can drill down to detailed data in BW.
    Bex and BPC have different authorizations. You can maintain authorizations in BW roles and try to manually replicate same authorizations in BPC (there is also a how-to doc on automating this synchronization).

  • Difference between SAP CRM Security and SAP ECC 6.0 security

    Hi
    I have worked extensively on SAP ECC security but haven't had a chance to work on CRM security.
    Can anyone please let me know the difference between CRM security and ECC security?
    Thanks...

    I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
    really sad.....
    The big  difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
    1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
    2)  If you are familiar with R/3 or ECC authorizations; then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level , whereas in SAP CRM , in most cases the 'allowed activity is not controlled by the Transaction code, but on authorization object level....
    E.g. transaction code BP allows you to create/change/display  any type of Business Partner (e.g; sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
    another example is business transaction processing...which can be launched by:
    a very generic transaction code: CRMD_ORDER
    transaction category related transaction codes :e.g.
          > CRMD_BUS2000126 for activity management
          > CRMD_BUS200115 for Sales processes
    Again...allowed activity is not controlled by the tcode, but on authorization object level...
    3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links....  controlled by object UIU_COMP.
    However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
    Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
    STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
    4) Additionally SAP also provides a concept called ACE (which stands for ACCESS CONTROL ENGINE)....
    This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
    You should know that ACE is actually implemented on top of your 'normal' SAP CRM security setup....
    cheers
    Davy Pelssers

  • SAP HANA security issue: SAP DBTech JDBC: [258]

    Hello experts,
    I am trying SAP HANA security features by playing out with a test user (MYTESTUSER) I've previously created. This is the permissions detail I've granted to the mentioned user:
    Granted Roles:
    PUBLIC
    Object Privileges:
    _SYS_BIC : SELECT
    _SYS_REPO : EXECUTE, SELECT
    REPOSITORY_REST (SYS): EXECUTE
    MYSCHEMA : SELECT (Contains source tables for views)
    Package Privileges:
    TEST.MYTEST (Package containing my views)
    Analytic Privileges:
    AP_MYTEST : Contains all my views and a couple restrictions over an attribute.
    What do I expect?: when logging on as MYTESTUSER it should be able to deploy the different folders in SAP HANA Studio, dive into "Content" folder, and even more: reach the package TEST.MYTEST, once there by selecting "Calculation Views" folder then being able to open CV_MYTEST calc view (which was already added into AP_MYTEST shown above).
    What happens as is?: Running as MYTESTUSER I am able to reach the calc view; when opened it is available for view only (its design). When pushing the button "Open in Data Preview Editor" it throws me the error:
    Cannot get the data provider outline
    SAP DBTech JDBC: [258]: insufficient privilege: insufficient privilege: Not authorized at ptime/query/checker/query_check.cc:2418
    What is expected?: Running as MYTESTUSER "Open in Data Preview Editor" feature must return and show adequate data from calculated view.
    In consequence:
    What does this error ("Not authorized at ptime/query/checker/query_check.cc:2418") specifically mean and how do I start addressing it?
    I'm unable to determine what is crashing or at what point it doesn't work. Any clues?
    I've also realized that there's no way to perform some kind of trace (at least in an easy, known fashion). Could you also advise? It would be quite important to be able to detect what specifically the missing authorizations are for a performed action (kind of like SU53 in SAP).
    Any clues or advices are welcome. Thanks a lot in advance,
    Bernardo

    Hi Bernardo,
    Can you check whether _SYS_REPO has SELECT access on your schema? Open the _SYS_REPO user and check whether your schema is listed under object privileges or not. If not, run the below query.
    GRANT SELECT ON SCHEMA <schema_name> TO _SYS_REPO WITH GRANT OPTION;
    If it doesn't work, try to give SELECT and EXECUTE access on both _SYS_BI and _SYS_BIC to your schema and check. Also, by default you should have all the privileges on your schema.
    Regards,
    Venkat N.

  • SSL (http https) security in SAP

    Hello. Can you help me?
    We have a scenario in which we have to enable secure message communication.
    Encryption has to be used, and maybe authorization (login and password) or digital certificates. Can you help me or just point me to the most relevant information?
    Thanks a lot.

    Configuring the SAP Web AS for Supporting SSL-SSL
    Regards
    Kasi

  • Web services security on sap netweaver 7.0

    Hi
    can you please provide information on security of web services in sap netweaver.

    Here are a some:
    https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/f59a21f0-0b01-0010-eeaa-b9054fc7651d&overridelayout=true
    https://www.sdn.sap.com/irj/scn/elearn?rid=/library/uuid/5027fb64-d798-2b10-d783-a55a25bc4183&overridelayout=true
    https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/d000116f-cff9-2b10-72bd-c04d6708ddfe&overridelayout=true

  • Column level versus row level security in SAP BI

    This is a question. Sorry about the terminology clarification but it really does get to a question. Thanks for your patience and help.
    There is some confusing terminology among BI users so let me explain terms. The terms appear to have some currency in the BOBJ world.
    Row level security = the ability to control access to some data based on the values of a characteristic. Only the data authorized will be selected.
    Column level security = the ability to exclude certain characteristics from display by any user.
    In SAP BI row level security is managed by analysis authorizations (RSECADMIN).
    To the extent of my experience (and I am unable to test it for about a month) column level security can only be managed by authorization object S_RS_IOBJ (excluding the infoobject to be controlled with the sub-object DATA).
    However my experience is that any query that reads an infoprovider that contains that infoobject will fail. It won't exclude and present to the user all the other infoobjects (i.e. columns).
    Is this really so and if so is there any mechanism that can exclude columns without forcing the developer to either design an infoprovider or multicube that excludes the infoobject?
    Edited by: Corwin Slack on Dec 14, 2009 2:07 PM

    Two things
    1. I would prefer not to have to rely on developers to implement a restriction in a query. Then I have to police every query.
    2. I am not certain that the authorization isn't checked anyway because the query accesses the cube. (Sorry no test environment available until mid January)
    My preference is that any queries that contain this authorization object just bypass displaying the characteristic. My recollection to date is that this isn't what happens. The query fails entirely.

  • How to restrict the Request and Response process in that cookies should be Secure way SAP Portal 7.0 ?

    Dear Experts,
    Please can anyone help me? I am getting a security issue. Some third-party tools are being used to hack the request and response of the server. At that time they take one successful request (GET http://1.1 302 found) and response (http://1.1 200 ok). Based on this request they again give some invalid credentials; at that time what the server gives is replaced with the successful request, and they log in to the portal successfully (bypassing). At this request level only the information for the URL and the set-cookies is obtained. Is there any process to restrict the set cookies, like JSESSIONMARKID and JSESSIONID SAP_LB?
    We are using version 7.0 and SP 12. Please share your solutions because this is a very big problem here.
    Thanks in advance.
    Thanks and regards,
    Durga Rao. 

    Dear Samuli,
    Thanks for the reply.
    We are using HTTPS and SSL is configured, but a man-in-the-middle type of attack is happening here; using one tool, they take the request and response. The cookies given below are available in that request.
    According to this, do the set-cookie values JSESSIONMARKID, JSESSIONID and MYSAPSSO2 change every time at user login or not?
    After capturing the above response (HTTP/1.1 302 etc.) when a user gives valid credentials and logs in,
    I now give a wrong password and wrong user ID, and on clicking the log on button I can intercept the request and response coming from the server; when I replace it with this valid response I am still able to log in to the portal, which should not happen. As JSESSIONMARKID is changed, the server should not allow it, but it is logging in. The standard login page also allows login in this case.
    My server version is EP 7.0 SP 12.
    Please suggest a solution so that, if we restrict the hacker at this stage, he can never hijack the session and log in with an invalid username and password.
    Thanks in advance.
    Thanks and regards,
    Durga Rao.

  • Security on SAP Logon

    Hi Guys!
    I have a question. Suppose I have user named A using a workstation named B (hostname=B) and again, I have another user named AA using a workstation named BB (hostname=BB).
    Is it possible for me to control their login accounts in such a way that my user A can only log on to SAP if he's using his workstation B? I don't want user A to log on to our system using workstation BB or any other workstation aside from his.
    Is it doable? If yes, can anybody explain how it's done?
    Below is my setup:
    SYSTEMS  :  ECC6 and BW
    DATABASE:  Oracle 10g
    OS             :  IBM AIX 5.3.0.0
    Thanks in advance,
    Jun

    Hi Jun,
    I Guess this should be possible to do so but not very sure. Check with basis consultant and ask him to look into the below parameters and then confirm whether it works out or not........
    Login to SMICM transaction code and goto -> parameters -> Display
    Here you will find the parameters :
    Misc
    icm/host_name_full             = cauvery.bsnl.com
    icm/cancel_strategy            = cancel requests without session (stateless)
    HTTP settings
    icm/HTTP/max_request_size_KB   = 102400
    icm/HTTP/j2ee_0                = PREFIX=/,HOST=localhost,CONN=0-500,PORT=50000
    icm/HTTP/server_cache_0        = PREFIX=/, CACHEDIR=/usr/sap/BSD/DVEBMGS00/data/cache
    Services
    icm/server_port_0     = PROT=HTTP,PORT=8000
    icm/server_port_1     = PROT=SMTP,PORT=0
    Regards,
    Vara Prasad

  • What are the Essentials for a Sap Security Consultant.

    Hi Gurus,
    I have completed an implementation in which I alone handled the entire security. It is a defense client.
    Now I am technically expert at security. But I have no functional knowledge.
    To implement security in SAP one needs to have knowledge of functional processes as well. The courses are purely technical stuff, and I have a good idea of the technical stuff.
    The question is: what is an SAP Security Consultant expected to know, and how does one go about acquiring that knowledge?

    Hi Hussain,
    There is a little bit of release-dependent-everything in this thread: Authorization for VAP2 in conflict with VD02 for F_KNA1_GRP
    Try solve it and you will understand that you need the requirements (without that you are anyway doomed) and the knowledge and the appropriate access to create / test it.
    BAPI's are remote enabled stable interfaces to SAP standard functionality. They are the best examples of combining functional, technical and standard skills in a sustainable way without creating a mess (a mess, way beyond the bounds of your concerns...).
    If you learn to use the available tools and information sources, then you don't need to stress about the essentials, even if your customer makes a design error before or after your advice.
    Cheers,
    Julius

  • SAP Security Notes: ABAP and Kernel Software Corrections

    Hi all,
    I have a quick question, hopefully it's just as quick an answer.
    Under the Early Watch section in the title it states
    Security-related SAP Notes cannot be checked because the results of the RSECNOTE tool are missing.
    What does this actually mean and how do I make the results of RSECNOTE available to the early watch report?
    It says this in all my systems. I can run the tool via ST13 or SE38 > RSECNOTE manually, but surely it must be referring to some automated results.
    Thanks
    Craig

    Sorry but this note is not relevant, we are using ST-A/PI 01Q_700 SP2 (SAPKITAB7L).
    It also refers to RSECNOTE not existing in the system.  As I mentioned the tool exists and I can run this manually, but as noted the Early Watch report states
    Security-related SAP Notes cannot be checked because the results of the RSECNOTE tool are missing.
    Suggesting that somehow results of the tool are held somewhere and are read by the Early Watch report processing. So my question still stands, how are these results made available to the Early Watch report, what batch job needs to be running on a regular basis for this to work?
    The very first sentence after the section says
    You have marked 2 security-related SAP Notes as not to be considered.
    So it must be reading this from somewhere!
    Thanks
    Craig

  • Career growth in SAP Security.

    Hi,
    I have done MCA. I joined an MNC as a fresher. Then I got training on SAP ABAP. But I am allotted to a project and working on SOX compliance in application security (for SAP systems), i.e. monitoring and internal auditing. Here I have exposure to different IT application security controls, GRC, etc.
    Now I am really confused with my future growth. At this stage of my start of career I am not able to decide whether I should switch to SAP security or be with SAP ABAP once I rolled off from this project.
    Will you please guide me for choosing the best career path? and future growth in SAP security?

    Hai
    Try to work on what you got; after 2 years there is huge recruitment for SAP Support in BI.
    There are a lot of benefits in BI compared to any other module, since it is a techno-functional module (very good in the market).
    Assign Points if it is Useful
    Thank u
    Naveen

  • SAP BO network security

    Hi,
    I need to raise network security in SAP systems.
    We already have SAP ERP systems and they all hidden behind saprouter in other subnet.
    But what about SAP BO?
    SAP BI platform server, FC, Intercompany, FIM, DataServices, BPC - I want to move these system to another subnet and hide behind Webdispatcher + saprouter.  
    Has anyone tried to do so? Or please offer other variants.
    Thanks...

    Hi,
    These links can help you:
    HTTP Based tools
    https://service.sap.com/sap/support/notes/1787981
    WTS
    https://service.sap.com/sap/support/notes/605795
    If you encounter an issue with the install or configuration of SAPRouter.
    A ticket can be created under (or transferred to) CSS component: XX-SER-NET-HTL.
    Best regards,
    Siwar
