SAP AG
Overview
Defining Authorizations
Generating Authorizations
Assigning Authorizations
Monitoring & Test Tools
Comparison New Concept Former Concept
Migration
Authorizations Levels
SAP AG 2006
Introduction to Analysis Authorizations 1
Authorization Check ok
Query results will be shown if query selection is a proper subset of the authorization
[Figure: query selection compared with authorizations]
Introduction to Analysis Authorizations 2
Authorization Relevant Characteristics
Before restricting authorizations on characteristics, you have to mark them as authorization-relevant.
Authorizing Characteristic Values 1
Central maintenance for (analysis) authorizations / transaction RSECADMIN
Scenario: A group of users is authorized only to specific sales organizations (e.g. Berlin and Birmingham)
Authorizing Characteristic Values 2
A group of users is authorized only to specific sales organizations (e.g. Berlin and Birmingham)
Possible Values
EQ: single value
BT: range of values
CP: contains (simple) patterns ending with * or + (e.g. XY*)
Authorizing Navigational Attributes 1
Authorizing Navigational Attributes 2
Navigational Attributes
Can be assigned individually
The referencing characteristic (here: 0D_SALE_ORG) need not be authorization-relevant
Authorizing Hierarchies 1
Authorizing Hierarchies 2
Authorizing Hierarchies 3
Type of Authorization
Only the Selected Nodes
Subtree Below Nodes
Subtree Below Nodes to Level (Incl.)
Complete Hierarchy
Subtree Below Nodes to (and Incl.) Level (Relative)
Use case: hierarchies that happen to be restructured regularly.
Hierarchy Level
For types 2 and 4, you can specify under Hierarchy Level the level down to which the user may expand the hierarchy:
For authorization type 2 (up to and including level, absolute), the level is the absolute level number in the hierarchy, where the top node of a hierarchy is on level 1.
For authorization type 4 (up to and including level, relative), the level number refers to the number of levels counted from the currently selected node, which is then itself on the first level.
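The following added example (not taken from the SAP slides) models the five hierarchy authorization types and shows why the relative level of type 4 survives a restructuring while the absolute level of type 2 does not. The node names and the dictionary representation of the hierarchy are constructed; the numbers 0, 1 and 3 are assumed from the order of the list above, since the notes name only types 2 and 4.

```python
def authorized_nodes(children, root, node, auth_type, level=None):
    """Nodes visible through one hierarchy authorization granted on `node`.
    children: dict parent -> list of child nodes; the root is on level 1."""
    # Absolute level of every node, counted from the root (level 1).
    depth, stack = {root: 1}, [root]
    while stack:
        parent = stack.pop()
        for child in children.get(parent, []):
            depth[child] = depth[parent] + 1
            stack.append(child)
    if auth_type == 3:                    # complete hierarchy
        return set(depth)
    # Subtree below (and including) the authorized node.
    subtree, stack = set(), [node]
    while stack:
        current = stack.pop()
        subtree.add(current)
        stack.extend(children.get(current, []))
    if auth_type == 0:                    # only the selected node
        return {node}
    if auth_type == 1:                    # subtree below node
        return subtree
    if auth_type == 2:                    # subtree to absolute level (incl.)
        return {n for n in subtree if depth[n] <= level}
    if auth_type == 4:                    # subtree to relative level (incl.),
        base = depth[node]                # the node itself counts as level 1
        return {n for n in subtree if depth[n] - base + 1 <= level}
    raise ValueError(f"unknown authorization type: {auth_type!r}")

# Constructed sample hierarchy, before and after a level is inserted above EUROPE.
BEFORE = {"WORLD": ["EUROPE"], "EUROPE": ["GERMANY"], "GERMANY": ["BERLIN"]}
AFTER = {"WORLD": ["EMEA"], "EMEA": ["EUROPE"],
         "EUROPE": ["GERMANY"], "GERMANY": ["BERLIN"]}

def compare_restructuring():
    """Visible nodes for type 2 (level 3) and type 4 (level 2), before and after."""
    return {
        "type2_before": authorized_nodes(BEFORE, "WORLD", "EUROPE", 2, level=3),
        "type2_after": authorized_nodes(AFTER, "WORLD", "EUROPE", 2, level=3),
        "type4_before": authorized_nodes(BEFORE, "WORLD", "EUROPE", 4, level=2),
        "type4_after": authorized_nodes(AFTER, "WORLD", "EUROPE", 4, level=2),
    }
```

After the restructuring, the type 2 authorization silently loses GERMANY because EUROPE moved one level down, while the type 4 authorization still covers the same two nodes.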
Authorizing Hierarchies 4
Validity Range
Which authorization hierarchy is checked against the currently used hierarchy (strictness of check)?
Name, Version Identical and Key Date Less Than or Equal to
Name and Version Identical
Name Identical
All Hierarchies
Special Authorization Characteristics
Insert special characteristics
Special Authorizations
Special authorizations
* (asterisk): denotes a set of arbitrary characters
+ (plus): denotes exactly one character (e.g. 01.++.2005 until 10.++.2005: allows access only on the first 10 days of each month in 2005 - only available for time validity (0TCAVALID))
: (colon): allows only aggregated access to data (e.g. allows information on all sales areas only on aggregated level, not on particular countries)
Variables And Authorizations
Selection and Authorization
Check of Authorizations
Selection of query will be checked against the union of the authorizations
Example:
One authorization grants access to cost center 1000 for year 2004, a second one grants access to the same cost center for year 2005
Access to a query selection with cost center 1000 and years 2004 and 2005 will be granted
[Figure: cost center CC 1000 against year 2004 and year 2005]
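The check against the union of authorizations, together with the EQ, BT and CP value types from the earlier slide, can be modelled as follows. This is an added example and a simplified model, not SAP's implementation: the characteristic names COST_CENTER and YEAR, the tuple layout and the rule that a characteristic missing from an authorization is not authorized are assumptions.

```python
import re
from itertools import product

def value_matches(value, restriction):
    """Test one characteristic value against an (operator, low, high) restriction."""
    op, low, high = restriction
    if op == "EQ":      # single value
        return value == low
    if op == "BT":      # range of values, bounds included (string comparison)
        return low <= value <= high
    if op == "CP":      # pattern: * = arbitrary characters, + = exactly one character
        regex = "".join(".*" if c == "*" else "." if c == "+" else re.escape(c)
                        for c in low)
        return re.fullmatch(regex, value) is not None
    raise ValueError(f"unknown operator: {op!r}")

def covers(authorization, combination):
    """True if this single authorization allows every value of the combination.
    Assumption: a characteristic missing from the authorization is not authorized."""
    return all(
        any(value_matches(value, r) for r in authorization.get(char, []))
        for char, value in combination.items()
    )

def check_selection(selection, authorizations):
    """Return the value combinations of the selection that no authorization covers.
    An empty list means the selection lies inside the union of the authorizations."""
    chars = sorted(selection)
    uncovered = []
    for values in product(*(selection[c] for c in chars)):
        combination = dict(zip(chars, values))
        if not any(covers(a, combination) for a in authorizations):
            uncovered.append(combination)
    return uncovered

# Constructed sample data following the cost center example above.
AUTHS = [
    {"COST_CENTER": [("EQ", "1000", None)], "YEAR": [("EQ", "2004", None)]},
    {"COST_CENTER": [("EQ", "1000", None)], "YEAR": [("EQ", "2005", None)]},
]
# Constructed counter-case: each authorization pairs a different cost center and year.
SPLIT_AUTHS = [
    {"COST_CENTER": [("EQ", "1000", None)], "YEAR": [("EQ", "2004", None)]},
    {"COST_CENTER": [("EQ", "2000", None)], "YEAR": [("EQ", "2005", None)]},
]
```

With `SPLIT_AUTHS`, a selection of both cost centers and both years is not covered: the union is taken over value combinations, so cost center 1000 in 2005 and cost center 2000 in 2004 remain unauthorized.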
Generated Authorizations
Generation Log
Assigning Authorizations 1
Assigning Authorizations 2
Assigning Authorizations 3
Assigning Authorizations 4
Authorization Monitoring 1
Checking Authorizations
Check query execution with the authorization of a specific user
Authorization Monitoring 2
Legal Auditing 1
Recording of changes
Recording of authorization changes and user assignments
Technical Content RemoteProviders
0TCA_VAL
0TCA_HIE
0TCA_UA
Activate Business Content
Legal Auditing 2
Recording of changes
Query Example
Comparing Authorization Concept
Migration 1
Migration Support
ABAP program RSEC_MIGRATION (use transaction SA38)
No complete, automatic migration, but support
About 80% automatic migration expected
The more complex the existing authorization concept, the more manual migration work might be necessary
Customer-exit variables for 0TCTAUTHH cannot be migrated; the respective hierarchy nodes must be assigned manually
Intensive tests are highly recommended
Singular event, not for scheduling
During migration to the new authorization concept, the existing concept won't be changed
Migration 2
Migration Steps 1
Migration Steps
Step 1: Choose users
Migration can be done for singular user groups
Migration Steps 2
Migration Steps
Step 2: Choose authorization objects to be migrated
Migration Steps 3
Migration Steps
Step 3: Choose assignment method
Direct user assignment
- Migrated authorizations will be assigned to the users directly (not via roles)
- Migrated authorizations have prefix RSR_ and will be treated like generated authorizations
Create new profiles
- Generation of profiles based on authorization object S_RS_AUTH that contains the new, migrated authorizations
- Generated profiles have prefix RSR_
Extend existing profiles
- Existing profiles will be extended by authorization object S_RS_AUTH containing the migrated authorizations
- Preserves the existing role concept and extends the role profiles
Undo migration
- All migrated authorizations and profiles will be deleted, extended profiles contain empty authorization object S_RS_AUTH
Migration Steps 4
Migration Steps
Step 4: Choose details of authorization migration (expert mode)
Settings for referencing navigational attributes and characteristics are only relevant for the compatibility mode setting in SAP BW 3.x
Please have a look at the detailed documentation for more information
Migration Protocol
Migration protocol
A detailed protocol reports success and error events during the migration
Additional Information
Additional Information
Release Notes
Documentation (help portal)
Copyright 2006 SAP AG. All Rights Reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
permission of SAP AG. The information contained herein may be changed without prior notice.