Thursday, December 20, 2007

New Analysis Authorizations Ease Administration

A new transaction in SAP NetWeaver 2004s eases the task of creating and optionally assigning reporting authorizations to users. Get expert advice about using transaction RSECADMIN.


Key Concept

SAP BI manages two different categories of authorizations. One is warehouse level and the other is analysis authorizations (previously called reporting authorizations). Analysis authorizations focus on what information a user is allowed to see after executing a query. For example, I can limit an individual user or group of users to reports that include cost center 1000. Also, if I only am permitted to see my HR payroll data and try to navigate a query to any other employee, then I am not allowed to see any information at all.

Warehouse-level authorizations are not focused on deciding if you are allowed to see certain values of Info­Objects, but rather on what type of processing you can do with specific objects of the warehouse. For example, you might be allowed to create or even execute a specific query, change or create an InfoCube, or modify a process chain.

Authorization in BI covers a broad range of functions for very different classes of users. BI developers are users who create Info­Objects, InfoProviders, transformation logic, and process chains and coordinate load activity. Power users might be responsible for query design, runtime calculations, information broadcasting, and assigning reporting objects to end users under their area of responsibility. End users or information consumers might just execute a limited number of Web pages using predefined navigation choices, while analysts might need access to information relevant only to a specific train of thought, for some what-if scenario.

You can subdivide these classes of users even more, which is just part of the problem facing the people trying to secure the BI system. Additionally, these professionals face legal and internal control requirements such as Sarbanes-Oxley that ensure BI is not just a free-for-all access to information.

Because it is relatively easy to assign infor­mation consumers to specific areas, the complexity comes in more with the power/analyst types of users. These people constantly change responsibilities in the business and their information needs to evolve with the changes. The right level of information access control is critical. If you provide too much security, then the BI system won’t support good analysis. If you have too little focus on security, then someone might go to jail.

Transaction RSECADMIN, a new authorization tool in SAP NetWeaver 2004s, simplifies complex networks of authorization. I’ll walk you through the technical implementation of this transaction. Remember that even with this simplification, you should limit which objects are deemed sensitive and thus require authorization in the first place. If you choose too many objects, then the administration increases at a very high rate.

No comments:

Blog Archive