BW/HR AUTHORIZATION ASAP FOR BW ACCELERATOR

BUSINESS INFORMATION WAREHOUSE

An Implementation Guide for BW/HR Structural Authorizations Document Version 1.0

Applicable Releases: BW 3.0 , PI 2001.2 and above June 15, 2002

SAP (SAP America, Inc. and SAP AG) assumes no responsibility for errors or omissions in these materials. These materials are provided as is without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages. mySAP BI How-To papers are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using mySAP BI. Should you wish to receive additional information, clarification or support, please refer to SAP Professional Services (Consulting/Remote Consulting).

BW/HR Authorizations

Table of Contents
1. 2. 3.
3.1.1. 3.1.2.

PURPOSE ................................................................................................................. 3 SOFTWARE VERSION SUPPORTED...................................................................... 3 GENERAL BW AUTHORIZATION STRATEGY ....................................................... 3

General Considerations .................................................................................................................................... 4 Specific HR Considerations ............................................................................................................................. 4

4.

BRINGING HR STRUCTURAL AUTHORIZATIONS TO BW ................................... 5

4.1. 4.2. 4.3.1. 4.3.2. 4.4.1. 4.4.2. 4.5.1. 4.5.2. 4.5.3. 4.6.1. 4.6.2. Overview of HR Structural Authorization ......................................................................................... 5 BW/HR Structural Authorizations Architectural Description......................................................... 6

4.3. Pre-Requisites for Structural Authorization in BW .......................................................................... 6 Software Releases............................................................................................................................................. 6 R/3 Functions ................................................................................................................................................... 6 4.4. BW/HR Business Content for Structural Authorizations ................................................................. 7 Data Sources..................................................................................................................................................... 7 Info Providers and associated update rules ...................................................................................................... 7 4.5. Restrictions ............................................................................................................................................ 7 Supported Organizational Management Objects .............................................................................................. 7 Only Current Plan Version is supported (version01).................................................................................... 7 Data Source 0HR_PA_2................................................................................................................................... 7 4.6. Performance Considerations................................................................................................................ 7 The Catch 22 .................................................................................................................................................... 7 Possible Alternatives ........................................................................................................................................ 8

5.
5.1.1. 5.1.2. 5.1.3. 5.1.4.

THE STEP BY STEP SOLUTION ............................................................................. 8

5.1. Prepare Structural Authorizations to be Extracted in R/3 Environment........................................ 9 Create Structural Authorization Profile:........................................................................................................... 9 Assign User to Profile in R/3.......................................................................................................................... 10 Update T77UU table to include User Name in SAP Memory........................................................................ 11 Regeneration of INDX Table ......................................................................................................................... 11 5.2. 5.3. 5.4. Activate Structural Authorizations DataSource in R/3................................................................... 11 Activities on BW side .......................................................................................................................... 12 Create BW Authorization .................................................................................................................. 15

2002 SAP AMERICA, INC. AND SAP AG

BW/HR Authorizations

1.

PURPOSE
Human Resources is one of the R/3 functional areas that contain a considerable amount of confidential and sensitive data in terms of legality and privacy issues. Customers typically have more stringent security requirements in HR than other functional areas. This document is intended to provide customers, partners and consultants with a brief general overview of BW authorization strategy1. The emphasis of this document is primarily on the unique considerations in an HR environment focused on the new BW/HR Structural Authorizations functionality. An in-depth description of this new function, the pre-requisites, its current restrictions, and the implementation processes in a BW environment will be provided.

2.

Software Version Supported

This document is valid for BW version 3.0A with plug-in 2001.2 or above.

3.

General BW Authorization Strategy

As an analytical and information access tool, the Reporting Aspect of BW security has some fundamental differences from the OLTP (R/3 online transactional process) environment as depicted in the following tabular form: OLTP (R/3) OLAP (BW) o Clearly divided into several business areas o OLAP Benefit means combining data (Finance, Controlling, Logistics, HR) from different areas o Analytical process is not transaction o Security based on Transactions for: oriented. o Master Data o Business process data o 99% OLAP processing is Display o Data access separated into different activities: o Create o Change o Display o Delete While there are distinct differences, BW authorizations are based on the standard SAP authorization concept. R/3, BW and all new dimension products under SAP family are integrated based on SAPs Role concept and can be managed via Central User Administration function. For the BW Administration functions, the authorization concept is very close to

2002 SAP AMERICA, INC. AND SAP AG

BW/HR Authorizations

standard R/3 and SAP BW delivers pre-defined roles. Please refer to the BW Authorization White Paper on SAP Marketplace BW web site2. There is no pre-delivered BW Roles for reporting and no authorization relevant object definition as delivered. This is due to the unique reporting authorization requirements at each customer installation. However, a set of tools is embedded in SAP BW Administration Workbench to facilitate the definition of customer specified reporting authorizations. This includes the new BW/HR Structural Authorizations functionality. 3.1.1. General Considerations As a general guideline, the following basic steps should be considered when defining BW authorizations: o Identify Roles in your company o Task oriented (reporting, administration) o Functional oriented (Board, Assistant, Manager, HR Generalist, Payroll Administrators, Analyst, Employee.) o Subject oriented (FI, Sales, Recruitment, Time, Payroll etc. with cross functional considerations.) o Define responsibility for identified role o Set up role oriented authorization, with special focus on reporting objects. o Assign BW users to a role 3.1.2. Specific HR Considerations In an R/3 HR environment, customers who have implemented Organizational Management component often adopted an authorization model that is an actual model of the current organizational structure. This is the so-called Structural Authorizations in R/3 HR environment. To establish the security equivalent to R/3 HR Structural Authorizations, it would take a vast amount of effort in BW environment to reproduce such a comprehensive setup based on the R/3 organizational management. To provide a richer set of functionality, BW and HR development have taken a giant step forward to built the foundation for a technique to allow bringing detailed authorizations objects at userid level from a source system and automatically generate user profiles in a BW environment. As a part of the BW/HR business contents, SAP has delivered the extractors and data sources required to bring R/3 structural authorizations to BW environment beginning BW 3.0A and Plug-in 2001.2. Customer now has the option to bring the R/3 Structural Authorizations to BW environment using standard business content. However, there are certain restriction and preconditions, which will be discussed in section 4 of this document. In addition to structural authorizations, HR customers should also be aware the following facts and establish proper authorization as needed: o 0Employee and 0Person Master Data consists of following attributes that typically considered as sensitive information from privacy and legal perspectives. Without
2

SAP Marketplace URL: http://service.sap.com 4

2002 SAP AMERICA, INC. AND SAP AG

BW/HR Authorizations

field level reporting authorization or structural authorizations, users could access these attributes as display attribute via local change capability to gain access. o Annual Salary o Age o Nationality o Salary grade o Typical US customization for Ethnicity and SSN Please note that authorizations for display attributes are all or nothing. You are allowed either to display or not. Theres nothing in between. o To define field level reporting authorization, please refer to the BW authorization white paper on SAPNet and OSS note 315094.

4.

Bringing HR Structural Authorizations to BW

4.1. Overview of HR Structural Authorization

R/3 Organizational Management provides customer with the capability to create organizational plan that depicts the structure of the enterprise. By defining the relationships among objects such as jobs, positions, employee, cost centers and work centers, you create a network that mirrors your organizational and reporting structures. The diagram below depicts an example of a simple organizational structure in R/3 HR.

Structural Authorizations function makes it possible to link the authorization check based on the organizational reporting structure. With the legal and privacy issues when dealing with HR data, the availability of structural authorizations has been a vital function in an R/3 environment. A typical structural authorization scenario is that only the head of the organizational unit in the above diagram have authorization to access the data of employees who hold positions under his/her supervision. This is done via the Evaluation Path of O-S-P
2002 SAP AMERICA, INC. AND SAP AG 5

BW/HR Authorizations

(Organization Unit Position Person). From HR security perspectives, Structural Authorizations is one of the most requested functionality to be replicated in the BW environment. 4.2. BW/HR Structural Authorizations Architectural Description With the initial release of this functionality, the following diagram provides a basic architectural overview of this function. Structural Authorization in BW

PSA
T77PR
Transfer Rules

R/3 Org. Structure

Profile R H B A U S 0 0

Struc Auth

Security Check

INDX Cluster
(0HR_PA_2 (0HR_PA_2 & 0HR_PA_3) Data Sources

T77UA Assignment

0HR_PA_2 Data Source

Update Rules

0HR_PA_3 0HR_PA_3 Data Source

T77UU User

Struc Auth ODSs

RSSM Trans
OR
Function Modules RSSB_Generate _Authorizations

PSA PSA 0PA_DS02

0PA_DS03

R/3 OLTP

BW

As depicted in the diagram, BW/HR Structural Authorizations extracts content of R/3 Structural Authorizations using standard BW Service API into BW environment as two sets of ODS Info Providers which are used as input for generating unique profiles in each user master records in BW. If HR Structural Authorizations have been configured in R/3, then the T77PR (profile) and T77UA (user assignment) tables should have already been populated. T77UU (users) table that contains user ids for which the extraction will be performed must be updated for all users. By executing report RHBAUS00, an INDX cluster table will be regenerated for the structural authorization profiles. This INDX cluster table will be used as the base to extract HR structural authorizations datasource 0HR_PA_2. For datasource 0HR_PA_3 the customizing tables are read directly (i.e. executing RHBAUS00 isnt necessary). 4.3. Pre-Requisites for Structural Authorization in BW 4.3.1. Software Releases o BW must be at least at 3.0A level. o R/3 BW Plug-ins must be at least at 2001.2. 4.3.2. R/3 Functions o R/3 HR Organizational Management must be installed and activated.
2002 SAP AMERICA, INC. AND SAP AG 6

BW/HR Authorizations

o R/3 HR Structural Authorizations must be configured. 4.4. BW/HR Business Content for Structural Authorizations 4.4.1. Data Sources o 0HR_PA_2: Value Authorizations, which extracts specific object type and object id that a given user is authorized to access. For example, userid LOA allowed to access Organizations 50000595 and 50000603, has following entries:
Date 14.09.2001 14.09.2001 Userid Object type LOA O LOA O Object id 50000595 50000603

o 0HR_PA_3: Hierarchy Authorizations, which extracts specific object with given hierarchy name and version. For example, userid LOA is authorized to access Orgunit hierarchy for object id of 50000595.
Date-from Date-To 01.01.1999 31.12.9999 Userid Object type Object id Hierarchy Version LOA O 50000595 ORGEH 000

4.4.2. Info Providers and associated update rules o 0PA_DS02: Value Authorizations ODS used as the input to generate authorization profiles for each user for given InfoObjects. The delivered update rule translates HR object type into InfoObjects. 0PA_DS03: Hierarchy Authorizations ODS used as input to generate authorization profiles for hierarchies. 4.5. Restrictions 4.5.1. Supported Organizational Management Objects o 0HR_PA_2: all o 0HR_PA_3: only hierarchy on organizational units (O) / evaluation path ORGEH is supported. In other words, only the hierarchy with the technical name ORGEH (delivered in BCT) is supported by this DataSource 4.5.2. Only Current Plan Version is supported (version01). 4.5.3. Data Source 0HR_PA_2. The Structural Authorization brought into BW environment by this datasource is Time-Independent. Its a snapshot of the authorizations, which are valid when extraction was performed. This means that historical authorization view from R/3 will not be available. The Calday in the extract structure represents the data of extraction not the date the INDX file was built (when RHBAUS00 was executed). This may not be an issue, if daily extraction is performed. 4.6. Performance Considerations 4.6.1. The Catch 22 BW/HR structural authorizations take advantage of the flexibility of Variable filled Authorizations in BW. When accessing a query that contains more than
2002 SAP AMERICA, INC. AND SAP AG 7

BW/HR Authorizations

one authorization relevant InfoObjects (e.g. variables filled by authorizations), all combinations will be checked. In the case of a very large organization unit, this leads to many checks. For example: the common evaluation path involves Orgunit, Positions and Employees. Suppose a department manager is responsible for 10 orgunits, which has 200 positions with a total of 200 employees. This would result in 3 variables for InfoObjects 0Orgunit, 0Hrposition and 0Employee are filled by authorizations. The variables are filled by 10, 200, 200 values. This leads to 10*200*200 = 400,000 checks at the interface. The number of authorization objects to be checked will further multiply the number of other InfoObjects required in the reporting authorization object, such as Ethnicity, Annual Salary etc. However, in order to secure the data access thoroughly and to replicate the structural authorizations from R/3, it is imperative that all authorization relevant InfoObjects must be checked. The catch 22 is that the completeness of authorization checks is at the price of slow query performance. 4.6.2. Possible Alternatives While a long-term solution is being contemplated, theres no immediate technical resolution at this time. A few potential alternatives to avoid this performance issue for very large organizations are as follows. However, you must carefully evaluate the consequences for your particular installation based on your query design and business requirements. Define a special Management role for the top management with large number of organization and staff members; allow unrestricted access for management with huge organizations. This means that the reporting authorization objects will contain * for full access. If possible, use only the Orgunit value and Orgunit hierarchy authorization instead of the complete evaluation path via authorization value lists (i.e. Orgunit ->Position -> Employee). This will only be possible, if you establish a query design standard when accessing confidential HR InfoProviders, the initial screen will begin with Orgunit Hierarchy. You must not define summary (:) level of authorization.This will force end user to filter through a valid node or Orgunit value to avoid any potential loop hole for unauthorized access. Reduce the number of authorization relevant InfoObjects (used in the query) where possible without compromising the security.

5.

The Step By Step Solution

When bringing R/3 structural authorizations from R/3 to BW environment, you can bring all or selected users and profiles via the SAP delivered extractor. The following example depicts the selection of the structural authorization for user LOA. User LOA is responsible for Corporate Service organization. The objective is to allow LOA to view data for all organization units at a summary level, but can only access the detailed level of data relevant

2002 SAP AMERICA, INC. AND SAP AG

BW/HR Authorizations

to the position within her organization and the detail information about employees who are holding these positions. 5.1. Prepare Structural Authorizations to be Extracted in R/3 Environment This section describes the steps to maintain structural authorizations profile and assignment of user. If your installation has configured for HR structural authorizations, these steps should have been done. You can skip to 5.1.3. Please check the R/3 online documentation for further information on the customizing of structural authorizations in HR. https://sapneth4.wdf.sap.corp/~form/sapnet?_SHORTKEY=01100035870000344300 & 5.1.1. Create Structural Authorization Profile:
1. First you must create or maintain Structural Authorization Profile for LOA. This is done on the R/3 system -> Transaction OOSP -> Select Authority profile -> Click on New Entry push button -> Give an Authorization Profile name and description.

2002 SAP AMERICA, INC. AND SAP AG

BW/HR Authorizations

2. Within the same transaction screen > Select Authorization Profile Maintenance -> Click on New Entry push button -> For the subject Authorization profile -> enter the following: o o o o o o o Sequence number -> you assign Plan version = 01 Object type (O or S or P) Object ID -> the 8-digit orgunit ID LOA is responsible for Evaluation Path -> O-S-P You can specify depth of access The 2nd entry shows all organizations can be viewed by LOA. Save the entries.

5.1.2. Assign User to Profile in R/3

3. Assign User to Profile in R/3: Transaction OOSB -> Select New Entry push button -> enter user name -> LOA and the associated Authorization profile -> Amelia -> Save.

2002 SAP AMERICA, INC. AND SAP AG

10

BW/HR Authorizations

5.1.3. Update T77UU table to include User Name in SAP Memory.

4. Create an entry for User name LOA: Transaction SE16 -> table T77UU -> Create new entry -> LOA -> Save. Hint: You can use the report RHBAUS02 to create the entries in the table for all users (Threshold value should be 1).

5.1.4. Regeneration of INDX Table

5. Execute program RHBAUS00 to regenerate indexes for structural authorization profiles. This report can only be generator for users who has entry in T77UU table. Transaction SE38 -> Enter RHBAUS00 as program name -> Click Execute

5.2.

Activate Structural Authorizations DataSource in R/3 Two datasources (0HR_PA_2 and 0HR_PA_3) are delivered as standard HR business content that extracts Authorization Values and Hierarchy Authorizations. You must first activate them in R/3 system as follows:

2002 SAP AMERICA, INC. AND SAP AG

11

BW/HR Authorizations

6. In R/3 system, Execute Transaction SBIW. Expand and execute Transfer Business Content DataSource. Under 0PA _OS application component, check mark and click on the Transfer Data Source push button on the top of the menu bar to activate the 0HR_PA_2 and 0HR_PA_3 datasources from R/3. Respond to the transport request.

5.3.

Activities on BW side

7. Replicate DataSources for 0HR_PA_2. (Admin Workbench -> Modeling -> Source System -> SAP Appl component -> Organization Management -> right mouse click and select Replicate Datasources). Or you can just replicate data sources under 0PA_OS application components.

2002 SAP AMERICA, INC. AND SAP AG

12

BW/HR Authorizations

8. Activate the Structural Authorizations ODS Infoprovider 0PA_DS02 via Business Content Activation function. (Admin Workbench -> Business Content -> Data Target -> Human Resources >Organizational Management -> drag 0PA_DS02 to the right pane. Use Data Flow before and after option under the Grouping Icon and Install in batch on the right pane of your screen.

9. Repeat the step 7 & 8 processes for 0PA_DS03 for Structural Authorizations Hierarchy data target.

10. Check and activate Transfer rules for 0HR_PA_2, if not already activated.

2002 SAP AMERICA, INC. AND SAP AG

13

BW/HR Authorizations

11. Check and activate Transfer rules for HR_PA_3, if not already activated.

12. Create Infopackage to extract the Structural Authorization from R/3 source system to the new 0PA_DS2 data target.

2002 SAP AMERICA, INC. AND SAP AG

14

BW/HR Authorizations

13.

Verify the monitor to insure the Structural Authorization ODS data target has been successfully loaded. Repeat step 13 & 14 for 0PA_DS03 data target.

5.4.

Create BW Authorization

14. Mark the relevant InfoObjects as Authorization Relevant: o Maintain InfoObject (RSD1) -> Change InfoObject name (e.g. 0Orgunit) -> highlight Business Explorer tabstrip -> Check mark Authorization Relevant -> Activate the InfoObject. -> Repeat for other InfoObjects (0hrposition, 0employee etc.).

2002 SAP AMERICA, INC. AND SAP AG

15

BW/HR Authorizations

15. Create Authorization Objects via RSSM transaction or via Business Explorer -> Reporting Authorization Objects -> Create > give a name, such as ZBW_HR_SA with a description.

16. Move the InfoObjects from the select list on the right pane to the left using left arrow -> Save

2002 SAP AMERICA, INC. AND SAP AG

16

BW/HR Authorizations

17. Relate the Authorization Object ZBW_HR_SA to the ODS you have populated (0PA_DS02) using RSSM transaction -> enter the authorization object ZBW_HR_SA -> Select check for Infocubes button -> click Change icon ->

18. To generate Authorization Object, you go through the following path: Transaction RSSM -> go to the 3rd section Authorizations -> select Generating Authorizations -> click the change icon (yellow pencil) This will lead you to the input parameter screen in next section.

2002 SAP AMERICA, INC. AND SAP AG

17

BW/HR Authorizations

19. Select the authorization object s that you want to generate profiles for by click the appropriate box and click on generate button. HR Structural authorizations ODS are listed on the top section with unique naming convention (0PA_DS02 and 0PA_DS03).

20. Alternatively, you may generate the authorization profile for each User from HR Structural Authorizations ODS (0PA_DS02) by executing program RSSB_GENERATE_AUTHORIAZ TIONS. Transaction SE38 -> enter Program RSSB_GENERATE_AUTHORIZA TIONS -> execute. Enter the authorization object(s) as input parameter: ZBW_HR_SA

2002 SAP AMERICA, INC. AND SAP AG

18

BW/HR Authorizations

21. Verify the result: Execute transaction SLG1 or SE38 program name = RSSB_BW_SHOW_LOG_AUTH_MODIFY ->

Green lights indicated successfully generated profiles for users in user master record.

22. Create Authorization Variable to automatic loading of authorized object values for the user when executing the query. Create variable for each of the involved Infoobject. I.e. 0Orgunit, 0Hrposition and 0Empolyee. Be sure to choose Selection option as variable represents parameter.

2002 SAP AMERICA, INC. AND SAP AG

19

BW/HR Authorizations

23. Include the authorization variables in your query.

2002 SAP AMERICA, INC. AND SAP AG

20