SAP Business Objects Analysis For MS Office Authorization .
SAPBusinessObjectsAnalysis for MS OfficeAuthorization StrategyVersion: FinalBikash Mohanty1
Table of Contents1SAP BusinessObjects Analysis Authentication and Authorization31.1User types31.2Broad Category of Tasks in Business Objects Analysis41.3BW Authorization41.4Business Objects Authorization51.4.1Assignment of User Groups & Roles to the Folders in Business Objects in CMC71.4.2Relationship between Access Levels and User Groups in Business Objects CMC82Authorization Strategy103Step-by-Step SAP BusinessObjects Authorization Configuration123.1User and User Group Creation:123.2STEP 1: Creating a User:123.3STEP 2: User Group Creation133.4STEP 3: Importing Roles from the backend SAP BW system143.5STEP 4a: Automating Importing of Roles from SAP BW system into Business Objects163.6STEP 4b: Schedule a SAP Authentication Role update in Business Objects using a java program163.7STEP 5: Standard Access Levels183.8STEP 6: Custom Access Levels193.9STEP 7: Folder level Security204Top Level / Server Level Security:245Application Level Security:266Manage CMC User Security277Advance Rights298Security Query319Appendix (BW Authorization Set up in Detail)332
1 SAP BusinessObjects Analysis Authentication and Authorization Authorization is the process of verifying the user has sufficient rights to perform therequested action upon a given objects. Action means to view, refresh, edit, schedule, etc. Object means: folder, report, instance, universe, etc. Authorization is handled based on how the “access level”, “application security”, and“content security” such as users and groups, universe security, folder access, etc. aredefined using CMC.SAP BusinessObjects Authorization works differently but in conjunction with SAP BW Authorizationmodel.1.1 User typesUser TypeBEX QueryDeveloperBusiness ObjectsAnalysis ReportDevelopersReport UsersTaskAccess Requirement Develop the source queries In order to develop a report in SAPBusinessObjects Analysis for excel ;using SAP BW-BEX. Develop the reports in SAPBusinessObjects Analysis forexcel. Use the reports from SAPBusinessObjects Analysis forexcel A BW-BEX report needs tobe accessed from SAP BWand make it as data sourcefor SAP BusinessObjectsAnalysis report. SAPBusinessObjectsAnalysis report need to becreated, formatted usingexcel add-in and then besaved into a server folder. Copy Report from theapplicationfolderinBusinessObjects into own3
personalfolderandexecute reports for one ormore application areas.Power Users Develop & Execute reports inSAP BusinessObjects Analysisfor excel. Execute reports from oneor more application areasdirectlyfromtheapplication folders inBusiness Objects. Schedule report Create other SAP BusinessObjects Analysis reports.1.2 Broad Category of Tasks in Business Objects AnalysisTasksSAP BW Report Development & Sourcingfrom Business Objects platform.SAP Business Object Analysis for ExcelReport Development, Execution &Scheduling.1.3 BW AuthorizationBW Functional RolesControlled by AuthorizationControlled by SAP BW Authorization/RoleAssignmentControlled by SAP BusinessObjects AuthorizationAssignmentRole Assignment1. Wehavecreateddifferent roles in SAP BWfor different applicationareas (Such as FI, SD,MM etc).2. Chosen BW-BEX reportsfromthespecificapplication areas can besaved to the relevantroles, if we want torestrict the users inBusiness Objects to haverestricted access.3. Depending on the jobprofileandthedepartment they belong,roles are going to beassigned to BW businessusers and developers.4
Note: BW Authorization set up is covered in detailed, in appendix 4. If Business Object usersneed to have differentsection below.reportingaccessinBusinessObjectsAnalysis; in comparisonto SAP BW users; then anew set of roles can bedeveloped in SAP BW forSAPBusinsssObjectsenvironment. Throughthese new set of roles,same users can beallowed different reportaccess in BO systems toBW reports.1.4 Business Objects AuthorizationBusinessObjects AccessUser & GroupsFoldersRole Assignment1. Import “Roles” & “Users” from SAPBW.2. Create various “User groups” inSAP Business Objects CMCplatform such as “Developer” or“Administrator” or “Report Users”or “Power Users – Finance”,“Power Users – Operation”,“Power Users – Procurement”,“Power Users – CS”, “Power Users– SC”, “Power Users – AR” etc.3. Assign the imported “Roles” tovarious “User Groups” created inStep 2. Right click on the importedroles choose “Join Group” Choose the groups listed aboveone by one.4. Create various “Folders” in CMC,for report management ofdifferent application areas; such as“Finance”,Procurement”,“Operations”, “Customer Service”,“Supply Chain” & “AccountsReceivable” etc.5
Access Level5. When we create any new “Folder”,three sets of permissions areautomaticallyassigned:Administrator, Developer andEveryone. “Administrators” aregiven the access level “FullControl”. “Everyone” is given theaccesslevel“NoAccess”.“Developers” are given the accesslevel “Full Control”.6. Select each Folder Right click User Security Add Principles Select Groups. Each folder �Everyone”mandatorily. In addition, theyshould have the applicationspecific groups. For example: theFINANCE Folder should havefollowing groups; “Power user –Finance” & “Report user –Finance”,inadditionto“Administrator”, “Developer” &“Everyone”. Once a Principal /Group are assigned to a folder, wecan choose “Add/AssignSecurity”.7. At this stage, we will be required tochoose either “Generic Accesslevels” such as “Full control”,“Schedule”, “View” or “View ondemand” or we can create customaccess level or we can evenmaintain “ADVANCED accesslevel” analysing complex scenariowith set of very detailedparameters from “Advance” tab. Access Levels need to bedefined for each of the User orUser Groups assigned to thefolders. “Grant” radio button can beselected for providing variousaccesses such as to schedule areport, view, Pause and6
resume its Scheduled instancesetc.“Deny” radio button can beselected to deny access toother activities such asaccessing any folder or report,and to view, delete a report.We can also allow the rights tobe applied to a “Sub object”,by checking the Object and SubObject check boxes, next to theRights column.Only after we click grant ordeny radio button, “Object”and “Sub-object” check boxesare enabled. Now we canmaintain the scope of rights.If we want to apply a right onlyfor a “Folder” and “not for its“Sub folders”, then we canuncheck sub-object check box.Note: Unlike SAP systems, Business Object Enterprise do not comprise of Roles, Profiles andAuthorization objects. Security in Business Objects is different than SAP and it consists of: Folderlevel security, Application Security, Object Level Security and inheritance concepts.1.4.1 Assignment of User Groups & Roles to the Folders in Business Objects in CMCBusiness ObjectUser Group Assignment to the FoldersBW Role Assignment to the GroupServer FoldersFinance & Controlling DeveloperRole from SAP BW Containing allthe Finance specific reports we Administratorwant to be accessible in BO EveryoneAnalysis for excel. Power user – Finance Report user – FinanceProcurementRole from SAP BW Containing all Developerthe Procurement specific reports Administratorwe want to be accessible in BO EveryoneAnalysis for excel. Power user – Procurement Report user – ProcurementFinancial Supply Chain DeveloperRole from SAP BW Containing allManagementthe FSCM specific reports we want Administratorto be accessible in BO Analysis for Everyoneexcel. Power user – Operations Report user – OperationsCustomer ServicesRole from SAP BW Containing all Developerthe Customer Services specific Administratorreports we want to be accessible7
SupplyChain Management Accounts Receivable Plant Maintenance Sales & Distribution Materials Management 1.4.2EveryonePower user – Customer ServicesReport user – Customer ServicesDeveloperAdministratorEveryonePower user – Supply ChainReport user – Supply ChainDeveloperAdministratorEveryonePower user – Accounts ReceivableReport user – Accounts ReceivableDeveloperAdministratorEveryonePower user – Plant MaintenanceReport user – Plant MaintenanceDeveloperAdministratorEveryonePower user – Sales & DistributionReport user – Sales & DistributionDeveloperAdministratorEveryonePower user – Materials ManagementReport user – Materials Managementin BO Analysis for excel.Role from SAP BW Containing allthe Supply Chain specific reportswe want to be accessible in BOAnalysis for excel.Role from SAP BW Containing allthe Accounts Receivable specificreports we want to be accessiblein BO Analysis for excel.Role from SAP BW Containing allthe Plant Maintenance specificreports we want to be accessiblein BO Analysis for excel.Role from SAP BW Containing allthe Sales & Distribution specificreports we want to be accessiblein BO Analysis for excel.Role from SAP BW Containing alltheMaterialsManagementspecific reports we want to beaccessible in BO Analysis for excel.Relationship between Access Levels and User Groups in Business Objects CMCAccess LevelRightsUser GroupsNo AccessThe no access level may be misleading. The no accesslevel does not explicitly deny access, but rather, sets allpermissions to “Not Specified.” This can be overriddenthrough inheritance.EveryoneViewWhen set at the folder level, the user can view the folder, Occasional Users /the objects contained in the folder, and all generatedReport Usersinstances of each object.At object level, the user can view the object, history ofthe object, and all generated instances of the object.The user cannot schedule or refresh the report, howeverby default; the user can edit the report and save to apersonal folder to refresh there. We can deny users fromcopying the object by going to advanced and denying8
“Copy Objects to another folder”ScheduleA user can generate instances by scheduling the object torun against a specified data source once or on a recurringbasis. The user has full access to the scheduled instancesthat they own. They can also schedule to differentformats and destinations, set parameters, pick servers toprocess jobs, add contents to the folder, and copy theobject or folder.DevelopersAdministratorsPower-UsersView On DemandA user can refresh a report in real time. Note that if areport is a WEBI document, the user will also need ViewOn Demand access to the universe and universeconnection to perform the refresh.Power UsersFull ControlAllows users to modify all of the object’s properties. Thisis the only access level that allows users to delete objects.DevelopersAdministrators9
2 Authorization StrategyModel – Separating Functional Access Groups from Data Access Groups This model is probably the most common model to implement as it has the right balancebetween flexibility and cost of development and maintenance. Here we have 2 sets ofgroups: one that defines “functional access” and one that defines “application access”. Auser is then a member of one of the functional groups and one or more application groups;this then defines overall access strategy.Functional Groups We first define the required functional access groups. We can have 3 functional groups of“Basic” (Report Users), “Intermediate” (Power Users) and “Advanced” (Developer orAdministrators); where again we have an inheritance model of increasing rights. This, alongwith the “Everyone” group defines the ‘baseline’ security model. Users will be a member ofat most one of these 3 groups, if a user is in more than one then the resolved access will bethat of the more advanced group.BI Application Groups We also create user groups that define separate BI Applications. The BI application (FI, FI-AP,FI-AR, SD, MM, PUR etc) itself defines data access, that is, it controls access to reports anduniverses that comprise the application. Users can belong in one or more of these groups.A user then belongs to one functional group and one or more application groups. It should be notedthat a user can then only have the same functional access across applications. I.e. if a user is a“Basic” user in one application they must also be a Basic user in any other application they haveaccess to. A second similar point is that each application must reuse same functional access model,that is, we can’t have two Basic groups with different functional access in two different applications.Proposed Access Level & Data Access Profile of Various user types:Access LevelViewViewViewViewViewViewUser TypesReport UsersReport Users - FIReport Users - SDReport Users - MMReport Users -F SCMReport Users - SCMFIXXCSXARXSDXMM PM SCMXXXFSCMXProcurementXXXXX10
ViewViewViewViewView on DemandView on DemandView on DemandView on DemandView on DemandView on DemandView on DemandView on DemandView on DemandView on DemandFull AccessFull AccessReport Users -ARReport Users - CSReport Users - PRReport Users - PMPower UsersPower Users - FIPower Users - SDPower Users - MMPower Users - FSCMPower Users - SCMPower Users -ARPower Users - CSPower Users - PRPower Users - XXXXXXXXXXXXXX11
3 Step-by-Step SAP BusinessObjects Authorization ConfigurationThis document covers how to create users, user groups and ends with creating access Levels andbasic troubleshooting techniques using the Security Query.3.1User and User Group Creation:Users in Business Objects can be of various types, and a user can login to Business Objects using thatparticular authentication with which the user has been created with. The authentications are:1. Enterprise2. LDAP3. Windows AD4. SAPIn our context; “SAP” user authentication is appropriate and users are created with.3.2STEP 1: Creating a User:The example below illustrates “How to create a user” in Business Objects.Login to CMC Go to Users and Groups, by selecting appropriate iconbar.To create a new User click onORClick Manage:from left hand sideand for User group creation click onSelect the Authentication Type in the next screen and maintain the required fields.1) Authentication Type as SAP : When Authentication type is SAP, then we only need to maintain Account Name as SAPSID Client No. / SAP User ID .User will login in Business Object Using his SAP Login credentials.12
Connection Type:o Concurrent: This user belongs to a license agreement that states the number ofusers allowed to be connected at one time.o Named: This user belongs to a license agreement that associates a specificuser with a license. Named user licenses are useful for people who require access toBusiness Objects Enterprise regardless of the number of other people who arecurrently connected.Click Create & CloseNOTE: “Administrator” is the default user that comes along with the Business Objects installation.3.3STEP 2: User Group CreationThe user group is a collection of users who require same kind of authorization. So instead ofassigning authorization to every new user that is created, we can create a user group and assign therequisite authorization to it, and later simply assign the user to that particular user Group.Click Create User group:Name the User Group:Click “OK”.Once a User Group is created, we can add a user to the group click (Add member to user group); byselecting the below icon from the MENU BAR.OR13
We can add a newly created or existing group to some other group while we can also assign a user toa group. All the BW roles, once imported to BO CMC appear as User Groups as well. This is becausethey are already assigned to users from BW based on their configuration in BW. We can assign theseroles (which appear as User Groups in BO CMC) to the newly created User Groups.NOTE: Administrators and Everyone are the default groups that come along with the BusinessObjects installation.3.4STEP 3: Importing Roles from the backend SAP BW systemThis section covers ‘How to import roles’, which in turn import users from a backend SAP BW systemto the Business Objects System.14
Login to the CMC Click Authentication SAPSince our Business Objects System is connected to a Backend SAP BW System; we are able to see alist of Roles in the left Pane which belong to the SAP BW system. We can now Import the roles fromthe Backend SAP BW system to the Business Objects system, select the role in the left pane andclickto import the roles then click Update:When a role is imported all the users assigned to that role in our backend SAP BW system, will alsoget imported into the Business Objects system.Now when a new user get assigned to an existing role in backend in SAP BW, only we need toclick Update Now button under User Update tab and the user will get created in the BusinessObjects system. To automate this activity also, we have already elaborated the steps in the nextsections.Here, BWP is our SAP system Id, while 100 is the client number from where the users arrive, hencethe naming convention: BWP 100/.15
3.5STEP 4a: Automating Importing of Roles from SAP BW systeminto Business ObjectsClick the User Update tab, now we need to check the field “Update now” or “Schedule” to importthe “Role” or “Role and Alliances” information from SAP BW.Whenever a user assignment is done to a role in backend (which has already imported in BusinessObjects) and user should get created in Business Objects. To create/update them automatically weshould use Schedule button. We can also force Synchronization under User Update tab byclicking Update Now button.3.6STEP 4b: Schedule a SAP Authentication Role update inBusiness Objects using a java programTo schedule (automate) the updating of SAP Users in the Business Objects system, we need to followthe steps mentioned below:1 .Download SAP Update. jar file from SAP Note: 14060372. Unzip the file3. Login in Business Objects CMC Folders Manage New Folder name “Objects”4. Select the folder "Objects" and click on Manage Add Program File16
5. Choose as Program Type as Java and add SAPUpdate.jar from the local drive.6. Right Click on SAPUpdate within our Objects folder and choose Properties Default Settings Program Parameters Specify as "Class to run:" sapupdate.MainUse the "Run Now" or Schedule the Program Object. Recurrence for this Program can be set asdesired.Now, the SAP BW users will get imported every time when they are created and assigned to a role inthe SAP BW system which has already been imported in Business Objects CMC. As such, there is no17
need to create a user in the Business Object CMC every time a new user is created in the SAP BWsystem. .Note: The statement assumes that every user which is created in the SAP system needs to becreated in Business Objects system. Else, if all the users are not required in the Business Objectssystem, the role which is imported in the Business Objects system should not be assigned to suchusers in the SAP backend. Two different roles can be created in that case, one for BW and one forBusiness Objects.3.7STEP 5: Standard Access LevelsPre-Defined access levels:There are four default
3 1 SAP BusinessObjects Analysis Authentication and Authorization Authorization is the process of verifying the user has sufficient rights to perform the requested action upon a given objects. Action means to view, refresh, edit, schedule, etc. Object means: folder, report, instance, universe, etc. Authorization is handled based on how the “access level”, “application security”, and
SAP Certification Material www.SAPmaterials4u.com SAP Certification Material for SAP Aspirants at Low cost Home Home SAP Business Objects SAP BPC CPM SAP BPC 7.0 SAP EWM SAP GTS SAP Public Sector SAP Real Estate SAP FSCM SAP FI/CO SAP AC - FI/CO SAP BI 7.0 SAP CRM 5.0
SAP ERP SAP HANA SAP CRM SAP HANA SAP BW SAP HANA SAP Runs SAP Internal HANA adoption roadmap SAP HANA as side-by-side scenario SAP BW powered by SAP HANA SAP Business Suite powered by SAP HANA Simple Finance 1.0 2011 2013 2014 2015 Simple Finance 2.0 S/4 HANA SAP ERP sFin Add-On 2.0
SAP HANA Appliance SAP HANA DB In-Memory A io BI Client non-ABAP (SAP supported DBs) SAP Business Suite SAP Business Suite SAP Business Suite SAP Business Suite SAP Business Suite SAP Business Suite SAP Business Warehouse SAP HANA DB r In-Memory Source Systems SAP LT Replication Ser
SAP Business Suite SAP BW SAP Apps Partner Apps SAP HANA PLATFORM Planning and Calculation Engine Real-Time Replication Services Information Composer & Modeling Studio SAP UI HTML5 Mobile SAP BI 4 SAP ERP SAP CRM SAP SCM SAP PLM SAP SRM SAP Netweaver Predictive Analytics & Business Function Libraries In-Memory
SAP Master Data Governance SAP Information Steward SAP HANA smart data integration SAP Data Hub SAP Cloud Platform Big Data Services SAP HANA, platform edition SAP Vora Customer Experience IoT Workforce Engagement SAP Cloud for Customer SAP Commerce SAP Marketing SAP Asset Intelligence Network SAP Predictive Maintenance and Service SAP .
The Business Objects Products has to be installed in following order: Crystal Reports for Enterprise 4.0 SP2 SAP Dashboard Design SAP Business Objects BI 4.0 SP2 Server Setup SAP Business Objects BI 4.0 SP2 Client tools Setup SAP Business Objects Explorer 4.0 SAP Business Objects Live Office 4.0 SP2
Customer Roadmap to SAP Simple Finance - Example " Adopting SAP Simple Finance is a journey - start early" Side-by-side SAP HANA Acceleration SAP HANA accelerators, BW, BPC, GRC SAP Business Suite on SAP HANA SAP ERP on SAP HANA SAP ERP in SAP HANA Enterprise Cloud SAP Accounting Powered By SAP HANA Simple Finance add-on/
ALE/RFC Setup 88 SAP System Type 88 SAP IDoc Version 88 Program ID (SAP to e*Gate) 88 SAP Load Balancing Usage (e*Gate to SAP) 89 SAP Application Server (e*Gate to SAP) 89 SAP Router String (e*Gate to SAP) 90 SAP System Number (e*Gate to SAP) 90 SAP Gateway Ho
