Locked: Avoid BW security pitfalls: Ask two data security experts your questions on protecting SAP NetWeaver
10 months ago  ::  Aug 01, 2011 - 1:33PM #1
Allison
Posts: 66

Avoid BW security pitfalls: Ask two data security experts your questions on protecting SAP NetWeaver BW reports


Richard Hunt and Tom Venables recently took questions on security and monitoring BW reports. To review the full discussion, read the transcript or review the Forum thread below.


Welcome to today's forum on securing and monitoring your BW reports. This is a great opportunity to ask your questions on the authorizations strategy introduced by SAP in BW 7.0 and coordinating security between your BW and ERP systems.


Richard and Tom, thank you for joining us today!


Post your questions now for data security experts Richard Hunt and Tom Venables and follow the Forum today, August 17, from 11:00 am-12:00 pm EDT.


To post your question, first log in to Insider Learning Network, and select the “Post Reply” button below. Richard and Tom will respond to questions in the Forum thread today from 11:00am – 12:00 pm EDT.


If you are not yet an Insider Learning Network member, join today


If you have not yet registered for this Q&A, click here to download Richard Hunt’s presentation on BW authorizations from GRC 2011.  “What Every SAP Customer Now Needs to Know About Analysis Authorizations,  a New Security Concept Within SAP NetWeaver Business Warehouse 7.0,” previously only available to conference attendees, includes guidance on planning for BW 7.0 and the new authorization  approach, plus detailed steps for configuring analysis authorizations.



Moderated by Kristine Erickson on Aug 18, 2011 - 03:14PM
10 months ago  ::  Aug 11, 2011 - 7:23AM #2
malinirao
Posts: 4

Hi,


What is the role design strategy for BI 7.0 Security including analysis authorization? What is the best recommended approach?


 

10 months ago  ::  Aug 11, 2011 - 8:55AM #3
Kristine Erickson
Posts: 43

Aug 11, 2011 -- 7:21AM, malinirao wrote:


How to download Richard Hunt's presentation on analysis authorizations?




Hi, Thanks for your posts!


When you register (click here) in advance of the Forum, you'll get an email with a link to download Richard Hunt’s GRC 2011 presentation,  “What Every SAP Customer Now Needs to Know About Analysis Authorizations,   Security Concept Within SAP NetWeaver Business Warehouse 7.0”.  


I hope this helps! If you have any trouble, please don't hesitate to contact me directly here: www.insiderlearningnetwork.com/kristinei...


Kristine Erickson
Managing Editor, Insider Learning Network


 

10 months ago  ::  Aug 17, 2011 - 8:42AM #4
Karen Mattheessens
Posts: 1

What are the (dis)advantages of assigning analysis authorizations through a PFCG role compared to direct assignment via transaction RSECADMIN?

10 months ago  ::  Aug 17, 2011 - 8:50AM #5
Robert Moore
Posts: 2

Hi,


I have the questions below.


1. What are design practices (best practices) for implementing analysis authorizations and what are pros and cons over each other?


2. Is there any standard format that can act as technical spec document while implementing analysis authorization?


Best Regards.

10 months ago  ::  Aug 17, 2011 - 9:19AM #6
beauregardpascal
Posts: 1

Hi


Why would an enterprise use the strategy of assigning analysis authorizations directly to a user ID rather than using a PFCG role?


If the enterprise decides to manage analysis authorizations directly on a user ID, can it use CUA (Central User Administration) to manage the access, or is the access managed only directly in BW?

10 months ago  ::  Aug 17, 2011 - 10:02AM #7
RavikanthGadicherla
Posts: 1

Hi,


What is the best approach if we have to set up the authorization/security at the sales employee (end user) level, where the user can only see his transactions or sales data?


E.g., no. of users: 1500


 


Regards,


RK

10 months ago  ::  Aug 17, 2011 - 11:04AM #8
Richard Hunt
Posts: 20

Aug 17, 2011 -- 8:50AM, Robert Moore wrote:


Hi,


I have the questions below.


1. What are design practices (best practices) for implementing analysis authorizations and what are pros and cons over each other?


2. Is there any standard format that can act as technical spec document while implementing analysis authorization?


Best Regards.




Hi Robert,


Some answers below:


1. What are design practices (best practices) for implementing analysis authorizations and what are pros and cons over each other?


This is a very broad question. I personally don’t like the term ‘best’ practice too much but I would say that there are a few ‘good practices’ and in my view the most important of these are as follows:


- Don’t extract sensitive data in the first place if you can avoid it. BW is probably not the most appropriate place to hold data privacy or commercially sensitive data.


- Assign your analysis authorisations via a PFCG role. I really can’t see any downside to this.


- Engage with your BW configuration team and architects to ensure that you understand the data model. A good BW security design will reflect a combination of the display access users have in ECC, the business’ reporting requirements, legislative/compliance issues and the BW data model itself.


- Try to avoid using the migration tool unless your BW 3.x solution is very straightforward.


- Use a consistent pattern in your analysis authorisations.


In the slides you’ll also find some thoughts on three different ways to design your analysis authorisations together with some thoughts on the pros and cons of each:


 


1. InfoProvider-Based Solution


A data model with logically defined InfoProviders centered around the restrictions you wish to achieve might work better with an InfoProvider-based security design.


2. Characteristic-Based Solution


A data model using a “single version of the truth” with reporting based on a small number of InfoProviders may be suited to a characteristic-based security design.


3. Report Name-Based Solution


A solution using a very tight naming convention may suit a security solution based around the report name.


 


2. Is there any standard format that can act as technical spec document while implementing analysis authorization?


- There’s nothing available as standard but you should be able to re-use a tech spec from a custom authorisation object as a starting point for this. Alternatively you could adapt the tech spec from one of your PFCG roles in ECC.

10 months ago  ::  Aug 17, 2011 - 11:07AM #9
tomvenables
Posts: 7

Aug 11, 2011 -- 7:23AM, malinirao wrote:

Hi,


What is the role design strategy for BI 7.0 Security including analysis authorization? What is the best recommended approach?


 


Hi there,


 


You need to work with your data model team to ensure that the structure of the data reflects items you need to secure as per your ERP authorisations design. You can then structure roles and analysis authorisations to reference this model. An example would be to keep all data-privacy relevant information in a separate infoarea, on which you can authorise in both the roles and analysis authorisations.


Always try and keep the solution as simple as possible - remember that any characteristics you define as authorisation relevant will be active across the whole landscape.


In terms of the assignment of analysis authorisations, it is recommended to assign these via the roles themselves; not only will this simplify administration, but it will also allow for ease of reporting on authorisations, especially if GRC is implemented on the BW system.


Hope this helps,


Tom

10 months ago  ::  Aug 17, 2011 - 11:09AM #10
vperez
Posts: 1

The migration process is user-based and not role-based. Since the user master data is not the same across the landscape (Dev, QA and Prod environments), should the process be run, and thus the analysis authorizations created, in the Production system?


 


Thanks!


Victor 
