See how to simplify the security setup for SAP BusinessObjects reports when a user is reporting from SAP NetWeaver BW or from a non-SAP system. A common challenge a security administrator faces is to build security for reports for different types of users coming from multiple applications or systems and to keep that security setup in sync at all levels.
Key Concept
Security measures are required when users log in to SAP NetWeaver Portal to access SAP BusinessObjects reports. To successfully secure these reports, the security administrator has to build security around SAP NetWeaver Portal, BusinessObjects applications, BusinessObjects content such as groups and folders, and InfoProviders, BEx queries, and InfoObjects.
Various types of users access sensitive data by executing BEx queries, SAP BusinessObjects reports, or Portal iViews for SAP NetWeaver BW. The security administrator must build and sync the security setup for users in multiple applications, so that:
- An end user in SAP NetWeaver BW remains an end user in BusinessObjects and SAP NetWeaver Portal
- Users see the same data if a report is executed in SAP NetWeaver BW, BusinessObjects, or SAP NetWeaver Portal
I show a unique way of implementing security in an SAP NetWeaver BW system that is then inherited by BusinessObjects and SAP NetWeaver Portal. It ensures a common and synchronized security setup. This solution uses a concept called shell roles, which function as groups in SAP NetWeaver Portal and BusinessObjects. For more information on shell roles, see the sidebar, “Behavior of Shell Roles.”
My method secures report navigation and report data down to the InfoObject level. You can extend it to reporting on non-SAP data and data in other SAP systems, such as ERP Central Component, ERP Human Capital Management, Advanced Planning & Optimization, Customer Relationship Management, and Supplier Relationship Management.
The Behavior of Shell Roles
Shell roles are dummy roles without any authorizations. They are placeholders for users. Shell roles are created the same way as regular roles using transaction PFCG, but with no transactions or authorizations. They have only a user assignment. In other words, shell roles are regular back-end roles without transactions and authorizations. You can use shell roles for SAP and non-SAP reporting data, but in this proposed solution I use shell roles only for non-SAP reporting. For reporting from SAP data, I use the regular end-user and power-user roles built in SAP NetWeaver BW. Back-end roles in SAP NetWeaver BW, including shell roles, become user groups when they are imported into BusinessObjects and SAP NetWeaver Portal.
Take these steps to create shell roles:
- Execute transaction PFCG (Figure A)
- Enter the Role name and Description
- Add users to this role in the User field (Figure B)

Figure A
Shell role creation initial screen

Figure B
Add users
How Roles Are Imported into BusinessObjects
A user ID with a user type of Communication or System is used to connect SAP NetWeaver BW and BusinessObjects. You configure this user ID in the Central Management Console (CMC). This user ID helps in importing SAP NetWeaver BW roles into BusinessObjects. Step 2 in the Security Setup section gives more detail about role import.
Important notes when importing roles:
- Only roles with a user assignment can be imported into BusinessObjects as a group. These groups in BusinessObjects are basically user groups.
- Content in the roles (authorizations or queries) is not carried over to BusinessObjects.
- Only roles (single roles and composite roles) with a direct user assignment become groups in BusinessObjects. Single roles inside a composite role with an indirect user assignment are not imported into BusinessObjects.
How Roles Are Imported into SAP NetWeaver Portal
To import back-end roles into SAP NetWeaver Portal, a User Management Engine (UME) is configured with application server ABAP (in my example SAP NetWeaver BW) as the data source. Unlike BusinessObjects (where only user-assignment roles are imported) every role in the back end is imported as a group into the portal. Step 5 in the Security Setup section gives more detail about role imports to a portal.
Security Requirements
My example assumes you have a setup with multiple reporting tools in SAP NetWeaver BW, SAP BusinessObjects, and non-SAP systems, such as legacy systems. The security requirements and assumptions include the following:
- Security for a single user is expected to behave the same in any reporting tool. For example, a finance (FI) end user in an SAP NetWeaver BW system with company code access restricted to XXX should have the same FI end-user functionalities in BusinessObjects and SAP NetWeaver Portal systems, with the same company code access. An FI end user in BEx cannot be an FI power user in BusinessObjects. A user with XXX company code access in BEx cannot have access to YYY company code in BusinessObjects.
- A BEx query, BusinessObjects report, or a Portal iView built on an FI InfoProvider should provide access only to finance data restricted by company code XXX. It should not provide data access to any other InfoProvider.
- BEx queries and BusinessObjects reports accessed through a portal should show the same data as when accessed through other tools.
Security Setup
The following five steps are required to accomplish a security solution for the above requirement.
Step 1. Classify the types of users. Broadly classify your reporting users who access your systems based on their relationship with queries, reports, and data. Typical users are end users, power users, schedulers, developers, and administrators. You could have reporting users who need to access data from non-SAP systems directly using a BusinessObjects tool. Classify these users as non-SAP users when, for example, they access data from a legacy system or change management tools using BusinessObjects reports. This classification is used to design and create security roles in SAP NetWeaver BW. This classification also drives the number of access levels to be created in BusinessObjects.
Step 2. Connect SAP NetWeaver BW with BusinessObjects. Create a user ID with the user type System and assign the profiles SAP_ALL, SAP_NEW and S_RS_ALL. Take these steps to create the ID:
- Execute transaction SU01. Enter the user ID. Click the create icon (Figure 1).
- Go to the Logon data tab. Select System as the User type (Figure 2).
- Next go to the Profiles tab and add profiles SAP_ALL, SAP_NEW and S_RS_ALL (Figure 3).

Figure 1
Enter the user ID

Figure 2
Select System as the User Type

Figure 3
Add profiles
After you create the system ID in the SAP back-end system, configure the user ID in the CMC. Log in to the CMC and select Authentication from the drop-down menu (Figure 4). In the Authentication screen, click SAP. This opens a new window called Entitlement systems (Figure 5). In this new window, select the Entitlement Systems tab and enter the System ID and Password created earlier. Click the Update button. This ID helps in pulling and converting SAP roles to BusinessObjects groups under the Role Import tab.

Figure 4
Select Authentication

Figure 5
Enter the ID and password
Step 3. Set up your SAP NetWeaver BW system. If SAP NetWeaver Portal or the BusinessObjects tool has reports or users who access data coming from non-SAP systems, create shell roles for these users in SAP NetWeaver BW. As mentioned, in my example I use shell roles just for non-SAP users. You create reporting roles (end user and power user) for different types of users based on the functional or sub-functional area.
For example, end-user roles would have analysis authorizations for FI, sales and distribution (SD), and other process areas including Analysis Authorizations for securing InfoObjects. Create administration roles for developers, security admins, and Basis admins. Import all the reporting roles, shell roles, and admin roles to the Portal and BusinessObjects.
Step 4. Set up BusinessObjects. A security administrator should configure SAP authentication in BusinessObjects. Import back-end roles and users to BusinessObjects (Figure 6).
- Navigate to Entitlement Systems in the CMC as explained in step 2
- Click the Role Import tab and select roles, which came from the SAP NetWeaver BW system
- Click the Add button

Figure 6
Role import from the SAP back end to BusinessObjects
Map groups from the back end to corresponding groups in BusinessObjects (Figure 7).
- In the CMC, click User & Groups.
- Open up the Group Hierarchy folder and select a BusinessObjects group. Under it add the corresponding group imported from the back end. For example, add back-end group SID~XXX@FI_END_USR_ROLE under the FI End User Grp.

Figure 7
Map back-end imported roles to BusinessObjects groups
Create mass and user-specific access levels for different types of users by combining application rights and content rights on all the objects (i.e., power-user access level, end-user access level, and developer access level). To create a new access level, select Access Levels on the CMC home page. This opens the Access Levels page. From there, follow menu path Manage > New Access Level (Figure 8). Include the required access rights under these mass access levels (Figure 9). These mass access levels have rights for multiple objects (content and application) combined in them.

Figure 8
Create a new access level

Figure 9
Custom mass access levels for the end user
Different types of users get their corresponding mass access levels on BusinessObjects universes, folders, applications, connections, and categories. These access levels, when assigned with a group on a specific object, grant rights pertaining to that object only. For example, for an end-user group, you would combine all the rights belonging to applications and content objects and create a custom access level called END USER ACCESS LEVEL. This access level, when used on an SAP BusinessObjects Web Intelligence report, only grants rights related to Web Intelligence reports.
Note
The number of access levels you create in BusinessObjects depends on the classification of users explained in step 1 in the Security Setup section.
Next come tasks for a BusinessObjects administrator, who should do the following configuration:
- Configure the default system for SAP authentication
- Configure an InfoView for single sign-on (SSO)
- Configure an open document for SSO (for URL iViews)
Step 5. Set up the SAP NetWeaver BW Portal. This step involves a portal administrator and a security administrator. A portal administrator must complete the following prerequisites:
- Configure SAP NetWeaver BW content with SAP Knowledge Management, to have all BusinessObjects InfoView content inside the SAP NetWeaver Portal.
- Create URL iViews for BusinessObjects reports and BEx queries published to the portal. (Queries and reports are created in SAP NetWeaver BW and BusinessObjects tools and are published to the portal as HTTP links. The portal developer creates iViews for these published links using a URL iView template.)
- Create a portal role called My InfoView to access BusinessObjects InfoView folders and documents.
When the above prerequisites are met, a security administrator configures the SAP NetWeaver Portal UME with AS ABAP as the DataSource for user management data. This is explained in detail in the Configure the UME section. This enables the following:
- Roles in the ABAP system appear as groups in the User Management Engine (UME)
- Users in the ABAP system are visible as users in UME and can log in with their passwords for the ABAP system
In SAP NetWeaver Portal, the security administrator must create different portal roles for end users and power users with URL iViews. In SAP NetWeaver Portal, add an InfoView portal role, a BEx portal role (end-user portal role and power-user portal role), and a URL iView portal role to the corresponding End-user portal group and Power-user portal groups that came from the back end. These groups give access to see:
- BusinessObjects documents, folders, and reports the same as in an InfoView
- BEx queries from the back end
- BusinessObjects and BEx reports published to the portal using URL iViews
For non-SAP reporting users, the shell role in the SAP NetWeaver BW system shows up as a group in SAP NetWeaver Portal. In SAP NetWeaver Portal, add an InfoView portal role and URL iView portal roles to the End-user shell portal group and Power-user shell portal groups that came from the back end. These groups give access to see:
- BusinessObjects documents, folders, and reports the same as in an InfoView
- BusinessObjects reports published to the portal using URL iViews
Configure the UME
Next you need to configure the UME to use an AS ABAP as a DataSource. The AS ABAP must be SAP NetWeaver Application Server 6.20 SPS 25 or higher. Take the following steps to configure the UME.
- Step 1. On the AS ABAP, create the system user for UME-ABAP communication. Use transaction SU01 to create user ID SAPJSF of the type System. Assign the standard role SAP_BC_JSF_COMMUNICATION_RO. Ensure that the standard role is assigned and generated. Use transaction PFCG to generate the authorization profile and assign the user.
- Step 2. On the SAP NetWeaver Portal, follow menu path System Administration > System Configuration > UME Configuration (Figure 10).

Figure 10
Configure the UME
- Step 3. Click the Data Sources tab.
- Step 4. Click the Modify Configuration button.
- Step 5. From the Data Source field, select ABAP System from the drop-down menu.
- Step 6. Click the ABAP System tab.
- Step 7. Enter the connection data (User ID SAPJSF and password) as shown in Figure 11.

Figure 11
Add the user ID and password
Security Architecture for Data Coming from SAP Systems
Figure 12 shows the security setup to use when you are reporting on data from SAP systems.
FI queries (Query 1, Query 2, and Query 3) are built on FI InfoProviders. Query 3 is published to the portal. These queries are accessed by FI end users (U1, U2, and U3) and FI power users (U4, U5, and U6) through end-user and power-user roles in SAP NetWeaver BW.

Figure 12
Security architecture for data from SAP systems
Import these SAP NetWeaver BW roles into BusinessObjects as groups with user assignments. Map them under respective BusinessObjects group structures. BusinessObjects FI universes are built on FI SAP NetWeaver BW queries or directly on FI InfoProviders. Web Intelligence reports R1, R2, R3, and R4 are built on FI universes, of which R1 and R2 are saved in an FI folder in BusinessObjects. R3 and R4 are published to the Portal and can be accessed as URL iViews.
FI end users get the end user access level on all the applications and objects in BusinessObjects, and FI power users get power user access levels. The portal URL iView role is created with iViews for BEx Query 3 and BusinessObjects reports R3 and R4. SAP NetWeaver BW roles are also seen in SAP NetWeaver Portal as the groups Portal FI End-User Group and Portal FI Power-User Group, with user assignments coming from the back end. These portal groups have portal roles mapped. When users log in to the following, this is what they would see:
- BEx Analyzer: Queries 1, 2, and 3
- BusinessObjects InfoView: BusinessObjects reports R1 and R2
- SAP NetWeaver Portal: InfoView tab with reports R1 and R2, BEx tab with Queries 1, 2, and 3, and another tab for Portal URL iViews for BEx Query 3 and BusinessObjects reports R3 and R4.
Note
Irrespective of the tool used, the user sees the same set of queries, reports, and data for reports.
Figure 13 shows security setup when the data is not from an SAP system.

Figure 13
Security architecture for data from non-SAP systems
As per the setup in Figure 13, the end-user shell role and the power-user shell role are created in SAP NetWeaver BW. Shell roles are used only for non-SAP data. You create end user and power user shell roles. Assign corresponding end users and power users. These roles are imported into BusinessObjects as groups with user assignments and are mapped under the respective BusinessObjects group structures.
The BusinessObjects universe is built on data from a non-SAP system. Web Intelligence reports R5, R6, R7, and R8 are built on this universe. R5 and R6 are saved in a folder in BusinessObjects. R7 and R8 are published to the portal and can be accessed as URL iViews. End users get the end user access level on all the applications and objects in BusinessObjects, and power users get power user access level.
A portal URL iView role is created with iViews for BusinessObjects reports R7 and R8. SAP NetWeaver BW roles are also seen in SAP NetWeaver Portal as the groups Portal End-User Group and Portal Power-User Group, with user assignments coming from the back end. These portal groups have portal roles mapped as shown in Figure 13.
When users log in to the following, this is what they see:
- BusinessObjects InfoView: BusinessObjects reports R6 and R7
- SAP NetWeaver Portal: InfoView tab with reports R6 and R7, and another tab for Portal URL iViews for BusinessObjects reports R7 and R8
Note
Although my example is about power and end users, you can extend the concept to developers, administrators, and any other user types.
The above setup ensures that all the requirements mentioned in the Security Requirements section are met.
- One place for security development and user administration in the SAP NetWeaver BW system for all SAP NetWeaver Portal, BusinessObjects, and BEx queries.
- Users in different applications have the same security setup.
- Users get the same data access down to InfoObject level when reports and queries are executed. (InfoObject level security is maintained in analysis authorizations in the SAP NetWeaver BW system.)
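One way to check that the BusinessObjects groups still mirror the SAP NetWeaver BW role assignments, using the role import rules and the SID~XXX@ROLE group naming described earlier. This is an added example, not part of the original article: the two exports, system ID BWP, client 100, user U7, and every role name other than FI_END_USR_ROLE are constructed, and reading the middle field of the group name as the client number is an assumption.

```python
import re

# Group-name shape the page shows for imported roles: SID~XXX@ROLE.
# Reading the middle field as a three-digit client is this example's assumption.
GROUP_RE = re.compile(r"^(?P<sid>[A-Z][A-Z0-9]{2})~(?P<client>\d{3})@(?P<role>.+)$")

# Constructed sample exports (not from a real system).
# "direct" = users assigned to the role itself; "indirect" = via a composite role.
BW_ROLES = {
    "FI_END_USR_ROLE":   {"direct": {"U1", "U2", "U3"}, "indirect": set()},
    "FI_PWR_USR_ROLE":   {"direct": {"U4", "U5", "U6"}, "indirect": set()},
    "FI_DISPLAY_SINGLE": {"direct": set(), "indirect": {"U1"}},
    "ZSHELL_END_USR":    {"direct": {"U7"}, "indirect": set()},  # shell role
}
BO_GROUPS = {
    "BWP~100@FI_END_USR_ROLE":   {"U1", "U2"},
    "BWP~100@FI_PWR_USR_ROLE":   {"U3", "U4", "U5", "U6"},
    "BWP~100@FI_DISPLAY_SINGLE": {"U1"},
}


def expected_groups(bw_roles, sid, client):
    """Only roles with a direct user assignment become BusinessObjects groups."""
    return {f"{sid}~{client}@{role}": set(a["direct"])
            for role, a in bw_roles.items() if a["direct"]}


def audit(bw_roles, bo_groups, sid, client):
    """Return (finding, group, user) tuples where BusinessObjects differs from BW."""
    expected = expected_groups(bw_roles, sid, client)
    findings = []
    for name in sorted(bo_groups):
        m = GROUP_RE.match(name)
        if not m or (m["sid"], m["client"]) != (sid, client):
            findings.append(("foreign_group", name, None))
        elif name not in expected:
            findings.append(("unexpected_group", name, None))
    for name in sorted(expected):
        actual = bo_groups.get(name)
        if actual is None:
            findings.append(("missing_group", name, None))
            continue
        # A user the role holds in BW but the group lacks, or the reverse,
        # means the two systems no longer grant the same user class.
        findings += [("missing_member", name, u) for u in sorted(expected[name] - actual)]
        findings += [("extra_member", name, u) for u in sorted(actual - expected[name])]
    return findings


if __name__ == "__main__":
    for finding in audit(BW_ROLES, BO_GROUPS, "BWP", "100"):
        print(finding)
```

Feed it only the groups created by role import; native BusinessObjects groups such as FI End User Grp do not follow the SID~XXX@ROLE pattern and would be reported as foreign_group.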
Future Maintenance
Here is how to deal with the maintenance required by changes that occur after you complete the setup:
New user setup in SAP NetWeaver Portal, BusinessObjects, or BEx: You create the user in SAP NetWeaver BW and assign corresponding end-user or power-user roles. The user is automatically imported to BusinessObjects and SAP NetWeaver Portal and can access all three tools with a password used in the SAP NetWeaver BW system.
User change in position: If a user changes position (e.g., from an end user to a power user or from finance to sales), you just change roles in the SAP NetWeaver BW system. Security for the user is updated in SAP NetWeaver Portal and BusinessObjects.
Other user admin tasks: You can control other user admin tasks such as a password change, unlocking blocked access, or expiration dates in SAP NetWeaver BW.
New query/report: If there is a new BEx query or BusinessObjects report, you just update the SAP NetWeaver BW roles to include that new query and InfoProviders related to query and report. If there is a new report in BusinessObjects, you develop the report in a universe and save it to an existing folder.
Manoj Kunta
Manoj Kunta is a certified SAP NetWeaver security architect specializing in security implementations for SAP NetWeaver BI, BusinessObjects, SRM, CRM, and GRC 10. He does independent consulting as a subject matter expert in SAP security and SAP GRC audit compliance and is currently working as a security architect at Mylan Inc. He worked earlier with SAP America as a senior technology consultant, and was the author of SAP NetWeaver BI Security - Best Practices, a document given to clients who implemented SAP NetWeaver BW.
You may contact the author at mkunta@gmail.com.