SAP NetWeaver BI Security for Complex Requirements

  • by Marc Bernard, Chief Architect, NetWeaver RIG, SAP Labs
  • Shahid Manzur, BI Architect, SAP Labs
  • July 1, 2008
In SAP NetWeaver BI 7.0, you can join multiple authorizations. However, the union is only possible at an aggregated level. Find out how to implement analysis authorizations for unions and see a custom solution that helps overcome this limitation.
Key Concept

An analysis authorization is a new security concept as of SAP NetWeaver BI 7.0. It is different from the conventional authorization object concept and helps overcome limitations that existed when it comes to reporting and analysis. Enhancements include, for example, the ability to base authorizations on an unlimited number of InfoObjects and to grant access to transaction data by navigation attributes. Also, you can now set individual InfoObjects to "authorization relevant," regardless of the InfoProvider. Furthermore, you can set validity for individual authorizations instead of the entire role. Finally, you can join multiple authorizations, which is a significant improvement from the previous security model.

In SAP NetWeaver BI 7.0, SAP has made several enhancements to the BI security model. The most important one is the ability to do a union of several authorizations at an aggregated level. However, some limitations still do exist when you are working with standard analysis authorizations.

Let’s say, for example, that authorizations in a CRM pipeline analysis report are based on three objects: industry, service area, and region. The user has access to the telecom industry, plus the service area enterprise applications within the Midwest region. The requirement in this case is to show all opportunities that meet the security criteria, or, in other words, the union of all security objects. Prior to analysis authorizations it was only possible to show the intersection of all the security objects or data that meets all three requirements.

With analysis authorizations it is now possible to show the union at an aggregated level. From there, users can then drill down into individual areas and look at the details. In this case it is possible to report on the overall pipeline value for all of telecom opportunities plus enterprise application opportunities in the Midwest.

However, what if the requirement is to show a union of all the transaction level details? This is not possible using security based on analysis authorizations. For example, assume the user is an industry leader for telecom and also happens to be the service area leader for enterprise applications in the Midwest region. When this user executes the dashboard/report he expects to see details for all the opportunities that fall under his area. In such a scenario you need a custom approach because analysis authorizations only allow reporting at an aggregated level without all the transaction details.

In this article we will cover two scenarios. In the first, we create a union of transaction details, which we will show you how to implement using a custom security approach. Second, we will briefly explain how to do a union at an aggregated level using standard analysis authorizations for requirements where reporting at an aggregated level is sufficient.

Marc Bernard

Marc Bernard is a chief architect for SAP NetWeaver, specializing in SAP NetWeaver Business Intelligence, Business Planning, BI Accelerator, and Enterprise Search. In his role as chief architect, he has a strategic focus on future development topics, works closely aligned with the Development Architecture team, and is a trusted advisor for SAP’s customers. Marc has spoken at many SAP-sponsored events and is also a moderator on the SAP Developer Network.

See more by this author

Shahid Manzur

Shahid Manzur is the BI architect for the Price Optimization for Banking Solution at SAP Labs. Prior to SAP labs, Shahid has worked for Deloitte and TUI in various BI development roles. He has completed many SAP NetWeaver BI implementations and served as technical lead on several of these projects. Shahid has extensive data warehousing experience in areas such as data modeling, ETL, security, reporting, performance tuning, and cross-application integration.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.