要了解 SAP BCS/BW 的存取控制,先要對 SAP BI 的權限觀念有基本的認識。SAP BI 並不是用來建立或更新資料,而是將資料轉換成有用的資訊以提供管理當局決策之用。
1. SAP BI Authorization ConceptSecurity needs in SAP BI are not the same as security needs in R/3. SAP R/3 is an OLTP (On line transaction processing) system. This means that SAP R/3 focuses on getting the daily work of the business completed. People only need access to the specific functions they perform in their daily work. In general, R/3 security is focused on:
- Transaction code
- Specific field values
- Which activities a user can perform
On the other hand, SAP BI is an OLAP system. This means that SAP BI focuses on what data a user can access. This is may be controlled at the
field level, or it may be controlled at the
InfoProvider level. With SAP BI, authorizations can be defined and maintained by object (InfoObject, query, ODS object, InfoCube) and be applied to hierarchies. Authorizations can be added to roles that define what content is available to specific users or set of users in BI solution.
Specifics of SAP BI Security
• Security is not focused on transactions.
• Only two groups of Authorization Objects exist:
o Business Explorer
o Administrator Workbench
• Easy to extend with authorization relevant InfoObjects
2. Reporting and Analysis AuthorizationsIn SAP NetWeaver 2004s, there are two authorization concepts, one is reporting authorization, and the other is analysis authorizations.
- Traditional Reporting and Analysis Authorization concept
Reporting authorizations control for which data a user has display authorization in a query. Previous to SAP NetWeaver 2004s, authorization objects must first be created for this reporting authorization. An authorization object include up to 10 authorization fields which are used to determine whether a user is allowed to execute a specific action on a specific BW object. As soon as authorization objects were saved and assigned to a role, the authorization may be checked when executing a query. - New Reporting and Analysis Authorization concept
Analysis authorizations are not based on authorization objects. Instead you create authorizations that include a group of characteristics. Users restrict values for these characteristics. The authorizations can include any authorization-relevant characteristics and treat single values, intervals and hierarchy authorizations the same. Navigation attributes as well can be indicated as authorization-relevant in the attribute maintenance for characteristics and can be then transferred into authorizations as characteristics.
3. Restrictions on BW componentsTo restrict access SAP BW requires the definition of reporting relevant authorization objects which need to be defined individually since these reporting relevant objects cannot be predefined by SAP. Beside the majority of authorization objects which need to individually defined in the system. Beside these individual objects some standard objects need to be assigned also granting the user the right to access certain infoareas as well as to start the reporting tools.
Possible restrictions on BW components:
- Authorization on cube level
- Authorization on Characteristic level
- Authorization on Characteristic value level
- Authorization on key figure level
