Thursday, May 15, 2008

Audit of SAP multiple logons

SAP allows multiple logons. When a user tries to log on again while already logged on, SAP displays three options, and one of them carries this message:
If you continue with this logon without ending any existing logons to system, this will be logged in the system. SAP reserves the right to view this information.

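As the message says, SAP records information about multiple logons. Where is it recorded, and how do you view it?

Use T-code SE16 to view table USR41_MLD. The 'Counter' field tells you how many times the user has gone ahead with a multiple logon.

But what use is looking at this? It probably has no real impact on the FS....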

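Disable SAP users from logging on multiple times

How do you configure the system to disable multiple logons?

Use T-code RZ10 to set the parameter login/disable_multi_gui_login:

  • 0 => not enabled; multiple logons are allowed
  • 1 => enabled; multiple logons are not allowed

What if multiple logons should be allowed for only a few people and denied for everyone else?

In addition to setting login/disable_multi_gui_login = 1 as above, set the parameter login/multi_login_users to the user accounts that should be allowed to log on multiple times. Separate the accounts with a comma "," and leave no blanks between them, then restart R/3.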

Maximum No. of SAP Session Per User

By default, SAP 4.6x allows each user to open 6 sessions. To change this, use T-code RZ10 to modify the parameter rdisp/max_alt_modes. The change takes effect only after R/3 is restarted.
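
The three profile parameters above can be reviewed offline from an exported profile file. The following is an added example, not part of the original post: it assumes the profile uses "name = value" lines with "#" comments, treats a missing login/disable_multi_gui_login as 0, and runs on a constructed sample profile with made-up user names.

```python
# Added example: audit the multiple-logon parameters in an SAP profile export.
# Assumption: plain "name = value" lines, "#" starts a comment line.

SAMPLE_PROFILE = """\
# constructed sample, not taken from a real system
login/disable_multi_gui_login = 1
login/multi_login_users = BASIS01, FIREFIGHT1,BATCHUSR
rdisp/max_alt_modes = 6
"""


def parse_profile(text):
    """Return {parameter: value}; a later line overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_multi_logon(params):
    """Return a list of findings for the parameters discussed in the post."""
    findings = []
    # Assumption: an unset parameter behaves like 0 (multiple logons allowed).
    disabled = params.get("login/disable_multi_gui_login", "0")
    exempt_raw = params.get("login/multi_login_users", "")
    if disabled != "1":
        findings.append("multiple logons allowed for all users")
    elif exempt_raw:
        entries = exempt_raw.split(",")
        # The post requires comma-separated accounts with no blanks.
        bad = [e for e in entries if not e or e != e.strip()]
        if bad:
            findings.append("exemption list has blank or padded entries: %r" % bad)
        names = [e.strip() for e in entries if e.strip()]
        findings.append("users exempt from the restriction: " + ",".join(names))
    limit = params.get("rdisp/max_alt_modes")
    if limit is not None:
        findings.append("session limit per user set to " + limit)
    return findings


if __name__ == "__main__":
    for finding in audit_multi_logon(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

The exempt-user list is the part worth reviewing periodically, since every account on it bypasses the restriction.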


Thursday, May 8, 2008

General SAP BI Authorization Concept

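To understand access control in SAP BCS/BW, you first need a basic grasp of the SAP BI authorization concept. SAP BI is not used to create or update data; it turns data into useful information that supports management decision-making.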

1. SAP BI Authorization Concept

Security needs in SAP BI are not the same as security needs in R/3. SAP R/3 is an OLTP (online transaction processing) system. This means that SAP R/3 focuses on getting the daily work of the business completed. People only need access to the specific functions they perform in their daily work. In general, R/3 security is focused on:
  • Transaction code
  • Specific field values
  • Which activities a user can perform
On the other hand, SAP BI is an OLAP system. This means that SAP BI focuses on what data a user can access. This may be controlled at the field level, or it may be controlled at the InfoProvider level. With SAP BI, authorizations can be defined and maintained by object (InfoObject, query, ODS object, InfoCube) and be applied to hierarchies. Authorizations can be added to roles that define what content is available to specific users or sets of users in the BI solution.

Specifics of SAP BI Security
 • Security is not focused on transactions.
 • Only two groups of Authorization Objects exist:
  o Business Explorer
  o Administrator Workbench
 • Easy to extend with authorization relevant InfoObjects

2. Reporting and Analysis Authorizations

In SAP NetWeaver 2004s, there are two authorization concepts: reporting authorizations and analysis authorizations.
  1. Traditional Reporting and Analysis Authorization concept
    Reporting authorizations control for which data a user has display authorization in a query. Prior to SAP NetWeaver 2004s, authorization objects first had to be created for this reporting authorization. An authorization object includes up to 10 authorization fields, which are used to determine whether a user is allowed to execute a specific action on a specific BW object. As soon as authorization objects were saved and assigned to a role, the authorization could be checked when executing a query.
  2. New Reporting and Analysis Authorization concept
    Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. Users restrict values for these characteristics. The authorizations can include any authorization-relevant characteristics and treat single values, intervals and hierarchy authorizations the same. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can then be transferred into authorizations as characteristics.

3. Restrictions on BW components

To restrict access, SAP BW requires the definition of reporting-relevant authorization objects, which need to be defined individually because they cannot be predefined by SAP. The majority of authorization objects therefore need to be defined individually in the system. Besides these individual objects, some standard objects also need to be assigned, granting the user the right to access certain InfoAreas and to start the reporting tools.

Possible restrictions on BW components:
  • Authorization on cube level
  • Authorization on Characteristic level
  • Authorization on Characteristic value level
  • Authorization on key figure level