SAP BW Authorization Migration BW7.

30
RKT Live Expert Session

Toni Tavric, Christoph Kretner 21.3.2011

Guiding Principals

Integrate in Your Development Life Cycle

Plan Authorizations Early on in your Development Life Cycle

Authorizations requirement collection at Blue Print Phase

Identify and Assign Data Ownership

KISS Principal (Keep it Simple and Small)

A balance act among Granularity vs. Maintenance vs. Performance (Balanced Approach)

Design for simplicity and Ease of Maintenance without compromising Mandatory data security
Divide user into Groups and manage security at InfoArea or InfoProvider level

Thorough Authorizations Testing

Must be a part of system Integration Test plan

Performance testing is a essential part of test plan!!

Staffing for BW Authorizations

R/3 Authorization expert is not equivalent to BI Authorizations Experience Segregation of Duties among BI Users and Administrator

Migration Strategy

Migration Strategy

Big Bang approach mandatory (All or nothing)

Not possible to go live with different user groups/scenarios in different phases

Need to go for new Authorization Concept as chance to review old solution Raise developers awareness of implications due to changes on InfoObjects Define the target concept first and then the migration path Choose the right approach for your new analysis authorization concept

Depending on the actual system configuration, an InfoObject-based approach, an InfoProvider-based approach or a mixture of booth would be the best solution
InfoProvider-specific Analysis Authorizations might become necessary to assure running BW 3.x scenarios Take automation into consideration

Migration Procedural Method

Analyze existing Reporting Authorizations (3.x) SAP Service Offering Analyze future authorization checks Define concept for Analysis Authorizations including naming conventions Define migration strategy First realization of the concept prototype Migrate authorizations according to the defined concept

Test the newly created authorizations

Go-live Remove old authorization objects (if necessary)

Example Project schedule Combined Upgrade & Authorization Migration

1st month

2nd month

3rd month

4th month

5th monttj

<month>

Plan phase (6 weeks)

Upgrade Authorizations Upgrade & Test Authorization migration Upgrade & Test Authorization Test Upgrade & GoLive Cutover & Golive
Duration Milestone

DEV system (4 weeks)

QAS system (5 weeks)

PRD system (1 weekend)

Legend:

KickOff

Start Upgrade

GoLive

Remark Overall project duration dependends on the system complexity. Given example is based on a higher complexity.
SAP 2009 / Page 5

Migration Analyze Existing Authorizations

1. 2. 3. 4. 5. 6. 7. 8.

Identify relevant InfoObjects Identify relevant InfoProviders Group InfoProviders by data owner (applications) Identify on which InfoProviders authorization relevant characteristics are checked Identify auth. relevant navigational attributes and where they are checked Determine which auths are needed for the different applications Compare auth checks in old and new world Clarify if there is customer specific coding which refers to the reporting authorization objects in 3.x Clarify how customer specific coding has to be adapted

One old authorization Object in a role can result in n Analysis Authorizations in that role after migration!

Our Service: BI Authorization migration

Fixed price migration

The whole planning phase is a fixed price offer based on a questionnaire. The planning phase also considers alternative ways of assigning authorizations. Based on the planning phase the migration is also a fixed price offer.

SAP Consulting Procedure

Our BI authorization migration was developed based on many BI migration concepts, which are well-established and ensure a smooth migration. The result is always an ideal, custom-tailored concept.

Tool supported Analysis

The complex analysis procedure is supported by a tool, which analyzes the data model as well as the authorization concept. Based on these results the development of the target concept is faster and more precise.

Three steps to a new analysis authorization concept BI Authorization Migration Our Service:
Step 2:

Step 3:

Implementation Test support

BI 7.x Analysis authorization

Step 1:

Know-how-Transfer First rough analysis Migration strategies

Detailed analysis (tool-supported) Target concept Migration path

BUILD-Package The Migration

PLAN-Package The Concept

PLAN-Package The Concept

DISCOVER-Package The Basics

DISCOVER-Package The Basics

DISCOVER-Package The Basics

Tool-based Analysis

Tool-based Analysis - reworked

Optional: Analysis Authorization Migration with a Migration Sandbox (SBX) system

Advantages More time for implementing the new Analysis Authorizations on the SBX (Sandbox) system with a minimized development freeze on the DEV system Possibility to test with productive data prior to the upgrade of the productive landscape (if SBX is a copy of PRD) Possibility to test the upgrade itself on a Sandbox environment Possibility to create Analysis Authorizations for the DEV system for restricted data access right after the upgrade on DEV
Disadvantages Additional hardware required Additional effort for a system copy and an upgrade Original system for Analysis Authorizations is SBX and has to be adjusted after transporting to DEV Longer period for double maintenance (old Reporting Authorizations and new Analysis Authorizations) Additional effort for parallel role maintenance (DEV and SBX)

SAP 2009 / Page 11

Contact

Christoph Kretner Toni Tavric

Senior Consultant Consultant Focus Group BI Technology
SAP Deutschland AG & Co. KG Mobile +49 160 90822314 christoph.kretner@sap.com

SAP Deutschland AG & Co. KG Mobile +49 1608896174 toni.tavric@sap.com

SAP 2007 / Page 12

SAP 2008 / Page 12

Appendix

Benefits of the Analysis authorizations

1. Analysis authorizations are custom-tailored for authorization requests from a BI system

2. Very flexible in terms of changes concerning the authorization requests or data model 3. Direct assignments of authorizations on navigational attributes 4. New functionalities like integrated planning require analysis authorizations 5. Improved usability due to a new user interface 6. Improved analysis possibilities and easy authorization trace 7. Integration of hierarchy authorizations 8. Direct and indirect user assignment

Important Preparation Steps

1. Activate all business content related to authorizations before you get started InfoObjects: 0TCA* (and 0TCT* if not done already)

InfoCubes: 0TCA* 2. Set the following InfoObjects as "authorization relevant" 0TCAACTVT 0TCAIPROV 0TCAVALID 0TCAKYFNM (optional, if key figure restriction needed) 3. Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV (optional)

Testing Analysis Authorizations Recommendations (1/2)

Define positive and negative tests within and across applications! Prioritize applications that have to be tested

High priority

Choose most important Queries on each InfoProvider Do tests with different types of end-users (if existing) and typical selections Spot tests: choose most important Queries

Low priority

If possible: Compare Query results of Reporting Authorizations to those of Analysis Authorizations

You can then be sure that the system behaves in the same way Choose the same selections Dont do any data loading

Testing Analysis Authorizations Recommendations (2/2)

Testing in two steps:

Technical testing of new authorizations by administrators

Testing regarding content by business users

Dont forget to test drill-down

Important:

As you as customer know your applications best, you are in charge to define and approve tests

Copyright
Copyright 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty