Documente Academic
Documente Profesional
Documente Cultură
30
RKT Live Expert Session
Guiding Principals
A balance act among Granularity vs. Maintenance vs. Performance (Balanced Approach)
Design for simplicity and Ease of Maintenance without compromising Mandatory data security
Divide user into Groups and manage security at InfoArea or InfoProvider level
R/3 Authorization expert is not equivalent to BI Authorizations Experience Segregation of Duties among BI Users and Administrator
Migration Strategy
Migration Strategy
Need to go for new Authorization Concept as chance to review old solution Raise developers awareness of implications due to changes on InfoObjects Define the target concept first and then the migration path Choose the right approach for your new analysis authorization concept
Depending on the actual system configuration, an InfoObject-based approach, an InfoProvider-based approach or a mixture of booth would be the best solution
InfoProvider-specific Analysis Authorizations might become necessary to assure running BW 3.x scenarios Take automation into consideration
Analyze existing Reporting Authorizations (3.x) SAP Service Offering Analyze future authorization checks Define concept for Analysis Authorizations including naming conventions Define migration strategy First realization of the concept prototype Migrate authorizations according to the defined concept
2nd month
3rd month
4th month
5th monttj
<month>
Upgrade Authorizations Upgrade & Test Authorization migration Upgrade & Test Authorization Test Upgrade & GoLive Cutover & Golive
Duration Milestone
Legend:
KickOff
Start Upgrade
GoLive
Remark Overall project duration dependends on the system complexity. Given example is based on a higher complexity.
SAP 2009 / Page 5
1. 2. 3. 4. 5. 6. 7. 8.
Identify relevant InfoObjects Identify relevant InfoProviders Group InfoProviders by data owner (applications) Identify on which InfoProviders authorization relevant characteristics are checked Identify auth. relevant navigational attributes and where they are checked Determine which auths are needed for the different applications Compare auth checks in old and new world Clarify if there is customer specific coding which refers to the reporting authorization objects in 3.x Clarify how customer specific coding has to be adapted
One old authorization Object in a role can result in n Analysis Authorizations in that role after migration!
The whole planning phase is a fixed price offer based on a questionnaire. The planning phase also considers alternative ways of assigning authorizations. Based on the planning phase the migration is also a fixed price offer.
Our BI authorization migration was developed based on many BI migration concepts, which are well-established and ensure a smooth migration. The result is always an ideal, custom-tailored concept.
The complex analysis procedure is supported by a tool, which analyzes the data model as well as the authorization concept. Based on these results the development of the target concept is faster and more precise.
Three steps to a new analysis authorization concept BI Authorization Migration Our Service:
Step 2:
Step 3:
Step 1:
Tool-based Analysis
Advantages More time for implementing the new Analysis Authorizations on the SBX (Sandbox) system with a minimized development freeze on the DEV system Possibility to test with productive data prior to the upgrade of the productive landscape (if SBX is a copy of PRD) Possibility to test the upgrade itself on a Sandbox environment Possibility to create Analysis Authorizations for the DEV system for restricted data access right after the upgrade on DEV
Disadvantages Additional hardware required Additional effort for a system copy and an upgrade Original system for Analysis Authorizations is SBX and has to be adjusted after transporting to DEV Longer period for double maintenance (old Reporting Authorizations and new Analysis Authorizations) Additional effort for parallel role maintenance (DEV and SBX)
Contact
Appendix
1. Activate all business content related to authorizations before you get started InfoObjects: 0TCA* (and 0TCT* if not done already)
InfoCubes: 0TCA* 2. Set the following InfoObjects as "authorization relevant" 0TCAACTVT 0TCAIPROV 0TCAVALID 0TCAKYFNM (optional, if key figure restriction needed) 3. Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV (optional)
Define positive and negative tests within and across applications! Prioritize applications that have to be tested
High priority
Choose most important Queries on each InfoProvider Do tests with different types of end-users (if existing) and typical selections Spot tests: choose most important Queries
Low priority
You can then be sure that the system behaves in the same way Choose the same selections Dont do any data loading
Important:
As you as customer know your applications best, you are in charge to define and approve tests
Copyright
Copyright 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty