Peter John
Security & Development, NW BI, SAP AG
Agenda
Authorization protocol
Switch back to old authorizations
General remarks
Read the documentation, please. Read the additional documentation on http://olap:1080/security/ -> 7.x material (steadily increasing).
Read notes 820183 (typical pitfalls for beginners) and 923176 (upgrade information).
New infrastructure
No authorization objects for reporting and analysis any more (the old term is no longer used for these authorizations). Authorizations are pure BI objects; they are linked to profiles via the new authorization object S_RS_AUTH (one field only: the name of the BI authorization). Overview in RSU01.
New HTML/XML-based authorization protocol. Generation simplified. Migration tool (3.x -> 7.0): SE38 -> report RSEC_MIGRATION.
Relevant transactions: RSUDO, RSECPROT, RSECAUTH, RSU01, SU01, PFCG
New: all analysis auths are contained in the artificial auth 0BI_ALL (not changeable, updated after every InfoObject change; see also note 820183).
Via S_RS_AUTH = * it is automatically integrated in SAP_ALL (sometimes issues: see note 820183).
Differences I
Important differences: 3 new special characteristics. All users must have auths on them! Otherwise: no auth.
0TCAIPROV: which InfoProvider is authorized; combinable with 0TCAIFAREA to define hierarchy auths on 0TCAIPROV and thus authorize whole InfoAreas.
0TCAACTVT: activity, e.g. read (03), change (02), for integrated planning (which uses the same auths as normal queries).
0TCAVALID: validity, a complex time period saying whether an auth is valid or not.
=> No check on S_RS_MPRO, S_RS_ISET, S_RS_ODSO, S_RS_ICUBE any more (mapped by authorizations on 0TCAIPROV).
1KYFNM is replaced by 0TCAKYFNM, a normal InfoObject.
Fully integrated hierarchy auths => no hierarchy auth definitions on 0TCTAUTHH any more; no check on S_RS_HIER (processed by hierarchy auths only).
Experts:
No compatibility modes/switches any more.
Referencing characteristics with hierarchies and navigational attributes simply need their own auths (normal characteristic assumption).
Navigational attributes are normal characteristics and must be authorized as normal characteristics; also possible with hierarchy auths.
Structure of the code entries is almost identical to 3.x. Switches in the old modules; the default break-points stop in old or new coding depending on the switch state.
Function groups:
RSEC_SCREENS: GUI coding
RSEC_CHECKS: authorization checking
RSEC_GENERATION: automatic generation of BI auths
RSEC_MIGRATION: coding for migration 3.x -> 7.0
Break-point overview (reconstructed from the slide diagram):
Usually variables / F4: RSEC_GET_AUTH_FOR_USER (break-point 3), RSEC_GET_AUTH_HIER_FOR_USER (break-point 4)
Planning: own break-point (unnumbered on the slide)
RRS_REPORT_INIT_CHECK -> RSEC_AUTHORITY_CHECK_IPROV: rough check on InfoProvider (0TCAIPROV) and activity (0TCAACTVT); no auth for the InfoProvider = EYE 001 (break-point 1)
RSEC_AUTH_GET_IOBJ_RELEVANT (break-point 5), followed by the detailed check (break-point 2)
Navigational steps 1 to 6 (diagram numbering)
You can check whether everything goes right by looking at the break-points in the following order, which corresponds to what is most relevant and to what happens in query processing:
For value help issues: break-points 3 or 4 respectively.
For no-auth issues and related: break-points 1, 5, 2.
If you suspect the buffer is wrong or want to see the information fast: break-point 6 (see next pages and the protocol).
SAP AG 2005, Analytics Security for Supporters / Peter John
Breakpoints and performed auth checks
Break-point 1 (also in protocol): rough check on access to the InfoProvider. Is there any auth on this cube at all (valid for today)? Only checks the InfoProvider in 0TCAIPROV and the activity in 0TCAACTVT (more than once in planning scenarios). The detailed check may still fail later. Just F7 to get the result in sy-subrc; if no auth -> message EYE 001.
Relevant characteristics, break-point 5 (also in protocol): RSEC_AUTH_GET_IOBJ_RELEVANT. After execution (F7), e_th_chanm contains the list of characteristics that must be authorized in the detailed checks, i.e. the effectively relevant ones: the auth-relevant characteristics of the cube minus those for which the user has * auths (which need no further check). Just F7 to get the result list in e_th_chanm.
Detailed check, break-point 2 (also in protocol, and better readable there unless there is a dump or an error): RSEC_AUTHORITY_CHECK_SELECTION (was RSSB_AUTHORITY_IOBJVL_CHECK in 3.x). Check and preparation of the comparison selection vs. authorization; extension of the selection by checks on aggregation (:). The detailed check itself, the main processing, is encapsulated in function module RSEC_AUTHORITY_CHECK_SUBNR (coding and processing very different from 3.x). No auth -> message EYE 007 ("golden eye"); no BRAIN messages any more. Also look at the parameter descriptions in the function module. Just F7 in a first run to see the result, then find out why (e.g. a dump).
Value help, break-point 3 (also in protocol): value auths (usually for value help) for an InfoObject. e_t_rangesid contains an interval-like list of authorized values. If i_separate_leaves is set to true, the leaves of a hierarchy auth are listed separately as SIDs (>0) in e_t_leaves_sids. If ignore_hierarchy is set to true, no leaves are added. Also look at the parameter descriptions in the function module.
Value help for hierarchies, break-point 4 (also in protocol): e_ts_node contains the authorized nodes; e_ts_auth_values_hierarchy contains all hierarchy authorizations for the current InfoObject, including those not displayed etc. Also look at the parameter descriptions in the function module.
Fill buffer and g_thx_auth_buffer, break-point 6 (also in protocol): called often, so only stop there if necessary; the buffer itself is always available. Filling of the global buffer variable g_thx_auth_buffer in form fill_auth_buffer, function group RSEC_CHECKS.
Buffer contents:
TH_CHANMID: authorization-relevant characteristics (same as break-point 5 / RSEC_AUTHORITY_GET_RELEVANT)
TH_CHANM_AST: characteristics for which the user has any * authorization (not necessarily everywhere); useful for value help
THX_AUTHS: complete relevant authorizations for today and this InfoCube
TH_COB_PRO: properties of all InfoObjects in the InfoCube
Authorization Protocol: tx RSECPROT. All process blocks represented by the break-points are here as well, in human-readable form as HTML. Logging: via RSUDO and a flag, or permanently in RSECPROT.
RSECPROT: select a protocol with the value help or complex filters; an HTML page is displayed. This will take some time. (Remark: all blocks may appear more than once, as they may be called several times in one query.)
General: header with time, query, cube, executing user, restricted user.
Authorized attributes (not auth relevant, or the user has * for them): RSEC_AUTHORITY_GET_AUTH_ATR_FOR_USER
Value auths / value help (here [VCA_C1_1, VC_C2_2] for 0VCA_C1): list of authorized values as intervals; if leaves are requested they may appear as SIDs.
Hierarchy auths: list of nodes that are authorized.
Detailed check: corresponds to break-point 2, RSEC_AUTHORITY_CHECK_SELECTION; detailed check block preparations.
Main check ("Following Set Is Checked"): on the left the selected set is described: first a list of all selected characteristics, second a description of the selected set as an SQL string (intervals are in general not possible). In the middle: the first authorization used for the comparison (possibly optimized beforehand and merged with others). Result: "Subselection is authorized" or "Subselection is not authorized" (no auth means something is not shown; the query might be completely rejected; message EYE 007).
The aggregation check blows up the scenario very often (especially in planning). Example from the protocol: the selection is 0VCA_NC1 = VCA_NC1_0, but there is only a ':' (aggregation) authorization on 0VCA_NC1 => message EYE 007.
Figure (reconstructed from the slide): auth1 has only 0COUNTRY I BT [DE, FR] and no 0CALYEAR; Auth2 (mixed) has 0CALYEAR I BT [1999, 2001] and 0COUNTRY I BT [DE, FR]. Result: auth1 is extended to 0CALYEAR 1999 to 2001 for DE, FR, i.e. the same rectangle in 0CALYEAR x 0COUNTRY as auth2.
Rule: Empty (= non-existing) dimensions in auths are filled from all other valid auths.
Merging of auths
Example (figure): auth1 = 0CALYEAR 1999 to 2001 x 0COUNTRY DE, FR; auth2 = 0CALYEAR 1999 to 2001 x 0COUNTRY FR, IN; merged into a single auth covering 0COUNTRY DE to IN for 0CALYEAR 1999 to 2001.
Merge sequence (second example on the slide, auths auth2 to auth5):
(new) auth2 with auth3, auth4, auth5 -> not mergeable into auth2
auth3 with auth4, auth5 -> not mergeable
auth4 merged with auth5 -> into auth5
(new) auth2 with auth3, (new) auth5 -> not mergeable
auth3 merged with (new) auth5 -> into auth5
(new) auth2 merged with (new) auth5 -> into auth5
I.e. auths are compared pairwise; each successful merge yields a new auth, and the remaining pairs are compared again.
(Screenshot labels: Authrsec1, Authrsec2.)
Buffer: general info. Buffer filling: read from the database; filter the auths that are interesting for the cube, the user and the current date (validity); optimize and merge auths for reuse in other calls; determine the auth-relevant characteristics; determine the characteristics with a * in any auth. The buffer may be filled several times, for different cubes. A call from value help is cube-independent (the cube is initial).
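Added example, not SAP code and not from the slides: a small Python replay of the buffer filling and checks described above, i.e. the rough check (break-point 1, EYE 001), filling empty dimensions from the other valid auths, merging auths that differ in one characteristic only, and the detailed check of one subselection (break-point 2, EYE 007), including the ':' aggregation case. The data model, the function names, the cube name ZSALES and all sample auths are assumptions made for this example; in particular, treating a characteristic as irrelevant only when every valid auth has * on it, and merging two auths only when they differ in at most one characteristic, are this example's reading of the slides' rules, not a statement about the ABAP coding.

```python
"""Toy replay of the BI 7.x analysis-authorization check (added example, not SAP
code): rough check (break-point 1), buffer filling with the fill/merge rules
(break-points 6 and 5) and the detailed subselection check (break-point 2).
Data model, function names, cube name and all sample auths are assumptions."""
from functools import reduce

ALL, AGGR = "*", ":"  # '*' = everything authorized; ':' = aggregation only

def normalize(ivs):
    """Sort closed [lo, hi] intervals and merge the overlapping ones."""
    out = []
    for lo, hi in sorted(ivs):
        if out and lo <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def val(*items, aggr=False):
    """Auth value on one characteristic: single values or (lo, hi) pairs, plus the ':' flag."""
    ivs = [(i, i) if isinstance(i, str) else tuple(i) for i in items]
    return (tuple(normalize(ivs)), aggr)

def union(a, b):
    """Union of two auth values on the same characteristic ('*' absorbs everything)."""
    if ALL in (a, b):
        return ALL
    return (tuple(normalize(list(a[0]) + list(b[0]))), a[1] or b[1])

def covers(auth_val, sel_val):
    """Does an auth value cover the selection on one characteristic?
    sel_val is ':' (characteristic aggregated) or a list of (lo, hi)."""
    if auth_val == ALL:
        return True
    ivs, aggr = auth_val
    if sel_val == AGGR:
        return aggr  # value auths alone never authorize the aggregate
    return all(any(alo <= slo and shi <= ahi for alo, ahi in ivs) for slo, shi in sel_val)

def rough_check(auths, cube, activity, today):
    """Break-point 1: is there any auth for this InfoProvider, activity and date at all?
    Returns the surviving auths; an empty list corresponds to message EYE 001."""
    want = {"0TCAIPROV": [(cube, cube)], "0TCAACTVT": [(activity, activity)],
            "0TCAVALID": [(today, today)]}
    return [(n, a) for n, a in auths if all(c in a and covers(a[c], v) for c, v in want.items())]

def fill_buffer(auths, cube_chars):
    """Break-points 6/5: fill empty dimensions from the union of all other valid auths
    (the slides' rule); drop characteristics that are '*' in every auth (assumed reading
    of 'minus the * auths'); merge auths differing in at most one characteristic
    (assumed merge criterion). Returns (relevant characteristics, merged auths)."""
    filled = []
    for name, chars in auths:
        new = {}
        for c in cube_chars:
            others = [o[c] for _, o in auths if c in o]
            new[c] = chars[c] if c in chars else (reduce(union, others) if others else val())
        filled.append((name, new))
    relevant = [c for c in cube_chars if not all(a[c] == ALL for _, a in filled)]
    merged = [(n, {c: a[c] for c in relevant}) for n, a in filled]
    changed = True
    while changed:  # a successful merge yields a new auth; then all pairs are compared again
        changed = False
        for i, (n1, a) in enumerate(merged):
            for n2, b in merged[i + 1:]:
                diff = [c for c in relevant if a[c] != b[c]]
                if len(diff) <= 1:
                    m = dict(a)
                    if diff:
                        m[diff[0]] = union(a[diff[0]], b[diff[0]])
                    merged = [x for x in merged if x[1] is not a and x[1] is not b]
                    merged.append((n1 + "+" + n2, m))
                    changed = True
                    break
            if changed:
                break
    return relevant, merged

def check_selection(merged, relevant, selection):
    """Break-point 2 for ONE subselection: authorized iff a single merged auth covers it on
    every relevant characteristic. A characteristic missing from the selection is
    aggregated, so it needs ':' or '*'; otherwise the result is message EYE 007."""
    for name, a in merged:
        if all(covers(a[c], selection.get(c, AGGR)) for c in relevant):
            return True, name
    return False, "EYE 007"

# Constructed sample data modelled on the slides' auth1/auth2 figure (cube name assumed).
CUBE, CUBE_CHARS = "ZSALES", ["0CALYEAR", "0COUNTRY", "0VCA_NC1"]
COMMON = {"0TCAIPROV": val(CUBE), "0TCAACTVT": val("03"), "0TCAVALID": val(("20050101", "20051231"))}
AUTHS = [
    ("auth1", {**COMMON, "0COUNTRY": val(("DE", "FR")), "0VCA_NC1": val(aggr=True)}),  # no 0CALYEAR
    ("auth2", {**COMMON, "0CALYEAR": val(("1999", "2001")), "0COUNTRY": val("FR", "IN"),
               "0VCA_NC1": val(aggr=True)}),
    ("auth3", {**COMMON, "0TCAVALID": val(("20040101", "20041231")),  # expired: dropped at break-point 1
               "0CALYEAR": ALL, "0COUNTRY": ALL, "0VCA_NC1": ALL}),
]

if __name__ == "__main__":
    relevant, merged = fill_buffer(rough_check(AUTHS, CUBE, "03", "20050615"), CUBE_CHARS)
    print(relevant, merged)  # one merged auth: DE..FR and IN for 1999..2001, ':' on 0VCA_NC1
    sel = {"0COUNTRY": [("DE", "DE"), ("IN", "IN")], "0CALYEAR": [("2000", "2000")]}
    print(check_selection(merged, relevant, sel))  # authorized only thanks to the merge
    sel["0VCA_NC1"] = [("VCA_NC1_0", "VCA_NC1_0")]  # value filter, but only ':' authorized
    print(check_selection(merged, relevant, sel))  # -> EYE 007, the slides' aggregation case
```

The DE + IN selection is covered only by the merged auth, which is why the buffer merges before checking; the last call reproduces the ':'-only situation from the protocol example (a value filter on a characteristic that only has aggregation authorized is rejected), and a selection that omits 0COUNTRY entirely fails the same way because neither auth has ':' on it.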
Switch back at customer site: switch in tx RSCUSTV23 (never ever change it in a customer system; they'll kill you). Switching to the old concept is possible but strongly disfavoured (the new concept is the default). New features such as integrated planning need not work completely with the old concept. Always recommend changing to the new concept, and attach note 923176.
OLAP process steps
OLAP Initialization
Check authorizations to execute the query and to read data from the InfoProvider
Exit for global variables before variable input
Variable input -> F4 help restricted by auths
Exit for global variables that failed before input
Distribute variable values into fixed filter, hierarchy settings, dynamic filter, conditions & exceptions, formulas
Initialize OLAP processor
Notify presentation hierarchies (only if used)
Check time stamps for OLAP cache and released request IDs
Free characteristics, dynamic filters, exceptional aggregation, elimination of internal business volume, formula variables with replacement from attribute value used in restricted key figures (RKF)
3. Authorization check for navigation state (only if necessary)
4. Search for cached data in OLAP cache
Data comes in blocks of up to 1000 rows; data is still separated by PartProvider of a MultiProvider and by aggregates of an InfoCube
7. Call BusinessAddIn for virtual characteristics and key figures
8. Check global filter (if not already done by the database)
9. Add attribute values for variables with replacement from attribute used in RKF
10. Separate data according to RKFs and selections in structure elements
11. Currency translation
12. Process sums and calculated key figures (CKFs) before aggregation
Cumulated values