Examples of Role-Based Access Control Scenarios in SAP BW/4HANA
To illustrate how to manage role-based access control in SAP BW/4HANA, we will provide some examples of role-based access control scenarios using the tools and features mentioned above.
Example 1: User Roles
Suppose you want to assign different user roles to different users in SAP BW/4HANA based on their roles and responsibilities in an organization. For example, you want to assign the following user roles:
- The user John is a modeler who connects source systems, models data flows, performs data transfer processes and schedules process chains. He needs the user role SAP_BW4_MODELER.
- The user Mary is a reporting developer who creates queries, executes queries, administrates analysis authorizations and their assignments to roles, and creates currency and unit conversion types and key data derivation types. She needs the user role SAP_BW4_REPORTING_DEVELOPER.
- The user Bob is an administrator who loads data from the source system, monitors processes, analyzes errors in detail, and creates and executes data archiving processes. He needs the user role SAP_BW4_ADMINISTRATOR_PROD.
- The user Alice is an operator who loads data from the source system, schedules process chains, monitors processes and performs basic troubleshooting. She needs the user role SAP_BW4_OPERATOR.
To assign the user roles to the users using the Role Maintenance transaction (PFCG), you can follow these steps:
- Open the Role Maintenance transaction (PFCG) in SAP BW/4HANA.
- Enter the user role name, such as SAP_BW4_MODELER, and click on Display.
- Click on the User tab and enter the user name, such as John, in the User field.
- Click on Save to assign the user role to the user.
- Repeat steps 2 to 4 for the other user roles and users.
Example 2: Analysis Authorizations
Suppose you want to restrict access to sales data based on regions for different users in SAP BW/4HANA. For example, you want to restrict access as follows:
- The user John can access sales data for all regions.
- The user Mary can access sales data for North America and Europe.
- The user Bob can access sales data for Asia Pacific and Latin America.
- The user Alice can access sales data for Middle East and Africa.
To restrict access to sales data based on regions using analysis authorizations, you can follow these steps:
- Open the Analysis Authorization Maintenance transaction (RSECADMIN) in SAP BW/4HANA.
- Click on Change to enter the change mode.
- Click on Create Authorization to create a new analysis authorization.
- Enter an authorization name and description, such as ZAUTH_ALL for John.
- Select the characteristic 0REGION that contains the region information for sales data.
- Select the authorization relevant checkbox to make the characteristic authorization relevant.
- Select the value * that represents all values for the characteristic 0REGION.
- Click on Save to save the analysis authorization.
- Repeat steps 3 to 8 for the other analysis authorizations and values, such as ZAUTH_NA_EU for Mary with values NAMR and EURO, ZAUTH_AP_LA for Bob with values ASPA and LATM, and ZAUTH_ME_AF for Alice with values MEAS and AFRI.
- Click on Assign Users to assign users to analysis authorizations.
- Enter the user name, such as John, and click on Assign Authorization Directly or via Role.
- Enter the analysis authorization name, such as ZAUTH_ALL, and click on Add Authorization or Role Assignment.
- Click on Save to assign the analysis authorization to the user.
- Repeat steps 11 to 13 for the other users and analysis authorizations.
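
As an added sketch (not SAP code and not part of the original post), the Python model below encodes the authorizations and assignments from the steps above and checks a query's 0REGION selection against them. It assumes the check is all-or-nothing: a selection is accepted only when every requested value is covered, and a query with no region restriction counts as a request for all values. The user Eve and the sample selections are constructed for the example.

```python
# Added illustration (not SAP code): simplified model of the Example 2 setup.
# Authorization names and 0REGION values are the ones used in the steps above.
AUTH_VALUES = {
    "ZAUTH_ALL": {"*"},
    "ZAUTH_NA_EU": {"NAMR", "EURO"},
    "ZAUTH_AP_LA": {"ASPA", "LATM"},
    "ZAUTH_ME_AF": {"MEAS", "AFRI"},
}
USER_AUTHS = {
    "John": ["ZAUTH_ALL"],
    "Mary": ["ZAUTH_NA_EU"],
    "Bob": ["ZAUTH_AP_LA"],
    "Alice": ["ZAUTH_ME_AF"],
}


def authorized_regions(user):
    """Union of 0REGION values over every authorization assigned to the user."""
    allowed = set()
    for auth in USER_AUTHS.get(user, []):  # unknown user: nothing assigned
        allowed |= AUTH_VALUES[auth]
    return allowed


def check_selection(user, requested):
    """Return (accepted, uncovered). Assumed all-or-nothing: no partial result.

    A query without a region restriction is passed in as {"*"}.
    """
    allowed = authorized_regions(user)
    if "*" in allowed:
        return True, set()
    uncovered = set(requested) - allowed
    return not uncovered, uncovered


def wildcard_holders():
    """Users holding '*' on 0REGION: the assignments to review first."""
    return sorted(u for u in USER_AUTHS if "*" in authorized_regions(u))


if __name__ == "__main__":
    # Constructed selections: within scope, partly out of scope, unrestricted.
    for user, sel in [("Mary", {"NAMR"}), ("Mary", {"NAMR", "ASPA"}),
                      ("Mary", {"*"}), ("John", {"*"}), ("Eve", {"EURO"})]:
        print(user, sorted(sel), check_selection(user, sel))
```
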
Example 3: Data Access Controls
Suppose you want to mask the customer name in a table ZCUSTOMER that stores customer data in SAP BW/4HANA based on different roles of users in an organization. For example, you want to mask the customer name as follows:
- The user John can see the full customer name as he is a modeler who needs to access the original data for data modeling purposes.
- The user Mary can see the first and last character of the customer name as she is a reporting developer who needs to access some information for data analysis purposes.
- The user Bob can see only the first character of the customer name as he is an administrator who needs to access minimal information for data administration purposes.
- The user Alice can see only asterisks (*) instead of the customer name as she is an operator who does not need to access any information for data operation purposes.
To mask the customer name in the table ZCUSTOMER based on different roles of users using data access controls, you can follow these steps:
- Open the Data Access Control app in SAP BW/4HANA.
- Click on Create to create a new data access control.
- Enter a name and description, such as ZDAC_CUSTOMER for customer name masking.
- Select the table ZCUSTOMER as the source object.
- Select the column NAME as the target field.
- Click on Next to define the masking rules.
- Click on Add Rule to add a new masking rule.
- Enter a rule name and description, such as ZRULE_FULL for full customer name.
- Select the masking type Value and enter the expression NAME as the masking value.
- Click on Next to define the authorization condition.
- Select the authorization object S_RS_AUTH and enter the authorization field ACTVT with the value 98, which represents the UNMASKED object privilege for SAP HANA Data Masking.
- Click on Finish to save the masking rule.
- Repeat steps 7 to 12 for the other masking rules and values, such as ZRULE_FIRST_LAST for first and last character of customer name with masking type Pattern and expression LEFT(NAME,1) || '*****' || RIGHT(NAME,1), ZRULE_FIRST for first character of customer name with masking type Pattern and expression LEFT(NAME,1) || '*****', and ZRULE_NONE for asterisks instead of customer name with masking type Pattern and expression REPEAT('*',LENGTH(NAME)).
- Click on Save and Activate to save and activate the data access control.
- To test the masking effect, open a SQL console and execute a query on the table ZCUSTOMER. For example, you can execute SELECT * FROM ZCUSTOMER; to display all the records in the table.
- You will see that the customer name is masked differently for different users based on their roles and authorizations.
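
The masking expressions above can be checked for what they still give away. The following Python model is an added example, not SAP code and not from the original post; it reproduces the four rules and reports, per user, whether a name ends up fully readable or its length stays visible. The sample names are constructed, and NULL handling is not modelled.

```python
# Added illustration (not SAP code): Python model of the Example 3 masking rules.
# Rule names and expressions are from the text; the sample names are constructed.
FILL = "*****"  # fixed filler used by the two Pattern rules

RULES = {
    "ZRULE_FULL": lambda n: n,                            # NAME
    "ZRULE_FIRST_LAST": lambda n: n[:1] + FILL + n[-1:],  # LEFT || '*****' || RIGHT
    "ZRULE_FIRST": lambda n: n[:1] + FILL,                # LEFT(NAME,1) || '*****'
    "ZRULE_NONE": lambda n: "*" * len(n),                 # REPEAT('*',LENGTH(NAME))
}
# Character positions of the original name that each rule shows in clear text.
CLEAR = {
    "ZRULE_FULL": lambda k: set(range(k)),
    "ZRULE_FIRST_LAST": lambda k: {0, k - 1},
    "ZRULE_FIRST": lambda k: {0},
    "ZRULE_NONE": lambda k: set(),
}
# Rule each user ends up with, as described in Example 3.
USER_RULE = {
    "John": "ZRULE_FULL",
    "Mary": "ZRULE_FIRST_LAST",
    "Bob": "ZRULE_FIRST",
    "Alice": "ZRULE_NONE",
}


def audit(user, name):
    """Mask `name` as `user` would see it and report what the output gives away."""
    rule = USER_RULE[user]
    mask = RULES[rule]
    clear = CLEAR[rule](len(name)) if name else set()
    return {
        "masked": mask(name),
        # every character position of the name is visible in clear text
        "fully_disclosed": bool(name) and len(clear) == len(name),
        # output length follows input length, so the name length is visible
        "length_leaked": len(mask("x" * 3)) != len(mask("x" * 4)),
    }


if __name__ == "__main__":
    for name in ["A", "Li", "Alexander"]:  # constructed names, incl. short ones
        for user in USER_RULE:
            print(f"{name!r:12} {user:6} {audit(user, name)}")
```

One- and two-character names are the edge case: the first/last rule returns every character of "Li", and the first-character rule returns all of "A", so very short values need their own rule or a minimum-length check.
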
Example 4: Remote Authorizations
Suppose you want to leverage existing authorizations from SAP S/4HANA in SAP BW/4HANA for sales data in a table ZSALES. For example, you want to leverage the following authorizations:
- The user John can access sales data for all regions as he has the authorization object S_SALESORG with all values for sales organization in SAP S/4HANA.
- The user Mary can access sales data for North America and Europe as she has the authorization object S_SALESORG with values NAMR and EURO for sales organization in SAP S/4HANA.
- The user Bob can access sales data for Asia Pacific and Latin America as he has the authorization object S_SALESORG with values ASPA and LATM for sales organization in SAP S/4HANA.
- The user Alice can access sales data for Middle East and Africa as she has the authorization object S_SALESORG with values MEAS and AFRI for sales organization in SAP S/4HANA.
To leverage existing authorizations from SAP S/4HANA in SAP BW/4HANA using remote authorizations, you can follow these steps:
- Open the Remote Authorization app in SAP BW/4HANA.
- Click on Create Remote Authorization Project to create a new project.
- Enter a project name and description, such as ZPROJ_SALES for sales data authorization.
- Select the source system and schema that contain the table ZSALES and click on Next.
- Select the table ZSALES and click on Next.
- Select the column SALES_ORG that contains the sales organization information and click on Next.
- Select the authorization technique Remote Authorization and enter an authorization expression that defines how to leverage existing authorizations from SAP S/4HANA. For example, you can enter S_SALESORG-VKORG to map the column SALES_ORG to the authorization object S_SALESORG and the field VKORG in SAP S/4HANA.
- Click on Finish to save and activate the project.
- To test the authorization effect, open a SQL console and execute a query on the table ZSALES. For example, you can execute SELECT * FROM ZSALES; to display all the records in the table.
- You will see that the sales data is restricted based on the existing authorizations from SAP S/4HANA for different users.
Conclusion
In this blog post, we have shown you how to manage role-based access control in SAP BW/4HANA with examples. We have also explained why role-based access control is important and what tools and features are available in SAP BW/4HANA to manage role-based access control. We hope that this blog post has helped you to understand how to manage role-based access control in SAP BW/4HANA and how to use it for data security, compliance and analysis.
Disclaimer: This content is generated by AI.