SAP BW Authorization Migration

BW7.30

RKT Live Expert Session

Toni Tavric, Christoph Kretner

21.3.2011

Guiding Principals

Integrate in Your Development Life Cycle

Plan Authorizations Early on in your Development Life Cycle

Authorizations requirement collection at Blue Print Phase

Identify and Assign Data Ownership

KISS Principal (Keep it Simple and Small)

A balance act among Granularity vs. Maintenance vs. Performance (“Balanced Approach”)

Design for simplicity and Ease of Maintenance without compromising “Mandatory” data

security

Divide user into Groups and manage security at InfoArea or InfoProvider level

Thorough Authorizations Testing

Must be a part of system Integration Test plan

Performance testing is a essential part of test plan!!

Staffing for BW Authorizations

R/3 Authorization expert is not equivalent to BI Authorizations Experience

Segregation of Duties among BI Users and Administrator

Migration Strategy

Migration Strategy

Big Bang approach mandatory (“All or nothing”)

Not possible to go live with different user groups/scenarios in different phases

Need to go for new Authorization Concept as chance to review old solution

Raise developers awareness of implications due to changes on InfoObjects

Define the target concept first and then the migration path

Choose the right approach for your new analysis authorization concept

Depending on the actual system configuration, an InfoObject-based approach, an

InfoProvider-based approach or a mixture of booth would be the best solution

InfoProvider-specific Analysis Authorizations might become necessary to assure running BW

3.x scenarios

Take automation into consideration

Migration – Procedural Method

Analyze existing Reporting Authorizations (3.x) – SAP Service Offering

Analyze future authorization checks

Define concept for Analysis Authorizations including naming conventions

Define migration strategy

First realization of the concept prototype

Migrate authorizations according to the defined concept

Test the newly created authorizations

Go-live

Remove old authorization objects (if necessary)

Example Project schedule

Combined Upgrade & Authorization Migration

© SAP 2009 / Page 5

Plan phase (6 weeks)

Upgrade

Authorizations

DEV system (4 weeks)

Upgrade & Test

Authorization migration

QAS system (5 weeks)

Upgrade & Test

Authorization Test

PRD system (1 weekend)

Upgrade & GoLive

Cutover & Golive

KickOffLegend: Duration Milestone

Start Upgrade

1st month 2nd month 3rd month 4th month 5th monttj <month>

GoLive

Remark

Overall project duration dependends on the system complexity.

Given example is based on a higher complexity.

Migration – Analyze Existing Authorizations

1. Identify relevant InfoObjects

2. Identify relevant InfoProviders

3. Group InfoProviders by data owner (“applications”)

4. Identify on which InfoProviders authorization relevant characteristics are

checked

5. Identify auth. relevant navigational attributes and where they are checked

6. Determine which auths are needed for the different “applications”

Compare auth checks in old and new world

7. Clarify if there is customer specific coding which refers to the reporting

authorization objects in 3.x

8. Clarify how customer specific coding has to be adapted

One old authorization Object in a role can result in n Analysis Authorizations in

that role after migration!

© SAP 2008 /

The whole planning phase is a fixed price offer based on a

questionnaire.

The planning phase also considers alternative ways of

assigning authorizations.

Based on the planning phase the migration is also a fixed

price offer.

Our Service:

BI Authorization migration

Our BI authorization migration was developed based on

many BI migration concepts, which are well-established and

ensure a smooth migration.

The result is always an ideal, custom-tailored concept.

Fixed price migration

SAP Consulting Procedure

The complex analysis procedure is supported by a tool,

which analyzes the data model as well as the authorization

concept.

Based on these results the development of the target

concept is faster and more precise.

Tool supported Analysis

© SAP 2008 /

Three steps to a new analysis authorization

concept

DISCOVER-Package

„The Basics“

DISCOVER-Package

„The Basics“

PLAN-Package

„The Concept“

BUILD-Package

„The Migration“

DISCOVER-Package

„The Basics“

PLAN-Package

„The Concept“

Step 1:

Know-how-Transfer

First rough analysis

Migration strategies

Step 2:

Detailed analysis

(tool-supported)

Target concept

Migration path

Step 3:

Implementation

Test support

BI Authorization Migration

Our Service:BI 7.x Analysis

authorization

Tool-based Analysis

Tool-based Analysis - reworked

Optional: Analysis Authorization Migration with a

Migration Sandbox (SBX) system

© SAP 2009 / Page 11

Advantages

• More time for implementing the new Analysis Authorizations on the SBX

(Sandbox) system with a minimized development freeze on the DEV system

• Possibility to test with productive data prior to the upgrade of the productive

• landscape (if SBX is a copy of PRD)

• Possibility to test the upgrade itself on a Sandbox environment

• Possibility to create Analysis Authorizations for the DEV system for restricted

data access right after the upgrade on DEV

Disadvantages

• Additional hardware required

• Additional effort for a system copy and an upgrade

• Original system for Analysis Authorizations is SBX and has to be adjusted

after transporting to DEV

• Longer period for double maintenance (old Reporting Authorizations and new

Analysis Authorizations)

• Additional effort for parallel role maintenance (DEV and SBX)

© SAP 2008 /

Page 12

© SAP 2007 / Page 12

Contact

Christoph KretnerConsultant

Focus Group BI Technology

SAP Deutschland AG & Co. KG

Mobile +49 160 90822314

christoph.kretner@sap.com

Toni TavricSenior Consultant

SAP Deutschland AG & Co. KG

Mobile +49 1608896174

toni.tavric@sap.com

AppendixAppendix

© SAP 2008 /

Benefits of the Analysis authorizations

1. Analysis authorizations are custom-tailored for authorization requests from a BI system

2. Very flexible in terms of changes concerning the authorization requests or data model

3. Direct assignments of authorizations on navigational attributes

4. New functionalities like integrated planning require analysis authorizations

5. Improved usability due to a new user interface

6. Improved analysis possibilities and easy authorization trace

7. Integration of hierarchy authorizations

8. Direct and indirect user assignment

Important Preparation Steps

1. Activate all business content related to authorizations before you get started

InfoObjects: 0TCA* (and 0TCT* if not done already)

InfoCubes: 0TCA*

2. Set the following InfoObjects as "authorization relevant"

0TCAACTVT

0TCAIPROV

0TCAVALID

0TCAKYFNM (optional, if key figure restriction needed)

3. Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV

(optional)

Testing Analysis Authorizations –

Recommendations (1/2)

Define positive and negative tests within and across applications!

Prioritize applications that have to be tested

High priority

– Choose most important Queries on each InfoProvider

– Do tests with different types of end-users (if existing) and typical selections

Low priority

– Spot tests: choose most important Queries

If possible: Compare Query results of Reporting Authorizations to those of Analysis

Authorizations

You can then be sure that the system behaves in the same way

Choose the same selections

Don’t do any data loading

Testing Analysis Authorizations –

Recommendations (2/2)

Testing in two steps:

Technical testing of new authorizations by administrators

Testing regarding content by business users

Don’t forget to test drill-down

Important: As you as customer know your applications best,

you are in charge to define and approve tests

Copyright

© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information

contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries,

xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+,

POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect,

RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks

of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States

and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their

respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business

Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the

United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational

purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational

purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only

warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if

any. Nothing herein should be construed as constituting an additional warranty.