How-to Guide SAP CPM How To… Setup Security Concept in SAP BPC Version 1.00 – March 2008 Applicable Releases: SAP BPC 5.1 © Copyright 2007 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or ® registered trademarks of W3C , World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages. SAP CPM “How-to” Guides are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using SAP. Should you wish to receive additional information, clarification or support, please refer to SAP Consulting. Any software coding and/or code lines / strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent. 1 (Business) Scenario 2 Introduction SAP Business Planning and Consolidation provides an easy-to-use interface for managing security. You can maintain security using SAP BPC Administration interface and it provides two major levels of protection: authentication (through Microsoft Windows) and authorization (through Microsoft SQL server and Analysis services). Authentication is the component of the security model that describes who can access the system, and is controlled by prompting users to enter credentials when accessing sensitive areas. Authorization is the component that describes which data sets authenticated users may access, and is determined by a user’s assigned task and member access profiles. Setting up Users: When setting up new users, you need to think about several topics: • • • • Is the user a domain user or a local user on the SAP BPC server? Do you want to set up teams so you can more easily assign privileges to users? Which users are administrators and which are not? To which entity members will users have access? This guide attempts to go through these security concepts and shows the process of giving user authorization in SAP Business Planning and Consolidation application. Adding Users: There are two ways to add users to the system, and the method you use depends on your network infrastructure. If your security is controlled on a domain and maintained centrally through Active directory Services, you must add users to the system with the associated domain name. If your security system maintained through Local server, you can add users with only a User ID. If you are choosing domain type user security, see that this user domain group is connected to machine domain. For issues on these settings, please contact your system administrator. The Step By Step Solution This how to guide provides guidance on the security concept of SAP Business Planning and Consolidation mainly focusing on 5.1 release but the user authorization process is same for older version of SAP BPC too. Security steps: Security in SAP BPC is based on task profiles and member access profiles. By default, even the Installation user account has no access to all tasks and all secured dimensions. This means that if you do specifically assign task profiles to users or teams, no one will have access to any SAP BPC tasks. Similarly if you do not define access to members of a secured dimension to users or teams, no one will have access to that dimension. In general if you already defined the task profile and member access profile, defining security involves following steps: • • • • Adding users Assign users to teams Assign task profiles to users or teams Assign member access to users or teams In this case we start with defining System user group, creating new task profile, member access profile and a team. Then we assign the user of this System user domain to the newly created team. 2.1 Create System user group using SAP BPC Server Manager 1. Log into the BPC server with your install user account. Go to Start>Programs->SAP->Server Manager. 2. Choose Options-> Define System User Groups. 3. Enter your system group details (in this case we use SAP_ALL domain), choose “Active Directory” and click update button. Note: Make sure that this User group domain is connected to your Machine domain, otherwise you cannot maintain this System user group and it will not be available in BPC Administration interface. For issues please contact your local system administrator. Hint: For users maintained in Local server create another system group by choosing Domain type “Local Windows” and the users will be available for selection in BPC Administration interface. 2.2 User authorization in BPC Administration console This section reviews the process of user authorization in BPC Administration interface. Tip: Typically, use the following as a basis for the order in which you define security. Create Task and Member Access Profiles Create Teams and assign the Profiles to the Teams Create Users and assign the Users to Teams 4. Launch BPC logon page. 5. Click BPC Administration icon. 6. From the Action Pane, select Manage Security option. 7. Choose your AppSet and click OK. Note: By default, after installation of SAP BPC you will see only Apshell application set. You can also perform these steps on this application set too. 8. Task Profile: From the tree view expand Security folder and click Task Profile folder. By default you should have Primary Admin and System Admin profiles. Note: Depending on your business needs you can create new task profiles or just modify existing profiles. In this case we create new General user task profile without any admin rights. 9. From the action pane, select “Add new task profile”. 10. In this task profile wizard, enter the details and click on the Next button to continue. 11. In this Profile Tasks section, select eAnalyze and Submit Data tasks from Analysis Collection interface. 12. In the same Profile Tasks section, choose Business Process Flow interface and select BPF Execution task. 13. Using same procedure, enable the tasks as mentioned here by choosing appropriate interfaces. Click on the Next button to continue. 14. Do not assign any teams or users at this moment and click on the Next button to continue. 15. A summary screen is displayed. Click on the Apply button to process the newly created task profile. When prompted “This task has successfully completed”, select OK. 16. Member Access Profile: From the tree view click Member Access Profile folder. By default you should have “AdminMbrAccPrf” profile. Note: Depending on your business needs you can create new member access profile or just modify existing profile. In this case we create new “Finance Budget” member access profile which has access to Finance application only. 17. From the action pane, select “Add new Member access profile”. 18. In this member access profile wizard, enter the details and click on the Next button to continue. 19. In this BPC Access section, choose Finance Application tab and define the settings as mentioned here. Click on the Next button to continue Note: In order to get [ALL] in the Member field, click and check mark “All members in dimension” option in the pop-up 20. Do not assign any teams or users at this moment and click on the Next button to Continue. 21. A summary screen is displayed. Click on the Apply button to process the newly created member access profile. When prompted “This task has successfully completed”, select OK. 22. Team: From the tree view click Teams folder and by default you should have “Admin Team” which has access to “Primary admin” task profile and “AdminMbrAccPrf” member access profile. Note: Depending on your business needs you can create new Team or just modify existing Team. In this case we create new Team called “General Team” which has access to the newly created “General User” task profile and “Finance Budget” member access profile. 23. From the action pane, select “Add new Team”. 24. In this Team setup wizard, enter the details and click on the Next button to continue 25. Do not include any users at this time and click on the Next button to continue. 26. In the BPC Access section, define the settings as mentioned here and Click on the Next button to continue. 27. A summary screen is displayed. Click on the Apply button to process the newly created Team. When prompted “This task has successfully completed”, select OK. 28. User: From the tree view click Users folder and by default you should have your Installation user account. Note: Depending on your business needs you can assign user from a local system group or from any user domain group connected to machine domain. In this case we assign a user from “SAP_ALL” system group which we created in the first step. 29. From the action pane, select add new user. 30. In this User Setup wizard, Select SAP_ALL from Available domains drop-down list and click on the Custom Filter button. 31. In this Custom Filter window, select Enter user ID(s) radio button and enter <domain name>\<user id> and click on the OK button. Note: See that you don’t leave space or line break after entering the user id. Otherwise you get “invalid user” error message. 32. Back in this User setup wizard, check mark the user id and move it to the “Selected for BPC access” section. Click on the Next button to continue 33. Check the User details and click on the Next button to continue. 34. In this Assignments step, see that you are in “A. Assign to teams” section and choose “General Team” from Team drop-down list and move the user id to “Selected users” section. Note: Normally you can stop the user assignment process here as you already assigned Task profile and Member access profile to this Team. 35. Optional Step: Click “B. Assign to Task profiles” and select “General User” from Task profile drop-down list. Move the user id to “Selected users” section. Note: Only if you want to further restrict the user you follow this step, but in this case it is not required. 36. Optional Step: Click “C. Assign to Member Access profiles” and select “Finance Budget” from Member access profile drop-down list. Move the user id to “Selected users” section and click on the Next button to continue. Note: Only if you want to further restrict the user you follow this step, but in this case it is not required. 37. A summary screen is displayed. Click on the Apply button to process the newly created User. When prompted “This task has successfully completed” select OK. www.sdn.sap.com/irj/sdn/bpx-cpm
© Copyright 2024