How To… Setup Security Concept in SAP BPC

How-to Guide
SAP CPM
How To…
Setup Security
Concept in SAP
BPC
Version 1.00 – March 2008
Applicable Releases:
SAP BPC 5.1
© Copyright 2007 SAP AG. All rights reserved.
No part of this publication may be reproduced or
transmitted in any form or for any purpose without the
express permission of SAP AG. The information
contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its
distributors contain proprietary software components of
other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are
registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel
Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400,
iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent
Miner, WebSphere, Netfinity, Tivoli, and Informix are
trademarks or registered trademarks of IBM Corporation
in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered
trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame,
WinFrame, VideoFrame, and MultiWin are trademarks
or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or
®
registered trademarks of W3C , World Wide Web
Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems,
Inc., used under license for technology invented and
implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, and other
SAP products and services mentioned herein as well as
their respective logos are trademarks or registered
trademarks of SAP AG in Germany and in several other
countries all over the world. All other product and
service names mentioned are the trademarks of their
respective companies. Data
contained in this document serves informational
purposes only. National product specifications may vary.
These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes
only, without representation or warranty of any
kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only
warranties for SAP Group products and services are those
that are set forth in the express warranty statements
accompanying such products and services, if any.
Nothing herein should be construed as constituting an
additional warranty.
These materials are provided “as is” without a warranty
of any kind, either express or implied, including but not
limited to, the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including
without limitation direct, special, indirect, or
consequential damages that may result from the use of
these materials.
SAP does not warrant the accuracy or completeness of
the information, text, graphics, links or other items
contained within these materials. SAP has no control
over the information that you may access through the
use of hot links contained in these materials and does not
endorse your use of third party web pages nor provide
any warranty whatsoever relating to third party web
pages.
SAP CPM “How-to” Guides are intended to simplify the
product implementation. While specific product features
and procedures typically are explained in a practical
business context, it is not implied that those features and
procedures are the only approach in solving a specific
business problem using SAP. Should you wish to receive
additional information, clarification or support, please
refer to SAP Consulting.
Any software coding and/or code lines / strings (“Code”)
included in this documentation are only examples and
are not intended to be used in a productive system
environment. The Code is only intended better explain
and visualize the syntax and phrasing rules of certain
coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall
not be liable for errors or damages caused by the usage of
the Code, except if such damages were caused by SAP
intentionally or grossly negligent.
1 (Business) Scenario
2 Introduction
SAP Business Planning and Consolidation provides an easy-to-use interface for
managing security. You can maintain security using SAP BPC Administration interface
and it provides two major levels of protection: authentication (through Microsoft
Windows) and authorization (through Microsoft SQL server and Analysis services).
Authentication is the component of the security model that describes who can access the
system, and is controlled by prompting users to enter credentials when accessing
sensitive areas.
Authorization is the component that describes which data sets authenticated users may
access, and is determined by a user’s assigned task and member access profiles.
Setting up Users:
When setting up new users, you need to think about several topics:
•
•
•
•
Is the user a domain user or a local user on the SAP BPC server?
Do you want to set up teams so you can more easily assign privileges to users?
Which users are administrators and which are not?
To which entity members will users have access?
This guide attempts to go through these security concepts and shows the process of
giving user authorization in SAP Business Planning and Consolidation application.
Adding Users:
There are two ways to add users to the system, and the method you use depends on
your network infrastructure. If your security is controlled on a domain and maintained
centrally through Active directory Services, you must add users to the system with the
associated domain name. If your security system maintained through Local server, you
can add users with only a User ID.
If you are choosing domain type user security, see that this user domain group is
connected to machine domain. For issues on these settings, please contact your system
administrator.
The Step By Step Solution
This how to guide provides guidance on the security concept of SAP Business Planning
and Consolidation mainly focusing on 5.1 release but the user authorization process is
same for older version of SAP BPC too.
Security steps:
Security in SAP BPC is based on task profiles and member access profiles. By default,
even the Installation user account has no access to all tasks and all secured dimensions.
This means that if you do specifically assign task profiles to users or teams, no one will
have access to any SAP BPC tasks. Similarly if you do not define access to members of
a secured dimension to users or teams, no one will have access to that dimension.
In general if you already defined the task profile and member access profile, defining
security involves following steps:
•
•
•
•
Adding users
Assign users to teams
Assign task profiles to users or teams
Assign member access to users or teams
In this case we start with defining System user group, creating new task profile, member
access profile and a team. Then we assign the user of this System user domain to the
newly created team.
2.1
Create System user group using SAP BPC Server Manager
1. Log into the BPC server with your
install user account. Go to Start>Programs->SAP->Server Manager.
2. Choose Options-> Define System
User Groups.
3. Enter your system group details (in
this case we use SAP_ALL domain),
choose “Active Directory” and click
update button.
Note: Make sure that this User
group domain is connected to your
Machine domain, otherwise you
cannot maintain this System user
group and it will not be available in
BPC Administration interface. For
issues please contact your local
system administrator.
Hint: For users maintained in Local
server create another system group
by choosing Domain type “Local
Windows” and the users will be
available for selection in BPC
Administration interface.
2.2 User authorization in BPC Administration console
This section reviews the process of user authorization in BPC Administration
interface.
Tip: Typically, use the following as a basis for the order in which you define
security.
Create Task and Member Access Profiles
Create Teams and assign the Profiles to the Teams
Create Users and assign the Users to Teams
4. Launch BPC logon page.
5. Click BPC Administration icon.
6. From the Action Pane, select
Manage Security option.
7. Choose your AppSet and click OK.
Note: By default, after installation of
SAP BPC you will see only Apshell
application set. You can also
perform these steps on this
application set too.
8. Task Profile: From the tree view
expand Security folder and click
Task Profile folder. By default you
should have Primary Admin and
System Admin profiles.
Note: Depending on your business
needs you can create new task
profiles or just modify existing
profiles. In this case we create new
General user task profile without any
admin rights.
9. From the action pane, select “Add
new task profile”.
10. In this task profile wizard, enter the
details and click on the Next button
to continue.
11. In this Profile Tasks section, select
eAnalyze and Submit Data tasks
from Analysis Collection interface.
12. In the same Profile Tasks section,
choose Business Process Flow
interface and select BPF Execution
task.
13. Using same procedure, enable the
tasks as mentioned here by
choosing appropriate interfaces.
Click on the Next button to continue.
14. Do not assign any teams or users at
this moment and click on the Next
button to continue.
15. A summary screen is displayed.
Click on the Apply button to process
the newly created task profile. When
prompted “This task has
successfully completed”, select OK.
16. Member Access Profile: From the
tree view click Member Access
Profile folder. By default you should
have “AdminMbrAccPrf” profile.
Note: Depending on your business
needs you can create new member
access profile or just modify existing
profile. In this case we create new
“Finance Budget” member access
profile which has access to Finance
application only.
17. From the action pane, select “Add
new Member access profile”.
18. In this member access profile
wizard, enter the details and click on
the Next button to continue.
19. In this BPC Access section, choose
Finance Application tab and define
the settings as mentioned here.
Click on the Next button to continue
Note: In order to get [ALL] in the
Member field, click
and check
mark “All members in dimension”
option in the pop-up
20. Do not assign any teams or users at
this moment and click on the Next
button to Continue.
21. A summary screen is displayed.
Click on the Apply button to process
the newly created member access
profile. When prompted “This task
has successfully completed”, select
OK.
22. Team: From the tree view click
Teams folder and by default you
should have “Admin Team” which
has access to “Primary admin” task
profile and “AdminMbrAccPrf”
member access profile.
Note: Depending on your business
needs you can create new Team or
just modify existing Team. In this
case we create new Team called
“General Team” which has access to
the newly created “General User”
task profile and “Finance Budget”
member access profile.
23. From the action pane, select “Add
new Team”.
24. In this Team setup wizard, enter the
details and click on the Next button
to continue
25. Do not include any users at this time
and click on the Next button to
continue.
26. In the BPC Access section, define
the settings as mentioned here and
Click on the Next button to continue.
27. A summary screen is displayed.
Click on the Apply button to process
the newly created Team. When
prompted “This task has
successfully completed”, select OK.
28. User: From the tree view click Users
folder and by default you should
have your Installation user account.
Note: Depending on your business
needs you can assign user from a
local system group or from any user
domain group connected to machine
domain. In this case we assign a
user from “SAP_ALL” system group
which we created in the first step.
29. From the action pane, select add
new user.
30. In this User Setup wizard, Select
SAP_ALL from Available domains
drop-down list and click on the
Custom Filter button.
31. In this Custom Filter window, select
Enter user ID(s) radio button and
enter <domain name>\<user id> and
click on the OK button.
Note: See that you don’t leave
space or line break after entering the
user id. Otherwise you get “invalid
user” error message.
32. Back in this User setup wizard,
check mark the user id and move it
to the “Selected for BPC access”
section. Click on the Next button to
continue
33. Check the User details and click on
the Next button to continue.
34. In this Assignments step, see that
you are in “A. Assign to teams”
section and choose “General Team”
from Team drop-down list and move
the user id to “Selected users”
section.
Note: Normally you can stop the
user assignment process here as
you already assigned Task profile
and Member access profile to this
Team.
35. Optional Step: Click “B. Assign to
Task profiles” and select “General
User” from Task profile drop-down
list. Move the user id to “Selected
users” section.
Note: Only if you want to further
restrict the user you follow this step,
but in this case it is not required.
36. Optional Step: Click “C. Assign to
Member Access profiles” and select
“Finance Budget” from Member
access profile drop-down list. Move
the user id to “Selected users”
section and click on the Next button
to continue.
Note: Only if you want to further
restrict the user you follow this step,
but in this case it is not required.
37. A summary screen is displayed.
Click on the Apply button to process
the newly created User. When
prompted “This task has
successfully completed” select OK.
www.sdn.sap.com/irj/sdn/bpx-cpm