How to Build and Integrate Security Strategy for SAP NetWeaver Business Warehouse and SAP BusinessObjects Tools
Jesper Moselund Christensen, COMERIT
© 2010 Wellesley Information Services. All rights reserved.

In This Session ...
• Get an overview of the integration options from SAP BusinessObjects to SAP NetWeaver® Business Warehouse (SAP NetWeaver BW)
• Understand the security implications when integrating SAP NetWeaver BW and SAP BusinessObjects tools
• Get best practices for integrating SAP BusinessObjects and SAP NetWeaver BW security concepts

What We’ll Cover …
• Integration options for SAP BusinessObjects to SAP NetWeaver BW
• SAP NetWeaver BW and SAP BusinessObjects security overview
• Integrating SAP BusinessObjects and SAP NetWeaver BW security
• Wrap-up

SAP BusinessObjects and SAP NetWeaver BW Integration
(Figure: integration overview, including SAP BusinessObjects Explorer. Source: SAP)

Improvements in SAP NetWeaver BW Enhancement Pack 1
(Figure. Source: SAP)

The Four Integration Points from SAP BusinessObjects to SAP NetWeaver BW
• OLAP BAPI
  - This is the most used option. It makes use of the MDX language.
  - It is used for SAP BusinessObjects Voyager, OLAP universes (which can be used with SAP BusinessObjects Web Intelligence), and Crystal Reports
  - Almost all the functionality available in the OLAP engine is available via this interface option
• BI Consumer Services (BICS)
  - This option was originally developed for SAP BEx. It is now also used by the integration of Xcelsius into SAP NetWeaver BW.
  - All functionality of the SAP NetWeaver BW OLAP engine is available

The Four Integration Points from SAP BusinessObjects to SAP NetWeaver BW (cont.)
• SQL
  - This option makes use of the SAP BusinessObjects Data Federator
  - The SAP BusinessObjects Data Federator reads the data from the SAP NetWeaver BW data layer directly, so options in the OLAP engine are not available
• Direct access to SAP NetWeaver BW Accelerator
  - SAP BusinessObjects Explorer uses this option to ensure fast response time
  - This option has been enhanced to support limited SAP NetWeaver BW security

Two Options for Universe Integration
• Choose the right option for your universe integration
  - SQL should only be used for mass data
(Figure. Source: SAP)

Security in a Reporting System
• There are four main areas that should be managed with regard to security:
  - Authentication and Single Sign-On (SSO)
  - Roles in SAP and user groups in SAP BusinessObjects
  - Report authorization
  - Data authorization
• All of these are available in both SAP NetWeaver BW and in SAP BusinessObjects
  - It is therefore easy to get into a situation where security is maintained in both systems, or some in one system and some in the other
  - Having a clearly defined security setup avoids this pitfall

SAP BusinessObjects Managed vs. Un-Managed
• The SAP BusinessObjects portfolio supports both an unmanaged and a managed reporting environment
  - The main difference is that a managed reporting environment makes use of SAP BusinessObjects Enterprise for report distribution
  - It can make use of several authentication options that are available in SAP BusinessObjects Enterprise
  - The unmanaged option is mainly based on standalone desktop installations of Crystal Reports, Xcelsius, Web and Desk Intelligence
  - The unmanaged reporting environment normally requires the user to log on with user ID and password to access data sources such as SAP NetWeaver BW
  - The exception is Crystal Reports, which can make use of SNC when accessing SAP systems

SAP BusinessObjects Enterprise Authentication Options
• SAP BusinessObjects has several options for authentication:
  - SAP BusinessObjects Enterprise Authentication
  - LDAP
  - Windows Active Directory (AD)
  - Windows NT
  - SAP
• Which options are used can be defined in the Central Management Console under Authentication

SAP BusinessObjects Enterprise Authentication Options (cont.)

Authentication type | Description | Comment
Enterprise | The default for SAP BusinessObjects Enterprise | Use the system default Enterprise Authentication if you prefer to create distinct accounts and groups for use with SAP BusinessObjects Enterprise, or if you have not already set up a hierarchy of users and groups in a Windows NT user database, an LDAP directory server, or a Windows AD server.
Windows NT | Reuse of NT accounts and groups | If you are working in a Windows NT environment, you can use existing NT user accounts and groups in SAP BusinessObjects Enterprise. When you map NT accounts to SAP BusinessObjects Enterprise, users are able to log on to SAP BusinessObjects Enterprise applications with their NT user name and password. This can reduce the need to recreate individual user and group accounts within SAP BusinessObjects Enterprise.
LDAP | Use LDAP directory of users and groups | If you set up an LDAP directory server, you can use existing LDAP user accounts and groups in SAP BusinessObjects Enterprise. When you map LDAP accounts to SAP BusinessObjects Enterprise, users are able to access SAP BusinessObjects Enterprise applications with their LDAP user name and password. This eliminates the need to recreate individual user and group accounts within SAP BusinessObjects Enterprise.
Windows AD | Reuse of NT accounts and groups | If you are working in a Windows 2000 or newer environment, you can use existing AD user accounts and groups in SAP BusinessObjects Enterprise. When you map AD accounts to SAP BusinessObjects Enterprise, users are able to log on to SAP BusinessObjects Enterprise applications with their AD user name and password. This eliminates the need to recreate individual user and group accounts within SAP BusinessObjects Enterprise.
SAP | Reuse of SAP accounts and roles (groups) | If you are working in an SAP environment, you can use existing SAP user accounts and roles in SAP BusinessObjects Enterprise. When you map SAP accounts to SAP BusinessObjects Enterprise, users are able to log on to SAP BusinessObjects Enterprise applications with their SAP user name and password. This eliminates the need to recreate individual user and group accounts within SAP BusinessObjects Enterprise. Note: This option requires that the SAP Integration toolkit is installed.

SAP NetWeaver BW Authentication Options
• SAP also supports several authentication options. Some of these are:
  - Manual entry SAP logon
  - Windows Active Directory with Kerberos single sign-on
  - LDAP single sign-on
  - SAP logon ticket
• The SAP logon ticket is recommended for authentication between SAP systems and should also be used for SAP BusinessObjects Enterprise when connecting to SAP via SAP NetWeaver Portal

SNC and Server-Side Authentication
• Server-side trust or SNC enables one system to connect to another system without passing the password of the user that is connecting
  - This is required in a use case where reports should be scheduled to run rather than run online by users
• SNC or server-side trust requires that the servers are configured to allow for logon with just the user ID
  - SAP provides cryptographic libraries to ensure that the configuration is secure
• Ingo Hilgefort has posted a great blog on how to set up SNC between SAP BusinessObjects and SAP at http://ingohilgefort.blogspot.com/2009/07/businessobjectsand-snc-for-client.html

View and View On Demand Access Levels in SAP BusinessObjects
• View On Demand access level
  - On-demand reporting gives users real-time access to live data, straight from the database server
  - Consider whether or not you want all of your users hitting the database server on a continual basis
  - Users require View On Demand access to refresh reports against the database

View and View On Demand Access Levels in SAP BusinessObjects (cont.)
• View access level
  - To reduce the amount of network traffic and the number of hits on your database servers, you can schedule reports to be run at specified times. When the report has been run, users can view that report instance as needed, without triggering additional hits on the database.
  - Minimizes data transfer over the network and the database server's workload
  - Users require only View access to display report instances
• View On Demand ensures authentication of the user against SAP NetWeaver BW and ensures that the authorizations are taken from SAP NetWeaver.
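The difference between the two access levels, as an added example that is not part of the deck: a constructed Python model of a BW InfoProvider secured through a reference InfoObject exposed as a navigational attribute (SECCOMPCD, the design standard the deck recommends for BEx queries) and an authorization variable, comparing a scheduled instance read with View against a per-user refresh with View On Demand. All rows, user names, analysis authorizations and the optional BOE profile stand-in are constructed assumptions, not SAP code.

```python
"""Constructed model (not SAP code): BW analysis authorizations behind the two
BusinessObjects access levels, View and View On Demand."""

# Constructed InfoProvider rows. 0COMP_CODE carries the reference InfoObject
# SECCOMPCD as a navigational attribute, so security can be attached to
# SECCOMPCD only in the providers that need it.
CUBE_ROWS = [
    {"0COMP_CODE": "1000", "0COMP_CODE__SECCOMPCD": "1000", "0AMOUNT": 120.0},
    {"0COMP_CODE": "2000", "0COMP_CODE__SECCOMPCD": "2000", "0AMOUNT": 80.0},
    {"0COMP_CODE": "3000", "0COMP_CODE__SECCOMPCD": "3000", "0AMOUNT": 55.0},
]

# Constructed analysis authorizations: user -> allowed SECCOMPCD values
# ("*" = all). A user with nothing maintained is not authorized.
ANALYSIS_AUTH = {"ALICE": {"1000", "2000"}, "BOB": {"3000"}, "BATCH": {"*"}}


def authorization_variable(user):
    """A BEx authorization variable that is *not* ready for input: it is filled
    from the user's analysis authorization and is never prompted for."""
    return ANALYSIS_AUTH.get(user, set())


def run_bex_query(user):
    """Execute the BEx query as `user`; the OLAP engine applies the
    authorization variable as a filter on the security navigational attribute."""
    allowed = authorization_variable(user)
    if "*" in allowed:
        return list(CUBE_ROWS)
    return [r for r in CUBE_ROWS if r["0COMP_CODE__SECCOMPCD"] in allowed]


def schedule_instance(scheduling_user):
    """'View' path: a scheduled run (e.g. via SNC server-side trust) executes
    once as the scheduling user and stores the result as a report instance."""
    return {"run_as": scheduling_user, "rows": run_bex_query(scheduling_user)}


def view_instance(instance, viewer, boe_profiles=None):
    """'View': the viewer reads the stored instance. BW never sees `viewer`, so
    row security exists only if it is re-built as a BOE profile (dual
    maintenance). `boe_profiles` is a constructed stand-in for such profiles."""
    rows = instance["rows"]
    if boe_profiles is None:
        return rows                      # no data security at all for this viewer
    allowed = boe_profiles.get(viewer, set())
    return [r for r in rows if r["0COMP_CODE"] in allowed]


def view_on_demand(viewer):
    """'View On Demand': a refresh runs the query as the viewer, so the viewer's
    own BW analysis authorizations apply without any BOE-side duplication."""
    return run_bex_query(viewer)


def comp_codes(rows):
    """Company codes present in a result, for easy comparison."""
    return sorted(r["0COMP_CODE"] for r in rows)


if __name__ == "__main__":
    inst = schedule_instance("BATCH")
    print("View, BOB:", comp_codes(view_instance(inst, "BOB")))
    print("View On Demand, BOB:", comp_codes(view_on_demand("BOB")))
```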
• View would use the data stored in the instance on SAP BusinessObjects Enterprise and would require data-level security to be maintained in SAP BusinessObjects.

SAP NetWeaver BW Roles and SAP BusinessObjects User Groups
• SAP BusinessObjects user groups
  - Users are assigned to user groups
  - Rights can be assigned to user groups
• SAP NetWeaver BW roles
  - Users are assigned to roles
  - Authorizations are assigned to roles
SAP BusinessObjects Enterprise User Groups = SAP Roles
• SAP roles can be imported into SAP BusinessObjects Enterprise and turned into user groups
  - This allows for single maintenance of users in SAP NetWeaver BW and their assignments to groups in SAP BusinessObjects Enterprise

Report Authorization
• SAP BusinessObjects controls report security through the folders or via specific rights at the object level within the folders
  - The folders can be arranged as a hierarchy and access can be inherited
  - A user can have different access for different types of reports within one folder
• SAP NetWeaver BW controls report access via ABAP security and, to some extent, roles in SAP NetWeaver Portal
  - ABAP security that controls report access:
    - S_RS_COMP and S_RS_COMP1: Reporting components
    - S_RS_BTMP: Web Templates
    - S_RS_ERPT: Reports

Controlling Data Access
• SAP BusinessObjects
  - There are several options to build data-level security in SAP BusinessObjects:
    - Use the source DBMS access controls
    - Use the source OLAP controls
    - Build profiles in SAP BusinessObjects Enterprise
    - Build access into Crystal Reports or Universes
• SAP NetWeaver BW
  - Uses analysis authorizations to control data access by row and column
  - Analysis authorizations can be assigned:
    - Directly to users
    - To users via roles

Security Comparison

SAP NetWeaver BW | SAP BusinessObjects Enterprise | Comment
Authorization Objects | Rights | Individual actions and activities that can be performed for an object
Profiles | Access Levels | A collection of activities and actions
Analysis Authorizations | Profiles | Controls access to specific data slices, e.g., Country = USA
Worksets | Folders | A collection of objects, reports, and documents
Roles | Groups | A collection of users who share the same account privileges. Both SAP and SAP BusinessObjects support a hierarchy of roles or groups.

Things to Remember …
• SAP BusinessObjects Enterprise
  - Allows for very granular security maintained at each object (folder, report, etc.)
  - This can be useful in some instances, but if used extensively could cause a very complex and hard-to-maintain security setup
  - Denied rights overwrite granted rights
  - Denied or not maintained = not authorized
• SAP NetWeaver BW
  - Allows for very granular security, but object security is maintained within the roles and not at each object
  - It is not possible to deny access. Only granted accesses are maintained.
  - Not maintained = not authorized

Integrating Authentication Can Be Complex
• Authentication complexities between SAP BusinessObjects and SAP systems
(Figure, labels only: SAP Systems; SAP BusinessObjects Enterprise; Server Authentication; Users; User Authentication; Single Sign On (LDAP); Multiple SAP systems; Ticket; User Authentication; Single Sign On (AD); Encryption and SNC; SAP NetWeaver Portal)

The Authentication Flow
• Client connection to SAP BusinessObjects Enterprise options
  - User name/password
  - SAP token (MYSAPSSO2 ticket/cookie)
  - Trusted authentication
• CMS managed sessions
  - Logon request is validated by the SAP system
  - User validation against the default logical system as a fallback
  - User aliases are maintained in the CMS repository
• Data retrieval from SAP NetWeaver BW
  - User name/password
  - Impersonation using SNC server-side trust
  - SAP token (MYSAPSSO2 ticket/cookie)

Authentication Integration Options
(Figure. Source: SAP)

Integrating Authentication — Best Practice
• Use SAP Authentication in SAP BusinessObjects Enterprise together with SAP NetWeaver Portal. This allows for:
  - Single Sign On using LDAP or AD to the SAP NetWeaver Portal. The Portal issues an SAP Logon Ticket.
  - The SAP Logon Ticket is used for authentication to SAP BusinessObjects Enterprise and all underlying SAP systems
• Import roles and users from SAP NetWeaver BW into SAP BusinessObjects Enterprise (one-time maintenance)
  - Imported SAP users are qualified with the logical system name
  - The logical system name is derived from the SAP System ID and client number: <SYSID>CLNT<CLIENT>
  - Imported roles from SAP become user groups in SAP BusinessObjects Enterprise
• Also, set up server-side trust to allow for scheduling of reports
  - The logon ticket expires and can’t be used for scheduling

The 10-Step Implementation Guide
• SAP BusinessObjects Enterprise server setup
  1. Install SAP Front End (SAP GUI)
  2. Install SAP Java Connector
  3. Install SAP BusinessObjects XI Integration Solution for SAP
  4. Set up the SAP system as authentication in SAP BusinessObjects Enterprise
  5. Import SAP roles and users from SAP ABAP systems into SAP BusinessObjects Enterprise
     - Define and assign access levels to imported roles
     - Define alias users from multiple logical SAP systems (optional)
  6. Configure SNC server-side authentication (optional)
  7. Configure the Web application server hosting SAP BusinessObjects Enterprise for SSO and SNC

The 10-Step Implementation Guide (cont.)
• SAP NetWeaver server setup
  8. Install the SAP authentication helper transport from the SAP BusinessObjects XI Integration Kit for SAP (optional)
  9. Ensure that users are assigned to SAP roles
  10. Configure SAP NetWeaver Portal and SAP ABAP trust for token or SNC validation

Thin and Thick Clients Require Additional Steps
• Thick client (Crystal Reports and Universe Designer, etc.)
  - Install SAP Front End (SAP GUI)
  - Install SAP BusinessObjects XI Integration Solution for SAP
  - Enable client-side SNC for Crystal Reports (optional)
• Thin client
  - Configure the SAP BusinessObjects Enterprise Web Application Server for SNC (optional)

SAP System Setup for Authentication in SAP BusinessObjects Enterprise
• The SAP system is defined in the Central Management Console in SAP BusinessObjects Enterprise under Authentication
  - Both Message server and Application server scenarios are supported
  - The password used should be UPPER CASE in both systems. Passwords are case sensitive in SAP NetWeaver 7.0.

Importing SAP Roles into SAP BusinessObjects Enterprise
• The role import is done from the Central Management Console in SAP BusinessObjects Enterprise under Authentication, SAP System
  - Go to the SAP system and choose Role Import
  - Select the roles that you want to transfer to SAP BusinessObjects Enterprise

Importing SAP Users into SAP BusinessObjects Enterprise
• Additional options
  - Set the option to automatically import the users
  - You can define a default system to be used for authentication of SAP users

Two Options for Integrating Report Security
• Reuse the SAP NetWeaver BW security 100% by granting access to all reports in SAP BusinessObjects Enterprise and using the View On Demand access level to ensure that users are executing the SAP NetWeaver BW queries and thereby getting the S_RS_COMP authorization invoked
  - Pros: No dual maintenance, fast to implement
  - Cons: Less intuitive for the users, as they will see reports that they are not authorized to execute
• Create a few user-friendly groups in SAP BusinessObjects Enterprise containing access only to the reports that the users are authorized to execute
  - Pros: Users will see only the reports they can execute; the View access level could be used for reports without data security
  - Cons: Users can’t see reports that they are not authorized to execute (report inventory); more maintenance

Additional Setup Still Required in SAP BusinessObjects Enterprise
• Importing the SAP NetWeaver BW roles does not mean that they can be used without modifications
  - Rights and access levels must be assigned to the imported roles
  - Use a group hierarchy to handle this by assigning the imported role as a child of an existing group in SAP BusinessObjects Enterprise
  - Access is then maintained at the parent group level for all objects in SAP BusinessObjects Enterprise as needed

Integrating Data Security
• Data security can be fully integrated as long as the "View On Demand" access level is used for all reports in SAP BusinessObjects
  - Always use the "View On Demand" access right for SAP integration unless there is no data security requirement
  - View On Demand will force the data to be fetched from SAP NetWeaver BW by each user and hence force the user’s data security to be invoked
  - Consider performance impacts when this option is used

Integrating Security in BEx Queries
• The recommended option for integrating from SAP BusinessObjects to SAP NetWeaver BW is to use a BEx query as the source for a Universe
• This option can make use of:
  - The SAP NetWeaver BW OLAP engine capabilities
  - Security defined at InfoProvider as well as query level in SAP NetWeaver BW
  - SAP NetWeaver BW Accelerator
• Security integration can be made easier by implementing a few simple design standards for BEx queries

1. Use Navigational Attributes for Security
• Use specific security InfoObjects in your SAP NetWeaver BW system
  - E.g., do not use 0COMP_CODE; instead create a reference InfoObject (e.g., SECCOMPCD) that you add as a navigational attribute of 0COMP_CODE
  - It has the same values as the base object but can be chosen to be assigned only in the InfoProviders that require security by the object

2. Use Authorization Variables in the BEx Queries
• To avoid problems with mandatory variables in the SAP BusinessObjects tools, you should always pre-filter the queries using the authorization of the user
• This is easily done by using authorization variables that are not ready for input in the queries

Resources
• Ingo Hilgefort, Integrating SAP BusinessObjects XI 3.1 Tools with SAP NetWeaver (SAP Press, 2009). www.sap-press.com/product.cfm?account=&product=H3034
• Mike Seblani and Boris Kovacevic, "Business Objects XI Integration for SAP Solutions: SAP Security Integration". www.sdn.sap.com/irj/boc/index?rid=/library/uuid/9095a5b077e0-2b10-fd8e-aad948b16fde
• BusinessObjects Enterprise XI 3 – Administration Guide. http://help.sap.com/businessobject/product_guides/boexir3/en/xi3_bip_admin_en.pdf

Resources (cont.)
• Ned Falk, "SAP NetWeaver 2004s: New Analysis Authorizations Ease Administration" (BI Expert, June 2007).
• BusinessObjects Integration Kit for SAP – Installation and Configuration. www.sdn.sap.com/irj/boc/go/portal/prtroot/docs/library/uuid/a00ee3b2-5283-2b10-f1bf-8c6413e0898f?nbsp=&QuickLink=index&overridelayout=true
• Marc Bernard, "An Expert Guide to New SAP BI Security Features". www.sdn.sap.com/irj/scn/events?rid=/library/uuid/659fa0a20a01-0010-b39c-8f92b19fbfea

7 Key Points to Take Home
• It is possible to integrate SAP BusinessObjects and SAP NetWeaver BW security
  - The good integration was one reason for SAP to buy SAP BusinessObjects
• Use the native integration from SAP BusinessObjects to SAP NetWeaver BW to gain full access to the SAP NetWeaver BW OLAP engine functionality
• Use SAP Logon tickets via an SAP NetWeaver Portal with single sign-on to support seamless SAP BusinessObjects and SAP NetWeaver BW BEx reporting

7 Key Points to Take Home (cont.)
• Avoid dual maintenance by using SAP NetWeaver BW as the source system for your users and groups
  - Import and use the SAP NetWeaver BW roles in your SAP BusinessObjects Enterprise system to manage security across the systems
  - Assign SAP BusinessObjects Access Levels to the SAP NetWeaver BW roles inside SAP BusinessObjects Enterprise
• Be careful if you decide to use deny rights in SAP BusinessObjects Enterprise: they overrule granted accesses
• Use the "View On Demand" access level in SAP BusinessObjects Enterprise by default to ensure that users get access to the correct data from SAP NetWeaver BW

7 Key Points to Take Home (cont.)
• Use authorization variables instead of user-entry variables for data security in your SAP NetWeaver BW queries that are used in Universes and Xcelsius

Your Turn!
How to contact me: Jesper Moselund Christensen, jesper@comerit.net

Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet™, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.
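As an added example that is not part of the deck, a constructed Python model of the two rights semantics contrasted on the "Report Authorization" and "Things to Remember" slides: SAP BusinessObjects Enterprise folder rights, where an explicit deny overrides inherited grants and anything unmaintained is denied, beside SAP NetWeaver BW roles, where access is the union of grants and no deny exists. The folder names, group names (including the imported-role naming), user names and the simplified S_RS_COMP tuples are assumptions.

```python
"""Constructed model (not SAP or BOE code) of effective-access evaluation on
the SAP BusinessObjects Enterprise side and on the SAP NetWeaver BW side."""

# --- SAP BusinessObjects Enterprise: object-level rights with inheritance ---
# Constructed folder hierarchy: folder -> parent folder (None = top level).
FOLDERS = {"Finance": None, "Finance/AR": "Finance", "Finance/AR/Aging": "Finance/AR"}

# Explicitly maintained rights per (group, folder): True = granted, False =
# denied. Anything absent is simply not maintained. The first group is an
# imported SAP role qualified with the logical system name
# <SYSID>CLNT<CLIENT>; the exact naming format used here is an assumption.
BOE_RIGHTS = {
    ("BWPCLNT100~Z_FIN_ALL", "Finance"): True,
    ("BWPCLNT100~Z_FIN_ALL", "Finance/AR/Aging"): False,   # explicit deny
    ("Analysts", "Finance/AR"): True,
}
BOE_MEMBERSHIP = {"ALICE": {"BWPCLNT100~Z_FIN_ALL", "Analysts"}, "BOB": {"Analysts"}}


def boe_effective(user, folder):
    """Walk from the folder up to the root collecting every maintained right
    of the user's groups. One explicit deny anywhere on the path wins over
    all grants; with no grant found at all the answer is also 'not authorized'."""
    granted = False
    node = folder
    while node is not None:
        for group in BOE_MEMBERSHIP.get(user, set()):
            right = BOE_RIGHTS.get((group, node))
            if right is False:
                return False      # denied rights overwrite granted rights
            if right is True:
                granted = True
        node = FOLDERS[node]
    return granted               # denied or not maintained = not authorized


# --- SAP NetWeaver BW: grants held in roles, no deny ------------------------
# Constructed simplification: each role grants S_RS_COMP for one InfoArea
# (the real object carries more fields, e.g. component type and activity).
BW_ROLES = {
    "Z_FIN_ALL": {("S_RS_COMP", "FIN")},
    "Z_AR_ONLY": {("S_RS_COMP", "FIN_AR")},
}
BW_USER_ROLES = {"ALICE": {"Z_FIN_ALL"}, "BOB": {"Z_AR_ONLY", "Z_FIN_ALL"}}


def bw_effective(user, infoarea):
    """Union of all grants from all assigned roles; a role can only add
    access, never remove it, and not maintained = not authorized."""
    grants = set()
    for role in BW_USER_ROLES.get(user, set()):
        grants |= BW_ROLES.get(role, set())
    return ("S_RS_COMP", infoarea) in grants


if __name__ == "__main__":
    for f in FOLDERS:
        print("BOE ALICE", f, boe_effective("ALICE", f))
    print("BW BOB FIN", bw_effective("BOB", "FIN"))
```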