0

0
How to Build and
Integrate Security
Strategy for SAP
NetWeaver Business
Warehouse and SAP
BusinessObjects Tools
Jesper Moselund Christensen
COMERIT
© 2010 Wellesley Information Services. All rights reserved.
In This Session ...
•
•
•
Get an overview of the integration options from SAP
BusinessObjects to SAP NetWeaver® Business Warehouse (SAP
NetWeaver BW)
Understand the security implications when integrating SAP
NetWeaver BW and SAP BusinessObjects tools
Get best practices for integrating SAP BusinessObjects and SAP
NetWeaver BW security concepts
2
What We’ll Cover …
•
•
•
•
Integration options for SAP BusinessObjects to SAP NetWeaver
BW
SAP NetWeaver BW and SAP BusinessObjects security overview
Integrating SAP BusinessObjects and SAP NetWeaver BW
security
Wrap-up
3
SAP BusinessObjects and SAP NetWeaver BW Integration
Explorer
Source: SAP
4
Improvements in SAP NetWeaver BW Enhancement Pack 1
Source: SAP
5
The Four Integration Points from SAP BusinessObjects to
SAP NetWeaver BW
•
•
OLAP BAPI
 This option is the most used option. It makes use of the MDX
language.
 It is used for SAP BusinessObjects Voyager, OLAP universes
that can be used with SAP BusinessObjects Web Intelligence,
and Crystal Reports
 Almost all the functionality available in the OLAP engine is
available via this interface option
BI Consumer Services (BICS)
 This option was originally developed for SAP BEx. It is now
also used by the integration of Xcelsius into SAP NetWeaver
BW.
 All functionality of the SAP NetWeaver BW OLAP engine is
available
6
The Four Integration Points from SAP BusinessObjects to
SAP NetWeaver BW (cont.)
•
•
SQL
 This option is making use of the SAP BusinessObjects Data
Federator
 The SAP BusinessObjects Data Federator reads the data from
the SAP NetWeaver BW Data layer directly so options in the
OLAP engine are not available
Direct access to SAP NetWeaver BW Accelerator
 SAP BusinessObjects Explorer is using this option to ensure
fast response time
 This option has been enhanced to support limited SAP
NetWeaver BW security
7
Two Options for Universe Integration
•
Choose the right option for your universe integration
 SQL should only be used for mass data
Source: SAP
8
What We’ll Cover …
•
•
•
•
Integration options for SAP BusinessObjects to SAP NetWeaver
BW
SAP NetWeaver BW and SAP BusinessObjects security overview
Integrating SAP BusinessObjects and SAP NetWeaver BW
security
Wrap-up
9
Security in a Reporting System
•
•
There are four main areas that should be managed with regard to
security
 Authentication and Single Sign-On (SSO)
 Roles in SAP and user groups in SAP BusinessObjects
 Report authorization
 Data authorization
All of these are available in both SAP NetWeaver BW and in SAP
BusinessObjects
 It is therefore easy to get into a situation where security is
maintained in both systems or some in one system and some in
the other
 Having a clearly defined security setup avoids this pitfall
10
SAP BusinessObjects Managed vs. Un-Managed
•
The SAP BusinessObjects portfolio supports both an unmanaged
and a managed reporting environment
 The main difference is that a managed reporting environment
makes use of SAP BusinessObjects Enterprise for report
distribution
 It can make use of several authentication options that are
available in SAP BusinessObjects Enterprise
 The unmanaged option is mainly based on standalone desktop
installations of Crystal Reports, Xcelsius, Web and Desk
Intelligence
 The unmanaged reporting environment normally requires the
user to logon with user ID and password to access
datasources such as SAP NetWeaver BW
 The exception is Crystal Reports, which can make use of
11
SNC when accessing SAP systems
SAP BusinessObjects Enterprise Authentication Options
•
•
SAP BusinessObjects has several options for authentication
 SAP BusinessObjects Enterprise Authentication
 LDAP
 Windows Active Directory (AD)
 Windows NT
 SAP
Which options are used can be defined in the Central Management
Console under Authentication
12
SAP BusinessObjects Enterprise Authentication Options
(cont.)
Authentication Description
type
Comment
Enterprise
The default for SAP
BusinessObjects
Enterprise
Use the system default Enterprise Authentication if you prefer to
create distinct accounts and groups for use with SAP
BusinessObjects Enterprise, or if you have not already set up a
hierarchy of users and groups in a Windows NT user database, an
LDAP directory server, or a Windows AD server.
Windows NT
Reuse of NT accounts
and groups
If you are working in a Windows NT environment, you can use
existing NT user accounts and groups in SAP BusinessObjects
Enterprise. When you map NT accounts to SAP BusinessObjects
Enterprise, users are able to log on to SAP BusinessObjects
Enterprise applications with their NT user name and password. This
can reduce the need to recreate individual user and group accounts
within SAP BusinessObjects Enterprise.
LDAP
Use LDAP directory of
users and groups
If you set up an LDAP directory server, you can use existing LDAP
user accounts and groups in SAP BusinessObjects Enterprise.
When you map LDAP accounts to SAP BusinessObjects
Enterprise, users are able to access SAP BusinessObjects
Enterprise applications with their LDAP user name and password.
This eliminates the need to recreate individual user and group
accounts within SAP BusinessObjects Enterprise.
13
SAP BusinessObjects Enterprise Authentication Options
(cont.)
Authentication Description
type
Comment
Windows AD
Reuse of NT accounts
and groups
If you are working in a Windows 2000 or newer environment, you
can use existing AD user accounts and groups in SAP
BusinessObjects Enterprise. When you map AD accounts to SAP
BusinessObjects Enterprise, users are able to log on to SAP
BusinessObjects Enterprise applications with their AD user name
and password. This eliminates the need to recreate individual user
and group accounts within SAP BusinessObjects Enterprise.
SAP
Reuse of SAP
accounts and roles
(groups)
If you are working in an SAP environment, you can use existing
SAP user accounts and roles in SAP BusinessObjects Enterprise.
When you map SAP accounts to SAP BusinessObjects Enterprise,
users are able to log on to SAP BusinessObjects Enterprise
applications with their SAP user name and password. This
eliminates the need to recreate individual user and group accounts
within SAP BusinessObjects Enterprise.
Note: This option requires that the SAP Integration toolkit is
installed
14
SAP NetWeaver BW Authentication Options
•
SAP also supports several authentication options. Some of
these are:
 Manual entry SAP logon
 Windows Active Directory with Kerberos single sign-on
 LDAP single sign-on
 SAP logon ticket
 This option is recommended for authentication between SAP
systems and should also be used for SAP BusinessObjects
Enterprise when connecting to SAP via SAP NetWeaver
Portal
15
SNC and Server-Side Authentication
•
Server-side trust or SNC enables one system to connect to
another system without passing the password of the user that is
connecting
 This is required in a use case where reports should be
scheduled to run rather than run online by users
 SNC or server-side trust requires that the servers are
configured to allow for logon with just the user ID
 SAP provides cryptographic libraries to ensure that the
configuration is secure
Ingo Hilgefort has posted a great blog on how to setup
SNC between SAP BusinessObjects and SAP at
http://ingohilgefort.blogspot.com/2009/07/businessobjectsand-snc-for-client.html
16
View and View On Demand Access Levels in SAP
BusinessObjects
•
View On Demand access level
 On-demand reporting gives users real-time access to live data,
straight from the database server
 Consider whether or not you want all of your users hitting the
database server on a continual basis
 Users require View On Demand access to refresh reports
against the database
17
View and View On Demand Access Levels in SAP
BusinessObjects (cont.)
•
View access level
 To reduce the amount of network traffic and the number of hits
on your database servers, you can schedule reports to be run
at specified times. When the report has been run, users can
view that report instance as needed, without triggering
additional hits on the database.
 Minimize data transfer over the network and database server's
workload
 Users require only View access to display report instances
View On Demand ensures authentication of the user
against SAP NetWeaver BW and ensures that the
authorizations are taken from SAP NetWeaver.
View would use the data stored in the instance on the SAP
BusinessObjects Enterprise and would require data level
security to be maintained in SAP BusinessObjects.
18
SAP NetWeaver BW Roles and SAP BusinessObjects User
Groups
•
•
SAP BusinessObjects user groups
 Users are assigned to user groups
 Rights can be assigned to user groups
SAP NetWeaver BW roles
 Users are assigned to roles
 Authorizations are assigned to roles
SAP BusinessObjects Enterprise User Groups = SAP Roles
•
SAP roles can be imported into SAP BusinessObjects Enterprise
and turned into user groups
 This allows for single maintenance of user in SAP NetWeaver
BW and their assignments to groups in SAP BusinessObjects
Enterprise
19
Report Authorization
•
•
SAP BusinessObjects controls report security through the folders
or via specific rights at the object level within the folders
 The folders can be arranged as a hierarchy and access can be
inherited
 A user can have different access for different types of reports
within one folder
SAP NetWeaver BW controls report access via ABAP security
and, to some extent, roles in SAP NetWeaver Portal
 ABAP Security that controls report access
 S_RS_COMP and S_RS_COMP1 – Reporting components
 S_RS_BTMP – Web Templates
 S_RS_ERPT – Reports
20
Controlling Data Access
•
•
SAP BusinessObjects
 There are several options to build data level security in SAP
BusinessObjects
 Use the source DBMS access controls
 Use the Source OLAP controls
 Build profiles in SAP BusinessObjects Enterprise
 Build access into Crystal Reports or Universes
SAP NetWeaver BW
 Uses analysis authorizations to control data access by row and
column
 Analysis authorizations can be assigned
 Directly to users
 To users via roles
21
Security Comparison
SAP NetWeaver BW
SAP
Comment
BusinessObjects
Enterprise
Authorization Objects
Rights
Individual actions and activities that can be
performed for an object
Profiles
Access Levels
A collection of activities and actions
Analysis Authorizations
Profiles
Controls access to specific dataslices
E.g., Country = USA
Worksets
Folders
A collection of objects, reports, and
documents
Roles
Groups
A collections of users who share the same
account privileges.
Both SAP and SAP BusinessObjects
support a hierarchy of roles or groups.
22
Things to Remember …
•
•
SAP BusinessObjects Enterprise
 Allows for very granular security maintained at each object
(folder, report, etc.)
 This can be useful in some instances, but if used extensively
could cause a very complex and hard-to-maintain security
setup
 Denied rights overwrite granted rights
 Denied or not maintained = not authorized
SAP NetWeaver BW
 Allows for very granular security but object security is
maintained within the roles and not at each object
 It is not possible to deny access. Only granted accesses are
maintained.
 Not maintained = not authorized
23
What We’ll Cover …
•
•
•
•
Integration options for SAP BusinessObjects to SAP NetWeaver
BW
SAP NetWeaver BW and SAP BusinessObjects security overview
Integrating SAP BusinessObjects and SAP NetWeaver BW
security
Wrap-up
24
Integrating Authentication Can Be Complex
•
Authentication complexities
between SAP BusinessObjects
and SAP systems
SAP
Systems
SAP BusinessObjects
Enterprise Server Authentication
Users
User Authentication
Single Sign On (LDAP)
Multiple SAP systems
Ticket
User Authentication
Single Sign On (AD)
Encryption and SNC
SAP NetWeaver
Portal
25
The Authentication Flow
•
•
•
Client connection to SAP BusinessObjects Enterprise options
 User name/password
 SAP token (MYSAPSSO2 ticket/cookie)
 Trusted authentication
CMS managed sessions
 Logon request is validated by SAP system
 User validation against default logical system as a fallback
 User aliases are maintained in CMS repository
Data retrieval from SAP NetWeaver BW
 User name/password
 Impersonation using SNC server-side trust
 SAP token (MYSAPSSO2 ticket/cookie)
26
Authentication Integration Options
Source: SAP
27
Integrating Authentication — Best Practice
•
•
Use SAP Authentication in SAP BusinessObjects Enterprise
together with SAP NetWeaver Portal. This allows for:
 Single Sign On using LDAP or AD to the SAP NetWeaver Portal.
The Portal issues an SAP Logon Ticket.
 The SAP Logon Ticket is used for authentication to SAP
BusinessObjects Enterprise and all underlying SAP systems
 Import roles and users from SAP NetWeaver BW into SAP
BusinessObjects Enterprise (one-time maintenance)
 Imported SAP users are qualified with logical system name
 Logical system name derived from SAP System ID and
Client number <SYSID>CLNT<CLIENT>
 Imported roles from SAP become user groups in SAP
BusinessObjects Enterprise
Also, set up server-side trust to allow for scheduling of reports
 Logon ticket expires and can’t be used for scheduling
28
The 10-Step Implementation Guide
•
SAP BusinessObjects Enterprise Server setup
1. Install SAP Front End (SAP GUI)
2. Install SAP Java Connector
3. Install SAP BusinessObjects XI Integration Solution for SAP
4. Set up SAP system as authentication in SAP BusinessObjects
Enterprise
5. Import SAP roles and users from SAP ABAP systems into SAP
BusinessObjects Enterprise
 Define and assign access levels to imported roles
 Define alias users from multiple logical SAP systems
(optional)
6. Configure SNC server-side authentication (optional)
7. Configure Web application server hosting SAP
BusinessObjects Enterprise for SSO and SNC
29
The 10-Step Implementation Guide (cont.)
•
SAP NetWeaver Server setup
8. Install the SAP authentication helper transport from the SAP
BusinessObjects XI Integration Kit for SAP (optional)
9. Ensure that users are assigned to SAP roles
10. Configure SAP NetWeaver Portal and SAP ABAP trust for
token or SNC validation
30
Thin and Thick Clients Require Additional Steps
•
•
Thick client (Crystal Reports and Universe Designer, etc.)
 Install SAP Front End (SAP GUI)
 Install SAP BusinessObjects XI Integration Solution for SAP
 Enable client side SNC for Crystal Reports (optional)
Thin client
 Configure SAP BusinessObjects Enterprise Web Application
Server for SNC (optional)
31
SAP System Setup for Authentication in SAP
BusinessObjects Enterprise
•
The SAP system is defined in the Central Management Console in
SAP BusinessObjects Enterprise under Authentication
 Both Message server and Application server scenarios are
supported
The password used should be UPPER CASE in both
systems. Passwords are case sensitive in SAP NetWeaver
7.0.
32
Importing SAP Roles into SAP BusinessObjects Enterprise
•
The role import is done from the Central Management Console in
SAP BusinessObjects Enterprise under Authentication  SAP
System
 Go to the SAP system and choose Role Import
 Select the roles that you want to transfer to SAP
BusinessObjects Enterprise
33
Importing SAP Users into SAP BusinessObjects Enterprise
•
Additional options
 Set the option to automatically import the users
 You can define a default system to be used for authentication of
SAP users
34
Two Options for Integrating Report Security
•
•
Reuse the SAP NetWeaver BW security 100% by granting access
to all reports in SAP BusinessObjects Enterprise and use the View
On Demand access level to ensure that users are executing the
SAP NetWeaver BW queries and thereby getting the S_RS_COMP
authorization invoked
 Pros: No dual maintenance, fast to implement
 Cons: Less intuitive for the users as they will see reports that
they are not authorized to execute
Create a few user-friendly groups in SAP BusinessObjects
Enterprise containing access only to the reports that the users are
authorized to execute
 Pros: Users will see only the reports they can execute, View
access level could be used for report without data security
 Cons: Users can’t see reports that they are not
authorized to execute (report inventory), more
maintenance
35
Additional Setup Still Required in SAP BusinessObjects
Enterprise
•
Importing the SAP NetWeaver BW roles does not mean that they
can be used without modifications
 Rights and access levels must be assigned to the imported
roles
 Use a group hierarchy to handle this by assigning the
imported role as a child to an existing group in SAP
BusinessObjects Enterprise
 Access is then maintained at the parent group level for all
objects in SAP BusinessObjects Enterprise as needed
36
Integrating Data Security
•
Data security can be fully integrated as long as the ―View On
Demand‖ access level is used for all reports in SAP
BusinessObjects
 Always use ―View On Demand‖ access right for SAP Integration
unless there is no data security requirement


View On Demand will force the data to be fetched from SAP
NetWeaver BW by each user and hence force the user’s data
security to be invoked
Consider performance impacts when this option is used
37
Integrating Security in BEx Queries
•
•
•
The recommended option for integrating from SAP
BusinessObjects to SAP NetWeaver BW is to use a BEx query as
the source for a Universe
This option can make use of:
 The SAP NetWeaver BW OLAP engine capabilities
 Security defined at InfoProvider as well and query level in SAP
NetWeaver BW
 SAP NetWeaver BW Accelerator
Security integration can be made easier by implementing a few
simple design standards to BEx queries
38
1. Use Navigational Attributes for Security
•
Use specific Security InfoObjects in your SAP NetWeaver BW
system
 E.g., Do not use 0COMP_CODE, instead create a reference
InfoObject (e.g., SECCOMPCD) that you add as a navigational
attribute of 0COMP_CODE
 It has the same values as the base object but can be chosen to
be assigned only in the InfoProviders that require security by
the object
39
2. Use Authorization Variables in the BEx Queries
•
•
To avoid problems with mandatory variables in the SAP
BusinessObjects tools, you should always pre-filter the queries
using the authorization of the user
This is easily done by using authorization variables that are not
ready for input in the queries
40
What We’ll Cover …
•
•
•
•
Integration options for SAP BusinessObjects to SAP NetWeaver
BW
SAP NetWeaver BW and SAP BusinessObjects security overview
Integrating SAP BusinessObjects and SAP NetWeaver BW
security
Wrap-up
41
Resources
•
•
•
Ingo Hilgefort, Integrating SAP BusinessObjects XI 3.1 Tools with
SAP NetWeaver (SAP Press, 2009).
 www.sap-press.com/product.cfm?account=&product=H3034
Mike Seblani and Boris Kovacevic, ―Business Objects XI
Integration for SAP Solutions: SAP Security Integration‖
 www.sdn.sap.com/irj/boc/index?rid=/library/uuid/9095a5b077e0-2b10-fd8e-aad948b16fde
BusinessObjects Enterprise XI 3 – Administration Guide
 http://help.sap.com/businessobject/product_guides/boexir3/en/
xi3_bip_admin_en.pdf
42
Resources (cont.)
•
•
•
Ned Falk, ―SAP NetWeaver 2004s: New Analysis Authorizations
Ease Administration‖ (BI Expert, June 2007).
BusinessObjects Integration Kit for SAP – Installation and
Configuration
 www.sdn.sap.com/irj/boc/go/portal/prtroot/docs/library/uuid/a00
ee3b2-5283-2b10-f1bf-8c6413e0898f?nbsp=&QuickLink=index
&overridelayout=true
Marc Bernard, ―An Expert Guide to New SAP BI Security
Features‖
 www.sdn.sap.com/irj/scn/events?rid=/library/uuid/659fa0a20a01-0010-b39c-8f92b19fbfea
43
7 Key Points to Take Home
•
•
•
It is possible to integrate SAP BusinessObjects and SAP
NetWeaver BW security
 The good integration was one reason for SAP to buy SAP
BusinessObjects
Use the native integration from SAP BusinessObjects to SAP
NetWeaver BW to gain full access to the SAP NetWeaver BW
OLAP engine functionality
Use SAP Logon tickets via an SAP NetWeaver Portal with single
sign-on to support seamless SAP BusinessObjects and SAP
NetWeaver BW BEx reporting
44
7 Key Points to Take Home (cont.)
•
•
•
Avoid dual maintenance by using SAP NetWeaver BW as the
source system for your users and groups
 Import and use the SAP NetWeaver BW roles in your SAP
BusinessObjects Enterprise system to manage security across
the systems
 Assign SAP BusinessObjects Access Levels to the SAP
NetWeaver BW roles inside SAP BusinessObjects Enterprise
Be careful if you decide to use deny rights in SAP
BusinessObjects Enterprise – it overrules granted accesses
Use the ―View On Demand‖ in SAP BusinessObjects Enterprise
access level by default to ensure that users get access to the
correct data from SAP NetWeaver BW
45
7 Key Points to Take Home (cont.)
•
Use authorization variables instead of user entry variables for
data security in your SAP NetWeaver BW queries that are used in
Universes and Xcelsius
46
Your Turn!
How to contact me:
Jesper Moselund Christensen
jesper@comerit.net
47
Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet™, PartnerEdge, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product
and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by
SAP.
48