Restricting Secured Myself Datasources Selectively from being extracted in the Target BI Systems after Replication
Introduction to the situation
We create many datamart/export datasources in our BI systems to send data say from one DSO to another, Master data to DSO or to Cube etc. This method was particularly used in older versions in BW where no DTP concept was there.
Also, there’s number of other myself datasources in BI systems to fetch data from the Database tables (custom or system) lying in the same system. BI statistics cubes or Authorization generating DSOs mostly rely on these kinds of datasources.
Whatever be the purpose, we mostly don’t want to send all of these datasources to the target BI systems (systems that add the current BI system as a source system). But seemingly, we don’t have any control to that as when the target system replicates datasources using IDs similar to ALEREMOTE, all of them gets replicated and anyone in the target system can create infopackage, infosource, DTP etc on them to pull data from the source system. This can be a vulnerable situation for many legacy source BI systems that hold secured data.
Thankfully, BI system is equipped to deal with this scenario though the finding the solution needs a bit of a time. Objective of this blog is to inform developers & support members to show that very place where the settings need to be changed. Another beauty of this feature is one can allow extraction in one system and can restrict in the other system for the same datasource, this completes the sound data security in the systems.
The Step-by-step procedure :
1. Identify the myself datasources which you want to restrict in the target systems.
2. Identify the Target Systems for which you want to restrict data extraction (Tcode SM59 will show all RFCs and choose from that).
3. Go to TCode SBIW –> Data Transfer to the SAP Business Information Warehouse –> General Settings –> Limit Authorizations for Extraction –> Click Execute
4.Press Continue to the message of Cross Client Table (here it’s important that Cross Client Table should be made modifiable from SCC4 & SE06 and the person making the changes should have Auth Objs S_TABU_DIS & S_TABU_CLI or S_ADMI_FCD assigned with proper parameters to his roles).
5. You are now being taken to Table maintenance screen (this table is ROAUTH).
6. Put the datasource name in the first column, the target system RFC name in the second & flag ‘X’ in the third column named Exclude Extraction. All fields are F4 help enabled for your ease. This table can be transported but in that case maintain all the target productive systems in the list as well.
7. Now logon to the Target System where the myself datasources are already replicated (if not then you can replicate). In case they are already replicated & activated, you try to create infopackage on them. Or in case Infopackages also exist, try to schedule extraction using that. Or if you tried to replicate then in all cases you get a message like below, saying activation/extraction not allowed from the source system. In this way, the objective can be achieved easily.