SAP BI 4.1 IDT SP5 Business Security & Data Security Profile Filter Implementation
SAP BO 4.1 SP5
IDT – Single Source UNX
Windows 2008 Server
My project has a requirement to implement security on top of the universe classes/objects in such a way that certain departmental users have access only to the subset of objects for their department, e.g. Purchase or Receipts. We also want to use the same universe for other users who are not in any department but need access to all the classes/objects. The catch is that those department users will have an extra filter condition in the definition of the Security Profiles.
I will explain this scenario with the actual problem I faced and the workaround I used to overcome it. Initially my assumption was that this is Column/Object level security that can be achieved through Business Security Profiles ONLY if you have filters required on top of Class/Objects. Which turned out to be FALSE! Some playing around with the security profiles helped me understand the reason(s) behind it. I cover that in a later part of this blog.
To start with I defined 2 Business security Profiles
1. Created View with Purchase Only objects in IDT on my Single Source UNX.
2. Created another View with Receipts Only Objects in the same universe.
Created 2 Security Profiles
1. BS_Purch_Only_Profile with filter PO_Type = 'BULK'
– Grant Purch_only object
2. BS_Receipt_Only_Profile with filter R_PO_Type = 'BULK'
– Grant Receipt Only object
My requirement is to define the Business Security Profiles in IDT in such a way that USER1, who is in both of the above profiles, gets the above filters separately in the WebI query. Currently the net Business Security Profile query with the above approach results in PO_Type = 'BULK' AND R_PO_Type = 'BULK' in the WHERE clause of a WebI report on either Purchases OR Receipts.
This generation of 'AND' for the filters is by SAP's design (for Business Security Profiles) and can be handled through a Data Security Profile.
Observations and workaround:
i) Filters in a Business Security Profile always come with 'AND' in the WHERE clause (Net Profile Security) if the user is in multiple Business Security Profiles. So there is no other way to overcome this issue, as this is by SAP design.
The reason for this sort of design is that classes and objects can spread across subject areas. So these filters primarily help at the class and filter level, irrespective of the tables that hit the database. If you have a further level of security requirement, you need to control it at the row-level fetch, which is nothing but the Data Security Profile.
ii) I used the Data Security Profile to apply filters and the Business Security Profile to display a subset of objects (e.g. Purchase vs Receipts class objects) in IDT, as per the requirements.
Steps in detail:
– Create a Data Security Profile on top of the Purchase Only View.
– Add a filter to the Data Security Profile: DS_PO -> Rows -> Add the PO_Type = 'BULK' condition.
– Similarly, create a Data Security Profile for the Receipts Only View: DS_Receipts -> Add the R_PO_Type = 'BULK' condition.
Now USER1 is assigned both the Data Security Profiles (DS_PO & DS_Receipts) and the Business Security Profiles (BS_Purch_Only_Profile & BS_Receipt_Only_Profile).
The Net Security Profile gives my expected results!
NOTE: You cannot test Security Profiles in IDT -> Business Layer -> Queries, but you can check the Net Security Profile in the Security Editor by selecting the universe on which the profiles are defined and the user together.
In WebI, when USER1:
Query1: creates a query with the Purchases ONLY view, this generates ONLY the PO_Type = 'BULK' filter instead of both filters as in the initial problem.
Query2: creates a query with the Receipt ONLY view, this results in ONLY the R_PO_Type = 'BULK' filter.
Both queries execute in one report and give me two separate tables.
The above 2 steps helped to implement my requirement.
– Users who are in only one group will have only the one required filter instead of all the filters in the WHERE clause.
– Users not in any Security Profile will have NO filter conditions. This is an awesome feature, in my opinion!
– Replace my USER1 with a Purchase or Receipts department group created in CMC, so the entire department's security is controlled.
Hope this helps those who want similar security implementations! I encourage you to add questions/comments on similar issues.
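The difference between the two designs can be modelled in a few lines. This is an added example, not code from the original post or from SAP: a simplified Python model of the behaviour described above, in which the table names PURCHASES and RECEIPTS are assumptions.

```python
# Simplified model of the net WHERE clause described in the post; not SAP code.
# Table names PURCHASES and RECEIPTS are hypothetical.

# Initial design: filters attached to the Business Security Profiles.
BUSINESS_FILTERS = {
    "BS_Purch_Only_Profile": "PO_Type = 'BULK'",
    "BS_Receipt_Only_Profile": "R_PO_Type = 'BULK'",
}

# Workaround: row restrictions attached to Data Security Profiles,
# each one bound to the table it restricts.
DATA_ROWS = {
    "DS_PO": ("PURCHASES", "PO_Type = 'BULK'"),
    "DS_Receipts": ("RECEIPTS", "R_PO_Type = 'BULK'"),
}


def where_with_business_filters(profiles, query_tables):
    """Every filter of every assigned profile is ANDed into the query.

    query_tables is deliberately ignored: per the post, the filters are
    added whichever view the query is built on.
    """
    conds = [BUSINESS_FILTERS[p] for p in profiles if p in BUSINESS_FILTERS]
    return " AND ".join(conds)


def where_with_data_rows(profiles, query_tables):
    """A row restriction is added only if the query reads its table."""
    conds = []
    for p in profiles:
        if p in DATA_ROWS:
            table, cond = DATA_ROWS[p]
            if table in query_tables:
                conds.append(cond)
    return " AND ".join(conds)


if __name__ == "__main__":
    bs = ["BS_Purch_Only_Profile", "BS_Receipt_Only_Profile"]
    ds = ["DS_PO", "DS_Receipts"]
    for tables in ({"PURCHASES"}, {"RECEIPTS"}):
        print(sorted(tables), "| business filters:",
              where_with_business_filters(bs, tables))
        print(sorted(tables), "| data rows:       ",
              where_with_data_rows(ds, tables))
    # A user in no Security Profile gets no filter at all.
    print("no profiles:", repr(where_with_data_rows([], {"PURCHASES"})))
```

Comparing the two outputs for the same query is the same check the post performs with the Net Security Profile in the Security Editor.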