BPC Data Manager Package Security Settings
After migrating from BPC 7.5 NW to BPC NW 10/10.1, some customers found BPC users can’t trigger BW process chain, especially when tasks to interact with BW are involved. In next sections, I’ll give more information about this change.
1. How does BPC trigger job? with which user?
In BPC 10/10.1, most data manager packages are triggered as background jobs. The program flow is like this:
The job is triggered with BPC system user,so you will find all BPC jobs are under BPC service user in SM37, as shown below:
Note: If you find BPC jobs are under specific user’s name, you need to check the RFC setting and BPC global parameter RFC_DESTINATION.
2. Which user’s authorization will be checked in the background job?
The user who starts DM package in EPM Add-in will be checked. Job is created by BPC service user, but it doesn’t mean the authorization of this user is used inside the job. As the highlighted code shows: when the job is submitted, SY-UNAME is used instead of BPC Service user.
In BPC 7.5, BPC jobs are triggered by BPC service user, and the security check inside the job is also performed on BPC Service user. So, it is unnecessary to assign BW or other authorizations to BPC users in BPC 7.5, but it is not the same case in BPC 10/10.1.
3. What’s the purpose to specify user name in UJD_TEST_PACKAGE?
As shown in below figure, we could specify User ID when running UJD_TEST_PACKAGE, so what does that mean?
Let say we have two users in this case: ADMIN and TESTBPC. ADMIN logs on BW and starts to run UJD_TEST_PACKAGE, and he inputs TESTBPC in the User ID field and starts to run the package asynchronously.
The user specified here (TESTBPC) will be checked whether he/she has the authorization to run current package. If yes, the backend job will be triggered under SY-UNAME user (ADMIN) by BPC Service user.
So the user specified in UJD_TEST_PACKAGE is only used for security check before the job triggered.
After job starts, SY-UNAME will be checked.
4. For more information about the security design in BPC NW 10/10.1 (Standard Model), please refer to following notes:
- 1613125 – Planning and Consolidation 10.0 NW Security Design & Limits
- 1613620 – Security issue when loading data from InfoProvider
- 1744312 – Not able to list InfoProviders in Data Manager Package “Load Transaction Data from BW InfoProvider UI” (Process Chain