Security in BPC Embedded – Q&A
SAP Help provides good, detailed documentation covering the technical design of data security in SAP Business Planning and Consolidation, Embedded Model (BPC Embedded).
However, during project implementation it becomes evident that, because of the detailed technical nature of that documentation, some questions are not addressed directly, and the answers are spread across multiple sections.
That’s why I thought it would be good to write this Q&A post and answer some of the questions consultants may have. It is not a comprehensive guide, but I would have found it useful myself several years ago.
- Q: How do data access privileges/restrictions work in BPC Embedded at a very high level?
A: Business Warehouse (BW) authorizations are always enforced; BPC Data Access Profiles (DAPs) can be applied on top of them to restrict access further, if needed. A DAP can only narrow what the BW authorizations already allow, never widen it.
- Q: I want to keep my security model as simple as possible. Do I have to use BPC Data Access Profiles in BPC Embedded, or can I choose not to?
A: It is not mandatory, provided your solution design meets one of the following two conditions:
- You choose not to assign a BPC Model to the Analysis for Office (AFO) planning workbooks.
- You assign a BPC Model to a workbook, but the users who access the workbook have 0BI_ALL in their analysis authorizations. It may seem surprising, but exactly 0BI_ALL is required in this case. This option lets you avoid DAPs while still using some useful BPC-specific features in AFO, e.g. Business Rules.
- Q: In my solution I want to use BPC features such as Work Statuses or Business Rules linked to Analysis for Office workbooks, and I also want to control access to data at a granular level. How is that achieved?
A: In that case you have to assign a BPC Model to the AFO workbooks, which in turn means Data Access Profiles must be configured for data access control. The upside is that a power user or BPC administrator from a business unit can then control data access for their teams, to some extent, going forward.
- Q: If I choose to use BPC DAPs, do I have to assign a BPC Model to each and every AFO Analysis Workbook to make the DAPs effective when using those workbooks?
- Q: If I choose to use BPC DAPs, do I also have to assign and maintain analysis authorizations in the user’s BW role in PFCG?
A: No, provided you have assigned the necessary analysis authorizations (very often 0BI_ALL) to the BPC Environment in transaction RSECENVI. In that case the intersection of the Environment’s authorization and the user’s DAP is what takes effect.
- Q: If I don’t use BPC DAPs, how is data security controlled?
A: BW authorizations are then the only control in effect. They are assigned to roles in transaction PFCG. Analysis authorizations, created in transaction RSECADMIN, are the main method of controlling data access at the BW level. Along with the other authorization objects covered below, they must be assigned to a role in PFCG.
- Q: In a purely BW-controlled security model (without DAPs), how do I restrict access to data input by a particular authorization-relevant characteristic, such as Profit Centre?
A: BW analysis authorizations are the tool for this. They are configured in transaction RSECADMIN and then assigned to a role via the authorization object S_RS_AUTH in transaction PFCG. Note that, despite the name, analysis authorizations do differentiate between read and write: the activity is carried by the special characteristic 0TCAACTVT (03 = display, 02 = change). 0BI_ALL covers both activities, so it will potentially give data input access to any planning-enabled BW InfoProvider.
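To make the layering concrete, here is a small Python model of the resolution rules stated above: BW analysis authorizations are always checked, a DAP (where a BPC Model is assigned) is intersected with that result, and 0BI_ALL grants the change activity as well as display. This is an added example and not SAP’s code or the post’s own; the check semantics are deliberately simplified (no authorization unions across characteristics, no hierarchy nodes, no ':' aggregation, no 0TCAIPROV/0TCAVALID), and the Profit Centre values, the authorization named Z_PC1_DISPLAY and the DAP named DAP_PLANNER are constructed for the illustration.

```python
"""Constructed model of data access resolution in BPC Embedded (added example,
not SAP code). BW analysis authorizations are always checked; a BPC Data Access
Profile (DAP), where one applies, can only narrow the result. The Profit Centre
values and the authorization/DAP definitions are made up for the example; real
BW check semantics (authorization unions, hierarchies, ':' aggregation,
0TCAIPROV, 0TCAVALID) are deliberately left out.
"""

# Activity values of the special characteristic 0TCAACTVT: 03 = display, 02 = change.
ACT_DISPLAY, ACT_CHANGE = "03", "02"

# Access levels, ordered so that min() is the intersection and max() the union.
NONE, READ, WRITE = 0, 1, 2
LEVEL_NAME = {NONE: "NONE", READ: "READ", WRITE: "WRITE"}


def value_allowed(selection, value):
    """Does a value selection cover a value?

    Items are '*' (everything), a pattern ending in '*' (prefix), a (low, high)
    tuple (interval, compared as strings like BW key values), or a single value.
    """
    for item in selection:
        if isinstance(item, tuple):
            low, high = item
            if low <= value <= high:
                return True
        elif item == "*" or item == value:
            return True
        elif item.endswith("*") and value.startswith(item[:-1]):
            return True
    return False


def bi_all(auth_relevant):
    """0BI_ALL: every authorization-relevant characteristic unrestricted, all activities."""
    auth = {char: ["*"] for char in auth_relevant}
    auth["0TCAACTVT"] = ["*"]
    return auth


def bw_level(authorizations, record, auth_relevant):
    """Highest activity that some analysis authorization grants on a record.

    An authorization applies only if it covers the record's value for every
    authorization-relevant characteristic; a characteristic missing from the
    authorization counts as not covered.
    """
    best = NONE
    for auth in authorizations:
        covered = all(char in auth and value_allowed(auth[char], record[char])
                      for char in auth_relevant)
        if not covered:
            continue
        activities = auth.get("0TCAACTVT", [])
        if value_allowed(activities, ACT_CHANGE):
            best = max(best, WRITE)
        elif value_allowed(activities, ACT_DISPLAY):
            best = max(best, READ)
    return best


def dap_level(dap, record):
    """Access a DAP grants on a record: the lowest level across its secured dimensions.

    dap maps each secured dimension to (selection, level) entries; a record whose
    member matches no entry on a secured dimension gets NONE.
    """
    level = WRITE
    for dim, entries in dap.items():
        granted = max((lvl for sel, lvl in entries if value_allowed(sel, record[dim])),
                      default=NONE)
        level = min(level, granted)
    return level


def effective_access(record, authorizations, auth_relevant, dap=None):
    """BW is always checked; a DAP, if present, is intersected with the BW result."""
    bw = bw_level(authorizations, record, auth_relevant)
    return bw if dap is None else min(bw, dap_level(dap, record))


# Constructed scenario: Profit Centre is the only authorization-relevant characteristic.
AUTH_RELEVANT = ["0PROFIT_CTR"]

# Constructed analysis authorization: display only, profit centres starting with PC1.
Z_PC1_DISPLAY = {"0TCAACTVT": [ACT_DISPLAY], "0PROFIT_CTR": ["PC1*"]}

# Constructed DAP of a planner: write on PC1*, read on PC2000-PC2999, nothing else.
DAP_PLANNER = {"0PROFIT_CTR": [(["PC1*"], WRITE), ([("PC2000", "PC2999")], READ)]}


def scenario(profit_centre, authorizations, dap=None):
    """Effective access level name for one record with the given authorizations and DAP."""
    record = {"0PROFIT_CTR": profit_centre}
    return LEVEL_NAME[effective_access(record, authorizations, AUTH_RELEVANT, dap)]


if __name__ == "__main__":
    # No BPC Model on the workbook, so no DAP: 0BI_ALL means write access everywhere.
    print("0BI_ALL, no DAP, PC3000:", scenario("PC3000", [bi_all(AUTH_RELEVANT)]))
    # Restricted BW authorization only.
    print("PC1 display, PC1000:", scenario("PC1000", [Z_PC1_DISPLAY]))
    print("PC1 display, PC2000:", scenario("PC2000", [Z_PC1_DISPLAY]))
    # 0BI_ALL held via the Environment (RSECENVI), intersected with the user's DAP.
    for pc in ("PC1000", "PC2500", "PC3000"):
        print("0BI_ALL + DAP,", pc + ":", scenario(pc, [bi_all(AUTH_RELEVANT)], DAP_PLANNER))
    # A DAP cannot widen BW access: display-only in BW stays read-only despite DAP write.
    print("PC1 display + DAP write, PC1000:", scenario("PC1000", [Z_PC1_DISPLAY], DAP_PLANNER))
```

The last scenario is the check worth keeping in mind when reviewing a design: a DAP that grants WRITE is only as good as the BW authorization underneath it, which is why the Environment (or the role) must carry the change activity for planners.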
- Q: In a purely BW-controlled security model (without DAPs), I don’t want to go down the path of configuring restrictive analysis authorizations, since there is no requirement to restrict data by characteristic value. Can I give some generic analysis authorization to all end users?
A: Yes. And there are two further methods that let you control access to some extent. They can be used alone or in combination:
- Restrict access to BW queries via the authorization object S_RS_COMP, so that certain queries, including input-ready queries, belonging to particular (functional) areas of the solution are not allowed for a given role.
- Restrict access to particular Analysis for Office workbooks, again by (functional) area of the solution, via the authorization object S_RS_AO. Note that in this case a user can still create a new workbook and insert a query into it if S_RS_COMP is not restrictive enough, so the two objects need to be restricted together.
- Q: Can a user open a workbook that is not saved in their role?
A: Yes, if S_RS_AO is not restrictive enough: they can find the workbook via search in the AFO ‘Open Workbook’ dialog.
- Q: How does the Aggregation Level authorization object (S_RS_ALVL) affect end user data access?
A: It is only relevant in specific scenarios where local queries are used; otherwise it does not restrict user access to data.
The decision tree below formalises the choice between the possible solutions:
Conclusion: in BPC Embedded, which is deeply integrated with BW, you have various options for controlling access to data, and they can meet very complicated requirements. Of the solutions given, the most comprehensive is the combination of BW analysis authorizations, access restrictions on queries/workbooks and BPC DAPs, which is solution 3 on the diagram. The benefit of using BPC DAPs is that a power user can assign, change or remove data access for existing users or teams without involving IT. The downside is extra maintenance effort, because access assignments for new users have to be done twice, in BW and in BPC.
Not every project imposes such requirements, though, and the simplified options remain available to the project team.