Authorizations in SAP Datasphere are implemented using Data Access Controls. This blog post gives a great overview of the functionality and how to create and apply authorizations.
Data Access Controls are a very generic concept, and this is good, because SAP Datasphere integrates data from different kinds of systems, which all have their own authorization concepts. Generic also means open, and that's the idea behind it.
Does this mean I have to implement all my authorizations again? How can I ensure that changes to authorizations in the sources are updated to SAP Datasphere?
In this blog post I describe an approach for an S/4HANA system that should answer those questions and that is also valid for SAP ECC.
The general approach is simple:
It’s obvious that step 1 is the relevant and very likely most complex one, because this must be done for each system type. The integration using remote tables helps fulfil the requirement to have an automatic synchronization of the authorizations.
For SAP BW/4HANA and SAP BW we provide the Remote Authorization feature that takes care of the authorization integration.
My example is about integrating the authorizations for sales organizations from an SAP S/4HANA system for usage in SAP Datasphere. This approach is also valid when you want to integrate the authorizations from several source systems.
The first step is to define how the authorization can be derived from the existing SAP S/4HANA authorizations. For this you need to define which authorization object(s) are relevant for your scenario.
To integrate the authorization values and user assignments into SAP Datasphere we need to combine the following three objects from the source system:
This can be achieved in a graphical view that uses joins to build a structure with the username and the corresponding authorization values:
Since authorization values can contain wildcards, we need to convert the wildcards into individual values as the Data Access Controls currently do not support wildcards.
For this we need to do two things:
Finally, we combine the two views with a join. To allow for the wildcards we need to use the LIKE predicate and apply all relevant filters (role, auth. object, field name, validity, …).
We do this in a scripted SQL view:
The result of this view gives a list of all users and the sales organizations they are currently authorized for:
And you can easily imagine that this approach can also be used to combine authorization data from several source systems by combining the authorization values and master data from those systems.
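The wildcard join with the LIKE predicate described above, as an added example that is not the view from the original post. It runs against an in-memory SQLite database rather than SAP Datasphere; the table and column names, the sample rows and the object and field names in them (`V_VBAK_VKO`, `VKORG`, `VTWEG`) are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data. Table and column names are hypothetical stand-ins for
# the role assignment, role authorization value and sales org master data views.
SCHEMA = r"""
CREATE TABLE user_roles (username TEXT, role TEXT, valid_from TEXT, valid_to TEXT);
CREATE TABLE role_auth_values (role TEXT, auth_object TEXT, field TEXT, low TEXT);
CREATE TABLE sales_orgs (sales_org TEXT);
INSERT INTO user_roles VALUES
  ('ALICE', 'Z_SALES_10',  '2020-01-01', '9999-12-31'),
  ('BOB',   'Z_SALES_ALL', '2020-01-01', '9999-12-31'),
  ('CAROL', 'Z_SALES_10',  '2019-01-01', '2021-12-31'),
  ('DAVE',  'Z_SALES_A1',  '2020-01-01', '9999-12-31');
INSERT INTO role_auth_values VALUES
  ('Z_SALES_10',  'V_VBAK_VKO', 'VKORG', '10*'),
  ('Z_SALES_10',  'V_VBAK_VKO', 'VTWEG', '*'),
  ('Z_SALES_ALL', 'V_VBAK_VKO', 'VKORG', '*'),
  ('Z_SALES_A1',  'V_VBAK_VKO', 'VKORG', 'A_1');
INSERT INTO sales_orgs VALUES ('1010'), ('1020'), ('2010'), ('A_1'), ('AB1');
"""

# '*' becomes the LIKE wildcard '%'. Literal '\', '_' and '%' in an authorization
# value are escaped first; otherwise 'A_1' would also grant 'AB1'.
QUERY = r"""
SELECT DISTINCT u.username, s.sales_org
FROM user_roles u
JOIN role_auth_values a ON a.role = u.role
JOIN sales_orgs s ON s.sales_org LIKE
  REPLACE(REPLACE(REPLACE(REPLACE(a.low, '\', '\\'), '_', '\_'), '%', '\%'), '*', '%')
  ESCAPE '\'
WHERE a.auth_object = :obj AND a.field = :field
  AND :today BETWEEN u.valid_from AND u.valid_to
"""

def authorized_sales_orgs(today, obj="V_VBAK_VKO", field="VKORG"):
    """Return the set of (username, sales_org) pairs valid on `today` (ISO date)."""
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(SCHEMA)
        params = {"obj": obj, "field": field, "today": today}
        return set(con.execute(QUERY, params).fetchall())
    finally:
        con.close()

if __name__ == "__main__":
    for row in sorted(authorized_sales_orgs("2024-06-01")):
        print(row)
```

Dropping the field-name filter would let the `VTWEG` wildcard row expand to every sales organization for ALICE, and dropping the validity filter would keep CAROL's expired role assignment active.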
Now we are ready to create the Data Access Control based on the scripted SQL view and sales organization column as data entity:
The identifier column must be set to the username and you are ready to go:
The Data Access Control is now ready and provides real-time authorizations from the source system.
This approach accesses the S/4HANA system in real time. If you are worried about putting more load on your source system or about the impact on response times, you can of course also use the data replication functionality for remote tables offered in the Data Integration Monitor in SAP Datasphere.
The final step is of course to assign the newly created Data Access Control to the relevant views. Relevant meaning all views that shall be protected via the authorizations for sales organization.
If you wonder how this could be set up, the SAP Datasphere help documentation contains a good example of how the space concept can be used to ensure a segregation of application data from the authorizations.
What have we achieved?
What does this mean for you? Hopefully I was able to demonstrate how a flexible authorization integration can be achieved and that you can use this approach in your SAP Datasphere projects.