Introducing Remote Authorizations from SAP BW/4HANA for SAP Datasphere
Ensuring secure access to data is key for any system landscape, whether on-premise or in the cloud, and especially in SAP Datasphere environments, where various data sources are consolidated and centrally managed to build a single version of the truth.
In historically grown landscapes, with different concepts for defining and securing row-level access to data, users end up implementing row-level security separately for each system, which is a huge development and administration effort to keep the security consistent and up to date.
So, the central question is: how can existing authorizations be leveraged in SAP Datasphere?
*) Data Access Control
Potentially there are two common possibilities to achieve this with SAP Datasphere:
- Accessing the data in the source system in a federated way, where a technical user (with a well-defined set of authorizations) is used to access the data from a given source, as is done today.
- A second option is to leverage existing authorizations from the source by replicating them to SAP Datasphere, generating the corresponding authorizations (Data Access Controls, in the case of SAP Datasphere) and applying them in SAP Datasphere.
Both options make sense and are, in one way or another, already available/supported in various applications. However, looking at SAP Datasphere as a central Data Warehouse application that consolidates different sources of data, it also makes sense to have one central, common concept of row-level security that reduces implementation effort by leveraging the existing authorizations from the sources.
This blog shares more detailed information on how the new Remote Authorization functionality works for SAP BW/4HANA, the first integration scenario to be supported.
Introduction to Remote Authorizations for SAP Datasphere from SAP BW/4HANA
Replicating Authorizations from SAP BW/4HANA to SAP Datasphere is a process which starts in SAP BW/4HANA and continues in SAP Datasphere. The result is that existing Analysis Authorizations from SAP BW/4HANA can be leveraged in SAP Datasphere.
To achieve this, three objects are generated in SAP Datasphere for each InfoProvider selected in SAP BW/4HANA, to replicate its associated Analysis Authorizations:
- The Data Access Control(s) based on the associated Analysis Authorizations for a given InfoProvider in SAP BW/4HANA
- An SQL Script that provides the list of authorized values for each user
- Finally, a protected view on the InfoProvider to which the generated DAC is assigned. This view can be shared with other Spaces for further usage.
Let me share a more detailed view of the process before showing some insights from a system perspective:
Step 1 – in SAP BW/4HANA
Definition of the scope of Analysis Authorizations (User, InfoProvider) to be exported into the Permission Table in SAP BW/4HANA (Transaction: RSDWC_DAC_RSEC_GEN; technical name of the Permission Table: RSDWC_RSEC_DAC). This table is the basis for replicating Analysis Authorizations to SAP Datasphere.
Step 2 – in SAP Datasphere
On the SAP Datasphere side, the Permission Table is imported from SAP BW/4HANA; this process is supported by a wizard.
In this step, the BW user is exchanged for the user in SAP Datasphere. Typically, the username used in SAP Datasphere is the e-mail address. In most cases the e-mail address is part of the user profile in SAP BW/4HANA, so the names can easily be exchanged. For the remaining cases (e.g. where the e-mail address is not maintained), a BAdI can be used to derive this information. The technical name of the BAdI is RSDWC_DAC_RSEC_USER_UPDATE (see also SAP Note 3062381).
Important note: each of the objects generated as part of this process is imported metadata-wise, with remote connections to the original objects in SAP BW/4HANA. This is true for the Permission Table as well as for the protected views of the InfoProviders.
The recommendation for the remote Permission Table on the SAP Datasphere side is to keep using the default federated (remote) access to the Permission Table in SAP BW/4HANA. If a replication of the Permission Table to SAP Datasphere is considered, a daily upload (refresh) should be scheduled to keep the data in sync and up to date.
Step 3 – in SAP Datasphere
The SAP BW/4HANA InfoProvider(s) for which the relevant Analysis Authorizations should be imported must also be imported into SAP Datasphere (via the Data Builder). They must be imported and deployed (again: metadata-wise). This step can be done as a prerequisite before starting the wizard.
Step 4 – in SAP Datasphere
An Input Permission View is generated by applying the filter clause (in the form of a generated SQL Script), where each authorized value a user is allowed to see is represented by one record in a list. Analysis Authorizations on hierarchy nodes are flattened. If a user is allowed to see all values (represented by a ‘*’ (asterisk) in Analysis Authorizations), a filter string is generated which contains all values of the authorization-relevant InfoObject.
Step 5 – in SAP Datasphere
The Data Access Control is generated, with the SQL Script from the previous step serving as the ‘Data Entity’ for the Data Access Control (carrying the list of all users and their authorized values, based on the Analysis Authorizations they have in SAP BW/4HANA).
Step 6 – in SAP Datasphere
A protected view with a remote connection to the original InfoProvider is generated, with the Data Access Control attached. This view can be shared with other Spaces for further usage/consumption.
Look & Feel of Remote Authorizations
Let us now take a look at the system and see how this process flows in SAP Datasphere as well as in SAP BW/4HANA.
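To make Steps 2, 4, 5 and 6 concrete, here is an added example (not part of the original post and not SAP code) that simulates the whole chain in plain Python: the exported permission rows are mapped from BW users to SAP Datasphere users via e-mail, hierarchy nodes are flattened into leaf values, the ‘*’ entry is expanded to all values of the InfoObject, and the resulting list is applied as a row-level filter on the InfoProvider data. The table layouts, the SALESORG hierarchy, the user profiles and the ZSALES rows are all constructed for illustration and are not the real structure of RSDWC_RSEC_DAC or of any SAP object; the names ZSALES, SALESORG and DAC01 are taken from the walkthrough below, the other users are made up. The `fallback` parameter plays the role of the BAdI: when no e-mail is maintained and nothing can be derived, the row is dropped and reported rather than silently granted.

```python
# Added example: simulation of the Remote Authorization pipeline.
# All data below is constructed; it is not the real RSDWC_RSEC_DAC layout.

# Step 1 (constructed): exported permission rows, one per (BW user, InfoProvider, InfoObject, value).
# 'value' is a leaf value, a hierarchy node name, or '*' meaning "all values".
PERMISSION_TABLE = [
    {"bw_user": "DAC01", "infoprovider": "ZSALES", "infoobject": "SALESORG", "value": "NODE_EMEA"},
    {"bw_user": "DAC02", "infoprovider": "ZSALES", "infoobject": "SALESORG", "value": "1000"},
    {"bw_user": "DAC03", "infoprovider": "ZSALES", "infoobject": "SALESORG", "value": "*"},
    {"bw_user": "DAC04", "infoprovider": "ZSALES", "infoobject": "SALESORG", "value": "2000"},
]

# Constructed hierarchy on SALESORG: node -> children (child nodes or leaf values).
SALESORG_HIERARCHY = {
    "NODE_EMEA": ["NODE_DE", "3000"],
    "NODE_DE": ["1000", "2000"],
}

# Constructed master data of SALESORG; used to expand the '*' authorization.
SALESORG_VALUES = ["1000", "2000", "3000", "4000"]

# Step 2 (constructed): BW user profiles; DAC04 has no e-mail maintained.
BW_USER_PROFILES = {
    "DAC01": {"email": "DAC01@example.com"},
    "DAC02": {"email": "dac02@example.com"},
    "DAC03": {"email": "dac03@example.com"},
    "DAC04": {"email": ""},
}

# Constructed InfoProvider content for the protected view.
ZSALES_DATA = [
    {"SALESORG": "1000", "AMOUNT": 10},
    {"SALESORG": "2000", "AMOUNT": 20},
    {"SALESORG": "4000", "AMOUNT": 40},
]


def map_bw_user(bw_user, profiles, fallback=None):
    """Return the Datasphere user name (e-mail) for a BW user.
    'fallback' stands in for the BAdI and may derive a name when no e-mail exists.
    Returns None when nothing can be derived so the caller can drop the row."""
    email = profiles.get(bw_user, {}).get("email", "")
    if email:
        return email.lower()
    if fallback is not None:
        return fallback(bw_user)
    return None


def flatten_node(value, hierarchy):
    """Step 4: flatten a hierarchy node into its leaf values; a leaf maps to itself."""
    if value not in hierarchy:
        return [value]
    leaves = []
    for child in hierarchy[value]:
        leaves.extend(flatten_node(child, hierarchy))
    return leaves


def build_authorized_values(permission_table, profiles, hierarchy, all_values, fallback=None):
    """Steps 2 and 4: one record per (user, InfoProvider, InfoObject, authorized leaf value).
    Returns (rows, unmapped_bw_users); unmapped users get no rows at all."""
    rows, unmapped = [], []
    for p in permission_table:
        ds_user = map_bw_user(p["bw_user"], profiles, fallback)
        if ds_user is None:
            unmapped.append(p["bw_user"])  # report instead of granting anything
            continue
        leaves = list(all_values) if p["value"] == "*" else flatten_node(p["value"], hierarchy)
        for leaf in sorted(set(leaves)):
            rows.append({"user": ds_user, "infoprovider": p["infoprovider"],
                         "infoobject": p["infoobject"], "value": leaf})
    return rows, unmapped


def protected_view(data_rows, authorized_rows, user, infoprovider, infoobject):
    """Steps 5 and 6: apply the DAC to the InfoProvider data for one user,
    i.e. keep only rows whose InfoObject value is in the user's authorized list."""
    allowed = {r["value"] for r in authorized_rows
               if r["user"] == user and r["infoprovider"] == infoprovider
               and r["infoobject"] == infoobject}
    return [row for row in data_rows if row[infoobject] in allowed]


if __name__ == "__main__":
    rows, unmapped = build_authorized_values(PERMISSION_TABLE, BW_USER_PROFILES,
                                             SALESORG_HIERARCHY, SALESORG_VALUES)
    print("unmapped BW users:", unmapped)
    for r in rows:
        print(r)
    print(protected_view(ZSALES_DATA, rows, "dac01@example.com", "ZSALES", "SALESORG"))
```

Running the block shows DAC01 expanded from the node NODE_EMEA to the leaf values 1000, 2000 and 3000, DAC03 expanded from ‘*’ to all four values, and DAC04 listed as unmapped because no e-mail is maintained; supplying a `fallback` that derives the name (the BAdI case) gives DAC04 its rows as well.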
1. Populating the Permission Table in SAP BW/4HANA
- In this example, the Advanced DataStoreObject (ADSO) ‘ZSALES’ should be made available in SAP Data Warehouse Cloud and protected by Data Access Controls
- On Characteristic (InfoObject) ‘SALESORG’ there is an Analysis Authorization defined
- User ‘DAC01’ has this Analysis Authorization assigned to his profile
2. Import Analysis Authorizations into SAP Datasphere
- Before starting the wizard to import Remote Authorizations, the InfoProviders to be protected and used in SAP Datasphere should be imported into SAP Datasphere
- The import can be done in the Data Builder by importing the InfoProvider from the BW Connection (In ‘Extractors’ section: Folder ‘BW’) into the canvas of the graphical view modelling.
- The table needs to be imported & deployed
- The import functionality for Analysis Authorizations from SAP BW/4HANA can be found on the landing page of Data Access Controls in SAP Datasphere
- In the first step of the wizard, a valid SAP BW/4HANA Connection must be selected
- Secondly (if not available already) a name must be entered for the Permission Table
- In the third step the InfoProvider(s) must be selected for which the protected views and the corresponding DACs should be generated
- In the last step of the wizard, a summary is displayed with all objects which will be generated: a Data Access Control, the protected view and the SQL script which delivers the authorized values for each user, based on the SAP BW/4HANA Authorizations.
- The generated objects at a glance 🙂
Remote Authorizations for SAP Datasphere from SAP BW/4HANA should reduce the development effort for row-level security by leveraging investments already made in SAP BW/4HANA; more source systems (i.e. SAP S/4HANA, SAP NetWeaver BW 7.5) are planned as potential further candidates to be supported.
Update January 2022:
Besides SAP BW/4HANA, we also want to support SAP NetWeaver BW 7.5 as a source for existing Analysis Authorizations to be imported into SAP Datasphere. Please implement SAP Note 3123815 to get the SAP NetWeaver BW-specific functionality of Remote Authorizations.
Update February 2022:
With Wave 2022.03, Remote Authorizations have been integrated into the SAP BW/4HANA Model Transfer of SAP Datasphere, so whenever data models are transferred from SAP BW/4HANA into SAP Datasphere, the corresponding authorizations can also be leveraged.