
How to Build and Integrate Security Strategy for SAP NetWeaver Business Warehouse and SAP BusinessObjects Tools
Jesper Moselund Christensen COMERIT
2010 Wellesley Information Services. All rights reserved.

In This Session ...

- Get an overview of the integration options from SAP BusinessObjects to SAP NetWeaver Business Warehouse (SAP NetWeaver BW)
- Understand the security implications when integrating SAP NetWeaver BW and SAP BusinessObjects tools
- Get best practices for integrating SAP BusinessObjects and SAP NetWeaver BW security concepts

What We'll Cover

- Integration options for SAP BusinessObjects to SAP NetWeaver BW
- SAP NetWeaver BW and SAP BusinessObjects security overview
- Integrating SAP BusinessObjects and SAP NetWeaver BW security
- Wrap-up

SAP BusinessObjects and SAP NetWeaver BW Integration

[Figure: overview of the SAP BusinessObjects tools (including Explorer) integrating with SAP NetWeaver BW. Source: SAP]

Improvements in SAP NetWeaver BW Enhancement Pack 1

[Figure: improvements in SAP NetWeaver BW Enhancement Pack 1. Source: SAP]

The Four Integration Points from SAP BusinessObjects to SAP NetWeaver BW

- OLAP BAPI
  - The most commonly used option. It uses the MDX language.
  - Used by SAP BusinessObjects Voyager and by OLAP universes, which in turn serve SAP BusinessObjects Web Intelligence and Crystal Reports
  - Almost all the functionality of the SAP NetWeaver BW OLAP engine is available through this interface
- BI Consumer Services (BICS)
  - Originally developed for SAP BEx; now also used by the Xcelsius integration with SAP NetWeaver BW
  - All functionality of the SAP NetWeaver BW OLAP engine is available

The Four Integration Points from SAP BusinessObjects to SAP NetWeaver BW (cont.)

- SQL
  - Uses SAP BusinessObjects Data Federator
  - Data Federator reads directly from the SAP NetWeaver BW data layer, so the options of the OLAP engine are not available
- Direct access to SAP NetWeaver BW Accelerator
  - SAP BusinessObjects Explorer uses this option to ensure fast response times
  - This option has been enhanced to support limited SAP NetWeaver BW security

Two Options for Universe Integration

- Choose the right option for your universe integration
- SQL should only be used for mass data

[Figure: the two universe integration options. Source: SAP]

What We'll Cover

- Integration options for SAP BusinessObjects to SAP NetWeaver BW
- SAP NetWeaver BW and SAP BusinessObjects security overview
- Integrating SAP BusinessObjects and SAP NetWeaver BW security
- Wrap-up

Security in a Reporting System

There are four main areas that should be managed with regard to security:
- Authentication and Single Sign-On (SSO)
- Roles in SAP and user groups in SAP BusinessObjects
- Report authorization
- Data authorization

All of these are available in both SAP NetWeaver BW and in SAP BusinessObjects. It is therefore easy to get into a situation where security is maintained in both systems, or partly in one system and partly in the other. A clearly defined security setup avoids this pitfall.

SAP BusinessObjects Managed vs. Un-Managed

- The SAP BusinessObjects portfolio supports both an unmanaged and a managed reporting environment
- The main difference is that a managed reporting environment uses SAP BusinessObjects Enterprise for report distribution
  - It can use the several authentication options available in SAP BusinessObjects Enterprise
- The unmanaged option is mainly based on standalone desktop installations of Crystal Reports, Xcelsius, Web Intelligence and Desktop Intelligence
  - An unmanaged reporting environment normally requires the user to log on with user ID and password to access data sources such as SAP NetWeaver BW
  - The exception is Crystal Reports, which can use SNC when accessing SAP systems

SAP BusinessObjects Enterprise Authentication Options

SAP BusinessObjects has several options for authentication:
- SAP BusinessObjects Enterprise authentication
- LDAP
- Windows Active Directory (AD)
- Windows NT
- SAP

Which options are used is defined in the Central Management Console under Authentication.

SAP BusinessObjects Enterprise Authentication Options (cont.)

Authentication type: Enterprise
Description: The default for SAP BusinessObjects Enterprise
Comment: Use the system default Enterprise authentication if you prefer to create distinct accounts and groups for use with SAP BusinessObjects Enterprise, or if you have not already set up a hierarchy of users and groups in a Windows NT user database, an LDAP directory server, or a Windows AD server.

Authentication type: Windows NT
Description: Reuse of NT accounts and groups
Comment: If you are working in a Windows NT environment, you can use existing NT user accounts and groups in SAP BusinessObjects Enterprise. When you map NT accounts to SAP BusinessObjects Enterprise, users are able to log on to SAP BusinessObjects Enterprise applications with their NT user name and password. This can reduce the need to recreate individual user and group accounts within SAP BusinessObjects Enterprise.

Authentication type: LDAP
Description: Use an LDAP directory of users and groups
Comment: If you set up an LDAP directory server, you can use existing LDAP user accounts and groups in SAP BusinessObjects Enterprise. When you map LDAP accounts to SAP BusinessObjects Enterprise, users are able to access SAP BusinessObjects Enterprise applications with their LDAP user name and password. This eliminates the need to recreate individual user and group accounts within SAP BusinessObjects Enterprise.

SAP BusinessObjects Enterprise Authentication Options (cont.)

Authentication type: Windows AD
Description: Reuse of AD accounts and groups
Comment: If you are working in a Windows 2000 or newer environment, you can use existing AD user accounts and groups in SAP BusinessObjects Enterprise. When you map AD accounts to SAP BusinessObjects Enterprise, users are able to log on to SAP BusinessObjects Enterprise applications with their AD user name and password. This eliminates the need to recreate individual user and group accounts within SAP BusinessObjects Enterprise.

Authentication type: SAP
Description: Reuse of SAP accounts and roles (groups)
Comment: If you are working in an SAP environment, you can use existing SAP user accounts and roles in SAP BusinessObjects Enterprise. When you map SAP accounts to SAP BusinessObjects Enterprise, users are able to log on to SAP BusinessObjects Enterprise applications with their SAP user name and password. This eliminates the need to recreate individual user and group accounts within SAP BusinessObjects Enterprise. Note: this option requires that the SAP Integration Kit is installed.

SAP NetWeaver BW Authentication Options

SAP also supports several authentication options. Some of these are:
- Manual entry (SAP logon)
- Windows Active Directory with Kerberos single sign-on
- LDAP single sign-on
- SAP logon ticket: recommended for authentication between SAP systems, and should also be used for SAP BusinessObjects Enterprise when connecting to SAP via SAP NetWeaver Portal

SNC and Server-Side Authentication

- Server-side trust using SNC (Secure Network Communications) enables one system to connect to another without passing the password of the connecting user
- This is required where reports are scheduled to run rather than run online by users
- SNC server-side trust requires that the servers are configured to allow logon with just the user ID; the trust placed in the calling server, and the protection of its SNC credentials, then stands in for the user's password
- SAP provides cryptographic libraries to ensure that the configuration is secure

Ingo Hilgefort has posted a great blog on how to set up SNC between SAP BusinessObjects and SAP at http://ingohilgefort.blogspot.com/2009/07/businessobjectsand-snc-for-client.html

View and View On Demand Access Levels in SAP BusinessObjects

View On Demand access level
- On-demand reporting gives users real-time access to live data, straight from the database server
- Consider whether or not you want all of your users hitting the database server on a continual basis
- Users require View On Demand access to refresh reports against the database

View and View On Demand Access Levels in SAP BusinessObjects (cont.)

View access level
- To reduce the amount of network traffic and the number of hits on your database servers, you can schedule reports to run at specified times. Once a report has run, users can view that report instance as needed without triggering additional hits on the database
- Minimizes data transfer over the network and the database server's workload
- Users require only View access to display report instances

View On Demand authenticates the user against SAP NetWeaver BW and ensures that the authorizations are taken from SAP NetWeaver BW.

View uses the data stored in the instance on SAP BusinessObjects Enterprise; data-level security then has to be maintained in SAP BusinessObjects.

SAP NetWeaver BW Roles and SAP BusinessObjects User Groups

- SAP BusinessObjects user groups
  - Users are assigned to user groups
  - Rights can be assigned to user groups
- SAP NetWeaver BW roles
  - Users are assigned to roles
  - Authorizations are assigned to roles

SAP BusinessObjects Enterprise user groups = SAP roles

- SAP roles can be imported into SAP BusinessObjects Enterprise and turned into user groups
- This allows single maintenance of users in SAP NetWeaver BW and of their group assignments in SAP BusinessObjects Enterprise

Report Authorization

- SAP BusinessObjects controls report security through folders, or via specific rights at the object level within folders
  - Folders can be arranged as a hierarchy and access can be inherited
  - A user can have different access for different types of reports within one folder
- SAP NetWeaver BW controls report access via ABAP security and, to some extent, roles in SAP NetWeaver Portal
  - ABAP authorization objects that control report access:
    - S_RS_COMP and S_RS_COMP1: reporting components
    - S_RS_BTMP: Web templates
    - S_RS_ERPT: reports

Controlling Data Access

- SAP BusinessObjects: there are several options to build data-level security
  - Use the source DBMS access controls
  - Use the source OLAP controls
  - Build profiles in SAP BusinessObjects Enterprise
  - Build access into Crystal Reports or universes
- SAP NetWeaver BW uses analysis authorizations to control data access by row and column
  - Analysis authorizations can be assigned directly to users, or to users via roles

Security Comparison

SAP NetWeaver BW: Authorization objects
SAP BusinessObjects Enterprise: Rights
Comment: Individual actions and activities that can be performed for an object

SAP NetWeaver BW: Profiles
SAP BusinessObjects Enterprise: Access levels
Comment: A collection of activities and actions

SAP NetWeaver BW: Analysis authorizations
SAP BusinessObjects Enterprise: Profiles
Comment: Controls access to specific data slices, e.g., Country = USA

SAP NetWeaver BW: Worksets
SAP BusinessObjects Enterprise: Folders
Comment: A collection of objects, reports, and documents

SAP NetWeaver BW: Roles
SAP BusinessObjects Enterprise: Groups
Comment: A collection of users who share the same account privileges. Both SAP and SAP BusinessObjects support a hierarchy of roles or groups.

Things to Remember

- SAP BusinessObjects Enterprise
  - Allows very granular security, maintained at each object (folder, report, etc.)
  - This can be useful in some instances, but if used extensively it causes a very complex and hard-to-maintain security setup
  - Denied rights override granted rights, including rights inherited from a parent folder or parent group
  - Denied or not maintained = not authorized
- SAP NetWeaver BW
  - Allows very granular security, but object security is maintained within the roles and not at each object
  - It is not possible to deny access; only granted accesses are maintained
  - Not maintained = not authorized
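To make the two rights models concrete, the following Python is an added example; it is not part of the presentation and not code from either product. It evaluates effective access the way the two bullet groups describe: on the SAP BusinessObjects Enterprise side, a right set on a folder or on a parent group is inherited, an explicit deny anywhere in that chain wins over every grant, and a right nobody maintained is not authorized; on the SAP NetWeaver BW side, authorizations are only ever granted through roles and there is nothing to deny. The user, group, folder and role names and the simplified (authorization object, value) pairs are constructed for the illustration.

```python
"""Added example: effective access in the SAP BusinessObjects Enterprise and
SAP NetWeaver BW models. All names and data below are constructed; BW
authorizations are simplified to (authorization object, value) pairs."""
from typing import Dict, List, Optional, Set, Tuple

# ---------------- SAP BusinessObjects Enterprise: object rights ----------------
# A right entry is (principal, object, right, granted). Principals are users or
# groups; objects are folder or report paths. A right set on a folder is inherited
# by everything beneath it, and a right set on a parent group is inherited by its
# child groups (for example an imported SAP role placed under "Report Viewers").
RightEntry = Tuple[str, str, str, bool]


def _chain(node: Optional[str], parent_of: Dict[str, Optional[str]]) -> List[str]:
    """node followed by each of its parents up to the root."""
    out: List[str] = []
    while node is not None:
        out.append(node)
        node = parent_of.get(node)
    return out


def boe_effective_right(user: str, right: str, obj: str,
                        user_groups: Dict[str, List[str]],
                        group_parent: Dict[str, Optional[str]],
                        object_parent: Dict[str, Optional[str]],
                        rights: List[RightEntry]) -> bool:
    """True if `user` effectively holds `right` on `obj` (BOE semantics)."""
    principals: Set[str] = {user}
    for group in user_groups.get(user, []):
        principals.update(_chain(group, group_parent))
    in_scope = set(_chain(obj, object_parent))
    applicable = [granted for principal, target, name, granted in rights
                  if principal in principals and target in in_scope and name == right]
    if False in applicable:          # an explicit Denied anywhere in scope wins
        return False
    return True in applicable        # nothing maintained at all = not authorized


# ---------------- SAP NetWeaver BW: grant-only role authorizations ----------------
Authorization = Tuple[str, str]    # (authorization object, value), e.g. ("S_RS_COMP", "ZSALES_Q1")


def bw_authorized(user: str, auth_object: str, value: str,
                  user_roles: Dict[str, List[str]],
                  role_auths: Dict[str, Set[Authorization]]) -> bool:
    """True if any role assigned to `user` carries the authorization. There is no
    deny in this model: what no role grants is simply not authorized."""
    return any((auth_object, value) in role_auths.get(role, set())
               for role in user_roles.get(user, []))


# ---------------- constructed sample data ----------------
USER_GROUPS = {"jsmith": ["Z_BW_SALES"]}            # imported SAP role acting as a BOE group
GROUP_PARENT = {"Z_BW_SALES": "Report Viewers", "Report Viewers": None}
OBJECT_PARENT = {"Public/Sales/Q1 Sales": "Public/Sales",
                 "Public/Sales": "Public", "Public/HR": "Public", "Public": None}
RIGHTS: List[RightEntry] = [
    ("Report Viewers", "Public/Sales", "View", True),                 # inherited by children
    ("Report Viewers", "Public/Sales", "ViewOnDemand", True),
    ("Z_BW_SALES", "Public/Sales/Q1 Sales", "ViewOnDemand", False),  # explicit deny on one report
]
USER_ROLES = {"JSMITH": ["Z_BW_SALES"]}
ROLE_AUTHS = {"Z_BW_SALES": {("S_RS_COMP", "ZSALES_Q1")}}


def demo() -> Dict[str, bool]:
    args = (USER_GROUPS, GROUP_PARENT, OBJECT_PARENT, RIGHTS)
    return {
        "boe view q1": boe_effective_right("jsmith", "View", "Public/Sales/Q1 Sales", *args),
        "boe vod q1": boe_effective_right("jsmith", "ViewOnDemand", "Public/Sales/Q1 Sales", *args),
        "boe view hr": boe_effective_right("jsmith", "View", "Public/HR", *args),
        "bw sales q1": bw_authorized("JSMITH", "S_RS_COMP", "ZSALES_Q1", USER_ROLES, ROLE_AUTHS),
        "bw hr q1": bw_authorized("JSMITH", "S_RS_COMP", "ZHR_Q1", USER_ROLES, ROLE_AUTHS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'authorized' if result else 'not authorized'}")
```

The interesting case is "boe vod q1": the imported role inherits View On Demand on the whole Sales folder from its parent group, yet the single deny placed on one report removes it, which is exactly why the slide warns about deny rights. On the BW side the same user simply lacks an authorization for the HR query, and no amount of role assignment elsewhere changes that.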

What We'll Cover

- Integration options for SAP BusinessObjects to SAP NetWeaver BW
- SAP NetWeaver BW and SAP BusinessObjects security overview
- Integrating SAP BusinessObjects and SAP NetWeaver BW security
- Wrap-up

Integrating Authentication Can Be Complex

Authentication complexities between SAP BusinessObjects and SAP systems

[Diagram: users authenticating to the SAP BusinessObjects Enterprise server with single sign-on via LDAP or AD; SAP logon tickets; encryption and SNC towards multiple SAP systems; SAP NetWeaver Portal in the flow]

The Authentication Flow

- Client connection to SAP BusinessObjects Enterprise, options:
  - User name/password
  - SAP token (MYSAPSSO2 ticket/cookie)
  - Trusted authentication
- CMS-managed sessions
  - The logon request is validated by the SAP system
  - User validation against the default logical system as a fallback
  - User aliases are maintained in the CMS repository
- Data retrieval from SAP NetWeaver BW, options:
  - User name/password
  - Impersonation using SNC server-side trust
  - SAP token (MYSAPSSO2 ticket/cookie)

Authentication Integration Options

[Figure: authentication integration options. Source: SAP]

Integrating Authentication Best Practice

- Use SAP authentication in SAP BusinessObjects Enterprise together with SAP NetWeaver Portal. This allows for:
  - Single sign-on using LDAP or AD to the SAP NetWeaver Portal; the Portal issues an SAP logon ticket
  - The SAP logon ticket is used for authentication to SAP BusinessObjects Enterprise and all underlying SAP systems
- Import roles and users from SAP NetWeaver BW into SAP BusinessObjects Enterprise (one-time maintenance)
  - Imported SAP users are qualified with the logical system name
  - The logical system name is derived from the SAP system ID and client number: <SYSID>CLNT<CLIENT>
  - Imported roles from SAP become user groups in SAP BusinessObjects Enterprise
- Also set up server-side trust to allow for scheduling of reports
  - A logon ticket expires and can't be used for scheduling

The 10-Step Implementation Guide

SAP BusinessObjects Enterprise server setup
1. Install SAP Front End (SAP GUI)
2. Install SAP Java Connector
3. Install SAP BusinessObjects XI Integration Solution for SAP
4. Set up the SAP system as an authentication source in SAP BusinessObjects Enterprise
5. Import SAP roles and users from SAP ABAP systems into SAP BusinessObjects Enterprise
   - Define and assign access levels to imported roles
   - Define alias users from multiple logical SAP systems (optional)
6. Configure SNC server-side authentication (optional)
7. Configure the Web application server hosting SAP BusinessObjects Enterprise for SSO and SNC

The 10-Step Implementation Guide (cont.)

SAP NetWeaver server setup
8. Install the SAP authentication helper transport from the SAP BusinessObjects XI Integration Kit for SAP (optional)
9. Ensure that users are assigned to SAP roles
10. Configure SAP NetWeaver Portal and SAP ABAP trust for token or SNC validation

Thin and Thick Clients Require Additional Steps

- Thick client (Crystal Reports, Universe Designer, etc.)
  - Install SAP Front End (SAP GUI)
  - Install SAP BusinessObjects XI Integration Solution for SAP
  - Enable client-side SNC for Crystal Reports (optional)
- Thin client
  - Configure the SAP BusinessObjects Enterprise Web application server for SNC (optional)

SAP System Setup for Authentication in SAP BusinessObjects Enterprise

- The SAP system is defined in the Central Management Console in SAP BusinessObjects Enterprise under Authentication
- Both message server and application server scenarios are supported

The password used should be UPPER CASE in both systems. Passwords are case sensitive in SAP NetWeaver 7.0.

Importing SAP Roles into SAP BusinessObjects Enterprise

- The role import is done from the Central Management Console in SAP BusinessObjects Enterprise under Authentication > SAP
- Go to the SAP system and choose Role Import
- Select the roles that you want to transfer to SAP BusinessObjects Enterprise

Importing SAP Users into SAP BusinessObjects Enterprise

Additional options:
- Set the option to automatically import the users
- You can define a default system to be used for authentication of SAP users

Two Options for Integrating Report Security

- Option 1: Reuse the SAP NetWeaver BW security 100% by granting access to all reports in SAP BusinessObjects Enterprise and using the View On Demand access level, so that users execute the SAP NetWeaver BW queries and thereby have the S_RS_COMP authorization check invoked
  - Pros: no dual maintenance, fast to implement
  - Cons: less intuitive for the users, as they will see reports that they are not authorized to execute
- Option 2: Create a few user-friendly groups in SAP BusinessObjects Enterprise with access only to the reports the users are authorized to execute
  - Pros: users will see only the reports they can execute; the View access level can be used for reports without data security requirements
  - Cons: users can't see reports that they are not authorized to execute (no report inventory); more maintenance

Additional Setup Still Required in SAP BusinessObjects Enterprise

- Importing the SAP NetWeaver BW roles does not mean they can be used without modifications
- Rights and access levels must be assigned to the imported roles
- Use a group hierarchy to handle this, by assigning the imported role as a child of an existing group in SAP BusinessObjects Enterprise
- Access is then maintained at the parent group level for all objects in SAP BusinessObjects Enterprise as needed

Integrating Data Security

- Data security can be fully integrated as long as the View On Demand access level is used for all reports in SAP BusinessObjects
- Always use the View On Demand access level for SAP integration unless there is no data security requirement

View On Demand forces the data to be fetched from SAP NetWeaver BW by each user and hence forces the user's data security to be invoked. Consider the performance impact when this option is used.
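The consequence of the two access levels for data security, as an added example in Python (not from the presentation, and not product code): a report instance scheduled under a service account holds whatever that account is allowed to see, and View hands the stored instance to every viewer unchanged, while View On Demand re-runs the query as the viewer so that SAP NetWeaver BW applies the viewer's own analysis authorizations. The InfoProvider rows, the user names and the analysis authorizations (reduced to a set of permitted Country values per user) are all constructed.

```python
"""Added example: View vs. View On Demand and where data security is enforced.
Everything here is constructed: the rows stand for a BW InfoProvider, and an
analysis authorization is reduced to the set of Country values a user may see
('*' = all)."""
from typing import Dict, List, Set

Row = Dict[str, object]

SALES_DATA: List[Row] = [                       # constructed InfoProvider content
    {"Country": "USA", "Revenue": 120},
    {"Country": "USA", "Revenue": 80},
    {"Country": "DE", "Revenue": 95},
    {"Country": "DK", "Revenue": 40},
]

ANALYSIS_AUTH: Dict[str, Set[str]] = {          # constructed analysis authorizations
    "SCHED_SVC": {"*"},          # scheduling identity used via server-side trust
    "JSMITH": {"USA"},
    "AMUELLER": {"DE", "DK"},
    "NEWHIRE": set(),            # nothing maintained = sees no data
}


def run_bw_query(user: str) -> List[Row]:
    """The BW side. The query is pre-filtered by the calling user's analysis
    authorization, which is the job a not-ready-for-input authorization variable
    does in a BEx query. BW only ever knows the identity it was called with."""
    allowed = ANALYSIS_AUTH.get(user, set())
    if "*" in allowed:
        return list(SALES_DATA)
    return [row for row in SALES_DATA if row["Country"] in allowed]


class ReportInstance:
    """What a scheduled run leaves behind in the BOE repository."""
    def __init__(self, executed_as: str, rows: List[Row]) -> None:
        self.executed_as = executed_as
        self.rows = rows


def schedule_report(scheduling_user: str) -> ReportInstance:
    """Scheduled execution: BW is queried once, as the scheduling identity."""
    return ReportInstance(scheduling_user, run_bw_query(scheduling_user))


def view_instance(instance: ReportInstance, viewer: str) -> List[Row]:
    """'View' access level: the viewer receives the stored instance as-is. The
    viewer's BW authorizations are never consulted (the parameter is deliberately
    unused); only BOE rights decide who may open the instance, so any data-level
    security has to be built in BOE."""
    return instance.rows


def view_on_demand(viewer: str) -> List[Row]:
    """'View On Demand' access level: the refresh reaches BW as the viewer (via
    SSO ticket or SNC impersonation), so BW's analysis authorizations apply."""
    return run_bw_query(viewer)


def countries(rows: List[Row]) -> Set[str]:
    return {str(row["Country"]) for row in rows}


def exposure(instance: ReportInstance, viewer: str) -> Set[str]:
    """Countries a viewer sees in a stored instance beyond their BW authorization.
    Non-empty means View on this instance shows data View On Demand would not."""
    allowed = ANALYSIS_AUTH.get(viewer, set())
    if "*" in allowed:
        return set()
    return countries(instance.rows) - allowed


if __name__ == "__main__":
    instance = schedule_report("SCHED_SVC")
    for user in ("JSMITH", "AMUELLER", "NEWHIRE"):
        print(user, "View:", sorted(countries(view_instance(instance, user))),
              "| View On Demand:", sorted(countries(view_on_demand(user))),
              "| exposed via View:", sorted(exposure(instance, user)))
```

The exposure() check is the one to run before granting View on a scheduled instance: if it is non-empty for any intended viewer, either the instance must be scheduled under an identity with no broader authorization than the viewers, or data-level security must be rebuilt on the SAP BusinessObjects side, which is the dual maintenance the presentation is trying to avoid.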

Integrating Security in BEx Queries

- The recommended option for integrating from SAP BusinessObjects to SAP NetWeaver BW is to use a BEx query as the source for a universe
- This option can make use of:
  - The SAP NetWeaver BW OLAP engine capabilities
  - Security defined at InfoProvider as well as query level in SAP NetWeaver BW
  - SAP NetWeaver BW Accelerator
- Security integration can be made easier by applying a few simple design standards to BEx queries

1. Use Navigational Attributes for Security

- Use specific security InfoObjects in your SAP NetWeaver BW system
- E.g., do not use 0COMP_CODE directly; instead create a reference InfoObject (e.g., SECCOMPCD) and add it as a navigational attribute of 0COMP_CODE
- It has the same values as the base object, but can be chosen to be used only in the InfoProviders that require security on that object

2. Use Authorization Variables in the BEx Queries

- To avoid problems with mandatory variables in the SAP BusinessObjects tools, always pre-filter the queries using the authorization of the user
- This is easily done with authorization variables that are not ready for input in the queries

What We'll Cover

- Integration options for SAP BusinessObjects to SAP NetWeaver BW
- SAP NetWeaver BW and SAP BusinessObjects security overview
- Integrating SAP BusinessObjects and SAP NetWeaver BW security
- Wrap-up

Resources

- Ingo Hilgefort, Integrating SAP BusinessObjects XI 3.1 Tools with SAP NetWeaver (SAP Press, 2009). www.sap-press.com/product.cfm?account=&product=H3034
- Mike Seblani and Boris Kovacevic, Business Objects XI Integration for SAP Solutions: SAP Security Integration. www.sdn.sap.com/irj/boc/index?rid=/library/uuid/9095a5b077e0-2b10-fd8e-aad948b16fde
- BusinessObjects Enterprise XI 3 Administration Guide. http://help.sap.com/businessobject/product_guides/boexir3/en/xi3_bip_admin_en.pdf

Resources (cont.)

- Ned Falk, SAP NetWeaver 2004s: New Analysis Authorizations Ease Administration (BI Expert, June 2007).
- BusinessObjects Integration Kit for SAP Installation and Configuration. www.sdn.sap.com/irj/boc/go/portal/prtroot/docs/library/uuid/a00ee3b2-5283-2b10-f1bf-8c6413e0898f?nbsp=&QuickLink=index&overridelayout=true
- Marc Bernard, An Expert Guide to New SAP BI Security Features. www.sdn.sap.com/irj/scn/events?rid=/library/uuid/659fa0a20a01-0010-b39c-8f92b19fbfea

7 Key Points to Take Home

- It is possible to integrate SAP BusinessObjects and SAP NetWeaver BW security
  - The good integration was one reason for SAP to buy BusinessObjects
- Use the native integration from SAP BusinessObjects to SAP NetWeaver BW to gain full access to the SAP NetWeaver BW OLAP engine functionality
- Use SAP logon tickets via an SAP NetWeaver Portal with single sign-on to support seamless SAP BusinessObjects and SAP NetWeaver BW BEx reporting

7 Key Points to Take Home (cont.)

- Avoid dual maintenance by using SAP NetWeaver BW as the source system for your users and groups
  - Import and use the SAP NetWeaver BW roles in your SAP BusinessObjects Enterprise system to manage security across the systems
  - Assign SAP BusinessObjects access levels to the SAP NetWeaver BW roles inside SAP BusinessObjects Enterprise
- Be careful if you decide to use deny rights in SAP BusinessObjects Enterprise: a denied right overrules granted accesses
- Use the View On Demand access level in SAP BusinessObjects Enterprise by default to ensure that users get access to the correct data from SAP NetWeaver BW

7 Key Points to Take Home (cont.)

- Use authorization variables instead of user-entry variables for data security in the SAP NetWeaver BW queries that are used in universes and Xcelsius

Your Turn!

How to contact me: Jesper Moselund Christensen jesper@comerit.net



Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver, Duet, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.
