Question:
Hello all,
If anyone could provide a recommendation to the following scenerio, it would be greatly appreciated:
Customer wants to activate HR cubes and build queries off of them in BW. They have not implemented HR Structural in R3, however they would like to protect data in BW just like they are protecting InfoTypes 0002, 0003, 0008 etc in R3.
Are there a couple of key InfoTypes like 0employee or 0salary that should be made into custom auth objects to accomplish this or would anyone recommend something different.
Thanks,
Answer:
Here is a high level overview of the steps.
You need to look at the InfoObjects you will be using in your InfoCube - i.e. 0EMPLOYEE - and review the characteristics in that InfoObject and determine which are the sensitive or confidential data objects you want to secure.
Then you flag the selected characteristics as "Authorization Relevant" and create a custom authorization object for these characteristics using RSSM. You can then maintain and assign this auth object using RSSM or PFCG.
Then you must switch on the InfoProvider check by assigning this auth object to the InfoCube containing your 0EMPLOYEE data, again in RSSM. From that point on, this forces the auth object to be checked when ANY query tied to the InfoCube is executed.
You can find some further information in the Application Help under Setting Up Reporting Authorizations.
Mike
Answer:
Thanks Mike,
I'm very familiar with the steps involved in setting up BW Security, I was just curious as to the overall approach of implementing HR in BW. Especially when on the R3 side, they may not have implented HR to it's fullest...complete position based security..etc.
More like...would I incorporate using a flat file or transfer the HR to BW into an ODS and implement..etc.
But, I will take your first sentence about 0EMPLOYEE and go with that for now.
Thanks.
Answer:
You would be using the extractors to pull the data from R/3 into BW to populate the ODS or Cubes. Once the data is in BW, you would need to keep on top of that data if you want to control it, as the security over it is quite different and separate from that in R/3. If the sensitive data in the cube is not secured, anyone with access to the cube to run a query could potentially access all the data in the cube, even if a query was built to give them only "non-confidential" data fields from the cube.
You control your data by marking your selected infoobjects as auth-relevant, and then you can grant access to certain data using authorizations in your custom authorization objects, such as by Personnel Area, Employee Group, SubGroup, etc.
This is certainly not all of it, and is only a part of how you need to plan your processes and procedures to control the data in BW that you want to secure.
Mike