SAP BW Administration Guide
© 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE
and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by
SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other
SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other
countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
Table of Contents
PUBLIC Page 1 of 12
© 2014 SAP SE or an SAP affiliate company. All rights reserved.
1 Security Guide for SAP NetWeaver BW
2 User Management and Authentication
2.1 User Management
2.2 Authentication and Single Sign-On
2.2.1 Calling BEx Web Applications from the Portal
2.2.2 Information Broadcasting as Background Processing
2.2.3 Information Broadcasting in the Web
2.2.4 Publishing to the Portal
3 Authorizations
3.1 Authorization Log for Analysis Authorizations
3.2 Checking Analysis Authorizations as Another User
3.3 Using ABAP Routines in the Analysis Process Designer
4 Network and Communication Security
4.1 Communication Channel Security
4.2 Communication Destinations
4.3 Network Security
4.4 Web Services and ICF Services in BW
5 Security for Data Storage
6 Minimum Installation
7 Security-Related Logging and Tracing
8 Further Security-Relevant Information
8.1 BW Security Manager for Documents
1 Security Guide for SAP NetWeaver BW
Use
Caution
This guide does not replace the manual for daily operations, which customers should create for their own productive operations.
Target Group
Technical Consultants
System Administration
Why is Security Necessary?
SAP NetWeaver BW integrates, transforms, and consolidates data from all areas of an enterprise so that it can then provide this information for analysis,
interpretation and distribution. This includes confidential corporate data, such as personal data from personnel administration. This data forms the basis of
decisions and target-oriented actions in all enterprise areas. Secure data access and data integrity are therefore of paramount importance.
The following examples illustrate some of the risks that the BW system can be exposed to:
Attacks from the Internet or intranet when using SAP BEx Web functionality and Web services
Infringement of data protection guidelines as a result of unauthorized access to personal data
About this Guide
This guide describes the security-related aspects of the usage types BW ABAP and BI Java, which are based on the usage types AS ABAP and AS Java. The
guide describes additional security information or security information that deviates from the information that applies to the usage types AS ABAP and AS Java.
The table below provides an overview of other relevant security guides:
Application Server for ABAP: SAP NetWeaver Application Server ABAP Security Guide
Application Server for Java: SAP NetWeaver Application Server Java Security Guide
2 User Management and Authentication
2.1 User Management
Use
BW uses the user management function that is delivered for the ABAP and Java SAP NetWeaver Application Platforms.
For more information, see User Administration and Authentication → User Management in the SAP NetWeaver Security Guide.
Users
Standard users that are created when the BW system is installed
More information: Protecting Special Users.
Caution
Change initial passwords after installation to ensure that standard users cannot be misused.
Standard users that are specified when Application Server Java is installed.
For more information, see User Administration and Authentication → User Administration and Standard Users in the SAP NetWeaver Application Server Java Security Guide.
Caution
Change initial passwords after installation to prevent misuse of standard users.
... communication with the BW source systems, for the extraction of data, and for background processes in BW. You create the background user in Customizing in SAP NetWeaver BW and assign it a password (under Automated Processes → Create User for Background Processes). The system prompts the user to enter a background user password when connecting to the source system. The authorization profile for the background user is S_BI-WHM_RFC (see Authorization Profiles for Background Users).
Background Users in the SAP Source System (SAP Source System; Technical User)
The background user in the SAP source system is used for communication with BW and for the extraction of data.
If you connect an SAP source system to BW, the background user is to be created in the source system. You can create the user directly in the source system in user maintenance. In BW Customizing, you can enter a name in the Implementation Guide to use as the default name for the background user when connecting a new source system (under Connections to Other Systems → Connections Between SAP Systems and BW Systems → Maintain Proposal for Users in the Source System (ALE Communication)). If the source system you are using is also a BW system, SAP recommends that you create the background user for BW and the background user for the (BW) source system completely separately. The authorization profile for the background user in the source system is S_BI-WX_RFC (see Authorization Profiles for Background Users).
Authors and Analysts (BW; Individual User)
Authors and analysts require advanced analysis functionality and the ability to perform special data analysis. To perform their tasks, they need useful, manageable reporting and analysis tools.
More information: Authorizations for Query Definition and Information Broadcasting
Executives and Knowledge Workers (BW; Individual User)
Executives and knowledge workers require personalized, context-related information provided in an intuitive user interface. They generally work with pre-defined navigation paths, but sometimes need to perform deeper data analyses.
More information: Analysis Authorizations
2.2 Authentication and Single Sign-On
Use
The authentication process makes it possible to check a user's identity before granting them access to BW or BW data. SAP NetWeaver supports various
authentication mechanisms.
For more information, see User Administration and Authentication → User Administration and Single Sign-On in the SAP NetWeaver Security Guide.
Integration in Single Sign-On Environments
User ID and Password
BW uses a user ID and a password for logon (see Logon and Password Protection in SAP Systems).
Secure Network Communications (SNC)
BW supports Secure Network Communications (SNC).
SAP Logon Tickets
BW supports SAP logon tickets. To make Single Sign-On available for several systems, users can obtain an SAP logon ticket after logging on to the SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.
More information: SAP Logon Tickets.
Client Certificates
As an alternative to user authentication with user ID and password, users of Internet applications via the Internet Transaction Server (ITS) can provide X.509 client certificates. User authentication then takes place on the Web server using the Secure Sockets Layer protocol (SSL). No passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
More information: X.509 Client Certificates.
2.2.1 Calling BEx Web Applications from the Portal
Integration into the SAP NetWeaver Single Sign-On Environment
The portal is the central entry point for users in SAP NetWeaver. It supports and issues SAP logon tickets. BEx Web applications are usually called from the
portal. The integration of BW and the portal enables access from BW too, where Single Sign-On is also supported.
The following graphic illustrates the interaction between BW and the portal in terms of single sign-on:
Portal (explicit authentication at the portal; Web browser receives portal ticket) → BEx Web application (implicit authentication in BW with portal ticket)
The following settings have to be made for Single Sign-On when calling BEx Web applications from the portal:
BW system must accept tickets
BW system must have imported the portal certificate in order to authenticate tickets from the portal
See also:
SAP Customizing Implementation Guide → SAP NetWeaver → SAP NetWeaver Business Warehouse → Settings for Reporting and Analysis → BEx Web →
Integration into the Portal
→ Configuring Single Sign-On in the BW System
→ Exporting the Portal Certificate in the Portal
→ Import the Portal Certificate to the BW System
2.2.2 Information Broadcasting as Background Processing
Precalculation and generation of documents (explicit authentication in BW occurs during job scheduling) → Storage of documents in Knowledge Management (implicit authentication in the portal with BW ticket)
BEx Broadcaster (explicit authentication in BW, Web browser receives BW ticket) → Input help (explicit authentication in the portal because the portal does not accept a BW ticket)
2.2.3 Information Broadcasting in the Web
Portal (explicit authentication at the portal; Web browser receives portal ticket) → BEx Broadcaster (implicit authentication in BW with portal ticket) → Input help (implicit authentication at the portal with portal ticket)
BEx Broadcaster (explicit authentication in BW, Web browser receives BW ticket) → Input help (implicit authentication at the portal because the portal does not accept a BW ticket)
Multiple portals can be connected to a BW system. See SAP Customizing Implementation Guide → SAP NetWeaver → SAP NetWeaver Business Warehouse
→ Settings for Reporting and Analysis → BEx Web → Integration into the Portal → Maintain Portal Server Settings for the Portal. The portal that is designated as
the standard portal is used when the input help for the KM folder is called.
2.2.4 Publishing to the Portal
Authentication takes place using the BW ticket that BEx Web Application Designer receives during explicit logon. The portal requires the BW certificate to validate the BW tickets.
Overview
BEx Web Application Designer (explicit authentication in BW system, BW ticket available) → Portal (implicit authentication on the portal with BW ticket)
For publication to the portal in BEx Web Application Designer, the following settings must be made:
The BW system must generate tickets
The portal must have imported the BW system BW certificate, in order to authenticate tickets from BW
You must configure the user assignment in the portal if the technical user names are not the same.
See also:
SAP Customizing Implementation Guide → SAP NetWeaver → Business Intelligence → Settings for Reporting and Analysis → BEx Web → Integration into the
Portal
→ Configuring Single Sign-On in the BW System
→ Exporting the BW Certificate in the BW System
→ Importing the BW Certificate into the Portal
→ Configuring User Assignments in the Portal
3 Authorizations
Use
To ensure that SAP NetWeaver BW represents the structure of your company and meets your company's requirements, you have to define who has access to
what data. There are two different authorization concepts for this depending on the role and tasks of the user:
Standard Authorizations
You use these authorizations for the various SAP NetWeaver BW tools, in the Data Warehousing Workbench or in BEx Query Designer for example. The
authorization concept for standard authorizations is based on the AS ABAP authorization concept.
Analysis Authorizations
You use these authorizations to provide access to transaction data belonging to authorization-relevant characteristics, to sales data for example.
Authorizations of this type are not based on the AS ABAP authorization concept. They use their own concept based on the needs of BW reporting and
analysis instead.
Critical Authorizations
Critical Analysis Authorizations
Authorization: 0BI_ALL (authorization for all values of all authorization-relevant characteristics)
Description: Every user with this authorization can access all the data at any time. Every user who has a profile containing authorization object S_RS_AUTH and who has entered 0BI_ALL (or has included it using an asterisk (*), for example) has complete access to all data. For more information, see the documentation for analysis authorizations, under Assigning Authorizations to Users.
Authorization: S_RS_RDEAD (BW Role: Administrator (Development System))
Description: These authorization templates contain wide-ranging authorizations on authorization object S_RFC.
Authorization: S_RS_RDEMO (BW Role: Modeler (Development System))
Description: These authorization templates contain authorizations for all InfoProviders on authorization object S_RS_COMP.
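The table above warns that 0BI_ALL can be granted explicitly or through an asterisk pattern in S_RS_AUTH. The following script is an added example (not SAP code) of how an administrator can audit an export of S_RS_AUTH values for users who effectively hold 0BI_ALL. The record layout, the field name BIAUTH, the pattern rules (a lone asterisk matches everything, a trailing asterisk is a prefix) and the sample entries are constructed assumptions for this illustration, not the real authorization tables.

```python
"""Audit which users effectively hold the BW analysis authorization 0BI_ALL.

Added illustration, not SAP code. It models one point from the security
guide: a user whose profile carries authorization object S_RS_AUTH with the
value 0BI_ALL, or a pattern covering it (an asterisk, for example), has
complete access to all data. The data below is constructed; the field name
BIAUTH and the pattern rules are assumptions, not an SAP table layout.
"""
from dataclasses import dataclass

FULL_ACCESS_AUTH = "0BI_ALL"


@dataclass(frozen=True)
class AuthValue:
    """One value of authorization object S_RS_AUTH (assumed field: BIAUTH)."""
    user: str
    profile: str
    value: str  # explicit name, a lone '*', or a trailing-asterisk pattern


def value_covers(pattern: str, name: str) -> bool:
    """Assumed matching rules: '*' covers everything, 'ABC*' covers every
    name starting with ABC, anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def users_with_full_access(entries):
    """Return {user: [(profile, value), ...]} for entries that grant 0BI_ALL."""
    hits = {}
    for entry in entries:
        if value_covers(entry.value, FULL_ACCESS_AUTH):
            hits.setdefault(entry.user, []).append((entry.profile, entry.value))
    return hits


# Constructed sample: one explicit grant, one grant hidden behind a prefix
# pattern in a legacy profile, and one user with only named authorizations.
SAMPLE = [
    AuthValue("ADMIN01", "Z_BW_ADMIN", "0BI_ALL"),
    AuthValue("ANALYST7", "Z_BW_ANALYST", "Z_SALES_EU"),
    AuthValue("ANALYST7", "Z_BW_LEGACY", "0BI_*"),
    AuthValue("REPORT02", "Z_BW_REPORT", "Z_SALES_US"),
]

if __name__ == "__main__":
    for user, grants in users_with_full_access(SAMPLE).items():
        print(f"{user}: complete data access via {grants}")
```

The second hit (ANALYST7 through `0BI_*`) is the case the guide's "using an asterisk" remark points at: a review that only searches for the literal string 0BI_ALL would miss it.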
More Information
Authorizations in the Documentation for SAP NetWeaver BW
Authorization Log for Analysis Authorizations
Checking Analysis Authorizations as Another User
Using ABAP Routines in Analysis Process Designer
3.1 Authorization Log for Analysis Authorizations
Use
A tool is available for analysis authorizations, which enables you to analyze authorization checks. It provides detailed information on authorization-relevant data
access instances. This check can be switched on or off permanently, or as and when required - depending on the users involved. Access to this analysis tool
should be protected using transaction RSECPROT and authorization object S_RSEC. Only authorized users should have access to the tool.
More information: Error Log
3.2 Checking Analysis Authorizations as Another User
Use
On the analysis authorization management screen, you can call specific transactions as another user by choosing Execute as... on the Analysis tab page. All
checks for analysis authorizations (and only these authorizations) are run for the specified user. This makes it possible for a user to gain access to more
authorizations than s/he would normally have. This transaction should therefore be specially protected using authorization object S_RSEC.
More information:
Management of Analysis Authorizations
Overview: Authorization Objects
3.3 Using ABAP Routines in the Analysis Process Designer
Use
In the Analysis Process Designer, you can transform data using an ABAP routine.
Note that when you create and edit the ABAP routine in an analysis process, S_DEVELOP is not checked. You need authorization for the authorization object
RSANPR and activity 36 (extended maintenance).
In productive systems in particular, this can result in a situation where unauthorized users can edit and execute ABAP routines.
4 Network and Communication Security
4.1 Communication Channel Security
Use
The following table provides you with an overview of the communication channels and the technology used for each channel:
Front end and application server: RFC (see Security Guide RFC/ICF)
Application server and application server: RFC (see Security Guide RFC/ICF)
SAP J2EE Engine and application server: RFC (see Security Guide RFC/ICF)
When using Web applications, we recommend that you switch on encryption for HTTPS.
4.2 Communication Destinations
Use
Connection destinations are required in the following BI areas:
BEx Web
RFC destination on the Application Server Java
RFC destination for portal
For more information, see Automatically Configuring BI Java.
Using TREX
RFC destination on BW system
For more information, see BW Customizing under TREX Connection.
Connecting data sources to the BW system
These destinations are not usually shipped with the software. Instead, they are created on the customer's system.
If you want to connect SAP systems and non-SAP data sources (as source systems) to BW, you usually need RFC destinations.
To use UD Connect, you need an RFC destination to the Application Server Java. For more information, see BW Customizing under UDI Settings by User Scenarios → UD Connect Settings.
The Myself BW destination is automatically created when the BW Data Warehousing Workbench is opened for the first time.
The background user and the background user in the source system are responsible for communication between BW and source systems (in the case of
SAP source systems). The BW background user requires the S_BI-WHM_RFC authorization profile. The background user requires the S_BI-WX_RFC
authorization profile in the SAP source system. For more information, see Authorization Profiles for Background Users.
4.3 Network Security
Use
For information about network security aspects when using BW, see Network and Communication Security in the SAP NetWeaver Security Guide.
We recommend using firewalls to control the network traffic in your system landscape. A firewall comprises hardware and software components that specify which
connections are permitted between communication partners. The firewall only allows the specified connections to be used. All others are blocked by the
firewall. For more information, see Using Firewall Systems for Access Control in the SAP NetWeaver Security Guide.
To secure RFC connections or connections with Internet protocols, we recommend using Secure Network Communications (SNC) or Secure Sockets Layer (SSL).
4.4 Web Services and ICF Services in BW
Use
Various different Web services and ICF services are delivered with SAP NetWeaver Business Warehouse.
ICF Services
ICF services are based on the Internet Communication Framework (ICF) of the SAP NetWeaver Application Server. ICF services are HTTP services that are used
to execute HTTP request handlers. The BW HTTP services allow you to display or exchange BW data using a URL. Some of these services are implemented as
Web services.
Structure of the URL
The URL of an HTTP service delivered in a BW namespace has the following structure:
<Protocol>://<Server>:<Port>/sap/bw/<Service>
URL Prefix
The values used for the placeholders in the specified URL schema depend on the installation. For <Protocol>, http or https can be selected. For <Server>, enter your message server.
You can check which URL prefix your BW system has generated as follows:
1. Call Function Builder (transaction SE37).
2. Enter RSBB_URL_PREFIX_GET as the function module.
3. Choose Test/Execute. The Test Function Module screen appears.
4. As import parameter I_HANDLERCLASS, enter the name of the ICF handler (HTTP Request Handler) for the required service.
Note
You can find out the name of the ICF handler in the Maintenance of Services (transaction SICF). Navigate to the required service component in the HTTP
service tree. Double-click to open the Change/Create a Service dialog box. The HTTP request handler for the service is displayed on the Handler List
tab page.
5. Choose Execute. Export parameter E_URL_PREFIX contains the generated URL prefix.
Service:
Enter the technical name of the required service here. The name comprises all the elements of the path in the HTTP service tree (transaction SICF).
Prerequisites for Using the Service
The required HTTP service must be active.
Note
To check this, navigate to the required service component in Service Maintenance (transaction SICF). If the service is active, you cannot select the Activate
Service entry in the context menu.
Delivered Service
The following service is implemented as a Web service:
Open Analysis Interfaces (see XML for Analysis)
5 Security for Data Storage
Use
Data Storage
In BW, data is stored on the application server database.
If end users evaluate data using Microsoft EXCEL, they can also store data locally. The end user has to make sure that no unauthorized person can access the
locally stored data.
If evaluations and analyses are called using BEx Web applications, the data is displayed in a Web Browser. The data is then stored in a browser cache. We
recommend always deleting the browser cache after evaluating data.
You can protect the data from being accessed by unauthorized end users by assigning analysis authorizations. In the default setting, data is not protected. You
can flag InfoObjects in BW as authorization-relevant however (see Tab Page: Business Explorer). Data can then only be accessed if the user has the required
authorizations.
Data in BW is mainly accessed for read purposes. In planning however, data is also modified. More information: Planning Engine.
Protecting Access to the File System Using Logical Paths and File Names
In transaction RSCRM_BAPI, query extracts can be created by writing the query results to files on the application server. To maintain system integrity, it is
important to specify where these files will be explicitly stored. This is done by specifying logical paths and file names that are assigned to the physical paths.
This assignment is validated at runtime to ensure that files are generated in the correct name range.
The following lists show the logical file names and paths used in this context and the programs that these file names and paths apply to:
Logical File Name Used in this Application
The following logical file name has been created in order to enable validation of physical file names:
RSCRM_FILE_EXTRACT_PATH
Programs that use this logical path name and the parameters used in this context:
RSCRM_BAPI_REMOTE
CL_RSCRMBW_TOOLS
Logical Path Names Used in this Application
The logical file name listed above uses the logical path name RSCRM_FILE_EXTRACT_PATH.
We recommend defining the physical path that is assigned to the temporary directory.
Activate Validation of Logical Paths and File Names
These logical paths and file names are specified in the system for the corresponding programs. To ensure downward compatibility, validation at runtime is
deactivated by default. To activate validation at runtime, specify the physical path with transactions FILE (non-client specific) and SF01 (client-specific). To find
out which paths are used by your system, you can activate the relevant settings in the security audit log.
More information:
Logical File Names
Protecting Access to the File System Using Logical Path and File
Security Audit Log
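The subsection above explains what runtime validation of a logical path achieves: a query extract written under RSCRM_FILE_EXTRACT_PATH can only end up inside the physical directory assigned to that logical name. The script below is an added example, not SAP's FILE/SF01 implementation, that reproduces that check in Python so the effect of leaving validation deactivated (the guide's default) versus activating it can be seen. The mapping table, the physical directory under the temporary folder, the function names and the error type are constructed assumptions.

```python
"""Illustration of runtime validation of a logical path and file name.

Added example, not SAP code. It shows only the property the security guide
describes: with validation active, a file name requested under the logical
path RSCRM_FILE_EXTRACT_PATH must resolve inside the physical directory
assigned to it. Mapping, directory, file names and error type are assumptions.
"""
import os
import tempfile


class LogicalPathError(ValueError):
    """Raised when a requested file would leave its assigned physical path."""


def resolve_physical_name(logical_name, mapping, file_name, validate=True):
    """Map a logical path name plus file name to an absolute physical name.

    validate=False mirrors the guide's default (validation deactivated for
    downward compatibility): the name is only joined. validate=True requires
    the resolved path to stay inside the assigned directory, which rejects
    '..' segments and absolute file names.
    """
    if logical_name not in mapping:
        raise LogicalPathError(f"unknown logical path {logical_name}")
    base = os.path.realpath(mapping[logical_name])
    candidate = os.path.realpath(os.path.join(base, file_name))
    if validate and os.path.commonpath([base, candidate]) != base:
        raise LogicalPathError(f"{file_name!r} resolves outside {base}")
    return candidate


def check_extract_names(mapping, file_names):
    """Validate several requested names; return (accepted paths, rejections)."""
    accepted, rejected = [], []
    for name in file_names:
        try:
            accepted.append(
                resolve_physical_name("RSCRM_FILE_EXTRACT_PATH", mapping, name))
        except LogicalPathError as err:
            rejected.append((name, str(err)))
    return accepted, rejected


# Constructed mapping: a directory under the temporary folder, which is the
# physical path the guide recommends assigning to RSCRM_FILE_EXTRACT_PATH.
EXTRACT_DIR = os.path.join(tempfile.gettempdir(), "bw_extracts_example")
MAPPING = {"RSCRM_FILE_EXTRACT_PATH": EXTRACT_DIR}

# Constructed requests: one regular name, one with a parent segment, one absolute.
SAMPLE_NAMES = ["sales_q1.csv", "../outside.csv", "/etc/hosts"]

if __name__ == "__main__":
    ok, bad = check_extract_names(MAPPING, SAMPLE_NAMES)
    for path in ok:
        print("accepted:", path)
    for name, reason in bad:
        print("rejected:", name, "-", reason)
```

With validation switched off, the same call for `../outside.csv` returns a path in the parent directory without complaint, which is exactly the situation the guide's activation step is meant to close.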
Data Protection
Using BEx Tools in SAP NetWeaver 2004
If using BEx tools in SAP NetWeaver 2004, note the following:
BEx Web applications can be implemented either as stateful or stateless applications. For stateful Web applications, the BEx Web runtime uses session cookies to combine independent requests (the function calls in a Web application, navigation steps for example) into one session. These cookies are called sap-contextid. The cookie contains a generated ID as its value; this ID allows the relevant session to be identified on the server. The session cookie is a temporary cookie and is deleted automatically when the browser window is closed. The server also has a timeout parameter; after the timeout, the session cookie is invalid and can no longer be used for navigating in a Web application. Using the Web template attribute NO-SESSION_COOKIE, you can have the session coding carried in the URL of the Web application instead; in this case, no session cookies are generated. To ensure that the Web application uses the session coding in the URL, set the NO-SESSION_COOKIE attribute to X.
LOPD Access Logging in Reporting and Planning Applications
The Spanish data protection law Ley Orgánica de Protección de Datos de Carácter Personal (LOPD) stipulates certain rules that companies have to observe when processing, saving and handling personal data. These rules involve logging all access to highly sensitive personal data. SAP NetWeaver BW provides a mechanism for LOPD logging of access to data in reporting and planning applications. For more information, see SAP Note 933441.
6 Minimum Installation
Use
SAP BEx uses JavaScript in the Web Browser when executing Web Applications. For minimum configuration, you have the option of deactivating JavaScript.
However, we recommend that you do not deactivate JavaScript. Deactivating JavaScript means that it is no longer possible to use all of the Web items and
dialogs on the Web. Navigation options in Web applications would also be considerably restricted.
7 Security-Related Logging and Tracing
Use
Logging Security-Related Changes and Authorization-Related Activities
The following tables are used to log changes to analysis authorizations and other authorization-related activities:
RSUDOLOG
This table contains log information about execution of a query (or other transaction) in the administration transaction for analysis authorizations in Query Monitor
(transaction RSRT) by one user for another.
For further information about executing transactions (especially RSRT) with another user, see Management of Analysis Authorizations and Checking Analysis
Authorizations as Another User.
The log data includes the following:
User name of the user who has executed a transaction under another user name
User name of the other user
The transaction that was executed
Password prompt flag
Flag to show correct password entered
Session ID
Time stamp
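The RSUDOLOG fields listed above are what a reviewer would look at to spot "execute as another user" activity that deserves a second look, for example an attempt with a wrong password or an execution that never prompted for one. The script below is an added example, not SAP code: the `key=value` export format, the field names, the flag encoding (`X` set, blank not set) and the three sample rows are constructed for the illustration and are not the real table layout; in practice the records would be read from the system.

```python
"""Review constructed RSUDOLOG-style records for 'execute as another user' use.

Added example, not SAP code. The security guide lists what RSUDOLOG records
(executing user, other user, transaction, password prompt flag, flag for a
correct password, session ID, time stamp). The export format, field names,
flag encoding and sample rows here are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class UdoLogEntry:
    executing_user: str   # user who ran the transaction under another name
    other_user: str       # user whose analysis authorizations were applied
    tcode: str            # transaction that was executed, e.g. RSRT
    pw_prompted: bool     # password prompt flag
    pw_correct: bool      # flag showing that the correct password was entered
    session_id: str
    timestamp: datetime


def parse_line(line):
    """Parse one constructed 'KEY=value;KEY=value' export line into an entry."""
    kv = dict(part.split("=", 1) for part in line.strip().split(";"))
    return UdoLogEntry(
        executing_user=kv["UNAME"],
        other_user=kv["OTHERUSER"],
        tcode=kv["TCODE"],
        pw_prompted=kv["PWPROMPT"] == "X",
        pw_correct=kv["PWOK"] == "X",
        session_id=kv["SESSION"],
        timestamp=datetime.strptime(kv["TS"], "%Y%m%d%H%M%S"),
    )


def analyze(log_text):
    """Return (findings, executions per executing user).

    findings: list of (reason, executing_user, other_user, tcode, timestamp).
    A prompt with a wrong password and an execution without any prompt are
    both reported so that a reviewer can match them against S_RSEC grants.
    """
    findings = []
    counts = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        counts[e.executing_user] += 1
        if e.pw_prompted and not e.pw_correct:
            findings.append(("wrong password", e.executing_user,
                             e.other_user, e.tcode, e.timestamp))
        elif not e.pw_prompted:
            findings.append(("no password prompt", e.executing_user,
                             e.other_user, e.tcode, e.timestamp))
    return findings, counts


# Constructed sample: a normal check, a failed password, and a late-night
# execution by a developer that did not prompt for a password at all.
SAMPLE_LOG = """\
UNAME=SECADMIN;OTHERUSER=ANALYST7;TCODE=RSRT;PWPROMPT=X;PWOK=X;SESSION=A1;TS=20150302101500
UNAME=SECADMIN;OTHERUSER=CFO_USER;TCODE=RSRT;PWPROMPT=X;PWOK= ;SESSION=A2;TS=20150302101730
UNAME=DEV_USER;OTHERUSER=CFO_USER;TCODE=RSRT;PWPROMPT= ;PWOK= ;SESSION=B7;TS=20150302231005
"""

if __name__ == "__main__":
    findings, counts = analyze(SAMPLE_LOG)
    for reason, who, as_whom, tcode, ts in findings:
        print(f"{ts:%Y-%m-%d %H:%M} {who} ran {tcode} as {as_whom}: {reason}")
    print("executions per user:", dict(counts))
```

Per-user counts are returned alongside the findings because the guide's point in section 3.2 is that this function lets a user act with more authorizations than their own; how often each account uses it is itself worth reviewing, not only the failures.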
RSECVAL_CL
This table contains log information about changes to value authorizations. The log data includes the following:
The authorization that was changed
The characteristic that the authorization was changed for
Object version of the characteristic
Session ID
Time stamp for the change
RSECHIE_CL
This table contains log information about changes to hierarchy authorizations. The log data includes the following:
The authorization that was changed
The characteristic that the authorization was changed for
Object version of the characteristic
Hierarchy-specific data
Session ID
Time stamp for the change
RSECUSERAUTH_CL
This table contains log information about the assignment of analysis authorizations by users in the administration transaction for analysis authorizations.
More information: Assigning Information to Users
The log data includes the following:
Authorization
User name of the user whom the authorization was assigned to
Time stamp
Session ID
Note
You can analyze changes to value and hierarchy authorizations and to user authorization assignments using InfoProviders from the technical content. More information: Change Documents (Legal Auditing).
RSECTXT_CL
This table contains log information about changes to authorization texts. The log data includes the following:
The authorization that was changed
The authorization's short, medium and long text
Session ID
Time stamp for the change
RSECSESSION_CL
This table contains log information about user activities in the session, including the date and time of any changes made. You can use this table to find out which
user values, hierarchy authorizations or authorization texts have been changed.
Logging LOPD-Relevant Access in Reporting and Planning Applications
SAP NetWeaver BW provides a mechanism for logging access in reporting and planning applications that is security-relevant in accordance with the Spanish data protection law Ley Orgánica de Protección de Datos de Carácter Personal (LOPD). For more information, see SAP Note 933441.
8 Further Security-Relevant Information
Use
Use of active code
SAP BEx uses JavaScript on the client computer in the Web browser, when executing Web applications.
More information: Minimum Installation
E-mail encryption when distributing BEx objects
Information broadcasting uses SAP NetWeaver interface SAPconnect to create and send e-mails with BEx objects. This interface does not support encryption or
certificates. E-mails created in the SAP system using Information Broadcasting are therefore not encrypted and do not have certificates.
However, SAP supplies you with an additional product from another provider (the Secure Email Proxy), which allows you to encrypt e-mails.
More information: SAPconnect. In particular, see the information under Secure E-Mail.
8.1 BW Security Manager for Documents
Use
The BW Security Manager for Documents protects and controls access to BW documents in Knowledge Management. It can be used for the CM repository, that
is, for documents stored on the portal, and for the BW Document Repository Manager, that is, for documents stored on the BW server.
Features
The BW Security Manager for Documents ensures secure access to documents in the portal by creating a connection to the BW system and checking the user
access authorizations in the back end. This means that you do not need to maintain any additional authorization in KM and can ensure that users in KM can only
display documents for which they have authorization.
The authorization checks performed by the BW Security Manager for Documents can reduce system performance.
The standard ACL Security Manager is faster in terms of performance, but is not suitable since it requires that the authorizations in the portal and in the BW
system are maintained twice.
If you only want to use documents within BW applications, you do not need a security manager. In the dropdown box, choose "Not Set".
In KM you are using an iView for the document search. There are 20 documents in your BW system; ten of these however contain confidential information that
should not be accessed by all users. If you choose the BW Security Manager for Documents for the CM repository, authorization checks are performed for all 20
documents. If users do not have authorization for the ten confidential documents, they are denied access to these documents and can only display the ten
documents that do not contain confidential information in KM.
Activities
To call the BW Security Manager for Documents configuration, choose System Administration → System Configuration → Knowledge Management → Repository Managers → CM Repository.
1. Set the indicator for the CM repository for which authorizations are to be checked in the BW system when documents are accessed.
2. Then choose Edit.
The properties of the CM repository are displayed in the lower area of the screen.
3. In the dropdown box for the security manager, choose BW Document Security Manager.