In this blog I will show you a possible approach to implementing matrix security based on 2 different hierarchies in the same dimension.
In particular I will describe how you can use Business Add-Ins (BADI) for BPC to enhance the standard security model:
Many organizations use a group level matrix with two reporting lines by geography and by functions. Therefore, in our BPC’s entity dimension there will be a geographic hierarchical view and a functional hierarchical view.
E.g.: we can consider a computer retailer company which operates in Europe and America selling and providing assistance on Personal Computers.
In our Profit Centre dimension we can describe this by having 2 different hierarchies:
a. Geographic Hierarchy, where the company’s profit centres report to their region
b. Functional Hierarchy, where the company’s profit centres report to their function
If we need a role for Europe’s Sales Manager, we won’t have any total node available for him, because he will need access only to the nodes highlighted in light blue.
The standard model is able to cover most of the possible scenarios, and we can choose between different kinds of approach.
b. Update the dimension in order to merge the two hierarchies: in our example it will mean to create new nodes for Europe Sales and America Sales.
c. Put the second hierarchy in a different dimension: first hierarchy (usually the geographic one) remains in the Entity dimension, but the second one (the functional) is moved to a user defined dimension.
So in our example we will have to duplicate profit centres bas members in 2 dimensions and then build our 2 hierarchies.
Members shown in grey will be restricted for the Europe Sales Manager with a “Deny” rule in Data Access Profiles.
We will need a custom solution if we have a big entity dimension with many different hierarchical nodes in the 2 hierarchies.
In this section, I will assume you are already confident in creating BADIs and writing ABAP for BPC.
As explained before, I will also assume that we have an entity dimension with thousands of members and many different hierarchical levels between the 2 hierarchies.
As explained in the introduction, I want to dynamically generate a deny rule for every member that is not visible in the intersection of the two members.
E.g.: Access will be given to Europe and PC Sales and the badi will automatically add the deny rule for Europe PC Services and America Sales for Business.
In this way, user will be able to see only:
In the Dynamic DAP badi implementation I will maintain a filter to activate the enhancement only for the profile ids that require the hierarchy matrix security.
E.g.
ENVIRONMENT = SALES_PC
PROFILE_ID = GEO_FUNC_USER (the dynamic Data Access Profile ID)
In the implementing class instead, I will call the method to generate the Deny rules.
Following this approach only the profile IDs that start with A_ENT_D_FUNC will apply the new rules; all the others will work applying the standard behaviour.
The “ct_access” internal table will already contain the member access rules defined in the Data Access Profile, which in our example will consist of:
In “exclude_method”, we will have to add the Deny rules, in order to give access only to the intersection of bas members visible in both hierarchies.
For each access rule, I will perform the following steps:
The totals, shown in BPC reports, will still include the value on Denied Members: therefore we need to use the Shared Query Badi to recalculate them.
In the filter of the badi we can only specify the Environment and the Model; therefore in the ABAP we will have to force the badi to work only for users who have a data access profile starting with A_ENT_D_FUNC assigned.
Therefore, in method IF_UJQ_SQE_POST_PROCESS~POST_PROCESS you will have to find out whether the user has the Hierarchy Security Matrix Data Access Profile and execute a different logic for this kind of user.
The post process method will execute an additional read to get the value of the denied members and then it will remove this value from the total. The steps in detail are below:
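The deny-rule derivation and the total correction described above can be modelled outside BPC. The following Python sketch is an added example, not the author's ABAP BADI code: the hierarchies, member IDs and values are constructed sample data, and the function names are hypothetical.

```python
# Added illustration: models the deny-rule logic in plain Python, not ABAP.
# Hierarchies, member IDs and values below are constructed sample data.

GEO = {  # geographic hierarchy: parent -> children
    "WORLD": ["EUROPE", "AMERICA"],
    "EUROPE": ["EU_PC_SALES", "EU_PC_SERVICES"],
    "AMERICA": ["AM_SALES_BUSINESS", "AM_PC_SERVICES"],
}
FUNC = {  # functional hierarchy over the same base members
    "ALL_FUNCTIONS": ["PC_SALES", "PC_SERVICES"],
    "PC_SALES": ["EU_PC_SALES", "AM_SALES_BUSINESS"],
    "PC_SERVICES": ["EU_PC_SERVICES", "AM_PC_SERVICES"],
}
VALUES = {"EU_PC_SALES": 100, "EU_PC_SERVICES": 40,
          "AM_SALES_BUSINESS": 70, "AM_PC_SERVICES": 30}

def base_members(hierarchy, node):
    """Return the set of leaf (base) members under node, walking all levels."""
    children = hierarchy.get(node)
    if not children:
        return {node}
    leaves = set()
    for child in children:
        leaves |= base_members(hierarchy, child)
    return leaves

def deny_rules(geo_node, func_node):
    """Members granted by either node but not by both must be denied."""
    geo = base_members(GEO, geo_node)
    func = base_members(FUNC, func_node)
    visible = geo & func
    return visible, (geo | func) - visible

def corrected_total(values, node_members, denied):
    """Parent total with the denied members' values removed, so the
    aggregate does not disclose data the deny rules are meant to hide."""
    raw = sum(values[m] for m in node_members)
    return raw - sum(values[m] for m in node_members & denied)

if __name__ == "__main__":
    visible, denied = deny_rules("EUROPE", "PC_SALES")
    print("visible:", sorted(visible))
    print("deny   :", sorted(denied))
    europe = base_members(GEO, "EUROPE")
    print("EUROPE raw total      :", sum(VALUES[m] for m in europe))
    print("EUROPE corrected total:", corrected_total(VALUES, europe, denied))
```

Without the correction, the EUROPE node in this sample would report 140 to a user who may only see a member worth 100, which lets the user infer the denied member's value by subtraction.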
I wanted to give an example of the flexibility offered by SAP BPC as a planning tool, which gives you the possibility to implement complicated scenarios such as the one described above.
As a tool it provides so many ways to meet a business requirement, and it is up to the solution architect to choose the one that achieves the best result in terms of usability, performance and maintenance cost.