
As more and more customers are leveraging the capabilities of SAP Datasphere with SAP S/4HANA, the role of authorizations is also becoming more important. With the newly released enhancement of Data Access Controls in SAP Datasphere there is an easier way to integrate authorizations than the one described in my previous blog post. This approach is valid for SAP S/4HANA Cloud Private Edition and SAP S/4HANA On-Premise.
The goal is to provide a generic approach to integrate authorizations from SAP S/4HANA that allows you to implement row-level security with the necessary overview of what authorizations are assigned to which object.
The approach is based on the authorization objects from SAP S/4HANA and the idea is to reuse authorizations that are already maintained in SAP S/4HANA in SAP Datasphere for row-level security with Data Access Controls.
A connection named “SAP_S4H” to your SAP S/4HANA system with remote tables enabled must be created. The technical user must be authorized to access the following tables:
The approach described in this blog post is generic and can be used for various scenarios. To apply it to a specific scenario you need to define which authorization object(s) are relevant for your case. There are many authorization objects in SAP S/4HANA, and therefore many rows in table AGR_1251; maintaining only the relevant authorization objects reduces the data volume and keeps the result easy to oversee.
Example: you want to integrate authorizations for sales organizations, but there are many different authorization objects related to the sales organization (e.g. V_KONH_VKO, V_KNA_VKO, V_VBAK_VKO, …).
Based on the authorization data from SAP S/4HANA a view has to be created that performs the following processing steps:
The output of the view looks like this:
This view will be the central integration path for all standard authorization concept based approaches and the basis for all Data Access Controls.
As mentioned before, maintaining the authorization objects and fields that are relevant for your environment in local table SAP_CC_S4AUTH_REL_OBJECTS serves both performance optimization and the selection of the relevant authorization values.
What has to be maintained? In example 1 you want to integrate company code authorizations and together with the authorization experts from SAP S/4HANA you determined authorization object F_BKPF_BUK as relevant. This object has two authorization fields: activity (ACTVT) and company code (BUKRS). Since the activity is usually not relevant for analytical scenarios, you would maintain object F_BKPF_BUK and field BUKRS in local table SAP_CC_S4AUTH_REL_OBJECTS.
In example 2 you want to integrate the authorized combinations of distribution channel and sales organization. Authorization object V_KONH_VKO was selected, which has the fields activity (ACTVT), division (SPART), sales organization (VKORG) and distribution channel (VTWEG).
For your requirements the two fields sales organization (VKORG) and distribution channel (VTWEG) were defined and therefore you maintain two entries in local table SAP_CC_S4AUTH_REL_OBJECTS for the two fields.
The next step is to create the required Data Access Controls. Instead of having one Data Access Control for many different scenarios, this approach uses different Data Access Controls for different scenarios (company code, sales organization, …).
You create the initial one and then only copy and adapt this Data Access Control.
In this example the first Data Access Control is based on the company code and authorization. You create a Data Access Control with structure “Operator and Values” and map the fields from the view:
(Please map either USERNAME or SMTP_ADDR as Identifier, depending on the settings of your SAP Datasphere tenant. An exemplary identifier is shown so that you can understand which of the two is required.)
You can see that the view SAP_CC_AUTHORIZATION_VALUES concatenates the authorization object and the authorization field in the technical name of the CRITERION. This allows you to understand which criteria belong together.
I recommend maintaining the business name for the relevant entries as this simplifies the association of Data Access Controls.
When creating the Data Access Control for example 2 you do the same, but you select both fields of V_KONH_VKO and maintain the descriptions:
By separating the authorization scenarios into different Data Access Controls you gain a good overview of which scenario is applied to which view:
Alternatively you could keep all scenarios in one Data Access Control and then associate this generic Data Access Control with all relevant views. While you save the time to create the Data Access Controls, you lose the easy overview of which scenario (“criterion” from the Data Access Control) is used for a view.
Once everything has been set up it is time to check and validate that everything works as required and intended.
This means analyzing the authorization values in view SAP_CC_AUTHORIZATION_VALUES, but it also means checking the result for specific users.
The data preview in the view builder provides just the right option for this: you can now use the "view as user" option. Simply open the data preview in a view with an assigned Data Access Control, click on the icon with the lock and then select one of the SAP Datasphere users:
As a result you will see the data just like the selected user would. Please be aware of the restrictions described in the SAP documentation.
With this approach you can easily integrate authorizations from SAP S/4HANA into SAP Datasphere. It is flexible, simple to use and should enable you to set up an authorization concept with little effort.
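The following is an added example (not part of the original post or the SAP Community Content) that shows in Python what the view SAP_CC_AUTHORIZATION_VALUES does with the rows of AGR_1251 filtered through SAP_CC_S4AUTH_REL_OBJECTS, and what a "view as user" check of the resulting Data Access Control should return. It assumes AGR_USERS as the role-to-user source, an underscore as the separator in the CRITERION name, the operators EQ and BT, and AND-across-criteria / OR-within-criterion semantics for the DAC; all data is constructed.

```python
from collections import defaultdict

# Constructed sample data, not from the post. Columns follow the standard
# AGR_1251 layout (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH); AGR_USERS as the
# role-to-user source is an assumption, the post only names AGR_1251.
AGR_1251 = [
    ("Z_FI_DE", "F_BKPF_BUK", "T-0001", "ACTVT", "03", ""),
    ("Z_FI_DE", "F_BKPF_BUK", "T-0001", "BUKRS", "1000", "1999"),
    ("Z_SD_US", "V_KONH_VKO", "T-0002", "ACTVT", "03", ""),
    ("Z_SD_US", "V_KONH_VKO", "T-0002", "SPART", "*", ""),
    ("Z_SD_US", "V_KONH_VKO", "T-0002", "VKORG", "3000", ""),
    ("Z_SD_US", "V_KONH_VKO", "T-0002", "VTWEG", "10", ""),
]
AGR_USERS = [("Z_FI_DE", "ALICE"), ("Z_SD_US", "ALICE"), ("Z_SD_US", "BOB")]
# Content of local table SAP_CC_S4AUTH_REL_OBJECTS for example 1 and example 2.
REL_OBJECTS = {("F_BKPF_BUK", "BUKRS"), ("V_KONH_VKO", "VKORG"), ("V_KONH_VKO", "VTWEG")}

def authorization_values(agr_1251=AGR_1251, agr_users=AGR_USERS, rel=REL_OBJECTS):
    """Rows in the shape of an 'Operator and Values' DAC source:
    (USERNAME, CRITERION, OPERATOR, LOW, HIGH). CRITERION is OBJECT + '_' + FIELD
    (separator assumed); EQ for single values, BT for LOW..HIGH ranges."""
    roles_of = defaultdict(set)
    for agr_name, uname in agr_users:
        roles_of[uname].add(agr_name)
    rows = set()
    for uname, roles in roles_of.items():
        for agr_name, obj, _auth, field, low, high in agr_1251:
            if agr_name in roles and (obj, field) in rel:   # drops ACTVT, SPART, ...
                rows.add((uname, f"{obj}_{field}", "BT" if high else "EQ", low, high))
    return sorted(rows)

def visible_rows(user, facts, mapping, rows=None):
    """Simulate 'view as user': mapping = {fact column: CRITERION}. Assumed
    semantics: OR across a user's values of one criterion, AND across criteria,
    '*' in LOW means full authorization, ranges compare as fixed-width strings."""
    rows = authorization_values() if rows is None else rows
    def allowed(criterion, value):
        for uname, crit, op, low, high in rows:
            if uname == user and crit == criterion and (
                low == "*" or (op == "EQ" and value == low) or (op == "BT" and low <= value <= high)):
                return True
        return False
    return [r for r in facts if all(allowed(c, r[col]) for col, c in mapping.items())]

if __name__ == "__main__":
    sales = [{"BUKRS": "1000", "VKORG": "3000", "VTWEG": "10"},
             {"BUKRS": "1500", "VKORG": "3000", "VTWEG": "20"},
             {"BUKRS": "2000", "VKORG": "3000", "VTWEG": "10"}]
    print(visible_rows("ALICE", sales, {"BUKRS": "F_BKPF_BUK_BUKRS"}))
    print(visible_rows("BOB", sales, {"VKORG": "V_KONH_VKO_VKORG", "VTWEG": "V_KONH_VKO_VTWEG"}))
```

A user without any row for a mapped criterion (BOB for the company code criterion) sees nothing, which is the behaviour to confirm with the lock icon before rolling the Data Access Control out.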
And if you want to use this approach you can get the objects as part of our SAP Community Content that you can find here.
Update 29th July 2024: the community content has been updated to version 2 to support multi-dimensional authorizations.