Technology Blogs by SAP
JensBraun
Product and Topic Expert

Introduction

As more and more customers leverage the capabilities of SAP Datasphere together with SAP S/4HANA, the role of authorizations becomes more important. With the newly released enhancement of Data Access Controls in SAP Datasphere there is an easier way to integrate authorizations than the one described in my previous blog post. This approach is valid for SAP S/4HANA Cloud Private Edition and SAP S/4HANA On-Premise.

The goal is to provide a generic approach to integrate authorizations from SAP S/4HANA that allows you to implement row-level security with the necessary overview of what authorizations are assigned to which object.

The approach is based on the authorization objects of SAP S/4HANA: authorizations that are already maintained there are reused in SAP Datasphere for row-level security with Data Access Controls.


Prerequisites

A connection named “SAP_S4H” to your SAP S/4HANA system with remote tables enabled must be created. The technical user must be authorized to access the following tables:

  1. AGR_USERS = user assignments to roles
  2. SUIM_AGR_1251_52 = authorization values (both directly maintained & organizational levels)
  3. PUSER002 = assignment of mail address to user ID

The approach described in this blog post is generic and can be used for various scenarios. To apply it to a specific scenario you need to define which authorization object(s) are relevant for your case. There are many authorization objects in SAP S/4HANA, and therefore many rows in table AGR_1251; maintaining only the relevant authorization objects reduces the data volume and keeps the result easy to overview.

Example: you want to integrate authorizations for sales organizations, but there are many different authorization objects related to the sales organization (e.g. V_KONH_VKO, V_KNA_VKO, V_VBAK_VKO, …).


Preparation of Authorization Data

Based on the authorization data from SAP S/4HANA a view has to be created that performs the following processing steps:

  1. Restrict authorization values to the relevant authorization objects to reduce data volume
    (JOIN of SUIM_AGR_1251_52 with local table SAP_CC_S4AUTH_REL_OBJECTS)
  2. Add role assignments to users from table AGR_USERS and also add mail addresses of users from table PUSER002
    (this way both user ID and mail addresses are available. Use the relevant one for your tenant).
  3. Derive the option column based on the maintained authorization values
    (derived formats are ALL, EQ, BT and CP)
  4. Concatenate authorization object and authorization field to have a unique identifier
  5. Hide the columns that are not relevant and rename the remaining columns to match the terminology of the Data Access Controls.
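The following Python script is an added illustration, not part of the original post or of the SAP Community Content; it replays the five processing steps on constructed sample extracts so you can see what the prepared view has to produce. The column names of AGR_USERS, SUIM_AGR_1251_52, PUSER002 and of the local table, the underscore used to join object and field in CRITERION, and the rule that maps LOW/HIGH to ALL, BT, CP or EQ are assumptions; the validity check on FROM_DAT/TO_DAT is an extra that the post does not describe.

```python
from datetime import date

# Constructed sample extracts; not real S/4HANA data. The column names are
# assumptions about what the remote tables expose (AGR_USERS: AGR_NAME, UNAME,
# FROM_DAT, TO_DAT; SUIM_AGR_1251_52: AGR_NAME, OBJECT, FIELD, LOW, HIGH;
# PUSER002: BNAME, SMTP_ADDR).
AGR_USERS = [
    {"AGR_NAME": "Z_FI_DE",  "UNAME": "ANNA", "FROM_DAT": "20240101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_SD_EU",  "UNAME": "ANNA", "FROM_DAT": "20240101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_FI_ALL", "UNAME": "BOB",  "FROM_DAT": "20240101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_FI_DE",  "UNAME": "CARL", "FROM_DAT": "20230101", "TO_DAT": "20231231"},  # expired
]
SUIM_AGR_1251_52 = [
    {"AGR_NAME": "Z_FI_DE",  "OBJECT": "F_BKPF_BUK", "FIELD": "ACTVT", "LOW": "03",   "HIGH": ""},
    {"AGR_NAME": "Z_FI_DE",  "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS", "LOW": "1000", "HIGH": "1999"},
    {"AGR_NAME": "Z_FI_DE",  "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS", "LOW": "DE*",  "HIGH": ""},
    {"AGR_NAME": "Z_FI_ALL", "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS", "LOW": "*",    "HIGH": ""},
    {"AGR_NAME": "Z_SD_EU",  "OBJECT": "V_KONH_VKO", "FIELD": "VKORG", "LOW": "1000", "HIGH": ""},
    {"AGR_NAME": "Z_SD_EU",  "OBJECT": "V_KONH_VKO", "FIELD": "VTWEG", "LOW": "10",   "HIGH": ""},
    {"AGR_NAME": "Z_SD_EU",  "OBJECT": "V_KNA_VKO",  "FIELD": "VKORG", "LOW": "*",    "HIGH": ""},  # not maintained as relevant
]
PUSER002 = [
    {"BNAME": "ANNA", "SMTP_ADDR": "anna@example.com"},
    {"BNAME": "BOB",  "SMTP_ADDR": "bob@example.com"},
]
# Local table SAP_CC_S4AUTH_REL_OBJECTS filled for examples 1 and 2 of the post
# (column names assumed)
SAP_CC_S4AUTH_REL_OBJECTS = [
    {"AUTH_OBJECT": "F_BKPF_BUK", "AUTH_FIELD": "BUKRS"},
    {"AUTH_OBJECT": "V_KONH_VKO", "AUTH_FIELD": "VKORG"},
    {"AUTH_OBJECT": "V_KONH_VKO", "AUTH_FIELD": "VTWEG"},
]


def derive_option(low: str, high: str) -> str:
    """Step 3 (assumed rule): map a maintained value to a DAC operator."""
    if high:                          # interval maintained -> between
        return "BT"
    if low == "*":                    # full authorization
        return "ALL"
    if "*" in low or "+" in low:      # ABAP pattern -> contains pattern
        return "CP"
    return "EQ"


def build_authorization_values(agr_users, auth_values, puser002, rel_objects, as_of=None):
    """Replay the view logic; returns rows shaped like SAP_CC_AUTHORIZATION_VALUES."""
    as_of = as_of or date.today().strftime("%Y%m%d")
    relevant = {(r["AUTH_OBJECT"], r["AUTH_FIELD"]) for r in rel_objects}
    mail = {u["BNAME"]: u["SMTP_ADDR"] for u in puser002}

    # Step 1: keep only values of the maintained object/field combinations
    by_role = {}
    for v in auth_values:
        if (v["OBJECT"], v["FIELD"]) in relevant:
            by_role.setdefault(v["AGR_NAME"], []).append(v)

    rows = {}
    for a in agr_users:
        # Extra check (not in the post): skip role assignments not valid on as_of
        if not (a["FROM_DAT"] <= as_of <= a["TO_DAT"]):
            continue
        # Step 2: join role -> user and add the mail address
        for v in by_role.get(a["AGR_NAME"], []):
            row = {
                "USERNAME": a["UNAME"],
                "SMTP_ADDR": mail.get(a["UNAME"], ""),
                # Step 4: object + field gives a unique criterion name (separator assumed)
                "CRITERION": f'{v["OBJECT"]}_{v["FIELD"]}',
                # Step 3: derive the operator
                "OPTION": derive_option(v["LOW"], v["HIGH"]),
                "LOW": v["LOW"],
                "HIGH": v["HIGH"],
            }
            # Step 5: only the DAC-relevant columns remain; identical rows granted
            # through several roles collapse to one
            rows[tuple(row.values())] = row
    return sorted(rows.values(),
                  key=lambda r: (r["USERNAME"], r["CRITERION"], r["OPTION"], r["LOW"]))


if __name__ == "__main__":
    for r in build_authorization_values(AGR_USERS, SUIM_AGR_1251_52, PUSER002,
                                        SAP_CC_S4AUTH_REL_OBJECTS, as_of="20240601"):
        print(r)
```

With the sample data, ANNA receives four rows (two for F_BKPF_BUK_BUKRS, one each for the two V_KONH_VKO fields), BOB one ALL row, CARL nothing because his assignment has expired, and the V_KNA_VKO value never appears because it is not maintained as relevant.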

The output of the view looks like this:

Data_Preview.png


This view will be the central integration path for all standard authorization concept based approaches and the basis for all Data Access Controls.


Maintaining relevant authorization objects and fields

As mentioned before, maintaining the authorization objects and fields that are relevant for your environment in local table SAP_CC_S4AUTH_REL_OBJECTS serves both performance optimization and the selection of the relevant authorization values.

What has to be maintained? In example 1 you want to integrate company code authorizations and together with the authorization experts from SAP S/4HANA you determined authorization object F_BKPF_BUK as relevant. This object has two authorization fields: activity (ACTVT) and company code (BUKRS). Since the activity is usually not relevant for analytical scenarios, you would maintain object F_BKPF_BUK and field BUKRS in local table SAP_CC_S4AUTH_REL_OBJECTS.

In example 2 you want to integrate the authorized combinations of distribution channel and sales organization. Authorization object V_KONH_VKO was selected, which has the fields activity (ACTVT), division (SPART), sales organization (VKORG) and distribution channel (VTWEG).
For your requirements only the two fields sales organization (VKORG) and distribution channel (VTWEG) are relevant, so you maintain two entries in local table SAP_CC_S4AUTH_REL_OBJECTS, one per field.


Creation of Data Access Controls

The next step is to create the required Data Access Controls. Instead of having one Data Access Control for many different scenarios, this approach uses different Data Access Controls for different scenarios (company code, sales organization, …).

You create the first one and then only copy and adapt it for the other scenarios.

In this example the first Data Access Control is based on the company code authorization from example 1. You create a Data Access Control with structure “Operator and Values” and map the fields from the view:

DAC Company Code.png


(Please map either USERNAME or SMTP_ADDR as Identifier, depending on the settings of your SAP Datasphere tenant. The dialog shows an example identifier so that you can tell which of the two is required.)

You can see that the view SAP_CC_AUTHORIZATION_VALUES concatenates authorization object and authorization field in the technical name of the CRITERION. This lets you recognize which criteria belong together.
I recommend maintaining the business name for the relevant entries, as this simplifies the association of Data Access Controls.

When creating the Data Access Control for example 2 you do the same, but you select both fields of V_KONH_VKO and maintain the descriptions:

DAC Sales Area.png


By separating the authorization scenarios into different Data Access Controls you gain a good overview of which scenario is applied to which view:

Lineage.png

Alternatively you could keep all scenarios in one Data Access Control and associate this generic Data Access Control with all relevant views. While you save the time needed to create the Data Access Controls, you lose the easy overview of which scenario (“criterion” in the Data Access Control) is used for a view.


Validate the authorization implementation

Once everything has been set up it is time to check and validate that everything works as required and intended.

This means analyzing the authorization values in view SAP_CC_AUTHORIZATION_VALUES, but it also means checking the result for specific users.
The data preview in the view builder provides just the right option for this: the "view as user" option. Open the data preview of a view with an assigned Data Access Control, click on the lock icon and then select one of the SAP Datasphere users:

View as user.png


As a result you will see the data just like the selected user would. Please be aware of the restrictions described in the SAP documentation.
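To reproduce this check outside the tenant, here is an added Python example (not the post's or SAP's code) that applies Operator-and-Values semantics to a constructed fact table for one user, using permission rows in the shape of the prepared view. It assumes that entries for the same criterion are OR-combined, that a user without any entry for the criterion sees no rows, and that patterns use the ABAP wildcards `*` and `+`; it covers a single criterion (the company code of example 1) and not the combination of several criteria.

```python
from fnmatch import fnmatchcase

# Constructed permission rows in the shape of the prepared authorization view
# (USERNAME, CRITERION, OPTION, LOW, HIGH); sample data, not a real extract.
PERMISSIONS = [
    {"USERNAME": "ANNA", "CRITERION": "F_BKPF_BUK_BUKRS", "OPTION": "BT",  "LOW": "1000", "HIGH": "1999"},
    {"USERNAME": "ANNA", "CRITERION": "F_BKPF_BUK_BUKRS", "OPTION": "CP",  "LOW": "DE*",  "HIGH": ""},
    {"USERNAME": "BOB",  "CRITERION": "F_BKPF_BUK_BUKRS", "OPTION": "ALL", "LOW": "*",    "HIGH": ""},
    {"USERNAME": "DANA", "CRITERION": "F_BKPF_BUK_BUKRS", "OPTION": "EQ",  "LOW": "3000", "HIGH": ""},
]

# Constructed rows of a view that the company-code Data Access Control is assigned to
FACT_ROWS = [
    {"BUKRS": "1000", "AMOUNT": 120.0},
    {"BUKRS": "1500", "AMOUNT": 80.0},
    {"BUKRS": "2000", "AMOUNT": 45.0},
    {"BUKRS": "DE01", "AMOUNT": 300.0},
    {"BUKRS": "3000", "AMOUNT": 15.0},
]


def entry_matches(entry, value):
    """Assumed Operator-and-Values semantics for a single permission row."""
    op = entry["OPTION"]
    if op == "ALL":
        return True
    if op == "EQ":
        return value == entry["LOW"]
    if op == "BT":
        # string comparison, as for CHAR fields in the authorization values
        return entry["LOW"] <= value <= entry["HIGH"]
    if op == "CP":
        # ABAP pattern: '*' any sequence, '+' exactly one character
        return fnmatchcase(value, entry["LOW"].replace("+", "?"))
    raise ValueError(f"unsupported operator {op!r}")


def view_as_user(user, fact_rows, permissions, criterion, column):
    """Rows the user would see; no entry for the criterion means no rows at all."""
    entries = [p for p in permissions
               if p["USERNAME"] == user and p["CRITERION"] == criterion]
    return [r for r in fact_rows if any(entry_matches(e, r[column]) for e in entries)]


def visible_company_codes(user):
    """Convenience wrapper for the company-code scenario of example 1."""
    return [r["BUKRS"] for r in
            view_as_user(user, FACT_ROWS, PERMISSIONS, "F_BKPF_BUK_BUKRS", "BUKRS")]


if __name__ == "__main__":
    for u in ("ANNA", "BOB", "DANA", "EVE"):
        print(u, visible_company_codes(u))
```

Comparing this list with the data preview's "view as user" result for the same user is a quick way to spot derivation mistakes in the prepared view, for instance a pattern that should have become CP but was mapped to EQ.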

Summary

With this approach you can easily integrate authorizations from SAP S/4HANA into SAP Datasphere. It is flexible and easy to use, and it should let you set up an authorization concept quickly.

And if you want to use this approach you can get the objects as part of our SAP Community Content that you can find here.

Update 29th July 2024: the community content has been updated to version 2 to support multi-dimensional authorizations.

8 Comments
paulvatter
Participant

Great @JensBraun!

Do you see any chance to get released, data-extraction-enabled CDS views from your S/4 colleagues, so that we do not need to create them on our own?

Thanks in advance and best regards Paul

AndreasDietz
Explorer

Well explained, thanks @JensBraun 

Best regards

Andreas

JensBraun
Product and Topic Expert

Hello @paulvatter ,

you will not have to build the view yourself - the objects will soon be released as community content. I will update this blog post with the links and then you can use the view and don't have to implement it yourself.

Best regards,
Jens

JensBraun
Product and Topic Expert

Dear all,

the objects described in this blog post have now been released as SAP Community Content and can be found here.

BenedictV
Active Contributor

Hello @JensBraun ,

I do not understand the purpose of the local table SAP_CC_S4AUTH_REL_OBJECTS. Can you please explain?

-Benedict

JensBraun
Product and Topic Expert

Hello @BenedictV ,

the reasons are performance and filtering of relevant authorization values.

If you integrate all authorization values from the source system there will be loads of data which will at some point impact performance. And secondly you want to control exactly which authorization values are used in SAP Datasphere.

Best regards,
Jens

MikailErkus
Discoverer

Dear expert,

Thank you for your blog, but the DS package is no longer compatible with the new version. @JensBraun  Do you know if it's possible to get a new version?

Thank you in advance.
Mikail

BhanuKancharla
Newcomer

Dear JensBraun,

Thank you for such a nice blog. I have tried to import the Community package provided in this blog, but I am facing an issue while deploying one of the objects, i.e. SUIM_AGR_1251_52, which is not available in my S/4HANA. Please guide me if I am doing anything wrong here.


BhanuKancharla_1-1737732104833.png


Thanks,

Bhanu