cancel
Showing results for 
Search instead for 
Did you mean: 

Security Question

sap_cohort
Active Contributor
0 Kudos

I am planning a move to "Analysis Authorizations" and I'm doing some analysis on the current security environment. I notice that it is fairly simple where they only have about 50 Roles that Restrict on Sales Office. Instead of creating that many new Roles is it possible to create a Single Role for Sales Office Authorization and Maintain the users and values in a DSO?

What's the best approach in my simple case?

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos
sap_cohort
Active Contributor
0 Kudos

Thanks for that information. Anyone know if this would be a wise approach to use with "Analysis Authorizations"?

Thanks,!

Answers (2)

Answers (2)

christopherdcosta
Participant
0 Kudos

Hi Kenneth

You are correct in you main assumption that one role is required, but you need to make the distinction between the purpose of Roles in an R3 system and the purpose of roles in a BI system.

In an r3 system the role refers to the particular job that the person does. This is relevant because you are dealing with an operational environment where individuals actually have specific tasks which more or less relates to the notion of the transaction (screen), and you can apply 1 task = 1 role logic.

In a reporting and analysis tool like BI - there is only one job - reporting on the data. It is not task based, so the emphasis is on providing access to specific sets of data rather than access to multiple tasks.

Because the data changes all the time in a datawarehouse, and because users may need to look across business areas, analysis authorizations allows you to give access to all business areas but filter the data that can be seen. Giving access to a cube is not the same as allowing the user to see the data, and by definition it prevents access to new types of data until your security team has had a chance to look at the impact.

It makes for a very simple role administration (allow create queries for example across the board) and the new transactions allow you to specify the data filters you want, and then apply to one or more users. I suggest you use the transactions because in any event this data is also held in flat tables like the DSO you suggest. The difference is that the DSO does not have a nice GUI to allow you easy maintenance.

sap_cohort
Active Contributor
0 Kudos

Helpful Answer