ABCDSAP Business Intelligence White Paper v1.0.doc SAP Business Intelligence (BI) SAP Business Intelligence Overview of Authorizations & Controls Author: Jared D. Krueger
[email protected] March 11, 2009 Version 1.0 Page 1 of 32 © 2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. For internal use only. ABCD SAP Business Intelligence White Paper v1.0.doc Table of Contents 1. Overview ....................................................................................................................................................................3 2. BI Security Overview ..............................................................................................................................................4 3. BI Benefits .................................................................................................................................................................5 4. BI Authorizations Overview ..................................................................................................................................6 5. BI Building Blocks ...................................................................................................................................................7 InfoArea ..................................................................................................................................................................7 InfoProvider ...........................................................................................................................................................7 DataSources ..........................................................................................................................................................7 InfoSources............................................................................................................................................................7 ODS Objects ..........................................................................................................................................................7 InfoCubes ...............................................................................................................................................................8 Subobject ...............................................................................................................................................................8 InfoSet .....................................................................................................................................................................8 Component Types ................................................................................................................................................8 Component Type Activities ...............................................................................................................................8 6. Data Extraction .........................................................................................................................................................8 7. BI Authorization Objects & Security ...................................................................................................................9 S_RS_COMP ........................................................................................................................................................10 S_RS_COMP1 ......................................................................................................................................................12 S_RS_FOLD .........................................................................................................................................................13 S_RS_ADMWB ....................................................................................................................................................13 S_RS_IOBJ ...........................................................................................................................................................16 S_RS_ISOUR .......................................................................................................................................................17 S_RS_ISRCM .......................................................................................................................................................18 S_RS_IOMAD .......................................................................................................................................................19 S_RS_ICUBE........................................................................................................................................................20 S_RS_ODSO ........................................................................................................................................................21 S_RS_HIER ..........................................................................................................................................................22 S_RS_TOOLS ......................................................................................................................................................23 S_RS_MPRO ........................................................................................................................................................23 S_RS_ISET ...........................................................................................................................................................24 S_RFC....................................................................................................................................................................24 8. Reporting Security Strategy ...............................................................................................................................24 1 Securing by InfoCube ..............................................................................................................................24 2 Securing by Query ....................................................................................................................................25 3 Securing at the InfoObject Level ..........................................................................................................25 9. BI Audit Program Guide - Suggested Controls ............................................................................................26 10. Version History ....................................................................................................................................................31 11. Sources: .................................................................................................................................................................32 Page 2 of 32 © 2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. For internal use only. ABCD 1. Overview SAP Business Intelligence White Paper v1.0.doc The purpose of this document is to discuss different aspects of SAP Business Intelligence (BI), functionality, security, and building blocks that make it one of the leading reporting applications on the market. SAP Business Intelligence (BI) is a reporting system used to consolidate and view a company’s financial and operational data. It is primarily used to retrieve and report on data from SAP systems, but can also be used to report on data which is part of nonSAP systems. BI uses the Netweaver SAP Enterprise Portal, this means that it uses the standard backend GUI for administration and development, however uses a web-based GUI for end-users utilizing Internet Explorer, and MS Excel to generate reports. SAP BI integrates data from across a company(s), and then transforms it into practical, timely information to drive sound decision-making, targeted action, and solid business results. Key areas BI supports: • Data warehousing – Data warehouse management; business modeling; and extraction, transformation, and loading enable you to build data warehouses, model information architecture according to business structure, and manage data from multiple sources. Business intelligence – Online analytical processing, data mining, and alerts provide a foundation for accessing and presenting data, searching for patterns, and identifying exceptions. Business planning – A BI planning framework with secure workflow capabilities supports Microsoft Excel or Web-based planning and budgeting based on consolidated corporate data for bottom-up or top-down planning. Business insights – Query design, reporting and analysis, and Web application design allow you to create analysis reports, support decisions at every level, and present business intelligence applications on the Web. Measurement and management – Business-content management, metadata management, and collaborative business intelligence monitor progress, provide reporting templates, ensure consistent data, and help decision-makers work together. Open hub services – Open hub services features enable the delivery of high-quality, audited enterprise information through Web services to applications. Bulk data exchange, change data capture (CDC), and modeling features streamline deployment and enable cost-effective operations. Information broadcasting – Information broadcasting features support the distribution of mass information to large audiences in a personalized and secure manner. You can broadcast information as an offline document or live report through personalized e-mail or the Internet, according to a schedule or based on key events. Accelerated business intelligence – Based on compressions, parallel in-memory processing, and search technologies, the SAP NetWeaver BW Accelerator functionality improves the performance of queries, reduces administration tasks, and shortens batch processes. Developed as an appliance on Intel processors, the accelerator provides consistently fast response times, even as data volumes, number of users, and analytics increase. When looking at BI there are 3 major areas: 1. Administrative/Security: This is the area responsible for maintaining the application for user access, developing roles, access to queries, system connections, authorization objects, info providers, info objects, info systems and source systems. This area should be restricted to Basis and Security personnel. 2. Development – This area is responsible for designing queries using info-cubes. Since SAP BI is used for reporting purposes, the primary development is building reports and queries. Primarily this area should be locked down in production so any new development of queries must take place in development environment. • • • • • • • Page 3 of 32 © 2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. For internal use only. doc 3. You can also process the queries further in Microsoft Excel or display them in the Web browser in a default view. Front-end – This area is where the user logs into BI and executes queries & reports. it is about converting data into knowledge. This enables accurate near real-time reporting based on data stored in the BI warehouse. a U. How are reports generated? Analyzing reports in BI is the main function performed using this application. in order to define queries. You can also save the workbook locally on your computer. KPMG and the KPMG logo are registered trademarks of KPMG International. The Business Explorer Analyzer (BEx Analyzer) is the analysis and reporting tool of the Business Explorer that is embedded in Microsoft Excel. These reports are generated by extracting master data and transactional data from the SAP production system (source system) and loading it into the warehouse for reporting purposes only.ABCD SAP Business Intelligence White Paper v1. Custom and standard reports are generated using the BEx Analyzer. navigate within them and refresh the data. . Beyond that.0. you can analyze the selected InfoProvider data by navigation to the query created in the Query Designer and create different query views of the data. You can call up the BEx Query Designer in the BEx Analyzer. SAP BI is not about creating and updating data. you can precalculate the workbook and distribute it by e-mail to recipients or you can export it to the Enterprise Portal and make it accessible to other employees in the company. Multiple roles may have been designed to limit which users have access to specified queries. For internal use only. You can save the workbook in your favorites or in your role on the BW Server. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. In the BEx Analyzer. a Swiss cooperative. BI Security Overview Page 4 of 32 © 2009 KPMG LLP. you can add queries to workbooks. 2. You can add the different query views for a query or for different queries to a work book and save them there. All rights reserved. Below is a diagram of the SAP BI Data Warehousing and Business Explorer Suite which provides an accurate breakdown of the BI structure and where all pieces of the application reside. The BEx Analyzer offers convenient functions for evaluating and presenting InfoProvider data interactively.S. Subsequently. a Swiss cooperative. which is used to execute queries (reports) for end-users. InfoCubes. Page 5 of 32 © 2009 KPMG LLP.ABCD SAP Business Intelligence White Paper v1.S. they can only view specified queries based on their access. a U.doc When securing BI Data you determine what data users can view and access. information models. with third-party reporting and analysis tools. . It closes the loop as it provide a seamless links to planning and execution applications that allow you to act instantly on the insight you gain to improve the performance of your business processes. KPMG and the KPMG logo are registered trademarks of KPMG International. and Queries Transaction RRMX Launches the BEx Analyzer. All rights reserved. standardize and synchronize data across business workstreams Centralized reporting mechanism Reporting with no risk to master data changes SAP Business Warehouse is ships with "Business Content". It comes with ready-made extraction routines. • • • BI security is focused on: InfoAreas. meta-data. InfoProviders (InfoCubes. transaction codes are fewer and are not used as the primary means of controlling what data a user can access. security can be designed so that when an end-user logs in. ODS. The flexibility of SAP BW is that it is a ready-to-go solution but easy to adapt. a Swiss cooperative. which is used by SAP BI administrators. objects). You are used to transaction codes serving as your first line of defense in R/3. or planning and execution applications. Transaction RSA1 Launches the Administrator Workbench. metadata. including existing data marts. operational overhead costs. Integrate. *For further information on security see Section 7 3. developers should never have this access since reporting output could be altered. Further example of the benefits of SAP can be seen from the diagram below. BI Benefits • • • • • • • • Increased business visibility and performance to make faster decisions. It openness ensure that SAP BW is ideal for SAP R/3Æ and other SAP solutions but not limited to them. InfoCubes and reports as and when you need to. You can combine it easily with practically any internal or external data source. reports and channels that guarantee analysis and reporting capabilities out of the box.0. a Swiss cooperative. For internal use only. This diagram details how you can combine data to report on planning and actual costs to help determine P&L of sales vs. In BI. You can modify or add data sources. You can use the reporting mechanisms to plan your strategic growth and long-term financial planning by analyzing real-time data. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. access to this transaction should be highly restricted to only authorized users. a Swiss cooperative. For internal use only. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. a U.S. .doc 4. All rights reserved. BI Authorizations Overview • BI Authorizations BI has two authorization object classes: 1 Business Information Warehouse Reporting – Object class used for field level security in reporting • • 2 No authorization objects are delivered in this object class Authorization objects for field level security in reporting are created as needed Business Information Warehouse – authorization object class which is used to secure BI objects for administration • Authorization objects are delivered to protect all major administration and planning functions in SAP BI Page 6 of 32 © 2009 KPMG LLP. KPMG and the KPMG logo are registered trademarks of KPMG International.ABCD SAP Business Intelligence White Paper v1.0. a Swiss cooperative. transparent database tables that are used for preparing reports and quality assurance purposes. a Swiss cooperative.0. DataSources DataSources are flat data structures containing data that logically belongs together.doc SAP’s BI information model is based on the core building block of InfoObjects which are used to describe business processes and information requirements. You may have only one InforArea or you may have an InfoArea for each application area. a U. and so on. which remain unchanged for longer time period. ODS Objects An ODS object is a dataset which is formed as a result of merging data from one or more info sources. etc. They are responsible for extracting and staging data from various source systems.ABCD 5. financials. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. currencies. InfoSources InfoSources are the group of InfoObjects that belong together from a business point of view. All rights reserved. such as sales. In it information is stored in the form of flat. The InfoCube or ODS object holds the summarized data that the user can analyze. HR. hierarchy. units of measure. Query results are based on the data in the InfoCube or ODS object. InfoProvider This is the category of objects that can provide data to a query.S. KPMG and the KPMG logo are registered trademarks of KPMG International. The key elements in the SAP’s BI information model are: • • • • • • • • • InfoArea DataSources InfoSources ODS Objects InfoCubes InfoProviders MultiProviders Subobject InfoSet InfoArea InfoAreas are logical groups of InfoProviders. They provide basis for setting up complex information models in multiple languages. a Swiss cooperative. . For internal use only. BI Building Blocks SAP Business Intelligence White Paper v1. It contains the transactional data obtained from the transactions in online transactional processes (OLTP) and master data such as addresses of customers and organizations. Page 7 of 32 © 2009 KPMG LLP. such as InfoCubes and ODS objects. in the required format. This is populated using data extraction programs that read data from extract structures and send it. a Swiss cooperative. InfoSet An InfoSet gives you a view of a dataset that you report on using the InfoSet Query. All rights reserved. If you have an InfoArea for each application area. in an InfoArea for FI could be an InfoCube for accounts receivable data and another for accounts payable data. extraction programs can be implemented with the help of third party providers. they are generated using data stored in a data warehouse/repository.S. they hold the actual data used for reporting. Data Extraction So where does the data for BI reports come from? Simple. When running a query you can restrict users from viewing certain fields within an InfoSet. then you may have only on InfoProvider in that InfoArea or you could have several InfoProviders. To use data from other non-SAP applications.0. The below image highlights how InfoSource’s which were discussed above have data extracted and populated into InfoCubes: Page 8 of 32 © 2009 KPMG LLP. These then collect the requested data and send it in the required transfer format using BAPIs to the SAP Business Information Warehouse. KPMG and the KPMG logo are registered trademarks of KPMG International. For internal use only. . Component Types Component Type Activities • • • • • REP: Entire query STR: Structure CKF: Calculated key figure RKF: Restricted key figure VAR: Variables • • • • 01 Create 02 Change 03 Display 06 Delete 6. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. to the Business Information Warehouse.ABCD InfoCubes SAP Business Intelligence White Paper v1.doc InfoCubes are multidimensional data storage containers for reporting and analysis of data. They consist of keys figures and characteristics of which latter is organized as dimensions facilitating users to analyze data from various business perspectives such as geographical area or types of sales channel. For example. a Swiss cooperative. Subobject This is part of an InfoSet that can be selected to be edited “by user” as a security function. a U. Reports are generated from pulling data defined by the InfoCube key figures which are mapped to warehouse data. The InfoSet determines which tables or fields within a table an InfoSet Query refers to. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International.S. a Swiss cooperative. a Swiss cooperative. For internal use only. BI Authorization Objects & Security Authorization Objects in BI: • Objects used for REPORTING users • • • • • • • • • • • S_RS_COMP S_RS_COMP1 S_RS_FOLD Objects used by ADMINISTRATION users S_RS_ADMWB S_RS_IOBJ S_RS_ISOUR S_RS_ISRCM S_RS_IOMAD Objects used by both REPORTING & ADMINISTRATION users • S_RS_ICUBE Page 9 of 32 © 2009 KPMG LLP. a U. KPMG and the KPMG logo are registered trademarks of KPMG International.doc 7. All rights reserved. .ABCD SAP Business Intelligence White Paper v1.0. Component type: Determines which components a given user is allowed to process. You could also use S_RS_COMP if you want to protect by query name. you can restrict a user to only those queries written for the sales InfoCube or the financial InfoCube. you have an InfoCube for sales data. For internal use only. However. a Swiss cooperative. Every sales manager needs access to this InfoCube. S_RS_COMP Overview Authorizations for using different components for the query definition. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. KPMG and the KPMG logo are registered trademarks of KPMG International. So restricting by transaction code alone is not sufficient to limit reporting capabilities.0. you can restrict the components that you work with in the Business Explorer query definition. a U. sales managers in different lines of business are not allowed to execute the same query. a Swiss cooperative.S. o o Calculated key figure (Type = CKF) Restricted key figure (Type = RKF) Page 10 of 32 © 2009 KPMG LLP. If your company has one InfoCube for sales information and another for financial data. . it restricts if someone can create queries. For example. InfoProvider: Determines which InfoProviders a given user is allowed to process. You can restrict query creation. Security must be taken one step further at the object level. change queries. and execution by the InfoArea and InfoCube. Using this authorization object. As mentioned earlier. You can secure based on query name schema or InfoCube name (Important for reporting). All rights reserved. or execute queries. transaction RRMX launches the BEx Analyzer which is used for reporting purposes. Below are the authorization objects that you will find in the BI system and what they are used to control user access. Defined fields The object contains four fields: • • • InfoArea: Determines which InfoAreas a given user is allowed to process. change. For example.doc Other objects S_RS_TOOLS S_RS_MPRO S_RS_ISET S_RFC Reporting Security Authorization Objects BI does not have many transactions so it is important to understand how to enforce security at the object level.ABCD • • • • • • • S_RS_ODSO S_RS_HIER SAP Business Intelligence White Paper v1. 0. Example #1 With InfoArea 0001 in InfoProvider 0002. .ABCD o o o o • • Template structure Query (Type = STR) (Type = REP) SAP Business Intelligence White Paper v1. user A is allowed to create. a U. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. change and delete the queries that start with A1 and A6.. For internal use only.doc Variable.'02'.'A6*' '01'. Relevant authorization for user A: InfoArea: InfoProvider: Component type: Component: Activity: InfoArea: InfoProvider: Component type: Component: '*' '*' '0002' 'STR'. or 06 'Delete' are currently checked. a Swiss cooperative. only the activities 01 'Create'. a Swiss cooperative. With query view..(Type = QVW) Name (ID) of a reporting component: Determines which components (according to name) a given user is allowed process.. All rights reserved. 'CKF' '0001' '0002' 'REP' 'A1*'... and 22 'Save for reuse' are not currently checked by the query definition. KPMG and the KPMG logo are registered trademarks of KPMG International.. The user can change the structures (templates) and calculated key figures already defined in this InfoProvider. Activity: Determines whether the user is allowed to o o o o o Create Change Display Delete (Activity =01) (Activity =02) (Activity =03 ) or (Activity =06) a component. 02 'Change'. The activities 16 'Execute'..S.(Type = VAR) Query View.'06' Page 11 of 32 © 2009 KPMG LLP.. All rights reserved. a Swiss cooperative. in accounts receivables all queries must start with “AR”). you are a manager for a local sales team. KPMG and the KPMG logo are registered trademarks of KPMG International. This can be used to limit. by the query owner. Defined Fields The object contains four fields: • • Name (ID) of a reporting component: determines which components (according to name) are allowed to be edited by the user Type of reporting component: determines which component types are allowed to be edited by the user o o o o Calculated key figure (Type = CKF) Restricted key figure (Type = RKF) Structure Query (Type = STR) (Type = REP) Page 12 of 32 © 2009 KPMG LLP. which queries a user can see. then a user can only change their queries and cannot change any other queries. S_RS_COMP1 limits both what queries you can see in the BEx Analyzer tool. Authorization object S_RS_COMP1 secures the list of queries seen by the user via the BEx Analyzer or Web-based reporting and can limit the list of queries by the query owner. . You are using a naming convention for each area.S. If the special value $USER is entered as an authorization value for the Owner field. For internal use only.ABCD Activity: '02' SAP Business Intelligence White Paper v1. a Swiss cooperative. You can only run queries created by the power user for your geographic region. A user must have access to both objects. what queries you can display. This authorization object is checked in conjunction with the authorization object S_RS_COMP.0. Authorization objects S_RS_COMP and S_RS_COMP1 are evaluated together. The actions you can take related to a query in S_RS_COMP are complemented by the owner field in S_RS_COMP1. a U. and what queries you can execute. The $USER will also limit the queries the user can see and display in the analyzer tool. you can restrict query component authorization with regards to the owner. This can also enforce users to only create queries for “their” InfoCubes S_RS_COMP1 Overview With this authorization object. For example. The Owner field in S_RS_COMP1 works in conjunction with the fields in S_RS_COMP. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International.doc Example #2 Your company decides that each power user can create queries only for their application area. S_RS_COMP can be used to enforce this policy (for example. a Swiss cooperative.Folder. KPMG and the KPMG logo are registered trademarks of KPMG International. then the InfoAreas button will not appear in the BEx Analyzer Open → Queries dialog box When a user brings up the BEx Analyzer or uses the Query Designer for Web-based reporting. The view of the InfoAreas is hidden. . Push button. You only need to use this object it if you do not want users to see the InfoAreas listing of queries. Then only the favorites and roles appear in the BEx open dialog for queries. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International.doc Query View (Type = QVW): Authorizations for S_RS_COMP1 are not Currently checked for query views. there are four categories from which they may choose existing queries: History. For internal use only. a U. If a user chooses to open up a new query while in the BEx Analyzer. only the queries created by their power users should appear in the query list.Hide .ABCD o o o • • Variable (Type = VAR) SAP Business Intelligence White Paper v1. All rights reserved. They cannot look at the other InfoAreas to which they have not been granted access. meaning that the 'InfoAreas' file is not hidden. and InfoAreas. If this field is set to X (True). S_RS_FOLD Overview With this authorization object. If both 'True' and 'False' is selected ('All Values').S. Roles. Example #1 The reporting user should only be able to see their “Favorites” folder and their assigned roles in the BEx Analyzer. the value 'False' is valid. Favorites. S_RS_ADMWB Page 13 of 32 © 2009 KPMG LLP.0. a Swiss cooperative. Authorization object S_RS_FOLD will allow you to disable the InfoAreas category Defined Fields The object contains a field: • SUP_FOLDER: Hide the file view if the field is set to 'True' ('X'). you can deactivate the general view of the 'InfoArea' folder. The object has one field . Reporting component owner: determines whose components are allowed to be edited by the user Activity: determines whether the user o o o Example #1 is allowed to change a component is allowed to display a component is allowed to delete a component (Activity = 02) (Activity = 03) (Activity = 06) Power users create queries for various application areas. maintaining InfoObjects Monitor: monitoring data brought over from the source systems Workbench: Checked as you execute transaction code RSA1 InfoArea:Creating and maintaining InfoAreas ApplComp: Limiting which application components you can access InfoPackage: Creating and scheduling InfoPackages for data extraction Metadata: Replication and management of the metadata repository Defined Fields The object contains two fields: • Administrator Workbench object: Here you enter the name of the object of the Administrator Workbench that a user is allowed to edit. InfoObjects. It includes dealing with source systems. master data. Authorization object S_RS_ADMWB is the most critical authorization object in administration protection. Each of the two fields can have a variety of values. metadata.0. It covers many administrative tasks. a U. application components. This object is used throughout transaction code RSA1. KPMG and the KPMG logo are registered trademarks of KPMG International. For internal use only. The following objects are possible: o o o o o o o o SourceSys Source system InfoObject InfoObject Monitor Monitor ApplComp Application component InfoArea InfoArea Workbench Administrator Workbench Settings Settings MetaData Meta data Page 14 of 32 © 2009 KPMG LLP. and InfoPackage groups. InfoAreas. All rights reserved.ABCD Overview SAP Business Intelligence White Paper v1. InfoObjects. a Swiss cooperative. .doc Using this authorization object you can limit the work done with certain objects in the Administrator Workbench. and transaction data. The possible values for the Administrator Workbench field are: • • • • • • • • SourceSys: Working with a source system InfoObject:Creating. It protects working with individual objects of the Administrator Workbench such as sources system. object S_RS_ADMWB is the first object checked. a Swiss cooperative.S. monitoring. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. settings. There are two fields in this object: Activity and Administrator Workbench Object. InfoPackages. InfoPackages. When you do anything in transaction code RSA1. For internal use only. All rights reserved.ABCD o o o o o o o o • InfoPackag InfoPackage and InfoPackage group RA_Setting Reporting Agent setting RA_Package Reporting Agent package DOC_META Meta data documents DOC_MAST Master data documents DOC_HIER Hierarchy documents DOC_TRAN Transaction data documents DOC_ADMIN Document storage administration SAP Business Intelligence White Paper v1. .S. KPMG and the KPMG logo are registered trademarks of KPMG International. a Swiss cooperative. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International.doc Activity: determines whether you are allowed to display or maintain a sub-object o o o o o o o o o o o o o o o o o o Display source system (activity = 03) Display InfoObject (activity = 03) Display Monitor (activity = 03) Display Reporting Agent setting (activity=03) Display Reporting Agent package (activity=03) Display meta data documents (activity=03) Display master data documents (activity=03) Display hierarchy documents (activity=03) Display transaction data documents (activity=03) Maintain source system (activity = 23) Maintain application component (activity = 23) Maintain InfoArea (activity = 23) Maintain InfoObject (activity = 23) Maintain settings (activity = 23) Maintain InfoPackage (group) (activity = 23) Maintain Reporting Agent package (activity=23) Maintain Reporting Agent setting (activity=23) Maintain meta data documents (activity=23) Page 15 of 32 © 2009 KPMG LLP. a U.0. a Swiss cooperative. a U. KPMG and the KPMG logo are registered trademarks of KPMG International. It includes dealing with source systems.0. For internal use only. then you can give them S_RS_IOBJ in lieu of S_RS_ADMWB. but they do not need other administration functions granted in S_RS_ADMWB. a Swiss cooperative. Activity: Determines whether you can display or maintain an InfoObject catalog. o o Display InfoObject Catalog (Activity = 03) Maintain InfoObject Catalog (Activity = 23) This authorization object is only checked if the user has neither general maintenance authorization nor display authorization for InfoObjects (Authorization Object: S_RS_ADMWB InfoObject. and transaction data.S. master data. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. a Swiss cooperative. .ABCD o o o o o o o o o o Example #1 Display meta data documents (activity=03) Maintain master data documents (activity=23) Display master data documents (activity=03) Maintain hierarchy documents (activity=23) Display hierarchy documents (activity=03) Maintain transaction data documents (activity=23) Display transaction data documents (activity=03) Administer document storage (activity=23) Execute Administrator Workbench (activity = 16) Update Metadata (activity = 66) SAP Business Intelligence White Paper v1. InfoObjects. Page 16 of 32 © 2009 KPMG LLP.doc This object is used in transaction code RSA1 and covers numerous administrative tasks. InfoObject catalog: Here you can specify the key for the InfoObject catalog that a user can edit. Defined Fields The object includes three fields: • • • InfoArea: Here you can specify the key for the InfoArea for which a user can edit the InfoObject catalog. It will provide access to InfoObjects only. Working with the InfoObject catalog can be restricted with this authorization object. InfoPackages. Activity: Maintain/Display). All rights reserved. This authorization object is only checked if the user is NOT authorized to maintain or display InfoObjects. If someone needs to update InfoObjects. S_RS_IOBJ Overview Authorizations for working with individual InfoObjects and their sub-objects. KPMG and the KPMG logo are registered trademarks of KPMG International.ABCD SAP Business Intelligence White Paper v1. a Swiss cooperative.(Activity = 23) Maintain InfoSource transfer rules (Activity = 23) Maintain InfoSource InfoPackage (Activity = 23) Maintain InfoSource Data (Aktivität = 23) o o o o o o o o o Page 17 of 32 © 2009 KPMG LLP. All rights reserved. The following sub-objects exist: o o o o o o • Activity: Definition Definition CommStruc Communication structure TrnsfrRule Transfer rules Data Data InfoPackag InfoPackage MetaData Metadata Determines whether you are allowed to displaymaintain. a U. . Subobject for InfoSource: You use the sub-object to specify the part of the InfoSource that the user is allowed to edit. For internal use only.S. Enter the InfoSources with flexible updating the user is allowed to edit here. a Swiss cooperative.doc S_RS_ISOUR Overview You can use this authorization object to restrict the handling of InfoSources with flexible updating and their subobjects.0. Defined Fields The authorization object contains four fields: • • • Application component: InfoSource: Enter the application component key here for which a user is allowed to edit InfoSources. request or update a sub-object: Display InfoSource definition (Activity = 03) Display InfoSource communication structure (Activity = 03) Display InfoSource transfer rules (Activity = 03) Display InfoSource data (Activity = 03) Maintain InfoSource definition (Activity = 23) Maintain InfoSource communication structure . limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. InfoSource: A user is allowed to edit the master data InfoSources you specify here.ABCD o Request InfoSource data (Activity = 49) SAP Business Intelligence White Paper v1. S_RS_ISRCM Overview With this authorization object you can restrict handling of InfoSources with direct updating (for master data) or with their sub-objects. but not request. Subobject for the InfoSource: You can use the sub-object to specify the part of the InfoSource the user is allowed to edit. maintain. a U. For internal use only. Defined Fields The object contains four fields: • • • Application components: Here you enter the application component key for which a user is allowed to edit master data InfoSources. . This object protects access to the source systems and managing the transfer rules. The following sub-objects are available: o o o o • TrnsfrRule Transfer rules Data Data InfoPackag InfoPackage MetaData Metadata Activity: Determines whether you are allowed to display.S. a Swiss cooperative. a Swiss cooperative. Example #1 If you want to allow a user to maintain.0. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. KPMG and the KPMG logo are registered trademarks of KPMG International.doc The display and maintenance of the InfoSource data is checked in the PSA tree and in the Monitor. All rights reserved. the master data for all InfoSources delivered with the application component CO-PA. request or update a sub-object: Page 18 of 32 © 2009 KPMG LLP. assign him or her the following authorizations: • • • • Application component: CO-PA InfoSource: 0* Subobject: * Activity: 23 Example #2 You have an administrator who defines what data needs to be extracted from what source systems. doc Display and maintenance of InfoSource data is checked in the PSA tree and in the Monitor. but not request. can be found under • Page 19 of 32 © 2009 KPMG LLP. component.ABCD o o o o o o Display InfoSource transfer rules (Activity = 03) Display InfoSource data (Activity = 03) Maintain InfoSource transfer rules (Activity = 23) Maintain InfoSource InfoPackage (Activity = 23) Maintain InfoSource data (Activity = 23) Request InfoSource data (Activity = 49) SAP Business Intelligence White Paper v1. S_RS_IOMAD Overview With this authorization object you can restrict the editing of master data in the Administrator Workbench. which the user is allowed to edit. For internal use only. a Swiss cooperative. All rights reserved. This object protects access to the source systems and managing the transfer rules. which are not assigned to an InfoObject catalog and thus are assigned to an InfoArea. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International.0. With the question whether master data for an InfoObject of a particular InfoArea is allowed to be edited. InfoObjects. a Swiss cooperative. which a user is allowed to InfoArea: You enter here the key of the InfoArea. the master data for all InfoSources delivered with the application component CO-PA. An InfoArea. assign him or her the following authorizations: • • • Application component: CO-PA InfoSource: 0* Subobject: * Activity: 23 • Example #2 You have an administrator who defines what data needs to be extracted from what source systems. Defined Fields The authorization object contains four fields: • • Application component: You enter here the key of the application edit. a U. must be assigned to this InfoObject catalog.S. that the user is allowed to edit. KPMG and the KPMG logo are registered trademarks of KPMG International. Example #1 If you want to allow a user to maintain. . a check is carried out to see to which InfoObject catalog the InfoObject is assigned. then assign this person the following authorizations: • • Application component: CO-PA InfoArea: <DUMMY> InfoObject: 0* • S_RS_ICUBE Overview Using this authorization object you can restrict working with InfoCubes or their sub-objects. For internal use only. The activity 06 (delete master data) authorizes the user to carry out mass deletion of master data for an InfoObject. for which a user is allowed to edit InfoCubes. : determines whether master data may be maintained. or displayed.0. The following sub-objects exist: o o o o Definition Definition UpdateRule Update rules Aggregate Aggregate Data Data Page 20 of 32 © 2009 KPMG LLP. a Swiss cooperative. Subobject for InfoCube: Using the sub-object you specify the part of the InfoCube that the user is to edit. KPMG and the KPMG logo are registered trademarks of KPMG International. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. InfoCube: The InfoCubes that you enter here can be edited by a user. which the user is allowed to edit. Only those master data values that have not been used are deleted.S. You get to this function in the Administrator Workbench via InfoObject tree -> your InfoObject -> Context menu (right mouse button) -> Delete master data. . o o o Display master data (activity = 03) Maintain master data (activity = 23) Delete master data (activity = 06) Using activity 23 (maintain master data) you can authorize the user to maintain master data manually and to delete single records.doc • • InfoObject Activity : You enter here the key of the InfoObject. SAP Business Intelligence White Paper v1.ABCD Nodes not assigned. Defined Fields The object contains four fields: • • • InfoArea: You enter the key of the InfoArea. All rights reserved. Example #1 If a user is to be allowed to maintain the master data of all InfoObjects delivered with the application component CO-PA. deleted. a U. a Swiss cooperative. All rights reserved. maintain or delete sub-objects o o o o o o o o o o Display InfoCube definition (Activity = 03) Display InfoCube update rules (Activity = 03) Maintain InfoCube data (Manage Cube) (Activity = 03) Display InfoCube aggregate (Activity = 03) Delete InfoCube data Maintain InfoCube definition Maintain InfoCube update rules Maintain InfoCube aggregate (Activity =06 ) (Activity = 23) (Activity = 23) (Activity = 23) (Activity = 23) Maintain InfoCube export DataSource Update InfoCube aggregate (Activity = 66) Example #1 Your SAP BI administrator creates InfoCubes. You have a regional manager who needs access to the data in one of the InfoCubes. S_RS_ODSO Overview Using this authorization object you can restrict working ODS objects and their sub-objects Defined Fields The object includes four fields: • • • InfoArea: Here you specify the key for the InfoArea. There are the following sub-objects: o o Definition Definition ExportDS Export-DataSource Page 21 of 32 © 2009 KPMG LLP. a Swiss cooperative. For internal use only. .doc Activity: Determines whether you are allowed to display. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International.S. The regional manager will need access to S_RS_ICUBE and the respective InfoCube that holds the data.ABCD o • ExportISrc Export DataSource SAP Business Intelligence White Paper v1. KPMG and the KPMG logo are registered trademarks of KPMG International. a U. a Swiss cooperative. for which a user is allowed to edit the MultiProvider MultiProvider: The MultiProviders that you specify here are allowed to be edited by a user. Subobject for the Multiprovider: With this sub-object you specify the part of the MutliProvider that the user is allowed to edit.0. Activity: Determines whether the user is allowed to o o o Example #1 Display (activity = 03) or Maintain (Activity = 23) a hierarchy or if he or she is allowed to display data along the hierarchy (activity = 71). o o o Display MultiProvider definition Maintain MultiProvider definition (Activity = 03) (Activity = 23) Maintain MultiProvider Export-DataSource (Activity = 23) Example #1 Same as S_RS_ICUBE except for ODS objects S_RS_HIER Overview Authorizations for working with hierarchies. assign him or her the following authorizations: • • • InfoObject: 0COSTCENTER Hierarchy Name: * Activity: 23 Example #2 Page 22 of 32 © 2009 KPMG LLP. Hierarchy version: Enter to which version of the hierarchy the authorization refers here. or update a sub-object. a Swiss cooperative. who can create hierarchies and run queries that use hierarchies. Hierarchy name: Enter the name of the hierarchies that a user is allowed to edit.0. All rights reserved. maintain. For internal use only. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International.S. Defined Fields The object contains four fields: • • • • InfoObject: You enter the key of the InfoObject here. If you want a user to maintain all hierarchies for the InfoObject 0COSTCENTER. for which a user is allowed to edit hierarchies.ABCD • SAP Business Intelligence White Paper v1. Using this authorization object you can restrict the working with hierarchies in the Administrator Workbench. a U. a Swiss cooperative.doc Activity: determines whether you are allowed to display. . KPMG and the KPMG logo are registered trademarks of KPMG International. delete. At the moment the authorization object only has an effect if you activate it with a source code modification (see note 332738 in OSS / SAPNet).0. This is the minimal authorization profile needed for a user to execute transaction RRMX and run the BEx queries. KPMG and the KPMG logo are registered trademarks of KPMG International.ABCD SAP Business Intelligence White Paper v1. o o o Display MultiProvider definition Maintain MultiProvider definition (Activity = 03) (Activity = 23) Maintain MultiProvider Export-DataSource (Activity = 23) Example: Page 23 of 32 © 2009 KPMG LLP. For internal use only. or update a sub-object. The BI administrator must have S_RS_HIER to execute queries that use hierarchies. for which a user is allowed to edit the MultiProvider MultiProvider: The MultiProviders that you specify here are allowed to be edited by a user. delete. The regional manager for the “Southwest” needs access to all cost centers in the Southwest. Cost centers are set up in a hierarchy. All rights reserved. S_RS_MPRO Overview With this authorization object you can restrict working with MultiProviders or their sub-objects. a Swiss cooperative.doc Manager needs to access data by cost centers. There are the following sub-objects: o o • Definition Definition ExportDS Export-DataSource Activity: determines whether you are allowed to display. S_RS_TOOLS Overview You use the authorization object to limit your user group for individual Business Explorer tools. maintain. a Swiss cooperative. a U. Within the “Southwest” hierarchy are cost centers for each region in that area. . Subobject for the Multiprovider: With this sub-object you specify the part of the MutliProvider that the user is allowed to edit.S. Defined Fields The object includes four fields: • • • InfoArea: Here you specify the key for the InfoArea. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. then they can only make business decisions based on that one company code. they may need to see data from all company codes. 8. InfoSet: Enter the name of the InfoSet here. There are the following sub-objects: o o S_RFC Overview Definition: Definition Data: Data You use the authorization object to perform RFC (remote function call) for the BEx Analyzer or BEx Browser only.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. It may be important for users to view more results in BI than they can see in R/3. delete. a Swiss cooperative. plants. 1 Securing by InfoCube Page 24 of 32 © 2009 KPMG LLP. or maintain the InfoSet. KPMG and the KPMG logo are registered trademarks of KPMG International. This would also be for the following: S_RS_ICUBE for an InfoCube or S_RS_MPRO for a MultiProvider. a Swiss cooperative.doc • • • InfoArea: Enter the key of the InfoArea for which a user may edit Infosets here. or business areas. company codes. the level of security needs to be in line with the goals of the business. change) (Activity = 23) Subobject for InfoSet: With the sub-object you specify the part of the InfoSet that is edited by the user. Any role for a reporting user must have the S_RS_COMP and S_RS_COMP1 authorization objects. a U. Activity: Define if you may display.ABCD S_RS_ISET Overview You can restrict working with InfoSets with this authorization object.0. o o • Display the InfoSet object definition (Activity = 03) Maintain the InfoSet object definition (create. For internal use only. delete. In order to discover important trends. cost centers. Reporting Security Strategy In R/3. as well as the authorization objects related to the InfoProvider on which the query is based. Defined Fields The object contains four fields: SAP Business Intelligence White Paper v1. If a user executes a query and only receives results from company code 1000. Before implementing security. . All rights reserved. These are key fields that may be an integral part of a security strategy. security is focused around detailed information in purchasing groups. ABCD SAP Business Intelligence White Paper v1. the query must be able to restrict data by division. Creating a customer reporting authorization object • Since there are no reporting authorization objects provided for InfoObjects. This is done using a variable. 2 Securing by Query This option would be to use the InfoCube in conjunction with the query name. a Swiss cooperative. All rights reserved. or some other InfoObject. • 2 This setting can be selected in the InfoObject definition on the Business Explorer tab. 3 Securing at the InfoObject Level If securing users by InfoCube or Queries is not sufficient. • The reason the variable is required is sometimes unclear. a U. it is optional to secure down to the InfoObject level. but to get different results based on their assigned division. 3B Creating Authorizations in Role Maintenance 1 2 3 Transaction code PFCG. The business needs to drive which InfoObjects should be relevant for security. When creating a reporting authorization object. For internal use only. This will impact people currently executing queries for the InfoProvider that is now related to the reporting authorization object that was just created. This option is the closest parallel to the field-level security that is traditional to R/3. This linkage forces the reporting authorization object to be checked when ANY query tied to the InfoProvider is executed. This is done using transaction RSSM. 4 Link the reporting authorization object to an InfoProvider • This is a very critical step. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. Roles can be created that allow you to run queries from specified InfoCubes. Strict naming conventions should be in place so that security does not have to be updated when queries are created. Business ExplorerAuthorizationsReporting Authorization Objects • 3 Add a variable to the query. you will have to create your own reporting authorization object for any InfoObject you decide to secure. If we want a query to only provide results based on the division. Optimal if the authorizations only need to be checked at the InfoCube level.S. This security method is if you want two users to execute the same query. cost center. Generate Page 25 of 32 © 2009 KPMG LLP. then the query itself needs the ability to filter specific division values. a Swiss cooperative.doc This option is for securing reporting users by dividing them into groups. KPMG and the KPMG logo are registered trademarks of KPMG International. . specify roles to be changed. Before you can secure on division. Authorizations TabChange authorization dataEnter authorization objects manually Enter the appropriate field values for the authorization objects that were added. 3A Steps to Implement InfoObject Security 1 Define the InfoObject as authorization relevant. you select which fields to put in the authorization object from a list of authorization relevant InfoObjects (see #1).0. a Swiss cooperative.doc Activity Secure BW Reporting Users Control Access to modify sensitive BW Reporting is restricted Risk Users can maintain queries and generate inaccurate results Testing Identify queries that should have restricted access. a U.Suggested Controls SAP Business Intelligence White Paper v1. KPMG and the KPMG logo are registered trademarks of KPMG International. BI Audit Program Guide . limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. For internal use only. All rights reserved.ABCD 9. .S.0. Access to the following authorization objects and values allows a user to maintain queries Execute SUIM for the following objects: S_RS_COMP1 Activity: 2 (change) Name (ID) of a reporting component: “query name” or ‘*’ for all queries S_RS_COMP Activity: 2 (change) Name (ID) of a reporting component: “query name” Page 26 of 32 © 2009 KPMG LLP. a Swiss cooperative. KPMG and the KPMG logo are registered trademarks of KPMG International. a Swiss cooperative. a Swiss cooperative. however you must exclude users identified in the list above) Guidance: This list should be relatively low.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. a U. For internal use only. 06 (maintain all objects) Guidance: This list should contain a very low number of users. All rights reserved. only system administrators Test 2: Execute SUIM for the following: Transaction: RSA1 Authorization object: S_RS_IOBJ Activity 23.doc Control Control Objective: Controls should be in place to ensure that BW Administration Users have appropriate access.ABCD Activity Secure BW Administration Users SAP Business Intelligence White Paper v1. only users who manage their own info objects Secure User BWREMOTE Access to User BWREMOTE is correct to receive data from an OLTP system BW connections may change and generate inaccurate reporting Execute SUIM and determine which uses have Profile: S_BI-WHM_RFC Guidance: List should be low and restricted to system administrators Secure User BWALEREMOT E Access to User BWREMOTE is correct to connect and send to the BW system BW connections may change and generate inaccurate reporting Execute SUIM and determine which uses have Profile: S_BI-WX_RFC Guidance: List should be low and restricted to system administrators Page 27 of 32 © 2009 KPMG LLP.0. . 06 (displays a list of users who can maintain info objects only. Risk Unauthorized changes to objects may result in inaccurate queries Testing Test 1: Execute SUIM for the following: Transaction: RSA1 Authorization object: S_RS_ADMWB Activity 23. a Swiss cooperative. For internal use only. Execute SUIM and determine which uses have access to Transaction RSSM Info Object S_RS_HIER Activity: 23 (maintain) Guidance: No users should have access to change heirarchy or maintain authorization objects in Production.0. BW Hierarchies & Authorization Objects BW authorization objects are configured and controlled correctly BW authorization objects may not be checked when users execute transaction codes. a U.doc Control BW developers have appropriate access in the Production system. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. KPMG and the KPMG logo are registered trademarks of KPMG International. a Swiss cooperative. .S.ABCD Activity Secure BW developers SAP Business Intelligence White Paper v1. All rights reserved. Execute SUIM and determine which uses have access to Transaction RSD1 Info Object S_RS_HIER Activity: 23 (maintain) Guidance: List should be low and restricted to system administrators or security Page 28 of 32 © 2009 KPMG LLP. Risk BW Developers may generate roles and authorizations bypassing the transport process Testing Execute SUIM and determine which uses have access to transaction: PFCG S_USER_GRP Activity: 02 S_USER_PRO Activity: 02 Guidance: No users should have access to change roles in Production. Access should only be allowed in Development Info Object Maintenance Only authorized users have access to mark objects as relevant for authorization (InfoObject Maintenance) BW authorization objects may not be checked when users execute transaction codes. a Swiss cooperative. KPMG and the KPMG logo are registered trademarks of KPMG International. For internal use only.doc Control Only authorized users have access to maintain tables Risk Unauthorized changes to SAP tables may lead to inaccurate data Testing Step1: Execute SUIM and determine which uses have access to Transaction LISTCUBE Step2: Execute SUIM and determine which uses have access to Transaction: SE16 or SM31 Auth Object: S_TABU_DIS Activity: 02 Guidance: No user should have access to maintain tables in production BW Access Only authorized users have the ability to maintain users and user access Unauthorized user access may result in inaccurate system data Execute SUIM and determine which uses have access to Transaction: SU01 Auth Object: S_USER_GRP Activity 01. a U.0.06 (create.02. STMS Authorization Object: S_TRANSPRT Activities: 1. 60 Guidance: Should be restricted to basis admins who are responsible for performing transports Page 29 of 32 © 2009 KPMG LLP.2. a Swiss cooperative.change. 43. .S. All rights reserved. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International.ABCD Activity BW Workbooks SAP Business Intelligence White Paper v1.delete) Guidance: Should be restricted to security administrators Transport Organizer Only authorized users can transport development objects Unauthorized changes may be transported to production Execute SUIM and determine which uses have access to Transactions: SE01. For internal use only. . This goes together with the system change settings control below. KPMG and the KPMG logo are registered trademarks of KPMG International. Programs The ability to run system programs is restricted Unauthorized use of executing or changing programs may impact system credibility. Page 30 of 32 © 2009 KPMG LLP.S. data integrity and system performance Execute SUIM and determine which uses have access to Transaction SE38 Auth Object: S_DEVELOP Activity 01 or 02 And Auth Object: S_PROGRAM User Action: SUBMIT Guidance: Access should be restricted to system administrators or a limited number of users. a U. All rights reserved. If system change is incorrect. a Swiss cooperative. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International.ABCD Activity Configuration SAP Business Intelligence White Paper v1.0. unauthorized changes could occur in SPRO. a Swiss cooperative. Best if no users have access in Production. System Connections Only authorized users have ability to maintain system connections is restricted based on business need: System reporting may be inaccurate if system connections to host SAP data system is incorrect Execute SUIM and determine which uses have access to Transaction SM59 Auth Object: S_ADMI_FCD Activity value NADM Guidance: Should be restricted to system administrators.doc Control Access to configure the IMG is restricted Risk Unauthorized changes to the system configuration IMG could occur and provide inaccurate data Testing Execute SUIM and determine which uses have access to Transaction: SPRO Auth Object: S_IMG_ACTV Activity: 02 Authorization: ACT Auth Object: S_PROJECT Activity 01 or 02 Guidance: Access should be restricted to display only in Production. 0 Date 3/11/2009 Version History First Version for Publication Author Jared D. 02 And review access for: Transaction: SCC4 Auth Object S_TABU_DIS Activity: 02 Guidance: Access should be restricted to system administrators only and should have an audit log attached to determine when the system is opened and changed. Determine if client made a copy of SAP_ALL and is using similar access under another role or profile. Version History Version # 1. Risk Incorrect system global settings may allow unauthorized changes in the production environment that will impact data integrity Testing Execute SUIM and determine which uses have access to Transaction SE06.ABCD Activity System Change Option SAP Business Intelligence White Paper v1. a Swiss cooperative.S. KPMG and the KPMG logo are registered trademarks of KPMG International. Krueger Page 31 of 32 © 2009 KPMG LLP. a U. All rights reserved. a Swiss cooperative. Auth Object: S_TRANSPRT Activities: 01. . Execute SUIM and determine which uses have access to Profile: SAP_ALL Guidance: No users under any circumstances should have access to SAP_ALL if they are a dialogue user ID. For internal use only.doc Control Global system change option is appropriately configured. SAP ALL No users should have access to SAP_ALL Profile User will have no restrictions and may cause data integrity issues 10.0. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. com http://sap.S. Sources: 1 2 3 4 5 SAP Training Class TBI40 Data Modeling and Security SAP Business Intelligence Security by Gary Morris http://help. a Swiss cooperative.com Page 32 of 32 © 2009 KPMG LLP. All rights reserved. .sapsecurityonline.ittoolbox. KPMG and the KPMG logo are registered trademarks of KPMG International.sap. a U.doc ____________________________________________________________________________________________________________________ 11.ABCD SAP Business Intelligence White Paper v1.com http://www.0. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International. For internal use only. a Swiss cooperative.