Ensuring secure access to data is essential for any system landscape, whether on-premise or in the cloud, and especially in Data Warehouse environments where various data sources are consolidated and centrally managed to build a single version of truth.
In historically grown environments, and because different concepts exist to define and secure access to data on row level, users end up implementing a separate row-level security concept for each system. This is a huge effort in development and administration, and keeping the security consistent and up to date across systems is hard.
So the central question is: how can existing authorizations be leveraged in SAP Data Warehouse Cloud?
*) Data Access Control
There are two common ways to achieve this with SAP Data Warehouse Cloud:
- Accessing the data in the source system in a federated way, where a technical user (with a well-defined set of authorizations) accesses the data in the given source, as is done today.
- Leveraging existing authorizations from the source by replicating them to SAP Data Warehouse Cloud, generating corresponding authorizations there (in SAP Data Warehouse Cloud: ‘Data Access Controls’) and applying them in SAP Data Warehouse Cloud.
Both options make sense and are, in one way or another, already available/supported in various applications. However, looking at SAP Data Warehouse Cloud as a central Data Warehouse application that consolidates different sources of data, it makes sense to also have one central, common concept of row-level security, and to reduce the implementation effort at the same time by leveraging the authorizations that already exist in the sources.
This blog shares some more detailed information on how the new Remote Authorization functionality works for SAP BW/4HANA, the first integration scenario to be supported.
Introduction to Remote Authorizations for SAP Data Warehouse Cloud from SAP BW/4HANA
Replicating Authorizations from SAP BW/4HANA to SAP Data Warehouse Cloud is a process which starts in SAP BW/4HANA and continues in SAP Data Warehouse Cloud. The result is that existing Analysis Authorizations from SAP BW/4HANA can be reused in SAP Data Warehouse Cloud.
To achieve this, three objects are generated in SAP Data Warehouse Cloud for each InfoProvider selected in SAP BW/4HANA, to replicate its associated Analysis Authorizations:
- The Data Access Control(s) based on the Analysis Authorizations associated with the given InfoProvider in SAP BW/4HANA
- An SQL Script that provides the list of authorized values for each user
- Finally, a protected view on the InfoProvider to which the generated DAC is assigned. This view can be shared with other Spaces for further usage.
Let me share a more detailed view of the process before giving some insight from a system perspective:
Step 1 – in SAP BW/4HANA
Definition of the scope of Analysis Authorizations (User, InfoProvider) to be exported into the Permission Table in SAP BW/4HANA (Transaction: RSDWC_DAC_RSEC_GEN; technical name of the Permission Table: RSDWC_RSEC_DAC). This table is the basis for replicating Analysis Authorizations to SAP Data Warehouse Cloud.
Step 2 – in SAP Data Warehouse Cloud
On the SAP Data Warehouse Cloud side, the Permission Table is imported from SAP BW/4HANA; a wizard guides this process.
In this step, the BW user name is replaced with the user name in SAP Data Warehouse Cloud. Typically, the user name used in SAP Data Warehouse Cloud is the e-mail address. In most cases the e-mail address is part of the user profile in SAP BW/4HANA, so the names can easily be exchanged. For the remaining cases (e.g. where the e-mail address is not maintained) a BAdI can be used to derive this information. The technical name of the BAdI is RSDWC_DAC_RSEC_USER_UPDATE (see also note 3062381).
Important note: each of the objects generated as part of this process is imported metadata-wise, with a remote connection to the original object in SAP BW/4HANA. This applies to the Permission Table as well as to the protected views of the InfoProviders.
The recommendation for the remote Permission Table on the SAP Data Warehouse Cloud side is to keep using the default federated (remote) access to the Permission Table in SAP BW/4HANA, so that authorization changes in SAP BW/4HANA take effect immediately. If a replication of the Permission Table to SAP Data Warehouse Cloud is considered, a daily upload (refresh) should be scheduled to keep the data in sync; until the next refresh, a replicated table still reflects the old authorizations, including values that have since been revoked in SAP BW/4HANA.
Step 3 – in SAP Data Warehouse Cloud
The SAP BW/4HANA InfoProvider(s) for which the relevant Analysis Authorizations should be imported must also be imported into SAP Data Warehouse Cloud (via the Data Builder). They must be imported and deployed (again: metadata-wise). This step can be done as a prerequisite before starting the wizard.
Step 4 – in SAP Data Warehouse Cloud
An Input Permission View is generated by applying the filter clause (in the form of a generated SQL Script), where each authorized value a user is allowed to see is represented by one record in a list. Analysis Authorizations on hierarchy nodes are flattened into the values below the node. If a user is allowed to see all values (represented by a ‘*’ (asterisk) in Analysis Authorizations), a filter string is generated which contains all values of the authorization-relevant InfoObject.
Step 5 – in SAP Data Warehouse Cloud
The Data Access Control is generated, where the SQL Script from the previous step serves as the ‘Data Entity’ for the Data Access Control (carrying the list of all users and their authorized values, based on the Analysis Authorizations they have in SAP BW/4HANA).
Step 6 – in SAP Data Warehouse Cloud
A protected view with a remote connection to the original InfoProvider is generated with the Data Access Control attached. This View can be shared with other Spaces for further usage/consumption.
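To make Steps 2, 4 and 6 concrete, here is an added example in Python that is not part of the blog and not the SQL Script SAP generates: it models how rows of the Permission Table are turned into the flat (user, authorized value) records a Data Access Control consumes, and what a protected view then returns for a given user. The column names of the permission rows (bw_user, kind, low, high), the master data, the hierarchy and the user profiles are constructed for illustration and only reuse the blog's ZSALES / SALESORG / DAC01 names; the derive hook merely stands in for the role the BAdI RSDWC_DAC_RSEC_USER_UPDATE plays for users without an e-mail address.

```python
"""Added example (not SAP's generated SQL Script): flattening BW Analysis
Authorizations into the permission entity of a Data Access Control."""
from __future__ import annotations
from typing import Callable, Iterable, Optional

# --- Constructed sample data (names follow the blog's ZSALES example) ---

# Master data of the authorization-relevant InfoObject (constructed)
MASTER_DATA = {"SALESORG": ["1000", "1010", "2000", "2010", "3000"]}

# A hierarchy on SALESORG (constructed): node -> children, leaves are values
HIERARCHY = {
    "SALESORG": {
        "EUROPE": ["DE", "FR"],
        "DE": ["1000", "1010"],
        "FR": ["2000", "2010"],
        "ASIA": ["3000"],
    }
}

# BW user profiles (constructed); BWBATCH has no e-mail maintained
BW_USERS = {
    "DAC01": {"email": "DAC01@example.com"},
    "DAC02": {"email": "dac02@example.com"},
    "BWBATCH": {"email": ""},
}

# Rows as they might be exported to the Permission Table; column names are
# an assumption of this example, the real table layout is not shown in the blog.
# kind: EQ = single value, BT = interval, HIER = hierarchy node, * = all values
PERMISSION_ROWS = [
    {"bw_user": "DAC01", "infoprovider": "ZSALES", "iobj": "SALESORG", "kind": "EQ", "low": "1000", "high": ""},
    {"bw_user": "DAC01", "infoprovider": "ZSALES", "iobj": "SALESORG", "kind": "BT", "low": "2000", "high": "2010"},
    {"bw_user": "DAC02", "infoprovider": "ZSALES", "iobj": "SALESORG", "kind": "HIER", "low": "EUROPE", "high": ""},
    {"bw_user": "BWBATCH", "infoprovider": "ZSALES", "iobj": "SALESORG", "kind": "*", "low": "*", "high": ""},
]

# Constructed content of the ADSO ZSALES
ZSALES = [
    {"SALESORG": "1000", "AMOUNT": 100},
    {"SALESORG": "1010", "AMOUNT": 200},
    {"SALESORG": "2000", "AMOUNT": 300},
    {"SALESORG": "2010", "AMOUNT": 400},
    {"SALESORG": "3000", "AMOUNT": 500},
]


def map_bw_user(bw_user: str, derive: Optional[Callable[[str], Optional[str]]] = None) -> Optional[str]:
    """Step 2: replace the BW user name with the DWC user name (the e-mail).
    `derive` stands in for the BAdI used when no e-mail is maintained.
    Returns None if no mapping exists: that user then gets no records in the
    permission entity and therefore no rows in the protected view (fail closed)."""
    email = BW_USERS.get(bw_user, {}).get("email", "").strip()
    if email:
        return email.lower()
    derived = derive(bw_user) if derive else None
    return derived.lower() if derived else None


def hierarchy_leaves(iobj: str, node: str) -> set[str]:
    """Flatten a hierarchy node into the master-data values below it."""
    children = HIERARCHY.get(iobj, {}).get(node)
    if children is None:  # not a node: it is a leaf value
        return {node}
    leaves: set[str] = set()
    for child in children:
        leaves |= hierarchy_leaves(iobj, child)
    return leaves


def expand_row(row: dict) -> set[str]:
    """Step 4: turn one Analysis Authorization restriction into explicit single values."""
    iobj, kind, low, high = row["iobj"], row["kind"], row["low"], row["high"]
    if kind == "*":  # '*' is materialised as the full list of master-data values
        return set(MASTER_DATA.get(iobj, []))
    if kind == "EQ":
        return {low}
    if kind == "BT":  # interval over the master-data values
        return {v for v in MASTER_DATA.get(iobj, []) if low <= v <= high}
    if kind == "HIER":
        return hierarchy_leaves(iobj, low)
    raise ValueError(f"unsupported restriction kind: {kind}")


def build_permission_entity(rows: Iterable[dict], derive=None) -> list[tuple[str, str, str, str]]:
    """Steps 2 + 4: the flat (dwc_user, infoprovider, iobj, value) records
    that serve as the Data Entity of the Data Access Control."""
    entity: set[tuple[str, str, str, str]] = set()
    for row in rows:
        dwc_user = map_bw_user(row["bw_user"], derive)
        if dwc_user is None:
            continue  # unmapped BW user: no records, hence no access
        for value in expand_row(row):
            entity.add((dwc_user, row["infoprovider"], row["iobj"], value))
    return sorted(entity)


def authorized_values(entity, dwc_user: str, infoprovider: str, iobj: str) -> set[str]:
    return {v for (u, p, i, v) in entity if u == dwc_user and p == infoprovider and i == iobj}


def protected_view(data_rows, entity, dwc_user: str, infoprovider: str, iobj: str) -> list[dict]:
    """Step 6: the protected view returns only rows whose value is in the
    user's authorized list; a user without records sees nothing."""
    allowed = authorized_values(entity, dwc_user, infoprovider, iobj)
    return [r for r in data_rows if r[iobj] in allowed]


if __name__ == "__main__":
    ent = build_permission_entity(PERMISSION_ROWS)
    for user in ("dac01@example.com", "dac02@example.com", "bwbatch@example.com"):
        print(user, sorted(authorized_values(ent, user, "ZSALES", "SALESORG")))
```

Two properties of the design described in the blog become visible when running this: a BW user whose e-mail is not maintained and not derived by the BAdI simply has no records in the permission entity, so the protected view returns nothing for that user rather than everything; and because ‘*’ is materialised as the full value list, a value added to the master data later only becomes visible once the permission entity is regenerated or refreshed.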
Look & Feel Remote Authorizations
Let us now take a look at the system and see how this process flows in SAP Data Warehouse Cloud as well as in SAP BW/4HANA.
1. Populating the Permission Table in SAP BW/4HANA
- In this example, the Advanced DataStoreObject (ADSO) ‘ZSALES’ should be made available in SAP Data Warehouse Cloud and protected by Data Access Controls
- On Characteristic (InfoObject) ‘SALESORG’ there is an Analysis Authorization defined
- User ‘DAC01’ has this Analysis Authorization assigned to his profile
2. Import Analysis Authorizations into SAP Data Warehouse Cloud
- Before starting the wizard to import Remote Authorizations, the InfoProviders to be protected and used in SAP Data Warehouse Cloud should be imported into SAP Data Warehouse Cloud
- The import can be done in the Data Builder by importing the InfoProvider from the BW connection (in the ‘Extractors’ section: folder ‘BW’) into the canvas of the graphical view modelling
- The table needs to be imported and deployed
- The import functionality for Analysis Authorizations from SAP BW/4HANA can be found on the landing page of Data Access Controls in SAP Data Warehouse Cloud
- In the first step of the wizard, a valid SAP BW/4HANA Connection must be selected
- Secondly (if not available already) a name must be entered for the Permission Table
- In the third step the InfoProvider(s) must be selected for which protected views and respectively the corresponding DACs should be generated
- In the last step of the wizard, a summary is displayed with all objects which will be generated: a Data Access Control, the protected view and the SQL script which delivers the authorized values for each user, based on the SAP BW/4HANA Authorizations.
- The generated objects at a glance 🙂
Remote Authorizations for SAP Data Warehouse Cloud from SAP BW/4HANA should reduce the development effort for row-level security by leveraging investments already made in SAP BW/4HANA. Further source systems (e.g. SAP S/4HANA, SAP NetWeaver BW 7.5) are planned as potential candidates to be supported.