Sunday, 12 May 2019

SAP BW/4HANA Migration – Authorisation

The simplification of object types in SAP BW/4HANA has an impact on authorisation objects. When converting a SAP BW system to a SAP BW/4HANA, authorizations for object types that are not available in SAP BW/4HANA (like InfoCubes) must be replaced by authorizations for corresponding object types (like ADSO).

This article covers my experience of the impact on authorisation by migrating BW classic objects to BW/4HANA compatible objects in a BW 7.5 system (HANA DB) along with a review of what tools are available to assist with the authorisation process.

The following are the six aspects of authorisation that this article will cover:

1. Authorisation required for the BW/4HANA transfer toolbox (In-Place)
2. SAP defined action types
3. Authorisation impact to the BI business users by the BW/4HANA transfer toolbox on a BW 7.5 system.
4. Authorisation impact to the BI support users by the BW/4HANA transfer toolbox on a BW 7.5 system.
5. Transfer Authorisation Tool in BW/4HANA transfer cockpit (RSB4HCONV).
6. Authorisation impact once the BW system (7.x) is converted to a SAP BW/4HANA.

1. Authorisation required for the BW/4HANA transfer toolbox (In-Place)


Systems running on SAP BW 7.50 powered by SAP HANA can be converted in-place keeping their SID. In the realization phase of the conversion project, classic objects must be transferred into their HANA optimized replacements using the Transfer Toolbox (RSB4HTRF). This transfer can be performed scenario-by-scenario. When all classic objects have been replaced, the system conversion to BW/4HANA can be triggered.

To execute the object conversion process using the BW/4HANA transfer toolbox (transaction RSB4HTRF), I suggest that you create a new role that contains the following authorisation objects and values (reference note 2383530 for more information). This role will be required in all BW systems in the landscape as the BW/4HANA conversion needs to be executed manually in each system. Once implemented, please assign only to support/project team members responsible for the conversion of the BW objects.

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

2. SAP defined action types


SAP have defined four types of actions that need to be applied for respective authorization objects impacted by the conversion process using the BW/4HANA transfer toolbox and the migration to BW/4HANA:

◈ Assume – Nothing to do. Authorizations will continue to work after conversion
◈ Adjust – Check and adapt values of authorization objects
◈ Replace – Change authorization object and adapt its values
◈ Obsolete – Not needed/supported authorization object that should be remove

The following sections will refer to these action types (reference note 2468657 for more information).

3. Authorisation impact to the BI business user by the BW/4HANA transfer toolbox on a BW 7.5 system.


As mentioned, my experience is based off a BW 7.5 (DB HANA) scenario. The data level security is based off analysis authorisation objects (RSECADMIN) in conjunction with the authorisation object S_RS_AUTH. Before migration each BI report is based off a multiprovider.

SAP note 2468657 (BW4SL – Standard Authorizations) confirms that there is no impact on the S_RS_AUTH authorisation object (i.e. no changes are required after migration objects to BW/4HANA compatible objects).

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

After converting a data flow to a BW/4HANA compatible data flow – I executed a BI report (impacted by this conversion) using a test user (copy of an existing business user). The result was that there was no impact on the data level authorisation (as expected).

If your data level authorisation is configured in the same way as this scenario (i.e. BI reports based off multiproviders only along with analysis authorisation (S_RS_AUTH)) then converting your BW multiproviders to composite providers via the BW/4HANA toolbox (RSB4HTRF) will have no impact to the BI business user. I would still recommend to do a sanity check with a test user on a sub-set of the BI reports after converting the multiprovider to a composite provider.

If you don’t have analysis authorisation in place, I suggest that you review the possibility of implementing it before starting the conversion of any data flows using the BW/4HANA transfer toolbox.

4. Authorisation impact to the BI support user by the BW/4HANA transfer toolbox on a BW 7.5 system.


From a BI support users perspective, you need to review the authorisation objects that have the action type of replace and adjust. The following are a list of authorisation objects that have these action types (from SAP OSS note 2468657):

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

The main two replace object types are for ADSO (S_RS_ADSO) and composite provider (S_RS_HCPR). Based on my scenario, as part of a previous BW 7.4 upgrade on to HANA DB, the security team manually included these objects (S_RS_ADSO & S_RS_HCPR) into all our support roles that had the existing support roles S_RS_ODSO, S_RS_HYPER, S_RS_ICUBE, S_RS_MPRO and S_RS_ISNEW.

For the remaining replace authorisation objects (S_RS_IOBJA (replacing S_RS_IOBJ) and S_RS_TRCS (replacing S_RS_ISNEW)) and all the adjust objects there are two options available to update the support roles (these options are also applicable for S_RS_ADSO and S_RS_HCPR):

◈ Manually update the security roles.
◈ Transfer Authorisation Tool (RSB4HCONV) – creates a new role with all the necessary updates (covered in the next section).

5. Transfer Authorisation Tool in BW/4HANA transfer cockpit (RSB4HCONV).


The Authorization Transfer Tool uses the existing roles in your system. It will create copies of these roles while preserving original ones. Conversion rules for authorization objects are then applied on top of these role copies. After the conversion of objects using the Scope Transfer Tool, both original and created roles will be assigned to the users. After confirmation of authorization object conversion and a successful system conversion to SAP BW/4HANA, you can then remove original roles manually.

Any required actions on the authorization objects can be carried out only after the transfer of their corresponding SAP BW objects is done in the system via the BW/4HANA transfer toolbox. (especially for object types adjust and replace). The transfer of the SAP BW object must be done using the Scope Transfer Tool. The transfer runs will provide the information required to adjust or replace the authorization objects in the selected roles:

◈ Mapping of new names and types of converted InfoProviders, transformations, etc.
◈ Names of additional InfoProviders created (e.g. Composite Provider for DataStore objects (advanced) with navigational attributes)

The following is the example provided in the BW/4HANA conversion guide:

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

The following is an overview of the above example.

A. Execute the transaction RSB4HCONV (BW/4HANA transfer cockpit) and select the Transfer Standard Authorizations (initial run) radio button

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

B. Then enter a run ID and select create button:

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

C. Add the support roles required to be reviewed by selecting the Add roles button and select each role required. For this example – the role TEST_CONV_AUTH was selected (same name as Run ID – please don’t let this confuse you).

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials
SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

D. Execute the initial run radio button. For each role, a new role is created, and the existing role is scanned for authorization objects with defined “assume” or “obsolete” rules. This is also called the Preparation Phase. It’s not dependent on BW/4HANA migration been executed. If this is successfully, green icons will appear in the first status column.

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

E. Assuming the BW/4HANA object migration has been executed, execute the Delta run radio button. The system will retrieve the details of related scope transfer runs and scan the original roles for authorization objects with defined “adjust” or “replace” rules. Authorization objects with “replace” rule is checked for conflicts. Then the roles copies are adjusted according to the defined rules. If this is successfully, green icons will appear in the second status column

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

Please note in RSB4HCONV (BW/4HANA transfer cockpit) there are two radio buttons – Transfer Standard Authorizations (initial run) and Transfer Standard Authorizations (delta run) – this step and steps below can be executed in either option (once the BW/4HANA object migration has been executed) .

F. Now review the prepared mapped roles and authorizations on right hand side under New Objects:

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

G. If you’re satisfied with the new objects, execute the Generate Target Roles run radio button. The system will generate the new roles and assign them to the same users as the corresponding original roles. The new role name will be name in the Cnv. Name column – in this example this is TEST_CONV_AUTH_BW4H. Please not this name can be changed before this step by selecting the change icon (in change column) and entering an alternative name.

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials
SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

H. Once the BW system is converted to SAP BW/4HANA, you should remove the original roles (they are inconsistent anyway, since they contain obsolete authorization objects). In this example, the role TEST_CONV_AUTH should be removed from all users manually.

6. Authorisation impact once the BW system (7.x) is converted to SAP BW/4HANA.


Once the system is on BW/4HANA, the following authorisation objects are no longer required (action type obsolete).If you used the Authorization Transfer Tool (step 5 – above) then you need to manually remove all the old roles (keeping the newly generated roles) from all users. If you did not use this approach, you need to work with the security team to manually remove the authorisation objects below from all impacted roles.

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

SAP BW/4HANA, SAP HANA Certifications, SAP HANA Learning, SAP HANA Guides, SAP HANA Study Materials

No comments:

Post a Comment