EPM 10 Security

BPC 10 EPM 10 Security

  • Welcome to the Security lesson for SAP BusinessObjects Planning and Consolidation 10.0, version for SAP NetWeaver.

  • After completing this lesson, you will be able to perform the actions listed above.

  • You can access all the views related to the security topics under the Security domain in the left side panel of the Administration workspace:

    Users

    Teams

    Task Profiles

    Data Access Profiles (Member Access Profiles in 7.5)

  • List of all the users assigned to the environment.

    From this list, you can add or remove users (multiple deletion is allowed).

    You can also edit a user. Several users can be edited simultaneously (mass maintenance).

    In this list you can see the IDs of the users, their last and first names, and their email addresses.

    These properties come from the NW users and cannot be changed in BPC.


  • As of 10.0, the NW version uses the NW user directly to log on to the BPC application from the web client or the Excel client. Windows AD users and CMS users are no longer supported. In 7.5, a user could log on with either a Windows AD user/password or a CMS user/password on the BPC logon screen; in BPC 10.0, the NW user should be used instead. For upgrade customers, all users from 7.5 (whether Windows AD users or CMS users) should be migrated, and all task profiles and data access profiles assigned to Windows AD users (or CMS users) will be assigned to NW users instead after migration. To migrate users and security, a customer should create an NW user for each Windows AD user or CMS user, and create a 1:1 mapping between the Windows AD user (or CMS user) and the NW user to enable migration. For customers still using CMS, the CMS side did some development for BPC 10.0 NW so that the customer can configure, for each CMS user, an NW user with which that CMS user can log on directly to the BPC application.

    There are two parts of roles to be assigned to a BPC business user on the BW end:

    Static assigned roles (/POA/BUI_FLEX_CLIENT and /POA/BUI_UM_USER), assigned when each user is created in NW. Both roles are required by the BUI layer and are NOT environment related.

    Dynamic assigned roles, assigned when a user is added to any environment or is assigned any BPC security task from the admin console.

    Please note that both parts are backend NW roles, which should be transparent to BPC business users. BPC business users only have task profiles and data access profiles.

    Task profiles actually use NW authorization objects, while the details of data access profiles are stored in BPC-specific tables, the same as in 7.5.
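
A pre-migration check for the 1:1 user mapping and the two static roles described above, as an added example that is not SAP's or the lesson's own code. The legacy user names, the mapping rows, the role listing and the function name `check_migration` are constructed for illustration; how this data is exported from 7.5 and NW is an assumption left outside the example.

```python
from collections import Counter

# Static NW roles the page says every BPC user needs (required by the BUI layer).
STATIC_ROLES = {"/POA/BUI_FLEX_CLIENT", "/POA/BUI_UM_USER"}

# Constructed sample data; the layout is an assumption, not a BPC export format.
LEGACY_USERS = ["CORP\\asmith", "CORP\\bjones", "cms:cwu", "cms:dlee"]
MAPPING = [  # (7.5 Windows AD or CMS user, NW user)
    ("CORP\\asmith", "ASMITH"),
    ("CORP\\bjones", "BJONES"),
    ("cms:cwu", "BJONES"),        # second legacy user mapped to the same NW user
    ("CORP\\asmith", "ASMITH2"),  # one legacy user mapped twice
]
NW_ROLES = {  # NW user -> roles currently assigned
    "ASMITH": {"/POA/BUI_FLEX_CLIENT", "/POA/BUI_UM_USER"},
    "ASMITH2": {"/POA/BUI_FLEX_CLIENT", "/POA/BUI_UM_USER"},
    "BJONES": {"/POA/BUI_FLEX_CLIENT"},
}


def check_migration(legacy_users, mapping, nw_roles):
    """Return findings that break the 1:1 legacy-to-NW mapping or the role baseline."""
    pairs = set(mapping)  # exact duplicate rows are harmless, count them once
    per_legacy = Counter(legacy for legacy, _ in pairs)
    per_nw = Counter(nw for _, nw in pairs)
    missing = {}
    for nw_user in sorted(per_nw):
        # An NW user absent from nw_roles is treated as holding no roles at all.
        gap = STATIC_ROLES - nw_roles.get(nw_user, set())
        if gap:
            missing[nw_user] = sorted(gap)
    return {
        # Legacy users with no NW user: their profiles have no migration target.
        "unmapped": sorted(set(legacy_users) - set(per_legacy)),
        # One legacy user pointing at several NW users.
        "legacy_to_many": sorted(u for u, n in per_legacy.items() if n > 1),
        # Several legacy users pointing at one NW user: not 1:1, and two users'
        # task and data access profiles would target a single account.
        "shared_nw_user": sorted(u for u, n in per_nw.items() if n > 1),
        # Mapped NW users lacking one of the two static roles.
        "missing_static_roles": missing,
    }


if __name__ == "__main__":
    for finding, value in check_migration(LEGACY_USERS, MAPPING, NW_ROLES).items():
        print(f"{finding}: {value}")
```

An empty result in every category means the mapping is 1:1 and each target NW user already holds both static roles.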


  • If multiple users are edited, you cannot manage this setting.

    But, as for the teams, you can distinguish in this tab the teams to which all the edited users are assigned (All users value). From this tab, you can also use the Assign to all function to assign all the edited users to a team.

  • In the Task Profiles tab, in case of a single user, you can see the task profiles assigned to this user:

    Directly

    But also through the teams he/she is assigned to (Inherited)

  • In case of multiple users, you do not have this information about inherited task profiles. The same principle applies in this case: you can see the list of all the task profiles assigned to at least one user in the selection and distinguish those that are assigned to all the edited users.

    Assign to all in this tab also assigns a task profile to all the edited users.

    You can of course add task profiles to assign them to all the selected users.


  • Here is the list of all the teams of the environment.

    From this list, you can create or delete a team (multiple deletion is allowed).

    You can also edit multiple teams simultaneously (mass maintenance).

    In addition to the ID and the description of the teams, you see how many users are assigned to each of them as well as the number of task profiles and data access profiles.

  • You can edit and change multiple teams simultaneously.

    Only the common changes made during the editing will be applied to the set of teams (for example, everything that has not been changed in each team is kept).

  • In the Users tab, you can see the list of all the users assigned to the selection of teams.

    You can add a new user, who will therefore be assigned to all edited teams.

    See the value All teams in the Assigned to column. In the same way, you can assign a set of task profiles to the selection of teams.

  • Same principle as in the Users tab for the Assigned to column. If a task profile is assigned to all the edited teams, it shows the All teams value. If a task profile is not assigned to all the edited teams, it shows the Some teams only value.

    In this case, the Assign to all function lets you assign the task profile to all the edited teams.


  • Here is the list of all the task profiles created in the environment.


  • Exactly the same behavior as in the Users and Task Profiles tabs is implemented in the Data Access Profiles tab.


  • Click the Add button to create a new task profile. This command opens a wizard that lets you create a team through 3 distinct steps.

    In the first step, you must specify an ID and you can also add a description (optional).

  • You can also select a node in the list to add all its tasks simultaneously to the selection. Multiple selection is also allowed for the nodes.


  • This command directly opens the data access profile editor.

    You can set all the settings and configure the data access for all models in this page.

    You must enter an ID and can add a description (optional).

    The left pane lists all the models of the environment and, for each of them, you can see the current status of its access rights:

    None means that access rights can be specified for the model, since some dimensions are secured, but none has been defined or completed yet.

    Restricted access means that some access rights have been specified for the model.

    Full (Unsecured Model) means that there are no secured dimensions in this model. Therefore, you cannot specify any access rights for this model.


  • If no hierarchy exists, it is a flat list.


  • You should now be able to perform the actions listed above.