With
SAP BW/4HANA, SAP has re-architected its solution for modern data warehousing
processes that the ever-increasing digitization of the world demands.
Re-architecting a solution that has been growing over the past 20 years and
has, at points, evolved into different data structures and architectures means
that we also have to decide on one data structure and architecture as we move
forward. This is the only way that we can prepare the solution for increased
simplicity and faster innovation cycles.
The
purpose of this document is to explain the end-to-end Authorization conversion
process with which you can transition from your existing SAP Business Warehouse
to the next-generation data warehouse solution: SAP BW/4HANA.
SAP
provides three paths for the conversion from SAP BW to SAP BW/4HANA, the
so-called “In-place Conversion”, “Remote Conversion”, and “Shell Conversion”.
The
Remote Conversion approach enables you to move whole data flow or transfer only
selected data flows including the data from SAP BW 7.3 with any DB to a new
installation of SAP BW/4HANA. You are able decide whether you want to build a
clean system, leave old and unused objects behind, and reduce unnecessary
layers of your data warehouse. If applicable, the Remote Conversion process
includes a Unicode conversion. Carve-out scenarios are also supported.
The
Remote Conversion is available for SAP BW 7.3 and later releases. Among other
ad- vantages, this approach only includes objects that will remain relevant
going forward and saves you the effort of converting your database. It thus
represents the chance to build a clean system, leave old and unused objects
behind while migrating to SAP BW/4HANA system.
The simplification of object types in SAP
BW/4HANA has an impact on authorization objects. When converting a SAP BW system to a SAP
BW/4HANA, authorizations for object types that are not available in SAP
BW/4HANA (like Info Cubes) must be replaced by authorizations for corresponding
object types (like ADSO).
The
Authorization Transfer Tool uses the existing roles in your system. It will
create copies of these roles while preserving original ones. Conversion rules
for authorization objects are then applied on top of these role copies. After
the conversion of objects using the Scope Transfer Tool, both original and
created roles will be assigned to the users. After confirmation of
authorization object conversion and a successful system conversion to SAP
BW/4HANA, you can then remove original roles manually.
Any
required actions on the authorization objects can be carried out only after the
transfer of their corresponding SAP BW objects is done in the system via the
BW/4HANA transfer toolbox. (especially for object types adjust and replace).
The transfer of the SAP BW object must be done usi7ng the Scope Transfer Tool.
The transfer runs will provide the information required to adjust or replace
the authorization objects in the selected roles:
·
Mapping
of new names and types of converted Info Providers, transformations, etc.
·
Names
of additional Info Providers created (e.g., Composite Provider for Datastore
objects (advanced) with navigational attributes)
|
Sender system Name
|
BW 7.4
|
|
Receiver system Name
|
BW4HANA
|
|
Target OS version
|
SLES 15 Sp01
|
|
Hana DB version (Target DB)
|
HANA 2.0 SP05 Rev 53
|
|
Source System Application
|
NETWEAVER 7.4
|
|
Target System Application
|
BW/4HANA 2.0 SP08
|
User Master data details to be
exported in excel to replicate in Target Sandbox from Sender system like user
address data, user role mapping sheet, list of analysis authorizations
To execute the object conversion
process using the BW/4HANA transfer toolbox (transaction RSB4HTRF), SAP
recommend adding few authorization objects and values as in reference note
2383530.This SAP template role will be required in all BW systems in the landscape
as the BW/4HANA conversion needs to be executed.
Master Role will contain all DMIS
related Authorization that is requires in Sender system environment for running
BW4HANA Cockpit Once implemented, please assign only to project team members responsible
for the conversion of the BW objects.
The SAP template role details in
present in note 2280336. For our project we have created custom role below
SAP BW/4HANA Conversion Cockpit Execution
user access required for the SAP BW/4HANA Conversion Cockpit. This is a
composite role for execution expert users with complete project administration
authorizations. It contains the authorizations required in source environment
by project Team members
The SAP BW/4HANA Conversion
Cockpit does not come with fixed destinations or usernames. An RFC destination
from the original SAP BW system and target SAP BW/4HANA system needs to be
created using process tree step “Define RFC Destination”. Users in RFC
destinations need to have the require authorizations in sender and target as specified
in the Excel
SAP BW needs to open SAP
connection to connect to SAP for that creation of SAPOSS User id and Role as
per suggestion given by SAP in sender. Refer link
http://wiki.scn.sap.com/wiki/x/EQlSGQ for details Auth required.
Several Delta Authorizations created
as part of migration activity in Target environment that is required by
developer to work for the scope collection and remediation task. These are created
based on the requirement from BW and BPC project admin Team.
The BW/4HANA Modeler connects
source systems, model’s data flows, performs data transfer processes, and
schedules process chains. This takes place in the development system.
The BW/4HANA Modeler role has
the following authorizations:
•
Create/change/delete
data flows, Info Objects, Info Providers (Datastore object, Composite Provider,
Open ODS view), transformations, data transfer processes and process chains in
the BW Modeling tools and on the back end
•
Administration
of Info Providers
•
Execute
data transfer processes
•
Schedule
process chains
•
Transport
objects on existing transport requests
The role is required to use the
BW Modeling Tools. Role that contains all authorizations to display and browse
ABAP development objects. it is mainly used by BW and BPC folks for Remediation
purpose in the Target Environment. This role can only be assigned to folks involving
in Remediation.
There are several Authorizations
which are not present in Modeler either in BW support maintenance and those are
required as part of migration for Scope collection, Migration and Remediation
Purpose of BW/BPC Developer. Those all authorizations are collected in BW delta
role and BPC Delta Role which will finally merge in Modeler role for BW and BPC
respectively
Conversion from SAP BW to SAP
BW/4HANA also requires conversion of authorization objects, SAP have defined
four types of actions that need to be applied for respective authorization
objects impacted by the conversion process using the BW/4HANA transfer toolbox
and the migration to BW/4HANA:
·
Assume – Nothing to do.
Authorizations will continue to work after conversion
·
Adjust – Check and adapt
values of authorization objects
·
Replace – Change
authorization object and adapt its values
·
Obsolete – Not
needed/supported authorization object that should be remove
SAP NOTE 2468657 shows the
authorizations objects used in SAP BW and not available in SAP BW/4HANA. The
SAP BW/4HANA Transfer Cockpit provides an Authorization Transfer Tool to
automate the transfer of existing security roles
The Authorization Transfer Tool
uses already existing roles in your system. It will create copies of these
roles while preserving original ones. Conversion rules for authorization
objects are then applied on top of these role copies. After the conversion of
objects using the Scope Transfer Tool, both original and created roles will be
assigned to the users. After confirmation of authorization object conversion
and a successful system conversion to SAP BW/4HANA, you can remove original
roles.
When a user accesses the SAP
HANA database using a client interface (for example, ODBC, JDBC, or HTTP), his
or her ability to perform database operations on database objects is determined
by the privileges that he or she has been granted.
All the privileges granted to a
user, either directly or indirectly through roles, are combined. This means
that whenever a user tries to access an object, the system performs an
authorization check on the user, the user's roles, and directly granted
privileges. It is not possible to explicitly deny privileges. This means that
the system does not need to check all the user's privileges. As soon as all
requested privileges have been found, the system skips further checks and
grants access. Several privilege types are used in SAP HANA (system, object,
analytic, package, and application)
Transport the user master data from
Sender system – Sender systems new target sandbox BW/4HANA along with user
assignment.
Check and confirm if all Auth
Relevant Characteristics and roles exist in Target Environment also make sure
all AA is activated in Target system.
Execute program
RS_B4HTAU_CREATE_RUN for creation of run Id and execution of Standard Transfer
Authorizations using SE38
Create a Run ID (Reciever_RUNID1)
run id is a name for bunch of roles we need to convert at a same time
Perform the initial setting for
user assignment and the suffix to be used for newly created roles. Here we have
used BW4 as suffix for new roles
Select and upload original roles
(SAP BW Roles) that needs to be converted. Below are the roles
For each role, a new mapping
name is created, and the role is scanned for authorization objects with defined
“assume” or “obsolete” rules.
Wait for the BW team for
completion of the BW/4HANA object migration before starting Delta Execution
After the successful transfer of
objects using the Scope Transfer Tool, the transfer of standard authorizations
must be completed using a delta run.
The system will retrieve the
details of related scope transfer runs and scan the original roles for
authorization objects with defined “adjust” or “replace” rules. Authorization
objects with “replace” rule are checked for conflicts. Then the roles copies
are adjusted according to the defined rules.
The
system will generate the new roles and offers the possibility assign them to
the same users as the corresponding original roles. the newly created roles
with Suffix B4H in Target BW/4HANA system.
Review and compare the roles
which are newly created vs the once present in sender BW system. Also check and
confirm the necessary actions have been taken on objects in SAP Note 2468657
Once the complete system is
converted to SAP BW/4HANA, you should delete the original roles (they are
inconsistent anyway, since they contain obsolete authorization objects).
Adjust the newly created BW objects
(Info Providers) in Analysis Authorization manually in converted security BW4Hana
support roles.
Once the complete system is
converted to SAP BW/4HANA, you should delete the original roles (they are
inconsistent anyway, since they contain obsolete authorization objects).
All
the SECURITY activities for Remote Conversion have been captured in this
document.
10.
References
SAP
BW4HANA 2.0 Conversion Guide and Experience
https://help.sap.com/doc/999ae5f8c578402dab1fea94fa4599f9/2.0/en-US/SAP_BW4HANA_20_Conversion_Guide.pdf
Please Comment for feedback :)
