You can create SAP BPC security in a few simple steps. Based on my recent experience, I will show you how to expedite the security setup by using teams to assign security rather than giving individual security objects to each user. I'll also offer tips about what to watch out for as you follow the process. Although these processes were developed in SAP BPC 5.1, they apply to newer releases as well. You should be able to complete this setup quickly, in two days or fewer.

SAP BPC Security Console

Log on to the SAP BPC system. This takes you to the Admin Console Tasks. Click Manage Security. A dialog box appears in which you select an AppSet. Click the drop-down menu and select ApShellTest2. You are now logged on to SAP BPC and can see the Security console (Figure 1).

Figure 1

SAP BPC Security console

The SAP BPC Security console consists of the following:

• Users: Create users from the active directory
• Teams: Assign various users with security access to teams
• Task Profiles: Outline which type of activity users perform in SAP BPC
• Member Access Profiles: Define which dimensions you want to protect to secure data

The Four-Step Process

To create security I undertook the following steps:

Step 1: Create users

Step 2: Create task profiles

Step 3: Create the member access profile

Step 4: Create teams, assign tasks and access, and then assign users to teams

Step 1. Create users within the SAP BPC system based on Windows Active Directory. You can only create users in SAP BPC if they already have a Windows user ID.

Click the Users folder in Figure 1. From the menu on the right side of the screen, click Add new user. In the next screen that appears, select a domain and user (Figure 2). Click the Next button to finish creating the user in SAP BPC.

Figure 2

Select the domain name and user to create the user in SAP BPC

• Administration team: Responsible for managing and developing the SAP BPC system
• Support team: Responsible for the first level of support for BPC users. These users should only be able to undertake reporting — they cannot undertake any admin-based activities.
• End users: Responsible for executing reports and using input schedules to send data to SAP BPC. They cannot undertake any admin-based activities.

First, let me show you how I set up task profiles for the administrators. I used the standard SAP BPC task profiles PrimaryAdmin and SystemAdmin, which provide default security to administer the SAP BPC system.

In Figure 1, click Task Profiles, and then click Add new task profile from the menu on the right side of the screen. In the screen that appears enter a Profile name and Profile description (Figure 3). Click the Next button to assign tasks to the profile.

Figure 3

Define the new task profile

In the next screen, click View tasks by interface to review the tasks that are available (Figure 4). Select tasks from the left and click the arrow icon to move them to the Selected interface tasks. In my example, with the task profile AnalysisCollection, a user can manage a template and submit data via the input template.

Figure 4

Add tasks to task profile

After you select the tasks, click the Next button to finish creating the task profile. You assign the task profiles to the relevant teams in a later step.

In the next screen, click the Planning Application tab and then click the application for which you want to define access (Figure 5). In my example, I want two profiles: one for users who can access salary data and one for users who cannot.

Figure 5

Assign dimensions to profiles

Regardless of the data you want to restrict within a dimension, you need to ensure that you first create the dimension with full open access. Then you can restrict data within the dimension, taking away access that's not required.

To do this, first indicate what kind of access is required, such as Read Only, Read & Write, or Denied. Then enter the dimension, such as Account or Category. Finally, enter the values for the dimension in the Member column. In my example, I first gave full access to the Account dimension and then I took away access to all accounts that contain salary data. Click the Next button to finish creating member access profiles.

Step 4. Create teams, assign tasks and access, and then assign users to the teams. In my example, I brought together users, task profiles, and member access profiles in one location via teams. This step allows you to complete the security setup more quickly and it is much easier to manage.

Click Teams from the SAP BPC menu in Figure 1. Then click Add New Team from the SAP BPC menu on the right side of the screen. Provide a team name and description (Figure 6). In my example, I created an admin team and a config team to manage the SAP BPC configuration activities. I also created a revenue team that consists of users who can only access revenue staff plans and cannot access salary data. Finally I created a staff plan team with access to salary data only and a support team that can only execute reports (no access to salary data). When you finish setting up teams, click the Next button.

Figure 6

Define the team

In the next screen you assign the users you created in step 1 to teams. Select the users from the Available column on the left to add them to the Selected column on the right to add them to a given team. When you are finished, click the Next button. Then assign the tasks and access to the teams by enabling the relevant member access profiles (Figure 7). Click the Next button to finish the process.

Figure 7

Select the profiles for the team

Security Reports

SAP BPC offers a variety of pre-designed security reports. They are presented by user, team, member access profile, and task profile. You can use these reports to understand the security configuration within SAP BPC or you can use these reports to present to your audit department. These reports are available without any configuration and data in these reports is available when you complete the user security setup. To access the reports, log on to SAP BPC and click Security Reports.

User report: Select the user report to view data on each user added to SAP BPC and to which team they belong (Figure 8). In my example, the Task Profile and Member Access Profile columns are empty because this configuration is undertaken at a team level rather than an individual user level.

Figure 8

Security report by user ID

Team report: Select the team report to view the relevant team information and which task profile and member access profile is associated with this team (Figure 9). Note that this report does not show any users — look at the user report for this information.

Figure 9

Security report by team profile

Member access profile report: This report provides the member access configuration details (Figure 10).

Figure 10

Security report by member access profile

Task profile report: This report provides information about what each task can accomplish (Figure 11).

Figure 11

Security report by task profile

Uday Gupta

Uday Gupta has more than eight years of experience with SAP, including SAP NetWeaver BW, SAP BusinessObjects Planning and Consolidation, SAP R/3, and system analysis. He is also knowledgeable in software design and implementation methodologies, including SAP’s ASAP methodology. He has completed more than eight full life cycle SAP R/3, SAP NetWeaver BW, and SAP BusinessObjects Planning and Consolidation implementations. He has worked with PricewaterhouseCoopers and IBM in North America and Australia. Uday has worked in various industry sectors including media, pharmaceutical, consumer packaged goods, high tech, utilities, public sector, banking, telecommunications, and advertising. He is currently working with one of the largest retail organizations as a business intelligence lead responsible for the SAP NetWeaver BW system.

You may contact the author at editor@BI-expertOnline.com.

If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.