The final principle of secure and compliant data provisioning is: only present the reports to correct groups of users.
Again, this seems an obvious principle which many of us in the security space take for granted, but it is a common occurrence for Management Information programmes to focus on the functional split of data and associated reports, without thinking of the authorisation setup in terms of roles and user groups involved.
To overcome this, all reporting requirements should be linked to business processes, in that it should be possible to identify a step in the process for which the report is providing key information and support. With this in mind we can relate the reports to the jobs, for which roles have been created, and ensure that roles are consistently applied across landscape.
If you can achieve a consistent role design between ERP systems and your BI landscape, it is also possible to automate the allocation of authorisations in your BW analysis authorisations, based on the contents of the equivalent ERP roles. This can be achieved through the use of variables in analysis authorisations and by performing an extraction of the authorised values from the ERP roles assigned to the users. These values can then be referenced at runtime of reports to present only data for which the user is authorised in the ERP system.
Your company employs accounts payable clerks to process payments and, to support their business processes, a suite of reports has been developed. These accounts payable users have an AP clerk role for one company code in ERP and an equivalent AP clerk role in BW. You have used variables in the analysis authorisations to provide the company code access, in alignment with that which is allocated in the ERP system and the role provides access to the multiproviders which store the reports for the AP function.
This can be further extended into Business Objects (BO) reporting suite, where roles from the BW system can be imported as user groups and a folder or universe structure created which mirrors the job-aligned roles in the BW and ERP systems. In this way, provision of a role in ERP can logically extended into BW and BO systems to provide consistent, business process aligned access across the landscape and provision the reports which support that job function.
To continue the example above, our AP clerk would then have access to folders or universes in BO which provides the reports and the data which support their job, plus the access in BW to provide commensurate data access with that allocated in ERP.
If you bear in mind these principles in the design of your Management Information systems authorisation concepts, you can make life much easier and provide business focussed reporting, while ensuring compliance with your security objectives for data.
If you have any comments or questions, please feel free to use the comment submission below.