Security in SAP BPC

Security

You can access all the views related to the security topics under the “Security” domain in the left side panel of the Administration workspace.

Users

Teams

Task Profiles

Data Access Profiles (Member Access Profiles in .)

From a functional perspective, the main changes in the security configuration are related to the new user experience which enables to improve the way to manage users, teams, and profiles and also allows mass maintenance.

Inclined to build a profession as SAP BPC Developer? Then here is the blog post on, explore "SAP BPC Training"

From a technical perspective, BPC security is roughly mapped to the SAP NetWeaver user management capabilities.

List of all the users assigned to the environment.

From this list, you can add or remove some users (multiple deletions are allowed).

You can also edit a user. Multiple editions of users are allowed to enable to modification of several users simultaneously (mass maintenance).

You can see in this list the IDs of the users, their last and first names, and also their email address.

These properties are those from the NW users and cannot be changed in BPC.

User Management

From ., the NW version is directly using NW user to logon BPC application from the web client or excel client. Windows AD users or CMS users are no longer supported. In ., a user can either use windows AD user/password or CMS user/password on BPC logon screen, in BPC .,

NW users should be used instead. For upgrade cust windows AD user or CMS user) should be migrated, and all task profiles and data access profiles assigned to windows AD users (or CMS users) will be assigned to NW users instead after migration. To migrate user/security, a customer should create each windows AD user or CMS user an NW user, and create a: mapping between windows AD user (or CMS user) and NW user to enable migration.

For customers still using CMS, the CMS side did some development for BPC. NW where customers can customize for each CMS user an NW user with which CMS user could directly login to BPC application.

There are two roles parts to be assigned to a BPC business user in BW end Statically assigned roles(/POA/BUI_FLEX_CLIENT and /POA/BUI_UM_USER) when each user is created in NW, both roles are required by BUI la Dynamic assigned roles when the user is added to any environment or user is assigned with any BPC security task from the admin console.

Please note that both parts of roles are all backend NW roles, which should be transparent to BPC business users. BPC business users only have task profiles and data access profiles.

The Task profile is really using NW authorization objects. While the detail of data access profiles is really stored in BPC specific tables; same as what was done in.

If multiple users, you cannot manage this setting.

But, as for the teams, you can distinguish in this tab the teams to which all the edited users are assigned („All users‟ v From this tab, you can also use the “Ass edited users to a team.

In the “Task Profiles”single-user tab, you can see the case task of profiles assigned to this user

Directly

But also through the teams, he/she is assigned to Inherited”

In the case of multiple users, you do not have this information on inherited task profiles. In the same principle, in this case, you can see the list of all the task profiles assigned to one user in the selection at least, and distinguish those that are assigned to all the edited users.

“Assign to all” in this tab enables also users.

You can of course add task profiles to assign them to all the selected users.

Team Management  

Here is the list of all the teams of the environment.

From this list, you can create or delete a team (multiple deletions are allowed). You can also edit multiple teams simultaneously (mass maintenance).

In addition to the ID and the description of the teams, you see how many users are assigned to each of them as well as the number of task profiles and data accesses profiles.

You can edit and change multiple teams simultaneously.

Only the common changes made during the edition will be applied to the set of teams (For example, all things that have not been changed in each team is kept).

In the “Users” tab, a list of all you users assigned can see to the selection of teams. You can add a new user that will, therefore, be assigned to all edited teams. See the value„All teams‟  in the   “Assign, In the same way, you can assign a set of task profile to the selection of teams.

Same principle as in the” Users” column tab. 

If a task profile is assigned to all the edited teams è „All teams‟ value

If a task profile is not assigned to all the edited teams è „Some teams on value.

In this case, “Assign to all” function edited teams.

Here is the list of all the task profiles created in the environment.

Exactly the same behavior as in the “Users” and “ in the “Data access. Profiles”

Click the  “Add”  button profile.  to  create a  new  team

This command opens a wizard that enables to create a team through distinct steps.

In the first step, you must specify an ID and you can also add a description (optional).

You can also select a node in the list to add all its tasks simultaneously to the selection. Multiple selections are also allowed for the nodes.

Data Access Profile Management

This command directly opens the data access profile editor.

You can set all the settings and configure the data access for all models on this page.

You must enter an ID and can add a description (optional).

In the left pane, are listed all the models of the environment, and, for each of them, you can see the current status of its access rights.

“None” means that access right can be sp dimensions are secured, but none has been defined or completed yet.

“Restricted access” means that some access the model.

“Full (Unsecured Model) means that there are no secured dimensions in this model. Therefore, unable to specify any access rights for this model.

If no hierarchy exists it is a flat list.