I recently created a short demo with voice-over showing the security limitations of SAP's SE16/SE16n (Table Browser) or SQVI (Quick Viewer) tools and how our querySHUTTLE product can overcome these limitations.
You can watch this querySHUTTLE security demo here.
This blog gives a little more insight into the security aspects of SE16/SQVI and querySHUTTLE.
The standard SAP security model allows SAP administrators to set up security at an organization level; for example, an accounting person in SAP company code US07 should be able to view, create, or edit only the documents that are relevant to company code US07. In SAP, this is handled through a variety of authorization objects, such as F_BKPF_BUK for company codes or M_MATE_WRK for plants. An example authorization profile for a user with access only to plant 3000 in SAP is shown in the screenshot below:

If this same user, however, had access to view the material master table via SE16/SE16n or SQVI, this organization-level authorization restriction is not respected. These tools only look at the user's access to a table, and if a user has access to that table, he/she can see every record of that table, even if the standard SAP security profile does not allow them to.
This is one area where querySHUTTLE really shines: it not only looks at the user's table-level access but also looks at the user's organization-level access and filters query results to show only records that the user has access to. querySHUTTLE ships with a customizable list of authorization objects and the tables for which these authorization objects need to be checked, as shown below:

So, for example, if a querySHUTTLE user tries to query the MARC table, querySHUTTLE automatically checks the user's M_MATE_WRK authorization profile and, based on the values in the WERKS (Plant) field of that table, filters out the data for plants that the user does not have access to.
The list of these authorization objects and tables is fully customizable in querySHUTTLE, and values can be added or removed as needed.
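The row-level check described above can be sketched in plain ABAP. This is an added illustration, not querySHUTTLE's own code: the report name and variable names are hypothetical, and it assumes the candidate plants are taken from the standard plant table T001W and that display access corresponds to activity 03.

```abap
REPORT z_marc_by_plant_auth.

DATA: lt_plants TYPE STANDARD TABLE OF t001w-werks,
      lv_werks  TYPE t001w-werks,
      lr_werks  TYPE RANGE OF marc-werks,
      ls_werks  LIKE LINE OF lr_werks,
      lt_marc   TYPE STANDARD TABLE OF marc,
      ls_marc   TYPE marc.

" Candidate plants: every plant defined in the system (table T001W).
SELECT werks FROM t001w INTO TABLE lt_plants.

" Keep only the plants the current user may display (ACTVT 03)
" according to authorization object M_MATE_WRK.
LOOP AT lt_plants INTO lv_werks.
  AUTHORITY-CHECK OBJECT 'M_MATE_WRK'
    ID 'ACTVT' FIELD '03'
    ID 'WERKS' FIELD lv_werks.
  IF sy-subrc = 0.
    ls_werks-sign   = 'I'.
    ls_werks-option = 'EQ'.
    ls_werks-low    = lv_werks.
    APPEND ls_werks TO lr_werks.
  ENDIF.
ENDLOOP.

" An empty range in WHERE ... IN matches every row, so stop here
" when the user is authorized for no plant at all.
IF lr_werks IS INITIAL.
  MESSAGE 'No plant authorization for M_MATE_WRK' TYPE 'S' DISPLAY LIKE 'E'.
  RETURN.
ENDIF.

" Row-level filter: only MARC records for authorized plants are read.
SELECT * FROM marc UP TO 100 ROWS INTO TABLE lt_marc
  WHERE werks IN lr_werks.

LOOP AT lt_marc INTO ls_marc.
  WRITE: / ls_marc-matnr, ls_marc-werks.
ENDLOOP.
```

For the user from the earlier profile, who is authorized only for plant 3000, the range holds a single entry and the SELECT returns only MARC rows with WERKS = 3000.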
Questions? Comments? Please feel free to let me know what you think.
Posted 06-26-2009 1:25 PM by Vikram Chalana