
Authorization for SAP HANA Live for SAP SCM

Access to planning data and master data in the SAP Advanced Planning and Optimization (SAP APO) system is controlled by the APO authorization framework. Users who access the SAP APO planning data and master data through the analytic applications of SAP Supply Chain Info Center must have the same level of authorization as users who work with the data in SCM Server. Users of the analytic applications of SAP Supply Chain Info Center access the planning data and master data replicated from the SAP APO system with SAP HANA studio users. There is no direct relationship between an application user (in SCM Server) and the corresponding user in the SAP HANA studio accessing the analytic applications. Therefore, it is necessary to configure various authorization-relevant settings in the SAP HANA studio to restrict access to the replicated data.

Authorization Settings

Prerequisites

You must ensure that users have the right level of authorization to access planning data replicated from SAP APO, and that it is available in the analytic applications of SAP Supply Chain Info Center. To do so, ensure that the following authorization-relevant settings have been made:

  • To enable access to the analytic user interfaces of SAP Supply Chain Info Center, an administrator has created user accounts in the SAP HANA studio.

  • You have installed and activated the virtual data model views for SAP Supply Chain Management (SAP SCM) in the SAP HANA studio.

  • You have configured data replication between the SCM server and the SAP HANA server. For more information, see the Installation chapters in this guide, as well as the documentation available on SAP Help Portal at http://help.sap.com/hba under Application Help > SAP HANA Live for SAP SCM.

Settings for Planners

Grant authorization to users who only need to access the analytic application, such as a demand planner or supply network planner, as follows:

  1. Create a new role that will be assigned to the planners. This role can be based on the template role sap.hba.apps.apoan.roles::Planner. If the created role is based on this template, step 2 can be skipped.

  2. Assign the following SQL privileges to the created role:

    • SELECT, INSERT, and DELETE privileges for the following table:

      • SAP_HBA.sap.hba.apps.apoan.db::APOAN_SDP_SELECTION

    • SELECT privilege on the following sequences:

      • SAP_HBA.sap.hba.apps.apoan.db::APOAN_UI_SELECTION_ID

      • SAP_HBA.sap.hba.apps.apoan.db::APOAN_SDP_SELECTION_ID

    • SELECT privilege on the following tables:

      • _SYS_BI.BIMC_PROPERTIES

      • _SYS_REPO.ACTIVE_OBJECT

      • _SYS_REPO.INACTIVE_OBJECT

      • SAP_HBA.sap.hba.apps.apoan.db::APOAN_CUSTOM_MEASURES

      • SAP_HBA.sap.hba.apps.apoan.db::APOAN_CUSTOM_MEASURES_TEXT

      • SAP_HBA.sap.hba.apps.apoan.db::APOAN_CUSTOM_MEASURES_PARAMS

    • SELECT privilege on the following runtime objects:

      • _SYS_BIC.sap.hba.apps.apoan.views/SupportedMeasuresMetadata

      • _SYS_BIC.sap.hba.apps.apoan.views/SupportedScenariosMetadata

      • _SYS_BIC.sap.hba.apps.apoan.views/CustomMeasuresMetadata

      • _SYS_BIC.sap.hba.apps.apoan.views/NavigationTargets

      • _SYS_BIC.sap.hba.apps.apoan.views/AttributesMetadata

    • SELECT privilege on the following calculation views:

      • _SYS_BIC.sap.hba.scm-apo/Location

      • _SYS_BIC.sap.hba.scm-apo/Product

  3. Create new analytic privileges for granting full access (empty analytic privilege) to the following calculation views from the package sap.hba.apps.apoan.views:

    • SupportedMeasuresMetadata

    • SupportedScenariosMetadata

    • CustomMeasuresMetadata

    • NavigationTargets

    • AttributesMetadata

    Note

    You can create the analytic privilege in any package. You must then assign the created analytic privileges to the role that is used for the planners.

  4. Assign the SELECT SQL privileges to the created role for the runtime objects that are generated when you activate a replication model. These SELECT privileges must be assigned only to the query views. The SELECT SQL privilege must be granted to all views for a particular replication model; they are in the package sap.hba.apps.apogo.REPLICATIONMODELNAME, where REPLICATIONMODELNAME is the name of the replication model. You must grant SELECT privilege only to the views with the suffix “query”. The runtime objects are in the schema _SYS_BIC. An example of such a runtime object for a Demand Planning replication model is _SYS_BIC.sap.hba.apps.apogo.REPLICATIONMODELNAME/SCICDemandPlanQuery.

    Note

    You must assign the SELECT SQL privilege to all of the following views that the planner would like to use:

    • views that have the suffix “query”

    • views that have been generated for specific replication models

  5. Create new analytic privileges granting either full or limited access to the calculation views that are generated in the system when you activate a new replication model. The views that are authorization-relevant can be found in the package sap.hba.apps.apogo.REPLICATIONMODELNAME, where REPLICATIONMODELNAME is the name of the replication model that you used. You should create analytic privileges for all the views in these packages that end with the suffix “query”. The analytic privilege should define the restrictions. You can also use empty analytic privileges that grant full access to the planning data of these replication models.

    Note

    You can create the analytic privilege in any package. You must then assign the created analytic privileges to the role that is used for the planners. Repeat this step for each replication model that the planner would like to use.

Settings for System Administrators

To grant additional authorization to administrator users so that they can import and activate the generated virtual data model views from the XML files that the system generates, proceed as follows:

  • Assign them to the standard MODELING role or its equivalent.

  • Ensure that administrator users have the following privileges for the package sap.hba.scm-apo:

    • REPO.EDIT_IMPORTED_OBJECTS

    • REPO.ACTIVATE_IMPORTED_OBJECTS

    • REPO.MAINTAIN_IMPORTED_PACKAGES

  • Ensure they are enabled to grant the roles and authorization to the users of the analytic applications of the SAP Supply Chain Info Center.

  • Ensure that the _SYS_REPO user has SELECT, INSERT and UPDATE object privileges for the SAP_SCM schema.

In addition to the authorization that is relevant for planners, you must also do the following:

  1. Create a new role to be assigned to the administrators. This role can be based on the template role sap.hba.apps.apoan.roles::Administrator. If the created role is based on this template, you can skip steps 2, 3 and 4.

  2. Assign the SQL privileges SELECT, INSERT, UPDATE, and DELETE for the following tables to the created role:

    • SAP_HBA.sap.hba.apps.apoan.db::APOAN_CUSTOM_MEASURES

    • SAP_HBA.sap.hba.apps.apoan.db::APOAN_CUSTOM_MEASURES_TEXT

    • SAP_HBA.sap.hba.apps.apoan.db::APOAN_CUSTOM_MEASURES_PARAMS

  3. To the created role, assign the application privilege sap.hba.apps.apoan.WebContent.admin::Execute.

  4. Assign SELECT privilege on the following calculation views:

    • _SYS_BIC.sap.hba.scm-apo/Location

    • _SYS_BIC.sap.hba.scm-apo/Product

Recommendation

SAP recommends that you define the authorizations as SAP HANA roles, which can then be more easily assigned to existing and new users. Such a role can, for example, contain the necessary SQL privileges for accessing the application-specific tables, the metadata views, and for assigning analytic privileges to the metadata calculation views. Additional roles can include analytic privileges assigned to the generated views (see the Process section).

Note

It is possible to use the special analytic privilege _SYS_BI_CP_ALL to grant full access to the metadata views and all generated replication model views (see the Process section).

SAP recommends that you use this special privilege in exceptional cases only, and create separate analytic privileges instead for each calculation view that is relevant for reporting for the particular planner.

For more information, see SAP Help Portal at http://help.sap.com/hana_appliance under Security Information > SAP HANA Security Guide.

Caution

This special analytic privilege will also grant full access to all other activated views with granted SELECT object privileges.
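
A least-privilege check for a planner role against the rules above (the table privileges from step 2 of Settings for Planners, SELECT only on generated views with the suffix “query”, and the caution about _SYS_BI_CP_ALL), as an added Python example that is not SAP's code. The grant tuples, the replication model name DEMANDMODEL and the view SCICDemandPlanBase are constructed for illustration, and the tuple layout is an assumption rather than a SAP HANA export format.

```python
import re

# Constructed sample: privileges held by a hypothetical planner role, as
# (object_type, schema, object_name, privilege) tuples. The layout is an
# assumption for this example, not output copied from a HANA system.
MODEL = "DEMANDMODEL"  # hypothetical replication model name
APOAN = "sap.hba.apps.apoan.db::"
GRANTS = [
    ("TABLE", "SAP_HBA", APOAN + "APOAN_SDP_SELECTION", "SELECT"),
    ("TABLE", "SAP_HBA", APOAN + "APOAN_SDP_SELECTION", "INSERT"),
    ("TABLE", "SAP_HBA", APOAN + "APOAN_SDP_SELECTION", "DELETE"),
    ("TABLE", "SAP_HBA", APOAN + "APOAN_CUSTOM_MEASURES", "UPDATE"),
    ("VIEW", "_SYS_BIC", f"sap.hba.apps.apogo.{MODEL}/SCICDemandPlanQuery", "SELECT"),
    # Constructed non-query view name, used to trigger the suffix rule.
    ("VIEW", "_SYS_BIC", f"sap.hba.apps.apogo.{MODEL}/SCICDemandPlanBase", "SELECT"),
    ("ANALYTICALPRIVILEGE", "", "_SYS_BI_CP_ALL", "EXECUTE"),
]

# Table privileges the page lists for planners; write access to the
# custom-measures tables is listed for administrators only.
PLANNER_TABLE_PRIVS = {
    APOAN + "APOAN_SDP_SELECTION": {"SELECT", "INSERT", "DELETE"},
    APOAN + "APOAN_CUSTOM_MEASURES": {"SELECT"},
    APOAN + "APOAN_CUSTOM_MEASURES_TEXT": {"SELECT"},
    APOAN + "APOAN_CUSTOM_MEASURES_PARAMS": {"SELECT"},
}
# Runtime objects generated for a replication model: <package>/<view name>.
GENERATED = re.compile(r"^sap\.hba\.apps\.apogo\.[^/]+/(?P<view>.+)$")

def audit_planner_role(grants):
    """Return (finding, object_name, privilege) for grants beyond the page's rules."""
    findings = []
    for _obj_type, schema, name, priv in grants:
        if name == "_SYS_BI_CP_ALL":
            # Full access to every activated view the role can SELECT from.
            findings.append(("CP_ALL", name, priv))
        elif schema == "SAP_HBA" and name in PLANNER_TABLE_PRIVS:
            if priv not in PLANNER_TABLE_PRIVS[name]:
                findings.append(("EXCESS_TABLE_PRIV", name, priv))
        elif schema == "_SYS_BIC":
            m = GENERATED.match(name)
            if m and not m.group("view").lower().endswith("query"):
                findings.append(("NON_QUERY_VIEW", name, priv))
    return findings

if __name__ == "__main__":
    for finding in audit_planner_role(GRANTS):
        print(*finding, sep="\t")
```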

Defining Restrictions on Views in the SAP HANA Studio

After the system administrator has activated and replicated a replication model in the SAP APO system and imported the generated views to the SAP HANA studio, the next step is defining restrictions on these views so that the users accessing the data through the analytical applications of SAP Supply Chain Info Center have the right levels of authorization.

Access to the data for users of the analytical applications of SAP Supply Chain Info Center can be restricted as follows:

  • By restricting the range of “planning book”, “data view” and “planning version” combinations that a particular user can see.

  • By defining a restriction for a subset of planning data that a particular user can access through the analytical applications.

Restricting the Range of Planning Book, Data View and Planning Version Combinations

Analytic privileges for the metadata views can be created with restrictions that are defined, for example, on the attributes PlanningBook, DataView and PlanningVersion, or on Product, Location and Customer. Alternatively, one analytic privilege can be created with no restriction, which makes it possible to select all combinations.

Note

This does not mean that the user automatically has access to the underlying data as well.

Restricting for a Subset of Planning Data

To restrict a subset of planning data, the system administrator must define a restriction in the form of analytic privileges of the query views for each generated replication model. For each replication model, the analytic privileges must be defined for the views in the package sap.hba.apps.apogo.REPLICATIONMODELNAME, where REPLICATIONMODELNAME is the name of the replication model. The views for which the analytic privileges are to be defined are the ones with the suffix “query”.