Managing Authorizations, Data Security and Data Privacy


After completing this lesson, you will be able to:

  • Explain how SAP BW/4HANA supports authorizations, data security and data privacy

Authorizations in SAP BW/4HANA

SAP BW/4HANA usually manages a lot of sensitive data. We need to ensure that we take steps to safeguard the data. This means providing a robust authorization mechanism that controls what developers and business users can and can't do, and which data they are allowed to access.

SAP BW/4HANA provides tools to define authorizations. There are two type of authorization that every SAP BW/4HANA user needs. Tools are provided to create both types.

We need to ensure users do not perform activities that they are not authorized to, for example, deleting data, executing data loads or creating or executing queries.

Clearly, we need to protect these activities so we assign the authorizations to the relevant users in the team.

An Authorization Object consists of fields where the authorized settings are specified. SAP provides many Authorization Objects to secure common activities across SAP BW/4HANA.

Here is an example of the Authorization Object : S_RS_COMP which is used to provide authorizations for working with BW Queries:

Notice how we define the allowed action such as create, execute etc. For a business user to execute a query, they simply need the Execute (16) authorization, they do not need Display (03) unless you would like them to be able to open the query definition to view the settings.

Notice we then specify the type of objects the action applies to, for example REP is the code for a BW Query. There is a code for every type of object in SAP BW/4HANA. Finally, you see the value of the object, in this case the * means any query. But notice that the InfoProvider P_V_SO_1 is specified which means any query can be displayed or executed as long as it was built on the specified InfoProvider.

So that is the authorization of a task taken care of. We now come to the Analysis Authorization setup. This is all about data access.

To set up an Analysis Authorization we need to perform three steps:

Not all data in SAP BW/4HANA is relevant for authorization. For example, color or weight of product. In this case you would not enable the setting for Authorization Relevance. Once you enable this setting, each user must have an Analysis Authorization assigned to their user profile to grant access to the data of the object.

So, with the combination of the two types of authorization we have seen how our user could now execute any query (as long as it is based on the CompositeProvider P_V_SO_1) and display the data only for company code 1000, 2000, 2200 and 3000.

Data Security and Privacy


The General Data Protection Regulation (GDPR), is a regulation of the European Union on data protection and privacy in EU member countries and the European Economic Area (EEA). It addresses the management and transfer of personal data. GDPR's primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment especially for business. It often requires that personal information has to be deleted at the end of its business purpose or if an individual has requested erasure ("right to be forgotten").

GDPR can have a crucial impact on SAP systems, as those systems often manage processes with reference to personal data and GDPR regulates how long this personal data must be maintained, when it needs to be deleted and in what manner it can be kept in a depersonalized way.

In technical terms this means, whenever personal data is deleted in a source system of SAP BW/4HANA, it is an obvious expectation to handle the replicated data in SAP BW/4HANA accordingly in order to comply with legal requirements; as a consequence, the personal data in SAP BW/4HANA needs to be deleted or depersonalized (anonymized) as well.

GDPR Adoption in SAP ERP Systems based on SAP ILM

SAP ERP systems are typical examples of source systems that replicate data to SAP BW/4HANA. The recommended approach for GDPR adoption in these systems is based on SAP Information Life-cycle Management (ILM). This component is a powerful and integrated solution able to orchestrate archiving and deletion processes for sensible data. It provides a broad range of advanced capabilities, including blocking and deletion, residence and retention management, consolidation of legacy data, and more – some of which are relevant to regulatory demands.

During the typical SAP data life-cycle from data creation to data destruction, the data is first active in the database. When it turns inactive it qualifies for archiving once the data surpasses the resident time and the archived data qualifies for destruction at the end of a retention period. With the GDPR compliance requirement, it is mandatory to comply with the critical requirement of deletion of data that is no longer required for the given business purpose. This mandates an additional control in the system that would allow defining a status "End-of-Purpose". SAP ILM with enhanced feature addresses this requirement and it blocks and deletes the data that are no longer required in the system and has reached this "End-of-Purpose" status.

Having successfully configured SAP ILM for a given data object, a Notification for each SAP BW/4HANA Characteristic value which has been deleted will be triggered. Those notifications are collected and persisted centrally and can be extracted based on the technical content of the SAP BW/4HANA Data Protection Workbench.

SAP BW/4HANA Data Protection Workbench

Data that is deleted in the SAP ERP systems at the end of the usage purpose when the retention period expires, must also be deleted or anonymized in the connected SAP BW/4HANA environment. For this reason, SAP BW/4HANA has been integrated with SAP ILM of the connected SAP ERP systems. This means, whenever sensible bits of data are deleted in SAP sources, SAP BW/4HANA can trigger corresponding follow-up activities to mirror this adjustment.

In SAP BW/4HANA, there is a component called Data Protection Workbench providing such capabilities. This workbench is an integrated solution for selective deletion of transactional data, deletion of master data, and creating anonymized of personal data which was originally replicated data from supported connected SAP source systems.

The SAP BW/4HANA Data Protection Workbench has a modern UI which is part of the SAP BW/4HANA Cockpit and grouped under the term "Data Protection and Privacy".

Log in to track your progress & complete quizzes