SAP Authentication in CMC
Till now we have created users and group in the CMC and mapped these groups to application and content rights. All data for these users and groups are maintained in the BOBJ CMS. Since a common configuration of BOBJ reporting is to use the BOBJ frontend with a SAP BW Backend, BOBJ also allows us to import backend roles and users to the CMS. The attributes of these users and groups can not be changed in the CMC but they can be assigned to other CMS resources like groups, content and application rights. In fact, a user so imported into the CMC can login into the BOBJ launchpad or CMC with the SAP BW Backend credentials. This set up is known as SAP Authentication and this post will go over the steps that are needed to get this working.
To start with we would need to login to the CMC with an administrator account and then navigate to Authentication section and double click on the SAP entry.
To start configuration for a new backend BW system, we click the new button in the Entitlement System tab where we would need to fill up the details shown below associated with the BW system.
The User name given here is a system user which must exist in the BW system and is used to read the backend user and role details. The user needs authorizations for the objects S_RFC, S_USER_GRP and S_DATASET. Once the full system details are specified we would click the update button.
If the user and application server details are correct BOBJ should be able to coonect to BW and retrieve user and role details. The list of the roles which can be potentially imported will be populated in the “Role Import” tab. Only roles which have been assigned to at least one user are available for import. To import the roles, we would select the ones we need and click the add button to move them to the right window. Finally to import the roles and the users assigned to them, we click the update button.
The imported roles appear in CMC as groups. The name of these user groups take the form “system id”~”client”@”role name in SAP”. Similarly theimported users take the form of “System id”~”client”/”SAP user id”.. So if a sap user BWUSER is assigned to the role Y_BW_Reporting in BW1 system client 200, after import we will have the user BW1~200/BWUSER assigned to the group BW1~200@Y_BW_Reporting
To ensure that new user/role assignments in the backend system are refelected in the BOBJ system we can shedule a job to import the roles and/or users into the CMC. The job scheduling is available from the last tab of the SAP authentication screen.
The same jobs can be manually triggered when required by clicking the update now buttons.
explain the purpose to mark Authorization relevant ” in analysis authorization in BI ?
really informative
Hi Aninda,
Wanted to know if any of the earlier versions of BO supported only 3 authentication : Enterprise , LDAP and AD . Current versions has SAP authentication also . From which version is it introduced ??
Hi Aninda,
Nice article. I have a query. In our project, we are importing users from BW 7.4, as well as from Windows AD (via SSO). Now a user imported from BW doesn’t come with id as “System id”~”client”/”SAP user id”. Instead it only appear as “SAP user id”, and then it has an alias for SAP authentication. Do you know how this is done?
I assume Windows AD authentication has nothing to do with it.
Thanks.