QuickViewer Security Considerations
An important security distinction that applies to the QuickViewer does not apply to the InfoSet (Ad Hoc) Query tool or the SAP Query tool: the dynamic declaration of the data source.
If you think about the recommended strategies for deploying and configuring the data source with the SAP Query tool and the InfoSet (Ad Hoc) Query tool, you will recall that the configuration of the data source happens only in the development environment. A technical professional trained in your development environment must configure the InfoSet (data source) for reporting with the InfoSet (Ad Hoc) Query tool and the SAP Query tool. Furthermore, when creating InfoSets (data sources) with those tools, you should use logical databases to provide security. When a logical database is used within a data source and a user writes a query-based report by using that data source, the SAP solution is smart enough to determine who the user is and what the user has access to; it then restricts the user's reporting results accordingly.
A QuickView's data source is declared when the QuickView is built. So, for example, you can say you want to create a QuickView that uses a table. Doing so ensures that every field and every record in the table is available to you. This raises a security concern, however. With the ability to directly read tables, you can bypass traditional security concepts and have access to all data.
Let's look at a real-world example from the Human Capital Management (HCM) module. In the HCM module, users commonly have access to different things. One level of access can be based on location. For example, some users would have access to all associates in New York, and others would have access to associates in California. When any SAP Query report is created that uses a logical database within its data source, the security settings specify which users can see which locations. For example, if Jim had access only to New York, his executed report would contain only New York associates, and if Dan had access only to California associates, upon execution of the same report, Dan would see only the California associates.
If a user created a QuickView by using the QuickViewer tool and specified the employee table directly (rather than the logical database that includes it), the user would see all associates (from New York, California, North Carolina, and so on) in his or her report output, bypassing security.
It is a best practice to choose one reporting solution and use it exclusively. Considering the security limitations of the QuickViewer, best practice dictates that it should not be the tool of choice.
Things to Remember
Chapter 21. SAP Reporting with Microsoft Excel
In this chapter
This chapter describes how to maximize the use of the Microsoft Excel application in query reporting. This chapter is designed for those who are currently using some form of reporting that they wish to transmit and share with Microsoft Excel for further charting or pivot table analysis. You can use this chapter even if you do not create any SAP reports but can execute reports in SAP and have access to Microsoft Excel.