QuickViewer Security Considerations


One important security distinction applies to the QuickViewer but not to the InfoSet (Ad Hoc) Query tool or the SAP Query tool: the data source is declared dynamically.

If you think about the recommended strategies for deploying and configuring the data source with the SAP Query tool and the InfoSet (Ad Hoc) Query tool, you will recall that the configuration of the data source happens only in the development environment. A technical professional trained in your development environment must configure the InfoSet (data source) for reporting with the InfoSet (Ad Hoc) Query tool and the SAP Query tool. Furthermore, when creating InfoSets (data sources) with those tools, you should use logical databases to provide security. When a logical database is used within a data source and a user writes a query-based report by using that data source, the SAP solution is smart enough to determine who the user is and what the user has access to; it then restricts the user's reporting results accordingly.

A QuickView's data source is declared when the QuickView is built. So, for example, you can say you want to create a QuickView that uses a table. Doing so makes every field and every record in the table available to you. This raises a security concern, however: by reading tables directly, you can bypass the traditional security concepts described above and have access to all data.

Let's look at a real-world example from the Human Capital Management (HCM) module. In the HCM module, different users commonly have access to different data. One level of access can be based on location. For example, some users would have access to all associates in New York, and others would have access to associates in California. When any SAP Query report is created that uses a logical database within its data source, the security settings specify which users can see which locations. For example, if Jim had access only to New York, his executed report would contain only New York associates, and if Dan had access only to California associates, then on executing the same report Dan would see only the California associates.

If a user created a QuickView by using the QuickViewer tool and specified the employee table directly (rather than the logical database that includes it), the user would see all associates (from New York, California, North Carolina, and so on) in his or her report output, bypassing security.

It is a best practice to choose one reporting solution and use it exclusively. Considering the security limitations of the QuickViewer, best practice dictates that it should not be the tool of choice.




SAP Query Reporting
ISBN: 0672329026
EAN: 2147483647
Year: 2006
Pages: 161
