You can use two methods to ensure security for the SAP Query tool: query groups and authorizations. The following sections describe these two methods.

Using Query Groups to Provide Security for the SAP Query Tool

Chapter 2 mentions that a query group (known as a user group in versions of SAP prior to version 4.6) is a collection of SAP users who are grouped together. A user's assignment to a query group determines which queries he or she can execute or maintain. It also designates which InfoSets (that is, data sources) the user can access. Basically, query groups permit users to create, modify, and execute reports in a certain area within SAP R/3.

Using query groups is an easy way to group and segregate report users and reports. You can also use query groups as an avenue for security. For example, if a user is not placed in any query group, he or she cannot create or maintain queries. If you decide a user should not have access to SAP queries (via the Query tool's initial entry screen, which you reach by using transaction code SQ01), you should simply not assign that user to any query groups. A user who is not assigned to any query groups cannot create, execute, or change any queries, because he or she is unable to access the screen to do so by using transaction code SQ01.

SAP Query reports can also be assigned to transaction codes so that users who do not belong to a query group and/or do not have access to transaction code SQ01 can access them.

Using Authorizations to Provide Security for the SAP Query Tool

The specific authorization object for the SAP Query tool is S_QUERY. The security administrator can set the field ACTVT for the authorization object to designate that a user can create, configure, or translate (for multiple language configurations) SAP queries. A security administrator can use the information shown in Table 18.1 to assign authorizations specific to the ACTVT field. These authorizations are valid within both standard and global query areas. (See Chapter 1, "Getting Started with the SAP R/3 Query Reporting Tools," for more information on application areas.)
Authorizations for Creating or Changing Queries (ACTVT = 02)

Users need the ACTVT value set to 02 to create new SAP queries and/or modify existing queries via the main SAP Query tool screen found via transaction code SQ01.

Authorizations for Maintaining Configuration of SAP Query (Query Groups and InfoSets) (ACTVT = 23)

As discussed in Chapters 1 and 2, the process of configuring the SAP Query tool, including the creation of query groups and InfoSets, is very easy to do but should be done only by a trained technical person within the development environment of an SAP solution. A user who will be responsible for this configuration needs to have the ACTVT value set to 23.

If a technical developer will be expanding the use of the logical database to include any custom programs or ABAP, he or she needs to have authorization for maintaining the authorization object S_DEVELOP with the value PROG for field OBJTYPE and the value AQ* for the field OBJNAME. This authorization should be given only to trained ABAP programmers in the development environment. It is the same authorization that a user needs to access the ABAP Editor (via transaction code SE38) to create or change programs whose names begin with AQ. Users who can create and maintain InfoSets without this special designation can only select fields, connect additional tables or structures, and define parameters and selection criteria.

Authorizations for Language Comparison

SAP's language translation capabilities make it possible for end users to customize the text elements (named objects) within their SAP solution for multiple languages. When a user creates an SAP query, he or she begins by inputting a title in the language the user logged in with. As with all other named objects entered by the user, these objects exist in SAP in the user's logon language. A user can then enter the equivalent named object text in another language to accommodate a user who will be logging on to the solution in a different language. Users need the ACTVT value set to 67 to utilize the language comparison utility.

Users who have authorization for the authorization object S_QUERY with both the values 02 and 23 have authorization to access all queries of all query groups without being explicitly entered in each query group.

Helpful Hint

If a query accesses a certain table when it is run, the user needs display authorization for authorization object S_TABU_DIS. The field DICBERCLS must contain the table's authorization groups. This sophisticated authorization object protects SAP tables from unauthorized access. It is important to note that this is the same authorization that you need to be able to display tables using either the Data Browser (transaction SE16) or the initial table maintenance screen (transaction SM31).
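
The rules above can be checked mechanically when reviewing who holds which S_QUERY values. The following Python audit is an added example, not taken from the book or from SAP. The CSV layout, the finding names, and the functions `load`, `has` and `audit` are assumptions made for this illustration, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: user, authorization object, field, value.
# The column layout is an assumption for this example, not an SAP format.
SAMPLE = """user,object,field,value
ALICE,S_QUERY,ACTVT,02
BOB,S_QUERY,ACTVT,02
BOB,S_QUERY,ACTVT,23
CAROL,S_QUERY,ACTVT,*
DAVE,S_QUERY,ACTVT,67
ERIN,S_QUERY,ACTVT,23
ERIN,S_DEVELOP,OBJTYPE,PROG
ERIN,S_DEVELOP,OBJNAME,AQ*
"""

def load(text):
    """Return {user: {(object, field): set(values)}} from the CSV text."""
    auths = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        auths[row["user"]][(row["object"], row["field"])].add(row["value"])
    return auths

def has(values, wanted):
    """True if the granted values include `wanted` or the full wildcard '*'."""
    return wanted in values or "*" in values

def audit(text, query_groups, is_development):
    """Map each user to a sorted list of findings derived from the rules above."""
    findings = {}
    for user, a in load(text).items():
        actvt = a[("S_QUERY", "ACTVT")]
        out = []
        if has(actvt, "02") and has(actvt, "23"):
            out.append("ALL_QUERY_GROUPS")        # 02 + 23 reaches every group's queries
        elif has(actvt, "02") and not query_groups.get(user):
            out.append("02_WITHOUT_QUERY_GROUP")  # no group, so the grant cannot be used
        if has(actvt, "23") and not is_development:
            out.append("CONFIG_OUTSIDE_DEV")      # group/InfoSet maintenance belongs in dev
        # Simplification: fields are matched per user, not per authorization instance.
        if has(a[("S_DEVELOP", "OBJTYPE")], "PROG") and has(a[("S_DEVELOP", "OBJNAME")], "AQ*"):
            out.append("ABAP_IN_INFOSETS")        # may add ABAP to programs named AQ*
        findings[user] = sorted(out)
    return findings

if __name__ == "__main__":
    for user, found in audit(SAMPLE, {"ALICE": ["HR"]}, is_development=False).items():
        print(user, found)
```
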