SAP BI Blog is a community network sponsored by Decision First Technologies. The purpose of this blog site is to provide an unbiased source of information regarding SAP BusinessObjects and everything Business Intelligence.
With the evolution of SAP HANA, Business Warehouse (BW) has undergone significant transformation. The addition of SAP HANA as the database layer enables better integration, vastly improved performance and better business outcomes.
Companies that implemented BW before HANA and haven’t upgraded may experience challenges such as additional persistent layers, complex reconciliation issues, longer nightly batch data management, and lack of real-time data due to inflexible data loads in their BW system. Other companies may be considering an updated SAP HANA BW solution to harness the power of their data, increase innovation and decrease data management costs, among other benefits.
It may be time to rethink your BW strategy and move to a different offering that provides more of the technology capabilities you need.
Why SAP HANA?
SAP’s HANA software is designed to make the most of today’s hardware capabilities. It provides modeling abilities and other functionality that Oracle and SQL Server don’t offer, as well as tight integration with applications such as SLT and PI that pull information from the SAP system to transform it into a usable business format. It has a built-in web application server, data extraction engine, data federation engine, statistical engine, semantic layer and more.
But HANA’s biggest advantage is its speed and agility. HANA uses an in-memory and column-oriented database that provides faster data access, which enables more efficient querying and processing for better performance and analytics capabilities.
Which HANA Option is Right for Your Organization?
Choosing the right HANA solution requires an understanding of the capabilities of each offering and what it can do for your organization.
SAP BW on HANA
SAP BW on HANA is targeted to BW clients who installed BW prior to 2010, have a large number of data assets on BW, and can’t take BW out of their business landscape. It allows BW customers to migrate their legacy database platforms to HANA’s new architecture, leveraging the raw processing power and speed of the in-memory analytic platform without disrupting existing content or requiring costly redevelopment. BW on HANA eases the user into using some of HANA’s functionality, and uses HANA-specific operations to speed things up even more. However, while BW on HANA is fast, provides real-time data, and is more flexible, it is not fully integrated with HANA at the application level and doesn’t fully realize the benefits of the cutting-edge platform.
SAP BW/4HANA, released in mid-2016, is significantly different from BW on HANA. BW/4HANA is completely optimized for the HANA system, and combines the capabilities of SAP BW on HANA and SAP HANA Enterprise. It lets you benefit from HANA technology even before you’re able to migrate your data.
SAP BW/4HANA allows you to model data coming from SAP using a streamlined BW methodology and combine it with third-party data in either the BW/4 layer or native HANA. It then exposes the data, using a variety of methods, to BusinessObjects or any of the business reporting solutions you might have. BW/4HANA also drastically reduces the quantity of data objects, requiring less maintenance and storage. All future innovations will happen in SAP BW/4HANA.
Comparing BW on HANA and BW/4HANA
SAP BW on HANA and SAP BW/4HANA are different application suites running on the same database. BW on HANA uses SAP’s legacy BW software, but moves it to the HANA database, while BW/4HANA uses a reengineered software suite designed to fully harness the power of the HANA database. Because BW/4HANA is completely optimized for HANA, it brings a much faster response than BW on HANA, which still has older, slower functionality.
Both applications let you pull data from other systems, but BW on HANA has fewer options available for data ingestion than BW/4HANA.
BW on HANA provides accelerated analytics and real-time reporting without requiring companies to commit to a complete system transformation. BW/4HANA provides a range of additional benefits on top of those performance improvements.
Can you use BW on HANA and BW/4HANA together?
If you aren’t able to take BW out of your business landscape for any number of reasons, you can use BW on HANA and BW/4HANA in combination. However, we recommend you implement SAP HANA Enterprise instead, as the new technology will let you do things faster and more efficiently.
SAP HANA Enterprise
SAP HANA Enterprise runs completely on HANA, pulling raw data tables from SAP into HANA. It’s a strong solution for companies that need to combine data from SAP and non-SAP systems. Because it’s implemented as a sidecar engagement, it offers the advantage of being able to continue using your existing system while using HANA as a secondary database.
HANA Enterprise uses traditional, or native, HANA modeling, which incorporates calculation views, but it also provides Core Data Services (CDS). We recommend users continue with calculation views for all but a few specific, non-traditional events, such as operational reporting in your existing S4/HANA processing system, as calculation views offer easier modeling and are better supported by the HANA promotion system. If you are looking to develop more complex data models that combine data from multiple sources or tables, including non-SAP data, we recommend you use HANA models on BW/4HANA or HANA Enterprise.
There are other issues to keep in mind as you’re deciding which HANA system is best for your company. Is your in-house experience deeper in BW or in SQL knowledge? You can leverage your existing resources most effectively if you take advantage of existing capabilities. If your organization is a full SAP shop, then BW/4HANA may be the most attractive choice. But if you are integrating several different software applications, then HANA Enterprise could be a better choice due to its extensive integration options. Third-party technology and heavy integration can make an important difference in your selection.
Also, understand the impact of the technology on your organization. If you’ve wanted to get into HANA or expand your workforce’s skills into HANA, this is a perfect opportunity to move away from BW and train your workforce to meet future demand.
The core question is whether you go down the pure BW path or the SAP HANA path. Assessing the best use and most effective implementation of SAP HANA based on your company’s unique needs is the most important consideration. As an SAP Gold partner with noteworthy SAP HANA expertise including data provisioning, Protiviti has the experience to help you choose and deploy the best solution to meet your specific needs and gain value from your SAP investment.
This is the first in a series of blogs about security in the SAP BI Platform.
The SAP BI Platform comes with a set of five default access levels:
View on Demand
Full Control (owner)
However, there are many situations where these either give too much access or not enough for a given situation. While it is possible to use an access level to assign security and then to add “advanced rights” on top of it, best practice is to create custom access levels to use when assigning security.
When designing custom access levels, it’s important to understand the different types of access rights that are available and how individual rights work.
Types of Access Rights
There are four major types of access rights:
General rights apply to most or all of the objects in the BI Platform, although there are a couple, like “Change Preferences” or “Change user password”, that are fairly limited in their scope. Probably the most used of the General rights is “View object,” because it applies to every object in the system.
Content rights apply to folders and various types of reports and other documents. Many of these rights are the same as the General rights, but they apply only to one type of object and can override the General rights. These rights basically answer the question, “What can I see and work with?”
Application rights apply to the various applications within the BI Platform. These include things like Web Intelligence, BI Launchpad, the IDT, etc. These rights are specific to the application they apply to and answer the question, “What can I do?”
System rights come in two general types:
Data Access rights apply to various types of data connections and the ability to use universes to access data. They answer the question, “What data can I use?”
All other system rights apply to various system level objects like access levels, servers, profiles, etc.
Each access right might have two versions – a “full” version that applies the right for every object to which it is applied and a “that the user owns” or “owner” version that applies the right only to objects which the user owns. If both the full version and the user owns/owner version are granted within a single access level, the user owns/owner version is redundant and doesn’t do anything because the full version of the right already includes access to the objects the user owns.
When adding rights to an access level, there are several columns on the screen:
The first column is the name of the right
The green circle with a checkmark means “Granted”
The red circle with an “x” means “Denied”
The yellow triangle with a “?” means “Not Assigned”
The single page means “Apply to this object”
The two linked pages means “Apply to sub-objects”
Granted, Denied and Not Assigned are mutually exclusive for a right. Apply to this object and Apply to sub-objects can be used singly or as a pair.
Denied, Granted, and Not Assigned
When a right is set to Denied, it will almost always override any other access.
When a right is set to Granted, it will be granted unless it is combined with something where the access is denied.
When a right is set to Not Assigned, it will be effectively denied unless it is combined with something where the access is granted and not denied.
For example, if the View Object right is assigned as shown in the table below:
If a user is a member of Group X and Y, the user will be able to see both folders.
If a user is a member of just Group Y, the user will only be able to see Folder A because access to Folder B has not been assigned.
If a user is a member of Group X and Z, the user will be able to see only Folder A because access to Folder B has been denied through membership in Group Z.
Another example occurred several years ago when a user posted a question to the SAP Community saying that he had set an advanced right to deny the Everyone user group access to view a specific folder, not understanding that the Administrator account is also a member of the Everyone group. The folder disappeared, but he couldn’t add a new folder with the same name because the folder was still in the system, even though no one could view it.
It is very important to remember that Denied will override Granted. Use denied very sparingly and with forethought to the consequences.
This Object vs. Sub-Objects
The last two columns specify how the right is applied. “Apply to this object” means that the right assignment only applies to the object where it was assigned. “Apply to sub-objects” means that the right assignment applies to the sub-objects of the object where it was assigned – such as the reports in a folder.
One example of how this can be used is with an access level we commonly configure with our clients. The level is usually called “This Level Only”. The only right it contains is the General View Object right, which is granted and only “Apply to this object” is checked. We use this access level to give the Everyone user group access to view the top level of Public Folders. This means that everyone can access the Public Folders root folder, but not any of the sub-folders. From here, user groups are granted access to specific folders inside the Public Folders. If the Everyone user group were given access to view the top-level folder and its sub-folders, the system administrator would have to remember to set the group to “No Access” on every sub-folder where access is restricted. It is much easier and makes more sense to grant access to specific folders instead of first removing access and then granting it to specific groups when a new folder is added to the system. This access level can be used in other places as well.
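The combination rules from the Group X/Y/Z example and the “This Level Only” scope, as an added example that is not part of the original post and does not use any SAP API. It is a simplified model: any Denied that reaches an object wins (the exceptions behind “almost always” are not modeled), and the folder tree and assignments are constructed to be consistent with the outcomes described above.

```python
from enum import Enum

class State(Enum):
    GRANTED = "Granted"
    DENIED = "Denied"
    NOT_ASSIGNED = "Not Assigned"

# Constructed folder tree (child -> parent); names are illustrative.
PARENT = {
    "Public Folders": None,
    "Folder A": "Public Folders",
    "Folder B": "Public Folders",
    "Report B1": "Folder B",
}

# (group, object) -> (state, apply_to_this_object, apply_to_sub_objects)
# Constructed to match the Group X/Y/Z outcomes and the "This Level Only" level.
ASSIGNMENTS = {
    ("Everyone", "Public Folders"): (State.GRANTED, True, False),
    ("Group X", "Folder A"): (State.GRANTED, True, True),
    ("Group X", "Folder B"): (State.GRANTED, True, True),
    ("Group Y", "Folder A"): (State.GRANTED, True, True),
    ("Group Z", "Folder B"): (State.DENIED, True, True),
}

def reaching_states(group, obj, assignments=ASSIGNMENTS):
    """States one group's assignments contribute to obj, directly or inherited."""
    found, node, direct = [], obj, True
    while node is not None:
        entry = assignments.get((group, node))
        if entry is not None:
            state, this_object, sub_objects = entry
            # Direct assignments need "this object"; inherited ones need "sub-objects".
            applies = this_object if direct else sub_objects
            if applies:
                found.append(state)
        node, direct = PARENT[node], False
    return found

def effective_view(groups, obj, assignments=ASSIGNMENTS):
    """Combine all memberships: Denied wins, then Granted, else Not Assigned."""
    states = [s for g in groups for s in reaching_states(g, obj, assignments)]
    if State.DENIED in states:
        return State.DENIED
    if State.GRANTED in states:
        return State.GRANTED
    return State.NOT_ASSIGNED  # effectively no access

def explicit_denies(assignments=ASSIGNMENTS):
    """List explicit Denied assignments so each one can be reviewed."""
    return sorted(k for k, v in assignments.items() if v[0] is State.DENIED)

if __name__ == "__main__":
    for groups in (["Group X", "Group Y"], ["Group Y"], ["Group X", "Group Z"]):
        for folder in ("Folder A", "Folder B"):
            print(groups, folder, effective_view(groups, folder).value)
    print("Explicit denies to review:", explicit_denies())
```

Passing a copy of the assignments with a Denied entry for Everyone on a folder reproduces the lockout described earlier: every account that is a member of Everyone loses the folder, whatever else it has been granted.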
There are several best practices around the configuration and use of access rights and Custom Access Levels.
Avoid explicitly denying an access right because it can have unintended consequences. Instead, use “Not Assigned” to effectively deny access.
Create access levels that contain only one type of rights plus applicable General rights. This means having separate access levels for Content, Application, and System rights.
All access levels should have the General View Object right granted because users have to be able to view an object (connection, universe, application, folder, etc.) in order to be able to use it.
Create two “Data” access levels. One that provides permissions for various connection types and universes so that the user can view/refresh reports and another that provides the additional rights to create queries so that users can create reports. These access levels will be used to assign access to connections and universes only.
Have a separate access level for each Application. For Webi, there might be two access levels – one that will allow users to view and refresh reports in the Webi application and another that will contain all of the view and refresh rights along with additional rights to create and modify reports. There might be a third Webi access level that will provide users access to view, refresh, and work with filters or alerts in a report.
For Content access levels, use the General rights when possible and avoid overriding the general rights that are available within each Content type’s rights.
When assigning most types of access, use a custom access level instead of using “Advanced” security. Custom access levels are reusable and make it easier to understand what type of access is being granted.
With careful planning and awareness of how access rights work, it is possible to configure SAP BI Platform security in a way that is easy to understand and to maintain.
The next blog post in this series will discuss User Group configuration and assignment.
About the Author
Dell Stinnett-Christy is a Senior Manager in Technology Consulting/BI. She has been working with Crystal Reports for over 20 years and with SAP BusinessObjects (BOBJ) for 14 years, including time in industry prior to becoming a consultant. She currently does BOBJ security reviews, custom application design and implementation using the Crystal and BOBJ APIs, and the occasional BOBJ install or upgrade.
Developing an organizational culture that recognizes and respects the value of using data to drive business is a concept most clients hope to embrace. Great in theory but in reality, most companies are spread across the success spectrum, with few finding just the right mix of factors enabling them to accomplish amazing things.
National Vision, a long-time Protiviti client, is widely recognized as a company that has effectively engaged the entire organization in a strategic approach that has data at its very core. Recently, National Vision’s Kara Bevelhimer, vice president of retail operations, shared her secrets to success in a blog posted to the Americas’ SAP® User Group (ASUG) website. Bevelhimer outlined the steps she took to develop a data-driven enterprise, including:
Get your C-suite on board
Demonstrate what data can do
Find common ground
Choose metrics that matter
Identify your stewards early
Keep developing your data
Work your data so it can work for you
Set yourself up for self-serve success
Let the data lead the story
From implementation to reporting, keeping data at the forefront allows National Vision to strike the right balance between the business and IT’s needs. Read Bevelhimer’s full blog post here.
Join Protiviti’s John Harris as he presents two dynamic webinars that will help you make the most of your data using advanced analytics. From developing a customer analytics strategy to how to capture the vast amounts of information in your production systems to make prescriptive decisions, John’s sessions will give you insight into what’s happening now in data analytics.
Register for one or both!
How CX Information Can Accelerate Your Customer Analytics Journey
Wednesday, Oct 3 @ 2:00 pm ET
Often, companies struggle with maximizing the value of the huge amount of customer data they capture and retain, yet some are leveraging customer analytics to begin tapping into the value of that information. In this session, attendees will learn how to align customer experience information with a customer analytics framework to accelerate their journey to meaningful and actionable customer insights.
Key Learning Points:
Review the overall purpose and framework of a customer analytics strategy
Learn the difference between a Customer Analytics and Customer Experience program
Discover why CX information is critical to a customer analytics strategy
Leveraging Advanced Analytics & ERP Data for Production Optimization, Capacity Analysis and Scenario Production Planning
Wednesday, Oct 10 @ 2:00 pm ET
Consumer packaging and manufacturing companies capture vast amounts of information with their production ERP systems. In most cases, this information is primarily used for reporting and ad hoc queries on things that have already happened. The information is rarely used to make prescriptive decisions on how to optimize production processes and planning decisions.
This customer case study will illustrate how Protiviti demonstrated the value of leveraging advanced analytics to a large manufacturing client, using their ERP data to create optimized daily production schedules, increase plant capacity, and execute scenario planning analysis. This capability was not available from their ERP system or any of their plant-shop floor accessory software packages. Attendees will learn how Protiviti used optimization modeling to accomplish a number of objectives including reducing production costs, determining the impact of each customer’s order patterns on resource utilization and evaluating the ability to absorb new customer demand.
Key Learning Points:
Discover ways to leverage advanced analytics to maximize the value of ERP data
Learn how to identify analytics-based projects of utmost interest to senior management
See how to leverage optimization for operation and strategic planning decisions