OpenSQL Editor - Security overview

Authorization concept

Hovitaga OpenSQL Editor uses multiple authority objects provided by SAP and used by most of the customers worldwide. This means that if those authority objects are already configured in an SAP system, no additional effort is required. Additionally any number of authorization objects can be assigned to database tables, so every query will check if the user has the necessary authorizations to work with the required data.

All the row and column level authorization checks are integrated to the queries sent to the database server to make sure only the necessary data is transferred to the client side.

Security overview of Hovitaga OpenSQL Editor

Record level authorizations

While the tools mostly used by consultants and developers (SE16 and SAP Query) only use table group level authorizations to filter query results, Hovitaga OpenSQL Editor can be controlled in a much more sophisticated way. This means that besides defining which tables can be read, you can control which records can be read from a table. A generic standard SAP authority object (S_TABU_LIN) is used to filter the query results based on any organizational criteria defined in customizing. For example a scenario can be set up easily where certain users only see data for their company code (or country or any organizational level).

This row level authorization concept is part of every SAP system and can be maintained within customizing (SPRO). If it has been already set up, then the queries will filtered accordingly.

Additionally any number of authority objects can be assigned to tables within a customizing transaction. A field mapping between the authority object and the table must be made that is used when filtering query results.

For example to filter entries in the VBAK table (Order headers) by sales organization simply assign authority object V_VBAK_VK0 to the table. To filter entries by plant in table MARC (Plant data), assign authority object M_MATE_WRK to table MARC. If these authority objects were already used in the SAP system, then the roles, profiles etc. do not need to be changed, no other user maintenance effort is required.Field and record level autorizations can be set up


Field level authorizations

In addition to the record level authorization query results can be filtered on field level also. For example, certain users could see the contents of the salary field in a table, others could not, depending on the authorizations.

There is an authority object that controls what columns may a user access in a database table. This can be maintained with the standard SAP tools without any special customizing effort.

Table group level authorizations

Hovitaga OpenSQL Editor also uses the SAP standard authority objects S_TABU_DIS to control access to table groups and S_TABU_CLI to control maintenance of client-independent tables.




See Hovitaga's facebook page See Hovitaga's youtube channel