Query: Description of security and maintaining the security table
Data security in Query is built around the custom security table /WINSHTLQ/QRSAOB, which is installed on the SAP system that stores the data to be queried. In this table, the IT/SAP administrator for the customer can specify the authorization checks on the data that users are trying to access.
The Winshuttle custom security table consists of the following fields:
- Table name: SAP Table name to be secured
- Authorization object: Assigned authorization object to be checked
- Authorization Field name: Field in the SAP table to be used for authorization check
- Authorization Field text: Text description of the field
- Authorization object text: Text description of the authorization object
You can maintain this security table by using the SAP transaction code SM30.
Note: The security table works in addition to the standard SAP user security defined for the table. To place a further restriction on the rows of a table, you need to enter that table in the security table.
Query processing
During query creation and execution, Query performs a number of steps to restrict data access to exactly what the user is supposed to see. Query uses the Winshuttle custom security table as another security layer in which the user’s accessible authorization objects are checked. If an authorization object is used in a user’s SAP profile and a value is specified for it, checks are made against this value.
During query processing, the SAP table and SAP field meant for data restriction are retrieved from the Winshuttle custom security table along with the authorization objects. Authorization checks are made for the SAP username on the values retrieved, and records that fail authorization are removed from the output.
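The row filtering described above can be modelled as follows. This is an added example, not Winshuttle code: the table-to-object mapping is a subset of the default entries listed on this page, while the user profile, the sample rows, the wildcard matching and the treatment of an authorization object missing from the profile are assumptions of the model.

```python
from fnmatch import fnmatchcase

# Subset of the default entries listed on this page:
# SAP table -> (authorization object, field used for the check)
SECURITY_TABLE = {
    "BKPF": ("F_BKPF_BUK", "BUKRS"),
    "EKKO": ("M_BEST_EKO", "EKORG"),
    "MARC": ("M_MATE_WRK", "WERKS"),
}

# Constructed user profile: authorization object -> permitted field values.
# "*" is treated as a wildcard (assumption of this model).
USER_AUTHS = {"F_BKPF_BUK": ["1000", "20*"], "M_MATE_WRK": ["*"]}

# Constructed query results.
BKPF_ROWS = [
    {"BELNR": "0100000001", "BUKRS": "1000"},
    {"BELNR": "0100000002", "BUKRS": "2010"},
    {"BELNR": "0100000003", "BUKRS": "3000"},
]
EKKO_ROWS = [{"EBELN": "4500000001", "EKORG": "1000"}]


def filter_rows(table, rows, user_auths, security_table=SECURITY_TABLE):
    """Return (kept, removed) rows for one table of a query result."""
    entry = security_table.get(table)
    if entry is None:
        # Table not maintained in the security table: this layer adds no row
        # restriction; standard SAP security for the table still applies.
        return list(rows), []
    auth_object, field = entry
    # Assumption: an object missing from the profile fails every check.
    allowed = user_auths.get(auth_object, [])
    kept, removed = [], []
    for row in rows:
        ok = any(fnmatchcase(row[field], pattern) for pattern in allowed)
        (kept if ok else removed).append(row)
    return kept, removed


if __name__ == "__main__":
    for name, rows in (("BKPF", BKPF_ROWS), ("EKKO", EKKO_ROWS)):
        kept, removed = filter_rows(name, rows, USER_AUTHS)
        print(name, "kept:", kept, "removed:", removed)
```

The first branch is the case to review when auditing: a table that has no entry in the security table gets no row-level restriction from this layer.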
Winshuttle custom security table: an example
In this screenshot, eight Authorization objects have been defined in the Winshuttle security table, with the SAP Tables and SAP Fields specified for data restriction.
Winshuttle provides certain default values in this table during the installation of the Winshuttle Function Module. The following table shows the default Authorization objects that are provided by Winshuttle.
| SAP Table | Object | Field | Field Description | Auth. object text |
| --- | --- | --- | --- | --- |
| BKPF | F_BKPF_BUK | BUKRS | Company Code | Accounting Document: Authorization for Company Codes |
| KNB1 | F_KNA1_BUK | BUKRS | Company Code | Customer: Authorization for Company Codes |
| KNKK | F_KNKA_KKB | KKBER | Credit Control area | Credit Management: Authorization for Credit Control Area |
| LFB1 | F_LFA1_BUK | BUKRS | Company Code | Vendor: Authorization for Company Codes |
| SKB1 | F_SKA1_BUK | BUKRS | Company Code | G/L Account: Authorization for Company Codes |
| EKKO | M_BEST_EKO | EKORG | Purchasing Organization | Purchasing Organization in Purchase Order |
| EKPO | M_BEST_WRK | WERKS | Plant | Plant in Purchase Order |
| MARC | M_MATE_WRK | WERKS | Plant | Material Master: Plants |
| KNVV | V_KNA1_VKO | VKORG | Sales organization | Customer: Authorization for Sales Organizations |
| VBAK | V_VBAK_VKO | VKORG | Sales organization | Sales Document: Authorization for Sales Areas |
| VBRK | V_VBRK_VKO | VKORG | Sales organization | Billing: Authorization for Sales Organizations |
For the complete list of objects and an example, see All objects.