Query: Description of security and maintaining the security table

Data security in Query is built around the custom security table /WINSHTLQ/QRSAOB, which is installed on the SAP system that stores the data to be queried. In this table, the IT/SAP administrator for the customer can specify the authorization checks on the data that users are trying to access.

The Winshuttle custom security table consists of the following fields:

  • Table name: SAP Table name to be secured
  • Authorization object: Assigned authorization object to be checked
  • Authorization Field name: Field in the SAP table to be used for authorization check
  • Authorization Field text: Text description of the field
  • Authorization object text: Text description of the authorization object

You can maintain this security table by using the SAP transaction code SM30.

Note: The security table works in addition to the standard SAP user security defined for the table. To place a further restriction on the rows of a table, you need to enter that table in the security table.

Query processing

During query creation and execution, Query performs a number of steps to restrict data access to exactly what the user is supposed to see. Query uses the Winshuttle custom security table as another security layer in which the user’s accessible authorization objects are checked. If an authorization object is used in the user’s SAP profile and a value is specified for it, checks are made against this value.

During query processing, the SAP table and SAP field meant for data restriction are retrieved from the Winshuttle custom security table along with the authorization objects. Authorization checks are made on the values retrieved for the SAP username, and records with failed authorization are removed from the output.
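
The filtering described above, modelled as an added Python example (not Winshuttle's code and not part of the original page). The three security table entries come from the default values listed on this page; the user profile, the sample rows, the trailing-* wildcard handling and the choice to remove a row that lacks the authorization field are assumptions of this sketch.

```python
# Simplified model of the row filter; not Winshuttle's function module.
# (SAP table, authorization object, authorization field), from the page's defaults.
SECURITY_TABLE = [
    ("BKPF", "F_BKPF_BUK", "BUKRS"),
    ("EKKO", "M_BEST_EKO", "EKORG"),
    ("VBAK", "V_VBAK_VKO", "VKORG"),
]

# Constructed user profile: authorization object -> field -> permitted values.
USER_PROFILE = {
    "F_BKPF_BUK": {"BUKRS": ["1000", "20*"]},
    "V_VBAK_VKO": {"VKORG": ["*"]},
}

# Constructed query output for BKPF; the last row lacks the checked field.
BKPF_ROWS = [
    {"BUKRS": "1000", "BELNR": "0100000001"},
    {"BUKRS": "2010", "BELNR": "0100000002"},
    {"BUKRS": "3000", "BELNR": "0100000003"},
    {"BELNR": "0100000004"},
]

def matches(value, pattern):
    """Assumed value syntax: an exact value, or a prefix followed by '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern

def value_allowed(profile, obj, field, value):
    """True if the profile holds obj with a permitted value matching value."""
    patterns = profile.get(obj, {}).get(field, [])
    return any(matches(value, p) for p in patterns)

def filter_rows(table, rows, profile, security_table=SECURITY_TABLE):
    """Split rows into (kept, removed) using every entry for this table."""
    checks = [(obj, fld) for tab, obj, fld in security_table if tab == table]
    kept, removed = [], []
    for row in rows:
        # No entry for the table: all() is True, so no extra restriction applies.
        ok = all(fld in row and value_allowed(profile, obj, fld, row[fld])
                 for obj, fld in checks)
        (kept if ok else removed).append(row)
    return kept, removed

if __name__ == "__main__":
    kept, removed = filter_rows("BKPF", BKPF_ROWS, USER_PROFILE)
    print("kept:", [r["BELNR"] for r in kept])
    print("removed:", [r["BELNR"] for r in removed])
```

A table with no entry in the security table passes through unfiltered here, which mirrors the note above: the security table only adds restrictions on top of the standard SAP user security.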

Winshuttle custom security table: an example

In this screenshot, eight Authorization objects have been defined in the Winshuttle security table, with the SAP Tables and SAP Fields specified for data restriction.

Winshuttle provides certain default values in this table during the installation of the Winshuttle Function Module. The following table shows the default Authorization objects that are provided by Winshuttle.

| SAP Table | Object | Field | Field Description | Auth. object text |
|---|---|---|---|---|
| BKPF | F_BKPF_BUK | BUKRS | Company Code | Accounting Document: Authorization for Company Codes |
| KNB1 | F_KNA1_BUK | BUKRS | Company Code | Customer: Authorization for Company Codes |
| KNKK | F_KNKA_KKB | KKBER | Credit Control area | Credit Management: Authorization for Credit Control Area |
| LFB1 | F_LFA1_BUK | BUKRS | Company Code | Vendor: Authorization for Company Codes |
| SKB1 | F_SKA1_BUK | BUKRS | Company Code | G/L Account: Authorization for Company Codes |
| EKKO | M_BEST_EKO | EKORG | Purchasing Organization | Purchasing Organization in Purchase Order |
| EKPO | M_BEST_WRK | WERKS | Plant | Plant in Purchase Order |
| MARC | M_MATE_WRK | WERKS | Plant | Material Master: Plants |
| KNVV | V_KNA1_VKO | VKORG | Sales organization | Customer: Authorization for Sales Organizations |
| VBAK | V_VBAK_VKO | VKORG | Sales organization | Sales Document: Authorization for Sales Areas |
| VBRK | V_VBRK_VKO | VKORG | Sales organization | Billing: Authorization for Sales Organizations |

For the complete list of objects and an example, see All objects.