Description of security and maintaining security table

Data security in QUERY is built around a custom security table (/WINSHTLQ/QRSAOB), which is installed on the SAP system in which QUERY will be used. In this table, the IT/SAP administrator for the customer can specify authorization checks on the data that users are trying to access. The Winshuttle custom security table consists of the following fields:

This security table can be maintained through the SAP transaction code SM30.

Note: The security table works on top of the standard SAP user security defined for the table. To place a further restriction on rows, you need to enter that table in the security table.

Query processing in QUERY

During query creation and query execution, QUERY performs a number of steps to restrict data access to exactly what the user is supposed to see. QUERY uses the Winshuttle custom security table as another security layer in which the user’s accessible "Authorization objects" are checked. If the authorization object is used and a value is specified in a user’s SAP profile, checks are made against that value.

In the Winshuttle custom security table, along with the authorization objects, the SAP table and SAP field meant for data restriction are retrieved during query processing. Authorization checks are made on the values retrieved for the SAP username, and records with failed authorization are removed from the output.
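A simplified model of the filtering described above, as an added example that is not Winshuttle's code. It uses three of the default entries listed later on this page with constructed user profiles and rows; it assumes that a user with no value for an authorization object fails the check and that "*" authorizes every value, and ZDEMO is a hypothetical table name.

```python
# Added example: simplified model of row filtering driven by the security table.
# Not Winshuttle code; profiles, rows and the ZDEMO table are constructed.

# SAP table -> (authorization object, field used for data restriction).
# Three of the default entries shown on this page.
SECURITY_TABLE = {
    "BKPF": ("F_BKPF_BUK", "BUKRS"),
    "EKKO": ("M_BEST_EKO", "EKORG"),
    "MARC": ("M_MATE_WRK", "WERKS"),
}

# Constructed profiles: authorization object -> permitted values ("*" = all).
PROFILES = {
    "JSMITH": {"F_BKPF_BUK": {"1000", "2000"}, "M_BEST_EKO": {"*"}},
}


def is_authorized(user, auth_object, value):
    # Assumption: no value for the object in the profile means the check fails.
    allowed = PROFILES.get(user, {}).get(auth_object, set())
    return "*" in allowed or value in allowed


def filter_rows(user, table, rows):
    """Drop the rows whose restricted field value fails the user's check."""
    entry = SECURITY_TABLE.get(table)
    if entry is None:
        # Table not entered in the security table: no row restriction applies,
        # only the standard SAP security defined for the table.
        return list(rows)
    auth_object, field = entry
    return [r for r in rows if is_authorized(user, auth_object, r[field])]


def unrestricted_tables(query_tables):
    """Audit helper: tables in a query with no security-table entry."""
    return sorted(t for t in query_tables if t not in SECURITY_TABLE)


if __name__ == "__main__":
    bkpf = [{"BELNR": "0100000001", "BUKRS": "1000"},
            {"BELNR": "0100000002", "BUKRS": "3000"}]
    print(filter_rows("JSMITH", "BKPF", bkpf))    # company code 3000 removed
    print(unrestricted_tables(["BKPF", "ZDEMO"]))  # tables lacking an entry
```

The audit helper reflects the note above: a table that has not been entered in the security table gets no row-level restriction from it.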

Winshuttle custom security table (Example)

The screenshot below shows an example of how the Winshuttle custom security table can be defined. Eight authorization objects have been used in this example, with the SAP tables and SAP fields specified for data restriction.

Winshuttle provides certain default values in this table during the installation of the Winshuttle Function Module. Please refer to the table below for the default authorization objects provided by Winshuttle.

| SAP Table | Object | Field | Field Description | Auth. object text |
|---|---|---|---|---|
| BKPF | F_BKPF_BUK | BUKRS | Company Code | Accounting Document: Authorization for Company Codes |
| KNB1 | F_KNA1_BUK | BUKRS | Company Code | Customer: Authorization for Company Codes |
| KNKK | F_KNKA_KKB | KKBER | Credit Control area | Credit Management: Authorization for Credit Control Area |
| LFB1 | F_LFA1_BUK | BUKRS | Company Code | Vendor: Authorization for Company Codes |
| SKB1 | F_SKA1_BUK | BUKRS | Company Code | G/L Account: Authorization for Company Codes |
| EKKO | M_BEST_EKO | EKORG | Purchasing Organization | Purchasing Organization in Purchase Order |
| EKPO | M_BEST_WRK | WERKS | Plant | Plant in Purchase Order |
| MARC | M_MATE_WRK | WERKS | Plant | Material Master: Plants |
| KNVV | V_KNA1_VKO | VKORG | Sales organization | Customer: Authorization for Sales Organizations |
| VBAK | V_VBAK_VKO | VKORG | Sales organization | Sales Document: Authorization for Sales Areas |
| VBRK | V_VBRK_VKO | VKORG | Sales organization | Billing: Authorization for Sales Organizations |

For the complete list of objects and an example, see All objects.
