Lumira Security Aspects

Anja Rusch CEG
November, 2014

Public

Legal disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the
permission of SAP. This presentation is not subject to your license agreement or any other service or subscription
agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation
and SAP's strategy and possible future developments, products and or platforms directions and functionality are all
subject to change and may be changed by SAP at any time for any reason without notice. The information in this
document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This
document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational
purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP´s willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements,
which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

© 2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

2

All rights reserved. Public 3 .Agenda DataSet Security Lumira Desktop Governance Lumira Document Security on  Cloud  Server  BI Platform © 2014 SAP SE or an SAP affiliate company.

on any device BI Platform publish publish publish Lumira Server Lumira Desktop Lumira Cloud (on HANA) (local) (on HANA) Excel / CSV Excel / CSV © 2014 SAP SE or an SAP affiliate company.in the cloud .SAP Lumira: Server – Desktop – Cloud On premise . All rights reserved. Clipboard RDBMS Universes HANA BW* Excel / CSV *Desktop Visualization only Public 4 .

DataSet Security .

Lumira Datasets Download Approach keeps creator‘s access rights  MS Excel. Clipboard  SAP HANA  Universe – Context and Prompt selection  Query with SQL Connect Approach respects user rights  SAP HANA  SAP Business Warehouse (with limitations)  Forced BI server side refresh for universes © 2014 SAP SE or an SAP affiliate company. All rights reserved. Text. Public 6 .

Lumira Desktop Governance .

Configuring Desktop Governance Desktop governance allows BI platform administrators to enforce security on SAP Lumira for     Data source type user can import from Destinations user can share to Configurability of URLs Handling of updates Enabling Desktop Governance     BI Platform with Lumira BI Add-on installed Create a configuration file on each user’s machine Define each user's settings in the Central Management Console (CMC) SAP Lumira enforces desktop governance by contacting the BI platform at startup and querying for the user's rights and settings. © 2014 SAP SE or an SAP affiliate company. All rights reserved. Public 8 .

Example: http://vmboesrvr:6405/biprws <useSSO> true = use Single Sign On to contact the BI platform false = user will be prompted for their BI platform credentials To use SSO.Creating a Desktop Governance Configuration File Create a configuration file called LumiraGovernance. secWinAD.sapvi with the following parameters: Parameter Description <enable> true = desktop governance enforced false = desktop governance not enforced <adapter.type> boe = system type that will be contacted to enforce desktop governance <authentication. secSAPR3 <rest.properties in C:\Users###BOT_TEXT###lt;user>\. Public 9 . secLDAP. All rights reserved. it must be configured on user machine's domain and the BI platform deployment © 2014 SAP SE or an SAP affiliate company.url> BI platform rest access URL.type> Allowed BI platform authentication types: secEnterprise.

All rights reserved.properties Logon Popup after restart © 2014 SAP SE or an SAP affiliate company.LumiraGovernance. Public 10 .

Public 11 . or to enforce system security  Allow users to maintain Sharing URLs for – Lumira Cloud – Lumira Server – BI Server  Turn automatic updates on or off © 2014 SAP SE or an SAP affiliate company. All rights reserved.Defining SAP Lumira Properties Set default values for SAP Lumira in order to improve user experience.

Before and after applying Lumira Properties Before After © 2014 SAP SE or an SAP affiliate company. All rights reserved. Public 12 .

All rights reserved.Defining Access Rights to SAP Lumira Features Use BI platform rights to control which data sources and destinations each user or group can access © 2014 SAP SE or an SAP affiliate company. Public 13 .

Public 14 .All selectable Rights for SAP Lumira © 2014 SAP SE or an SAP affiliate company. All rights reserved.

Public 15 . All rights reserved.Before and After applying DataSource Rights Before After denied denied © 2014 SAP SE or an SAP affiliate company.

All rights reserved.Before and After applying Sharing Rights Before Share Datasets Share Stories denied After Share Datasets Share Stories © 2014 SAP SE or an SAP affiliate company. Public 16 .

like for Everyone. those will apply then © 2014 SAP SE or an SAP affiliate company. All rights reserved. Public 17 .Maintaining Access Rights for Groups / Everyone Specific User rights have priority over group rights     Your Desktop user needs to be created in BOE It is automatically assigned to the Everyone group and cannot be removed Specific user rights will always apply first If there are no user rights maintained for your user but group rights.

All rights reserved. Public 18 .DEMO © 2014 SAP SE or an SAP affiliate company.

Lumira Document Security on Cloud. BI Platform . Server.

Infographics: Refresh Page on Open Option Refreshes infographic page each time you open the infographic  Dynamical update according to data available  Can be used to secure dashboard after sharing – If eg. removing dataset access  Static Infographics will not be affected from any dataset refreshes © 2014 SAP SE or an SAP affiliate company. All rights reserved. Public 20 .

All rights reserved. Dataset sharing stopped Public 21 .SAP Lumira Cloud® Security Level of protection of data  Sharing a story with your team or others will share the full dataset as well  You can stop sharing items that you shared  All users must sign in to view private items  Users can access stories publicized through public URLs without signing into SAP Lumira Cloud © 2014 SAP SE or an SAP affiliate company.

Set up HANA Users to Access Lumira Server HANA admin needs to assign BI_DATA_CONSUMER or BI_DATA_ANALYST role for users BI_DATA_CONSUMER BI_DATA_ANALYST © 2014 SAP SE or an SAP affiliate company. Public 22 . All rights reserved.

Share your Stories and Datasets on Lumira Server Stories & Dataset can be shared with  Roles you have access to  Roles which have access to the underlying data – Members see the dataset based on their privileges You will not be able to share to roles that do not have authorization 1 2 © 2014 SAP SE or an SAP affiliate company. Public 23 . All rights reserved.

Public 24 .BI Platform Security for Lumira Documents Control a user's access to datasets & stories by setting rights on the dataset and story objects in the Central Management Console (CMC) Datasets are stored under Lumira Datasets Stories are stored under Folders © 2014 SAP SE or an SAP affiliate company. All rights reserved.

All rights reserved. ensuring your stories contain the most up-to-date data on demand refresh     using the rights of the user doing the refresh Maintain the Refresh on Open flag creates a transient table per refreshing user disables the schedule option for that dataset scheduled refresh  using the rights of the user who published the dataset  creates a permanent table in SAP HANA © 2014 SAP SE or an SAP affiliate company. Universe specific settings Public 25 .Universe Security on the BI Platform Security during a Dataset Refresh Datasets based on universes can be refreshed.

rusch@sap.Thank you anja. .com © 2014 SAP SE or an SAP affiliate company. All rights reserved.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only. and SAP SE’s or its affiliated companies’ strategy and possible future developments. and they should not be relied upon in making purchasing decisions. code. . Nothing herein should be construed as constituting an additional warranty. The information in this document is not a commitment. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries.epx for additional trademark information and notices. promise. Please see http://global12. Readers are cautioned not to place undue reliance on these forward-looking statements. All rights reserved. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations.com/corporate-en/legal/copyright/index. All rights reserved. This document. without representation or warranty of any kind. or to develop or release any functionality mentioned therein. or legal obligation to deliver any material. which speak only as of their dates. if any. products. or any related presentation. In particular.© 2014 SAP SE or an SAP affiliate company. and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. or functionality. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. © 2014 SAP SE or an SAP affiliate company. SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation. National product specifications may vary. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services. and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice.sap.