BusinessObjects Enterprise™ XI Administrator’s Guide BusinessObjects Enterprise XI Patents Business Objects owns the following U.S. patents, which may cover products that are offered and sold by Business Objects: 5,555,403, 6,247,008 B1, 6,578,027 B2, 6,490,593 and 6,289,352. Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and other countries. All other names mentioned herein may be trademarks of their respective owners. Copyright © 2004 Business Objects. All rights reserved. Trademarks Copyright Contents Chapter 1 Introduction to BusinessObjects Enterprise XI Administrator’s Guide 21 About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Who should use this guide? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Business Objects information resources . . . . . . . . . . . . . . . . . . . . . . . 22 Chapter 2 What’s New in BusinessObjects Enterprise 25 Welcome to BusinessObjects Enterprise XI . . . . . . . . . . . . . . . . . . . . . . . . 26 About this version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Supported products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 New features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 End-user experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Report design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Developer flexibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 System administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Chapter 3 Administering BusinessObjects Enterprise 35 Administration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Central Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Logging on to the Central Management Console . . . . . . . . . . . . . . . . 37 Navigating within the Central Management Console . . . . . . . . . . . . . . 38 Setting console preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Setting the Query size threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Logging off of the Central Management Console . . . . . . . . . . . . . . . . 41 Using the Central Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . 42 Accessing the CCM for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Accessing the CCM for UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Making initial security settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Setting the Administrator password . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Disabling the Guest account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 BusinessObjects Enterprise Administrator’s Guide 3 Contents Modifying the default security levels . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Managing universes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Managing universe connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Managing InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Managing Web Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Managing Discussions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Accessing the Discussions page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Searching for discussion threads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Sorting search results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Deleting discussion threads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Setting user rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Chapter 4 BusinessObjects Enterprise Architecture 53 Architecture overview and diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Client tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Central Management Console (CMC) . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Central Configuration Manager (CCM) . . . . . . . . . . . . . . . . . . . . . . . . . 57 Publishing Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Application tier components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Web development platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Web application environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Central Management Server (CMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Program Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Web Intelligence Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 4 BusinessObjects Enterprise Administrator’s Guide Contents Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Report Application Server (RAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Destination Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 List of Values Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Data tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Report viewers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Information flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 What happens when you schedule an object? . . . . . . . . . . . . . . . . . . 70 What happens when you view a report? . . . . . . . . . . . . . . . . . . . . . . . 71 Choosing between live and saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Live data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Chapter 5 Managing and Configuring Servers 77 Server management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Viewing current metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Viewing current server metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Viewing system metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 Viewing and changing the status of servers . . . . . . . . . . . . . . . . . . . . . . . . 82 Starting, stopping, and restarting servers . . . . . . . . . . . . . . . . . . . . . . 82 Stopping a Central Management Server . . . . . . . . . . . . . . . . . . . . . . . 84 Enabling and disabling servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Printing, copying, and refreshing server status . . . . . . . . . . . . . . . . . . 86 Configuring the application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Configuring the Web Component Adapter . . . . . . . . . . . . . . . . . . . . . . 89 Configuring the intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Clustering Central Management Servers . . . . . . . . . . . . . . . . . . . . . . . 92 Copying data from one CMS database to another . . . . . . . . . . . . . . . . 98 Deleting and recreating the CMS database . . . . . . . . . . . . . . . . . . . . 108 Selecting a new or existing CMS database . . . . . . . . . . . . . . . . . . . . 109 Setting root directories and idle times of the File Repository Servers 110 Modifying Cache Server performance settings . . . . . . . . . . . . . . . . . 112 BusinessObjects Enterprise Administrator’s Guide 5 Contents Modifying the polling time of the Event Server . . . . . . . . . . . . . . . . . . 114 Configuring the processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Modifying Page Server performance settings . . . . . . . . . . . . . . . . . . . 115 Modifying database settings for the RAS . . . . . . . . . . . . . . . . . . . . . . 118 Modifying performance settings for the RAS . . . . . . . . . . . . . . . . . . . . 120 Modifying performance settings for job servers . . . . . . . . . . . . . . . . . 121 Configuring the Web Intelligence Report Server . . . . . . . . . . . . . . . . . 122 Configuring the destinations for job servers . . . . . . . . . . . . . . . . . . . . 125 Configuring Windows processing servers for your data source . . . . . 132 Configuring UNIX processing servers for your data source . . . . . . . . 133 Logging server activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Advanced server configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Changing the default server port numbers . . . . . . . . . . . . . . . . . . . . . 140 Configuring a multihomed machine . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Adding and removing Windows server dependencies . . . . . . . . . . . . 144 Changing the server startup type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 Changing the server user account . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Configuring servers for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Chapter 6 Managing Server Groups 151 Server group overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Creating a server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Working with server subgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Modifying the group membership of a server . . . . . . . . . . . . . . . . . . . . . . 155 Chapter 7 Scaling Your System 157 Scalability overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Common configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 One-machine setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Three-machine setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Six-machine setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 General scalability considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Increasing overall system capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 6 BusinessObjects Enterprise Administrator’s Guide Contents Increasing scheduled reporting capacity . . . . . . . . . . . . . . . . . . . . . . 163 Increasing on-demand viewing capacity for Crystal reports . . . . . . . 164 Increasing prompting capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Delegating XSL transformation to Internet Explorer . . . . . . . . . . . . . 165 Enhancing custom web applications . . . . . . . . . . . . . . . . . . . . . . . . . 166 Improving web response speeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Getting the most from existing resources . . . . . . . . . . . . . . . . . . . . . 167 Adding and deleting servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Adding a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Deleting a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Chapter 8 Managing BusinessObjects Enterprise Repository 173 BusinessObjects Enterprise Repository overview . . . . . . . . . . . . . . . . . . 174 Copying data from one repository database to another . . . . . . . . . . . . . . 174 Importing data from a Crystal Enterprise 10 or BusinessObjects Enterprise XI CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Copying data from a Crystal Enterprise 9 repository database . . . . . 176 Copying data from a Crystal Reports 9 repository database . . . . . . . 177 Refreshing repository objects in published reports . . . . . . . . . . . . . . . . . 179 Chapter 9 Working with Firewalls 181 Firewalls overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 What is a firewall? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Firewall types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Understanding firewall integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Communication between servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Firewall configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Typical firewall scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Configuring the system for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Configuring for Network Address Translation . . . . . . . . . . . . . . . . . . 190 Configuring for packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Configuring for SOCKS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 BusinessObjects Enterprise Administrator’s Guide 7 Contents Chapter 10 Managing Auditing 203 Auditing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 How does auditing work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Which actions can I audit? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Configuring the auditing database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Enabling auditing of user and system actions . . . . . . . . . . . . . . . . . . . . . . 210 Controlling synchronization of audit actions . . . . . . . . . . . . . . . . . . . . . . . 212 Optimizing system performance while auditing . . . . . . . . . . . . . . . . . . . . . 213 Using sample audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 Creating custom audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Auditing database schema reference . . . . . . . . . . . . . . . . . . . . . . . . . 218 Chapter 11 BusinessObjects Enterprise Security Concepts 227 Security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Authentication and authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Primary authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Secondary authentication and authorization . . . . . . . . . . . . . . . . . . . . 230 About single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 Security management components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Web Component Adapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Security plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Processing extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Active trust relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 Logon tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 Ticket mechanism for distributed security . . . . . . . . . . . . . . . . . . . . . . 243 Sessions and session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 WCA session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 CMS session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 Environment protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Web browser to web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Web server to BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . 246 Auditing web activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 8 BusinessObjects Enterprise Administrator’s Guide Contents Protection against malicious logon attempts . . . . . . . . . . . . . . . . . . . . . . 247 Password restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 Logon restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 User restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 Guest account restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 Chapter 12 Managing User Accounts and Groups 249 What is account management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 Default users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 Default users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 Default groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 Available authentication types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Managing Enterprise and general accounts . . . . . . . . . . . . . . . . . . . . . . . 253 Creating an Enterprise user account . . . . . . . . . . . . . . . . . . . . . . . . . 254 Adding a user to groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255 Modifying a user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 Deleting a user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 Changing password settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Creating a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 Adding users to a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 Modifying a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Viewing group members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Deleting a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Disabling the Guest account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Granting access to users and groups . . . . . . . . . . . . . . . . . . . . . . . . 262 Managing LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Configuring LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Mapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Unmapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 Viewing mapped LDAP users and groups . . . . . . . . . . . . . . . . . . . . . 272 Changing LDAP connection parameters and member groups . . . . . 272 Managing multiple LDAP hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 Troubleshooting LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 BusinessObjects Enterprise Administrator’s Guide 9 Contents Managing AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Mapping AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 Unmapping AD groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Viewing mapped AD users and groups . . . . . . . . . . . . . . . . . . . . . . . . 280 Troubleshooting AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 Setting up AD single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Managing NT accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Mapping NT accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Unmapping NT groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 Viewing mapped NT users and groups . . . . . . . . . . . . . . . . . . . . . . . . 289 Troubleshooting NT accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 Setting up NT single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Managing aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Creating a user and a third-party alias . . . . . . . . . . . . . . . . . . . . . . . . 294 Creating an alias for an existing user . . . . . . . . . . . . . . . . . . . . . . . . . 296 Assigning an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 Reassigning an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Deleting an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Disabling an aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 Configuring Kerberos single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 Setting up a service account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 Configuring the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 Configuring the Windows AD plug-in for Kerberos authentication . . . 301 Configuring the cache expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Configuring the IIS and browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Configuring IIS for end-to-end single sign-on . . . . . . . . . . . . . . . . . . . 305 Configuring IIS for single sign-on to databases only . . . . . . . . . . . . . . 309 Configuring BusinessObjects Enterprise web applications . . . . . . . . . 312 Mapping AD accounts for Kerberos single sign-on . . . . . . . . . . . . . . . 313 Configuring the databases for single sign-on . . . . . . . . . . . . . . . . . . . 313 10 BusinessObjects Enterprise Administrator’s Guide Contents Chapter 13 Controlling User Access 315 Controlling user access overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 Controlling users’ access to objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 Setting object rights for users and groups . . . . . . . . . . . . . . . . . . . . . 317 Viewing object rights settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Setting common access levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 Setting advanced object rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 Using inheritance to your advantage . . . . . . . . . . . . . . . . . . . . . . . . . 325 Inheritance with advanced rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 Customizing a ‘top-down’ inheritance model . . . . . . . . . . . . . . . . . . . 331 Controlling access to applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 Controlling administrative access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Controlling access to users and groups . . . . . . . . . . . . . . . . . . . . . . . 352 Controlling access to user inboxes . . . . . . . . . . . . . . . . . . . . . . . . . . 352 Controlling access to servers and server groups . . . . . . . . . . . . . . . . 353 Controlling access to universes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354 Controlling access to universe connections . . . . . . . . . . . . . . . . . . . . 355 Chapter 14 Organizing Objects 357 Organizing objects overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 About folders and categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 Working with folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 Creating and deleting folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 Copying and moving folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 Adding a report to a new folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362 Specifying folder rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364 Setting limits for folders, users, and groups . . . . . . . . . . . . . . . . . . . . 365 Managing User Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 Working with categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 Creating and deleting categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 Moving categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 Adding an object to a new category . . . . . . . . . . . . . . . . . . . . . . . . . . 370 Removing or deleting objects from a category . . . . . . . . . . . . . . . . . . 370 BusinessObjects Enterprise Administrator’s Guide 11 Contents Specifying category rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 Managing personal categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372 Chapter 15 Publishing Objects to BusinessObjects Enterprise 373 Publishing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Publishing options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 Publishing with the Publishing Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 Logging on to BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . 376 Adding objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 Creating and selecting a folder on the CMS . . . . . . . . . . . . . . . . . . . . 377 Moving objects between folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 Duplicating the folder structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 Adding objects to a category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 Changing scheduling options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 Refreshing repository fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 Selecting a program type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 Specifying program credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381 Changing default values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381 Changing object properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 Entering database logon information . . . . . . . . . . . . . . . . . . . . . . . . . 382 Setting parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 Setting the schedule output format . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 Adding extra files for programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 Specifying command line arguments . . . . . . . . . . . . . . . . . . . . . . . . . 384 Finalizing the objects to be added . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 Publishing with the Central Management Console . . . . . . . . . . . . . . . . . . 385 Saving objects directly to the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387 Chapter 16 Importing Objects to BusinessObjects Enterprise 389 Importing information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Importing information from BusinessObjects Enterprise 6.x . . . . . . . . . . . 390 Before importing from BusinessObjects Enterprise 6.x . . . . . . . . . . . . 391 Importing objects from BusinessObjects Enterprise 6.x . . . . . . . . . . . 392 12 BusinessObjects Enterprise Administrator’s Guide Contents Importing information from Crystal Enterprise . . . . . . . . . . . . . . . . . . . . . 396 Importing objects from Crystal Enterprise . . . . . . . . . . . . . . . . . . . . . 397 Importing information from Crystal Info . . . . . . . . . . . . . . . . . . . . . . . . . . 400 Importing objects from Crystal Info . . . . . . . . . . . . . . . . . . . . . . . . . . 400 Importing with the Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 Specifying the source and destination environments . . . . . . . . . . . . . 402 Selecting information to import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405 Importing objects with rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 Choosing an import scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 Importing specific objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Finalizing the import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Chapter 17 Managing Objects 415 Managing objects overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 General object management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 Copying, moving, or creating a shortcut for an object . . . . . . . . . . . . 417 Deleting an object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Searching for an object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Sending an object or instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 Changing properties of an object . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 Assigning an object to categories . . . . . . . . . . . . . . . . . . . . . . . . . . . 424 Report object management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 What are report objects and instances? . . . . . . . . . . . . . . . . . . . . . . 425 Setting report refresh options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426 Viewing the universes for a Web Intelligence document . . . . . . . . . . 427 Setting report processing options . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 Applying processing extensions to reports . . . . . . . . . . . . . . . . . . . . 443 Working with hyperlinked reports . . . . . . . . . . . . . . . . . . . . . . . . . . . 447 Program object management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 What are program objects and instances? . . . . . . . . . . . . . . . . . . . . 451 Setting program processing options . . . . . . . . . . . . . . . . . . . . . . . . . 453 Object package management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 What are object packages, components, and instances? . . . . . . . . . 460 BusinessObjects Enterprise Administrator’s Guide 13 Contents Creating an object package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 Adding objects to an object package . . . . . . . . . . . . . . . . . . . . . . . . . 461 Configuring object packages and their objects . . . . . . . . . . . . . . . . . . 462 Authentication and object packages . . . . . . . . . . . . . . . . . . . . . . . . . . 463 Chapter 18 Scheduling Objects 465 Scheduling objects overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 Scheduling objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 About the scheduling options and parameters . . . . . . . . . . . . . . . . . . 468 Scheduling objects using object packages . . . . . . . . . . . . . . . . . . . . . 471 Scheduling an object with events . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473 Setting the scheduling options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 Setting notification for an object’s success or failure . . . . . . . . . . . . . 476 Specifying alert notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 Selecting a destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 Choosing a format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Selecting cache options for Web Intelligence documents . . . . . . . . . . 493 Scheduling an object for a user or group . . . . . . . . . . . . . . . . . . . . . . 493 Managing instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495 Managing and viewing the history of instances . . . . . . . . . . . . . . . . . . 495 Setting instance limits for an object . . . . . . . . . . . . . . . . . . . . . . . . . . . 498 Chapter 19 Managing Calendars 501 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502 Creating calendars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502 Adding dates to a calendar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503 Deleting calendars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507 Specifying calendar rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508 Chapter 20 Managing Events 509 Managing events overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510 File-based events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511 Schedule-based events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512 Custom events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514 14 BusinessObjects Enterprise Administrator’s Guide Contents Specifying event rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515 Chapter 21 General Troubleshooting 517 Troubleshooting overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518 Documentation resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519 Web accessibility issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519 Using an IIS web site other than the default . . . . . . . . . . . . . . . . . . . 519 Unable to connect to CMS when logging on to the CMC . . . . . . . . . . 520 Windows NT authentication cannot log you on . . . . . . . . . . . . . . . . . 520 Report viewing and processing issues . . . . . . . . . . . . . . . . . . . . . . . . . . . 521 Troubleshooting reports with Crystal Reports . . . . . . . . . . . . . . . . . . 521 Troubleshooting reports and looping database logon prompts . . . . . 523 Ensuring that server resources are available on local drives . . . . . . . 526 Page Server error when viewing a report . . . . . . . . . . . . . . . . . . . . . 527 InfoView considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 Supporting users in multiple time zones . . . . . . . . . . . . . . . . . . . . . . 527 Setting default report destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 Chapter 22 Licensing Information 529 Licensing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530 Accessing license information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531 Adding a license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532 Viewing current account activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532 Appendix A From BusinessObjects 6.x to BusinessObjects XI 535 Product offering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537 BusinessObjects 6.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537 BusinessObjects XI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538 Basic terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542 Migration and mapping of specific objects . . . . . . . . . . . . . . . . . . . . . 542 Migration of user rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545 BusinessObjects Enterprise Administrator’s Guide 15 Contents Installation, configuration, and deployment . . . . . . . . . . . . . . . . . . . . . . . . 547 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551 Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554 Reporting, analysis, information sharing . . . . . . . . . . . . . . . . . . . . . . . . . . 558 SDK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562 Appendix B Rights and Access Levels 563 Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564 Access levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565 No Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565 View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565 View On Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566 Full Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567 Default rights on the top-level folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567 Object rights for the Report Application Server . . . . . . . . . . . . . . . . . . . . . 568 Appendix C Configuring NTFS Permissions 569 Configuring NTFS permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 Configuring NTFS permissions for BusinessObjects Enterprise components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 Appendix D Customizing the appearance of Web Intelligence documents 575 Customizing the appearance of Web Intelligence documents . . . . . . . . . 576 What you can do with the defaultconfig.xml file . . . . . . . . . . . . . . . . . 577 Locating and modifying defaultconfig.xml . . . . . . . . . . . . . . . . . . . . . . 578 List of key values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580 Example: Modifying the default font in table cells . . . . . . . . . . . . . . . . 581 Appendix E Server Command Lines 583 Command lines overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584 Standard options for all servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585 Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586 Page Server and Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588 Job servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590 16 BusinessObjects Enterprise Administrator’s Guide Contents Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593 Input and Output File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . 594 Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595 Appendix F UNIX Tools 597 UNIX tools overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598 Script utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598 ccm.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598 cmsdbsetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601 configpatch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601 serverconfig.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602 sockssetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603 uninstallBOBJE.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604 Script templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604 startservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 stopservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 silentinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 Scripts used by BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . . 606 bobjerestart.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606 env.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606 env-locale.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606 initlaunch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606 patchlevel.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607 postinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607 setup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607 setupinit.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607 Appendix G International Deployments 609 International deployments overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610 Deploying BusinessObjects Enterprise internationally . . . . . . . . . . . . . . . 610 Planning an international BusinessObjects Enterprise deployment . . 611 Providing a client tier for multiple languages . . . . . . . . . . . . . . . . . . . 613 BusinessObjects Enterprise Administrator’s Guide 17 Contents Appendix H Creating Accessible Reports 615 About accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616 Benefits of accessible reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616 About the accessibility guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617 Accessibility and Business Objects products . . . . . . . . . . . . . . . . . . . 618 Improving report accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619 Placing objects in reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619 Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621 Color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625 Navigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626 Parameter fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627 Designing for flexibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628 Accessibility and conditional formatting . . . . . . . . . . . . . . . . . . . . . . . 629 Accessibility and suppressing sections . . . . . . . . . . . . . . . . . . . . . . . . 630 Accessibility and subreports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631 Improving data table accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631 Text objects and data table values . . . . . . . . . . . . . . . . . . . . . . . . . . . 632 Other data table design considerations . . . . . . . . . . . . . . . . . . . . . . . . 636 Accessibility and BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . . 637 Setting accessible preferences for BusinessObjects Enterprise . . . . . 637 Accessibility and customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638 Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640 Appendix I Business Objects Information Resources 641 Documentation and information services . . . . . . . . . . . . . . . . . . . . . . . . . 642 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642 What’s in the documentation set? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642 Where is the documentation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642 Send us your feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643 Customer support, consulting and training . . . . . . . . . . . . . . . . . . . . . . . . 643 How can we support you? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643 Looking for the best deployment solution for your company? . . . . . . . 644 Looking for training options? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 18 BusinessObjects Enterprise Administrator’s Guide Contents Useful addresses at a glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 Index 647 BusinessObjects Enterprise Administrator’s Guide 19 Contents 20 BusinessObjects Enterprise Administrator’s Guide Introduction to BusinessObjects Enterprise XI Administrator’s Guide chapter Contents About this guide This guide provides you with information and procedures covering a wide range of administrative tasks. Procedures are provided for common tasks. Conceptual information and technical details are provided for all advanced topics. BusinessObjects Enterprise is a flexible, scalable, and reliable solution for delivering powerful, interactive reports to end users via any web application— intranet, extranet, Internet or corporate portal. Whether it is used for distributing weekly sales reports, providing customers with personalized service offerings, or integrating critical information into corporate portals, BusinessObjects Enterprise delivers tangible benefits that extend across and beyond the organization. As an integrated suite for reporting, analysis, and information delivery, BusinessObjects Enterprise provides a solution for increasing enduser productivity and reducing administrative efforts. Who should use this guide? This guide is intended for system administrators who are responsible for configuring, managing, and maintaining a BusinessObjects Enterprise installation. Familiarity with your operating system and your network environment is certainly beneficial, as is a general understanding of web server management and scripting technologies. However, in catering to all levels of administrative experience, this guide aims to provide sufficient background and conceptual information to clarify all administrative tasks and features. For more information about the product, consult the BusinessObjects Enterprise Getting Started Guide, the BusinessObjects Enterprise Installation Guide, and the BusinessObjects Enterprise User’s Guide. Online versions of these guides are included in the doc directory of your product distribution. Once you install BusinessObjects Enterprise, they are also accessible from the BusinessObjects Enterprise Launchpad. Business Objects information resources For more information and assistance, see Appendix I: Business Objects Information Resources. This appendix describes the Business Objects documentation, customer support, training, and consulting services, with links to online resources. 22 BusinessObjects Enterprise Administrator’s Guide Contents BusinessObjects Enterprise Administrator’s Guide 23 Contents 24 BusinessObjects Enterprise Administrator’s Guide What’s New in BusinessObjects Enterprise chapter 2 What’s New in BusinessObjects Enterprise Welcome to BusinessObjects Enterprise XI Welcome to BusinessObjects Enterprise XI BusinessObjects Enterprise XI is the business intelligence platform that supports the entire range of reporting, querying, and analysis. It also provides platform-level support for semantic layers, data integration, and security. BusinessObjects Enterprise provides full web-based administration and configuration of the entire system. This release extends the robust information infrastructure provided by earlier versions of BusinessObjects Enterprise and Crystal Enterprise. BusinessObjects Enterprise XI brings together features from across the Business Objects product line to meet the diverse needs of users, from presentation-quality reporting to in-depth data analysis. This version includes a variety of major enhancements spread across our data access methods, administration capabilities, and report design options. This chapter provides an overview of the new features and enhancements available in this version of BusinessObjects Enterprise. About this version BusinessObjects Enterprise provides an industry-standard, proven architecture based largely on an enhanced version of the Crystal Enterprise architecture, supplemented by powerful query and analysis, and data integration capabilities from the Business Objects product line. BusinessObjects Enterprise is designed to integrate seamlessly with existing data, web, and application investments without imposing a new set of standards and processes. Thanks to the extensive upgrade and content migration support provided in BusinessObjects Enterprise XI, existing customers can leverage their current investments in Business Objects and Crystal technology. Supported products All Business Objects products are now available under the same platform. BusinessObjects Enterprise XI provides full support for the management, security, delivery, and interaction for the following products and versions: • • • • Crystal Reports XI BusinessObjects Web Intelligence XI BusinessObjects OLAP Intelligence XI BusinessObjects Data Integrator XI 26 BusinessObjects Enterprise Administrator’s Guide What’s New in BusinessObjects Enterprise New features 2 For information about these products, consult the documentation provided with each component. BusinessObjects Enterprise XI also supports the following add-in components: • BusinessObjects Enterprise Live Office XI Use Live Office to embed your business intelligence data into Word documents, Excel spreadsheets, and PowerPoint presentations. Then you can share the resulting Office documents securely using BusinessObjects Enterprise. By taking advantage of the security and management features of BusinessObjects Enterprise, you can manage your Office documents the same way you manage your business intelligence documents. New features BusinessObjects Enterprise XI represents the full integration of traditional Business Objects and Crystal products, combining the best features of each product line. Whether you have an existing BusinessObjects Enterprise system or a Crystal Enterprise system, you will notice a wide range of new features in BusinessObjects Enterprise XI. End-user experience BusinessObjects Enterprise XI provides a significantly enhanced user experience for all customers. Categories If you are upgrading or migrating from an existing Crystal Enterprise deployment, you will notice the addition of categories to BusinessObjects Enterprise XI. If you’re migrating from BusinessObjects Enterprise 6.5, you can import your existing categories with the Import Wizard. Folders and categories work together to provide strong navigation capabilities. Folders are used as a location to store documents. Complimentary to folders, categories are used for classifying documents in BusinessObjects Enterprise. Categories provide an effective way of classifying documents that makes it easier for users to organize documents. The categorization of documents enables users to locate information more easily regardless of where it is stored within the system. Users can classify documents by using categories created by themselves and by others. By creating a combination of folders and categories, and setting appropriate rights for them, you can organize documents according to multiple criteria and improve both security and navigation. BusinessObjects Enterprise Administrator’s Guide 27 2 What’s New in BusinessObjects Enterprise New features For example, if you currently organize your files into departmental folders, you could use categories to create an alternate filing system that divides content according to different roles in your organization, such as managers or VPs. You can associate documents with multiple categories, and you can create subcategories within categories. Discussions Discussions provide threaded notes on all documents within BusinessObjects XI, allowing users to add comments to documents in BusinessObjects Enterprise. In BusinessObjects Enterprise XI, you can add discussions to any document in the system either by selecting it from the document list or while the user is viewing the document. By adding discussions to documents, you can share knowledge about the information in the documents. You can grant other users access to the threaded discussions to allow new users to keep track of historical comments added to the documents. InfoView BusinessObjects Enterprise XI introduces a new InfoView, a completely updated business intelligence portal. InfoView has been designed to allow users to do most tasks within the BI environment without the need of IT intervention. Users familiar with previous versions of InfoView or ePortfolio will see that old features have been fully updated and improved. New features allow users to be even more productive. Through extensive testing and design, the new look and feel is designed for intuitive user interaction, combined with comprehensive support for the entire product line. From a single web environment, users can view, create, and interact with information. InfoView is available as a .NET (ASPX) version or a J2EE version (JSP). The delivery of both .NET and J2EE versions gives the customer the flexibility of deploying InfoView in their established environment. Publishing In BusinessObjects Enterprise 6 systems, the term publishing is related to sending a document to multiple users containing different information depending on the user rights. This functionality, traditionally provided by the Broadcast Agent Publisher and is now part of BusinessObjects Enterprise XI itself. The important features provided by the Broadcast Agent Publisher are provided in BusinessObjects Enterprise XI, including scheduling to different formats, and scheduling directly to email or printers. For more information on migrating documents, see the BusinessObjects Enterprise Installation Guide. 28 BusinessObjects Enterprise Administrator’s Guide What’s New in BusinessObjects Enterprise New features 2 Scheduling BusinessObjects Enterprise XI provides scheduling capabilities for both Crystal reports and Web Intelligence documents. If you are migrating from an existing BusinessObjects Enterprise 6.x deployment, note that the Broadcast Agent Scheduler is no longer required. You will also notice that scheduling is more integrated in Business Objects XI and includes new features such as business calendars. BusinessObjects Enterprise XI also provides the ability to schedule documents on behalf of others. This secure mechanism allows a single report to serve the needs of multiple users by delivering only the specific subsets of information to each user according to their security profile. Unlike other techniques that require special programming efforts, this solution is more manageable and can be applied to all documents designed from secured Universes or Business Views. Report design BusinessObjects XI includes Crystal Reports, the leading report design tool in the market. Crystal ReportsXI provides improved report design, usability, and processing, including significant enhancements to parameters to allow for the dynamic generation of lists of values. Semantic Layer BusinessObjects Enterprise XI includes both Universes and Business Views, to help make the report design process even simpler. Universes Universes are patented Business Objects technology. They act as a semantic layer between the user and a database. All universe objects and their associated connections are stored and secured in the repository of BusinessObjects Enterprise XI itself. If you’re migrating from an existing BusinessObjects Enterprise deployment, you can use Import Wizard to import your existing universes and their connection objects. Business Views Business Views is a flexible and reliable multi-tier system that enables companies to build detailed and specific Business Views objects that help report designers and end users access the information they require. Note: Business Views can be used only by Crystal Reports, while Universes are accessible by both Crystal Reports as well as Web Intelligence. BusinessObjects Enterprise Administrator’s Guide 29 2 What’s New in BusinessObjects Enterprise New features Dynamic prompts and cascading lists of values Dynamic prompts and cascading lists are now available in Crystal Reports, allowing prompt values to be populated from values in a database. Prompts can be arranged in a cascade, where one value in a prompt constrains values in subsequent picklists. Report designers no longer need to maintain static prompt lists in individual reports. A single prompt definition can be stored in the repository and shared among multiple reports, improving both runtime scalability and design time productivity. Developer flexibility BusinessObjects Enterprise development tools BusinessObjects Enterprise provides SDKs for enterprise application developers to build application and portal integration on top of the platform. Recognizing the need for comprehensive support for different development environments, BusinessObjects Enterprise XI provides extensive .NET and Java SDKs. Note: BusinessObjects Enterprise also continues to support existing development in COM, although we recommend migrating to .NET or Java. BusinessObjects Enterprise XI includes an enhanced version of the Unified Web Services provided with the BusinessObjects Crystal Integration Pack. Unified Web Services includes server components (the providers) and both .NET and Java APIs that are used to write applications that consume the provided web services. The consumers simplify application development. Web Services The integration pack Web Services have been updated to support the new BusinessObjects XI platform features: • • • The Web Intelligence documents are served by the BusinessObjects XI Web Intelligence report engine. The LDAP authentication is natively supported. Web Farm is support. As in the integration pack, the BusinessObjects XI Web Services deliver a Session service (Session management, authentication, and so on), a BICatalog service (InfoObject list, category management, and so on), and a ReportEngine service (Crystal Reports and Web Intelligence document viewing including prompt and drill management). 30 BusinessObjects Enterprise Administrator’s Guide What’s New in BusinessObjects Enterprise New features 2 BusinessObjects Enterprise SDK BusinessObjects Enterprise SDK has been enhanced to include: • • • • JavaServer Faces for BusinessObjects Enterprise XI. Support for Web Intelligence, Inbox, Categories, Universes. Java and Web Farms support. Improved query language. System administration BusinessObjects Enterprise provides an efficient and scalable architecture for processing, managing, and delivering information to your users. Management The Central Management Console provides users with a centralized point for administering a variety of details including scheduling, security, and auditing. Architecture If you are upgrading from an existing BusinessObjects Enterprise 6.5 system, you will notice key differences in the architecture of BusinessObjects Enterprise XI. BusinessObjects Enterprise XI is built on a component- or services-based architecture. As a services-oriented architecture, it provides better flexibility, scalability, fault tolerance, and extensibility. BusinessObjects Enterprise XI inherits most of the new platform services from the proven Crystal Enterprise architecture, widely recognized as a highly scalable, reliable, and powerful platform by customers and industry experts alike. The service-oriented platform allows current Business Objects products such as Web Intelligence to plug directly into the framework without requiring extensive configuration. Enhanced Page Server One of the many improvements in BusinessObjects Enterprise XI is the enhanced Page Server. The Page Server has the ability to grow and create sub processes as required, offering dynamic growth, improved reliability, and the smart use of resources. This leads to an increase in efficiency and performance. Auditing Instead of using a separate auditing component, BusinessObjects Enterprise XI features built-in auditing features. BusinessObjects Enterprise Administrator’s Guide 31 2 What’s New in BusinessObjects Enterprise New features The auditing functionality of BusinessObjects Enterprise XI focuses on enabling administrators to gain a better understanding of the users accessing the system and the documents they are interacting with. The auditing functionality within BusinessObjects Enterprise has been implemented with the concept of a central auditor and individual server auditees, The auditor role is fulfilled by the Central Management Server (CMS), while individual services with auditing functionality are considered the auditees. This means that the overall system, as well as the individual services, can be audited depending on the level of detail required. The CMS collects and collates the auditing data from the system interactions and writes the information into the auditing database. You can then create reports based on this auditing data. There is no migration or integration of the BusinessObjects Auditor product. For more information on auditing, see the auditing chapter of the BusinessObjects Enterprise Administrator’s Guide. Fault tolerance BusinessObjects Enterprise provides fail-over at the system management level (for scheduling, security, and authentication, for example). The system also provides full support for replication of all server components. Redundant components automatically take over the load if the system encounters a hardware failure or excessive wait times. BusinessObjects Enterprise XI includes enhanced support for session-level failover. If a processing service fails, another service identifies the failure and continues the processing. The enhanced fault tolerance ensures seamless reporting and query analysis for your users. Load balancing Intelligent load balancing algorithms eliminate bottlenecks and maximize hardware efficiency. In a multi-server environment, you need to balance the load across multiple machines, in order to enhance scalability and maintain efficient server performance. BusinessObjects Enterprise XI includes built-in load balancing across all system management and report processing functions. It applies a mixture of active and passive approaches to maximize server availability and minimize response time for your users. Security BusinessObjects Enterprise XI provides all of the existing security features currently supported in Crystal Enterprise. User, group, and object level security is controlled using Access Control Lists (ACL), an industry standard 32 BusinessObjects Enterprise Administrator’s Guide What’s New in BusinessObjects Enterprise New features 2 method for controlling cascading security access. Security can be applied at the object level to all documents, categories, connections, universes, and universe restriction sets. The Central Management Console is a centralized management tool that can be used to administer security. For details on how rights are mapped, please see the BusinessObjects Enterprise XI Installation Guide. Business Objects XI now provides single sign-on with Active Directory authentication using the Kerberos protocol. By combining single sign-on and report viewing, you can provide end-to-end single sign-on, which allows a user’s security context to be retrieved from the host operating system and be used to access BusinessObjects Enterprise and the underlying databases for the reports and documents in the system. These capabilities require the system to run all components on the Windows operating system and for the users to use Internet Explorer with Active Directory authentication. Please see platforms.txt for more information on supported platforms. Business Objects XI has introduced single sign-on for LDAP authentication. When LDAP authentication is enabled, the administrator has the option to use Siteminder as an external system for authentication providing single sign-on capabilities to BusinessObjects Enterprise. Also, you can now configure your deployment to use the Secure Sockets Layer (SSL) protocol for all network communication between your BusinessObjects Enterprise XI servers. Migration An administrator will be able to create users and groups, and import users and groups from existing BusinessObjects Enterprise and Crystal Enterprise deployments into BusinessObjects Enterprise XI using the Import Wizard. The Import Wizard maps most security rights from current systems directly to new users and groups in BusinessObjects Enterprise XI. For details on how rights are mapped or for more information on the Import Wizard, please see the BusinessObjects Enterprise XI Installation Guide. BusinessObjects Enterprise Administrator’s Guide 33 2 What’s New in BusinessObjects Enterprise New features 34 BusinessObjects Enterprise Administrator’s Guide Administering BusinessObjects Enterprise chapter 3 Administering BusinessObjects Enterprise Administration overview Administration overview The regular administrative tasks associated with BusinessObjects Enterprise can be roughly divided into three major categories: user management, content management, and server management. The remainder of this guide provides technical and procedural information corresponding to each of these management categories. This chapter briefly introduces new BusinessObjects Enterprise administrators to some of the available management tools. It also shows you how to make initial security settings, such as setting the password for the system’s default Administrator account. You will typically use the following applications to manage BusinessObjects Enterprise: • Central Management Console (CMC) This web application is the most powerful administrative tool provided for managing a BusinessObjects Enterprise system. It offers you a single interface through which you can perform almost every task related to user management, content management, and server management. For an introduction to the CMC, see “Central Management Console” on page 37. • Central Configuration Manager (CCM) This server administration tool is provided in two forms. In a Windows environment, the CCM allows you to manage local and remote servers through its Graphical User Interface (GUI) or from a command line. In a UNIX environment, the CCM shell script (ccm.sh) allows you to manage servers from a command line. For an introduction to the CCM, see “Using the Central Configuration Manager” on page 42. • Publishing Wizard This application allows you to publish your reporting content to BusinessObjects Enterprise quickly. It also allows you to specify a number of options on each report that you publish. Although this application runs only on Windows, you can use it to publish reports to BusinessObjects Enterprise servers that are running on Windows or on UNIX. For more information on publishing content to BusinessObjects Enterprise, see “Publishing overview” on page 374. 36 BusinessObjects Enterprise Administrator’s Guide Administering BusinessObjects Enterprise Central Management Console 3 Central Management Console You will use the Central Management Console (CMC) extensively to manage your BusinessObjects Enterprise system. This tool allows you to perform user management tasks such as setting up authentication and adding users and groups. And it allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Additionally, the CMC enables you to manage servers and create server groups. Because the CMC is a webbased application, you can perform all of these administrative tasks remotely. Any user with valid credentials to BusinessObjects Enterprise can log on to the CMC and set his or her preferences. However, users who are not members of the Administrators group cannot perform any of the available management tasks unless they have been granted rights to do so. For complete details about object rights, see “Controlling User Access” on page 315. Logging on to the Central Management Console There are two ways to access the CMC: type the name of the machine you are accessing directly into your browser, or select BusinessObjects Enterprise Administration Launchpad from the program group on the Windows Start menu. 1. To log on to the CMC Go to the following page: http://webserver/businessobjects/Enterprise11/WebTools/ adminlaunch/default.aspx Replace webserver with the name of the web server machine. If you changed this default virtual directory on the web server, you will need to type your URL accordingly. Tip: On Windows, you can click Start > Programs > BusinessObjects XI> BusinessObjects Enterprise > BusinessObjects Enterprise .NET Administration Launchpad (or Java Administration Launchpad). 2. 3. Click Central Management Console. Type your User Name and Password. For this example, type Administrator as the User Name. This default Enterprise account does not have a password until you create one. For details, see “Setting the Administrator password” on page 44. If you’re using LDAP or Windows NT authentication, you may log on using an account that has been mapped to the BusinessObjects Enterprise Administrators group. 4. Select Enterprise in the Authentication Type list. BusinessObjects Enterprise Administrator’s Guide 37 3 Administering BusinessObjects Enterprise Central Management Console Windows AD, Windows NT and LDAP authentication also appear in the list; however, you must map your third-party user accounts and groups to BusinessObjects Enterprise before you can use these types of authentication. 5. Click Log On. The CMC Home page appears. Navigating within the Central Management Console Because the CMC is a web-based application, you can navigate through its areas and pages in a number of ways: • • Click the links or icons on the Home page to go to specific “management areas.” Select the same “management areas” from the drop-down list in the title area of the window. Click Go if your browser doesn’t take you directly to the new page. Once you leave the Home page, your location within the CMC is indicated by a path that appears above the title of each page. For example, Home > Users > New User indicates that you’re on the New User page. You can click the hyperlinked portions of the path to jump quickly to different parts of the application. In this example, you could click Home or Users to go to the corresponding page. Setting console preferences The Preferences area of the CMC allows you to customize your administrative view of BusinessObjects Enterprise. 1. 2. 3. To set the console preference Log on to the CMC and click the Preferences button in the upper-right corner of the CMC. Set the preference as required. See “CMC preferences” on page 39. Click OK. 38 BusinessObjects Enterprise Administrator’s Guide Administering BusinessObjects Enterprise Central Management Console 3 CMC preferences Viewer This list sets the default report viewer that is loaded when you view a report in the CMC. To set the available and default viewers for all users, see “Configuring the processing tier” on page 115. Maximum number of objects per page This option limits the number of objects listed on any page or tab in the CMC. Note: This setting does not limit the number of objects displayed, simply the number displayed per page. For details about limiting the number of objects displayed on a page or in a search, see “Setting the Query size threshold” on page 40. Maximum number of characters for each page index When a list of objects spans multiple pages, the full list is sorted alphanumerically and indexed before being subdivided. At the top of every page, hyperlinks are displayed as an index to each of the remaining pages. This setting determines the number of characters that are included in each hyperlink. In this example, the maximum number of characters is set to 3, so threecharacter hyperlinks are used to index the report objects on each page. Note: To specify an unlimited maximum number of characters, select the Unlimited check box. Measuring units for report page layout Specify inches or millimeters as the measuring units used by default when you customize a report’s page layout on the report object’s Print Setup tab. Time zone If you are managing BusinessObjects Enterprise remotely, use this list to specify your time zone. BusinessObjects Enterprise synchronizes scheduling patterns and events appropriately. For instance, if you select Eastern Time BusinessObjects Enterprise Administrator’s Guide 39 3 Administering BusinessObjects Enterprise Central Management Console (US & Canada), and you schedule a report to run at 5:00 a.m. every day on a server that is located in San Francisco, then the server will run the report at 2:00 a.m. Pacific Time. For more information about time zones, see “Supporting users in multiple time zones” on page 527. My Password Click the Change Password link to change the password for the account under which you are currently logged on. Setting the Query size threshold By default, when you go to the Objects, Folders, Groups, or Users management areas of the CMC, a list of objects in that management area is displayed. Because BusinessObjects Enterprise loads each of the objects in the list, if you have numerous objects this can heavily tax your system resources. You can modify the number of objects displayed by setting the Query size threshold in the Business Objects Applications management area of the CMC. By default the Query size threshold value is 500. This means that BusinessObjects Enterprise prompts users to use the search function of the CMC if the return size exceeds 500 objects. Modify this value to specify the maximum number of objects that displayed on the initial pages of the Objects, Folders, Groups, and Users management areas of the CMC and when displaying search results in these management areas. 1. 2. To set the Query size threshold Go to the BusinessObjects Enterprise Applications management area of the CMC. Click the BusinessObjects Enterprise Central Management Console link. 40 BusinessObjects Enterprise Administrator’s Guide Administering BusinessObjects Enterprise Central Management Console 3 The Query size threshold page appears. 3. In the Prompt for search if the return size exceeds field, type the maximum number of objects you want to be returned in searches and on the initial pages of the Objects, Folders, Groups, and Users management areas. In the CMC Access URL field, type the URL for the CMC. Specifying the URL here allows Crystal Reports to get this URL from the CMS in order to call pages in the CMC. It needs to call these pages in order to support the previewing of reports and to enable administration tasks to be performed from Crystal Reports. 4. 5. Click Update. Note: To modify the number of objects displayed on a page (rather than the total number of objects displayed), see “Setting console preferences” on page 38. Logging off of the Central Management Console When you have finished using the CMC, end the session by logging off. The Logoff button is located in the upper-right corner of the console. BusinessObjects Enterprise Administrator’s Guide 41 3 Administering BusinessObjects Enterprise Using the Central Configuration Manager Using the Central Configuration Manager The Central Configuration Manager (CCM) is a server-management tool that allows you to configure each of your BusinessObjects Enterprise server components. This tool allows you to start, stop, enable, and disable servers. It also allows you to view and to configure advanced server settings such as default port numbers, CMS database and clustering details, SOCKS server connections, and more. To access the CCM, see: • “Accessing the CCM for Windows” on page 42 Accessing the CCM for Windows From a Windows machine, use the CCM to manage BusinessObjects Enterprise server components that are running locally or on a remote Windows machine. To run the CCM, you must have NT administrator rights on the local machine. If you are managing servers on a remote machine, you must also have NT administrator rights on the machine you are connecting to. Depending on the configuration of your network, you might be prompted to enter a user name and password. To start the CCM From the BusinessObjects Enterprise program group, click Central Configuration Manager. The servers that are available on the local machine appear in the list. A status icon is displayed for each server: • • • A green arrow indicates the server is running. A yellow arrow indicates the server is starting. A red arrow indicates the server is not running. Note: The status icons do not indicate whether servers are enabled or disabled. Servers must be enabled before they will respond to BusinessObjects Enterprise requests. Click Enable/Disable on the toolbar to log on and enable or disable servers. For details, see “Enabling and disabling servers” on page 85. 1. To connect to servers on a remote machine Once you have started the CCM, you can connect to a remote machine in several ways: • In the Computer Name field, type the name of the machine you want to connect to; then press Enter. 42 BusinessObjects Enterprise Administrator’s Guide Administering BusinessObjects Enterprise Making initial security settings 3 • • 2. In the Computer Name field, select a remote machine from the list. On the toolbar, click Browse. Select the appropriate computer; then click OK. If prompted, log on to the remote machine with an account holding administrative rights. Note: You may need to type your user name as domain\username. The CCM lists the servers associated with this machine. Accessing the CCM for UNIX Run the CCM on your UNIX server to manage BusinessObjects Enterprise server components that are running on that machine. You can run the CCM remotely through a telnet session or locally through a terminal window. To run the CCM, you must have execute permissions on the ccm.sh script and on its parent Business Objects directory. 1. To run the CCM Go to the Business Objects directory that was created by the BusinessObjects Enterprise installation: cd INSTALL_ROOT/bobje 2. Run ccm.sh with command-line options to manage one or more servers. For instance, the following set of commands starts the BusinessObjects Enterprise servers and enables each server on its default port: ./ccm.sh -start all ./ccm.sh -enable all Note: The main options for the CCM are covered in more detail in “UNIX Tools” on page 597. To view additional help on ccm.sh The ccm.sh script also provides a detailed description of its command-line options. To see the command-line help, issue the following command: ./ccm.sh -help | more Making initial security settings To ensure system security, you may want to configure the following security settings before you publish content or provide users with access to BusinessObjects Enterprise: • • “Setting the Administrator password” on page 44 “Disabling the Guest account” on page 44 BusinessObjects Enterprise Administrator’s Guide 43 3 Administering BusinessObjects Enterprise Making initial security settings • • • • “Modifying the default security levels” on page 45 Chapter 11: BusinessObjects Enterprise Security Concepts “Available authentication types” on page 252 “Controlling User Access” on page 315 For additional security information, you may also want to refer to: Setting the Administrator password As part of the installation, BusinessObjects Enterprise creates an Administrator account and a Guest account that do not have passwords. Log on to the Central Management Console (CMC) with the Administrator account and use the following procedure to create a secure password for the Administrator account. Note: Do not create a password for the Guest account if you plan to use the anonymous single sign-on or the Sign Up features available in BusinessObjects Enterprise. To disable these features, see “Disabling the Guest account” on page 44. 1. 2. 3. 4. 5. To change the Administrator password Go to the Users management area of the CMC. Click the link for the Administrator account. In the Enterprise Password Settings area, enter and confirm the new password. If it is selected, clear the “User must change password at next logon” check box. Click Update. Disabling the Guest account By disabling the Guest account, you ensure that no one can log on to BusinessObjects Enterprise with this account. In doing so, you also disable the anonymous single sign-on functionality of BusinessObjects Enterprise, so users will be unable to access InfoView without providing a valid user name and password. 1. 2. 3. To disable the Guest account Go to the Users management area of the CMC. In the Account Name column, click Guest. On the Properties tab, select the Account is disabled check box. 44 BusinessObjects Enterprise Administrator’s Guide Administering BusinessObjects Enterprise Managing universes 3 4. 5. Click Update. If you are prompted for confirmation, click OK. For more information about user accounts, see “Managing Enterprise and general accounts” on page 253. Modifying the default security levels This procedure shows where you can modify the default object rights that users are granted to the top-level BusinessObjects Enterprise folder. Initially, the Everyone group is granted Schedule access to the top-level folder, and the Administrators group is granted Full Control. You can change these default security levels to suit your needs. For a full description of object rights and inheritance patterns, see “Controlling users’ access to objects” on page 317. 1. 2. 3. To modify top-level security settings Go to the Settings management area of the CMC. Click the Rights tab. As required, change the entry in the Access Level list for each user or group that is displayed. For detailed information, see “Controlling users’ access to objects” on page 317. 4. 5. Click Update. Click Add/Remove to grant different levels of security to additional users or groups. Managing universes Web Intelligence users connect to a universe, and run queries against a database. They can do data analysis and create reports using the objects in a universe, without seeing, or having to know anything about, the underlying data structures in the database. You create a universe by using the Designer. For complete information, see the Designer’s Guide. Using CMC, you can view and delete universes. You can also control who has access rights to a universe. See “Controlling access to universes” on page 354. 1. To view a universe Go to the Universes management area of the CMC. BusinessObjects Enterprise Administrator’s Guide 45 3 Administering BusinessObjects Enterprise Managing universe connections The Universes page appears. 2. Click the link for the universe you want to view. The properties page for the universe appears. 1. 2. 3. To delete a universe Go to the Universes management area of the CMC. The Universes page appears. Select the universe you want to delete. Click Delete. Managing universe connections A connection is a named set of parameters that defines how a BusinessObjects application accesses data in a database file. A connection links Web Intelligence to your middleware. You must have a connection to access data. You must select or create a connection when you create a universe. For complete information, see the Designer’s Guide. Using CMC, you can view and delete connections. You can also control who has access rights to a connection. See “Controlling access to universe connections” on page 355. 1. 2. To view connections Go to the Universe Connections management area of the CMC. The Connections page appears. Click the link for the connection you want to view. The properties page for the connection appears. 1. 2. 3. To delete a universe connection Go to the Universe Connections management area of the CMC. The Universe Connections page appears. Select the connection you want to delete. Click Delete. 46 BusinessObjects Enterprise Administrator’s Guide Administering BusinessObjects Enterprise Managing InfoView 3 Managing InfoView You can use the Business Objects Applications area of the Central Management Console to make minor changes to the appearance and functionality of InfoView, without doing any programming. You can also configure settings that control which viewers are available to users. When users view a report using the Advanced DHTML viewer, the report is processed by the Report Application Server. If you are using the Java version of InfoView and want users to be able to use the Active X or Java viewers, you must enter the context path of the Web Component Adapter. Consult the BusinessObjects Enterprise Installation Guide for more information. BusinessObjects Enterprise Administrator’s Guide 47 3 Administering BusinessObjects Enterprise Managing Web Intelligence 1. 2. 3. 4. To manage settings for InfoView Go to the BusinessObjects Enterprise Applications management area of the CMC. Click InfoView. On the Properties tab, select the options that you want. Click Update. Managing Web Intelligence For the Web Intelligence application, make sure you grant access to the “Allows interactive HTML viewing (as per license)” option in order for users to be able use the Interactive view format and use the Query HTML panel. The user can select this view format and report panel option in the Web Intelligence Document Preferences tab in InfoView. 1. 2. 3. 4. To manage settings for Web Intelligence Go to the BusinessObjects Enterprise Applications management area of the CMC. Click Web Intelligence. On the Properties tab, select the options that you want. Click Update. Managing Discussions BusinessObjects Enterprise administrators are responsible for maintaining the discussion threads and for granting the appropriate access rights to BusinessObjects Enterprise users. Managing Discussions includes the following tasks: • • • • • “Accessing the Discussions page” on page 49 “Searching for discussion threads” on page 49 “Sorting search results” on page 51 “Deleting discussion threads” on page 51 “Setting user rights” on page 51 48 BusinessObjects Enterprise Administrator’s Guide Administering BusinessObjects Enterprise Managing Discussions 3 Accessing the Discussions page 1. 2. To access the Discussions page Go to the BusinessObjects Enterprise Applications management area of the CMC. Click Discussions. The Discussions page appears. Searching for discussion threads By default, the Discussions page displays the titles of all discussion threads. Only the root level threads are displayed. Branches from the root level thread are not displayed. Use the Previous and Next buttons to page through the list of discussion threads. You can search for a specific thread or group of threads. Note: To cancel a search and reset the search values back to the default settings, click Cancel. 1. 2. To search for a discussion thread Go to the BusinessObjects Enterprise Applications management area of the CMC. Click Discussions. The Discussions page appears. BusinessObjects Enterprise Administrator’s Guide 49 3 Administering BusinessObjects Enterprise Managing Discussions 3. In the Field name list, select which of the following criteria you want to search by: • • • • 4. Thread title. Search by the title of a thread. Creation date. Search by the date the thread was created. Last modified date. Search based on the date a thread was last modified. Author. Search by the author of a specific thread. From the second list, refine your search. If you search by Thread title or Author, the second field provides you with the following options. • • • • is: The DMC searches for any discussion threads where the thread title, or the author name, exactly match the text that you type into the third field. Searches are not case sensitive. is not: The DMC searches for any discussion threads where the thread title, or the author name, do not exactly match the text that you type into the third field. contains: The DMC searches for any discussion threads that contain the search text string within any part of the thread title or the author’s name. does not contain: The DMC searches for any discussion threads that do not contain the text string within any part of the thread title. If you search by Creation date or Last modified date, there are the following options. • • • 5. before: The DMC searches for any discussion threads that were created or modified before the search date. after: The DMC searches for any discussion threads that were created or modified after the search date. between: The DMC searches for any discussion threads that were created or modified between the two search dates. Use the third field to further refine your search. If you selected a text-based search in the first two fields, type in the text string. If you selected a date-based search, enter the date or dates in the appropriate fields. 6. Click Search to display all the records that match your search criteria. 50 BusinessObjects Enterprise Administrator’s Guide Administering BusinessObjects Enterprise Managing Discussions 3 Sorting search results You can select how you want your search results to display. For example you can display them in ascending alphabetical order, and choose how many results to display per page. 1. To sort your results In the Sort by list, select which of the following criteria you want to display: • • • • 2. 3. 4. Thread title. Sort by the title of a thread. Creation date. Sort by the date the thread was created. Last modified date. Sort based on the date a thread was last modified. Author. Sort by the author of a specific thread. In the second list, select whether you want the records to be displayed in ascending or descending order. In the third category, enter how many results you want to be displayed on each page. Click Search. Deleting discussion threads You can delete any discussion thread. 1. To delete a discussion thread On the Discussions page, select which threads you want to delete in the results list. For details, see “Accessing the Discussions page” on page 49. Tip: You can use the Select All and Clear All buttons to select or clear all the threads displayed on the page. 2. Click Delete. The selected threads are deleted. Setting user rights Users of the Discussions feature must have the right to view a report in order to create a discussion thread, or add a note to a report. For more information on setting user rights to reports and report objects, see Chapter 13: Controlling User Access. BusinessObjects Enterprise Administrator’s Guide 51 3 Administering BusinessObjects Enterprise Managing Discussions 52 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture chapter 4 BusinessObjects Enterprise Architecture Architecture overview and diagram Architecture overview and diagram BusinessObjects Enterprise is a multi-tier system. Although the components are responsible for different tasks, they can be logically grouped based on the type of work they perform. If you are new to BusinessObjects Enterprise, use this chapter to gain familiarity with the BusinessObjects Enterprise framework, its components, and the general tasks that each component performs. In BusinessObjects Enterprise, there are five tiers: the client tier, the application tier, the intelligence tier, the processing tier, and the data tier. To provide flexibility, reliability, and scalability the components that make up each of these tiers can be installed on one machine, or spread across many. The following diagram illustrates how each of the components fits within the multi-tier system. Other Business Objects products, such as OLAP Intelligence and Report Application Server, plug in to the BusinessObjects Enterprise framework in various ways. This chapter describes the framework itself. Consult each product’s installation or administration guides for details about how it integrates with the BusinessObjects Enterprise framework. The “servers” run as services on Windows machines. On UNIX, the servers run as daemons. These services can be “vertically scaled” to take full advantage of the hardware that they are running on, and they can be “horizontally scaled” to take advantage of multiple computers over a network environment. This means that the services can all run on the same machine, or they can run on separate machines. The same service can also run in multiple instances on a single machine. For example, you can run the Central Management Server and the Event Server on one machine, while you run the Report Application Server on a separate machine. This configuration is called “horizontal scaling.” If the Report Application Server is running on a multi-processor computer, then you may choose to run multiple Report Application Servers on it. This configuration is called “vertical scaling.” The important thing to understand is that, even though these are called servers, they are actually services and daemons that do not need to run on separate computers. Note: BusinessObjects Enterprise Standard requires all of the components to be installed on one machine. 54 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture Architecture overview and diagram 4 The remainder of this chapter describes each tier, the key BusinessObjects Enterprise components, and their primary responsibilities: • • • • “Client tier” on page 56 “Application tier” on page 58 “Processing tier” on page 64 “Data tier” on page 68 Tip: When you are familiar with the architecture and want to customize your system configuration, see Chapter 5: Managing and Configuring Servers and Chapter 7: Scaling Your System. Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format. BusinessObjects Enterprise Administrator’s Guide 55 4 BusinessObjects Enterprise Architecture Client tier Client tier The client tier is the only part of the BusinessObjects Enterprise system that administrators and end users interact with directly. This tier is made up of the applications that enable people to administer, publish, and view reports and other objects. The client tier includes: • • • • • “InfoView” on page 56 “Central Management Console (CMC)” on page 56 “Central Configuration Manager (CCM)” on page 57 “Publishing Wizard” on page 57 “Import Wizard” on page 57 InfoView BusinessObjects Enterprise comes with InfoView, a web-based interface that end users access to view, schedule, and keep track of published reports. Each BusinessObjects Enterprise request that a user makes is directed to the BusinessObjects Enterprise application tier. The web server forwards the user request directly to an application server where the request is processed by the WCA. InfoView also serves as a demonstration of the ways in which you can use the BusinessObjects Enterprise Software Development Kit (SDK) to create a custom web application for end users. In the case of .NET, InfoView also demonstrates how you can use the BusinessObjects Enterprise .NET Server Components. For more information, see the developer documentation available on your product CD. Central Management Console (CMC) The Central Management Console (CMC) allows you to perform user management tasks such as setting up authentication and adding users and groups. It also allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Additionally, the CMC enables you to 56 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture Client tier 4 manage servers and create server groups. Because the CMC is a web-based application, you can perform all of these administrative tasks remotely. For more information, see “Central Management Console (CMC)” on page 56. The CMC also serves as a demonstration of the ways in which you can use the administrative objects and libraries in the BusinessObjects Enterprise SDK to create custom web applications for administering BusinessObjects Enterprise. For more information, see the developer documentation available on your product CD. Central Configuration Manager (CCM) The Central Configuration Manager (CCM) is a server-management tool that allows you to configure each of your BusinessObjects Enterprise server components. This tool allows you to start, stop, enable, and disable servers, and it allows you to view and to configure advanced server settings. On Windows, these settings include default port numbers, CMS database and clustering details, SOCKS server connections, and more. In addition, on Windows the CCM allows you to add or remove servers from your BusinessObjects Enterprise system. On UNIX, some of these functions are performed using other tools. For more information, see “Using the Central Configuration Manager” on page 42 and Chapter 5: Managing and Configuring Servers. Publishing Wizard The Publishing Wizard is a locally installed Windows application that enables both administrators and end users to add reports to BusinessObjects Enterprise. By assigning object rights to BusinessObjects Enterprise folders, you control who can publish reports and where they can publish them to. For more information, see “Publishing overview” on page 374 and “Controlling users’ access to objects” on page 317. The Publishing Wizard publishes reports from a Windows machine to BusinessObjects Enterprise servers running on Windows or on UNIX. Import Wizard The Import Wizard is a locally installed Windows application that guides administrators through the process of importing users, groups, reports, and folders from an existing BusinessObjects Enterprise, Crystal Enterprise, or Crystal Info implementation to BusinessObjects Enterprise. For more information, see “Importing with the Import Wizard” on page 402. BusinessObjects Enterprise Administrator’s Guide 57 4 BusinessObjects Enterprise Architecture Application tier The Import Wizard runs on Windows, but you can use it to import information into a new BusinessObjects Enterprise system running on Windows or on UNIX. Application tier The application tier hosts the server-side components that process requests from the client tier as well as the components that communicate these requests to the appropriate server in the intelligence tier. The application tier includes support for report viewing and logic to understand and direct web requests to the appropriate BusinessObjects Enterprise server in the intelligence tier. The application tier includes: • • • “Application tier components” on page 58 “Web development platforms” on page 59 “Web application environments” on page 60 Application tier components For both the Java and .NET platforms, the application tier includes the following components: • • “Application server and BusinessObjects Enterprise SDK” on page 59 “Web Component Adapter (WCA)” on page 59 Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms. 58 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture Application tier 4 Application server and BusinessObjects Enterprise SDK BusinessObjects Enterprise systems that use the BusinessObjects Enterprise Java SDK or the BusinessObjects Enterprise .NET SDK run on a third party application server. See the Platforms.txt file included with your product distribution for a complete list of tested application servers and version requirements. The application server acts as the gateway between the web server and the rest of the components in BusinessObjects Enterprise. The application server is responsible for processing requests from your browser. It also supports InfoView and other Business Objects applications, and uses the SDK to convert report pages (.epf files) to HTML format when users view pages with a DHTML viewer. Web Component Adapter (WCA) The web server communicates directly with the application server that hosts the BusinessObjects Enterprise SDK. The Web Component Adapter (WCA) runs within the application server and provides all services that are not directly supported by the BusinessObjects Enterprise SDK. The web server passes requests directly to the application server, which then forwards the requests on to the WCA. The WCA has two primary roles: • • It processes ASP.NET (.aspx) and Java Server Pages (.jsp) files It also supports Business Objects applications such as the Central Management Console (CMC) and Crystal report viewers (that are implemented through viewrpt.aspx requests). Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms. Web development platforms BusinessObjects Enterprise supports the following web development platforms: • • “Java platform” on page 60 “Windows .NET platform” on page 60 BusinessObjects Enterprise Administrator’s Guide 59 4 BusinessObjects Enterprise Architecture Application tier Java platform All UNIX installations of BusinessObjects Enterprise include a Web Component Adapter (WCA). In this configuration, a Java application server is required to host the WCA and the BusinessObjects Enterprise Java SDK. The use of a web server is optional as you may choose to have static content hosted by the application server. Windows .NET platform BusinessObjects Enterprise installations that use the .NET Framework include Primary Interop Assemblies (PIAs) that allow you to use the BusinessObjects Enterprise .NET SDK with ASP.NET, and a set of .NET Server Components that you can optionally use to simplify the development of custom applications. This configuration requires the use of a Microsoft Internet Information Services (IIS) web server. Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms. You do not need a Web Component Adapter for custom ASP.NET applications. Web application environments BusinessObjects Enterprise supports Java Server Pages (.jsp) and ASP.NET (.aspx) pages. BusinessObjects Enterprise includes web applications developed in .aspx, such as InfoView and the sample applications available via the BusinessObjects Enterprise Launchpad. Java Server Pages (.jsp) and ASP.NET (.aspx) pages allow you to develop cross-platform J2EE and ASP.NET applications that use the BusinessObjects Enterprise SDKs in conjunction with third party APIs. Note: For backward compatibility, BusinessObjects Enterprise continues to l support Crystal Server Pages (.csp) and Active Server Pages (.asp). BusinessObjects Enterprise also includes Primary Interop Assemblies (PIAs) that enable you to use the BusinessObjects Enterprise SDK and Report Application Server SDK with ASP.NET. It also includes a set of .NET Server Components which simplify development of custom BusinessObjects Enterprise applications in ASP.NET. For more information, see the developer documentation available on your product CD. 60 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture Intelligence tier 4 Intelligence tier The intelligence tier manages the BusinessObjects Enterprise system. It maintains all of the security information, sends requests to the appropriate servers, manages audit information, and stores report instances. For more information, refer to the following sections: • • • • “Central Management Server (CMS)” on page 61 “Cache Server” on page 63 “File Repository Servers” on page 63 “Event Server” on page 64 Central Management Server (CMS) The CMS is responsible for maintaining a database of information about your BusinessObjects Enterprise system, which other components can access as required. The data stored by the CMS includes information about users and groups, security levels, BusinessObjects Enterprise content, and servers. The CMS also maintains the BusinessObjects Enterprise Repository, and a separate audit database of information about user actions. This data allows the CMS to perform its four main tasks: • Maintaining security By maintaining a database of users and their associated object rights, the CMS enforces who has access to BusinessObjects Enterprise and the types of tasks they are able to perform. These tasks include enforcing and maintaining the licensing policy of your BusinessObjects Enterprise system. • Managing objects The CMS keeps track of the location of objects and maintains the containment hierarchy, which includes folders, categories, and inboxes. By communicating with the Job Servers and Program Job Servers, the CMS is able to ensure that scheduled jobs run at the appropriate times. BusinessObjects Enterprise Administrator’s Guide 61 4 BusinessObjects Enterprise Architecture Intelligence tier • Managing servers By staying in frequent contact with each of the servers in the system, the CMS is able to maintain a list of server status. Report viewers access this list, for instance, to identify which Cache Server is free to use for a report viewing request. • Managing auditing By collecting information about user actions from each BusinessObjects Enterprise server, and then writing these records to a central audit database, the CMS acts as the system auditor. This audit information allows system administrators to better manage their BusinessObjects Enterprise deployment. Note: In previous versions of Crystal Enterprise, the Central Management Server (CMS) was known as the Crystal Management Server, and also as the Automated Process Scheduler (APS). Typically, you provide the CMS with database connectivity and credentials when you install BusinessObjects Enterprise, so the CMS can create its own system database and BusinessObjects Enterprise Repository database using your organization’s preferred database server. For details about setting up CMS databases, see the BusinessObjects Enterprise Installation Guide, and “Configuring the auditing database” on page 209. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. Note: • It is strongly recommended that you back up the CMS system database, and the audit database frequently. The backup procedure depends upon your database software. If you are unsure of the procedure, consult with your database administrator. The CMS database should not be accessed directly. System information should only be retrieved using the calls that are provided in the BusinessObjects Enterprise Software Development Kit (SDK). For more information, see the developer documentation available on your product CD. You can access the audit database directly to create custom audit reports. See “Creating custom audit reports” on page 217 for more information. • • On Windows, the Setup program can install and configure its own Microsoft Data Engine (MSDE) database if necessary. MSDE is a client/server data engine that provides local data storage and is compatible with Microsoft SQL Server. If you already have the MSDE or SQL Server installed, the installation program uses it to create the CMS system database. You can migrate your default CMS system database to a supported database server later. 62 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture Intelligence tier 4 For details about configuring the CMS, its system database, and CMS clusters, see “Configuring the intelligence tier” on page 92. For more information about Auditing, see “Managing Auditing” on page 203. Cache Server The Cache Server is responsible for handling all report viewing requests. The Cache Server checks whether or not it can fulfill the request with a cached report page. If the Cache Server finds a cached page that displays exactly the required data, with data that has been refreshed from the database within the interval that you have specified as the default, the Cache Server returns that cached report page. If the Cache Server cannot fulfil the request with a cached report page, it passes the request along to the Page Server. The Page Server runs the report and returns the results to the Cache Server. The Cache Server then caches the report page for future use, and returns the data to the viewer. By storing report pages in a cache, BusinessObjects Enterprise avoids accessing the database each and every time a report is requested. If you are running multiple Page Servers for a single Cache Server, the Cache Server automatically balances the processing load across Page Servers. For more information, see “Modifying Cache Server performance settings” on page 112. File Repository Servers There is an Input and an Output File Repository Server in every BusinessObjects Enterprise implementation. The Input File Repository Server manages all of the report objects and program objects that have been published to the system by administrators or end users (using the Publishing Wizard, the Central Management Console, the Import Wizard, or a Business Objects designer component such as Crystal Reports or the Web Intelligence Java or HTML Report Panels). Tip: If you use the BusinessObjects Enterprise SDK, you can also publish reports from within your own code. The Output File Repository Server manages all of the report instances generated by the Report Job Server or the Web Intelligence Report Server, and the program instances generated by the Program Job Server. The File Repository Servers are responsible for listing files on the server, querying for the size of a file, querying for the size of the entire file repository, adding files to the repository, and removing files from the repository. BusinessObjects Enterprise Administrator’s Guide 63 4 BusinessObjects Enterprise Architecture Processing tier Note: • • The Input and Output File Repository Servers cannot share the same directories. This is because one of the File Repository Servers could then delete files and directories belonging to the other. In larger deployments, there may be multiple Input and Output File Repository Servers, for redundancy. In this case, all Input File Repository Servers must share the same directory. Likewise, all Output File Repository Servers must share a directory. Objects with files associated with them, such as text files, Microsoft Word files, or PDFs, are stored on the Input File Repository Server. • Event Server The Event Server manages file-based events. When you set up a file-based event within BusinessObjects Enterprise, the Event Server monitors the directory that you specified. When the appropriate file appears in the monitored directory, the Event Server triggers your file-based event: that is, the Event Server notifies the CMS that the file-based event has occurred. The CMS then starts any jobs that are dependent upon your file-based event. After notifying the CMS of the event, the Event Server resets itself and again monitors the directory for the appropriate file. When the file is newly created in the monitored directory, the Event Server again triggers your file-based event. Note: Schedule-based events, and custom events are managed by the Central Management Server. Processing tier The processing tier accesses the data and generates the reports. It is the only tier that interacts directly with the databases that contain the report data. The processing tier includes: 64 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture Processing tier 4 • • • • • • • • “Report Job Server” on page 65 “Program Job Server” on page 65 “Web Intelligence Job Server” on page 66 “Web Intelligence Report Server” on page 66 “Report Application Server (RAS)” on page 66 “Destination Job Server” on page 67 “List of Values Job Server” on page 67 “Page Server” on page 67 Report Job Server A Job Server processes scheduled actions on objects at the request of the CMS. You can configure a Job Server to process either report objects or program objects when you add it to your BusinessObjects Enterprise system. If you configure a Job Server to process report objects, it becomes a Report Job Server. The Report Job Server processes scheduled reports, as requested by the CMS, and generates report instances (instances are versions of a report object that contain saved data). To generate a report instance, the Report Job Server obtains the report object from the Input FRS and communicates with the database to retrieve the current data. Once it has generated the report instance, it stores the instance on the Output FRS. Program Job Server A Job Server processes scheduled actions on objects at the request of the CMS. You can configure a Job Server to process either report objects or program objects when you add it to your BusinessObjects Enterprise system. If you configure a Job Server to process program objects, it becomes a Program Job Server. Program objects allow you to write, publish, and schedule custom applications, including scripts, Java programs or .NET programs that run against, and perform maintenance work on, BusinessObjects Enterprise. The Program Job Server processes scheduled program objects, as requested by the CMS. To run a program, the Program Job Server first retrieves the files from storage on the Input File Repository Server, and then runs the program. By definition, program objects are custom applications. Therefore the outcome of running a program will be dependent upon the particular program object that is run. BusinessObjects Enterprise Administrator’s Guide 65 4 BusinessObjects Enterprise Architecture Processing tier Unlike report instances, which can be viewed in their completed format, program instances exist as records in the object history. BusinessObjects Enterprise stores the program’s standard out and standard error in a text output file. This file appears when you click a program instance in the object History. Web Intelligence Job Server The Web Intelligence Job Server processes scheduling requests it receives from the CMS for Web Intelligence documents. It forwards these requests to the Web Intelligence Report Server, which will generate the instance of the Web Intelligence document. The Web Intelligence Job Server does not actually generate object instances. Web Intelligence Report Server The Web Intelligence Report Server is used to create, edit, view, and analyze Web Intelligence documents. It also processes scheduled Web Intelligence documents and generates new instances of the document, which it stores on the Output File Repository Server (FRS). Depending on the user’s access rights and the refresh options of the document, the Web Intelligence Report Server will use cached information, or it will refresh the data in the document and then cache the new information. Report Application Server (RAS) The Report Application Server (RAS) processes reports that users view with the Advanced DHTML viewer. The RAS also provides the ad hoc reporting capabilities that allow users to create and modify reports over the Web. The RAS is very similar to the Page Server: it too is primarily responsible for responding to page requests by processing reports and generating EPF pages. However, the RAS uses an internal caching mechanism that involves no interaction with the Cache Server. As with the Page Server, the RAS supports COM, ASP.NET, and Java viewer SDKs. The Report Application Server also includes an SDK for reportcreation and modification, providing you with tools for building custom report interaction interfaces. 66 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture Processing tier 4 Destination Job Server When you add a job server to your BusinessObjects Enterprise system, you can configure it to process report objects or program objects, or to send objects or instances to specified destinations. If you configure it to send objects or instances, it become a Destination Job Server. A Destination Job Server processes requests that it receives from the CMS and sends the requested objects or instances to the specified destination: • • If the request is for an object, it retrieves the object from the Input File Repository Server. If the request is for a report or program instance, it retrieves the instance from the Output File Repository Server. The Destination Job Server can send objects and instances to destinations inside the BusinessObjects Enterprise system, for example, a user’s inbox, or outside the system, for example, by sending a file to an email address. The Destination Job Server does not run the actual report or program objects. It only handles objects and instances that already exist in the Input or Output File Repository Servers. For more information, see “Sending an object or instance” on page 420. List of Values Job Server The List of Values Job Server processes scheduled list-of-value objects. These are objects that contain the values of specific fields in a Business View. Lists of values are use to implement dynamic prompts and cascading lists of values within Crystal Reports. List-of-value objects do not appear in CMC or InfoView. For more information, see the Business Views Administrator’s Guide. The List of Values Job Server behaves similarly to the Report Job Server in that it retrieves the scheduled objects from the Input File Repository Server (FRS) and saves the instance it generates to the Output FRS. There is never more than one instance of a list-of-values object. On demand list of value objects are processed by the Report Application Server. Page Server The Page Server is primarily responsible for responding to page requests by processing reports and generating Encapsulated Page Format (EPF) pages. The EPF pages contain formatting information that defines the layout of the report. The Page Server retrieves data for the report from an instance or directly from the database (depending on the user’s request and the rights he or she has to the report object). When retrieving data from the database, the BusinessObjects Enterprise Administrator’s Guide 67 4 BusinessObjects Enterprise Architecture Data tier Page Server automatically disconnects from the database after it fulfills its initial request and reconnects if necessary to retrieve additional data. (This behavior conserves database licenses.) The Cache Server and Page Server work closely together. Specifically, the Page Server responds to page requests made by the Cache Server. The Page Server and Cache Server also interact to ensure cached EPF pages are reused as frequently as possible, and new pages are generated as soon as they are required. BusinessObjects Enterprise takes advantage of this behavior by ensuring that the majority of report-viewing requests are made to the Cache Server and Page Server. (However, if a user’s default viewer is the Advanced DHTML viewer, the report is processed by the Report Application Server.) The Page Server also supports COM, ASP.NET, and Java viewer Software Development Kits (SDKs). Data tier The data tier is made up of the databases that contain the data used in the reports. BusinessObjects Enterprise supports a wide range of corporate databases. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. Report viewers BusinessObjects Enterprise includes report viewers that support different platforms and different browsers in the client tier, and which have different report viewing functionality. (For more information on the specific functionality or platform support provided by each report viewer, see the BusinessObjects Enterprise User’s Guide or the Crystal Reports Developer’s Guide.) All of the viewers fall into two categories: • client-side viewers Client-side viewers are downloaded and installed in the users’ web browser. 68 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture Information flow 4 • zero client viewers The code to support zero client viewers resides in the application tier. client-side viewers Active X viewer Java viewer zero client viewers DHTML viewer Advanced DHTML viewer All report viewers help process requests for reports, and present report pages that appear in the user’s browser. Client-side viewers Client-side viewers are downloaded and installed in the user’s browser. When a user requests a report, the application server processes the request, and retrieves the report pages in .epf format from the BusinessObjects Enterprise framework. The application server then passes the .epf file to the client-side viewer, which processes the .epf files and displays them directly in the browser. Zero client viewers Zero client viewers reside on the application server. When a user requests a report, the application server processes the request, and then retrieves the report pages in .epf format from the BusinessObjects Enterprise framework. The SDK creates a viewer object on the application server which processes the .epf and creates DHTML pages that represent both the viewer controls and the report itself. The viewer object then sends these pages through the web server to the user’s web browser. Installing viewers If they haven’t already done so, users are prompted to download and install the appropriate viewer software before the report is displayed in the browser. The Active X viewer is downloaded the first time a user requests a report, and then remains installed on the user’s machine. The user will be prompted to reinstall the ActiveX viewer only when a new version becomes available on the server. Information flow This section describes the interaction of the server components in order to demonstrate how report-processing is performed. This section covers two different scenarios: • • “What happens when you schedule an object?” on page 70 “What happens when you view a report?” on page 71 BusinessObjects Enterprise Administrator’s Guide 69 4 BusinessObjects Enterprise Architecture Information flow What happens when you schedule an object? When you schedule an object, you instruct BusinessObjects Enterprise to process an object at a particular point in time, or on a recurring schedule. For example, if you have a report that is based on your web server logs, you can schedule the report to run every night on a recurring basis. Tip: BusinessObjects Enterprise also allows you to schedule jobs that are dependent upon other events. For details, see “Managing events overview” on page 510. When a user schedules an object using InfoView, the following happens: 1. 2. 3. 4. 5. 6. InfoView sends the request to the web server. The web server passes the web request directly to the application server, where it is evaluated by the BusinessObjects Enterprise SDK. The SDK passes the request to the Central Management Server. The CMS checks to see if the user has sufficient rights to schedule the object. If the user has sufficient rights, the CMS schedules the object to be run at the specified time(s). When the time occurs, the CMS passes the job to the appropriate job server. Depending on the type of object, the CMS will send the job to one of the following job servers: • • • 7. If the object is Web Intelligence document, it sends the job to the Web Intelligence Job Server, which sends the request to the Web Intelligence Report Server. If the object is a report, it sends the job to the Report Job Server. If the object is program, it sends the job to the Program Job Server. The job server retrieves the object from the Input File Repository Server and runs the object against the database, thereby creating an instance of the object. The job server then saves the instance to the Output File Repository Server, and tells the CMS that it has completed the job successfully. If the job was for a Web Intelligence document, the Web Intelligence Report Server notifies the Web Intelligence Job Server. The Web Intelligence Job Server then notifies the CMS that the job was completed successfully. 8. Tip: For details about multiple time zones, see “Supporting users in multiple time zones” on page 527. Note: 70 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture Information flow 4 • The Cache Server and the Page Server do not participate in scheduling reports or in creating instances of scheduled reports. This can be an important consideration when deciding how to configure BusinessObjects Enterprise, especially in large installations. See “Scaling Your System” on page 157. When you schedule program objects or object packages, the interaction between servers follows the same pattern as it does for reports. • Users without schedule rights on an object will not see the schedule option in BusinessObjects Enterprise. What happens when you view a report? This section describes the viewing mechanisms that are implemented in InfoView. The processing flow for custom applications may differ. When you view a report through BusinessObjects Enterprise, the processing flow varies depending upon your default report viewer, the type of report, and the rights you have to the report. In all cases, however, the request that begins at the web server must be forwarded to the application server. The actual request is constructed as a URL that includes the report’s unique ID. This ID is passed as a parameter to a server-side script that, when evaluated by the application server, verifies the user’s session and retrieves the logon token from the browser. The script then checks the user’s InfoView preferences and redirects the request to the viewing mechanism that corresponds to the user’s default viewer. Different report viewers require different viewing mechanisms: • The zero-client DHTML viewer is implemented through report_view_dhtml.aspx. When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Cache Server and Page Server. • The zero-client Advanced DHTML viewer is implemented through report_view_advanced.aspx. When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Report Application Server. • The client-side report viewers (the ActiveX and Java viewers) are implemented through viewrpt.aspx, hosted by the WCA. BusinessObjects Enterprise Administrator’s Guide 71 4 BusinessObjects Enterprise Architecture Information flow The Crystal Web Request is executed internally through viewer code on the application server. The viewer code communicates with the framework in order to retrieve a report page in .epf format from the Cache Server and Page Server. If they haven’t already done so, users are prompted to download and install the appropriate viewer software. Report viewing with the Cache Server and Page Server This section describes the process for viewing a Crystal report when using the zero-client DHTML, ActiveX, or Java viewer. This process uses the Cache Server and the Page Server. 1. Upon receiving a report-viewing request, the Cache Server checks to see if it has the requested pages cached. Cached pages are stored as Encapsulated Page Format (.epf) files. If a cached version of the .epf file is available: a. b. 3. The Cache Server checks with the CMS to see if the user has rights to view the report. If the user is granted the right to view the report, the Cache Server sends the .epf file to the application server. The Cache Server requests new .epf files from the Page Server. The Page Server checks with the CMS to see if the user has rights to view the report. If the user is granted the right to view the report, the Page Server retrieves the report from the Input File Repository Server. If the report is an instance, and the user only has View rights, the Page Server will generate pages of the report instance using the data stored in the report instance. That is, the Page Server will not retrieve the latest data from the database. If the report is an object, the user must have View On Demand rights to view the report successfully (because the Page Server needs to retrieve data from the database). e. f. g. 4. If the user has sufficient rights, the Page Server generates the .epf pages and forwards them to the Cache Server. The Cache Server then caches the .epf files. The Cache Server sends the .epf files to the application server. 2. If a cached version of the .epf file is unavailable: a. b. c. d. The application server sends the report to the user’s Web browser in one of two ways, depending on how the initial request was made: 72 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture Information flow 4 • If the initial request was made through a DHTML viewer (report_view_dhtml.aspx), the viewer SDK (residing on the application server) is used to generate HTML that represents both the DHTML viewer and the report itself. The HTML pages are then returned through the web server to the user’s web browser. If the initial request was made through an Active X or Java viewer (viewrpt.aspx), the application server forwards the .epf pages through the web server to the report viewer software in the user’s web browser. • Report viewing with the Report Application Server (RAS) This section describes the process for viewing a Crystal report when using the Advanced DHTML viewer. This process flow uses the Report Application Server (RAS). 1. Upon receiving a report-viewing request, the RAS checks to see if it has the requested report data in cache. (The RAS has its own caching mechanism, which is separate from the Cache Server.) If a cached version of the .epf file is available: a. b. 3. The RAS checks with the CMS to see if the user has rights to view the report. If the user is granted the right to view the report, the RAS returns .epf pages to the application server. The RAS checks with the CMS to see if the user has rights to view the report. If the user is granted the right to view the report, the RAS retrieves the report object from the Input File Repository Server. The RAS then processes the report object, obtains the data from the database, generates the .epf pages, caches the .epf pages and sends the .epf pages to the application server. If the user is granted View rights to the report object, then the RAS will only ever generate pages of the latest report instance. That is, the RAS will not retrieve the latest data from the database. If the user is granted View On Demand rights to the report object, then the RAS will refresh the report against the database. Note: The interactive search and filter features provided by the Advanced DHTML viewer are available only if the user has View On Demand rights (or greater) to the report object. 2. If a cached version of the .epf file is unavailable: a. b. c. d. BusinessObjects Enterprise Administrator’s Guide 73 4 BusinessObjects Enterprise Architecture Information flow 4. When the application server receives the .epf pages from the RAS, the viewer SDK generates HTML that represents both the Advanced DHTML viewer and the report itself. The application server sends the HTML pages through the web server to the user’s web browser. 5. Viewing Web Intelligence documents This section describes the process for viewing a Web Intelligence document. 1. 2. 3. 4. 5. InfoView sends the request to the web application server. The web application server sends the request to the application server, which creates a new session with the Web Intelligence Report Server. The Web Intelligence Report Server checks if the user has rights to use the Web Intelligence application. The web application server then sends the request to the Web Intelligence Report Server. The Web Intelligence Report Server contacts the CMS to check whether the user has the right to view the document, and to check when the document was last updated. If the user has the right to view the document, the Web Intelligence Report Server checks whether it has up-to-date cached content for the document. If cached content is available, the Web Intelligence Report Server sends the cached document information to the SDK. If cached content is not available, the following happens: a. The Web Intelligence Report Server obtains the document information from the CMS and checks what rights the user has on the document. The Web Intelligence Report Server obtains the Web Intelligence document from either the Input or Output File Repository Server and loads the document file. Note: Which FRS is used depends on whether the request was for a Web Intelligence document that was saved to BusinessObjects Enterprise or for an instance of the document. Documents are stored on the Input FRS. Instances are generated when an object is run according to a schedule, and they are stored on the Output FRS. c. If the document is set to “refresh on open” and the user has the View On Demand rights, the Web Intelligence Report Server refreshes the data in the document with data from the database. 6. 7. b. 74 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Architecture Choosing between live and saved data 4 Note: If the document is set to “refresh on open” but the user does not have View On Demand rights, an error message is displayed. d. e. 8. 9. The Web Intelligence Report Server stores the document file and the new document information in cache. The Web Intelligence Report Server sends the document information to the SDK. The viewer script calls the SDK to get the requested page of the document. The request is passed to the Web Intelligence Report Server. If the Web Intelligence Report Server has cached content for the page, it returns the cached XML to the SDK. If the Web Intelligence Report Server does not have the cached content for the page, it renders the page to XML using the current data for the document. It then returns the XML to the SDK. 10. The SDK applies an XSLT style sheet to the XML to transform it to HTML. 11. The viewer script returns the HTML to the browser. Choosing between live and saved data When reporting over the Web, the choice to use live or saved data is one of the most important decisions you’ll make. Whichever choice you make, however, BusinessObjects Enterprise displays the first page as quickly as possible, so you can see your report while the rest of the data is being processed. Live data On-demand reporting gives users real-time access to live data, straight from the database server. Use live data to keep users up-to-date on constantly changing data, so they can access information that’s accurate to the second. For instance, if the managers of a large distribution center need to keep track of inventory shipped on a continual basis, then live reporting is the way to give them the information they need. Before providing live data for all your reports, however, consider whether or not you want all of your users hitting the database server on a continual basis. If the data isn’t rapidly or constantly changing, then all those requests to the database do little more than increase network traffic and consume server resources. In such cases, you may prefer to schedule reports on a recurrent basis so that users can always view recent data (report instances) without hitting the database server. BusinessObjects Enterprise Administrator’s Guide 75 4 BusinessObjects Enterprise Architecture Choosing between live and saved data For more information about optimizing the performance of reports that are viewed on demand, see the “Designing Optimized Web Reports” section in the Crystal Reports User’s Guide (version 8.5 and later). Tip: Users require View On Demand access to refresh reports against the database. Saved data To reduce the amount of network traffic and the number of hits on your database servers, you can schedule reports to be run at specified times. When the report has been run, users can view that report instance as needed, without triggering additional hits on the database. Report instances are useful for dealing with data that isn’t continually updated. When users navigate through report instances, and drill down for details on columns or charts, they don’t access the database server directly; instead, they access the saved data. Consequently, reports with saved data not only minimize data transfer over the network, but also lighten the database server’s workload. For example, if your sales database is updated once a day, you can run the report on a similar schedule. Sales representatives then always have access to current sales data, but they are not hitting the database every time they open a report. Tip: Users require only View access to display report instances. 76 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers chapter 5 Managing and Configuring Servers Server management overview Server management overview This chapter provides information on a range of server tasks that allow you to customize the behavior of BusinessObjects Enterprise. It also includes information on the server settings that you can alter to accommodate the needs of your organization. The default values for these settings have been chosen to maximize the reliability, predictability, and consistency of operation of a typical BusinessObjects Enterprise installation. The default settings guarantee the highest degree of data accuracy and timeliness. For example, by default, data sharing between reports is disabled. When running reports on demand, disabling data sharing means that every user can always assume that they will receive the latest data. If you prefer to place more emphasis on the efficiency, economy, and scalability of BusinessObjects Enterprise, you can tune server settings to set your own balance between system reliability and performance. For example, enabling data sharing between reports markedly increases system performance when user loads are heavy. To take advantage of this feature while ensuring that every user receives data that meets your criteria for timeliness, you can also specify how long data will be shared between users. BusinessObjects Enterprise administrative tools BusinessObjects Enterprise includes two key administrative tools that allow you to view and to modify a variety of server settings: • Central Management Console (CMC) The CMC is the web-based administration tool that allows you to view and to modify server settings while BusinessObjects Enterprise is running. For instance, you use the CMC to change the status of a server, change server settings, access server metrics, or create server groups. Because the CMC is a web-based interface, you can configure your BusinessObjects Enterprise servers remotely over the Internet or through your corporate intranet. • Central Configuration Manager (CCM) The CCM is a program that allows you to view and to modify server settings while Business Objects servers are offline. For instance, you use the CCM to stop servers, to modify performance settings, and to change the default server port numbers. With BusinessObjects Enterprise, the CCM allows you to configure BusinessObjects Enterprise remotely over your corporate network You can accomplish some configuration tasks with both tools, while other tasks must be performed with a specific tool. 78 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Viewing current metrics 5 Related topics: • • • For an overview of the multi-tier architecture and the BusinessObjects Enterprise server components, see “BusinessObjects Enterprise Architecture” on page 53. For information about creating groups of servers, see “Managing Server Groups” on page 151. With the BusinessObjects Enterprise Software Development Kit (SDK), you can now access and modify server metrics and settings from your own web applications. For more information, see the developer documentation available on your product CD. Viewing current metrics The CMC allows you to view server metrics over the Web. These metrics include general information about each machine, along with details that are specific to the type of server. The CMC also allows you to view system metrics, which include information about your product version, your CMS, and your current system activity. Tip: For an example of how to use server metrics in your own web applications, see the “View Server Summary” sample on the BusinessObjects Enterprise Admin Launchpad. Viewing current server metrics The Servers management area of the CMC displays server metrics that provide statistics and information about each BusinessObjects Enterprise server. The general information displayed for each server includes information about the machine that the server is running on—its name, operating system, total hard disk space, free hard disk space, total RAM, number of CPUs, and local time. The general information also includes the time the server started and the version number of the server. 1. 2. 3. To view server metrics Go to the Servers management area of the CMC. Click the link to the server whose metrics you want to view. Click the Metrics tab. BusinessObjects Enterprise Administrator’s Guide 79 5 Managing and Configuring Servers Viewing current metrics This example shows the metrics for an Event Server that is running on a machine called Crystal-E501888.crystald.net. The Metrics tabs for the following servers include additional, server-specific information: Input and Output File Repository Servers The Metrics tab of each File Repository Server lists the root directory of the files that the server maintains, indicates the maximum idle time, and displays the number of active files and active client connections. It also lists the total available hard disk space, as well as the number of bytes sent and received. Each File Repository Server also has an Active Files tab, which lists the filename, the number of readers, and the number of writers for each active file. Cache Server The Metrics tab of the Cache Server displays the maximum number of processing threads, the maximum cache size, the minutes before an idle job is closed, the minutes between refreshes from the database, whether or not the database is accessed whenever a viewer’s file (object) is refreshed, the location of the cache files, the total threads running, the number of requests served, the number of bytes transferred, the cache hit rate, the number of current connections, and the number of requests that are queued. The Metrics tab also provides a table that lists the Page Servers that the Cache server has connections to, along with the number of connections made to each Page Server. Event Server The Metrics tab of the Event Server contains statistics on the files that the server is monitoring. This tab includes a table showing the file name and the last time the event occurred. 80 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Viewing current metrics 5 Page Server The Metrics tab of the Page Server contains information on how the server is running. It lists the maximum number of simultaneous report jobs, the location of temporary files, the number of minutes before an idle connection is closed, the minutes before a report job is closed, the maximum number of database records shown when previewing or refreshing a report, the oldest processed data given to a client, whether a viewer refresh always hits the database, and the setting for the Report Job Database Connection. It also shows the number of current connections, the number of requests queued, the current number of processing threads running, the total number of requests served, and the total bytes transferred. Report Application Server The Metrics tab of the Report Application Server (RAS) shows the number of reports that are open, and the number of reports that have been opened. It also shows the number of open connections, along with the number of open connections that have been created. Job servers and Web Intelligence servers The Metrics tabs of theses servers lists the current number of jobs that are being processed, the total number of requests received, the total number of failed job creations, the processing mode, and the location of its temporary files. Central Management Server The Metrics tab of the CMS lists only the general information about the machine it is running on. The Properties tab, however, shows a list of users who have active sessions on the system. Click any user’s link to view the associated account details. Viewing system metrics The Settings management area of the CMC displays system metrics that provide general information about your BusinessObjects Enterprise installation. The Properties tab includes information about the product version and build. It also lists the data source, database name, and database user name of the CMS database. The Metrics tab lists current account activity, along with statistics about current and processed jobs. The Cluster tab lists the name of the CMS you are connected to, the name of the CMS cluster, and the names of other cluster members. 1. 2. To view system metrics Go to the Settings management area of the CMC. View the contents of the Properties, Metrics, and Cluster tabs. BusinessObjects Enterprise Administrator’s Guide 81 5 Managing and Configuring Servers Viewing and changing the status of servers Related topics: • • For more information about licenses and account activity, see Licensing overview. For information about CMS clusters, see Clustering Central Management Servers. Viewing and changing the status of servers The status of a server is its current state of operation: a server can be started, stopped, enabled, or disabled. To respond to BusinessObjects Enterprise requests, a server must be started and enabled. A server that is disabled is still running as a process; however, it is not accepting requests from the rest of BusinessObjects Enterprise. A server that is stopped is no longer running as a process. This section shows how to modify the status of servers with the CMC and the CCM. It includes: • • • “Starting, stopping, and restarting servers” on page 82 “Enabling and disabling servers” on page 85 “Printing, copying, and refreshing server status” on page 86 Starting, stopping, and restarting servers Starting, stopping, and restarting servers are common actions that you perform when you configure servers or take them offline for other reasons. The remainder of this chapter tells you when a certain configuration change requires that you first stop or restart the server. However, because these tasks appear frequently, the concepts and differences are explained first, and the general procedures are provided for reference. Action Stopping a server Description You must stop BusinessObjects Enterprise servers before you can modify certain properties and settings. If you have stopped a server to configure it, you need Starting a server to start it to effect your changes and to have the server resume processing requests. Restarting a server Restarting a server is a shortcut to stopping a server completely and then starting it again. You can change certain settings without stopping the server; however, the changes typically do not take effect until your restart the server. 82 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Viewing and changing the status of servers 5 For example, if you want to change the name of a CMS, then you must first stop the server. Once you have made your changes, you start the server again to effect your changes. Tip: When you stop (or restart) a server, you terminate the server’s process, thereby stopping the server completely. If you want to prevent a server from receiving requests without actually stopping the server process, you can also enable and disable servers. We recommend that you disable Job Servers and Program Job Servers before stopping them so that they can finish processing any jobs they have in progress before stopping. For details, see “Enabling and disabling servers” on page 85. To start, stop, or restart servers with CMC Note: You cannot use CMC to stop the CMS. You must use the CCM instead. See “Stopping a Central Management Server” on page 84 for more information. 1. Go to the Servers management area of the CMC. A list of servers appears. The icon associated with each server identifies its status: • • • Running is indicated by a server with a green arrow. Stopped is indicated by a server with a red arrow. Disabled is indicated by a server with a red circle. In this example, the Page Server Server is stopped, the Event Server is disabled, and the remaining servers are running and enabled. 2. 3. Select the check box for the server whose status you want to change. Depending upon the action you need to perform, click Start, Stop, or Restart. You may be prompted for network credentials that allow you to start and stop services running on the remote machine. 4. Click Refresh to update the page. BusinessObjects Enterprise Administrator’s Guide 83 5 Managing and Configuring Servers Viewing and changing the status of servers 1. 2. 3. To start, stop, or restart a Windows server with the CCM Start the CCM. Select the server that you want to start, stop, or restart. On the toolbar, click the appropriate button. Toolbar Action Icon Start the selected server. Stop the selected server. Restart the selected server. You may be prompted for network credentials that allow you to start and stop services. Note: When you provide your network credentials, they are first checked against the machine hosting the CMS. If the server that you want to start, stop, or restart is located on another machine, the same credentials are used to access the other machine. If you supply credentials that are valid on the remote machine but not on the machine running the CMS, then you receive an error message. The CCM performs the action and refreshes the list of servers. To start, stop, or restart a UNIX server with the CCM Use the ccm.sh script. For reference, see “ccm.sh” on page 598. Stopping a Central Management Server If your BusinessObjects Enterprise installation has a single Central Management Server (CMS), shutting it down will make BusinessObjects Enterprise unavailable to your users and will interrupt the processing of reports and programs. Before stopping your CMS, you may wish to disable your processing servers so that they can finish any jobs in progress before BusinessObjects Enterprise shuts down. See “Enabling and disabling servers” on page 85 for more information. If you have a CMS cluster consisting of more than one active CMS, you can shut down a single CMS without losing data or affecting system functionality. The other CMS in the cluster will assume the workload of the stopped server. 84 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Viewing and changing the status of servers 5 Using a CMS cluster enables you to perform maintenance on each of your Central Management Servers in turn without taking BusinessObjects Enterprise out of service. For more information on CMS clusters, see “Clustering Central Management Servers” on page 92. Enabling and disabling servers When you disable a BusinessObjects Enterprise server, you prevent it from receiving and responding to new BusinessObjects Enterprise requests, but you do not actually stop the server process. This is especially useful when you want to allow a server to finish processing all of its current requests before you stop it completely. For example, you may want to stop a Job Server before rebooting the machine it is running on. However, you want to allow the server to fulfill any outstanding report requests that are in its queue. First, you disable the Job Server so it cannot accept any additional requests. Next, go to the Central Management Console to monitor when the server completes the jobs it has in progress. (From the Servers management area, choose the server name and then the metrics tab). Then, once it has finished processing current requests, you can safely stop the server. Note: The CMS must be running in order for you to enable and/or disable other servers. 1. To enable and disable servers with CMC Go to the Servers management area of the CMC. The icon associated with each server identifies its status. In this example, the Event Server is disabled (but not stopped), and the remaining servers are running and enabled. BusinessObjects Enterprise Administrator’s Guide 85 5 Managing and Configuring Servers Viewing and changing the status of servers 2. 3. 1. 2. 3. 4. Select the check box for the server whose status you want to change. Depending upon the action you need to perform, click Enable or Disable. To enable or disable a Windows server with the CCM Start the CCM. On the toolbar, click Enable/Disable. When prompted, log on to your CMS with the credentials that provide you with administrative privileges to BusinessObjects Enterprise. Click Connect. The Enable/Disable Servers dialog box appears. This dialog box lists all of the BusinessObjects Enterprise servers that are registered with your CMS, including servers running on remote machines. By default, servers running on remote machines are displayed as MACHINE.servertype. In this example, all of the listed servers are currently enabled. 5. 6. To disable a server, clear the check box in the Server Name column. Click OK to effect your changes and return to the CCM. To enable or disable a UNIX server with the CCM Use the ccm.sh script. For reference, see “ccm.sh” on page 598. Printing, copying, and refreshing server status When using the CCM on Windows, you can print and copy the properties of a server, and refresh the list of servers. 86 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Viewing and changing the status of servers 5 1. 2. To print the status of a server Start the CCM. Select the server(s). BusinessObjects Enterprise Administrator’s Guide 87 5 Managing and Configuring Servers Configuring the application tier 3. 4. Click Print. The Print dialog box appears. Click OK. A brief listing of the server’s properties is printed, including the Display Name, Version, Command Line, Status, and so on. To copy the status of a server To save the status of a server, you can copy the details from the CCM to a document or to an email message (if you want to send the status information to someone else). 1. 2. 3. 4. Start the CCM. Select the server(s). Click Copy. Paste the information into a document for future reference. To refresh the list of servers To ensure you are looking at the latest information, click Refresh. • Note: Disabled servers may not appear in this list. Click Enable/Disable to view a list of servers and ensure that each is enabled. Configuring the application tier This section includes technical information and procedures that show how you can modify settings for the application tier. The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. 88 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the application tier 5 Note: This section does not show how to configure your Web application server to deploy BusinessObjects Enterprise applications. This task is typically performed when you install BusinessObjects Enterprise. For details, see the BusinessObjects Enterprise Installation Guide. For further troubleshooting, see “Working with Firewalls” on page 181. Configuring the Web Component Adapter The WCA provides support for the Central Management Console and CSP applications. The Web Component Adapter is a web application. It does not appear as a server in the Central Management Console or in the Central Configuration Manager. To configure the WCA, edit either of the following files, depending on whether you are running the system on a Java or .NET platform: • • On a Java platform edit the web.xml file associated with the WCA. See “Configuring the Java Web Component Adapter” on page 89. On a .NET platform edit the web.config file associated with the WCA. See “Configuring the .NET Web Component Adapter” on page 91. Configuring the Java Web Component Adapter To configure the Java WCA you edit the web.xml file associated with the WCA: • • Windows: C:\Program Files\Business Objects\BusinessObjects Enterprise 11\java\applications directory UNIX: WEB-INF subdirectory of the webcompadapter.war archive file stored in the bobje_root/enterprise11/java/applications directory For example, the context parameter that controls whether a group tree will be generated looks like this: viewrpt.groupTreeGenerate true ”true” or “false” value determining whether a group tree will be generated. To change the value of a context parameter, edit the value between the tags. To configure web.xml Note: Your Java Web Application Server may provide tools to allow you to edit web.xml directly from an administrative console.Otherwise use the following procedure to configure web.xml. BusinessObjects Enterprise Administrator’s Guide 89 5 Managing and Configuring Servers Configuring the application tier 1. 2. 3. 4. Stop your application server. Extract the web.xml file from the webcompadapter.war archive. Edit the file by using a text editor such as Notepad or vi. Reinsert the file into the WEB-INF directory in webcompadapter.war. Tip: To reinsert web.xml into WEB-INF using WinZip, right-click on the WEB-INF directory that contains your edited web.xml file and select “Add to Zip File...”. Adding the file in this way ensures that it is placed in the correct directory inside the archive. 5. Restart your application server. When you install more than one WCA, each webcomponentadapter.war file contains its own web.xml file containing configuration parameters for that WCA. However, you can only set the parameters listed in the following table individually for each WCA. The remaining parameters must be the same for all WCA in your system. Context Parameter display-name cspApplication.defaultPage Description Equivalent to WCA name. The default page that will be loaded if no filename is specified in a particular request. This is the real path to the directory containing the CSP/WAS application(s) that you would like to host. This is a required field. This is the name (or name and port number) of the CMS that you would like your application(s) to connect to. This field defaults to the port that the WCA related servlets are running on. Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path File extension of logfile, defaults to .log Determines whether or not the logs will be rotated, defaults to true. If log rolling is turned on, this will govern the max size before logfile is rotated. Accepted suffix: MB, KB and GB. cspApplication.dir connection.cms connection.listeningPort log.file log.ext log.isRolling log.size 90 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the application tier 5 Context Parameter log.level log.entryPattern Description The default loglevel is “error.” Please refer to log4j documentation for accepted log entry patterns. Configuring the .NET Web Component Adapter To configure the .NET WCA you edit the web.config file associated with the the WCA. This file is located in the following directory: C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\application For example, the context parameter that controls whether a group tree will be generated looks like this: To configure web.config Note: Your .NET Web Application Server may provide tools to allow you to edit web.config directly from an administrative console. 1. 2. 3. Stop your application server. Edit the web.config file by using a text editor such as Notepad. Restart your application server. Description Equivalent to WCA name. The default page that will be loaded if no filename is specified in a particular request. This is the name (or name and port number) of the CMS that you would like your application(s) to connect to. This field defaults to the port that the WCA related servlets are running on. Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path File extension of logfile, defaults to .log Determines whether or not the logs will be rotated, defaults to true. Parameter display-name cspApplication.defaultPage connection.cms connection.listeningPort log.file log.ext log.isRolling BusinessObjects Enterprise Administrator’s Guide 91 5 Managing and Configuring Servers Configuring the intelligence tier Parameter log.size Description If log rolling is turned on, this will govern the max size before logfile is rotated. Accepted suffix: MB, KB and GB. The default loglevel is “error.” Please refer to log4j documentation for accepted log entry patterns. log.level log.entryPattern Configuring the intelligence tier This section includes technical information and procedures that show how you can modify settings for the BusinessObjects Enterprise servers that make up the intelligence tier. The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Configuring the intelligence tier includes the following tasks: • • • • • • • “Clustering Central Management Servers” on page 92 “Copying data from one CMS database to another” on page 98 “Deleting and recreating the CMS database” on page 108 “Selecting a new or existing CMS database” on page 109 “Setting root directories and idle times of the File Repository Servers” on page 110 “Modifying Cache Server performance settings” on page 112 “Modifying the polling time of the Event Server” on page 114 Clustering Central Management Servers If you have a large or mission-critical implementation of BusinessObjects Enterprise, you will probably want to run several CMS machines together in a CMS cluster. A CMS cluster consists of two or more CMS servers working together to maintain the system database. If a machine that is running one CMS fails, a machine with another CMS will continue to service 92 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the intelligence tier 5 BusinessObjects Enterprise requests. This “failover” support helps to ensure that BusinessObjects Enterprise users can still access information when there is equipment failure. This section shows how to add a new CMS cluster member to a production system that is already up and running. When you add a new CMS to an existing cluster, you instruct the new CMS to connect to the existing CMS database and to share the processing workload with any existing CMS machines. For information about your current CMS and CMS cluster, go to the Settings management area of the CMC and click the Cluster tab. Before clustering CMS machines, you must make sure that each CMS is installed on a system that meets the detailed requirements (including version levels and patch levels) for operating system, database server, database access method, database driver, and database client outlined in the platforms.txt file included in your product distribution. In addition, you must meet the following clustering requirements: • For best performance, the database server that you choose to host the system database must be able to process small queries very quickly. The CMS communicates frequently with the system database and sends it many small queries. If the database server is unable to process these requests in a timely manner, BusinessObjects Enterprise performance will be greatly affected. For best performance, run each CMS cluster member on a machine that has the same amount of memory and the same type of CPU. Configure each machine similarly: • • • • • • • • • Install the same operating system, including the same version of operating system service packs and patches. Install the same version of BusinessObjects Enterprise (including patches, if applicable). Ensure that each CMS connects to the CMS database in the same manner: whether you use native or ODBC drivers, ensure that the drivers are the same on each machine, and are a supported version. Ensure that each CMS uses the same database client to connect to its system database, and that it is a supported version. Check that each CMS uses the same database user account and password to connect to the CMS database. This account must have create, delete, and update rights on the system database. Run each CMS service/daemon under the same account. (On Windows, the default is the “LocalSystem” account.) Verify that the current date and time are set correctly on each CMS machine (including settings for daylight savings time). BusinessObjects Enterprise Administrator’s Guide 93 5 Managing and Configuring Servers Configuring the intelligence tier • • Ensure that each and every CMS in a cluster is on the same Local Area Network. If you wish to enable auditing, each CMS must be configured to use the same auditing database and to connect to it in the same manner. The requirements for the auditing database are the same as those for the system database in terms of database servers, clients, access methods, drivers, and user IDs. See also Chapter 10: Managing Auditing. Tip: By default, a CMS cluster name reflects the name of the first CMS that you install, but the cluster name is prefixed by the @ symbol. For instance, if your existing CMS is called BUSINESSOBJECTSCMS, then the default cluster name is @BUSINESSOBJECTSCMS. To modify the default name, see “Changing the name of a CMS cluster” on page 96. There are two ways to add a new CMS cluster member. Follow the appropriate procedure, depending upon whether or not you have already installed a second CMS: • • “Installing a new CMS and adding it to a cluster” on page 94 See this section if you have not already installed the new CMS on its own machine. “Adding an installed CMS to a cluster” on page 95 Follow this procedure if you have already installed a second, independent CMS on its own machine. While testing various server configurations, for instance, you might have set up an independent BusinessObjects Enterprise system with its own CMS. Follow this procedure when you want to incorporate this independent CMS into your production system. Note: Back up your current CMS database before making any changes. If necessary, contact your database administrator. Installing a new CMS and adding it to a cluster When you install a new CMS, you can quickly cluster it with your existing CMS. Run the BusinessObjects Enterprise installation and setup program on the machine where you want to install the new CMS cluster member. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that want to install on the local machine. In this case, specify the name of the CMS that is running your existing system, and choose to install a new CMS on the local machine. Then provide the Setup program with the information it needs to connect to your existing CMS database. When the Setup program installs the new CMS on the local machine, it automatically adds the server to your existing CMS cluster. 94 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the intelligence tier 5 For complete requirements for CMS added to a cluster, see “Clustering Central Management Servers” on page 92. For complete information on running the Setup program and performing the Expand installation, see the BusinessObjects Enterprise Installation Guide. Adding an installed CMS to a cluster In these steps, the independent CMS refers to the one that you want to add to a cluster. You will add the independent CMS to your production CMS cluster. By adding an independent CMS to a cluster, you disconnect the independent CMS from its own database and instruct it to share the system database that belongs to your production CMS. Before starting this procedure, ensure that you have a database user account with Create, Delete, and Update rights to the database storing the BusinessObjects Enterprise tables. Ensure also that you can connect to the database from the machine that is running the independent CMS (through your database client software or through ODBC, according to your configuration). Also ensure that the CMS you are adding to the cluster meets the requirements outlined in “Clustering Central Management Servers” on page 92. Note: Back up your current CMS database before beginning this procedure. If necessary, contact your database administrator. 1. 2. To add an installed CMS to a cluster on Windows Use the CCM to stop the independent Central Management Server. With the CMS selected, click Specify CMS Data Source on the toolbar. The CMS Database Setup dialog box appears. 3. Click Select a Data Source; then click OK. BusinessObjects Enterprise Administrator’s Guide 95 5 Managing and Configuring Servers Configuring the intelligence tier 4. In the Select Database Driver dialog box, specify whether you want to connect to the production CMS database through ODBC, or through one of the native drivers. Click OK. The remaining steps depend upon the connection type you selected: 5. 6. • If you selected ODBC, the Windows “Select Data Source” dialog box appears. Select the ODBC data source that corresponds to your production CMS database; then click OK. If prompted, provide your database credentials and click OK. The CCM connects to the database server and adds the new CMS to the cluster. If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Once you provide this information, the CCM connects to the database server and adds the new CMS to the cluster. • The SvcMgr dialog box notifies you when the CMS database setup is complete. 7. 8. Click OK. Start the Central Management Server. To add an installed CMS to a cluster on UNIX Use the cmsdbsetup.sh script. For reference, see “cmsdbsetup.sh” on page 601. Changing the name of a CMS cluster By default, a CMS cluster name reflects the name of the first CMS that you install, but the cluster name is prefixed by the @ symbol. For instance, if your existing CMS is called BUSINESSOBJECTSCMS, then the default cluster name is @BUSINESSOBJECTSCMS. This procedure allows you to change the name of a cluster that is already installed and running. To change the cluster name, you need only stop one of the CMS cluster members. The remaining CMS cluster members are dynamically notified of the change. For optimal performance, after changing the name of the CMS cluster reconfigure each Business Objects server so that it registers with the CMS cluster, rather than with an individual CMS. 1. 2. To change the cluster name on Windows Use the CCM to stop any Central Management Server that is a member of the cluster. With the CMS selected, click Properties on the toolbar. 96 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the intelligence tier 5 3. 4. 5. 6. Click the Configuration tab. Select the Change Cluster Name to check box. Type the new name for the cluster. Click OK and then start the Central Management Server. The CMS cluster name is now changed. All other CMS cluster members are dynamically notified of the new cluster name (although it may take several minutes for your changes to propagate across cluster members). 7. Go to the Servers management area of the CMC and check that all of your servers remain enabled. If necessary, enable any servers that have been disabled by your changes. To change the cluster name on UNIX Use the cmsdbsetup.sh script. For reference, see “cmsdbsetup.sh” on page 601. 1. 2. 3. 4. To register servers with the CMS cluster on Windows Use the CCM to stop a Business Objects server. Select the server from the list, and then click Properties. Click the Configuration tab. In the CMS Name box, type the name of the cluster. The name of the cluster begins with the @ symbol. For example, if the cluster name was changed to ENTERPRISE, type @ENTERPRISE in the box. 5. Click OK, and then start the server. Repeat for each Business Objects server in your installation. To registers servers with the CMS cluster on UNIX Use ccm.sh to stop each server. Use a text editor such as vi to open the ccm.config file found in the root directory of your BusinessObjects Enterprise installation. Find the -ns command in the launch string for each server, and change the name of the CMS to the name of the CMS cluster. The name of the cluster begins with the @ symbol. For example, if the cluster name was changed to ENTERPRISE, type @ENTERPRISE. Do not include a port number with the cluster name. 4. Save the file, and then use ccm.sh to restart the servers. 1. 2. 3. BusinessObjects Enterprise Administrator’s Guide 97 5 Managing and Configuring Servers Configuring the intelligence tier Copying data from one CMS database to another BusinessObjects Enterprise enables you to copy the contents of one CMS database into another database. This procedure is also referred to as migrating a CMS database. You can migrate CMS data from a different CMS database (versions 8.5 through 10 of Crystal Enterprise and version XI of BusinessObjects Enterprise) into your current CMS database. Or, you can migrate the data from your current CMS database into a different data source. Throughout this section, the source CMS database refers to the database that holds the data you are copying; this data is copied into the destination database. The destination database is initialized before the new data is copied in, so any existing contents of the destination database are permanently deleted (all BusinessObjects Enterprise tables are destroyed permanently and then recreated). Once the data has been copied, the destination database is established as the current database for the CMS. Note: Prior to BusinessObjects Enterprise XI, the CMS was known as Crystal Management Server, and also as the Automated Process Scheduler (APS). Tip: If you want to import users, groups, folders, and reports from one system to another, without deleting the contents of the current CMS database, see “Importing with the Import Wizard” on page 402. Depending on the platform of your system and the version of your CMS database, migrating a CMS database will include several of the following tasks: • • • • “Preparing to migrate a CMS database” on page 98 “Copying data from a CMS on Windows” on page 100 “Copying data from a Crystal Enterprise 8 APS on Windows” on page 101 “Completing a CMS database migration” on page 104 Preparing to migrate a CMS database Before migrating a CMS database, take the source and the destination environments offline by disabling and subsequently stopping all servers. Back up both CMS databases, and back up the root directories used by all Input and Output File Repository Servers. If necessary, contact your database or network administrator. Ensure that you have a database user account that has permission to read all data in the source database, and a database user account that has Create, Delete, and Update rights to the destination database. Ensure also that you can connect to both databases—through your database client software or through ODBC, according to your configuration—from the CMS machine whose database you are replacing. 98 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the intelligence tier 5 Make a note of the license keys you purchased for the current version of BusinessObjects Enterprise. During migration, license keys that are present in the destination database are retained only if the source database contains no license keys that are valid for the current version of BusinessObjects Enterprise. License keys in the destination database are replaced with license keys from the source database when the source license keys are valid for the current version of BusinessObjects Enterprise. License keys from earlier versions of Crystal Enterprise are not copied. If you are copying CMS data from a different CMS database (version 8.0, 8.5, 9, or 10 of Crystal Enterprise or version XI of BusinessObjects Enterprise) into your current CMS database, your current CMS database is the destination database whose tables are deleted before they are replaced with the copied data. In this scenario, make note of the current root directories used by the Input and Output File Repository Servers in the source environment. The database migration does not actually move report files from one directory location to another. After you migrate the database, you will connect your new Input and Output File Repository Servers to the old root directories, thus making the report files available for the new system to process. Log on with an administrative account to the CMS machine whose database you want to replace. Complete the procedure that corresponds to the version of the source environment: • • “Copying data from a CMS on Windows” on page 100 “Copying data from a Crystal Enterprise 8 APS on Windows” on page 101 If you are copying a CMS database from its current location to a different database server, your current CMS database is the source environment. Its contents are copied to the destination database, which is then established as the active database for the current CMS. This is the procedure to follow if you want to move the default CMS database on Windows from the local Microsoft Data Engine (MSDE) to a dedicated database server, such as Microsoft SQL Server, Informix, Oracle, DB2, or Sybase. Log on with an administrative account to the machine that is running the CMS whose database you want to move. Complete the following procedure: • • • • “Copying data from a CMS on Windows” on page 100 “Copying data from a CMS installed on UNIX” on page 103 When you migrate a CMS database from an earlier version of Crystal Enterprise, the database and database schema are upgraded to the format required by the current version of BusinessObjects Enterprise. When you copy data from one database to another, the destination database is initialized before the new data is copied in. That is, if your destination database does not contain the four BusinessObjects Note: BusinessObjects Enterprise Administrator’s Guide 99 5 Managing and Configuring Servers Configuring the intelligence tier Enterprise XI system tables, these tables are created. If the destination database does contain BusinessObjects Enterprise XI system tables, the tables will be permanently deleted, new system tables will be created, and data from the source database will be copied into the new tables. Other tables in the database, including previous versions of Crystal Enterprise system tables, are unaffected. Copying data from a CMS on Windows Use this procedure if your CMS is installed on Windows and you are copying data from versions 8.5, 9, or 10 of Crystal Enterprise or from version XI of BusinessObjects Enterprise. If you are copying data from version 8 of Crystal Enterprise, please see “Copying data from a Crystal Enterprise 8 APS on Windows” on page 101. 1. 2. 3. To copy data from a CMS on Windows Use the CCM to stop the Central Management Server. With the CMS selected, click Specify CMS Data Source on the toolbar. Click Copy data from another Data Source; then click OK. The Specify Data Source dialog box appears. 4. In the “Source contains data from version” list, click Autodetect (or explicitly select the version of the source CMS database). You must now specify the source CMS database whose contents you want to copy. 5. 6. Click Specify. In the Select Database Driver dialog box, specify whether you want to connect to the source CMS database through ODBC, Informix, or through one of the native drivers. Click OK. The next steps depend upon the connection type you selected: 7. 8. 100 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the intelligence tier 5 • If you selected ODBC or Informix, the Windows “Select Data Source” dialog box appears. Select the data source that corresponds to the source CMS database; then click OK. If prompted, provide your database credentials and click OK. If you selected a native driver, provide your database Server Name, your Login ID, and your Password; then click OK. • You are returned to the Specify Data Source dialog box. You must now specify the destination CMS database whose contents you want to replace with the copied data. Tip: If the correct destination database already appears in the “Copy to the following data source” field, proceed to step 13. 9. Click Browse. 10. In the Select Database Driver dialog box, specify whether you want to connect to the destination CMS database through ODBC, or through one of the native drivers. 11. Click OK. 12. The next steps depend upon the connection type you selected: • If you selected ODBC, the Windows “Select Data Source” dialog box appears. Select the ODBC data source that corresponds to the destination CMS database; then click OK. If prompted, provide your database credentials and click OK. If you selected a native driver, provide your database Server Name, your Login ID, and your Password; then click OK. • You are returned to the Specify Data Source dialog box. You are now ready to copy the CMS data. 13. Click OK and, when prompted to confirm, click Yes. The SvcMgr dialog box notifies you when the CMS database setup is complete. 14. Click OK. 15. Proceed to “Completing a CMS database migration” on page 104. Copying data from a Crystal Enterprise 8 APS on Windows Note: Prior to BusinessObjects Enterprise XI, the CMS was known as Crystal Management Server, and also as the Automated Process Scheduler (APS). Use this procedure if your CMS is installed on Windows, and you are copying data from a Crystal Enterprise 8 APS system database. BusinessObjects Enterprise Administrator’s Guide 101 5 Managing and Configuring Servers Configuring the intelligence tier 1. 2. 3. 4. To copy data from a Crystal Enterprise 8 APS on Windows Use the CCM to stop the Central Management Server. With the CMS selected, click Specify CMS Data Source on the toolbar. Click Copy data from another Data Source; then click OK. The Specify Data Source dialog box appears. In the “Source contains data from version” list, click Crystal Enterprise 8.0. You must now specify the source CMS database whose contents you want to copy. 5. 6. Click Specify. In the “Browse data” dialog box, click one of the following: • CMS machine name Click this option if you have administrative rights to the Crystal Enterprise 8 CMS machine. Your administrative rights allow the CCM to read the data source information from the Windows Registry on the CMS machine. Click OK and use the Browse for Computer dialog box to specify the CMS machine. • CMS ODBC data source Click this option if you do not have administrative rights to the Crystal Enterprise 8 CMS machine. Use the Windows “Select Data Source” dialog box to select (or create) an ODBC data source that provides the local machine with access to the Crystal Enterprise 8 CMS database. If prompted, provide your database credentials and click OK. You are returned to the Specify Data Source dialog box. You must now specify the destination CMS database whose contents you want to replace with the copied data. Tip: If the correct destination database already appears in the “Copy to the following data source” field, proceed to step 11. 7. 8. Click Browse. In the Select Database Driver dialog box, specify whether you want to connect to the destination CMS database through ODBC, or through one of the native drivers. Click OK. 9. 10. The next steps depend upon the connection type you selected: • If you selected ODBC, the Windows “Select Data Source” dialog box appears. Select the ODBC data source that corresponds to the destination CMS database; then click OK. If prompted, provide your database credentials and click OK. 102 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the intelligence tier 5 • If you selected a native driver, provide your database Server Name, your Login ID, and your Password; then click OK. You are returned to the Specify Data Source dialog box. You are now ready to copy the CMS data. 11. Click OK and, when prompted to confirm, click Yes. The SvcMgr dialog box notifies you when the CMS database setup is complete. Note: Migration of a large source database could take several hours. 12. Click OK. 13. Proceed to “Completing a CMS database migration” on page 104. Copying data from a CMS installed on UNIX Note: Prior to BusinessObjects Enterprise XI, the CMS was known as Crystal Management Server, and also as the Automated Process Scheduler (APS). Use this procedure if your CMS is installed on UNIX and you are copying data from versions 8.5, 9, or 10 of Crystal Enterprise or from version XI of BusinessObjects Enterprise. Then proceed to “Completing a CMS database migration” on page 104. Note: • On UNIX you can not migrate directly from a source environment that uses an ODBC connection to the CMS database. If your source CMS database uses ODBC, you must first migrate that system to a supported native driver. (See “Copying data from a CMS on Windows” on page 100.) If your CMS is installed on UNIX, you cannot migrate directly from a Crystal Enterprise version 8 APS. To copy data from a CMS installed on UNIX Use ccm.sh to stop the Central Management Server. See “ccm.sh” on page 598. Run cmsdbsetup.sh. When prompted, enter the name of your CMS or press enter to select the default name. Tip: For information on finding the name of your CMS, see “ccm.sh” on page 598. • 1. 2. 3. 4. Type copy to begin the database migration. The script prompts you to confirm that all data in the destination database will deleted. Type yes, and then press enter to proceed. BusinessObjects Enterprise Administrator’s Guide 103 5 Managing and Configuring Servers Configuring the intelligence tier 5. Next the script asks you for the version of your source Crystal Enterprise installation. You can also select autodetect to have the version of the source detected automatically. Press Enter. Now the script asks you if you want to use the current CMS database as your destination. If you type no, you are first asked for information about the new destination database, and are then prompted for information on the source database. If you type yes, you are prompted for information about the source CMS database. 6. 7. After entering the source information, the script will begin the migration process. Note: Migration of a large source database could take several hours. The script notifies you when migration is complete. If errors occurred during the migration, the script gives you the location of a log file explaining the migration results. 8. 9. Proceed to “Completing a CMS database migration” on page 104. Completing a CMS database migration When you finish copying data from the source database to the destination database, complete these steps before allowing users to access the system. When migrating from an older version of Crystal Enterprise, servers that existed in the source installation do not appear in the migrated install. This occurs because there cannot be a mix of old and new servers in a BusinessObjects Enterprise installation. Server groups from the old installation appear in the new system, but they will be empty. New servers are automatically detected and added to the servers list (outside of any group) in a disabled state. You must enable these servers before they can be used. You may add the new servers to the imported groups as appropriate. Reports that depend on a particular server group for scheduled processing will not execute until a job server is added to that group. Reports that depend on a particular server group for processing are not available until servers are added to that group. 1. To complete a CMS database migration on Windows If errors occurred during migration, a db_migration log file was created in the logging directory on the machine where you ran the CCM to carry out the migration. The CCM will notify you if you need to check the log file. The default logging directory is: 104 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the intelligence tier 5 C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Logging\ 2. If you migrated CMS data from a different CMS database into your current CMS database, you need to make your old input and output directories available to the new Input and Output File Repository Servers. You can do this in several ways: • Copy the contents of the original input root directory into the root directory that the new Input File Repository Server is already configured to use. Then copy the contents of the original output directory into the root directory that the new Output File Repository is already configured to use. Reconfigure the new Input and Output File Repository Servers to use the old input and output root directories. If the old Input and Output File Repository Servers are running on a dedicated machine, you can run the BusinessObjects Enterprise setup program to upgrade the servers directly. Then you need not move the input and output directories. Instead, modify the -ns option in both servers’ command lines to have them register with your new CMS. See Appendix E: Server Command Lines for more information. • • For more information, see “Setting root directories and idle times of the File Repository Servers” on page 110. 3. 4. 5. Use the Central Configuration Manager (CCM) to start the CMS on the local machine. Make sure your web application server is running. Log on to the Central Management Console with the default Administrator account, using Enterprise authentication. Tip: If you just replaced your CMS database with data from an older system, keep in mind that you now need to provide the Administrator password that was valid in the older system. 6. 7. 8. Go to the Authorization management area and check that your BusinessObjects Enterprise license keys are entered correctly. In the CCM, start and enable the Input File Repository Server and the Output File Repository Server. Go to the Servers management area of the Central Management Console and verify that the Input File Repository Server and the Output File Repository Server are both started and enabled. Click the link to each File Repository Server and, on the Properties tab, check that the Root Directory points to the correct location. 9. 10. Return to the Central Configuration Manager. BusinessObjects Enterprise Administrator’s Guide 105 5 Managing and Configuring Servers Configuring the intelligence tier 11. If objects in your source database require updating, the Update Objects button on the toolbar contains a flashing red exclamation mark. Click Update Objects. 12. When prompted, log on to your CMS with credentials that provide you with administrative privileges to BusinessObjects Enterprise. The Update Objects dialog box tells you how many objects require updating. Objects typically require updating because their internal representation has changed in the new version of BusinessObjects Enterprise, or because the objects require new properties to support the additional features offered by BusinessObjects Enterprise XI. Because your Central Management Server was stopped when the migration occurred, you need to update the objects now. 13. If there are objects that require updating, click Update, otherwise click Cancel. 14. Start and enable the remaining BusinessObjects Enterprise servers. 15. Verify that BusinessObjects Enterprise requests are handled correctly, and check that you can view and schedule reports successfully. 1. To complete a CMS database migration on UNIX If errors occurred during migration, a db_migration log file was created in the logging directory on the machine where you ran cmsdbsetup.sh to carry out the migration. The script will notify you if you need to check the log file. The default logging directory is: BusinessObjects_root/logging where BusinessObjects_root is the absolute path to the root Business Objects directory of your BusinessObjects Enterprise installation. 2. If you migrated CMS data from a different CMS database into your current CMS database, you need to make your old input and output directories available to the new Input and Output File Repository Servers. You can do this in several ways: • Copy the contents of the original input root directory into the root directory that the new Input File Repository Server is already configured to use. Then copy the contents of the original output directory into the root directory that the new Output File Repository is already configured to use. Reconfigure the new Input and Output File Repository Servers to use the old input and output root directories. • 106 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the intelligence tier 5 • If the old Input and Output File Repository Servers are running on a dedicated machine, you can run the BusinessObjects Enterprise setup program to upgrade the servers directly. Then you need not move the input and output directories. Instead, modify the -ns option in both servers’ command lines to have them register with your new CMS. See Appendix E: Server Command Lines for more information. For more information, see “Setting root directories and idle times of the File Repository Servers” on page 110. 3. 4. 5. Use the ccm.sh script to start the CMS on the local machine. See “ccm.sh” on page 598 for more information. Ensure that the Java web application server that hosts your Web Component Adapter is running. Log on to the Central Management Console with the default Administrator account, using Enterprise authentication. Tip: If you just replaced your CMS database with data from an older system, keep in mind that you now need to provide the Administrator password that was valid in the older system. 6. 7. 8. Go to the Authorization management area and check that your BusinessObjects Enterprise license keys are entered correctly. Use the ccm.sh script to start and enable the Input File Repository Server and the Output File Repository Server. Go to the Servers management area of the Central Management Console and verify that the Input File Repository Server and the Output File Repository Server are started and enabled. Click the link to each File Repository Server and, on the Properties tab, check that the Root Directory points to the correct location. 9. 10. Run the ccm.sh script again. If you migrated a source database from an earlier version of BusinessObjects Enterprise, enter the following command: ./ccm.sh -updateobjects authentication info See Appendix F: UNIX Tools for information on the authentication information required by ccm.sh. Objects typically require updating because their internal representation has changed in the new version of BusinessObjects Enterprise, or because the objects require new properties to support the additional features offered by BusinessObjects Enterprise XI. 11. Use ccm.sh to start and enable the remaining BusinessObjects Enterprise servers. BusinessObjects Enterprise Administrator’s Guide 107 5 Managing and Configuring Servers Configuring the intelligence tier 12. Verify that BusinessObjects Enterprise requests are handled correctly, and check that you can view and schedule reports successfully. Deleting and recreating the CMS database This procedure shows how to recreate (re-initialize) the current CMS database. By performing this task, you destroy all data that is already present in the database. This procedure is useful, for instance, if you have installed BusinessObjects Enterprise in a development environment for designing and testing your own, custom web applications. You can re-initialize the CMS database in your development environment every time you need to clear the system of absolutely all its data. When you recreate the CMS database with the CCM, your existing license keys should be retained in the database. However, if you need to enter license keys again, log on to the CMC with the default Administrator account (which will have been reset to have no password). Go to the Authorization management area and enter your information on the License Keys tab. Note: Remember that all data in your current CMS database will be destroyed if you follow this procedure. Consider backing up your current CMS database before beginning. If necessary, contact your database administrator. 1. 2. 3. 4. To recreate the CMS database on Windows Use the CCM to stop the Central Management Server. With the CMS selected, click Specify CMS Data Source on the toolbar. In the CMS Database Setup dialog box, click Recreate the current Data Source. Click OK and, when prompted to confirm, click Yes. The SvcMgr dialog box notifies you when the CMS database setup is complete. 5. 6. Click OK. You are returned to the CCM. Start the Central Management Server. While it is starting, the CMS writes required system data to the newly emptied data source. You may need to click the Refresh button in the CCM to see that the CMS has successfully started. To recreate the CMS database on UNIX Use the cmsdbsetup.sh script. For reference, see “cmsdbsetup.sh” on page 601. 108 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the intelligence tier 5 Selecting a new or existing CMS database Follow this procedure if you want to disconnect a CMS from its current database and connect it to an alternate database. When you complete these steps, none of the data in the current database is copied into the alternate database. If the alternate database is empty, the CCM initializes it by writing system data that is required by BusinessObjects Enterprise. If the alternate database already contains BusinessObjects Enterprise system data, the CMS uses that data when it starts. Generally, there are only a few times when you need to complete these steps: • • • If you have changed the password for the current CMS database, these steps allow you to disconnect from, and then reconnect to, the current database. When prompted, you can provide the CMS with the new password. If you want to select and initialize an empty database for BusinessObjects Enterprise, these steps allow you to select that new data source. If you have restored a CMS database from backup (using your standard database administration tools and procedures) in a way that renders the original database connection invalid, you will need to reconnect the CMS to the restored database. (This might occur, for instance, if you restored the original CMS database to a newly installed database server.) Note: These steps are essentially the same as adding a CMS to an existing cluster; in this case, however, there are no other CMS machines already maintaining the database. For complete details about CMS clusters, see “Clustering Central Management Servers” on page 92. 1. 2. To select a new or existing database for a CMS on Windows Use the CCM to stop the Central Management Server. With the CMS selected, click Specify CMS Data Source on the toolbar. The CMS Database Setup dialog box appears. 3. 4. 5. 6. Click Select a Data Source; then click OK. In the Select Database Driver dialog box, specify whether you want to connect to the new database through ODBC, or through one of the native drivers. Click OK. The remaining steps depend upon the connection type you selected: • If you selected ODBC, the Windows “Select Data Source” dialog box appears. Select the ODBC data source that you want to use as the CMS database; then click OK. (Click New to configure a new DSN.) When prompted, provide your database credentials and click OK. BusinessObjects Enterprise Administrator’s Guide 109 5 Managing and Configuring Servers Configuring the intelligence tier • If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK. The SvcMgr dialog box notifies you when the CMS database setup is complete. 7. 8. Click OK. Start the Central Management Server. To select a new or existing database for a CMS on UNIX Use the cmsdbsetup.sh script. For reference, see “cmsdbsetup.sh” on page 601 Setting root directories and idle times of the File Repository Servers The Properties tabs of the Input and Output File Repository Servers enable you to change the locations of the default root directories. These root directories contain all of the report objects and instances on the system. You may change these settings if you want to use different directories after installing BusinessObjects Enterprise, or if you upgrade to a different drive (thus rendering the old directory paths invalid). Note: • The Input and Output File Repository Servers must not share the same root directory, because modifications to the files and subdirectories belonging to one server could have adverse effects on the other server. In other words, if the Input and Output File Repository Servers share the same root directory, then one server might damage files belonging to the other. 110 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the intelligence tier 5 • If you run multiple File Repository Servers, all Input File Repository Servers must share the same root directory, and all Output File Repository Servers must share the same root directory (otherwise there is a risk of having inconsistent instances). It is recommended that you replicate the root directories using a RAID array or an alternative hardware solution. The root directory should be on a drive that is local to the server. • • You can also set the maximum idle time of each File Repository Server. This setting limits the length of time that the server waits before it closes inactive connections. Before you change this setting, it is important to understand that setting a value too low can cause a user's request to be closed prematurely. Setting a value that is too high can result the uneasier consumption of system resources such as processing time and disk space. 1. 2. To modify settings for a File Repository Server Go to the Servers management area of the CMC. Click the link to the File Repository Server you want to change. By default, the File Repository Servers are named Input and Output, respectively. If you run multiple instances of each server, their names should be prefixed with “Input.” and “Output.” as appropriate. 3. Make your changes on the Properties tab. In this example, the Input File Repository Server is set to use D:\InputFRS\ as its root directory. The server will remain idle for a maximum of 15 minutes. 4. Click either Apply or Update: • • Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect. BusinessObjects Enterprise Administrator’s Guide 111 5 Managing and Configuring Servers Configuring the intelligence tier Modifying Cache Server performance settings The Properties tab of the Cache Server allows you to set the location of the cache files, the maximum cache size, the maximum number of simultaneous processing threads, the number of minutes before an idle job is closed, and the number of minutes between refreshes from the database. 1. 2. 3. To modify Cache Server performance settings Go to the Servers management area of the CMC. Click the link to the Cache Server whose settings you want to change. Make your changes on the Properties tab. In this example, the Cache Server retains most of the default settings, but the “Maximum Simultaneous Processing Threads” is increased to 50. 112 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the intelligence tier 5 4. Click either Apply or Update: • • Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect. Location of the Cache Files The “Location of the Cache Files” setting specifies the absolute path to the directory on the Cache Server machine where the cached report pages (.epf files) are stored. Note: The cache directory must be on a drive that is local to the server. Maximum Cache Size Allowed The “Maximum Cache Size Allowed” setting limits the amount of hard disk space (in KBytes) that is used to cache reports. When the Cache Server has to handle large numbers of reports, or reports that are especially complex, a larger cache size is needed. The default value is 5000 Kbytes, which is large enough to optimize performance for most installations. Maximum Simultaneous Processing Threads The “Maximum Simultaneous Processing Threads” setting limits the number of concurrent reporting requests that the Cache Server processes. The default value is set to “Automatic”, and is acceptable for most, if not all, reporting scenarios. With this setting, the Cache Server sets the maximum number of threads using the number of processors in your system as a guide. If your Cache Server responds slowly under high load, and resource utilization on the machine is high (that is, either memory usage is high or CPU utilization is high, particularly in the kernel), you may wish to decrease the number of threads to improve performance. If the Cache Server is slow under high load but CPU utilization is low, increasing the number of threads may improve performance. However, the ideal setting for your reporting environment is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings. Minutes Before an Idle Connection is Closed The “Minutes Before an Idle Connection is Closed” setting alters the length of time that the Cache Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a BusinessObjects Enterprise Administrator’s Guide 113 5 Managing and Configuring Servers Configuring the intelligence tier value too low can cause a user’s request to be closed prematurely, and setting a value that is too high can cause requests to be queued while the server waits for idle jobs to be closed. Oldest On-Demand Data Given To a Client (in minutes) The “Oldest On-Demand Data Given To a Client (in minutes)” setting determines how long cached report pages are used before new data is requested from the database. This setting is respected for report instances with saved data, and for report objects that do not have on-demand subreports or parameters and that do not prompt for database logon information. Generally, the default value of 15 minutes is acceptable: as with other performance settings, the optimal value is largely dependent upon your reporting requirements. Viewer Refresh Always Yields Current Data When enabled, the “Viewer Refresh Always Yields Current Data” setting ensures that, when users explicitly refresh a report, all cached pages are ignored, and new data is retrieved directly from the database. When disabled, this setting prevents users from retrieving new data more frequently than is permitted by the time specified in the “Minutes Between Refreshes from Database” setting. Modifying the polling time of the Event Server The Properties tab of the Event Server allows you to change the frequency with which the Event Server checks for file events. This “File Polling Interval in Seconds” setting determines the number of seconds that the server waits between polls. The minimum value is 1 (one). It is important to note that, the lower the value, the more resources the server requires. Tip: On Windows, you can also change this setting in the CCM. Stop the Event Server and view its Properties. Then click the Configuration tab. 1. 2. 3. 4. 5. To modify the polling time Go to the Servers management area of the CMC. Click the link to the Event Server whose settings you want to change. Make your changes on the Properties tab. The value that you type must be 1 or greater. Click Update. Return to the Servers management area of the CMC. 114 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 Configuring the processing tier This section includes technical information and procedures that show how you can modify settings for the BusinessObjects Enterprise servers that make up the processing tier. The processing tier includes different job servers, Page Servers, Report Application Servers, and Web Intelligence Job Servers and Web Intelligence Report Servers. The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Configuring the processing tier includes: • • • • • • • • “Modifying Page Server performance settings” on page 115 “Modifying database settings for the RAS” on page 118 “Modifying performance settings for the RAS” on page 120 “Modifying performance settings for job servers” on page 121 “Configuring the Web Intelligence Report Server” on page 122 “Configuring the destinations for job servers” on page 125 “Configuring Windows processing servers for your data source” on page 132 “Configuring UNIX processing servers for your data source” on page 133 Modifying Page Server performance settings The Properties tab of the Page Server in the Central Management Console lets you set the location of temporary files, the maximum number of simultaneous report jobs, the minutes before an idle connection is closed, the minutes before a processing job is closed, the number of database records to read when previewing or refreshing a report, the oldest processed data to give a client, and when to disconnect from the report job database. BusinessObjects Enterprise Administrator’s Guide 115 5 Managing and Configuring Servers Configuring the processing tier 1. 2. 3. 4. To modify Page Server performance settings Go to the Servers management area of the CMC. Click the link to the Page Server whose settings you want to change. Make your changes on the Properties tab. Click either Apply or Update: • • Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect. Location of Temp Files The “Location of Temp Files” setting specifies the absolute path to a directory on the Page Server machine.This directory must have plenty of free hard disk space. If not enough disk space is available, job processing may be slower than usual, or job processing may fail. Maximum Simultaneous Report Jobs The “Maximum Simultaneous Report Jobs” setting limits the number of concurrent reporting requests that any single Page Server processes. The default value of 75 is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your 116 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings. Minutes Before an Idle Connection is Closed The “Minutes Before an Idle Connection is Closed” setting alters the length of time that the Page Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a user’s request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary. Minutes before an Idle Report Job is Closed The “Minutes before an Idle Report Job is Closed” setting alters the length of time that the Page Server keeps a report job active. Before you change this setting, it is important to understand that setting a value too low can cause a user’s request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary. (Note that this setting works in conjunction with the “Report Job Database Connection” setting.) Database Records to Read When Previewing Or Refreshing a Report The “Database Records to Read When Previewing Or Refreshing a Report” area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is useful when you want to prevent users from running on-demand reports containing queries that return excessively large record sets. You may prefer to schedule such reports, both to make the reports available more quickly to users and to reduce the load on your database from these large queries. Oldest On-Demand Data Given to a Client (in minutes) The “Oldest On-Demand Data Given To a Client (in minutes):” setting controls how long the Page Server uses previously processed data to meet requests. If the Page Server receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the Page Server will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information. When setting the value of the “oldest processed data given to a client” consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0. BusinessObjects Enterprise Administrator’s Guide 117 5 Managing and Configuring Servers Configuring the processing tier Viewer Refresh Always Yields Current Data When enabled, the “Viewer Refresh Always Yields Current Data” setting ensures that, when users explicitly refresh a report, all previously processed data is ignored, and new data is retrieved directly from the database. When disabled, the setting ensures that the Page Server will treat requests generated by a viewer refresh in exactly the same way as it treats as new requests. Report Job Database Connection The “Report Job Database Connection” settings can be used to make a tradeoff between the number of database licenses you use and the performance you can expect for certain types of reports. If you select “Disconnect when all records have been retrieved or the job is closed”, the Page Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that Page Server stays connected to your database server, and therefore limits the number of database licenses consumed by the Page Server. However, if the Page Server needs to reconnect to the database to generate an on-demand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected “Disconnect when the job is closed”. (The latter option ensures that Page Server stays connected to the database server until the report job is closed. Note that you can set the “Minutes before a Report Job is Closed” above.) Modifying database settings for the RAS The Database tab of the Report Application Server (RAS) in the Central Management Console lets you modify the way the server runs reports against your databases. 1. 2. 3. 4. To modify database interaction settings for the RAS Go to the Servers management area of the CMC. Click the link to the RAS whose settings you want to change. Make your changes on the Database tab. Click either Apply or Update: • • Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect. 118 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Database. Number of database records to read when previewing or refreshing a report The “Number of database records to read when previewing or refreshing a report” area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is particularly useful if you provide users with ad hoc query and reporting tools, and you want to prevent them from running queries that return excessively large record sets. When the RAS retrieves records from the database, the query results are returned in batches. The “Number of records per batch” setting allows you to determine the number of records that are contained in each batch. The batch size cannot be equal to or less than zero. Number of records to browse The “Number of records to browse” setting allows you to specify the number of distinct records that will be returned from the database when browsing through a particular field’s values. The data will be retrieved first from the client’s cache—if it is available—and then from the server’s cache. If the data is not in either cache, it is retrieved from the database. Oldest on-demand data given to a client (in minutes) The “Oldest on-demand data given to a client (in minutes)” setting controls how long the RAS uses previously processed data to meet requests. If the RAS receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the RAS will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information. When setting the value of the “oldest on-demand data given to a client” consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0. This is the default on the RAS, to support the data needs of users performing ad hoc reporting. Report Job Database Connection The “Report Job Database Connection” settings can be used to make a tradeoff between the number of database licenses you use and the performance you can expect for certain types of reports. BusinessObjects Enterprise Administrator’s Guide 119 5 Managing and Configuring Servers Configuring the processing tier If you select “Disconnect when all records have been retrieved or the job is closed”, the Report Application Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that RAS stays connected to your database server, and therefore limits the number of database licenses consumed by the RAS. However, if the RAS needs to reconnect to the database to generate an ondemand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected “Disconnect when the job is closed”. (The latter option ensures that RAS stays connected to the database server until the report job is closed.) Modifying performance settings for the RAS The Server tab of the Report Application Server (RAS) in the Central Management Console allows you to modify the number of minutes before an idle connection is closed, and the maximum number of simultaneous processing threads. Note: The RAS server must have been installed and configured in order to use the List of Values Job Server. For more information, see “Processing tier” on page 64. 1. 2. 3. 4. To modify performance settings for the RAS Go to the Servers management area of the CMC. Click the link to the RAS whose settings you want to change. Make your changes on the Server tab. Click either Apply or Update: • • Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect. Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Server. Minutes Before an Idle Connection is Closed The “Minutes Before an Idle Connection is Closed” setting alters the length of time that the RAS waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a user’s request to be closed prematurely, and setting a value 120 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 that is too high can affect the server’s scalability (for instance, if the ReportClientDocument object is not closed explicitly, the server will be waiting unnecessarily for an idle job to close). Maximum Simultaneous Report Jobs The “Maximum Simultaneous Report Jobs” setting limits the number of concurrent reporting requests that a RAS processes. The default value is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings. Modifying performance settings for job servers By default, the job servers run jobs as independent processes rather than as threads. This method allows for more efficient processing of large, complex reports. Use the following procedure to modify the performance settings for any of the job servers, that is the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, and the Web Intelligence Job Server. 1. 2. 3. 4. 5. To modify performance settings for job servers Go to the Servers management area of the CMC. Click the link to the job server whose settings you want to change. Make your changes on the Properties tab. Click Update. Return to the Servers management area of the CMC. Maximum Jobs Allowed The “Maximum Jobs Allowed” setting limits the number of concurrent independent processes (child processes) that the server allows—that is, it limits the number of scheduled objects that the server will process at any one time. You can tailor the maximum number of jobs to suit your reporting environment. BusinessObjects Enterprise Administrator’s Guide 121 5 Managing and Configuring Servers Configuring the processing tier The default “Maximum Jobs Allowed” setting is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings. Temp Directory You can also change the default directory where the server stores its temporary files. Configuring the Web Intelligence Report Server Use the following procedure to configure the performance settings for the Web Intelligence Report Server. 1. 2. 3. 4. To modify performance settings for the Web Intelligence report server Go to the Servers management area of the CMC. Click the link to the Web Intelligence Report Server whose settings you want to change. Make your changes on the Properties tab. Click either Apply or Update: • • 5. Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect. Return to the Servers management area of the CMC and restart the Job Server. 122 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 Maximum Simultaneous Connections The maximum number of simultaneous connections that the server allows at one time, from sources such the Web Intelligence SDK or the Web Intelligence Job Server. If this limit is reached, the user will receive an error message, unless another server is available to handle the request. Connection Time Out The number of minutes before an idle connection to the Web Intelligence Report Server will be closed. List of Values Batch Size The maximum number of values that can be returned per list of values batch. For example, if the number of values in a list of values exceeds this size, then the list of values will be returned to the user in several batches of this size or less. The minimum value that you can enter is 10. Although there is no limit on the maximum value, Business Objects recommends that you limit it to 30000. Universe Cache Size The number of universes to be cached on the Web Intelligence Report Server. List of Values Caching Enables or disables caching per user session of list of values in Web Intelligence Report Server. The default is for the feature to be on. BusinessObjects Enterprise Administrator’s Guide 123 5 Managing and Configuring Servers Configuring the processing tier Enable Viewing Caching When this parameter is on, real-time caching is possible for Web Intelligence documents when they are viewed, or when they are generated as a result of having been run as a scheduled job. When this parameter is off both real-time caching of Web Intelligence documents and viewing of cached Web Intelligence documents is impossible. Real-time caching is done only if both this parameter and the Enable Real Time Caching parameters are on. Enable Real Time Caching When this parameter is on, the Web Intelligence Report Server caches Web Intelligence documents when the documents are viewed. The server also caches the documents when they are run as a scheduled job, provided the pre-cache was enabled in the document. When the parameter is off, the Web Intelligence Report Server does not cache the Web Intelligence documents when the documents are viewed. Nor does it cache the documents when they are run as a scheduled job. This parameter is taken into account only when the Enable Viewing Caching is set to on. Note: To improve system performance, set the Maximum Number Of Downloaded Documents To Cache to zero when this option is selected, but enter a value for Maximum Number Of Downloaded Documents To Cache when this option deselected. Document Cache Duration The amount of time (in minutes) that content is stored in cache. Document Cache Size The size (in kilobytes) of the document cache. Amount of Cache To Keep When Document Cache is Full If the storage size is bigger than the allocated storage size, the system will delete documents with the oldest “last accessed time.” Then if the cache size is still exceeds the maximum storage size, the Web Intelligence Report Server will clean up the cache until the amount of cache percentage is reached. Document Cache Scan Interval The number of minutes that the system waits before checking the document cache for cleanup. Maximum Number of Downloaded Documents To Cache The number of Web Intelligence documents that can be stored in cache. 124 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 Note: To improve system performance, set this value to zero when Enable Real Time Caching is selected, but enter a value when Enable Real Time Caching is deselected. Configuring the destinations for job servers By default, when the system runs a scheduled report or a program object, it stores the output instance it creates on the Output File Repository Server (FRS). However, you can specify a different destination. If you do, the system will store one output instance on the Output FRS, and one at the specified destination. You also specify a destination when you use the Send to feature, which sends an existing object to a specified destination. In order for the system to work with destinations other than the default, the destination must have been enabled and configured on the respective job server. For example, to be able to schedule a report object for output to an unmanaged disk, you have to enable and configure the Unmanaged Disk destination on the Job Server. To send a report instance by email, you have to configure the Email (SMTP) destination on the Destination Job Server. Configuring destinations for job servers includes: • • • • “Enabling or disabling destinations for job servers” on page 125 “Configuring the destination properties for job servers” on page 126 “Selecting a destination” on page 481 “Sending an object or instance” on page 420 For information about selecting destinations for objects see: Enabling or disabling destinations for job servers This procedure applies to the Job Server, Program Job Server, Destination Job Server, List of Values Job Server, and Web Intelligence Job Server. For a job server to store output instances in a destination other than the default, you have to enable and configure the other destinations on the job servers. See also “Configuring the destination properties for job servers” on page 126. Note: On the Destination Job Server, the Inbox destination is enabled by default. This allows you to use the “Send to” feature and to distribute reports to users within the BusinessObjects Enterprise system. If you want, you can enable and configure additional destinations on the Destination Job Server. BusinessObjects Enterprise Administrator’s Guide 125 5 Managing and Configuring Servers Configuring the processing tier 1. 2. 3. 4. To enable or disable destinations for a job server Go to the Servers management area of the CMC. Click the link for the job server for which you want to enable or disable a destination. Select the check box for each destination you want to support. Click Enable. To disable destinations, click Disable. When a destination is disabled a red circle is shown beside the name. 5. If you enabled the destination, you must also configure the destination. See “Configuring the destination properties for job servers” on page 126. Configuring the destination properties for job servers This procedure applies to the Job Server, Program Job Server, Destination Job Server, List of Values Job Server, and Web Intelligence Job Server. For a job server to store output instances in a destination other than the default, you have to enable and configure the other destinations on the job servers. See also “Enabling or disabling destinations for job servers” on page 125. 1. 2. 3. 4. 5. To set the destination properties for a job server Go to the Servers management area of the CMC. Click the link for the job server whose setting you want to change. Click the Destinations tab. Click the link for the destination whose setting you want to set, for example, FTP. Set the properties for the destination. For information about the properties for each destination, see: • • • • 6. 7. “Inbox destination properties” on page 127 “Unmanaged Disk destination properties” on page 131 “FTP destination properties” on page 130 “Email (SMTP) destination properties” on page 128 Click Update. Make sure the destination has been enabled. See “Enabling or disabling destinations for job servers” on page 125. 126 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 Inbox destination properties The Inbox destination stores an object or instance in the user inboxes on the BusinessObjects Enterprise system. A user inbox is automatically created when you add a user. For more information, see “Configuring the destination properties for job servers” on page 126 and “Controlling access to user inboxes” on page 352. Note: On the Destination Job Server, the Inbox destination is enabled by default. This allows you to use the “Send to” feature and to distribute reports to users within the BusinessObjects Enterprise system. If you want, you can enable and configure additional destinations on the Destination Job Server. Send document as Select the option you want: • • Shortcut—The systems sends a shortcut to the specified destination. Copy—The system sends a copy of the instance, for example, the .rpt file, to the destination. Send List Specify which users or user groups you want to receive instances that have been generated or processed by the job server. BusinessObjects Enterprise Administrator’s Guide 127 5 Managing and Configuring Servers Configuring the processing tier Email (SMTP) destination properties In this example, the SMTP server resides in the businessobjects.com domain. Its name is EMAIL_SERV and it is listening on the standard SMTP port. Plain text authentication is being used, and an account called BusinessObjectsJobAccount has been created on the SMTP server for use by the Job Server. See also “Configuring the destination properties for job servers” on page 126. Domain Name Enter the fully qualified domain of the SMTP server. Server Name Enter the name of the SMTP server. Port Enter the port that the SMTP server is listening on. (This standard SMTP port is 25.) Authentication Select Plain or Login if the job server must be authenticated using one of these methods in order to send email. SMTP User Name Provide the Job Server with a user name that has permission to send email and attachments through the SMTP server. SMTP Password Provide the Job Server with the password for the SMTP server. 128 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 From Provide the return email address. Users can override this default when they schedule an object. To, Cc, Subject, and Message Set the default values for users who schedule reports to this SMTP destination. Users can override these defaults when they schedule an object. Add viewer hyperlink to message body Click Add if you want to add the URL for the viewer in which you want the email recipient to view the report. You can set the default URL by clicking Object Settings on the main page of the Objects management area of the CMC. If you send a hyperlink, the email recipient must log on to BusinessObjects Enterprise to see the report.) Users can override this default when they schedule an object. Attach report instance to email message Clear this check box if you do not want to attach a copy of the report or program instance attached to the email. Users can override these defaults when they schedule an object. Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name. Specified File Name Select this option if you want to enter a file name. You can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. Add file extension Adds the .%EXT% extension to the specified filename. This is similar to selecting File Extension from the list and clicking Add. By adding an extension to the file name, Windows will know which program to use to open the file when users want to view the file. BusinessObjects Enterprise Administrator’s Guide 129 5 Managing and Configuring Servers Configuring the processing tier FTP destination properties In this example, reports scheduled to this destination are randomly named and uploaded to the ftp.businessobjects.com site. See also “Configuring the destination properties for job servers” on page 126. Host Enter your FTP host information. Port Enter the FTP port number (the standard FTP port is 21). FTP User Name Specify a user who has the necessary rights to upload a report to the FTP server. FTP Password Enter the user’s password. Account Enter the FTP account information, if required. Account is part of the standard FTP protocol, but it is rarely implemented. Provide the appropriate account only if your FTP server requires it. 130 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 Destination Directory Enter the FTP directory that you want the object to be saved to. A relative path is interpreted relative to the root directory on the FTP server. Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name. Specified File Name Select this option if you want to enter a file name—you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. Unmanaged Disk destination properties An unmanaged disk is disk on a system outside the BusinessObjects Enterprise system. See also “Configuring the destination properties for job servers” on page 126. Destination Directory Type the absolute path to the directory. The directory can be on a local drive of the Job Server machine, or on any other machine that you can specify with a UNC path. Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name. BusinessObjects Enterprise Administrator’s Guide 131 5 Managing and Configuring Servers Configuring the processing tier Specified File Name Select this option if you want to specify a file name—you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. When each instance runs, the variable is replaced with the appropriate information. For example, when you add the variable “Owner,” the file name of each object includes the object owner’s name. User Name Specify a user who has permission to write files to the destination directory. Password Type the password for the user. In this example, the destination directory is on a network drive that is accessible to the Job Server machine through a UNC path. Each file name will be randomly generated, and a user name and password have been specified to grant the Job Server permission to write files to the remote directory. Configuring Windows processing servers for your data source When started on Windows, the report processing servers by default log on to the local system as services with the Windows “LocalSystem” account. This account determines the permissions that each service is granted on the local machine. This account does not grant the service any network permissions. In the majority of cases, this account is irrelevant in relation to the server’s task of processing reports against your data source. (The database logon credentials are stored with the report object.) Thus, you can usually leave each server’s default logon account unchanged or, if you prefer, you can change it to a Windows user account with the appropriate permissions. However, there are certain cases when you must change the logon account used by the processing servers. These cases arise either because the server needs additional network permissions to access the database, or because the database client software is configured for a particular Windows user account. This table lists the various database/ driver combinations and shows when you must complete additional configuration. Tip: Running a service under an Administrator account does not inadvertently grant administrative privileges to another user, because users cannot impersonate services. For details on changing the user accounts, see “Changing the server user account” on page 146. For a complete list of supported databases and drivers, refer to the platform.txt file included with your installation. 132 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 Configuring UNIX processing servers for your data source The Job Servers and Page Server support native and ODBC connections to a number of reporting databases. This section discusses the environment variables, software, and configuration files that must be available to the servers in order for them to process reports successfully. Whether your reports use native or ODBC drivers, ensure that the reporting environment configured on the server accurately reflects the reporting environment configured on the Windows machine that you use when designing reports with Crystal Reports. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. Click the appropriate link to jump to that section: • • Native drivers “Native drivers” on page 133 “ODBC drivers” on page 134 If you design reports using native drivers, you must install the appropriate database client software on each Job Server and/or Page Server machine that will process the reports. The server loads the client software at runtime in order to access the database that is specified in the report. The server locates the client software by searching the library path environment variable that corresponds to your operating system (LD_LIBRARY_PATH on Sun Solaris, LIBPATH on IBM AIX, and so on), so this variable must be defined for the login environment of each Job Server and Page Server. Depending on your database, additional environment variables may be required for the Job Server and Page Server to use the client software. These include: • • Oracle The ORACLE_HOME environment variable must define the top-level directory of the Oracle client installation. Sybase The SYBASE environment variable must define the top-level directory of the Sybase client installation. The SYBPLATFORM environment variable must define the platform architecture. • DB2 The DB2INSTANCE environment variable must define the DB2 instance that is used for database access. Use the DB2 instance initialization script to ensure that the DB2 environment is correct. BusinessObjects Enterprise Administrator’s Guide 133 5 Managing and Configuring Servers Configuring the processing tier Note: For complete details regarding these and other required environment variables, see the documentation included with your database client software. As an example, suppose that you are running reports against both Sybase and Oracle. The Sybase database client is installed in /opt/sybase, and the Oracle client is installed in /opt/oracle/app/oracle/product/8.1.7. You installed BusinessObjects Enterprise under the crystal user account (as recommended in the BusinessObjects Enterprise Installation Guide). If the crystal user’s default shell is a C shell, add these commands to the crystal user’s login script: setenv LD_LIBRARY_PATH /opt/oracle/app/oracle/product/8.1.7/ lib:opt/sybase/lib:$LD_LIBRARY_PATH setenv ORACLE_HOME /opt/oracle/app/oracle/product/8.1.7 setenv SYBASE /opt/sybase setenv SYBPLATFORM sun_svr4 If the crystal user’s default shell is a Bourne shell, modify the syntax accordingly: LD_LIBRARY_PATH=/opt/oracle/app/oracle/product/8.1.7/ lib:opt/sybase/lib:$LD_LIBRARY_PATH;export LD_LIBRARY_PATH ORACLE_HOME=/opt/oracle/app/oracle/product/8.1.7;export ORACLE_HOME SYBASE=/opt/sybase;export SYBASE SYBPLATFORM=sun_svr4;export SYBPLATFORM ODBC drivers If you design reports off ODBC data sources (on Windows), you must set up the corresponding data sources on the Job Server and Page Server machines. In addition, you must ensure that each server is set up properly for ODBC. During the installation, BusinessObjects Enterprise installs ODBC drivers for UNIX, creates configuration files and templates related to ODBC reporting, and sets up the required ODBC environment variables. This section discusses the installed environment, along with the information that you need to edit. Note: • Detailed documentation covering the various ODBC drivers is included in the Merant Connect ODBC Reference (odbcref.pdf). This is installed below the crystal/enterprise/platform/odbc directory; it is also located in the doc directory of your product distribution. If you report off DB2 using ODBC, your database administrator must first bind the UNIX version of the driver to every database that you report against (and not just each database server). The bind packages are installed below the crystal/enterprise/platform/odbc/lib directory; their filenames are iscsso.bnd, iscswhso.bnd, • 134 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 isrrso.bnd, isrrwhso.bnd, isurso.bnd, and isurwhso.bnd. Because Crystal Reports runs on Windows, ensure also that the Windows version of the driver has been bound to each database. • On UNIX, BusinessObjects Enterprise does not include the Informix client-dependent ODBC driver (CRinf16) that is installed on Windows. The UNIX version does, however, include the clientless ODBC driver for Informix connectivity. ODBC environment variables The environment variables related to ODBC reporting are: the library path that corresponds to your operating system (LD_LIBRARY_PATH on Sun Solaris, LIBPATH on IBM AIX, and so on), ODBC_HOME, and ODBCINI. The BusinessObjects Enterprise installation includes a file called env.csh that is sourced automatically every time you start the BusinessObjects Enterprise servers with the CCM. Thus, the environment for the Job Server and Page Server is set up automatically: • • • The INSTALL_ROOT/bobje/enterprise11/platform/odbc/lib directory of your installation is added to the library path environment variable. The ODBC_HOME environment variable is set to the INSTALL_ROOT/ bobje/enterprise11/platform/odbc directory of your installation. The ODBCINI environment variable is defined as the path to the .odbc.ini file that was created by the BusinessObjects Enterprise installation. Modify the environment variables in the env.csh script only if you have customized your configuration of ODBC. The main ODBC configuration file that you need to modify is the system information file. Working with the ODBC system information file The system information file (.odbc.ini) is created in the HOME directory of the user account under which you installed BusinessObjects Enterprise (typically the crystal user account). In this file, you define each of the ODBC data sources (DSNs) that the Job Server and Page Server need in order to process your reports. The BusinessObjects Enterprise installation completes most of the required information—such as the location of the ODBC directory and the name and location of each installed ODBC driver—and shows where you need to provide additional information. bobje/defaultodbc.ini Tip: A template of the system information file is installed to INSTALL_ROOT/ BusinessObjects Enterprise Administrator’s Guide 135 5 Managing and Configuring Servers Configuring the processing tier The following example shows the contents of a system information file that defines a single ODBC DSN for servers running on UNIX. This DSN allows the Job Server and Page Server to process reports based on a System DSN (on Windows) called CRDB2: [ODBC Data Sources] CRDB2=MERANT 3.70 DB2 ODBC Driver [CRDB2] Driver=/opt/bobje/enterprise11/platform/odbc/lib/crdb216.so Description=MERANT 3.70 DB2 ODBC Driver Database=myDB2server LogonID=username [ODBC] Trace=0 TraceFile=odbctrace.out TraceDll=/opt/bobje/enterprise11/platform/odbc/lib/ odbctrac.so InstallDir=/opt/bobje/enterprise11/platform/odbc As shown in the example above, the system information file is structured in three major sections: • The first section, denoted by [ODBC Data Sources], lists all the DSNs that are defined later in the file. Each entry in this section is provided as dsn=driver, and there must be one entry for every DSN that is defined in the file. The value of dsn must correspond exactly to the name of the System DSN (on Windows) that the report was based off. The second section sequentially defines each DSN that is listed in the first section. The beginning of each definition is denoted by [dsn]. In the example above, [CRDB2] marks the beginning of the single DSN that is defined in the file. Each DSN is defined through a number of option=value pairs. The options that you must define depend upon the ODBC driver that you are using. These pairs essentially correspond to the Name=Data pairs that Windows stores for each System DSN in the registry: \\HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\odbc.ini\dsn However, the options for a particular ODBC driver on UNIX may not correspond by name to the options available for a Windows version of the same driver. For example, some Windows drivers store a UID value in the registry, and on UNIX you may need to specify this value with the LogonID option. Note: For detailed documentation on each ODBC driver, see the Merant Connect ODBC Reference (odbcref.pdf). The PDF is installed below the crystal/enterprise/platform/odbc directory; it is also located in the doc directory of your product distribution. • 136 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Configuring the processing tier 5 • The final section of the file, denoted by [ODBC], includes ODBC tracing information. You need not modify this section. When the installation creates the system information file, it completes some fields and sets up a number of default DSNs—one for each of the installed ODBC drivers. The standard options that are commonly required for each driver are included in the file (Database=, LogonID=, and so on). Edit the file and provide the corresponding values that are specific to your reporting environment. This example shows the entire contents of a system information file created when BusinessObjects Enterprise was installed to the /usr/local directory. [ODBC Data Sources] CRDB2=MERANT 3.70 DB2 ODBC Driver CRINF_CL=MERANT 3.70 Informix Dynamic Server ODBC Driver CROR8=MERANT 3.70 Oracle8 ODBC Driver CRSS=MERANT 3.70 SQL Server ODBC Driver CRSYB=MERANT 3.70 Sybase ASE ODBC Driver CRTXT=MERANT 3.70 Text ODBC Driver [CRDB2] Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/ crdb216.so Description=MERANT 3.70 DB2 ODBC Driver Database= LogonID= [CRINF_CL] Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/ crifcl16.so Description=MERANT 3.70 Informix Dynamic Server ODBC Driver ServerName= HostName= PortNumber= Database= LogonID= [CROR8] Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/ cror816.so Description=MERANT 3.70 Oracle8 ODBC Driver ServerName= ProcedureRetResults=1 LogonID= [CRSS] Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/ crmsss16.so Description=MERANT 3.70 SQL Server ODBC Driver Address= Database= QuotedId=Yes LogonID= BusinessObjects Enterprise Administrator’s Guide 137 5 Managing and Configuring Servers Configuring the processing tier [CRSYB] Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/ crase16.so Description=MERANT 3.70 Sybase ASE ODBC Driver NetworkAddress= Database= LogonID= [CRTXT] Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/ crtxt16.so Description=MERANT 3.70 Text ODBC Driver Database= [ODBC] Trace=0 TraceFile=odbctrace.out TraceDll=/usr/local/bobje/enterprise11/platform/odbc/lib/ odbctrac.so InstallDir=/usr/local/bobje/enterprise11/platform/odbc Adding a DSN to the default ODBC system information file When you need to add a new DSN to the installed system information file (.odbc.ini) file, first add the new DSN to the bottom of the [ODBC Data Sources] list. Then add the corresponding [dsn] definition just before the [ODBC] section. For example, suppose that you have a Crystal report that uses ODBC drivers to report off your Oracle8 database. The report is based off a System DSN (on Windows) called SalesDB. To create the corresponding DSN, first append this line to the [ODBC Data Sources] section of the system information file: SalesDB=MERANT 3.70 Oracle8 ODBC Driver Then define the new DSN by adding the following lines just before the system information file’s [ODBC] section: [SalesDB] Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/ cror816.so Description=MERANT 3.70 Oracle8 ODBC Driver ServerName=MyServer ProcedureRetResults=1 LogonID=MyUserName Once you have added this information, the new DSN is available to the Job Server and Page Server, so they can process reports that are based off the SalesDB System DSN (on Windows). 138 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Logging server activity 5 Logging server activity BusinessObjects Enterprise allows you to log specific information about BusinessObjects Enterprise web activity. For details on locating and customizing the web activity logs, see “Configuring the Web Component Adapter” on page 89. • In addition, each of the BusinessObjects Enterprise servers is designed to log messages to your operating system’s standard system log.On Windows NT/2000, BusinessObjects Enterprise logs to the Event Log service. You can view the results with the Event Viewer (in the Application Log). On UNIX, BusinessObjects Enterprise logs to the syslog daemon as a User application. Each server prepends its name and PID to any messages that it logs. This example shows two messages logged to the syslog daemon on UNIX: • Each server also logs assert messages to the logging directory of your product installation. The programmatic information logged to these files is typically useful only to Business Objects support staff for advanced debugging purposes. The location of these log files depends upon your operating system: • • On Windows, the default logging directory is C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Logging On UNIX, the default logging directory INSTALL_ROOT/bobje/logging directory of your installation. The important point to note is that these log files are cleaned up automatically, so there will never be more than approximately 1 MB of logged data per server. BusinessObjects Enterprise Administrator’s Guide 139 5 Managing and Configuring Servers Advanced server configuration options Advanced server configuration options This section includes additional configuration tasks that you may want to perform, depending upon your reporting environment. It includes: • • • • • • “Changing the default server port numbers” on page 140 “Configuring a multihomed machine” on page 143 “Adding and removing Windows server dependencies” on page 144 “Changing the server startup type” on page 145 “Changing the server user account” on page 146 “Configuring servers for SSL” on page 146 Changing the default server port numbers During installation, the CMS is set up to use default port numbers. The default CMS port number is 6400. This ports fall within the range of ports reserved by Business Objects (6400 to 6410). Thus, BusinessObjects Enterprise communication on these ports should not conflict with third-party applications that you have in place. (Although unlikely, it is possible that your custom applications use these ports. If so, you can change the default CMS port.) The Web Component Adapter is not a server. However, you can configure its listening port by changing the connection.listeningPort context parameter in web.xml. See “Configuring the Web Component Adapter” on page 89. When started and enabled, each of the other BusinessObjects Enterprise servers dynamically binds to an available port (higher than 1024), registers with this port on the CMS, and then listens for BusinessObjects Enterprise requests. If necessary, you can instruct each server component to listen on a specific port (rather than dynamically selecting any available port). On Windows, you view and modify server command lines with the CCM. The Command field appears on each server’s Properties tab. On UNIX, you view and modify server command lines (also referred to as launch strings) in the ccm.config file, which is installed in the crystal directory. 140 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Advanced server configuration options 5 This table summarizes the command-line options as they relate to port usage for specific server types. For more information, see Appendix E: Server Command Lines. Option -port CMS Specifies the primary BusinessObjects Enterprise port on which the CMS listens for requests from all other servers. The default is 6400. Other Servers Used only in multihomed environments or for certain NAT firewall environments. In both cases, specify -port interface only. (-port number has no meaning for these servers). the server listens for BusinessObjects Enterprise requests. The server registers this port with the CMS. Selected dynamically if unspecified. Specifies the CMS that the server will register with. -requestPort Specifies the secondary port Specifies the port on which that the CMS uses for identifying other servers and for registering with itself and/ or a cluster. Selected dynamically if unspecified. n/a -ns Before modifying any port numbers, consider the following: • CMS port number, you must change the -ns option in every other server’s command line, to ensure that each server connects to the appropriate port of the CMS. (The -ns option stands for “nameserver.” The CMS functions as the nameserver in BusinessObjects Enterprise, because it maintains a list that includes the host name and port number of each server that is started, enabled, and thus available to accept BusinessObjects Enterprise requests.) You must also set the name and port number of the CMS with the connection.cms context parameter in web.xml. See “Configuring the Web Component Adapter” on page 89. If you are working with multihomed machines or in certain NAT firewall configurations, you may wish to specify -port interface:number for the CMS and -port interface for the other servers. For details, see “Configuring a multihomed machine” on page 143 or “Configuring for Network Address Translation” on page 190. On Windows, the CCM displays default port numbers on each server’s Configuration tab. This displayed port corresponds to the -port option. For servers other than the CMS, this default port is not actually in use (each server registers its -requestPort number with the CMS instead). • • BusinessObjects Enterprise Administrator’s Guide 141 5 Managing and Configuring Servers Advanced server configuration options 1. 2. To change the default CMS port for BusinessObjects Enterprise servers Use the CCM (on Windows) or ccm.sh (on UNIX) to stop all the BusinessObjects Enterprise servers. Add (or modify) the following option in the CMS command line: -port number Replace number with the port that you want the CMS to listen on. (The default port is 6400.) 3. Add (or modify) the following option in the command line of all of the remaining non-CMS BusinessObjects Enterprise servers: -ns hostname:number Replace hostname with the host name of the machine that is running the CMS. The host name must resolve to a valid IP address within your network. Replace number with the port that the CMS is listening on. 4. Start and enable all the BusinessObjects Enterprise servers. The CMS begins listening on the port specified by number, and the non-CMS servers broadcast to that port when attempting to register with the CMS. 5. Set the name and port number of the CMS with the connection.cms context parameter in web.xml. See “Configuring the Web Component Adapter” on page 89. To change the port a server registers with the CMS Use the CCM (on Windows) or ccm.sh (on UNIX) to stop the server. Add (or modify) the following option in the server’s command line: -requestPort number 1. 2. Replace number with the port that you want the server to listen on. 3. Start and enable the server. The server binds to the new port specified by number. It then registers with the CMS and begins listening for BusinessObjects Enterprise requests on the new port. By default, each server registers itself with the CMS by IP address, rather than by name. This typically provides the most reliable behavior. If you need each server to register with the CMS by fully qualified domain name instead, use the -requestPort option in conjunction with -port interface (where interface is the server’s fully qualified domain name). Having the servers register by name can be useful if a NAT firewall resides between the server and the CMS. For more information, see “Configuring for Network Address Translation” on page 190. 142 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Advanced server configuration options 5 You may also need to specify -port interface when BusinessObjects Enterprise is running on a multihomed machine. Configuring a multihomed machine A multihomed machine is one that has multiple network addresses. You may accomplish this with multiple network interfaces, each with one or more IP addresses, or with a single network interface that has been assigned multiple IP addresses. If you have multiple interface cards, each with a single IP address, change the binding order so that the card at the top of the binding order is the one you want the BusinessObjects Enterprise servers to bind to. If your interface card has multiple IP addresses, use the -port command-line option to specify a IP address for the BusinessObjects Enterprise server. Tip: This section shows how to restrict all servers to the same network address, but it is possible to bind individual servers to different addresses. For instance, you might want to bind the File Repository Servers to a private address that is not routable from users’ machines. Advanced configurations such as this require your DNS configuration to route communications effectively between all the BusinessObjects Enterprise server components. In this example, the DNS must route communications from the other BusinessObjects Enterprise servers to the private address of the File Repository Servers. Configuring the CMS to bind to a network address When you use the -port command-line option to configure the CMS to bind to a specific IP address, you must also include the port number these servers use (even if the server is using the default port). Add the following option to both of their command lines: -port interface:port If the machine has multiple network interfaces, interface can be the fully qualified domain name or the IP address of the interface that you want the server to bind to. If the machine has a single network interface, interface must be the IP address that you want the server to bind to. Note: • To retain the default port numbers, replace port with 6400 for the CMS. If you change the default port numbers, you will need to make additional configuration changes. For details, see “Changing the default server port numbers” on page 140. To configure the WCA, use interface:port when setting the connection.listeningPort context parameter in web.xml. (See “Configuring the Web Component Adapter” on page 89.) • BusinessObjects Enterprise Administrator’s Guide 143 5 Managing and Configuring Servers Advanced server configuration options Configuring the remaining servers to bind to a network address The remaining BusinessObjects Enterprise servers select their ports dynamically by default, so you need only add the following option to their command lines: -port interface Replace interface with the same value that you specified for the CMS. Ensure that each server’s -ns parameter points to the CMS, and that the DNS resolves the value to the appropriate network address. Adding and removing Windows server dependencies When installed on Windows, each server in BusinessObjects Enterprise is dependent on at least three services: the Event Log, NT LM Security Support Provider, and Remote Procedure Call (RPC) services. If you are having problems with a server, check to ensure that all three services appear on the server’s Dependency tab. 1. 2. 3. To add and remove server dependencies Use the CCM to stop the server whose dependencies you want to modify. With the server selected, click Properties on the toolbar. Click the Dependency tab. As shown here, at least three services should be listed: Event Log, NT LM Security Support Provider, and Remote Procedure Call (RPC). 4. To add a dependency to the list, click Add. 144 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Advanced server configuration options 5 The Add Dependency dialog box provides you with a list of all available dependencies. Select the dependency or dependencies, as required, and then click Add. 5. 6. 7. To remove a dependency from the list, select it and click Remove. Click OK. Restart the server. Changing the server startup type When installed on Windows, each server is configured to start automatically. As with other Windows services, there are three startup types: • • • Automatic starts the server each time the machine is started. Manual requires you to start the server before it will run. Disabled requires you to change the startup type to automatic or manual before it can run. BusinessObjects Enterprise Administrator’s Guide 145 5 Managing and Configuring Servers Advanced server configuration options 1. 2. 3. 4. 5. 6. To change the server startup type on Windows Start the CCM. Stop the server whose startup type you want to modify. With the server selected, click Properties on the toolbar. Click the Startup Type list and select Automatic, Disabled, or Manual. Click OK. Restart the server. To change the server startup type on UNIX On UNIX, this requires root privileges. See “setupinit.sh” on page 607. Changing the server user account If the incorrect user account is running on a server on Windows, change it in the Central Configuration Manager (CCM). Tip: The Program Job Server must be configured to use the Local System account, or a user account that has the right “Act as part of the operating system”. 1. 2. 3. 4. To change a server’s user account Use the CCM to stop the server. Click Properties. Clear the System Account check box. Enter the Windows user name and password information. When started, the server process will log on to the local machine with this user account. In addition, all reports processed by this server will be formatted using the printer settings associated with the user account that you enter. 5. 6. Click Apply, and then click OK. Start the server. Configuring servers for SSL You can use the Secure Sockets Layer (SSL) protocol for all network communication between clients and servers in your BusinessObjects Enterprise deployment. To set up SSL for all server communication you need to perform the following steps: 146 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Advanced server configuration options 5 • • • Deploy BusinessObjects Enterprise with SSL enabled. Create key and certificate files for each machine in your deployment. Configure the location of these files in the Central Configuration Manager (CCM) and your web application server. Creating key and certificate files To set up SSL protocol for your se.rver communication, use the SSLC command line tool to create a key file and a certificate file for each machine in your deployment. Note: For more information about using the SSLC command line tool, consult the SSLC documentation. 1. To create key and certificate files for a machine Run the SSLC.exe command line tool. The SSLC tool is installed with your BusinessObjects Enterprise software. (On Windows, for example, it is installed by default in C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86.) 2. Type the following command: sslc req -config sslc.cnf -new -out cacert.req This command creates two files, a Certificate Authority (CA) certificate request (cacert.req) and a private key (privkey.pem). 3. To decrypt the private key, type the following command: sslc rsa -in privkey.pem -out cakey.pem This command creates the decrypted key, cakey.pem. 4. To sign the CA certificate, type the following command: sslc x509 -in cacert.req -out cacert.pem -req -signkey cakey.pem -days 365 This command creates a self-signed certificate, cacert.pem, that expires after 365 days. Choose the number of days that suits your security needs. 5. Open the sslc.cnf file, stored in the same folder as the SSLC command line tool. Perform the following steps based on settings in the sslc.cnf file. • Place the cakey.pem and cacert.pem files in the directories specified by sslc.cnf file's certificate and private_key options. By default, the settings in the sslc.cnf file are: certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem BusinessObjects Enterprise Administrator’s Guide 147 5 Managing and Configuring Servers Advanced server configuration options • • Create a file with the name specified by the sslc.cnf file's database setting. Note: By default, this file is $dir/index.txt. The file can be empty. Create a file with the name specified by the sslc.cnf file's serial setting. Ensure that this file provides an octet-string serial number (in hexadecimal format). Note: To ensure that you can create and sign more certificates, choose a large number, such as 11111111111111111111111111111111.) • 6. Create the directory specified by the sslc.cnf file's new_certs_dir setting. To create a certificate request and a private key, type the following command: sslc req -config sslc.cnf -new -out servercert.req 7. 8. Make a copy of the private key copy privkey.pem server.key To sign the certificate with the CA certificate, type the following command: sslc ca -config sslc.cnf -days 365 -out servercert.pem in servercert.req This command creates the servercert.pem file, which contains the signed certificate. 9. Use the following commands to convert the certificates to DER encoded certificates: sslc x509 -in cacert.pem -out cacert.der -outform DER sslc x509 -in servercert.pem -out servercert.der -outform DER 10. Create a text file for storing the plain text passphrase used for decrypting the generated private key. 11. Store the following key and certificate files in a secure location (under the same directory) that can be accessed by the machines in your BusinessObjects Enterprise deployment: • • • • the trusted certificate file (cacert.der) the generated server certificate file (servercert.der) the server key file (server.key) the passphrase file 148 BusinessObjects Enterprise Administrator’s Guide Managing and Configuring Servers Advanced server configuration options 5 This location will be used to configure SSL for the CCM and your web application server. Configuring the SSL protocol After you create keys and certificates for each machine in your deployment, and store them in a secure location, you need to provide the Central Configuration Manager (CCM) and your web application server with the secure location. 1. 2. 3. To configure the SSL protocol in the CCM In the CCM, right-click a server and choose Properties. In the Properties dialog box, click the Protocol tab. Provide the file path for the directory where you stored the key and certificate files. Note: Make sure you provide the directory for the machine that the server is running on. 4. 1. Repeat steps 1 to 3 for all servers. To configure the SSL protocol for the web application server If you have a J2EE web application server, run the Java SDK with the following system properties set: -Dbusinessobjects.orb.oci.protocol=ssl -DcertDir=d:\ssl -DtrustedCert=cacert.der -DsslCert=clientcert.der -DsslKey=client.key -Dpassphrase=passphrase.txt 2. If you have an IIS web application server, run the sslconfig tool from the command line and follow the configuration steps. BusinessObjects Enterprise Administrator’s Guide 149 5 Managing and Configuring Servers Advanced server configuration options 150 BusinessObjects Enterprise Administrator’s Guide Managing Server Groups chapter 6 Managing Server Groups Server group overview Server group overview Server groups provide a way of organizing your BusinessObjects Enterprise servers to make them easier to manage. That is, when you manage a group of servers, you need only view a subset of all the servers on your system. More importantly, server groups are a powerful way of customizing BusinessObjects Enterprise to optimize your system for users in different locations, or for objects of different types. If you group your servers by region, you can easily set up default processing settings, recurrent schedules, and schedule destinations that are appropriate to users who work in a particular regional office. You can associate an object with a single server group, so the object is always processed by the same servers. And you can associate scheduled objects with a particular server group to ensure that scheduled objects are sent to the correct printers, file servers, and so on. Thus, server groups prove especially useful when maintaining systems that span multiple locations and multiple time zones. If you group your servers by type, you can configure objects to be processed by servers that have been optimized for those objects. For example, processing servers need to communicate frequently with the database containing data for published reports. Placing processing servers close to the database server that they need to access improves system performance and minimizes network traffic. Therefore, if you had a number of reports that ran against a DB2 database, you might want to create a group of Page Servers that process reports only against the DB2 database server. If you then configured the appropriate reports to always use this Page Server group for viewing, you would optimize system performance for viewing these reports. After creating server groups, configure objects to use specific server groups for scheduling, or for viewing and modifying reports. For details, see “Specifying servers for scheduling” on page 430 or “Specifying servers for viewing and modification” on page 432. You can change the status, obtain metrics, and configure your servers in the organize Server Groups area—just as you would in the organize Servers area. The only difference is that you see only the servers that you added to the server group. Creating a server group To create a server group, you need to specify the name and description of the group, and then add servers to the group. 152 BusinessObjects Enterprise Administrator’s Guide Managing Server Groups Creating a server group 6 1. 2. To create a server group Go to the Server Groups management area of the CMC. Click New Server Group. The New Server Group Properties tab appears. 3. 4. 5. 6. 7. In the Server Group Name field, type a name for the new group of servers. Use the Description field to include additional information about the group. Click OK. On the Servers tab, click Add/Remove Servers. Select the servers that you want to add to this group; then click the > arrow. Tip: Use CTRL+click to select multiple servers. 8. Click OK. BusinessObjects Enterprise Administrator’s Guide 153 6 Managing Server Groups Working with server subgroups This example adds the servers to a server group called Northern Office Servers. You are returned to the Servers tab, which now lists all the servers that you added to the group. You can now change the status, view server metrics, and change the properties of the servers in the group. For more information, see “Server management overview” on page 78. Working with server subgroups Subgroups of servers provide you with a way of further organizing your servers. A subgroup is just a server group that is a member of another server group. For example, if you group servers by region and by country, then each regional group becomes a subgroup of a country group. To organize servers in this way, first create a group for each region, and add the appropriate servers to each regional group. Then, create a group for each country, and add each regional group to the corresponding country group. There are two ways to set up subgroups: you can modify the subgroups of a server group, or you can make one server group a member of another. The results are the same, so use whichever method proves most convenient. 1. 2. 3. 4. 5. To add subgroups to a server group Go to the Server Groups management area of the CMC. Click the group that you want to add subgroups to. This group is the parent group. On the Subgroups tab, click Add/Remove Groups. In the Available server groups list, select the server groups that you want to add as subgroups; then click the > arrow. Click OK. You are returned to the Subgroups tab, which now lists all the server groups that you added to the parent group. 1. 2. 3. 4. To make one server group a member of another Go to the Server Groups management area of the CMC. Click the group that you want to add to another group. On the Member of tab, click the Member of button. In the Available server groups list, select the server groups that should include your group as a member; then click the > arrow. 154 BusinessObjects Enterprise Administrator’s Guide Managing Server Groups Modifying the group membership of a server 6 This example makes the Job Servers group a member subgroup of the Northern Office Servers group. 5. Click OK. You are returned to the “Member of” tab, which now lists all the server groups that the initial group is now a member of. Modifying the group membership of a server You can modify a server’s group membership to quickly add the server to (or remove it from) any group or subgroup that you have already created on the system. For example, suppose that you created server groups for a number of regions. You might want to use a single Central Management Server (CMS) for multiple regions. Instead of having to add the CMS individually to each regional server group, you can click the server’s “Member of” link to add it to all three regions at once. 1. 2. 3. To modify a server’s group membership Go to the Servers management area of the CMC. Locate the server whose membership information you want to change. In the Server Group column, click the server’s Member of link. The “Member of” page lists any server groups that the server currently belongs to. 4. 5. 6. Click the Member of button. The “Modify Member Of” page appears. Move server groups from one list to another to specify which groups the server is a member of. Click OK. BusinessObjects Enterprise Administrator’s Guide 155 6 Managing Server Groups Modifying the group membership of a server 156 BusinessObjects Enterprise Administrator’s Guide Scaling Your System chapter 7 Scaling Your System Scalability overview Scalability overview The BusinessObjects Enterprise architecture is scalable in that it allows for a multitude of server configurations, ranging from stand-alone, single-machine environments, to large-scale deployments supporting global organizations. The flexibility offered by the product’s architecture allows you to set up a system that suits your current reporting requirements, without limiting the possibilities for future growth and expansion. This chapter details common scalability scenarios for administrators who want to expand beyond a stand-alone installation of BusinessObjects Enterprise. These three scenarios have received the most testing, and are recommended for the majority of deployments. For details, see “Common configurations” on page 159. It must be emphasized, however, that the optimal configuration for your deployment will vary depending upon your hardware configuration, your database software, and your reporting requirements. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment. Note: If you customize or expand your system beyond these common configurations without first contacting Business Objects Services, your deployment may not be officially supported. This chapter also provides the related procedures for adding and deleting servers from your BusinessObjects Enterprise installation. Follow these steps when you need to add server components to a machine that is already running BusinessObjects Enterprise. Tip: If you are adding new hardware to BusinessObjects Enterprise by installing server components on additional machines, run the BusinessObjects Enterprise installation and setup program. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that want to install on the local machine. For details, see the BusinessObjects Enterprise Installation Guide. 158 BusinessObjects Enterprise Administrator’s Guide Scaling Your System Common configurations 7 Common configurations This section details the common ways in which you should begin to scale, or expand, your BusinessObjects Enterprise system. The scenarios described are those that have been most thoroughly tested by Business Objects. As a baseline, this section assumes that you have not yet distributed the BusinessObjects Enterprise servers across multiple machines; however, this section does assume familiarity with the BusinessObjects Enterprise architecture, installation, and server configuration. For preliminary installation information, see the BusinessObjects Enterprise Installation Guide. Tip: If you are deploying multi-processor machines, you may also want to run one or more BusinessObjects Enterprise servers in multiple instances on that machine. For details, see “Adding a server” on page 169. This section describes the following common configurations: • • • “One-machine setup” on page 159 “Three-machine setup” on page 160 “Six-machine setup” on page 160 One-machine setup This basic configuration separates the BusinessObjects Enterprise servers from the rest of your reporting environment and from your web server, and installs all BusinessObjects Enterprise servers on a single machine. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes. These are the general steps to setting up this configuration for the default Windows installation of BusinessObjects Enterprise: • • Install all of the BusinessObjects Enterprise servers on a single, dedicated machine. Run the CMS database on your database server. If you are still using the MSDE CMS database on Windows, migrate the CMS database to a supported database server. See the Platforms.txt file included with your product distribution for a list of supported database servers. For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install your BusinessObjects Enterprise servers on the same machine as your Java web application server and the Web Component Adapter. BusinessObjects Enterprise Administrator’s Guide 159 7 Scaling Your System Common configurations Three-machine setup This second configuration divides the BusinessObjects Enterprise processing load in a logical manner, based on the types of work performed by each server. In this way, you prevent the server components from having to compete with each other for the same hardware and processing resources. In addition, this scenario prepares your system for further expansion to provide redundancy. Note: It is recommended that you use three multi-processor machines (dualCPU or better), with at least 2 GB RAM installed on each machine. These are the general steps to setting up this configuration for the default Windows installation of BusinessObjects Enterprise: • Install the CMS and the Event Server on one machine. Tip: Here, the Event Server is installed on the same machine as the CMS. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur. • • Install the application server, the Web Component Adapter and the Cache Server on the second machine. Install the Page Server, the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, the Web Intelligence Report Server, the Report Application Server (RAS), and the Input and Output File Repository Servers on the third machine. For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install the Java web application server and the Web Component Adapter on the same machine as your Cache Server. Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes. Six-machine setup This third configuration mirrors the three-machine setup. You maintain the logical breakdown of processing based on the types of work performed by each server, but you increase the number of available machines and servers for redundancy and fault-tolerance. For instance, if a server stops responding, or if you need to take one or two machines offline completely, you need not interrupt BusinessObjects Enterprise requests in order to service the system. 160 BusinessObjects Enterprise Administrator’s Guide Scaling Your System Common configurations 7 This tested configuration is designed to meet the reporting requirements of 85% of all deployment scenarios. If you have further requirements or more advanced configuration needs, contact your Business Objects sales representative for additional assistance. Note: It is recommended that you use six multi-processor machines (dualCPU or better), with at least 2 GB RAM installed on each machine. These are the general steps to setting up this configuration for the default Windows installation of BusinessObjects Enterprise: • • Install the three-machine setup first. Verify that BusinessObjects Enterprise is functioning correctly. For details, see “Three-machine setup” on page 160. Install a second CMS/Event Server pair on the fourth machine. This machine must have a fast network connection (minimum 10 Mbps) to the CMS that you have already installed. Cluster the two CMS services, so they share the task of maintaining the CMS database. Ensure that each CMS accesses the CMS database in exactly the same manner (the same database client software, the same database user name and password, and so on). Tip: Here, the Event Server is installed on the same machine as the CMS. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur. • Install a second application server and Web Component Adapter on the fifth machine, along with a second Cache Server. Consult your web application server documentation for information on load-balancing and clustering your application servers. Ensure that the web.xml file is configured correctly for each WCA. Install a second Page Server, Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, Web Intelligence Report Server, and RAS on the remaining machine, along with a pair of Input and Output File Repository Servers. Ensure that all Page Servers and job servers, including the Web Intelligence Report Server, can access your reporting database in exactly the same manner. Install and configure any required database client software similarly on each machine, along with any ODBC DSNs that are required for your reports. • Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes. BusinessObjects Enterprise Administrator’s Guide 161 7 Scaling Your System General scalability considerations General scalability considerations This section provides information about system scalability and the BusinessObjects Enterprise servers that are responsible for particular aspects of your system. Each subsection focuses on one aspect of your system’s capacity, discusses the relevant components, and provides a number of ways in which you might modify your configuration accordingly. Before modifying these aspects of your system, it is strongly recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment. General scalability considerations include the following: • • • • • • • “Increasing overall system capacity” on page 162 “Increasing scheduled reporting capacity” on page 163 “Increasing on-demand viewing capacity for Crystal reports” on page 164 “Increasing prompting capacity” on page 165 “Enhancing custom web applications” on page 166 “Improving web response speeds” on page 166 “Getting the most from existing resources” on page 167 Increasing overall system capacity As the number of report objects and users on your system increases, you can increase the overall system capacity by clustering two (or more) Central Management Servers (CMS). You can install multiple CMS services/daemons on the same machine. However, to provide server redundancy and faulttolerance, you should ideally install each cluster member on its own machine. CMS clusters can improve overall system performance because every BusinessObjects Enterprise request results, at some point, in a server component querying the CMS for information that is stored in the CMS database. When you cluster two CMS machines, you instruct the new CMS to share in the task of maintaining and querying the CMS database. For more information, see “Clustering Central Management Servers” on page 92. 162 BusinessObjects Enterprise Administrator’s Guide Scaling Your System General scalability considerations 7 Increasing scheduled reporting capacity Increasing Crystal reports processing capacity All Crystal reports that are scheduled are eventually processed by a Job Server. You can expand BusinessObjects Enterprise by running individual Report Job Servers on multiple machines, or by running multiple Report Job Servers on a single multi-processor machine. If the majority of your reports are scheduled to run on a regular basis, there are several strategies you can adopt to maximize your system’s processing capacity: • Install the Job Server in close proximity to (but not on the same machine as) the database server against which the reports run. Ensure also that the File Repository Servers are readily accessible to all Job Server (so they can read report objects from the Input FRS and write report instances to the Output FRS quickly). Depending upon your network configuration, these strategies may improve the processing speed of the Job Server, because there is less distance for data to travel over your corporate network. Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database server’s resources to group data, incorporating parameter fields, and so on. For more information, see the “Designing Optimized Web Reports” section in the Crystal Reports User’s Guide (version 8.5 and later). Use event-based scheduling to create dependencies between large or complex reports. For instance, if you run several very complex reports on a regular, nightly basis, you can use Schedule events to ensure that the reports are processed sequentially. This is a useful way of minimizing the processing load that your database server is subject to at any given point in time. If some reports are much larger or more complex than others, consider distributing the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Job Servers. Then, when you schedule recurrent reports, you can specify that it be processed by a particular server group to ensure that especially large reports are distributed evenly across resources. Increase the hardware resources that are available to a Job Server. If the Job Server is currently running on a machine along with other BusinessObjects Enterprise components, consider moving the Job • • • • BusinessObjects Enterprise Administrator’s Guide 163 7 Scaling Your System General scalability considerations Server to a dedicated machine. If the new machine has multiple CPUs, you can install multiple Job Servers on the same machine (typically no more than one service/daemon per CPU). Increasing Web Intelligence document processing capacity All Web Intelligence documents that are scheduled are eventually processed by a Web Intelligence Job Server and Web Intelligence Report Server. You can expand BusinessObjects Enterprise by running individual Web Intelligence Report Servers on multiple machines, or by running multiple Web Intelligence Report Servers on a single multi-processor machine. When running multiple Web Intelligence Report Servers, you don’t need to duplicate the Web Intelligence Job Server. One Web Intelligence Job Server can be used to drive multiple Web Intelligence Report Servers. However, if you are working with server groups, a Web Intelligence Job Server must exist in the same group as the Web Intelligence Report Servers. Note: When deciding whether to increase the number Web Intelligence Report Servers, keep in mind that Web Intelligence Report Server processes both scheduling and viewing requests, whereas requests for Crystal reports are processed by three separate servers, the Report Job Server, the Cache Server and Page Server. Increasing on-demand viewing capacity for Crystal reports When you provide many users with View On Demand access to reports, you allow each user to view live report data by refreshing reports against your database server. For most requests, the Page Server retrieves the data and performs the report processing, and the Cache Server stores recently viewed report pages for possible reuse. However, if users use the Advanced DHTML viewer, the Report Application Server (RAS) processes the request. If your reporting requirements demand that users have continual access to the latest data, you can increase capacity in the following ways: • • Increase the maximum allowed size of the cache. For details, see “Modifying Cache Server performance settings” on page 112. Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database server’s resources to group data, incorporating parameter fields, and so on. For more information, see the “Designing Optimized Web Reports” section in the Crystal Reports User’s Guide (version 8.5 and later). 164 BusinessObjects Enterprise Administrator’s Guide Scaling Your System General scalability considerations 7 • Increase the number of Page Servers that service requests on behalf of Cache Servers. You can do this by installing additional Page Servers on multiple machines. However, do not install more than one Page Server per machine. The Page Server has been re-designed to optimize the processing capability of a machine. It is therefore no longer recommended that you install multiple Page Servers on one machine. Increase the number of Page Servers, Cache Servers, and Report Application Servers on the system, and then distribute the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Cache Server/Page Server pairs along with one or more Report Application Servers. You can then specify individual reports that should always be processed by a particular server group. • Increasing prompting capacity When reports use a list of values, the RAS processes the list-of-values objects for the report when the report is being viewed. It does this regardless of whether the list-of-value object was scheduled or whether data needs to be retrieved from the data base. To avoid contention with other applications that use the RAS, you can add a RAS server that will be dedicated to processing list-of-value objects. In CMC you can then create a RAS server group and assign the dedicated RAS to the RAS server group. In Business View Manager, you then assign the list-ofvalues objects to be processed by the RAS server group. Delegating XSL transformation to Internet Explorer If your users access InfoView via the Internet Explorer 6.0 browser, you can instruct the Web Intelligence Report Server to delegate the transformation of XML to XSL to the browser. This substantially decreases the load on the server, primarily during document display, but also during display of the portal itself. By default, the XSL transformation delegation is not activated. 1. To delegate XSL transformation to the browser for document display: On the application server, set the CLIENT_XSLT variable in webiviewer.properties, located in the WEB-INF\classes subfolder of the application server as follows: CLIENT_XSLT=Y 2. Restart the application server. BusinessObjects Enterprise Administrator’s Guide 165 7 Scaling Your System General scalability considerations Enhancing custom web applications If you are developing your own custom desktops or administrative tools with the BusinessObjects Enterprise Software Development Kit (SDK), be sure to review the libraries and APIs. You can now, for instance, incorporate complete security and scheduling options into your own web applications. You can also modify server settings from within your own code in order to further integrate BusinessObjects Enterprise with your existing intranet tools and overall reporting environment. To improve the scalability of your system, consider distributing administrative efforts by developing web applications for delegated content administration. You can grant select users the ability to manage particular BusinessObjects Enterprise folders, content, users, and groups on behalf of their team, department, or regional office. In addition, be sure to check the developer documentation available on your BusinessObjects Enterprise product CD for performance tips and other scalability considerations. The query optimization section in particular provides some preliminary steps to ensuring that custom applications make efficient use of the query language. Improving web response speeds Because all user interaction with BusinessObjects Enterprise occurs over the Web, you may need to investigate a number of areas to determine exactly where you can improve web response speeds. These are some common aspects of your deployment that you should consider before deciding how to expand BusinessObjects Enterprise: • Assess your web server’s ability to serve the number of users who connect regularly to BusinessObjects Enterprise. Use the administrative tools provided with your web server software (or with your operating system) to determine how well your web server performs. If the web server is indeed limiting web response speeds, consider increasing the web server’s hardware. If web response speeds are slowed only by report viewing activities, see “Increasing scheduled reporting capacity” on page 163 and “Increasing on-demand viewing capacity for Crystal reports” on page 164. Take into account the number of users who regularly access your system. If you are running a large deployment, ensure that you have set up a CMS cluster. For details, see “Increasing overall system capacity” on page 162. • • 166 BusinessObjects Enterprise Administrator’s Guide Scaling Your System General scalability considerations 7 If you find that a single application server inadequately services the number of scripting requests made by users who access your system on a regular basis, consider the following options: • Increase the hardware resources that are available to the application server. If the application server is currently running on the web server, or on a single machine with other BusinessObjects Enterprise components, consider moving the application server to a dedicated machine. If the new machine has multiple CPUs, you can install multiple application servers on the same machine (typically no more than one per CPU). If you are using the default Windows installation of BusinessObjects Enterprise, set up two (or more) WCS machines to take advantage of the dynamic load balancing that is built into the Web Connector components. The Web Connector distributes the processing load evenly across WCS hosts: each new BusinessObjects Enterprise session is sent to the least used WCS. This also provides you with the benefits of being able to take one WCS machine offline for service, without bringing down the entire system. Consider setting up two (or more) application servers. Consult the documentation for your web application server for information on loadbalancing, clustering, and scalability. Note: BusinessObjects Enterprise does not support the sessionreplication functionality provided by some Java web application servers. • • Getting the most from existing resources One of the most effective ways to improve the performance and scalability of your system is to ensure that you get the most from the resources that you allocate to BusinessObjects Enterprise. Optimizing network speed and database efficiency When thinking about the overall performance and scalability of BusinessObjects Enterprise, don’t forget that BusinessObjects Enterprise depends upon your existing IT infrastructure. BusinessObjects Enterprise uses your network for communication between servers and for communication between BusinessObjects Enterprise and client machines on your network. Make sure that your network has the bandwidth and speed necessary to provide BusinessObjects Enterprise users with acceptable levels of performance. Consult your network administrator for more information. BusinessObjects Enterprise Administrator’s Guide 167 7 Scaling Your System General scalability considerations BusinessObjects Enterprise processes reports against your database servers. If your databases are not optimized for the reports you need to run, then the performance of BusinessObjects Enterprise may suffer. Consult your database administrator for more information. Using the appropriate processing server When users view a report using the Advanced DHTML viewer, the report is processed by the Report Application Server rather than the Page Server and Cache Server. The Report Application Server is optimized for report modification. For simple report viewing you can achieve better system performance if users select the DHTML viewer, the Active X viewer, or the Java viewer. These report viewers process reports against the Page Server. If the ability to modify reports is not needed at your site, you can disable the Advanced DHTML viewer for all users of BusinessObjects Enterprise. 1. 2. 3. 4. Disabling the Advanced DHTML Viewer In the Central Management Console, select Business Objects Applications. Select Web Desktop. On the Properties tab, go to the Viewers area. Clear the option labeled Allow users to use the Advanced DHTML Viewer. Click Update. Optimizing BusinessObjects Enterprise for report viewing BusinessObjects Enterprise allows you to enable data sharing, which permits different users accessing the same report object to use the same data when viewing a report on demand or when refreshing a report. Enabling data sharing reduces the number of database calls, thereby reducing the time needed to provide report pages to subsequent users of the same report while greatly improving overall system performance under load. However, to get full value from data sharing, you must permit data to be reused for some period of time. This means that some users may see “old” data when they view a report on demand, or refresh a report instance that they are viewing. For details on data sharing options for reports, see “Setting report viewing options” on page 428. For more information on configuring BusinessObjects Enterprise to optimize report viewing in your system, see the planning chapter in the BusinessObjects Enterprise Installation Guide. 168 BusinessObjects Enterprise Administrator’s Guide Scaling Your System Adding and deleting servers 7 Adding and deleting servers This section shows how to add and delete servers from a machine that is already running BusinessObjects Enterprise components. It includes the following sections: • • “Adding a server” on page 169 “Deleting a server” on page 171 Tip: If you are adding new hardware to BusinessObjects Enterprise by installing server components on new, additional machines, run the BusinessObjects Enterprise installation and setup program from your product distribution. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that you want to install on the local machine. For details, see the BusinessObjects Enterprise Installation Guide. Adding a server These steps add a new instance of a server to the local machine. You can run multiple instances of the same BusinessObjects Enterprise server on the same machine. To add a Windows server Note: To complete this procedure, you must log on as an Administrator of the local machine. 1. 2. 3. Start the CCM on the BusinessObjects Enterprise machine upon which you want to install a new server. On the toolbar, click Add Server. The Add Business Objects Server Wizard displays its Welcome dialog box. Click Next. BusinessObjects Enterprise Administrator’s Guide 169 7 Scaling Your System Adding and deleting servers The “Server Type and Display Name Configuration” dialog box appears. 4. 5. Click the Server Type list and select the kind of server you want to add. Change the default Display Name field if you want a different name to appear in the list of servers in the CCM. Note: The display name for each server on the local machine must be unique. 6. Change the default Server Name field if required. Each server on the system must have a unique name. The default naming convention is HOSTNAME.servertype (a number is appended if there is more than one server of the same type on the same host machine). This Server Name is displayed when you manage servers over the Web in the Central Management Console (CMC). When you add Input or Output File Repository Servers, the wizard always precedes the server name you type with an “Input.” or “Output.” prefix. So, if you add an Input FRS with the name SERVER02, the CCM actually names the server Input.SERVER02. This “Input.” prefix is required by the system. If you subsequently modify the server’s name through its command line, do not remove the prefix. 7. Click Next. The “Set Configuration for this server” dialog box appears. The contents of this dialog vary slightly, depending upon the type of server that you are installing. 170 BusinessObjects Enterprise Administrator’s Guide Scaling Your System Adding and deleting servers 7 8. Type the name of the CMS that you want the server to communicate with. If your CMS is not listening on the default port (6400), include the appropriate port number, as in CMSname:port# 9. Click Next to accept any other default values, or modify them to suit your environment. Note: If port number options are displayed in this dialog box, do not modify them. Instead, change ports through each server’s command line. For details, see “Changing the default server port numbers” on page 140. 10. Confirm the summary information is correct; then click Finish. The new server appears in the list, but it is neither started nor enabled automatically. 11. Use the CCM (or the CMC) to start and then to enable the new server when you want it to begin responding to BusinessObjects Enterprise requests. For details, see “Viewing and changing the status of servers” on page 82. Tip: Auditing in BusinessObjects Enterprise is enabled on a per server basis. If you add a new server to your BusinessObjects Enterprise installation you must enable auditing of actions on each new server. If you do not, the actions performed on the new server will not be audited. See “Enabling auditing of user and system actions” on page 210 for more information. To add a UNIX server Use the serverconfig.sh script. For reference, see “serverconfig.sh” on page 602. Deleting a server 1. 2. 3. 4. To delete a Windows server Start the CCM on the BusinessObjects Enterprise machine that you want to delete a server from. Stop the server that you want to delete from the system. With the server selected, click Delete Server on the toolbar. When prompted for confirmation, click Yes. To delete a UNIX server Use the serverconfig.sh script. For reference, see “serverconfig.sh” on page 602. BusinessObjects Enterprise Administrator’s Guide 171 7 Scaling Your System Adding and deleting servers 172 BusinessObjects Enterprise Administrator’s Guide Managing BusinessObjects Enterprise Repository chapter 8 Managing BusinessObjects Enterprise Repository BusinessObjects Enterprise Repository overview BusinessObjects Enterprise Repository overview The BusinessObjects Enterprise Repository is a database in which you manage shared report elements such as text objects, bitmaps, custom functions, and custom SQL commands. When you save any Business View, it is also saved to the BusinessObjects Enterprise Repository. You can refresh a report’s repository objects with the latest version from your BusinessObjects Enterprise Repository when you publish reports to BusinessObjects Enterprise. Alternatively, you can refresh a report’s repository objects on demand over the Web. The BusinessObjects Enterprise Repository is now hosted by the Central Management Server (CMS) system database. Before publishing reports that reference repository objects, move your existing Crystal Repository to the Central Management Server database. See the rest of this chapter for details. Copying data from one repository database to another BusinessObjects Enterprise enables you to copy the contents of one repository database into another database. This procedure is also referred to as migrating a BusinessObjects Enterprise Repository database. You can migrate repository data from a different repository database (from version 10 of Crystal Reports, or version 10 of Crystal Enterprise) into your current CMS database. Or, you can migrate the repository data from your current CMS database into a different data source. Throughout this section, the source CMS database refers to the database that holds the data you are copying; this data is copied into the destination database. Importing data from a Crystal Enterprise 10 or BusinessObjects Enterprise XI CMS You may want to import repository objects from a Crystal Enterprise 10 installation, or you may want to import repository objects from one BusinessObjects Enterprise XI installation to another. For example, you may have repository data on a test system that you want to move onto a production server. 174 BusinessObjects Enterprise Administrator’s Guide Managing BusinessObjects Enterprise Repository Copying data from one repository database to another 8 Use the Import Wizard to copy repository data from the source CMS. You can choose to merge the contents of the source repository into the destination repository, or you can update the destination with the contents of the source CMS. Merging repositories When you merge the contents of the source repository with the destination repository, you add all repository objects from the source CMS into the destination CMS without overwriting objects in the destination. This is the safest import option. All of the objects in the destination repository are preserved. Also, at a minimum, all repository objects from the source system with a unique title are copied to the destination repository. If an object from the source has the same title as an object in the destination, the object is imported to the destination repository if: • • The object is not a Business View. You have selected “Automatically rename top-level folders that match top-level folders on the destination system.” The end result is a destination repository that contains all objects from the source repository that have unique titles, copies of all non-Business View objects from the source repository that have titles that match titles of objects in the destination, and all objects originally in the destination repository. When an object is copied from the source CMS to the destination CMS, the folder or folders that contain the object are also copied, replicating the folder hierarchy of the source system on the destination. However, the names of top-level folders must be unique. Selecting “Automatically rename top-level folders that match top-level folders on the destination system” allows these folders to be renamed on the destination repository, and the objects in such folders to be copied to these renamed folders. Note: Top-level folders containing Business Views are not renamed, regardless of the options set. Renaming these folders would change the unique identifier associated with the Business View, causing the Business View functionality to fail. Updating the destination repository When you update the contents of the destination repository using the source repository as a reference, you add all objects in the source CMS to the destination CMS. If an object in the source repository has the same unique identifier as an object in the destination, the object in the destination is overwritten. BusinessObjects Enterprise Administrator’s Guide 175 8 Managing BusinessObjects Enterprise Repository Copying data from one repository database to another All object titles in a folder must be unique. By default, if copying an object from the source CMS to the destination CMS would result in more than one object in a folder with the same title, the copy fails. If you want these objects to be copied, select the check box “Automatically rename objects if an object with that title already exists in the destination folder.” Note: System Objects (users, user groups, servers, server groups, events, and calendars), are not renamed when you import them from one CMS to another, regardless of the options set. Changing the names of these objects would cause user management, server management, and event management for these objects to fail. See “Importing with the Import Wizard” on page 402 for full instructions on using the Import Wizard to copy objects from one BusinessObjects Enterprise XI repository to another. Copying data from a Crystal Enterprise 9 repository database In Crystal Enterprise 9, the Crystal Repository database was hosted on a separate database server that you could connect to through ODBC. In a BusinessObjects Enterprise environment, begin by making a backup copy of the source repository database. Then replace the repository by importing its contents into the CMS database using the Repository Migration Wizard. When you use the Repository Migration Wizard, neither the source nor the destination database is overwritten. Objects from the source repository will be added to the destination repository database. If the Wizard finds identical objects (that is, objects with the same unique identifier) in the source and destination repositories, the source objects will not be copied. When you copy repository objects into BusinessObjects Enterprise XI, only the most recent version of each object is copied. Note: Reports configured to use the source repository will now refer to the destination data source. 1. To copy repository data from Crystal Enterprise 9 From the BusinessObjects Enterprise program group, click Repository Migration Wizard. You must run the wizard on the machine containing your source repository. From the Source list in the Select Source Repository dialog, click the name of the repository that you want to import. 2. 176 BusinessObjects Enterprise Administrator’s Guide Managing BusinessObjects Enterprise Repository Copying data from one repository database to another 8 3. 4. 5. Type the UserID and Password of a user with administrative rights to the repository database. Click Next. The Select Destination Data Source dialog appears. In the CMS field, type the name of the destination data source’s Central Management Server. Type the User Name and Password of an Enterprise account that provides you with administrative rights to the CMS; then click Next. 6. From the “Source Repository Objects” list, select the items that you want to copy to your BusinessObjects Enterprise repository database. Click Next. BusinessObjects Enterprise exports the selected repository objects from your BusinessObjects Enterprise Repository, reporting success or failure for each object. 7. Click Next, and then Finish to complete the transfer and close the Repository Migration Wizard. Copying data from a Crystal Reports 9 repository database The Crystal Repository shipped with Crystal Reports 9 was an Access database (Repository.mdb). By default, it was located in the following directory of your Crystal Reports installation: C:\Program Files\Common Files\Crystal Decisions\2.0\bin\ BusinessObjects Enterprise Administrator’s Guide 177 8 Managing BusinessObjects Enterprise Repository Copying data from one repository database to another Begin by making a backup copy of this default database. Then replace the default repository by importing its contents into the CMS database using the Repository Migration Wizard. When you use the Repository Migration Wizard, neither the source nor the destination database is overwritten. Objects from the source repository will be added to the destination repository database. If the Wizard finds identical objects in the source and destination repositories, the source objects will not be copied. When you copy repository objects into BusinessObjects Enterprise XI, only the most recent version of each object is copied. Note: Reports configured to use the source repository will now refer to the destination data source. 1. To copy repository data from Crystal Reports 9 From the BusinessObjects Enterprise program group, click Repository Migration Wizard. You must run the wizard on the machine containing your source repository. From the Source list in the Select Source Repository dialog, click the name of the repository that you want to import. If you created security for your repository database, type a User id and Password valid for the repository database. 3. 4. 5. Click Next. Log on to the CMS using a user name with administrative rights to BusinessObjects Enterprise. From the “Source Repository Objects” list, select the items that you want to copy to your BusinessObjects Enterprise repository database. Click Next. 2. 178 BusinessObjects Enterprise Administrator’s Guide Managing BusinessObjects Enterprise Repository Refreshing repository objects in published reports 8 6. Select the folder in your destination repository where objects from your source directory will be placed. • To add objects to a new folder, select “Insert a new folder”, and then type the name of the folder. • 7. To delete an existing folder from your repository, select it, and then click “Delete the item/folder”. Click Next. BusinessObjects Enterprise exports the selected repository objects from your Crystal Reports repository, reporting success or failure for each object. 8. Click Next, and then Finish to complete the transfer and close the Repository Migration Wizard. Refreshing repository objects in published reports As you update objects stored in your BusinessObjects Enterprise Repository, you will want to update the published Crystal reports that reference those repository objects. When you refresh a report in this way, the old repository objects stored in the report are replaced with the latest versions from the BusinessObjects Enterprise Repository. BusinessObjects Enterprise Administrator’s Guide 179 8 Managing BusinessObjects Enterprise Repository Refreshing repository objects in published reports Note: Although refreshing with the repository is faster, you can also refresh reports by setting options that compare reports to their original source .rpt files. For more information, see “Setting report refresh options” on page 426. Tip: If you use Crystal Reports to open reports directly from your BusinessObjects Enterprise folders, you can update repository objects at that time. You can also refresh repository objects when you publish reports. For details, see “Publishing Objects to BusinessObjects Enterprise” on page 373. 1. 2. 3. 4. To refresh a published report’s repository objects Go to the Objects management area of the CMC. Click the link to the report you want to refresh. On the Properties tab, click the Refresh Options link. Verify that the Use Object Repository when refreshing report check box is selected. Note: If the check box is cleared, select it now and click Update. 5. Click Refresh Report. Tip: Once you have enabled repository refresh for each report, you can refresh multiple reports simultaneously using the Report Repository Helper. The Report Repository Helper is available from Administrative Tools area in the BusinessObjects Enterprise Admin Launchpad. 180 BusinessObjects Enterprise Administrator’s Guide Working with Firewalls chapter 9 Working with Firewalls Firewalls overview Firewalls overview BusinessObjects Enterprise works with firewall systems to provide reporting across intranets and the Internet without compromising network security. This chapter provides general information about what a firewall is and types of firewalls: • • “What is a firewall?” on page 182 “Firewall types” on page 183 If you are already familiar with firewalls and the configuration used in your network, proceed directly to “Understanding firewall integration” on page 186. What is a firewall? A firewall is a security system that protects one or more computers from unauthorized network access. A firewall restricts people to entering and leaving your network at a carefully controlled point. It also prevents attackers from getting close to your other defenses. Typically, a firewall protects a company’s intranet from being improperly accessed through the Internet. A firewall can enforce a security policy, log Internet activity, and be a focus for security decisions. A firewall can’t protect against malicious insiders or connections that don’t go through it. A firewall also can’t set itself up correctly or protect against completely new threats. To help explain how firewalls work, some basic networking terms are described here: • • “TCP/IP and packets” on page 182 “Ports” on page 183 If you are already familiar with these topics see “Understanding firewall integration” on page 186. TCP/IP and packets TCP/IP (Transmission Control Protocol/Internet Protocol) is the communications protocol used on the Internet. The units of data transmitted through a TCP/IP network are called packets. Packets are typically too small to contain all the data that is sent at any one time, so multiple packets are required, each containing a portion of the overall data. When data is sent by TCP/IP, the packets are constructed such that a layer for each protocol is wrapped around each packet. Typically, TCP/IP packets have the following layers: • Application layer (for example, FTP, telnet, and HTTP). 182 BusinessObjects Enterprise Administrator’s Guide Working with Firewalls Firewalls overview 9 • • • Transport layer (TCP or UDP). Internet layer (IP). Network Access layer (for example, ethernet and ATM). At the application layer, the packet consists simply of the data to be transferred. As the packet moves through the layers, each layer adds a header to the packet, preserving the data from the previous level. These headers are used to determine the packet’s destination and to ensure that it arrives intact. When the packet reaches its destination, the process is reversed: the layers are sequentially removed until the transferred data is available to the destination application. Ports Ports are logical connection points that a computer uses to send and receive packets. With TCP/IP, ports allow a client program to specify a particular server program on a computer in a network. High-level applications that use TCP/IP have ports with pre-assigned numbers. For instance, when you visit a typical HTTP site over the Web, you communicate with the web server on port 80, which is the pre-assigned port for HTTP communication. Other application processes are given port numbers dynamically for each connection. When a service or daemon initially is started, it binds to its designated port number. When any client program wants to use that server, it must also request to bind to the designated port number. Valid port numbers range from 0 to 65536, but ports 0 to 1024 are reserved for use by certain privileged services. Firewall types Firewalls primarily function using at least one of the following methods: • • • “Packet filtering” on page 184 “Network Address Translation” on page 184 “SOCKS proxy servers” on page 185 BusinessObjects Enterprise works with these firewall types. Note: Business Objects will be moving away from supporting SOCKS proxy servers. As a result SOCKS proxy servers are still supported in BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a future release of BusinessObjects Enterprise. If you are using SOCKS proxy servers now, we recommend you switch to a different firewall method. BusinessObjects Enterprise Administrator’s Guide 183 9 Working with Firewalls Firewalls overview Packet filtering Packet filtering rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services. Packet filtering can reject packets based on the following: • • • • • The address the data is coming from. The address the data is going to. The session and application ports being used to transfer the data. The data contained within the packet. Stateful packet filters remember the state of connections at the network and session layers by recording the established session information that passes through the filter gateway. The filter then uses that information to discriminate valid return packets from invalid connection attempts. Stateless packet filters do not retain information about connections in use; instead, they make determinations packet-by-packet based only on the information contained within the packet. Firewalls that employ packet filtering will work with BusinessObjects Enterprise. Typically there are two types of packet filtering: • Network Address Translation Network Address Translation (NAT) converts private IP addresses in a private network to globally unique, public IP addresses for use external to that network. NAT is also called IP masquerading. The main purpose of NAT is to hide internal hosts. As outgoing packets are routed through the firewall, NAT hides internal hosts by converting their IP addresses to an external address. Once the translation is complete, the firewall sends the data payload on to its original destination; thus, NAT makes it appear that all traffic from your site comes from one (or more) external IP addresses. The firewall maintains a translation table to keep track of the address conversions that it has performed. When an incoming response arrives at the firewall, the firewall uses this translation table to determine which internal host should receive the response. Because this type of firewall essentially sends and receives data on behalf of internal hosts, NAT can also be described as a simple proxy. 184 BusinessObjects Enterprise Administrator’s Guide Working with Firewalls Firewalls overview 9 There are two basic types of NAT: • Static translation (port forwarding) grants a specific internal host a fixed translation that never changes. For example, if you run an email server inside a firewall, you can establish a static route through the firewall for that service. Dynamic translation (automatic, hide mode, or IP masquerade) shares a small group of external IP addresses amongst a large group of internal clients for the purpose of expanding the internal network address space. Because a translation entry does not exist until an internal client establishes a connection out through the firewall, external computers have no way to address an internal host that is protected using a dynamically translated IP address. Note: Some protocols do not function correctly when the port is changed. These protocols will not work through a dynamically translated connection. • BusinessObjects Enterprise and static translation NAT can be configured so that they work together. SOCKS proxy servers Note: Business Objects will be moving away from supporting SOCKS proxy servers. As a result SOCKS proxy servers are still supported in BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a future release of BusinessObjects Enterprise. If you are using SOCKS proxy servers now, we recommend you switch to a different firewall method. SOCKS is a networking protocol that enables computers on one side of a SOCKS server to access computers on the other side of a SOCKS server without requiring a direct IP connection. A SOCKS server redirects connection requests from computers on one side of it to computers on the other side of it. A SOCKS server typically authenticates and authorizes requests, establishes a proxy connection, and relays data between the internal and external networks. BusinessObjects Enterprise supports and works with SOCKS servers. SOCKS servers work by listening for service requests from internal clients. When an external request is made, the SOCKS server sends the requests to the internal network as if the SOCKS server itself was the originating client. When the SOCKS server receives a response from the internal server, it returns that response to the original client as if it were the originating external server. This effectively hides the identity and the number of clients on the internal network from examination by anyone on the external network. BusinessObjects Enterprise Administrator’s Guide 185 9 Working with Firewalls Understanding firewall integration Understanding firewall integration This section gives a conceptual overview of internal communications between BusinessObjects Enterprise servers and the implications for firewall configuration. It also reviews the most common firewall scenarios. It includes: • • “Communication between servers” on page 186 “Typical firewall scenarios” on page 188 For detailed step-by-step instructions on how to configure your system to work in a firewalled environment, see “Configuring the system for firewalls” on page 190. Communication between servers It is helpful to understand the basics of internal communications between BusinessObjects Enterprise servers before configuring your BusinessObjects Enterprise system to work with firewalls. BusinessObjects Enterprise connections include: • • “Communication between servers and the CMS directory listing service” on page 186 “Communication between the application tier and CMS” on page 187 Some examples also apply to communications between a BusinessObjects Enterprise server and the BusinessObjects Enterprise SDK (or other BusinessObjects Enterprise SDKs, such as the Report Application Server SDK or the Viewer SDK). Where applicable, these examples are indicated in the descriptions. Communication between servers and the CMS directory listing service The Central Management Server (CMS) manages a directory listing service for the application server and the servers in the Intelligence tier and the Processing tier. See “Architecture overview and diagram” on page 54 for a listing of these servers. When a BusinessObjects Enterprise server first connects to the BusinessObjects Enterprise framework, it registers its IP address and port number with the CMS. By default this port number is dynamically chosen. When one BusinessObjects Enterprise server needs to communicate with another, it contacts the directory listing service on the CMS to obtain the connection information. The first server then uses this information to communicate directly with the second server. 186 BusinessObjects Enterprise Administrator’s Guide Working with Firewalls Understanding firewall integration 9 For example, before running a scheduled report, the Job Server must communicate with the Input File Repository Server (FRS) to obtain the report object. To do so: 1. 2. 3. The Job Server contacts the CMS and requests connection information for the Input FRS. The CMS replies to the Job Server with the IP address and port number of the Input FRS. The Job Server uses this information to connect directly to the Input FRS. All subsequent communications between the two servers continues using the same address and port. This communication model is also used when a BusinessObjects Enterprise SDK or the WCA communicates directly with a server in the Intelligence tier or the Processing tier. Communications between the CMS and the BusinessObjects Enterprise SDK and WCA follow another model. See “Communication between the application tier and CMS” on page 187. Using the -requestport command, you can configure any BusinessObjects Enterprise server to register a fixed port number with the CMS, rather than using one that is dynamically selected. Note: • • • Communication between the application tier and CMS Not all BusinessObjects Enterprise components use the directory listing service on the CMS to make their initial connections with other elements of BusinessObjects Enterprise. The WSA contacts the CMS using a pre-defined address and port number. The CMS replies with its address and a second port number, which by default is selected dynamically. Subsequent communications continue using this address and second port number. You can use the -requestport command to configure the CMS to reply with a fixed port number for subsequent communications, rather than one that is dynamically selected. Using the -port option, you can also customize the CMS to listen on a specific port for initial communications, rather than using the pre-defined default value (port 6400 for the CMS). Note: • Before changing the default port numbers, see “Changing the default server port numbers” on page 140 for additional configuration information. BusinessObjects Enterprise Administrator’s Guide 187 9 Working with Firewalls Understanding firewall integration • You may also change the default port that the CMS uses to listen for initial communications from the Configuration tab of the Properties dialog in the Central Configuration Manager. Firewall configuration overview By default BusinessObjects Enterprise uses dynamically chosen port numbers for communications between components. You must change this default when you place a stateful firewall that uses packet filtering or Network Address Translation (NAT) between BusinessObjects Enterprise components because these firewalls provide protection by permitting communications from outside the firewall with only specified addresses and ports inside the firewall. To enable BusinessObjects Enterprise to communicate across such a firewall, you must: 1. 2. Configure its components to use fixed addresses and ports. Configure your firewall to allow communications to the services behind the firewall using these addresses and ports. The process is similar when you configure your BusinessObjects Enterprise system to communicate across SOCKS proxy filters. But BusinessObjects Enterprise provides direct support for SOCKS proxy filters, so you need only configure each component to be aware of the location and type of the proxies that they communicate with. Note: When this section mentions firewalling different BusinessObjects Enterprise components, it assumes that the components reside on separate computers. If the components reside on the same computer, their communication is uninterrupted by firewalls, and no additional configuration is required. Typical firewall scenarios If all users of your BusinessObjects Enterprise system are on your internal network, there is no need to perform any special configuration of your firewalls or of BusinessObjects Enterprise. Simply place all BusinessObjects Enterprise components on computers inside your firewall. However, if you need to provide access to BusinessObjects Enterprise to external users, you must consider where to place each BusinessObjects Enterprise component, and how to configure both BusinessObjects Enterprise and your firewalls in order to provide this access. This section outlines the following common firewall scenarios: • • 188 “Application tier separated from the CMS by a firewall” on page 189 “Thick client separated from the CMS by a firewall” on page 189 BusinessObjects Enterprise Administrator’s Guide Working with Firewalls Understanding firewall integration 9 These scenarios are general cases: once you understand the firewalling issues involved, you should be able to support BusinessObjects Enterprise in wide variety of contexts. Application tier separated from the CMS by a firewall In most cases, clients access protected information through a web server running in a Demilitarized Zone (DMZ). A DMZ is a network area that is neither part of the internal network nor directly part of the Internet. Typically, the DMZ is set up between two firewalls: an outer firewall and an inner firewall. You may chose to place your application server in the DMZ, while placing the CMS and all other BusinessObjects Enterprise servers on the internal network. BusinessObjects Enterprise requires that the CMS and the remaining server components are not separated from one another by firewalls. Note: Placing your application server in the DMZ is less secure than placing it on your internal network. For maximum security, you may prefer to place your BusinessObjects Enterprise application server on your internal network. For more information, see: • • • “Configuring NAT when application tier is separated from the CMS” on page 190 “Configuring packet filtering when application tier is separated from CMS” on page 196 “Configuring for SOCKS servers” on page 199 Thick client separated from the CMS by a firewall You can publish reports or analytic objects to BusinessObjects Enterprise by saving these objects to BusinessObjects Enterprise from within Crystal Reports or OLAP Intelligence, or by using the Import Wizard or Publishing Wizard. However, the thick clients communicate directly with the CMS. This means that if there is a firewall between the computer running one of these thick clients and the CMS, this operation fails. You must configure your CMS, your File Repository Servers, and your firewall if you want to support this network configuration. For more information, see: • • “Configuring NAT when thick client is separated from the CMS” on page 195 “Configuring packet filtering when thick client is separated from the CMS” on page 198 BusinessObjects Enterprise Administrator’s Guide 189 9 Working with Firewalls Configuring the system for firewalls Configuring the system for firewalls This section gives practical step-by-step instructions for configuring your BusinessObjects Enterprise system to work in a firewalled environment. It includes: • • • “Configuring for Network Address Translation” on page 190 “Configuring for packet filtering” on page 195 “Configuring for SOCKS servers” on page 199 For a conceptual overview of communications between BusinessObjects Enterprise components and of supported firewall configurations, see “Understanding firewall integration” on page 186. Note: If you have multiple BusinessObjects Enterprise servers of a given type, the overall procedure for configuring your system to work with firewalls will not change. Configure each server as described in the section that describes your firewall environment, and then specify a firewall rule for the server. Configuring for Network Address Translation If you use Network Address Translation (NAT) only on the outer firewall of the DMZ, then no special configuration is required for BusinessObjects Enterprise to communicate properly. However, if you separate BusinessObjects Enterprise components using NAT, you need to configure these components to communicate properly through the firewall. Note: You can configure BusinessObjects Enterprise to communicate properly across NAT firewalls that use static IP translation; however, BusinessObjects Enterprise cannot communicate across a firewall whose IP translation is dynamic. Depending on your system configuring, configuring for Network Address Translation can include one or both of the following tasks: • • “Configuring NAT when application tier is separated from the CMS” on page 190 “Configuring NAT when thick client is separated from the CMS” on page 195 Configuring NAT when application tier is separated from the CMS If the application server is separated from the CMS and other BusinessObjects Enterprise servers by NAT, you must ensure that whenever a BusinessObjects Enterprise server passes an address across the firewall to the application server, it passes a fully qualified domain name (FQDN) that is routable by the firewall. 190 BusinessObjects Enterprise Administrator’s Guide Working with Firewalls Configuring the system for firewalls 9 Ports The application server must be able to communicate with every BusinessObjects Enterprise server behind the firewall. Therefore, you must open a port on the firewall for each server. The application server must be a Tomcat or IIS server. Configuring BusinessObjects Enterprise for Network Address Translation when the application tier is separated from the CMS by a firewall includes: • • • • “Configuring the CMS” on page 191 “Configuring the BusinessObjects Enterprise servers” on page 192 “Configuring the hosts files” on page 193 “Specifying firewall rules for NAT” on page 194 Configuring the CMS 1. 2. 3. 4. To configure the CMS on Windows Start the CCM. Stop the Central Management Server. On the toolbar, click Properties. In the Command box, add the following option: -port FQDN:6400 -requestport portnum For the -port command, replace FQDN with the fully qualified domain name of the machine that is running the CMS. This machine must be routable from the application server. For the -requestport command, substitute any valid free port number for portnum. Tip: If you want to customize the CMS so that it listens on a port other than the default, substitute your new port number for the default value of 6400. If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see “Changing the default server port numbers” on page 140. 5. 6. 1. Click OK to return to the CCM. Start the Central Management Server. To configure the CMS on UNIX Run ccm.sh. By default the script and the ccm.config file are installed in the Business Objects install directory, for example /export/home/ businessobjects. BusinessObjects Enterprise Administrator’s Guide 191 9 Working with Firewalls Configuring the system for firewalls 2. 3. Stop the Central Management Server. Edit the ccm.config file to insert the following command line: -port FQDN:6400 -requestport portnum For the -port command, replace FQDN with the fully qualified domain name of the machine that is running the CMS. This machine must be routable from the application server. For the -requestport command, substitute any valid free port number for portnum. 4. Use ccm.sh to start the Central Management Server. Configuring the BusinessObjects Enterprise servers The procedure for configuring the BusinessObjects Enterprise servers varies for Windows and UNIX. • • 1. 2. 3. 4. “To configure BusinessObjects Enterprise servers on Windows” on page 192 “To configure BusinessObjects Enterprise servers on UNIX” on page 192 To configure BusinessObjects Enterprise servers on Windows Start the CCM. Stop the server. On the toolbar, click Properties. In the Command box, add the following option: -port FQDN -requestport portnum For the -port command, replace FQDN with the fully qualified domain name of the machine that is running the server. This machine must be routable from the application server. For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number. 5. 6. 7. 1. Click OK to return to the CCM. Start the server. Repeat for each BusinessObjects Enterprise server. To configure BusinessObjects Enterprise servers on UNIX Run ccm.sh. By default the script and the ccm.config file are installed in the Business Objects install directory, for example /export/home/ businessobjects. 192 BusinessObjects Enterprise Administrator’s Guide Working with Firewalls Configuring the system for firewalls 9 2. 3. Stop the server. Edit the ccm.config file to insert the following command line: -port FQDN -requestport portnum For the -port command, replace FQDN with the fully qualified domain name of the machine that is running the server. This machine must be routable from the application server. For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number. 4. 5. Use ccm.sh to start the server. Repeat for each BusinessObjects Enterprise server. Configuring the hosts files On each machine running a BusinessObjects Enterprise server, you must configure the hosts file so that the server can map the FQDN it receives from the Central Management Server (CMS) to an internally routable IP address. This is necessary to enable communication between servers inside the firewall. The procedure for configuring the hosts file is different for Windows and UNIX. See: • • 1. 2. “To configure the hosts files on Windows” on page 193 “To configure the hosts files on UNIX” on page 193 To configure the hosts files on Windows Open the hosts file using a text editor like Notepad. The hosts file is located at \WINNT\system32\drivers\etc\hosts. Follow the instructions in the hosts file to add an entry for each machine behind the firewall that is running a BusinessObjects Enterprise server or servers. Use the internally routable IP address of the machine and its externally routable fully qualified domain name. Save the hosts file. 3. To configure the hosts files on UNIX Note: Your UNIX operating system must be configured to first consult the hosts file to resolve domain names, before consulting DNS. Consult your UNIX systems documentation for details. 1. Open the hosts file using an editor like vi. The hosts file is located at \etc\hosts. BusinessObjects Enterprise Administrator’s Guide 193 9 Working with Firewalls Configuring the system for firewalls 2. Add an entry for each machine behind the firewall that is running a BusinessObjects Enterprise server. Use the translated IP address of the machine and its fully qualified domain name. Save the hosts file. On the firewall machine, add a route from the translated IP address to the actual internal IP address: route add translatedIPaddress actualIPaddress 3. 4. Where translatedIPDaddress is the actual translated IP address, and actualIPaddress is the actual internal IP address for the a server. Specifying firewall rules for NAT When there is a firewall between the application server and the rest of the BusinessObjects Enterprise servers you need to specify the inbound access rules and one outbound rule. The outbound rule is needed because the application server may register listeners with any of the BusinessObjects Enterprise servers For details of how to specify these rules, consult your firewall documentation. For details about the rules see: • • “Inbound Rules” on page 194 “Outbound Rules” on page 195 The fixed port numbers specified in the chart are the port numbers you specify for servers using -requestport. See “Configuring the CMS” on page 191, and “Configuring the BusinessObjects Enterprise servers” on page 192 for details. Inbound Rules Source Computer Application server Application server Application server Any Any Port Any Any Any Any Any Destination Computer Port CMS CMS Other BusinessObjects Enterprise server CMS Other BusinessObjects Enterprise Server 6400 Action Allow Allow Allow Reject Reject fixed fixed Any Any Note: There must be one inbound firewall rule for each BusinessObjects Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number. 194 BusinessObjects Enterprise Administrator’s Guide Working with Firewalls Configuring the system for firewalls 9 Outbound Rules Source Computer Machines hosting BusinessObjects Enterprise server Port Any Destination Computer Port Application server Any Action Allow This outbound rule is needed because the application server may register listeners on servers behind the firewall. These listeners may initiate communication with the application server. Configuring NAT when thick client is separated from the CMS You can publish reports or analytic objects to BusinessObjects Enterprise by saving these objects to BusinessObjects Enterprise from within Crystal Reports or OLAP Intelligence, or by using the Import or Publishing Wizards. However, if there is a firewall between the computer running one of these thick clients and the Central Management Server (CMS), this operation fails. Configuring your BusinessObjects Enterprise system to support this configuration when the firewall uses Network Address Translation (NAT) is very similar to configuring your system to support a NAT firewall between the application tier and the Central Management Server. For full instructions, follow the detailed steps in “Configuring NAT when application tier is separated from the CMS” on page 190 but: • • Configure only the Central Management Server and the Input File Repository Server. Establish inbound firewall rules for communication between the Crystal Reports or OLAP Intelligence machine and the CMS and Input File Repository Server. You do not need to establish an outbound firewall rule. Configuring for packet filtering If you use packet filtering only on the outer firewall of the DMZ, then no special configuration is required for BusinessObjects Enterprise to communicate properly. However, if you separate BusinessObjects Enterprise components using packet filtering, you need to configure them to communicate properly through the firewall. This section includes: • • “Configuring packet filtering when application tier is separated from CMS” on page 196 “Configuring packet filtering when thick client is separated from the CMS” on page 198. BusinessObjects Enterprise Administrator’s Guide 195 9 Working with Firewalls Configuring the system for firewalls Configuring packet filtering when application tier is separated from CMS If your firewall performs packet filtering, you must configure the CMS and every BusinessObjects Enterprise server inside the inner firewall to respond to communications from the application server on a fixed port. This includes: • • “Configuring the BusinessObjects Enterprise servers” on page 196 “Specifying firewall rules for packet filtering” on page 197 Configuring the BusinessObjects Enterprise servers The procedure for configuring the BusinessObjects Enterprise servers varies for Windows and UNIX. See: • • 1. 2. 3. 4. “To configure BusinessObjects Enterprise servers on Windows” on page 196 “To configure BusinessObjects Enterprise servers on UNIX” on page 196 To configure BusinessObjects Enterprise servers on Windows Start the CCM. Stop the first server. On the toolbar, click Properties. In the Command box, add the following option: -requestport portnum For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number. Tip: If you want to customize the CMS so that it listens on a port other than the default, also add -port cmsport to the command line, where cmsport is the new port number for the default value of 6400. For example: -port cmsport -requestport portnum If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see “Changing the default server port numbers” on page 140. 5. 6. 7. 1. Click OK to return to the CCM. Start the server. Repeat for each BusinessObjects Enterprise server behind the firewall. To configure BusinessObjects Enterprise servers on UNIX Run ccm.sh. By default the script and the ccm.config file are installed in the BusinessObjects install directory, for example /export/home/ businessobjects. 196 BusinessObjects Enterprise Administrator’s Guide Working with Firewalls Configuring the system for firewalls 9 2. 3. Stop the server. Edit the ccm.config file to insert the following command line: -requestport portnum For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number. Tip: If you want to customize the CMS so that it listens on a port other than the default, also add -port 6400 to the command line, substituting your new port number for the default value of 6400. If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see “Changing the default server port numbers” on page 140. 4. 5. Use ccm.sh to start the server. Repeat for each BusinessObjects Enterprise server. Specifying firewall rules for packet filtering When there is a firewall between the application server and the rest of the BusinessObjects Enterprise servers you need to specify the inbound access rules and one outbound rule. The outbound rule is needed because the application server may register listeners with any of the BusinessObjects Enterprise servers. For details of how to specify these rules, consult your firewall documentation. For details about the rules see: • • “Inbound Rules” on page 198 “Outbound Rules” on page 198 The fixed port numbers specified in the chart are the port numbers you specify for the CMS and other BusinessObjects Enterprise servers using -requestport. BusinessObjects Enterprise Administrator’s Guide 197 9 Working with Firewalls Configuring the system for firewalls Inbound Rules Source Computer Application server Application server Application server Any Any Port Any Any Any Any Any Destination Computer Port CMS CMS Other BusinessObjects Enterprise server CMS Other BusinessObjects Enterprise servers 6400 Action Allow Allow Allow Reject Reject fixed fixed Any Any Note: There must be an inbound firewall rule for each BusinessObjects Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number. Outbound Rules Source Computer Machines hosting BusinessObjects Enterprise server Port Any Destination Computer Port Application server Any Action Allow This outbound rule is needed because the application server may register listeners on servers behind the firewall. These listeners may initiate communication with the application server. Configuring packet filtering when thick client is separated from the CMS You can publish reports or analytic objects to BusinessObjects Enterprise by saving these objects to BusinessObjects Enterprise from within Crystal Reports or OLAP Intelligence, or by using the Import or Publishing Wizards. However, if there is a firewall between the computer running one of these thick clients and the CMS, this operation fails. Configuring your BusinessObjects Enterprise system to support this configuration when the firewall uses packet filtering is very similar to configuring your system to support a packet filtering firewall between the application tier and the Central Management Server (CMS). For full instructions, follow the detailed steps in “Configuring packet filtering when application tier is separated from CMS” on page 196 but: • Configure only the Central Management Server and the Input File Repository Server to use fixed port numbers for communication. 198 BusinessObjects Enterprise Administrator’s Guide Working with Firewalls Configuring the system for firewalls 9 • Establish inbound firewall rules for communication between the Crystal Reports or OLAP Intelligence machine and the CMS and Input File Repository Server. You do not need to establish an outbound firewall rule. Configuring for SOCKS servers Note: Business Objects will be moving away from supporting SOCKS proxy servers. As a result SOCKS proxy servers are still supported in BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a future release of BusinessObjects Enterprise. If you are using SOCKS proxy servers now, we recommend you switch to a different firewall method. BusinessObjects Enterprise provides direct support for SOCKS proxy server firewalls on Windows installations that use the BusinessObjects Enterprise .NET SDK. There is limited support of SOCKS for the UNIX installation of BusinessObjects Enterprise, or for a Windows installation that uses the BusinessObjects Enterprise Java SDK. You can configure the Web Component Adapter to communicate through a SOCKS server, but the Java SDK has no support for SOCKS. Therefore you may be able to configure your system to support a custom CSP application and SOCKS, but you cannot use JSP pages through a SOCKS firewall. Note: The EBUS layer of the Java SDK does not support communications using the SOCKs protocol. The means that applications written using the Java SDK cannot be on the outside of a firewall from any components that must be accessed, if the only means of traversing the firewall is using the SOCKs protocol. Therefore only perform the test cases that utilize socks when using IIS on a windows deployment This list describes when to use the procedures that are provided in the remainder of this section: • • Configuring the CMS for SOCKS Servers Complete these steps if one or more SOCKS servers separate the WCA from the CMS. Configuring the WCA for SOCKS servers When configuring your WCA for SOCKS, complete these steps regardless of the location of your SOCKS server(s). BusinessObjects Enterprise requires that the CMS and the remaining server components are not separated from one another by firewalls. The remaining server components automatically obtain their SOCKS configuration from the CMS, as required, so you don’t need to configure them separately. BusinessObjects Enterprise Administrator’s Guide 199 9 Working with Firewalls Configuring the system for firewalls Configuring the CMS for SOCKS Servers Complete these steps if one or more SOCKS servers separate the application server from the CMS. The remaining BusinessObjects Enterprise servers automatically obtain their SOCKS configuration from the CMS, as required, so you don’t need to configure them separately. 1. 2. 3. 4. 5. 6. 7. To configure the CMS on Windows Start the CCM. Stop all of the Business Objects servers, including the Central Management Server. Select the CMS and, on the toolbar, click Properties. On the Connection tab, click Add. In the SOCKS Proxy dialog box, type the Server Name or IP Address of your SOCKS server. In the Server Port field, type the number of the port that the SOCKS server is listening on. Select the SOCKS version that you are running (Ver 4 or Ver 5). If you are using version 5 and you would like to secure access to the server, select the authentication check box, and then enter your user name and password. 8. Click OK. If you have more than one SOCKS server, repeat steps 4 to 8 for each additional server. Then click Up and Down to order the SOCKS servers from the outermost (closest to the application server or Web Component Server) to the innermost (closest to the CMS). 9. Click OK in all three dialog boxes to return to the CCM. 10. Start the BusinessObjects Enterprise server components. To configure the CMS on UNIX The UNIX version of BusinessObjects Enterprise includes a utility that allows you to configure BusinessObjects Enterprise servers to work with SOCKS servers. For details, see “For more information about each of these topics, see “Scalability overview” on page 158.” on page 602. Configuring the WCA for SOCKS servers Complete these steps if one or more SOCKS servers separates the Web Component Adapter (WCA) from the Central Management Server (CMS). These steps provide the WCA with the required information about each SOCKS server, in order, from the outermost to the innermost. 200 BusinessObjects Enterprise Administrator’s Guide Working with Firewalls Configuring the system for firewalls 9 The outermost SOCKS server is the one closest to the web server. The innermost SOCKS server is the last SOCKS server that the WCA communicates with before the CMS. The procedure for configuring the WCA is different for Windows and Unix. See: • • 1. “To configure the WCA on UNIX” on page 201 “To configure the WCA on Windows” on page 201 To configure the WCA on UNIX Run the sockssetup.sh script to configure the BusinessObjects Enterprise servers and WCA to work with the SOCKS servers. For details, see “sockssetup.sh” on page 603. To configure the WCA on Windows Add the SOCKS information to the WCA. Edit the web.xml deployment descriptor file associated with the webcompadapter.war to insert a SOCKS URI (universal resource identifier). This URI tells your WCA how to contact the CMS through your SOCKS server(s). See “Configuring the Web Component Adapter” on page 89 for details on editing web.xml. 1. 2. Edit the file C:\Inetpub\wwwroot\Web.config. a. b. Go to the line: Add the following SOCKS server information: *Socks://Version;User:Password@SOCKSserver:Port/ CMSmachine:Port c. 3. a. b. c. d. e. f. g. Save the file. Start the CCM. Stop the CMS. Double-click the CMS. The Properties dialog box appears. Click Configuration tab. Enter the SOCKS information. Start the server again. Repeat step 3 for all the BusinessObjects Enterprise server. Configure the BusinessObjects Enterprise server: BusinessObjects Enterprise Administrator’s Guide 201 9 Working with Firewalls Configuring the system for firewalls 202 BusinessObjects Enterprise Administrator’s Guide Managing Auditing chapter 10 Managing Auditing Auditing overview Auditing overview Auditing allows you to monitor and record key facts about your BusinessObjects Enterprise system. Having information about who is using your system and which objects they are accessing allows you to answer system-level questions like “which groups within the company use our BusinessObjects Enterprise system the most?” or “how many concurrent user licenses are we using at any given time?” Auditing also allows you to better administer individual user accounts and reports by giving you more insight into what actions users are taking and which reports they are accessing. This information lets you be more proactive in managing the operation and deployment of your BusinessObjects Enterprise system, while helping you better evaluate the value that BusinessObjects Enterprise provides to your organization. How does auditing work? The Central Management Server (CMS) acts as the system auditor, while each BusinessObjects Enterprise server that controls actions that you can monitor is an auditee. To audit an action in BusinessObjects Enterprise, you must first determine which server controls that action. Then you must enable auditing of that action in the Servers management area of the Central Management Console. As the auditee, the BusinessObjects Enterprise server will then begin to record these audit actions in a local log file. As the auditor, the CMS controls the overall audit process. Each server writes audit records to a log file local to the server. At regular intervals the CMS communicates with the auditee servers to request copies of records from the auditee’s local log files. When the CMS receives these records it writes data from the log files to the central auditing database. The CMS also controls the synchronization of audit actions that occur on different machines. Each auditee provides a time stamp for the audit actions that it records in its log file. To ensure that the time stamps of actions on different servers are consistent, the CMS periodically broadcasts its system time to the auditees. The auditees then compare this time to their internal clocks. If differences exist, they make a correction to the time stamp they record in their log files for subsequent audit actions. Once the data is in the auditing database you can run pre-configured reports against the database or design custom reports to suit your own needs. 204 BusinessObjects Enterprise Administrator’s Guide Managing Auditing Auditing overview 10 Note: • • • You must configure the auditing database on the CMS before you can begin to audit. See “Configuring the auditing database” on page 209. The CMS acts as both an auditor and as an auditee when you configure it to audit an action that the CMS itself controls. In a CMS cluster, the cluster will nominate one CMS to act as system auditor. If the machine that is running this CMS fails, another CMS from the cluster will take over and begin acting as auditor. Which actions can I audit? You can use auditing to track the actions of individual users of BusinessObjects Enterprise as they log in and out of the system, access data, or create file-based events. You can also monitor system actions like the success or failure of scheduled objects. (For a complete list of auditable actions, see “Reference list of auditable actions” on page 205). For each action, BusinessObjects Enterprise records the time of the action, the name and user group of the user who initiated the action, the server where it was performed, and a variety of other parameters more fully documented in “Auditing database schema reference” on page 218. Once you have collected this data, you can use a custom or pre-configured report to view the raw data, or to answer more complex queries such as “how many concurrent licenses are we using at a given time?”. See “Using sample audit reports” on page 214 or “Creating custom audit reports” on page 217 for more information. Reference list of auditable actions This list contains a complete list of the audit actions you can enable in BusinessObjects Enterprise. It is organized according to the types of actions that you can audit, to help you find the server where you enable auditing of these actions. For step by step instructions on how to enable audit actions, see “Enabling auditing of user and system actions” on page 210. For more information about the actions that are audited, and the data that is recorded for each audit action, see the “Auditing database schema reference” on page 218. BusinessObjects Enterprise Administrator’s Guide 205 10 Managing Auditing Auditing overview User Actions Actions Folders A folder is created. A folder is deleted. BusinessObjects Enterprise Server CMS Crystal reports A folder is modified. (The name, location, or description of a folder is modified.) A report has been viewed successfully. Cache Server A report could not be viewed. • • A report is opened successfully using: the Advanced DHTML viewer. a custom application that uses RAS SDK. RAS A report fails to open. A report has been created successfully using: • a custom application that uses the RAS SDK. A report fails to be created. A report is saved successfully (using a custom application based on the RAS SDK). A report fails to save using a custom application based on the RAS API. Get list of universes. Web Intelligence Web Report Server Intelligence • A user has begun creating a new Web Intelligence documents document, which triggers a request to the server for the list of available universes. Save document to repository. • • • A user has saved a Web Intelligence document within BusinessObjects Enterprise. Read Document. User opens an existing Web Intelligence document. A user has selected a universe as they create a new Web Intelligence document, or as they edit an existing Web Intelligence document. Selection of universe. 206 BusinessObjects Enterprise Administrator’s Guide Managing Auditing Auditing overview 10 Actions Refresh document. Web Intelligence • User manually refreshes a Web Intelligence documents document, or the user opens a Web Intelligence document that is set to “refresh on open”. Edit document. BusinessObjects Enterprise Server Web Intelligence Report Server • • User enters “Edit document” mode for an existing Web Intelligence document. Apply format. User applies a formatting change to an existing Web Intelligence document in a query panel. Get page. • Server renders the pages of a Web Intelligence document in response to a user request to display all or part of a document. Generate SQL. • Server generates an SQL query in response to a user action that requires data to be retrieved from a database. Drill out of scope. • User drills past the scope of the data currently in memory, and triggers a call to the database for more data. List of values. • Users A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document. A concurrent user logon succeeds. A named user logon succeeds. A user logon fails. A user’s password is changed. User logs off. A job has been run successfully. (A user has successfully sent an object to a destination.) A job has failed to run. (An object has failed to be sent to a destination.) A job failed but will try to run again. CMS Send an object to a destination Destination Job Server BusinessObjects Enterprise Administrator’s Guide 207 10 Managing Auditing Auditing overview Actions File-based events BusinessObjects Enterprise Server An event is registered. Event Server (Event is created, and registered with system) An event is updated. (The name, description, or filename of an event is modified.) An event is unregistered. (Event is removed from system.) System Actions Actions Scheduled objects BusinessObjects Enterprise Server A job has been run successfully. Job Servers For example, a scheduled Crystal report has run successfully. A job has failed to run. For example, a scheduled Crystal report has failed to run. Tip: To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of “A job has failed to run” on the Job Server, and “Communication with a running instance is lost.” on the Central Management Server. A job failed but will try to run again. Communication with a running instance is lost. For example, a scheduled Crystal report has failed to run because communication with the instance was lost, and the scheduled time for running the report expired. CMS File-based events Note: You do not need to enable this option to audit every failure of a scheduled Web Intelligence document. An event is triggered. Event Server 208 BusinessObjects Enterprise Administrator’s Guide Managing Auditing Configuring the auditing database 10 Configuring the auditing database Before you audit actions within BusinessObjects Enterprise, you must configure your Central Management Server to connect to an auditing database. You can use any database server supported for the CMS system database for your auditing database. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. It is recommended that you develop a back up strategy for your auditing database. If necessary, contact your database administrator for more information. Note: • The CMS system database and the auditing database are independent. If you choose, you can use different database software for the CMS system database and the auditing database, or you can install these databases on separate servers. If you have a CMS cluster, every CMS in the cluster must be connected to the same auditing database, using the same connection method and the same connection name. Note that connection names are case sensitive. (See “Installing a new CMS and adding it to a cluster” on page 94 for more information on CMS clusters.) To configure the auditing database on Windows Start the Central Configuration Manager (CCM). Stop the CMS. Click Specify Auditing Data Source. In the Select Database Driver dialog box, specify whether you want to connect to the new database through SQL Server (ODBC), or through one of the native drivers. Click OK. The remaining steps depend upon the connection type you selected: • 1. 2. 3. 4. 5. 6. • If you selected ODBC, the Windows “Select Data Source” dialog box appears. Select the ODBC data source that you want to use as the auditing database; then click OK. (Click New to configure a new DSN.) Use a System DSN, and not a User DSN or File DSN. By default, server services are configured to run under the System account, which only recognizes System DSNs. When prompted, provide your database credentials and click OK. BusinessObjects Enterprise Administrator’s Guide 209 10 Managing Auditing Enabling auditing of user and system actions • If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK. The SvcMgr dialog box notifies you when the auditing database setup is complete. 7. 8. Click OK. Start the CMS. When the CMS starts, it will create the auditing database. Note: You can also configure the auditing database using the Properties option for the CMS. Stop the CMS, select Properties, and then go to the Configuration tab. Select “Write server audit information to specified data source”, and then click Specify. To configure the auditing database on UNIX For more information on UNIX scripts, see “UNIX Tools” on page 597. 1. 2. 3. 4. 5. 6. 7. Use ccm.sh to stop the CMS. Run cmsdbsetup.sh. Choose the selectaudit option, and then supply the requested information about your database server. Run serverconfig.sh. Choose the “Modify a server” option. Select the CMS, and enable auditing. Enter the port number of the CMS when prompted (the default value is 6400). Use ccm.sh to start the CMS. When the CMS starts, it will create the auditing database. Enabling auditing of user and system actions To audit an action in BusinessObjects Enterprise you must first determine which BusinessObjects Enterprise server controls the action. Then you must enable auditing on the server from the Servers management area of the Central Management Console (CMC). If you have multiple BusinessObjects Enterprise servers of a given type, be sure to enable identical audit actions on every server. Doing so ensures that you collect information on all user or system actions in your BusinessObjects Enterprise system. For example, if you are interested in the total number of concurrent user logons, enable auditing of concurrent user logons on each of your Central Management Servers. If you enable auditing on only one Central Management Server, you will only collect audit information about actions that occur on that server. 210 BusinessObjects Enterprise Administrator’s Guide Managing Auditing Enabling auditing of user and system actions 10 In some special cases you may wish to enable auditing on only one server of a given type. For example, if you are interested in the success or failure of only one kind of scheduled report and you have configured your system so that these reports are processed on one particular Job Server, it is not necessary to enable auditing on every Job Server in your system. You only need to enable auditing on the Job Server where the reports are processed. Note: You must configure the auditing database before you can collect data on audit actions. See “Configuring the auditing database” on page 209 for instructions. 1. 2. To enable audit actions Go to the organize Servers area of the CMC. Click the server that controls the action that you wish to audit. (See the “Reference list of auditable actions” on page 205 to find the correct server.) 3. Click the Auditing tab. 4. 5. 6. Select the Auditing is enabled check box. Select the audit actions that you wish to record. Ensure that your audit log file is located on a hard drive that has sufficient space to store the log files. (See “Optimizing system performance while auditing” on page 213 for information on adjusting the size of log files.) Click Update. 7. Tip: BusinessObjects Enterprise Administrator’s Guide 211 10 Managing Auditing Controlling synchronization of audit actions • To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of “A job has failed to run” on the Job Server, and “Communication with a running instance is lost.” on the Central Management Server. Auditing is enabled independently on each server. If you want to audit all actions of a given type, enable identical audit actions on every server that supports those actions. Otherwise your audit record will be incomplete. For example, if you want to track the total number of concurrent logons to your BusinessObjects Enterprise system, you must enable logging of concurrent logons on every Central Management Server in your system. • Controlling synchronization of audit actions The CMS controls the synchronization of audit actions that occur on different machines. The CMS periodically broadcasts its system time to the auditees in UTC (Coordinated Universal Time). The auditees compare this time to their internal clocks, and then make the appropriate correction to the time stamp (in UTC) they record for subsequent audit actions. This correction affects only the time stamp that the auditee records in its audit log file. The auditee does not adjust the system time of the machine on which it is running. By default, the CMS broadcasts its system time every 60 minutes. You can change the interval using the command-line option -AuditeeTimeSyncInterval minutes You can turn off this option by setting minutes to zero. For more information, see “Central Management Server” on page 586 in “Server Command Lines” on page 583. This built-in method of time synchronization will be accurate enough for most applications. For more accurate and robust time synchronization, configure the auditee and auditor machines to use an NTP (Network Time Protocol) client, and then turn off internal synchronization by setting -AuditeeTimeSyncInterval 0 Tip: If you have a CMS cluster, apply the same command-line options to each server. Only one CMS in the cluster acts as the auditor. However, if this CMS fails, another CMS takes over auditing. This CMS will apply its own command-line options. If these options are different than those of the original auditor, audit behavior may not be what you expect. 212 BusinessObjects Enterprise Administrator’s Guide Managing Auditing Optimizing system performance while auditing 10 Optimizing system performance while auditing Enabling auditing should have minimal effect on the performance of BusinessObjects Enterprise. However, you can optimize system performance by fine-tuning these command-line options: • • • -AuditInterval minutes, where minutes is between 1 and 15. (The default value is 5.) The CMS requests audit records from each audited server every audit interval. -AuditBatchSize number, where number is between 50 and 500. (The default value is 200.) The CMS requests this fixed number of records from each audited server, every time interval. -auditMaxEventsPerFile number (number has a default value of 500 and must be greater than 0). The maximum number of records that an audited server will store in a single audit log file. When this maximum value is exceeded, the server opens a new log file. Note: Log files remain on the audited server until all records have been requested by the CMS. Changing each of these options has a different impact on system performance. For example, increasing the audit interval reduces frequency with which the CMS writes events to the auditing database. Decreasing the audit batch size decreases the rate at which records are moved from the audit log files on the audited servers to the auditing database, thereby increasing the length of time that it takes these records to get transferred to the central auditing database. Increasing the maximum number of audit events stored in each audit log file reduces the number of file open and close operations performed by audited servers. You can use these options to optimize audit performance to meet your needs. For example, if you frequently need up-to-date information about audited actions, you can choose a short audit interval and a large audit batch size. In this case, all audit records are quickly transferred to the auditing database, and you can always report accurately on the latest audit actions. However, choosing these options may have an impact on the performance of BusinessObjects Enterprise. Alternatively, you may only need to review audit results periodically (weekly, for example). In this case you can choose to increase the audit interval, and to decrease the number of audit records in each batch. Choosing these options minimizes the impact that auditing has on the performance of BusinessObjects Enterprise. However, depending upon activity levels in your system, these options can create a backlog of records stored in audit log files. BusinessObjects Enterprise Administrator’s Guide 213 10 Managing Auditing Using sample audit reports This backlog is cleared at times of low system activity (such as overnight, or over a weekend), but means that at times your audit reports may not contain records of the most recent audit actions. For more information on changing command-line options, see “Server Command Lines” on page 583. Using sample audit reports BusinessObjects Enterprise ships with several sample audit reports created using Crystal Reports. They are available on your product CD. To use these sample reports, first publish them to BusinessObjects Enterprise. Next configure an auditing database, and then enable auditing of the user and server actions needed to provide data for the sample reports. Finally, ensure that the sample reports are configured to use database connection information valid for your auditing database. You can now use the sample reports to view auditing data collected about user and system actions on your installation of BusinessObjects Enterprise. Note: If you have recently enabled auditing, the sample audit reports may contain little or no data the first time you view them. 1. To use sample audit reports Create a folder called “admin reports” inside the Report Samples folder to hold the sample auditing reports. Note: To create this folder, go to the Folders management area of the Central Management Console (CMC). Click Report Samples, and then click New Folder. 2. Publish the sample audit reports to the “admin reports” folder within BusinessObjects Enterprise. (The sample audit reports are in Samples > Reports > AdminReports on your product CD.) For more information about publishing, see “Publishing Objects to BusinessObjects Enterprise” on page 373. 3. If you have not already configured your auditing database, do so now. See “Configuring the auditing database” on page 209 for instructions. The sample audit reports were created using a ODBC connection to a database server named AuditData (that is, the DSN was AuditData), and a database called AuditData. You can create an auditing database that uses these names, or you can use a database server name and database name of your choice. 214 BusinessObjects Enterprise Administrator’s Guide Managing Auditing Using sample audit reports 10 4. Go to the Servers management area of the CMC. Enable auditing of the actions that are included in the sample audit report. See “Enabling auditing of user and system actions” on page 210 for instructions. Note: The description of the sample reports indicates which audit actions to enable for each report. BusinessObjects Enterprise will now begin to collect data on audit actions. 5. 6. 7. From the Crystal Enterprise Admin Launchpad, select the Central Management Console (CMC). Go to the Folders management area of the CMC. Click Report Samples, then admin reports to display the list of sample audit reports. BusinessObjects Enterprise Administrator’s Guide 215 10 Managing Auditing Using sample audit reports 8. Configure the report to use your auditing database. Click the name of a report that you want to use; then, from the Process tab, click the Database link. 9. If the server name, database name, or database logon information for your auditing database are different than the values originally specified for the sample report, click “Use custom database logon information specified here.” 216 BusinessObjects Enterprise Administrator’s Guide Managing Auditing Creating custom audit reports 10 10. Type the Server name (DSN) and Database name that you specified for your auditing database. Make sure you select the same database driver that you used when configuring the auditing database. 11. Type a User name and Password for a user with administrative rights to the auditing database. 12. Click Specify a custom table prefix, and then type DatabaseName.dbo. in the box, where DatabaseName is the name of the database that you specified above. 13. Click Update. The sample audit report is now configured to use your auditing database as its data source. 14. From the Process tab, click the Parameters link. 15. Click the value of any parameter to specify a default value for that parameter, or to indicate that the user should be prompted for a parameter value when the report is run. Click Update. 16. You may now view the report in BusinessObjects Enterprise. Creating custom audit reports This section contains information to help you understand the auditing database and the information it records about audit actions. With this information, you can use Crystal Reports to create custom audit reports of user and system actions.See your Crystal Reports User’s Guide for full instructions on creating reports. Alternatively, you may wish to use Designer to create a universe against the auditing database, so that you can create your own Web Intelligence documents. Consult the Designer’s Guide and the Web Intelligence guides for details. BusinessObjects Enterprise Administrator’s Guide 217 10 Managing Auditing Creating custom audit reports Auditing database schema reference The Audit database contains six tables, as shown in the following entityrelationship diagram. Audit_Event table This table stores one record per action that is audited. Field Server_CUID Description Server process ID. Combined with the Event_ID to form the primary key for the Audit_Event table. A unique ID generated by the server to identify the audit event. Combined with Server_CUID to form the primary key for the Audit_Event table. Name of user who performed the action. Time for start of action in UTC (Coordinated Universal Time) to the nearest millisecond. The time stamp is created by the server recording the action in its log file, and includes any correction necessary to synchronize with CMS time. You may want to correct this time to your local time zone when creating audit reports. Duration, in seconds, of the action that is audited. Event_ID User_Name Start_Timestamp Duration 218 BusinessObjects Enterprise Administrator’s Guide Managing Auditing Creating custom audit reports 10 Field Event_Type_ID Description Number that uniquely identifies the type of action the entry represents. Foreign key for the Event_Type table. Info Object ID of object associated with the action. This number uniquely identifies an object. Field reserved for error codes generated by the Web Intelligence Report Server. Object_CUID Error_Code Audit_Detail table The Audit_Detail table records more information about each audit action recorded in the Audit_Event table. For example, when a user logon fails, the reasons for that failure are recorded as audit details. There may be more than one record in this table for each audit action recorded in the Audit_Event table. Field Server_CUID Description Server process ID. Combined with the Event_ID and the Detail_ID to form the primary key for the Audit_Detail table. A unique ID generated by the server to identify the audit event. Combined with Server_CUID and the Detail_ID to form the primary key for the Audit_Detail table. The Detail_ID field is used to number the individual details associated with each audit action. That is, if there are two details associated with a particular audit action, the first will have a Detail_ID of 1, and the second will have a Detail_ID of 2. Number that uniquely identifies the type of detail about the audit action that the entry represents. Foreign key for the Detail_Type table. Information about the audit detail being recorded. For example, if the Detail_Type_Description were “universe name”, the detail text would contain the name of that universe. Event_ID Detail_ID Detail_Type_ID Detail_Text BusinessObjects Enterprise Administrator’s Guide 219 10 Managing Auditing Creating custom audit reports Server_Process table The Server_Process table contains information about the servers running within your BusinessObjects Enterprise system which can generate audit events. Field Server_CUID Server_Name Description Server process ID. Primary key for the Server_Process table. Machine name of the server that produced the action. That is, the host name. that generated the audit action. Foreign key to the Application_Type table. Application_Type_ID A unique ID that identifies the type of application Server_FullName Friendly name of the server that produced the action. The server’s friendly name is the name displayed in the CMC. The default friendly name is hostname.servertype. Server_Version Version of BusinessObjects Enterprise on server that produced the action. Event_Type table The Event_Type table contains a static list of the kinds of events that can be audited in your BusinessObjects Enterprise system. This table provides information roughly equivalent to that provided by AuditIDs and AuditStrings in Crystal Enterprise 10. Field Event_Type_ID Description Number that uniquely identifies the type of audit event that the entry represents. Event_Type_Description Description of the type of audit event. Event_Type table reference The following tables list the Event_Type_ID and Event_Type_Description of all events that can be audited in your system. For your convenience, these events are ordered according to the server that generates each type of event. 220 BusinessObjects Enterprise Administrator’s Guide Managing Auditing Creating custom audit reports 10 CMS audit events Event_Type_ ID Event_Type_Description Description 65537 65538 65540 65541 65539 65542 Concurrent user logon succeeded. Named user logon succeeded. User logged off. User password has been changed. User logon failed. New folder created. Logon failed because there was no valid license key available. A new folder is created, or an existing folder is copied. Note that this audit string will not be recorded when a new user account is created, even though creating a user creates a user folder. A folder is deleted. Note that this audit string will be recorded when a user account (and therefore the user’s folder) is deleted. The name, location, or description of the folder was changed. A scheduled report or scheduled program failed to run because communication with the running instance was lost, and the scheduled time for running the job expired. Note: This action must be audited by the CMS as Job Servers are not aware of losing communications with a job. Cache Server audit events Event_Type_ ID Event_Type_Description 196609 196610 Crystal report viewed successfully. A report could not be viewed. Description User successfully viewed a Crystal report that has saved or live data. User attempted to view a Crystal report, but was not successful. The user logged on successfully, using a concurrent user license. The user logged on successfully, using a named user license. 65543 Folder deleted. 65544 65545 Folder modified. Job failed. Reason: Unresponsive Job Server Child process. BusinessObjects Enterprise Administrator’s Guide 221 10 Managing Auditing Creating custom audit reports Job Server audit events For scheduled objects, the audit messages give you information about the status of scheduled actions. For example, the audit messages can tell you if a scheduled report ran successfully. For the Destination Job Server, the audit messages give you information on whether an object was sent to a destination, as requested by a user. Event_Type Event_Type_Description Description _ ID 327681 Job successful. The object ran as scheduled (or requested) and the job completed successfully. The scheduled job did not complete successfully. The scheduled job did not complete successfully. The job will be retried by the CMS at a later time. For more information on scheduling jobs, see “Scheduling objects” on page 466. 327682 327683 Job failed. Job failed. Job will be retried by the CMS. Event Server audit events Event_Type_ ID Event_Type_Description Description 262145 Event registered User creates a file-based event that can be used to schedule objects. User deletes a file-based event. Event object was modified by a user, or by the system. Events are updated when a user modifies the name or description of the file-based event. File-based event was initiated. 262146 262147 Event unregistered Event updated 262148 Event triggered 222 BusinessObjects Enterprise Administrator’s Guide Managing Auditing Creating custom audit reports 10 Report Application Server audit events The Report Application Server (RAS) is used to view reports opened with the Advanced DHTML viewer, and to create reports using custom applications developed with the RAS SDK. Event_Type_ ID Event_Type_Description 458753 Description Report was opened for User opened a report for viewing or viewing and/or modification modification. Note: In a few cases, this Event_Type_ID may be generated when the report opens but cannot be viewed. This may occur when: • • • • 458754 Report was saved to the CMS. There are problems with the database setup for the report. For example, you may see this message when the database driver for the report is not present on the client machine A processing extension associated with the report aborts viewing, or fails. The report used Business Views and the user did not have permissions to refresh the underlying data connections. The machine running the RAS ran out of space in its temporary directory. An existing report was saved. Note: This Event_Type_ID is generated when a custom application created using the RAS SDK saves a report (using the Save method). Consult your RAS SDK documentation for details. A new report was created and saved. Note: 458755 Report was created and saved to the CMS • This Event_Type_ID is generated when a custom application created using the RAS SDK saves a new report (using the Save As method). Consult your RAS SDK documentation for details. 458756 Report could not be opened. The report could not be opened by the RAS. BusinessObjects Enterprise Administrator’s Guide 223 10 Managing Auditing Creating custom audit reports Event_Type_ ID Event_Type_Description 458757 Report could not be saved to the CMS. Description An existing report could not be saved by RAS. Note: This Event_Type_ID is generated when a custom application created using the RAS SDK cannot save a new report (using the Save As method). Consult your RAS SDK documentation for details. 458758 Report could not be created in the CMS. A newly created report could not be saved by RAS. Web Intelligence Report Server audit events Event_Type_ ID Event_Type_Description Description 6 9 11 13 Get list of universes Save document to repository Read document Selection of universe User accesses a list of universes as part of a document creation workflow. User saves a Web Intelligence document to BusinessObjects Enterprise. User opens an existing Web Intelligence document. User selects a universe as part of a document creation workflow. This event occurs when a user opens the query panel. User manually refreshes a Web Intelligence document, or user opens a Web Intelligence document that has the “refresh on open” document property assigned. A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document. User has moved into Edit document mode. User applies a formatting change to a document, in a query panel. User action results in a request to server to generate the necessary data and layout to display all or part of a Web Intelligence document. 19 Document refresh 21 List of values 22 28 40 Edit document Apply format Get page 224 BusinessObjects Enterprise Administrator’s Guide Managing Auditing Creating custom audit reports 10 Event_Type_ ID Event_Type_Description Description 41 42 Generate SQL Drill out of scope Appears when a user refreshes a document. User drills past the scope of the data currently in memory, and triggers a call to the database for more data. Application_Type table The Application_Type table contains a static list of the applications that can produce audit events. In BusinessObjects Enterprise XI, the applications that can be audited are servers. Field Name Application_Type_ID Description A unique ID that identifies the type of application that generated the audit action. The description of the application generating the audit event. Application_Type_Description Application_Type table reference Application_Type_ID Application_Type_Description 1 8 11 12 13 14 15 16 18 19 Unknown Application Web Intelligence Report Server Central Management Server (CMS) Cache Server Report Job Server Report Application Server (RAS) Event Server Program Job Server Destination Job Server Web Intelligence Job Server BusinessObjects Enterprise Administrator’s Guide 225 10 Managing Auditing Creating custom audit reports Detail_Type table The Detail_Type table contains a static list of the standard details that can be recorded about audited events. For example, a user logon can fail for a number of different reasons. These reasons are listed as entries in the Detail_Type table. The information in the Detail_Type table is equivalent to the information that was recorded in variable AuditStrings in Crystal Enterprise 10. Field Detail_Type_ID Detail_Type_Description Description Number that uniquely identifies the type of audit detail that the entry represents. The description of the type of audit detail generated by the audit event. 226 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Security Concepts chapter 11 BusinessObjects Enterprise Security Concepts Security overview Security overview The BusinessObjects Enterprise architecture addresses the many security concerns that affect today’s businesses and organizations. The current release supports features such as distributed security, single sign-on, resource access security, granular object rights, and third-party Windows NT, LDAP, and Windows AD authentication in order to protect against unauthorized access. To allow for further customization of security, BusinessObjects Enterprise supports dynamically loaded processing extensions. And, for monitoring and auditing purposes, BusinessObjects Enterprise allows you to log various web statistics, thus enabling you to detect potential security concerns. Because BusinessObjects Enterprise provides the framework for an increasing number of components from the Enterprise family of Business Objects products, this chapter details the security features and related functionality to show how the framework itself enforces and maintains security. As such, this chapter does not provide explicit procedural details; instead, it focuses on conceptual information and provides links to key procedures. Related topics: • • • For key procedures that show how to modify the default accounts, passwords, and other security settings, see “Making initial security settings” on page 43. For procedures that show how to set up authentication, users, and groups, see “Managing User Accounts and Groups” on page 249. For procedures that show how to set object rights for your BusinessObjects Enterprise content, see “Controlling User Access” on page 315. Authentication and authorization Authentication is the process of verifying the identity of a user who attempts to access the system, and authorization is the process of verifying that the user has been granted sufficient rights to perform the requested action upon the specified object. This section describes the authentication and authorization processes in order to provide a general idea of how system security works within BusinessObjects Enterprise. Each of the components and key terms is discussed in greater detail later in this chapter. 228 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Security Concepts Authentication and authorization 11 Because BusinessObjects Enterprise is fully customizable, the authentication and authorization processes may vary from system to system. This section uses InfoView as a model and describes its default behavior. If you are developing your own BusinessObjects Enterprise end-user or administrative applications using the BusinessObjects Enterprise Software Development Kit (SDK), you can customize the system’s behavior to meet your needs. For complete details, see the developer documentation available on your product CD. For procedures that show how to set up the different authentication types, see “Available authentication types” on page 252. Primary authentication Primary authentication occurs when a user first attempts to access the system. The user provides a user name and password and specifies an authentication type. The authentication type may be Enterprise, Windows NT, LDAP, or Windows AD authentication, depending upon which type(s) you have enabled and set up in the Authorization management area of the Central Management Console (CMC). The user’s web browser sends the information by HTTP to your web server, which routes the information to the Web Component Adapter (WCA). The WCA passes the user’s information to logon.aspx and runs the script. Internally, this script communicates with the SDK and, ultimately, the appropriate security plug-in to authenticate the user against the user database. For instance, if the user specifies Enterprise Authentication, the SDK ensures that the BusinessObjects Enterprise security plug-in performs the authentication. The Central Management Server (CMS) uses the BusinessObjects Enterprise security plug-in to verify the user name and password against the system database. Alternatively, if the user specifies Windows NT, LDAP, or Windows AD Authentication, the SDK uses the corresponding security plug-in to authenticate the user. If the security plug-in reports a successful match of credentials (including a match to an appropriate group membership for Windows NT, Windows AD, or LDAP authentication), the CMS grants the user an active identity on the system and the system performs several actions: • • • The CMS stores the user’s information in memory in a CMS session variable. While active, this session consumes one user license on the system. The CMS generates and encodes a logon token and sends it to the WCA. The WCA stores the user’s information in memory in a WCA session variable. While active, this session stores information that allows BusinessObjects Enterprise to respond to the user’s requests. BusinessObjects Enterprise Administrator’s Guide 229 11 BusinessObjects Enterprise Security Concepts Authentication and authorization Note: • • • If you are familiar with the SDK, you should note that the WCA here instantiates the InfoStore object and stores it in the WCA session variable. The session variable does not contain the user’s password. The WCA sends the logon token to the user’s web browser, and the web browser caches the token in a cookie. Until the logon token expires, its encoded information serves as the user’s valid ticket for the system. Each of these steps contributes to the distributed security of BusinessObjects Enterprise, because each step consists of storing information that is used for secondary identification and authorization purposes. This is the model used in InfoView. However, if you are developing your own client application and you prefer not to store session state on the WCA, you can design your application such that it avoids using WCA session variables. Note: • The third-party Windows NT, LDAP, and Windows AD security plug-ins work only once you have mapped groups from the external user database to BusinessObjects Enterprise. For details, see “Available authentication types” on page 252. In a single sign-on situation, BusinessObjects Enterprise retrieves users’ credentials and group information directly from the Windows NT or Windows AD system. Hence, users are not prompted for their credentials. • Secondary authentication and authorization Secondary authentication is the process of double-checking the identity of each user who attempts to view, run, schedule, or otherwise act upon an object that is managed by BusinessObjects Enterprise. Authorization is the process of verifying that the user has been granted sufficient rights to perform the requested action upon the specified object. When a user attempts to access an object on the system, the web browser sends the request by HTTP to the WCA. Before fulfilling the user’s request, the WCA performs a series of security-related steps. 1. First, the WCA ensures that the user has a valid logon token: • • If there is a valid logon token, the WCA proceeds to its next task. If there is no valid logon token, the primary authentication process is repeated. For more information about logon tokens, see “Logon tokens” on page 243. 230 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Security Concepts Authentication and authorization 11 2. Second, the WCA checks internally for an active WCA session that matches the user’s logon token: • • If the corresponding WCA session variable remains in memory, the WCA proceeds to its next task. If the WCA session variable has timed out, the user is logged back on with the logon token. The SDK authenticates the user against the appropriate user database, and the CMS and the WCA recreate the required session variables. In this case, BusinessObjects Enterprise does not have to prompt the user for credentials, because the encoded logon token contains the required information. 3. Third, the WCA ensures that the appropriate server component actually processes the user’s request: • If the WCA can process the request itself, it queries the CMS database for the rights associated with the object that the user requested. For instance, if the user requests a list of reports in a specific folder, the WCA queries the CMS database for a list of the reports that the user is authorized to see. The WCA then dynamically lists the reports in an HTML page, and sends the page to the user’s browser. • If a different server component must process the request, the WCA sends the request and the user’s logon token to the appropriate server component. That server component then queries the CMS database for the rights associated with the object that the user requested. For instance, if the user attempts to refresh a report’s data, the WCA passes the request along to the Page Server. The Page Server passes the logon token to the CMS to ensure that the user is authorized to refresh the report. For details about how the CMS calculates a user’s effective rights to an object, see “Calculating a user’s effective rights” on page 328. This secondary authentication and authorization process begins similarly to initial identification; here, however, the authentication algorithm followed by the WCA maintains system security in the fewest number of steps, thereby providing the most efficient response to the user’s initial request. Note: If the user does not have the right to perform the requested action, the WCA displays an appropriate message. For details about setting object rights, see “Controlling User Access” on page 315. BusinessObjects Enterprise Administrator’s Guide 231 11 BusinessObjects Enterprise Security Concepts Authentication and authorization About single sign-on The term single sign-on is used to describe different scenarios. At its most basic level, it refers to a situation where a user can access two or more applications or systems while providing their log-on credentials only once, thus making it easier for users to interact with the system. Single sign-on to BusinessObjects Enterprise can be provided by BusinessObjects Enterprise, or by different authentication tools such as Windows NT, Windows AD, or LDAP with SiteMinder. Within the context of BusinessObjects Enterprise, we distinguish the following levels of single sign-on: • • • “Single sign-on to BusinessObjects Enterprise” on page 232 “Single sign-on to database” on page 233 “End-to-end single sign-on” on page 233 Single sign-on to BusinessObjects Enterprise Single sign-on to BusinessObjects Enterprise means that once users have logged on to the operating system they can access BusinessObjects Enterprise without having to provide their logon credentials again. When they log on to the operating system, a logon token is created. The system uses this token to authenticate the users and grant them access to BusinessObjects Enterprise and its components. The term “anonymous single sign-on” also refers to single sign-on to BusinessObjects Enterprise, but it specifically refers to the single sign-on functionality for the Guest user account. When the Guest user account is enabled, which it is by default, anyone can log on to BusinessObjects Enterprise as Guest and will have single sign-on access to BusinessObjects Enterprise. For more information, see “Disabling the Guest account” on page 44. Single sign-on to BusinessObjects Enterprise was already supported in previous versions of Crystal Enterprise and continues to exist in BusinessObjects Enterprise XI. For information on configuring single sign-on to BusinessObjects Enterprise, see: • • • • “Managing Enterprise and general accounts” on page 253 “Setting up NT single sign-on” on page 292 “Configuring LDAP authentication” on page 263 “Setting up AD single sign-on” on page 282 232 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Security Concepts Security management components 11 Single sign-on to database Once users are logged on to BusinessObjects Enterprise, single sign-on to the database enables them to perform actions that require database access, in particular, viewing reports and Web Intelligence documents, without having to provide their logon credentials again. Single sign-on to the database can be combined with single sign-on to BusinessObjects Enterprise, to provide users with even easier access to the resources they need. See “End-to-end single sign-on” on page 233. In BusinessObjects Enterprise XI single sign-on to the database is supported through Windows AD using Kerberos. You may want to use single sign-on to the database rather than end-to-end single sign-on, if you don’t want the LocalSystem account for the IIS to be trusted for delegation. For more information see “Configuring Kerberos single sign-on” on page 299, in particular “Configuring IIS for single sign-on to databases only” on page 309, and “Configuring web applications for single sign-on to the databases” on page 313. End-to-end single sign-on End-to-end single sign-on refers to a configuration where users have both single sign-on access to BusinessObjects Enterprise at the front-end, and single sign-on access to the databases at the back-end. Thus, users need to provide their logon credentials only once, when they log on to the operating system, to have access to BusinessObjects Enterprise and to be able to perform actions that require database access, such as viewing reports. In BusinessObjects Enterprise XI end-to-end single sign-on is supported through Windows AD and Kerberos. For more information, see “Configuring Kerberos single sign-on” on page 299. Security management components System security within BusinessObjects Enterprise is distributed across most components, but it is managed primarily by the WCA, the CMS, the security plug-ins, and third-party authentication tools, such as SiteMinder and Kerberos. These components work together to authenticate and to authorize users who access BusinessObjects Enterprise, its folders, and its other objects. This section discusses the key components as they relate to system security. It includes: • • • “Web Component Adapter” on page 234 “Central Management Server” on page 234 “Security plug-ins” on page 235 BusinessObjects Enterprise Administrator’s Guide 233 11 BusinessObjects Enterprise Security Concepts Security management components • “Processing extensions” on page 241 Note: Because these components are responsible for additional tasks, several of the components discussed in this section are described in additional detail in “BusinessObjects Enterprise Architecture” on page 53. Web Component Adapter The WCA is the gateway between the web server and the remaining BusinessObjects Enterprise components. As such, the WCA receives all HTTP requests that are sent to BusinessObjects Enterprise from users’ web browsers. The WCA ensures that each user has a valid logon token for the system. If the logon token is missing, or if it has expired, the WCA initiates the primary authentication process. For details, see “Primary authentication” on page 229. The WCA is also responsible for maintaining the user’s session state in the WCA session variable. This session variable contains information that BusinessObjects Enterprise uses when fulfilling user’s requests. For details, see “Sessions and session tracking” on page 244. Central Management Server In relation to system security, the Central Management Server (CMS) performs a number of important tasks. The majority of these tasks rely upon the database that the CMS uses to keep track of BusinessObjects Enterprise system data. This data includes security information, such as user accounts, group memberships, and object rights that define user and group privileges. When you first set up your system, the CMS allows you to create user accounts and groups within BusinessObjects Enterprise. And, with its thirdparty security plug-ins, the CMS allows you to reuse existing user accounts and groups that are stored in a third-party system (a Windows NT user database, an LDAP directory server, or a Windows AD server). The CMS supports third-party authentication, so users can log on to BusinessObjects Enterprise with their current Windows NT, LDAP, or Windows AD credentials. When users log on, the CMS coordinates the authentication process with its security plug-ins; the CMS then grants the user a logon token and an active session on the system. The CMS also responds to authorization requests made by the rest of the system. When a user requests a list of reports in a particular folder, the CMS authorizes the request only when it has verified that the user’s account or group membership provides sufficient privileges. 234 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Security Concepts Security management components 11 For details about the CMS and how it calculates a user’s effective rights to an object, see “Calculating a user’s effective rights” on page 328. For more information about the CMS and the CMS database, see “Central Management Server (CMS)” on page 61. Security plug-ins Security plug-ins expand and customize the ways in which BusinessObjects Enterprise authenticates users. BusinessObjects Enterprise currently ships with the system default BusinessObjects Enterprise security plug-in and with the Windows NT, LDAP, and Windows AD security plug-ins. Each security plug-in offers several key benefits. Security plug-ins facilitate account creation and management by allowing you to map user accounts and groups from third-party systems into BusinessObjects Enterprise. You can map third-party user accounts or groups to existing BusinessObjects Enterprise user accounts or groups, or you can create new Enterprise user accounts or groups that corresponds to each mapped entry in the external system. The security plug-ins dynamically maintain third-party user and group listings. So, once you map a Windows NT, LDAP, or Windows AD group into BusinessObjects Enterprise, all users who belong to that group can log on to BusinessObjects Enterprise. When you make subsequent changes to the third-party group membership, you need not update or refresh the listing in BusinessObjects Enterprise. For instance, if you map a Windows NT group to BusinessObjects Enterprise, and then you add a new NT user to the NT group, the security plug-in dynamically creates an alias for that new user when he or she first logs on to BusinessObjects Enterprise with valid NT credentials. Moreover, security plug-ins enable you to assign rights to users and groups in a consistent manner, because the mapped users and groups are treated as if they were Enterprise accounts. For example, you might map some user accounts or groups from Windows NT, and some from an LDAP directory server. Then, when you need to assign rights or create new, custom groups within BusinessObjects Enterprise, you make all of your settings in the CMC. Each security plug-in acts as an authentication provider that verifies user credentials against the appropriate user database. When users log on to BusinessObjects Enterprise, they choose from the available authentication types that you have enabled and set up in the Authorization management area of the CMC: Enterprise (the system default), Windows NT, LDAP, or Windows AD. Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if the BusinessObjects Enterprise server components are running on UNIX, or if your system uses the BusinessObjects Enterprise Java SDK. BusinessObjects Enterprise Administrator’s Guide 235 11 BusinessObjects Enterprise Security Concepts Security management components BusinessObjects Enterprise supports the following security plug-ins: • • • • “BusinessObjects Enterprise security plug-in” on page 236 “Windows NT security plug-in” on page 236 “LDAP security plug-in” on page 238 “Windows AD security plug-in” on page 240 BusinessObjects Enterprise security plug-in The BusinessObjects Enterprise security plug-in (secEnterprise.dll) is installed and enabled by default when you install BusinessObjects Enterprise. This plug-in allows you to create and maintain user accounts and groups within BusinessObjects Enterprise; it also enables the system to verify all logon requests that specify Enterprise Authentication. In this case, user names and passwords are authenticated against the BusinessObjects Enterprise user list, and users are allowed or disallowed access to the system based solely on that information. For details on setting up Enterprise users and groups, see “Managing Enterprise and general accounts” on page 253. Default accounts When you first install BusinessObjects Enterprise, this plug-in sets up two default Enterprise accounts: Administrator and Guest. Neither account has a default password. For details on setting these passwords, see “Making initial security settings” on page 43. Single sign-on The BusinessObjects Enterprise authentication provider supports anonymous single sign-on for the Guest account. Thus, when users connect to BusinessObjects Enterprise without specifying a user name and password, the system logs them on automatically under the Guest account. If you assign a secure password to the Guest account, or if you disable the Guest account entirely, you disable this default behavior. For details, see “Disabling the Guest account” on page 44. Windows NT security plug-in The Windows NT security plug-in (secWindowsNT.dll) allows you to map user accounts and groups from your Windows NT user database to BusinessObjects Enterprise; it also enables BusinessObjects Enterprise to verify all logon requests that specify Windows NT Authentication. Users are authenticated against the Windows NT user database, and have their membership in a mapped NT group verified before the CMS grants them an active BusinessObjects Enterprise session. 236 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Security Concepts Security management components 11 This plug-in is compatible with NT 4 and Windows 2000 Active Directory user databases (when Windows 2000 Active Directory is configured in non-native mode only). If a Windows 2000 Active Directory user database is configured in native mode and contains universal groups that span several domains, you must use the Windows AD security plug-in. For information on mapping Windows NT users and groups to BusinessObjects Enterprise, see “Managing NT accounts” on page 284. For information on the Windows AD security plug-in, see “Windows AD security plug-in” on page 240. Once you have mapped your NT users and groups, all of the BusinessObjects Enterprise client tools support NT authentication, except for the Import Wizard. You can also create your own applications that support NT authentication. For more information, see the developer documentation available on your product CD. Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if the BusinessObjects Enterprise server components are running on UNIX, or if your system uses the BusinessObjects Enterprise Java SDK. Default account If you install BusinessObjects Enterprise on Windows as an Administrator of the local machine, then this plug-in is enabled by default. A new NT group (called Business Objects NT Users) is created on the local machine, and your NT user account is added to the group. The Business Objects NT Users group is then mapped to BusinessObjects Enterprise. The result is that you can log on to BusinessObjects Enterprise with your usual NT user credentials. Single sign-on The Windows NT security plug-in supports single sign-on, thereby allowing authenticated NT users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped NT group: • To obtain NT single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK. In this scenario, the Windows NT security plug-in queries the operating system for the current user’s credentials when the client is launched. BusinessObjects Enterprise Administrator’s Guide 237 11 BusinessObjects Enterprise Security Concepts Security management components • To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS). In this scenario, Internet Explorer and IIS engage in Windows NT Challenge/Response authentication before IIS forwards the user’s credentials to BusinessObjects Enterprise. Note: IIS performs the Challenge/Response authentication for every web page viewed. This can result in severe performance degradation. For details on configuring IIS for single sign-on, see “Setting up NT single sign-on” on page 292. Note: InfoView provides its own form of “anonymous single sign-on,” which uses Enterprise authentication, as opposed to Windows NT authentication. Design your own web applications accordingly (or modify InfoView) if you want to use NT single sign-on. For information on NT single sign-on, see “Setting up NT single sign-on” on page 292. LDAP security plug-in The LDAP security plug-in (secLDAP.dll) allows you to map user accounts and groups from your LDAP directory server to BusinessObjects Enterprise; it also enables the system to verify all logon requests that specify LDAP Authentication. Users are authenticated against the LDAP directory server, and have their membership in a mapped LDAP group verified before the CMS grants them an active BusinessObjects Enterprise session. User lists and group memberships are dynamically maintained by BusinessObjects Enterprise. You can specify that BusinessObjects Enterprise use a Secure Sockets Layer (SSL) connection to communicate to the LDAP directory server for additional security. LDAP authentication for BusinessObjects Enterprise is similar to NT and AD authentication in that you can map groups and set up authentication, authorization, and alias creation. Also as with NT or AD authentication, you can create new Enterprise accounts for existing LDAP users, and can assign LDAP aliases to existing users if the user names match the Enterprise user names. In addition, you can do the following: • • • Implement LDAP authentication when BusinessObjects Enterprise is running on Windows or on UNIX. Map users and groups from the LDAP directory service. Specify multiple host names and their ports. For information on mapping your LDAP users and groups to BusinessObjects Enterprise, see “Managing LDAP accounts” on page 262. 238 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Security Concepts Security management components 11 Once you have mapped your LDAP users and groups, all of the BusinessObjects Enterprise client tools support LDAP authentication, except for the Import Wizard. You can also create your own applications that support LDAP authentication. More about LDAP Lightweight Directory Access Protocol (LDAP), a common, applicationindependent directory, enables users to share information among various applications. Based on an open standard, LDAP provides a means for accessing and updating information in a directory. LDAP is based on the X.500 standard, which uses a directory access protocol (DAP) to communicate between a directory client and a directory server. LDAP is an alternative to DAP because it uses fewer resources and simplifies and omits some X.500 operations and features. The directory structure within LDAP has entries arranged in a specific schema. Each entry is identified by its corresponding distinguished name (DN) or common name (CN). Other common attributes include the organizational unit name (OU), and the organization name (O). For example, a member group may be located in a directory tree as follows: cn=BusinessObjects Enterprise Users, ou=Enterprise Users A, o=Research. Refer to your LDAP documentation for more information. Because LDAP is application-independent, any client with the proper authorization can access its directories. LDAP offers you the ability to set up users to log on to BusinessObjects Enterprise through LDAP authentication. It also enables users to be authorized when attempting to access objects in BusinessObjects Enterprise. As long as you have an LDAP server (or servers) running, and use LDAP in your existing networked computer systems, you can use LDAP authentication (along with Enterprise, NT, and Windows AD authentication). If desired, the LDAP security plug-in provided with BusinessObjects Enterprise can communicate with your LDAP server using an SSL connection established using either server authentication or mutual authentication. With server authentication, the LDAP server has a security certificate which BusinessObjects Enterprise uses to verify that it trusts the server, while the LDAP server allows connections from anonymous clients. With mutual authentication, both the LDAP server and BusinessObjects Enterprise have security certificates, and the LDAP server must also verify the client certificate before a connection can be established. Note: The LDAP security plug-in provided with BusinessObjects Enterprise can be configured to communicate with your LDAP server via SSL, but always performs basic authentication when verifying users’ credentials. Before deploying LDAP authentication in conjunction with BusinessObjects BusinessObjects Enterprise Administrator’s Guide 239 11 BusinessObjects Enterprise Security Concepts Security management components Enterprise, ensure that you are familiar with the differences between these LDAP types. For details, see RFC2251, which is currently available at http:// www.faqs.org/rfcs/rfc2251.html Windows AD security plug-in Windows AD security plug-in enables you to map user accounts and groups from your Windows 2000 Active Directory (AD) user database to BusinessObjects Enterprise; it also enables BusinessObjects Enterprise to verify all logon requests that specify Windows AD Authentication. Users are authenticated against the Windows AD user database, and have their membership in a mapped AD group verified before the Central Management Server grants them an active BusinessObjects Enterprise session. This plug-in is compatible with Windows 2000 Active Directory domains running in either native mode or mixed mode. Note that in order to use the Windows AD security plug-in, the CMS needs to run under a user account that has the “Act as Part of the Operating System” right. See your Windows 2000 documentation for more information. For information on mapping Windows AD users and groups to BusinessObjects Enterprise, see “Managing AD accounts” on page 275. Once you have mapped your AD users and groups, all of the BusinessObjects Enterprise client tools support AD authentication, except for the Import Wizard. You can also create your own applications that support AD authentication. For more information, see the developer documentation available on your product CD. For information on mapping Windows AD users and groups to BusinessObjects Enterprise, see “Managing AD accounts” on page 275. Note: • • • AD authentication only works for servers running on Windows systems. AD authentication and aggregation is not functional without a network connection. AD authentication and aggregation may not continue to function if the administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled). Single sign-on The Windows AD security plug-in supports single sign-on, thereby allowing authenticated AD users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains 240 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Security Concepts Security management components 11 the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped AD group: • To obtain AD single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK. In this scenario, the Windows AD security plug-in queries the operating system for the current user’s credentials when the client is launched. • To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS). Note: BusinessObjects Enterprise provides its own form of “anonymous single sign-on,” which uses Enterprise authentication, as opposed to Windows AD authentication. Design your own web applications accordingly (or modify InfoView) if you want to use AD single sign-on. For information on AD single sign-on, see “Setting up AD single sign-on” on page 282. Processing extensions BusinessObjects Enterprise offers you the ability to further secure your reporting environment through the use of customized processing extensions. A processing extension is a dynamically loaded library of code that applies business logic to particular BusinessObjects Enterprise view or schedule requests before they are processed by the system. Note: On Windows systems, dynamically loaded libraries are referred to as dynamic-link libraries (.dll file extension). On UNIX systems, dynamically loaded libraries are often referred to as shared libraries (.so file extension). You must include the file extension when you name your processing extensions. Through its support for processing extensions, the BusinessObjects Enterprise administration SDK essentially exposes a “handle” that allows developers to intercept the request. Developers can then append selection formulas to the request before the report is processed. A typical example is a report-processing extension that enforces row-level security. This type of security restricts data access by row within one or more database tables. The developer writes a dynamically loaded library that intercepts view or schedule requests for a report (before the requests are processed by the Job Server, Page Server, or Report Application Server). The developer’s code first determines the user who owns the processing job; BusinessObjects Enterprise Administrator’s Guide 241 11 BusinessObjects Enterprise Security Concepts Active trust relationship then it looks up the user’s data-access privileges in a third-party system. The code then generates and appends a record selection formula to the report in order to limit the data returned from the database. In this case, the processing extension serves as a way to incorporate customized row-level security into the BusinessObjects Enterprise environment. Tip: In BusinessObjects Enterprise XI, you can also set and enforce rowlevel security through the use of Business Views. For more information, see the Business Views Administrator's Guide. The CMC provides methods for registering your processing extensions with BusinessObjects Enterprise and for applying processing extensions to particular object. For details, see “Applying processing extensions to reports” on page 443. By enabling processing extensions, you configure the appropriate BusinessObjects Enterprise server components to dynamically load your processing extensions at runtime. Included in the SDK is a fully documented API that developers can use to write processing extensions. For more information, see the developer documentation available on your product CD. Note: In the current release, processing extensions can be applied only to Crystal report (.rpt) objects. Active trust relationship In a networked environment, a trust relationship between two domains is generally a connection that allows one domain accurately to recognize users who have been authenticated by the other domain. While maintaining security, the trust relationship allows users to access resources in multiple domains without repeatedly having to provide their credentials. Within the BusinessObjects Enterprise environment, the active trust relationship works similarly to provide each user with seamless access to resources across the system. Once the user has been authenticated and granted an active session, all other BusinessObjects Enterprise components can process the user’s requests and actions without prompting for credentials. As such, the active trust relationship provides the basis for BusinessObjects Enterprise’s distributed security. Tip: When combined with single sign-on functionality, the active trust relationship allows users to access their BusinessObjects Enterprise resources without ever having to explicitly provide credentials to BusinessObjects Enterprise. 242 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Security Concepts Active trust relationship 11 When single sign-on functionality is combined third party ticket mechanisms, such as Kerberos or SiteMinder, the active trust relationship allows users to access BusinessObjects Enterprise and other network resources without ever having to explicitly provide credentials to the system. Logon tokens A logon token is an encoded string that defines its own usage attributes and contains a user’s session information. The logon token’s usage attributes are specified when the logon token is generated. These attributes allow restrictions to be placed upon the logon token to reduce the chance of the logon token being used by malicious users. The current logon token usage attributes are: • • Number of minutes This attribute restricts the lifetime of the logon token. Number of logons This attribute restricts the number of times that the logon token can be used to log on to BusinessObjects Enterprise. Both attributes hinder malicious users from gaining unauthorized access to BusinessObjects Enterprise with logon tokens retrieved from legitimate users. Ticket mechanism for distributed security Enterprise systems dedicated to serving a large number of users typically require some form of distributed security. An enterprise system may require distributed security, for instance, to support features such as load balancing, stateless environments, or transfer of trust (the ability to allow another component to act on behalf of the user). BusinessObjects Enterprise addresses distributed security by implementing a ticket mechanism (one that is similar to the Kerberos ticket mechanism). The CMS grants tickets that authorize components to perform actions on behalf of a particular user. In BusinessObjects Enterprise, the ticket is referred to as the logon token. This logon token is most commonly used over the Web. When a user is first authenticated by BusinessObjects Enterprise, he or she receives a logon token from the CMS. The user’s web browser caches this logon token. When the user makes a new request, other BusinessObjects Enterprise components can read the logon token from the user’s web browser. This use of the logon token provides the distributed security that is required for load balancing to be implemented in conjunction with effective fault-protection. BusinessObjects Enterprise Administrator’s Guide 243 11 BusinessObjects Enterprise Security Concepts Sessions and session tracking The user’s active identity is stored as a session variable on the WCA that processed the request; consequently, the user’s active identity is not immediately accessible by the other WCA. For this reason, the user’s logon token is used to route all of the user’s requests to the WCA that is storing the user’s session. By doing so, security is maintained while providing optimal performance: the user’s identity is verified, but the system does not have to repeatedly prompt the user for his or her credentials; in addition, the user is prevented from unnecessarily consuming resources on both Web Component Adapters. If the WCA that is storing the user’s active session is taken offline, the logon token again serves a critical purpose. If one WCA ceases to respond to a user’s requests, InfoView and the CMC are designed such that the request is redirected to the remaining WCA. The client application logs the user on with the valid logon token, and the remaining WCA can authenticate the user and create a new, active session without prompting the user for his or her credentials. The remaining WCA can then authorize and carry out the user’s request. In this way, the logon token enables the system’s load-balancing and fault-tolerance mechanisms to maintain a secure environment without affecting the user’s experience. In this scenario, when the original WCA is brought back online, the system automatically resumes its load balancing responsibilities by routing each subsequent request to the least used WCA. Sessions and session tracking In general, a session is a client-server connection that enables the exchange of information between the two computers. A session’s state is a set of data that describes the session’s attributes, its configuration, or its content. When you establish a client-server connection over the Web, the nature of HTTP limits the duration of each session to a single page of information; thus, your web browser retains the state of each session in memory only for as long as any single Web page is displayed. As soon as you move from one web page to another, the state of the first session is discarded and replaced with the state of the next session. Consequently, Web sites and Web applications must somehow store the state of one session if they need to reuse its information in another. BusinessObjects Enterprise uses two common methods to store session state: • Cookies—A cookie is a small text file that stores session state on the client side: the user’s web browser caches the cookie for later use. The BusinessObjects Enterprise logon token is an example of this method. 244 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Security Concepts Sessions and session tracking 11 • Session variables—A session variable is a portion of memory that stores session state on the server side. When BusinessObjects Enterprise grants a user an active identity on the system, information such as the user’s authentication type is stored in a session variable. So long as the session is maintained, the system neither has to prompt the user for the information a second time nor has to repeat any task that is necessary for the completion of the next request. Ideally, the system should preserve the session variable while the user is active on the system. And, to ensure security and to minimize resource usage, the system should destroy the session variable as soon as the user has finished working on the system. However, because the interaction between a web browser and a web server can be stateless, it can be difficult to know when users leave the system, if they do not log off explicitly. To address this issue, BusinessObjects Enterprise implements session tracking. WCA session tracking The WCA implements session tracking similarly to most web servers. The server-side script pages (Crystal Server Pages) programmatically save variables to the WCA session. By default, the WCA retains the session until the user explicitly logs off, or until 20 minutes after the user’s last request (whichever occurs first). Note: • • If you are familiar with the SDK, you should note that a WCA session is an instance of an InfoStore object. The WCA session timeout can be programmatically configured in the server-side .aspx pages to timeout earlier if the default of 20 minutes is not desired. CMS session tracking The CMS implements a simple tracking algorithm. When a user logs on, he or she is granted a CMS session, which the CMS preserves until the user logs off, or until the WCA session variable is released. The WCA session is designed to notify the CMS on a recurring basis that it is still active, so the CMS session is retained so long as the WCA session exists. If the WCA session fails to communicate with the CMS for a ten-minute time period, the CMS destroys the CMS session. This handles scenarios where client-side components shut down irregularly. Note: If you are familiar with the SDK, you should note that a CMS session is an instance of an EnterpriseSession object. BusinessObjects Enterprise Administrator’s Guide 245 11 BusinessObjects Enterprise Security Concepts Environment protection Environment protection Environment protection refers to the security of the overall environment in which client and server components communicate. Although the Internet and web-based systems are increasingly popular due to their flexibility and range of functionality, they operate in an environment that can be difficult to secure. When you deploy BusinessObjects Enterprise, environment protection is divided into two areas of communication: • • Web browser to web server Web server to BusinessObjects Enterprise Web browser to web server When sensitive data is transmitted between the web browser and the web server, some degree of security is usually required. Relevant security measures usually involve two general tasks: • • Ensuring that the communication of data is secure. Ensuring that only valid users retrieve information from the web server. These tasks are typically handled by web servers through various security mechanisms, including the Secure Sockets Layer (SSL) protocol, Windows NT Challenge/Response authentication, and other such mechanisms. You must secure communication between the web browser and the web server independently of BusinessObjects Enterprise. For details on securing client connections, refer to your web server documentation. Web server to BusinessObjects Enterprise Firewalls are commonly used to secure the area of communication between the web server and the rest of the corporate intranet (including BusinessObjects Enterprise). BusinessObjects Enterprise supports firewalls that use IP filtering or static network address translation (NAT), or SOCKS proxy servers, and it supports a multitude of configurations. Supported environments can involve multiple firewalls, web servers, or application servers. For complete details on BusinessObjects Enterprise and firewall interaction, see “Working with Firewalls” on page 181. 246 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Security Concepts Auditing web activity 11 Auditing web activity BusinessObjects Enterprise provides insight into your system by recording web activity and allowing you to inspect and to monitor the details. The WCA allows you to select the web attributes—such as time, date, IP address, port number, and so on—that you want to record. The auditing data is logged to disk and stored in comma-delimited text files, so you can easily report off the data or import it into other applications. Protection against malicious logon attempts No matter how secure a system is, there is often at least one location that is vulnerable to attack: the location where users connect to the system. It is nearly impossible to protect this location completely, because the process of simply guessing a valid user name and password remains a viable way to attempt to “crack” the system. BusinessObjects Enterprise implements several techniques to reduce the probability of a malicious user achieving access to the system. The various restrictions listed below apply only to Enterprise accounts—that is, the restrictions do not apply to accounts that you have mapped to an external user database (Windows NT, LDAP, or Windows AD). Generally, however, your external system will enable you to place similar restrictions on the external accounts. Password restrictions Password restrictions ensure that Enterprise users create passwords that are relatively complex. You can enable the following options: • Enforce mixed-case passwords This option ensures that passwords contain at least two of the following character classes: upper case letters, lower case letters, numbers, or punctuation. • Must contain at least N characters By enforcing a minimum complexity for passwords, you decrease a malicious user’s chances of simply guessing a valid user’s password. BusinessObjects Enterprise Administrator’s Guide 247 11 BusinessObjects Enterprise Security Concepts Protection against malicious logon attempts Logon restrictions Logon restrictions serve primarily to prevent dictionary attacks (a method whereby a malicious user obtains a valid user name and attempts to learn the corresponding password by trying every word in a dictionary). With the speed of modern hardware, malicious programs can guess millions of passwords per minute. To prevent dictionary attacks, BusinessObjects Enterprise has an internal mechanism that enforces a time delay (0.5–1.0 second) between logon attempts. In addition, BusinessObjects Enterprise provides several customizable options that you can use to reduce the risk of a dictionary attack: • • • Disable accounts after N failed attempts to log on Reset failed logon count after N minute(s) Re-enable account after N minute(s) User restrictions User restrictions ensure that Enterprise users create new passwords on a regular basis. You can enable the following options: • • • Must change password every N day(s) Cannot reuse the N most recent password(s) Must wait N minute(s) to change password These options are useful in a number of ways. Firstly, any malicious user attempting a dictionary attack will have to recommence every time passwords change. And, because password changes are based on each user’s first logon time, the malicious user cannot easily determine when any particular password will change. Additionally, even if a malicious user does guess or otherwise obtain another user’s credentials, they are valid only for a limited time. Guest account restrictions The BusinessObjects Enterprise authentication provider supports anonymous single sign-on for the Guest account. Thus, when users connect to BusinessObjects Enterprise without specifying a user name and password, the system logs them on automatically under the Guest account. If you assign a secure password to the Guest account, or if you disable the Guest account entirely, you disable this default behavior. For details, see “Disabling the Guest account” on page 44. 248 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups chapter 12 Managing User Accounts and Groups What is account management? What is account management? Account management can be thought of as all of the tasks related to creating, mapping, changing, and organizing user and group information. The Users and Groups management areas of the Central Management Console (CMC) provide you with a central place to perform all of these tasks. In the Users area, you can specify everything required for a user to access BusinessObjects Enterprise. To create user accounts, specify the following: • • • • • • • Account name (required) Full name Email Description Password settings Connection type Group membership In the Groups area, you can create groups that give a number of people access to the report or folder. This enables you to make changes in one place instead of modifying each user account individually. To create groups, specify the following: • • • • • Group name (required) Description Users who belong to the group Subgroups that belong to the group Group membership After the user accounts and groups have been created, you can add report objects and specify rights to them. When the users log on, they can view the reports using InfoView or their custom web application. For more information on objects and rights, see “Controlling users’ access to objects” on page 317. Default users and groups This section lists and describes the different types of default users and groups that are found within BusinessObjects Enterprise. Default users For procedures on managing users, see “Managing Enterprise and general accounts” on page 253. 250 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Default users and groups 12 Administrator The Administrator user belongs to the Administrators and Everyone groups. This user can perform all tasks in all BusinessObjects Enterprise applications (for example, the Central Management Console, Central Configuration Manager, Publishing Wizard, and InfoView). By default, the Administrator is not assigned a password. For security reasons, it is highly recommended that you create a password for the Administrator user as soon as possible. See “Setting the Administrator password” on page 44. Note: To use the Central Configuration Manager, your operating system account may require certain rights on the local machine. For more information, see “Using the Central Configuration Manager” on page 42. Guest The Guest user is a member of the Everyone group. This user can view reports that are found within the Report Samples folder. Generally, the Guest user accesses reports through InfoView. This account is enabled by default. To disable this default setting, see “Disabling the Guest account” on page 261. By default, the Guest user is not assigned a password. If you assign it a password, the single sign-on to InfoView will be broken. Note: If users in multiple time zones use the Guest account, see “Supporting users in multiple time zones” on page 527. Default groups In addition to organizing users and simplifying administration, groups enable you to determine the functionality a user has access to. In BusinessObjects Enterprise, the following default groups are created. For procedures on managing groups, see “Managing Enterprise and general accounts” on page 253. Administrators Users who belong to the Administrators group are able to perform all tasks in all of the BusinessObjects Enterprise applications (Central Management Console, Central Configuration Manager, Publishing Wizard, and InfoView). By default, the Administrator group contains only the Administrator user. Note: To use the Central Configuration Manager, your operating system account may require certain rights on the local machine. For more information, see “Using the Central Configuration Manager” on page 42. BusinessObjects Enterprise Administrator’s Guide 251 12 Managing User Accounts and Groups Available authentication types BusinessObjects NT Users When you install BusinessObjects Enterprise on Windows, BusinessObjects Enterprise creates a BusinessObjects NT Users group. This group is also added to Windows on the local machine and the user who installed BusinessObjects Enterprise is automatically added to this group. When NT authentication is enabled, BusinessObjects NT Users can use their NT accounts to log on to BusinessObjects Enterprise. By default, members of this group are able to view folders and reports. Everyone Each user is a member of the Everyone group. By default, the Everyone group allows access to all the reports that are found in the Report Samples folder. Universe Designer Users Users who belong to this group are granted access to the Universe Designer folder and the Connections folder. They can control who has access rights to the Designer application. You must add users to this group as needed. By default, no user belongs to this group. Available authentication types Before setting up user accounts and groups within BusinessObjects Enterprise, decide which type of authentication you want to use: • Enterprise authentication Use the system default Enterprise Authentication if you prefer to create distinct accounts and groups for use with BusinessObjects Enterprise, or if you have not already set up a hierarchy of users and groups in a Windows NT user database, an LDAP directory server, or a Windows AD server. See “Managing Enterprise and general accounts” on page 253. • Windows NT authentication If you are working in a Windows NT environment, you can use existing NT user accounts and groups in BusinessObjects Enterprise. When you map NT accounts to BusinessObjects Enterprise, users are able to log on to BusinessObjects Enterprise applications with their NT user name and password. This can reduce the need to recreate individual user and group accounts within BusinessObjects Enterprise. For more information, see “Managing NT accounts” on page 284. 252 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing Enterprise and general accounts 12 • LDAP authentication If you set up an LDAP directory server, you can use existing LDAP user accounts and groups in BusinessObjects Enterprise. When you map LDAP accounts to BusinessObjects Enterprise, users are able to access BusinessObjects Enterprise applications with their LDAP user name and password. This eliminates the need to recreate individual user and group accounts within BusinessObjects Enterprise. For more information, see “Managing LDAP accounts” on page 262. • Windows AD authentication If you are working in a Windows 2000 environment, you can use existing AD user accounts and groups in BusinessObjects Enterprise. When you map AD accounts to BusinessObjects Enterprise, users are able to log on to BusinessObjects Enterprise applications with their AD user name and password. This eliminates the need to recreate individual user and group accounts within BusinessObjects Enterprise. For more information, see “Managing AD accounts” on page 275. Note: You can use Enterprise Authentication in conjunction with either NT, LDAP, or AD authentication, or with all of the three authentication plug-ins. Managing Enterprise and general accounts Since Enterprise authentication is the default authentication method for BusinessObjects Enterprise, it is automatically enabled when you first install the system. When you add and manage users and groups, BusinessObjects Enterprise maintains the user and group information within its database. This section focuses on the following account management tasks: • • • • • • • • • • “Creating an Enterprise user account” on page 254 “Modifying a user account” on page 256 “Deleting a user account” on page 256 “Changing password settings” on page 257 “Creating a group” on page 258 “Modifying a group” on page 260 “Viewing group members” on page 261 “Deleting a group” on page 261 “Disabling the Guest account” on page 261 “Granting access to users and groups” on page 262 BusinessObjects Enterprise Administrator’s Guide 253 12 Managing User Accounts and Groups Managing Enterprise and general accounts Note: In many cases, these procedures also apply to NT, LDAP, and AD account management. For specific information on NT authentication, see “Managing NT accounts” on page 284. For specific information on LDAP authentication, see “Managing LDAP accounts” on page 262. For specific information on AD authentication, see “Managing AD accounts” on page 275. Creating an Enterprise user account When you create a new user, you specify the user’s properties and select the group or groups for the user. For information on setting rights for the user, see “Granting access to users and groups” on page 262. 1. 2. 3. 4. To create a user account Go to the Users management area of the CMC. Click New User. Select the Enterprise authentication type. Type the account name, full name, email, and description information. Use the description area to include extra information about the user or account. 5. Specify the password information and settings. Options include: • • • Password Enter the password and confirm. This is the initial password that you assign to the user. The maximum password length is 64 characters. Password never expires Select the check box. User must change password at next logon This check box is selected by default. If you do not want to force users to change the password the first time they log on, clear the check box. • 6. User cannot change password Select the check box. Select the connection type. • Concurrent User Choose Concurrent user if this user belongs to a license agreement that states the number of users allowed to be connected at one time. 254 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing Enterprise and general accounts 12 • Named User Choose Named user if this user belongs to a license agreement that associates a specific user with a license. Named user licenses are useful for people who require access to BusinessObjects Enterprise regardless of the number of other people who are currently connected. 7. Click OK. The user is added to the system and is automatically added to the Everyone group. You can now add the user to a group or specify rights for the user. See “Adding a user to groups” on page 255, Chapter 13: Controlling User Access. An inbox is also automatically created for the user. The user is also automatically assigned an Enterprise alias, for example, secEnterprise:bsmith. For more information, see “Managing aliases” on page 294. Adding a user to groups Use the following procedure to add a user to one or more groups directly from the user page. Note: You can also add users to a group from the group page. See “Adding users to a group” on page 259. 1. 2. 3. To add a user to a group Go to the Users management area of the CMC. Under Account Name, click the link to the user whose properties you want to change. Click the Member of tab to specify the group or groups the user should belong to. Note: All BusinessObjects Enterprise users of the system are part of the Everyone group. 4. 5. Click the Member of button to view the available groups. In the Available groups area, select the group(s) that the new user should be a member of. Use SHIFT+click or CTRL+click to select multiple groups. 6. 7. Click the > arrow to add the group(s); click the < arrow to remove the group(s). Click OK. The “Member of” tab appears and lists the groups in which the user is a member. BusinessObjects Enterprise Administrator’s Guide 255 12 Managing User Accounts and Groups Managing Enterprise and general accounts Modifying a user account Use this procedure to modify a user’s properties or group membership. Note: The user will be affected if he or she is logged on when you are making the change. 1. 2. 3. To modify a user account Go to the Users management area of the CMC. Under Account Name, click the link to the user whose properties you want to change. Make the required changes, as necessary, in the available fields. In addition to all of the options that were available when you initially created the account, you now can disable the account by selecting the “Account is disabled” check box. You can also assign aliases. For more information, see “Managing aliases” on page 294. 4. Click Update. Deleting a user account Use this procedure to delete a user’s account. The user might receive an error if they are logged on when their account is deleted. When you delete a user account, the Favorites folder, personal categories, and inbox for that user are deleted as well. If you think the user might require access to the account again in the future, select the “Account is disabled” check box in the Properties page of the selected user, instead of deleting the account. See “Modifying a user account” on page 256. Note: Deleting a user account won’t necessarily prevent the user from being able to log on to BusinessObjects Enterprise again. If the user account also exists in a third-party system, and if the account belongs to a third-party group that is mapped to BusinessObjects Enterprise, the user may still be able to log on. For details, see “Deleting an alias” on page 297 and “Disabling an aliases” on page 298. 256 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing Enterprise and general accounts 12 1. 2. 3. 4. To delete a user account Go to the Users management area of the CMC. Select the check box associated with the user you want to delete. Click Delete. The delete confirmation dialog box appears. Click OK. The user account is deleted. Changing password settings Within the Central Management Console, you can change the password settings for a specific user or for all users in the system. For information, see “Protection against malicious logon attempts” on page 247. The various restrictions listed below apply only to Enterprise accounts—that is, the restrictions do not apply to accounts that you have mapped to an external user database (Windows NT, LDAP, or Windows AD). Generally, however, your external system will enable you to place similar restrictions on the external accounts. 1. 2. 3. To change user password settings Go to the Users management area of the CMC. Click the user whose password settings you want to change. The Properties tab appears. Select or clear the check box associated with the password setting you wish to change. The available options are: • • • 4. 1. 2. 3. Password never expires User must change password at next logon User cannot change password Click Update. To change password settings Go to the Authentication management area of the CMC. Click the Enterprise tab. Select the check box and enter the value related to the password setting. BusinessObjects Enterprise Administrator’s Guide 257 12 Managing User Accounts and Groups Managing Enterprise and general accounts The table below identifies the minimum and maximum values for each of the settings you can configure: Recommended Maximum 100 days 100 passwords 100 minutes 100 failed 100 minutes 100 minutes Password Setting Must contain at least N characters Must change password every N days Must wait N minutes to change password Disable account after N failed attempts to log on Reset failed logon count after N minutes Re-enable account after N minutes 4. Click Update. Minimum 1 day 0 minutes 1 failed 1 minute 0 minutes 0 characters 64 characters Cannot reuse the N most recent passwords 1 password Creating a group Groups are collections of users who share the same account privileges. For instance, you may create groups that are based on department, role, or location. Groups enable you to change the rights for users in one place (a group) instead of modifying the rights for each user account individually. Also, you can assign object rights to a group or groups. For information on object rights, see “Managing objects overview” on page 416. For information on granting users and groups administrative rights to other groups, see “Granting access to users and groups” on page 262. After creating a new group, you can add users, add subgroups, or specify group membership so that the new group is actually a subgroup. Because subgroups provide you with additional levels of organization, they are useful when you set object rights to control users’ access to your BusinessObjects Enterprise content. 1. 2. 3. 4. To create a new group Go to the Groups management area of the CMC. Click New Group. On the Properties tab, enter the group name and description. Click OK. 258 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing Enterprise and general accounts 12 Adding users to a group Use the following procedure to add users to a group, directly from the group page. Note: You can also add a user to groups from the user page. See “Adding a user to groups” on page 255. 1. 2. 3. 4. To add users to a group In the Groups management area of the CMC, click the link for the group. Click the Users tab. Click Add Users. Select the users to add to the group; then click the > arrow. Tip: • • • 5. To select multiple users, use the SHIFT+click or CTRL+click combination. To search for a specific user, use the Look For field. If there are many users on your system, click the Previous and Next buttons to navigate through the list of users. Click OK. The Users tab appears. It lists all of the users who belong to this group. Adding subgroups You can add an existing group as a subgroup to another group. A subgroup inherits the rights of the parent group. Note: Adding a subgroup is similar to specifying group membership. See “Specifying group membership” on page 260. 1. 2. 3. 4. 5. To add subgroups In the Groups management area of the CMC, click the link for the group. Click the Subgroups tab. Click Add/Remove Subgroups. Select the groups that should be members of this new group; then click the > arrow. Click OK. BusinessObjects Enterprise Administrator’s Guide 259 12 Managing User Accounts and Groups Managing Enterprise and general accounts Specifying group membership You can make a group a member of another group. The group that becomes a member is referred to as a subgroup. The group that you add the subgroup to is the parent group. A subgroup inherits the rights of the parent group. Note: Adding a subgroup is similar to specifying group membership. See “Specifying group membership” on page 260. 1. 2. 3. 4. To make a group a member of another group In the Groups management area of the CMC, click the link for the group. Click the Member of tab. Click the Member of button. Select the parent groups that this new group will be a member of; then click the > arrow. Any rights associated with the parent group will be inherited by the new group you have created. 5. Click OK. Modifying a group You can modify a group by making changes to any of the settings. Note: The users who belong to the group will be affected by the modification if they are logged on when you are making changes. 1. 2. 3. To modify a group In the Groups management area of the CMC, click the link for the group. Under the Group Name column, click the link to the group whose configuration you want to change. Make the necessary changes in one of the four tabs: • • • • 4. Properties Users Subgroups Member of Depending on which tab you have selected, click OK or Update after you have made your changes. 260 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing Enterprise and general accounts 12 Viewing group members You can use this procedure to view the users who belong to a specific group. 1. 2. 3. To view group members In the Groups management area of the CMC, click the link for the group. Click Users. Click Refresh. Note: It may take a few minutes for your list to refresh if you have a large number of users in the group or if your group is mapped to an NT user database, LDAP user directory, or AD user directory. Deleting a group You can delete a group when that group is no longer required. You cannot delete the default groups Administrator and Everyone. Note: The users who belong to the deleted group will be affected by the change if they are logged on when the group is deleted. To delete a third-party authentication groups, such as the BusinessObjects NT Users group, use the Authentication management area in CMC. See “Unmapping LDAP groups” on page 272, “Unmapping AD groups” on page 280, and “Mapping NT accounts” on page 284. 1. 2. 3. 4. To delete a group Go to the Groups management area of the CMC. Select the check box associated with the group you want to delete. Click Delete. The delete confirmation dialog box appears. Click OK. Disabling the Guest account By disabling the Guest account, you ensure that no one can log on to BusinessObjects Enterprise with this account. By disabling the Guest account, you also disable the anonymous single sign-on functionality of BusinessObjects Enterprise, so users will be unable to access InfoView without providing a valid user name and password. BusinessObjects Enterprise Administrator’s Guide 261 12 Managing User Accounts and Groups Managing LDAP accounts 1. 2. 3. 4. 5. To disable the Guest account Go to the Users management area of the CMC. In the Account Name column, click Guest. On the Properties tab, select the Account is disabled check box. Click Update. If you are prompted for confirmation, click OK. Granting access to users and groups You can grant users and groups administrative access to other users and groups. Administrative rights include: viewing, editing, and deleting objects; viewing and deleting object instances; and pausing object instances. For example, for troubleshooting and system maintenance, you may want to grant your IT department access to edit and delete objects. For more information about granting rights to users and groups, see “Controlling access to users and groups” on page 352. Managing LDAP accounts To use LDAP authentication, you need to first ensure that you have your respective LDAP directory set up. For more information about LDAP, refer to your LDAP documentation. For more information on the LDAP security plugin, see “LDAP security plug-in” on page 238. Note: When you install BusinessObjects Enterprise, the LDAP authentication plug-in is installed automatically, but not enabled by default. This section describes tasks related to LDAP accounts in BusinessObjects Enterprise. In particular, it includes information on: • • • • • • • “Configuring LDAP authentication” on page 263 “Mapping LDAP groups” on page 269 “Unmapping LDAP groups” on page 272 “Viewing mapped LDAP users and groups” on page 272 “Changing LDAP connection parameters and member groups” on page 272 “Managing multiple LDAP hosts” on page 273 “Troubleshooting LDAP accounts” on page 274 262 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing LDAP accounts 12 Configuring LDAP authentication To simplify administration, BusinessObjects Enterprise supports LDAP authentication for user and group accounts. Before users can use their LDAP user name and password to log on to BusinessObjects Enterprise, you need to map their LDAP account to BusinessObjects Enterprise. When you map an LDAP account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. Before setting up and enabling LDAP authentication, ensure that you have your LDAP directory set up. For more information, refer to your LDAP documentation. Configuring LDAP authentication includes the following main steps: • • • • “Configuring the LDAP host” on page 263. “Configuring the Secure Socket Layer authentication for LDAP” on page 264. “Configuring LDAP single sign-on with SiteMinder” on page 267. “Configuring LDAP mapping options” on page 267. Configuring the LDAP host 1. 2. To configure the LDAP host Go to the Authentication management area of the CMC. Click the LDAP tab, and then click “Start LDAP Configuration Wizard”. The LDAP Configuration Wizard will lead you through the setup of LDAP authentication, step by step. 3. The first screen of the wizard asks for information about your LDAP host. Type your LDAP host and port information in the Add LDAP host (hostname:port) field (for example, “myserver:123”); then click Add. Repeat this step to add more than one LDAP host of the same server type if you want to add hosts that can act as failover servers. If you want to remove a host, highlight the host name and click Delete. For more information on multiple hosts, refer to “Managing multiple LDAP hosts” on page 273. 4. 5. Click Next. Select your server type from the LDAP Server Type list. Click Show Attribute Mappings if you want to view or change any of the LDAP Server Attribute Mappings or the LDAP Default Search Attributes. By default, each supported server type’s server attribute mappings and search attributes are already set. BusinessObjects Enterprise Administrator’s Guide 263 12 Managing User Accounts and Groups Managing LDAP accounts 6. 7. 8. 9. Click Next. In the Base LDAP Distinguished Name field, type the distinguished name (for example, o=SomeBase). Click Next. Enter the credentials required by the LDAP hosts. • In the “LDAP Server Administration Credentials” area, type the distinguished name and password for a user account that is authorized to administer your LDAP server. If your LDAP Server allows anonymous binding, leave this area blank—BusinessObjects Enterprise servers and clients will bind to the primary host via anonymous logon. • Enter another distinguished name and password in the “LDAP Referral Credentials” area if all of the following apply: • • • The primary host has been configured to refer to another directory server that handles queries for entries under a specified base. The host being referred to has been configured to not allow anonymous binding. A group from the host being referred to will be mapped to BusinessObjects Enterprise. Although groups can be mapped from multiple hosts, only one set of referral credentials can be set. Therefore if you have multiple referral hosts, you must create a user account on each host that uses the same distinguished name and password. 10. Enter the number of referral hops in the Maximum Referral Hops field. If this field is set to zero, no referrals will be followed. 11. Click Next. 12. Proceed with configuring the Secure Socket Layer. Configuring the Secure Socket Layer authentication for LDAP Note: This section describes the CMC related information for configuring SSL for LDAP only. For additional information or for information on configuring the LDAP host server, refer to http:// www.techsupport.businessobjects.com or your LDAP vendor documentation. 264 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing LDAP accounts 12 1. To configure the Secure Socket Layer authentication If necessary, go to the Authentication management area of the CMC again. Click the LDAP tab, and then click Start LDAP Configuration Wizard. Click Next until the screen of the wizard asks for the Secure Socket Layer authentication information. Otherwise, skip to step 2. Select the type of SSL authentication (Basic (no SSL), Server Authentication, or Mutual Authentication) your LDAP hosts uses to establish a connection with BusinessObjects Enterprise. Click Next. If you selected Server Authentication or Mutual Authentication, choose one of the following options: 2. 3. • Always accept server certificate This is the lowest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive a security certificate from the LDAP host. BusinessObjects Enterprise does not verify the certificate it receives. • Accept server certificate if it comes from a trusted Certificate Authority This is a medium security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database. Tip: Java applications (such as the Java version of InfoView) always use this option, regardless of the setting you choose. • Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server This is the highest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database. It must also be able to confirm that the CN attribute on the server certificate exactly matches the host name of the LDAP host as you typed it in the “Add LDAP host” field in the first step of the wizard. That is, if you entered the LDAP host name as ABALONE.rd.crystald.net:389, using CN =ABALONE:389 in the certificate would not work. BusinessObjects Enterprise Administrator’s Guide 265 12 Managing User Accounts and Groups Managing LDAP accounts Tip: The host name on the server security certificate is the name of the primary LDAP host. Therefore if you select this option you cannot use a failover LDAP host. 4. In the SSL host box, you must next add the host name of each machine in your BusinessObjects Enterprise system that uses the BusinessObjects Enterprise SDK. (This includes the machine running your Central Management Server and the machine running your WCA.) Type the host name of each machine in the SSL Host box, and then click Add. 5. Now configure the SSL settings for each SSL host in the list, starting with the default host. • To select settings for the default host, first clear the Use default value boxes. Then type your values for the path to the certificate and key database files, the password for the key database. Type a nickname for the client certificate in the cert7.db if you selected mutual authentication. The settings for the default host are used: • • • for any setting (for any host) where you leave the “Use default value” box checked. for any machine whose name you do not explicitly add to the list of SSL hosts. To select settings for another host, select its name in the list on the left. Then type the appropriate values in the boxes on the right. 266 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing LDAP accounts 12 6. 7. Click Next. Proceed with configuring LDAP for single sign-on. Configuring LDAP single sign-on with SiteMinder SiteMinder is a third-party user access and authentication tool that you can use with the LDAP security plug-in to create single sign-on to BusinessObjects Enterprise. In order to use SiteMinder, you need to configure the single sign-on authentication for the LDAP plug-in. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation. 1. To configure LDAP for single sign-on with SiteMinder If necessary, go to the Authentication management area of the CMC again. Click the LDAP tab, and then click Start LDAP Configuration Wizard. Click Next until the screen of the wizard asks for the LDAP single sign-on authentication. Otherwise, skip to step 2. Select the type of single sign-on authentication (Basic (no SSO) or SiteMinder). Click Next. If you selected SiteMinder, configure the SiteMinder hosts: 2. 3. 4. • • • 5. 6. In the Policy Server Host box, type the name of each Policy Server, and then click Add. For each Policy Server Host, specify the Accounting, Authentication and Authorization port numbers. Enter the name of the Web Agent and the Shared Secret. Enter the shared secret again. Click Next. Proceed with configuring the LDAP options. Configuring LDAP mapping options 1. To configure LDAP mapping options If necessary, go to the Authentication management area of the CMC again. Click the LDAP tab, and then click Start LDAP Configuration Wizard. Click Next until the screen of the wizard asks you to map the LDAP users to BusinessObjects Enterprise users. Otherwise, skip to step 2. The next screen of the wizard controls how BusinessObjects Enterprise maps LDAP users to BusinessObjects Enterprise users. 2. BusinessObjects Enterprise Administrator’s Guide 267 12 Managing User Accounts and Groups Managing LDAP accounts New Alias Options allow you to specify how LDAP aliases are mapped to Enterprise accounts. Select either: • Assign each added LDAP alias to an account with the same name Use this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new LDAP users. or • Create a new account for every added LDAP alias Use this option when you want to create a new account for each user. 3. Update Options allow you to specify if LDAP aliases are automatically created for all new users. Select either: • New aliases will be added and new users will be created Use this option to automatically create a new alias for every LDAP user mapped to BusinessObjects Enterprise. New LDAP accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the “Create a new account for every added LDAP alias” option. or • No new aliases will be added and new users will not be created Use this option when the LDAP directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise. 268 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing LDAP accounts 12 4. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to LDAP accounts. Select either: • New users are created as named users New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option. or • New users are created as concurrent users New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users. 5. Click Finish to save your LDAP settings. The LDAP Server Summary page appears. Mapping LDAP groups Once you have configured LDAP authentication using the LDAP configuration wizard, you can map LDAP groups to Enterprise groups. See “Configuring LDAP authentication” on page 263. 1. 2. To map LDAP groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC. Click the LDAP tab. If LDAP authorization is configured, the LDAP summary page appears. 3. In the “Mapped LDAP Member Groups” area, specify your LDAP group (either by common name or distinguished name) in the Add LDAP group (by cn or dn) field; click Add. BusinessObjects Enterprise Administrator’s Guide 269 12 Managing User Accounts and Groups Managing LDAP accounts You can add more than one LDAP group by repeating this step. To remove a group, highlight the LDAP group and click Delete. 4. New Alias Options allow you to specify how LDAP aliases are mapped to Enterprise accounts. Select either: • Assign each added LDAP alias to an account with the same name Use this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new LDAP users. 270 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing LDAP accounts 12 or • Create a new account for every added LDAP alias Use this option when you want to create a new account for each user. 5. Update Options allow you to specify if LDAP aliases are automatically created for all new users. Select either: • New aliases will be added and new users will be created Use this option to automatically create a new alias for every LDAP user mapped to BusinessObjects Enterprise. New LDAP accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the “Create a new account for every added LDAP alias” option. or • No new aliases will be added and new users will not be created Use this option when the LDAP directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise. 6. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to LDAP accounts. Select either: • New users are created as named users New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option. or • New users are created as concurrent users New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users. 7. Click Update. BusinessObjects Enterprise Administrator’s Guide 271 12 Managing User Accounts and Groups Managing LDAP accounts Unmapping LDAP groups Similar to mapping, it is possible to unmap groups using BusinessObjects Enterprise. 1. 2. 3. 4. 5. To unmap LDAP groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC. Click the LDAP tab. If LDAP authorization is configured, the LDAP summary page will appear. In the “Mapped LDAP Member Groups” area, select the LDAP group you would like to remove. Click Delete. Click Update. The users in this group will not be able to access BusinessObjects Enterprise. Tip: To deny LDAP Authentication for all groups, clear the “LDAP Authentication is enabled” check box and click Update. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user’s Enterprise account. For more information, see “Managing Enterprise and general accounts” on page 253. Viewing mapped LDAP users and groups You can view your LDAP mapped groups in BusinessObjects Enterprise by clicking the LDAP tab (located in the Authentication management area). If LDAP authorization is configured, the Mapped LDAP Member Groups area displays the LDAP groups that have been mapped to BusinessObjects Enterprise. Changing LDAP connection parameters and member groups After you have configured LDAP authentication using the LDAP configuration wizard, you can change LDAP connection parameters and member groups using the LDAP Server Configuration Summary Page. For information on configuring LDAP authentication using the LDAP configuration wizard, see “Configuring LDAP authentication” on page 263. 1. To change connection settings Go to the Authentication management area of the CMC. 272 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing LDAP accounts 12 2. Click the LDAP tab. If LDAP authorization is configured, the LDAP Server Configuration Summary page appears. On this page you can change any of the connection parameter areas or fields. You can also modify the Mapped LDAP Member Groups area. 3. 4. 5. 6. 7. 8. 9. Delete currently mapped groups that will no longer be accessible under the new connection settings. Click Update. Change your connection settings. Click Update. Change your Alias and New User options. Click Update. Map your new LDAP member groups. 10. Click Update. Managing multiple LDAP hosts Using LDAP and BusinessObjects Enterprise, you can add fault tolerance to your system by adding multiple LDAP hosts. BusinessObjects Enterprise uses the first host that you add as the primary LDAP host. Subsequent hosts are treated as failover hosts. The primary LDAP host and all failover hosts must be configured in exactly the same way, and each LDAP host must refer to all additional hosts from which you wish to map groups. For more information about LDAP hosts and referrals, see your LDAP documentation. To add multiple LDAP Hosts, enter all hosts when you configure LDAP using the LDAP configuration wizard (see “Configuring LDAP authentication” on page 263 for details.) Or if you have already configured LDAP, go to the Authentication management area of the Central Management Console and click the LDAP tab. In the LDAP Server Configuration Summary area, click the name of the LDAP host to open the page that enables you to add or delete hosts. Note: • The order in which the hosts are communicated with matters, so ensure that you add the primary host first, followed by the remaining failover hosts. BusinessObjects Enterprise Administrator’s Guide 273 12 Managing User Accounts and Groups Managing LDAP accounts • If you use failover LDAP hosts, you cannot use the highest level of SSL security (that is, you cannot select “Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server.”) For more information, see “Configuring LDAP authentication” on page 263. Troubleshooting LDAP accounts Creating a new LDAP user account • If you create a new LDAP user account, and the account does not belong to a group account that is mapped to BusinessObjects Enterprise, either map the group to BusinessObjects Enterprise, or add the new LDAP user account to a group that is already mapped to BusinessObjects Enterprise. For more information, see “Configuring LDAP authentication” on page 263. If you create a new LDAP user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the user list. For more information, see “Viewing mapped LDAP users and groups” on page 272. • Creating a new LDAP group account • If you create a new LDAP group account, and the group account does not belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see “Configuring LDAP authentication” on page 263. If you create a new LDAP group account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the group list. For more information, see “Viewing mapped LDAP users and groups” on page 272. • Disabling an LDAP user account If you disable an LDAP user account, and that LDAP user account is mapped to BusinessObjects Enterprise, the user will not be able to log on to BusinessObjects Enterprise. However, if the user also has an account that uses Enterprise authentication, the user can still access BusinessObjects Enterprise using that account. 274 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing AD accounts 12 Disabling an LDAP group account If you disable an LDAP group account, and that LDAP group account is mapped to BusinessObjects Enterprise, the users who belong to that group will not be able to log on to BusinessObjects Enterprise. However, if the user also has an account that uses Enterprise authentication, the user can still access BusinessObjects Enterprise using that account. Managing AD accounts This section provides an overview of AD authentication and the tasks related to managing it. For information on how AD authentication works in conjunction with BusinessObjects Enterprise, see “Windows AD security plug-in” on page 240. Once you have mapped your AD users and groups, all of the BusinessObjects Enterprise client tools support AD authentication, except for the Import Wizard. You can also create your own applications that support AD authentication. For more information, see the developer documentation available on your product CD. Note: • • • • AD authentication only works for servers running on Windows systems. AD authentication and aggregation is not functional without a network connection. Users cannot log on to BusinessObjects Enterprise using AD authentication via the Java SDK. AD authentication and aggregation may not continue to function if the administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled). “Mapping AD accounts” on page 276 “Unmapping AD groups” on page 280 “Viewing mapped AD users and groups” on page 280 “Troubleshooting AD accounts” on page 281 “Setting up AD single sign-on” on page 282 Managing AD accounts includes the following tasks: • • • • • BusinessObjects Enterprise Administrator’s Guide 275 12 Managing User Accounts and Groups Managing AD accounts Mapping AD accounts To simplify administration, BusinessObjects Enterprise supports AD authentication for user and group accounts. However, before users can use their AD user name and password to log on to BusinessObjects Enterprise, their AD user account needs to be mapped to BusinessObjects Enterprise. When you map an AD account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. To map AD users and groups Before starting this procedure, ensure that you have the appropriate AD domain and group information. As well, you must have created a domain user account on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups. 1. 2. 3. 4. Go to the Authentication management area of the CMC. Click the Windows AD tab. Ensure that the Windows Active Directory Authentication is enabled check box is selected. If you will be using single sign-on, select the Single Sign On is enabled check box. Note: If you select this option, you must also configure the IIS for single sign-on. For details, see “Setting up AD single sign-on” on page 282. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account. 5. In the “AD Administration Credentials” area, enter the name and password of the domain user account you’ve set up on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups. 276 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing AD accounts 12 BusinessObjects Enterprise Administrator’s Guide 277 12 Managing User Accounts and Groups Managing AD accounts Administration credentials can use one of the following formats: • • NT name (DomainName\UserName) UPN (user@DNS_domain_name) Administration credentials must be entered to enable AD authentication, map groups, check rights, and so on. 6. Complete the Default AD Domain field. Note: • • 7. Groups from the default domain can be mapped without specifying the domain name prefix. By entering the Default AD Domain name, users from the default domain do not have to specify the AD domain name when they log on to BusinessObjects Enterprise via AD authentication. In the “Mapped AD Member Groups” area, enter the AD domain\group in the Add AD Group (Domain\Group) field. Groups can be mapped using one of the following formats: • • NT name (DomainName\GroupName) DN (cn=GroupName, ......, dc=DomainName, dc=com) Note: If you want to map a local group, you can use only the NT name format (\\ServerName\GroupName). Windows AD does not support local users. This means that local users who belong to a mapped local group will not be mapped to BusinessObjects Enterprise. Therefore they will not be able to access BusinessObjects Enterprise. 8. 9. Click Add. The group is added to the list. New Alias Options allow you to specify how AD aliases are mapped to Enterprise accounts. Select either: • Assign each added AD alias to an account with the same name Use this option when you know users have an existing Enterprise account with the same name; that is, AD aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and AD account, are added as new AD users. or • Create a new account for every added AD alias Use this option when you want to create a new account for each user. 278 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing AD accounts 12 10. Update Options allow you to specify if AD aliases are automatically created for all new users. Select either: • New aliases will be added and new users will be created Use this option to automatically create a new alias for every AD user mapped to BusinessObjects Enterprise. New AD accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the “Create a new account for every added AD alias” option. or • No new aliases will be added and new users will not be created Use this option when the AD directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise. Note: You can also add AD users individually by adding them as a new user in BusinessObjects Enterprise and selecting Windows AD authentication. For details, see “Creating a user and a third-party alias” on page 294. 11. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to AD accounts. Select either: • New users are created as named users New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option. • New users are created as concurrent users New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users. BusinessObjects Enterprise Administrator’s Guide 279 12 Managing User Accounts and Groups Managing AD accounts 12. Click Update. A message appears stating that it will take several seconds to update the member groups. 13. Click OK. Unmapping AD groups Similar to mapping, it is possible to unmap groups using BusinessObjects Enterprise. 1. 2. 3. 4. 5. To unmap AD groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC. Click the Windows AD tab. In the “Mapped AD Member Groups” area, select the AD group you would like to remove. Click Delete. Click Update. The users in the deleted group will no longer be able to access BusinessObjects Enterprise. Tip: To deny AD authentication for all users, clear the “Windows Active Directory Authentication is enabled” check box and click Update. Note: The only exceptions to this occur when a user has an alias other than the one assigned for AD authentication. To restrict access, disable or delete the user’s Enterprise account. For more information, see “Managing Enterprise and general accounts” on page 253. Viewing mapped AD users and groups 1. 2. 3. Go to the Groups management area of the CMC. Under Group Name, click the hyperlink to a Windows AD group Click the Users tab. Note: You can view the groups by clicking the Windows AD tab from the Authentication management area and then viewing the “Mapped AD Member Groups” area; users cannot be viewed from the Windows AD tab. 280 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing AD accounts 12 Troubleshooting AD accounts Creating a new AD user account • If you create a new AD user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, ensure that you update the user list by clicking Update in the Windows AD tab found in the Authentication management area. Note that you must click Update to ensure that new users are imported properly. For information on viewing AD users and groups, see “Viewing mapped AD users and groups” on page 280. User accounts are automatically created for AD users who are added to an AD group when these users successfully log on to BusinessObjects Enterprise. • Adding an AD group account to a mapped AD group • When you add an AD group account to an AD group that was previously mapped to BusinessObjects Enterprise, and you would like the users of this nested group to get imported into BusinessObjects Enterprise, you need to click Update in the Windows AD tab (found in the Authentication management area). Note: The nested AD group will not get mapped to BusinessObjects Enterprise by this operation. • When you have added a new account in AD, and the AD group to which the account belongs is already mapped to BusinessObjects Enterprise, there are three ways you can get the new AD account into BusinessObjects Enterprise. Choose the method that works best for your situation: When the new AD user logs on to BusinessObjects Enterprise and selects AD authentication, the system will add the user to BusinessObjects Enterprise. This is the simplest method and it doesn’t require any extra steps, but the user won’t be added until he or she logs on to BusinessObjects Enterprise. You can add the new user to BusinessObjects Enterprise and select Windows AD authentication. The user is added and is automatically assigned a Windows AD alias. See “Creating a user and a third-party alias” on page 294. You can go to the Windows AD tab in the Authentication management area and select the option to add all new aliases and create all new users, and then click Update. In this case all AD users will be added to BusinessObjects Enterprise. For details, see “Mapping AD accounts” on • • • BusinessObjects Enterprise Administrator’s Guide 281 12 Managing User Accounts and Groups Managing AD accounts page 276. However, if the AD group contains many users who don’t require access to BusinessObjects Enterprise, you may want to add the user individually instead. Setting up AD single sign-on Installation of the Active Directory plug-in for BusinessObjects Enterprise enables you to use AD single sign-on. However, for AD single sign-on to work, you have to configure the IIS Business Objects virtual directory. Note: • • • • • AD single sign-on is not supported on client machines running on Windows 98. By default, AD single sign-on is not enabled. Setting up AD single sign-on to BusinessObjects Enterprise includes the following tasks: “Configuring IIS for AD single sign-on” on page 282 “Enabling AD single sign-on in CMC” on page 283 “Modifying the web.config file for AD single sign-on” on page 283 Note: For information on how to set up end-to-end single sign on with AD and Kerberos, see “Configuring Kerberos single sign-on” on page 299. Configuring IIS for AD single sign-on 1. To configure the IIS web server for AD single sign-on Using the documentation included with your IIS server, change the access and authentication settings for the Enterprise virtual directory as follows: • • Deselect the Anonymous access and Basic authentication check boxes. Ensure that Integrated Windows authentication check box is selected. Note: You must also enable AD single sign-on in the CMC. For details, see “Enabling AD single sign-on in CMC” on page 283. 2. 3. Modify the web.config file. See “Modifying the web.config file for AD single sign-on” on page 283. Restart your IIS server. Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in “Setting up AD single sign-on” on page 282. 282 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing AD accounts 12 Enabling AD single sign-on in CMC 1. 2. 3. To enable the Windows AD plug-in for single sign-on in CMC Go to the Authentication management area of the CMC. Click the Windows AD tab. Select the Single sign-on is enabled check box. Note: If you select this option, you must also configure the IIS for single sign-on. For details, see “Configuring IIS for AD single sign-on” on page 282. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account. 4. Click Update. Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in “Setting up AD single sign-on” on page 282. Modifying the web.config file for AD single sign-on Make the following modifications to the web.config file to make sure Windows authentication is enabled. 1. To modify the web.config file for AD single sign-on Add the following lines to the block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\WebAdmin\Web.config file: • • 2. Add the following lines to the block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\InfoView\Web.config file: • • 3. Comment out the following line in the block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\InfoView\Web.config file as shown: Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in “Setting up AD single sign-on” on page 282. BusinessObjects Enterprise Administrator’s Guide 283 12 Managing User Accounts and Groups Managing NT accounts Managing NT accounts This section provides an overview of NT authentication and the tasks related to managing it. For information on how NT authentication works in conjunction with BusinessObjects Enterprise, see “Windows NT security plugin” on page 236. Note: • • • • • • • NT authentication only works for servers running on Windows systems. If you install BusinessObjects Enterprise on a Windows NT, 2000, or 2003 machine, NT authentication is installed and enabled by default. NT accounts refer to Windows NT, 2000, or 2003 accounts. “Mapping NT accounts” on page 284 “Unmapping NT groups” on page 288 “Viewing mapped NT users and groups” on page 289 “Troubleshooting NT accounts” on page 290 “Setting up NT single sign-on” on page 292 Managing NT accounts includes the following tasks: Mapping NT accounts To simplify administration, BusinessObjects Enterprise supports user and group accounts that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. You can map NT accounts to BusinessObjects Enterprise through Windows, by using the User Manager in Windows NT or Computer Management in Windows 2000, or through the CMC. Note: NT accounts refer to both Windows NT and 2000 accounts. 1. To map NT users and groups using Windows NT From the Windows Administrative Tools program group, click User Manager. Note: Ensure that you have selected the domain that contains the BusinessObjects NT Users group. 2. Select the BusinessObjects NT Users group. 284 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing NT accounts 12 Note: The BusinessObjects NT Users group is created automatically in Windows NT when you install BusinessObjects Enterprise on Windows NT. 3. 4. 5. 6. 7. From the User menu, click Properties. Click Add. Select the group(s) and/or user(s); then click Add. Click OK to add the group(s) and/or user(s). Click OK to complete the process. Tip: Users will now be able to log on to InfoView using their NT account if they use the following format: \\NTDomainName\NTusername or NTMachineName\LocalUserName Users do not have to specify the NT Domain Name if it is specified in the “Default NT Domain” field on the Windows NT tab. 1. 2. 3. 4. 5. 6. 7. 8. To map NT users and groups using Windows 2000 From the Windows Administrative Tools program group, click Computer Management. Under System Tools, select Local Users and Groups. Click the Groups folder. Select the BusinessObjects NT Users and from the Action menu, select Properties. Click Add. Select the group(s) and/or user(s); then click Add. Click OK to add the group(s) and/or user(s). Click OK or Apply (and then Close) to complete the process. Tip: Users will now be able to log on to InfoView using their NT account if they use the following format: \\NTDomainName\NTusername or NTMachineName\LocalUserName Users do not have to specify the NT Domain Name if it is specified in the “Default NT Domain” field on the Windows NT tab. To map NT users and groups using BusinessObjects Enterprise Before starting this procedure, ensure you have the NT domain and group information. 1. Go to the Authentication management area of the CMC. BusinessObjects Enterprise Administrator’s Guide 285 12 Managing User Accounts and Groups Managing NT accounts 2. Click the Windows NT tab. 3. 4. Ensure that the NT Authentication is enabled check box is selected. If you will be using single sign-on, select the Single Sign On is enabled check box. Note: If you select this option, you must also configure the IIS for single sign-on. For details, see “Setting up NT single sign-on” on page 292. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account. 5. To change the Default NT domain, click the domain name. Complete the Default NT Domain field. Note: By typing the default NT Domain Name, users do not have to specify the NT Domain Name when they log on to BusinessObjects Enterprise via NT authentication. Also, you don’t have to specify the NT domain name when you map groups. 286 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing NT accounts 12 6. In the Mapped NT Member Groups area, enter the NT domain\group in the Add NT Group (NT Domain\Group) field. Note: If you want to map a local NT group, you must type \\NTmachinename\groupname. 7. 8. Click Add. The group is added to the list. New Alias Options allow you to specify how NT aliases are mapped to Enterprise accounts. Select either: • Assign each added NT alias to an account with the same name Use this option when you know users have an existing Enterprise account with the same name; that is, NT aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and NT account, are added as new NT users. or • Create a new account for every added NT alias Use this option when you want the system to create a new account for each user. The system ensures that the users are created with unique names. For example, if BusinessObjects Enterprise user bsmith already exists and an NT user with the same is added, the new user will be bsmith01. 9. Update Options allow you to specify if NT aliases are automatically created for all new users. Select either: • New aliases will be added and new users will be created Use this option to automatically create a new alias for every NT user mapped to BusinessObjects Enterprise. New NT accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the “Create a new account for every added NT alias” option. or • No new aliases will be added and new users will not be created Use this option when the NT directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise. BusinessObjects Enterprise Administrator’s Guide 287 12 Managing User Accounts and Groups Managing NT accounts 10. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to NT accounts. Select either: • New users are created as named users New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option. • New users are created as concurrent users New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users. 11. Click Update. A message appears stating that it will take several seconds to update the member groups. 12. Click OK. Unmapping NT groups Similar to mapping, it is possible to unmap groups using the administrative tool in Windows NT/2000, or BusinessObjects Enterprise. 1. 2. 3. 4. 5. To unmap NT users and groups using Windows NT From the Administrative Tools program group, click User Manager. Select BusinessObjects NT Users. From the User menu, click Properties. Select the user(s) or group(s); then click Remove. Click OK. The user or group will no longer be able to access BusinessObjects Enterprise. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user’s Enterprise account. For more information, see “Managing Enterprise and general accounts” on page 253. 288 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing NT accounts 12 1. 2. 3. 4. 5. 6. 7. To unmap NT users and groups using Windows 2000 From the Administrative Tools program group, click Computer Management. Under System Tools, select Local Users and Groups. Click the Groups folder. Select BusinessObjects NT Users. From the Action menu, click Properties. Select the user(s) or group(s); then click Remove. Click OK or Apply (and then Close) to complete the process. The user or group will no longer be able to access BusinessObjects Enterprise. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user’s Enterprise account. For more information, see “Managing Enterprise and general accounts” on page 253. 1. 2. 3. 4. 5. To unmap NT groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC. Click the Windows NT tab. In the Mapped NT Member Groups area, select the NT group you would like to remove. Click Delete. Click Update. The users in this group will not be able to access BusinessObjects Enterprise. Tip: To deny NT Authentication for all groups, clear the “NT Authentication is enabled” check box and click Update. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user’s Enterprise account. For more information, see “Managing Enterprise and general accounts” on page 253. Viewing mapped NT users and groups There are two methods to view mapped users and groups in BusinessObjects Enterprise. The method you use depends on the way the groups and users have been mapped. BusinessObjects Enterprise Administrator’s Guide 289 12 Managing User Accounts and Groups Managing NT accounts To view users and groups that have been added using Windows NT/ 2000 or BusinessObjects Enterprise 1. Go to the Groups management area of the CMC. 2. If you added users and groups through Windows NT/2000, then click BusinessObjects NT Users. If you added users and groups through the CMC, then select the appropriate group. 3. 4. 5. 6. Click the Users tab. Click OK to the message which states that accessing the user list may take several seconds. Click Refresh. Click OK. To view users and groups that have been added using BusinessObjects Enterprise 1. Go to the Authentication management area of the CMC. 2. Click the Windows NT tab. The “Mapped NT Member Groups” area displays the groups that have been mapped to BusinessObjects Enterprise. Note: You can view the groups and users by selecting the appropriate group from the Groups management area and then clicking the Users tab. Troubleshooting NT accounts Creating a new NT user account • If you create a new NT user account, and the account does not belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see “Mapping NT accounts” on page 284. If you create a new NT user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the user list. For more information, see “Viewing mapped NT users and groups” on page 289. • 290 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing NT accounts 12 Adding an NT account to a mapped NT group When you have added a new account in NT, and the NT group to which the account belongs is already mapped to BusinessObjects Enterprise, there are three ways you can get the new NT account into BusinessObjects Enterprise. Choose the method that works best for your situation: • When the new NT user logs on to BusinessObjects Enterprise and selects NT authentication, the system will add the user to BusinessObjects Enterprise. This is the simplest method and it doesn’t require any extra steps, but the user won’t be added until he or she logs on to BusinessObjects Enterprise. You can add the new user to BusinessObjects Enterprise and select Windows NT authentication. The user is added and is automatically assigned a Windows NT alias. See “Creating a user and a third-party alias” on page 294. You can go to the Windows NT tab in the Authentication management area and select the option to add all new aliases and create all new users, and then click Update. In this case all NT users will be added to BusinessObjects Enterprise. For details, see “Mapping NT accounts” on page 284. However, if the NT group contains many users who don’t require access to BusinessObjects Enterprise, you may want to add the user individually instead. • • Creating a new NT group account • If you create a new NT group account, and the group account does not belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see “Mapping NT accounts” on page 284. If you create a new NT group account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the group list. For more information, see “Viewing mapped NT users and groups” on page 289. • Disabling an NT user account • If you disable an NT user account (using Windows Administrative Tools), the user will not be able to log on to BusinessObjects Enterprise using the mapped NT account. However, if the user also has an account that uses Enterprise authentication, the user can still access BusinessObjects Enterprise using that account. BusinessObjects Enterprise Administrator’s Guide 291 12 Managing User Accounts and Groups Managing NT accounts Setting up NT single sign-on You can configure BusinessObjects Enterprise to allow users to use various BusinessObjects Enterprise applications without being prompted to log on. Users need only to enter their NT user name and password information once at the beginning of the NT session. For instance, if you have set up NT single sign-on, when you launch the CMC, NT authentication occurs in the background. You are not required to enter any additional information. Note: This feature is available if you are using a Microsoft Internet Information Server (IIS) web server and users are using Internet Explorer as their web browser. See the Platforms.txt file included with your product distribution for a complete list of version requirements. BusinessObjects Enterprise provides its own form of “anonymous single signon,” which uses Enterprise authentication, as opposed to Windows NT authentication. Design your own web applications accordingly (or modify InfoView) if you want to use NT single sign-on. When a user launches InfoView, he or she can log on using the Guest account (Enterprise authentication). You can disable this feature—for more information, see “Disabling the Guest account” on page 261. However, even when you disable the Guest account, BusinessObjects Enterprise is designed to display a logon page. With single sign-on enabled, the user can select Windows NT from the Authentication list and click Log On without entering his or her user name or password. In the developer documentation, refer to the tutorial for an example on creating a web application that uses single sign-on. Setting up NT single sign-on to BusinessObjects Enterprise includes the following tasks: • • • “Configuring IIS for NT single sign-on” on page 292 “Enabling NT single sign-on in CMC” on page 293 “Modifying the web.config file for NT single sign-on” on page 293 Note: BusinessObjects Enterprise does not support the Kerberos protocol for Windows NT. For information on how to set up end-to-end single sign on with AD and Kerberos, see “Configuring Kerberos single sign-on” on page 299. Configuring IIS for NT single sign-on 1. To configure the IIS web server for NT single sign-on Using the documentation included with your IIS server, change the access and authentication settings for the Enterprise virtual directory as follows: • • Deselect the Anonymous access and Basic authentication check boxes. Ensure that the Integrated Windows authentication check box is selected. 292 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing NT accounts 12 2. 3. Modify the web.config file. See “Modifying the web.config file for NT single sign-on” on page 293. Restart your IIS server. Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in “Setting up NT single sign-on” on page 292. Enabling NT single sign-on in CMC 1. 2. 3. To enable the Windows NT plug-in for single sign-on in CMC Go to the Authentication management area of the CMC. Click the Windows NT tab. Select the Single Sign On is enabled check box. Note: If you select this option, you must also configure the IIS for single sign-on. For details, see “Configuring IIS for NT single sign-on” on page 292. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because when users access one of the web applications they would automatically have the same access privileges as the IIS machine account. 4. Click Update. Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in “Setting up NT single sign-on” on page 292. Modifying the web.config file for NT single sign-on Make the following modifications to the web.config file to make sure Windows authentication is enabled. 1. To modify the web.config file for NT single sign-on Add the following lines to the block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\WebAdmin\Web.config file: • • 2. Add the following lines to the block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\InfoView\Web.config file: • • BusinessObjects Enterprise Administrator’s Guide 293 12 Managing User Accounts and Groups Managing aliases 3. Comment out the following line in the block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise 11\InfoView\Web.config file as shown: Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in “Setting up NT single sign-on” on page 292. Managing aliases If a user has multiple accounts in BusinessObjects Enterprise, you can link the accounts using the assign alias feature. This is useful when a user has a third-party account that is mapped to Enterprise and an Enterprise account. By assigning an alias to the user, the user can log on using either a third-party user name and password or an Enterprise user name and password. Thus, an alias enables a user to log on via more than one authentication type. You can also reassign an alias in BusinessObjects Enterprise. For example, after you map your third-party accounts to BusinessObjects Enterprise, you can use the Reassign Alias feature to reassign an alias to a different a user. In CMC, the alias information is displayed at the bottom of the properties page for a user. A user can have any combination of BusinessObjects Enterprise, LDAP, AD, or NT aliases. Managing aliases includes: • • • • • • “Creating a user and a third-party alias” on page 294 “Creating an alias for an existing user” on page 296 “Assigning an alias” on page 296 “Reassigning an alias” on page 297 “Deleting an alias” on page 297 “Disabling an aliases” on page 298 Creating a user and a third-party alias When you create a user and select an authentication type other than Enterprise, the system creates the new user in BusinessObjects Enterprise and creates a third-party alias for the user. 294 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing aliases 12 Note: For the system to create the third-party alias, the following criteria must be met: • • • The authentication tool needs to have been enabled in CMC. The format of the account name must agree with the format required for the authentication type. The user account must exist in the third-party authentication tool, and it must belong to a group that is already mapped to BusinessObjects Enterprise. To create a user and add a third-party alias Go to the Users management area of the CMC. Click New User. The New User Properties page appears. Select the authentication type for the user, for example, Windows NT. The New User Properties page appears. 1. 2. 3. 4. 5. 6. Type in the third-party account name for the user, for example, bsmith. Select the connection type for the user. Click OK. The user is added to BusinessObjects Enterprise and is assigned an alias for the authentication type you selected, for example, secWindowsNT:ENTERPRISE:bsmith. If required, you can add, assign, and reassign aliases to user. BusinessObjects Enterprise Administrator’s Guide 295 12 Managing User Accounts and Groups Managing aliases Creating an alias for an existing user You can create aliases for existing BusinessObjects Enterprise users. The alias can be an Enterprise alias, or an alias for a third-party authentication tool. Note: For the system to create the third-party alias, the following criteria must be met: • • • The authentication tool needs to have been enabled in CMC. The format of the account name must agree with the format required for the authentication type. The user account must exist in the third-party authentication tool, and it must belong to a group that is mapped to BusinessObjects Enterprise. To create a new alias for a user Go to the Users management area of the CMC. Click the link for the user that you want to add an alias to. Click New Alias. The New Alias page appears. Select the authentication type for the user, for example, Windows NT. Type in the account name for the user. Click OK. An alias is created for the user. When you view the user in CMC, at least two aliases are shown, the one that was already assigned to the user and the one you just created. 1. 2. 3. 4. 5. 6. Assigning an alias When you assign an alias to a user, you move a third-party alias from another user to the user you are currently viewing. You cannot assign or reassign Enterprise aliases. Note: If a user has only one alias and you assign that last alias to another user, the system will delete the user account, and the Favorites folder, personal categories, and inbox for that account. 1. 2. 3. To assign an alias from another user Go to the Users management area of the CMC. Click the link for the user you want to assign an alias to. Click Assign Alias. The Assign Alias page appears. 296 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Managing aliases 12 4. 5. Select the alias you want in the list of available aliases. Click the > arrow. Tip: • • 6. To select multiple aliases, use the SHIFT+click or CTRL+click combination. To search for a specific alias, use the Look For field. Click OK. Reassigning an alias When you reassign an alias, you move a third-party alias from the user that you are currently viewing to another user. You cannot assign or reassign Enterprise aliases. Note: If a user has only one alias and you reassign that alias to another user, the system will delete the user account, and the Favorites folder, personal categories, and inbox for that account. 1. 2. 3. 4. 5. To reassign an alias to another user Go to the Users management area of the CMC. Click the link for the user whose alias you want to reassign, for example, bsmith. Click the Reassign Alias button for the alias. The Reassign Alias page appears. In the list, click the name of the user that you want to assign the alias to, for example, jbrown. Click OK. The alias for bsmith has now been assigned to the user jbrown, and the Properties page for user jbrown is displayed. The user jbrown can now log on using the third-party user account and authentication method. The user bsmith can no longer use this alias. Deleting an alias When you delete an alias, the alias is removed from the system. If a user has only one alias and you delete that alias, the system automatically deletes the user account and the Favorites folder, personal categories, and inbox for that account. BusinessObjects Enterprise Administrator’s Guide 297 12 Managing User Accounts and Groups Managing aliases 1. 2. 3. To delete an alias Go to the Users management area of the CMC. Click the link for the user whose alias you want to delete. Click the Delete Alias button for the alias. The alias is deleted from the system. Note: Deleting a user’s alias does not necessarily prevent the user from being able to log on to BusinessObjects Enterprise again. If the user account still exists in the third-party system, and if the account belongs to a group that is mapped to BusinessObjects Enterprise, then BusinessObjects Enterprise will still allow the user to log on. Whether the system creates a new user or assigns the alias to an existing user, depends on which Update Options you have selected for the authentication tool in the Authentication management area of CMC. Disabling an aliases You can prevent a user from logging on to BusinessObjects Enterprise using a particular authentication method by disabling the user’s alias associated with that method. To prevent a user from accessing BusinessObjects Enterprise altogether, disable all aliases for that user. Note: Deleting a user from BusinessObjects Enterprise does not necessarily prevent the user from being able to log on to BusinessObjects Enterprise again. If the user account still exists in the third-party system, and if the account belongs to a group that is mapped to BusinessObjects Enterprise, then BusinessObjects Enterprise will still allow the user to log on. To ensure a user can no longer use one of his or her aliases to log on to BusinessObjects Enterprise, it is best to disable the alias. See also “Deleting an alias” on page 297. 1. 2. 3. To disable an alias Go to the Users management area of the CMC. Click the name of the user whose alias you want to disable. In the Alias area on the Properties page, clear the Enabled check box for the alias you want disable. Repeat this step for each alias you want to disable. 4. Click Update. The user can no longer log on using the type of authentication that you just disabled. 298 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Configuring Kerberos single sign-on 12 Configuring Kerberos single sign-on This section tells you how to set up end-to-end single sign-on to your BusinessObjects Enterprise system and its back-end databases by using Kerberos and Windows AD authentication. For general information about the levels of single sign-on that are supported in BusinessObjects Enterprise, see “About single sign-on” on page 232. BusinessObjects Enterprise currently supports single sign-on to the database with Windows AD using Kerberos for the Windows platform only. It requires a Microsoft Internet Information Services (IIS) web server and users require Internet Explorer (IE) as their web browser. See the Platforms.txt file included with your product distribution for a complete list of version requirements. Configuration process overview Configuring end-to-end single sign-on using Kerberos includes the following main steps: 1. “Setting up a service account” on page 299 Note: The order in which you complete these steps is not important. However, before you can proceed you must have set up the service account. 2. 3. 4. 5. 6. 7. “Configuring the servers” on page 300 “Configuring the Windows AD plug-in for Kerberos authentication” on page 301 “Configuring the IIS and browsers” on page 303 “Configuring IIS for end-to-end single sign-on” on page 305 “Configuring BusinessObjects Enterprise web applications” on page 312 “Configuring the databases for single sign-on” on page 313 Setting up a service account To configure BusinessObjects Enterprise for end-to-end single sign-on using Kerberos and Windows AD authentication, you require a service account. This must be a domain account that has been trusted for delegation. You can either create a new domain account or use an existing domain account. The service account will be used to run the BusinessObjects Enterprise servers. Note: Instead of a service account, you could use a user or computer domain account. However, it is recommended you use a service account. BusinessObjects Enterprise Administrator’s Guide 299 12 Managing User Accounts and Groups Configuring Kerberos single sign-on To set up the service account On the domain controller, set up the domain service account. For detailed instructions, refer to http://msdn.microsoft.com. Note: The procedure for setting up a domain service account varies, depending on whether you are using Windows 2000 or Windows 2003: • • In Windows 2000, ensure that the Account is trusted for delegation option has been selected for the account. In Windows 2003, ensure that the following two options have been selected for the account: • • Trust this user for delegation to specified service only Use Kerberos only If you are using Windows 2003, you may have to first add a service principal name (SPN) for the domain account. Configuring the servers Configuring the BusinessObjects Enterprise servers includes: • • “Configuring the server machines” on page 300 “Configuring the servers to use the service account” on page 301 Configuring the server machines In order to support end-to-end single sign-on, you must grant the service account the right to act as part of the operating system. This must be done on each machine running the following servers: • • • • CMS Page Server Report Application Server Web Intelligence Report Server To configure the server machines Note: To complete this procedure, you require a service account that has been trusted for delegation. See “Setting up a service account” on page 299. 1. 2. 3. 4. 5. Click Start > Administrative Tools > Local Security Policy. Click Local Policies, then click User Rights Assignment. Double-click Act as part of the operating system. Click Add. Double-click the service account, and then click OK. 300 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Configuring Kerberos single sign-on 12 6. 7. Ensure that the Local Policy Setting check box is selected, and then click OK. Repeat the above steps on each machine running a BusinessObjects Enterprise server. For detailed instructions, see “Controlling users’ access to objects” on page 317. Configuring the servers to use the service account In order to support Kerberos single sign-on, you must use CCM and configure the following servers to log on as the service account: • • • • CMS server Page Server Report Application Server Web Intelligence Report Server To configure a server Note: To complete this procedure, you require a service account that has been trusted for delegation. See “Setting up a service account” on page 299. 1. 2. 3. 4. Start the CCM. Stop the server you want to configure, for example, the CMS server. Double-click the server you want to configure. The Properties dialog box is displayed. On the Properties tab: a. b. c. 5. 6. In the Log On As area, deselect the System Account check box. Enter the user name and password for the service account. Click Apply, and then click OK. Start the server again. Repeat steps 2 through 5 for each BusinessObjects server that has to be configured. Configuring the Windows AD plug-in for Kerberos authentication In order to support Kerberos single sign-on, you have to configure the Windows AD security plug-in in the CMC to use Kerberos authentication. This includes: • Ensuring Windows AD authentication is enabled. BusinessObjects Enterprise Administrator’s Guide 301 12 Managing User Accounts and Groups Configuring Kerberos single sign-on • • Setting up an AD Administrator account. This account requires read access to Active Directory only; it does not require any other rights. Enabling Kerberos single sign-on and setting the service principal name (SPN) to use a service account. To configure the Windows AD security plug-in Go to the Authentication management area of the CMC. Click the Windows AD tab. Ensure that the Windows Active Directory Authentication is enabled check box is selected. Select the Single sign-on is enabled check box. Note: For related information about configuring the Windows AD plug-in, see “Managing AD accounts” on page 275. 1. 2. 3. 4. 5. Set up the AD administrator account: a. b. Click AD Administrator Name. Enter the name and password for the account and the default AD Domain. Note: The AD Administrator account requires read access to Active Directory only; it does not require any other rights. c. Click Update. 6. In the “Mapped AD Member Group” area, map the AD group for the AD users who require access to BusinessObjects Enterprise via AD authentication and single sign-on. See “Mapping AD accounts” on page 276. Under Authentication Options select the following: 7. • • • Select the Use Kerberos authentication check box. Select the Cache Security context (required for SSO to database) check box. In the Service Principal Name box, enter the service principal name of the service account. Note: This must be the same account that you use to run the BusinessObjects Enterprise servers. See “Setting up a service account” on page 299. 8. Click Update. 302 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Configuring Kerberos single sign-on 12 Configuring the cache expiry When the system is using AD and Kerberos single sign-on, it uses the cache expiry for certain BusinessObjects Enterprise servers to determine whether a logon ticket is still valid. This applies to the CMS, Page Server, Report Application Server, and Web Intelligence Report Server. The CMS uses the cache expiry as follows: • • • If the CMS cache expiry is greater than that of the ticket, the system renews the ticket until the CMS cache expiry is reached. If the CMS cache expiry is less than that of the ticket, the ticket will expire when the CMS cache expiry is reached. If the CMS cache expiry is zero, the system will use the globally set ticket expiry. The other servers use either their cache expiry or the ticket expiry, whichever has the lowest value. Regardless of whether the cache expiry for the server is greater or less than that of the ticket, the ticket will expire when the lowest expiry value is reached. The system comes configured with default values for the server cache expiry. Use the following procedure to change these settings when needed. Note: If you are running multiple instances of a server, you can control the cache expiry for each instance individually. 1. 2. 3. 4. 5. To configure the servers in CMC Go to the Servers management area of the CMC. Click the link for the server. Click the Single Sign-On tab. Type in a new cache expiry value. Click Update. Configuring the IIS and browsers In order to support Kerberos end-to-end single sign-on, you have to configure the BusinessObjects Enterprise clients. This includes: • • “Configuring the BusinessObjects Enterprise clients on the IIS” on page 304 “Configuring the Internet Explorer browser on a client machine” on page 304 BusinessObjects Enterprise Administrator’s Guide 303 12 Managing User Accounts and Groups Configuring Kerberos single sign-on Configuring the BusinessObjects Enterprise clients on the IIS To support Kerberos single sign-on, you have to configure the BusinessObjects clients on the IIS to use integrated Windows authentication. 1. 2. 3. 4. 5. 6. 7. To configure the clients for Windows authentication On the IIS, in the Internet Information Services window, expand the tree on the left and go to businessobjects under Default Web Site. Right-click businessobjects and select Properties. On the Directory Security tab, click Edit. Turn off Anonymous Access. Turn on Integrated Windows Authentication. Click OK, and then click OK again. Repeat the above for crystalreportviewer. Configuring the Internet Explorer browser on a client machine To support Kerberos end-to-end single sign-on, you have to configure the Internet Explorer (IE) browser on the BusinessObjects Enterprise client machines. This includes: • • Setting up the client machines for integrated Windows authentication. Adding the IIS to the trusted sites. Note: If configuring the IIS for single sign-on to the database only, you do not need to configure the browser for single sign-on. See also “Configuring IIS for single sign-on to databases only” on page 309. Note: You can automate the following steps through a registry key. For details, refer to you Windows documentation. 1. 2. To configure the IE browser on the client machines On the client machine, open an Internet Explorer browser window. Enable integrated windows authentication: a. b. c. d. Click Tools > Internet Options. The Internet Options dialog box appears. Click the Advanced tab. Navigate to the Security settings. Click the Enable integrated windows authentication option, and then click Apply. 304 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Configuring Kerberos single sign-on 12 3. Add the IIS to the Trusted sites. You can enter the full domain name of the site: a. b. c. d. e. f. Click Tools > Internet Options. The Internet Options dialog box appears. Click the Security tab. Click Sites. Click Advanced. Type in the web site for the IIS, and then click Add. Click OK, and then click OK twice more to close the Internet Options dialog box. 4. 5. Close the Internet Explorer browser windows and then open them again for the changes to take effect. Repeat the above steps on each BusinessObjects Enterprise client machine. Configuring IIS for end-to-end single sign-on To support Kerberos end-to-end single sign-on, the worker processes of the IIS have to run under a domain account that is trusted for delegation. Refer to either of the following procedures, depending on whether you are using IIS5 or IIS6: • • “Configuring IIS5 for Kerberos end-to-end single sign-on” on page 305 “Configuring IIS6 for Kerberos end-to-end single sign-on” on page 307 Note: Instead of configuring the IIS worker processes for end-to-end single sign-on you can configure them to use single sign-on to the database only. You may want to do this, for example, if you don’t want to run the IIS worker processes under an account that has been trusted for delegation. For more information, see: • • “Configuring IIS for single sign-on to databases only” on page 309 “Configuring web applications for single sign-on to the databases” on page 313. Configuring IIS5 for Kerberos end-to-end single sign-on To support Kerberos end-to-end single sign-on, you have to set the IIS and the Aspnet_wp.exe worker process to run as a domain account that has been trusted for delegation. BusinessObjects Enterprise Administrator’s Guide 305 12 Managing User Accounts and Groups Configuring Kerberos single sign-on You can run the IIS either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages: • • If you use a machine domain account, the password will be automatically generated and won’t expire, nor can it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition. Which approach you use, depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com. Refer to either of the following procedures, depending on whether you want to use a machine or user domain account: • • “To run the IIS5 worker process under the machine domain account” on page 306 “To run the IIS5 worker process under a user domain account” on page 307 To run the IIS5 worker process under the machine domain account On the domain controller, set the domain account of the IIS machine to be trusted for delegation. Changing this property can take several minutes to propagate. Set the Aspnet_wp.exe to run as a machine domain account. To do this, change the following parameters in the block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine. config file: 1. 2. • • userName="SYSTEM" Password="AutoGenerate" In the above path name, version represents the software version. Note: Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. Note: For security reasons, make sure that the account which the IIS helper processes run under does not belong to a mapped group. 3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine: setspn -A HTTP/serverhost.domainname.com serverhost For example, if access is via www.domainname.com but the machine name is web.domainname.com. 306 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Configuring Kerberos single sign-on 12 1. To run the IIS5 worker process under a user domain account Set the Aspnet_wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the block in the \WINDOWS\Microsoft.NET\Framework\ version\CONFIG\machine.config file: • • userName="domainaccount" Password="password" Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account. In the above path name, version represents the software version. Note: For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group. 2. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine: setspn -A HTTP/serverhost.domainname.com serverhost For example, if access is via www.domainname.com but the machine name is web.domainname.com. Configuring IIS6 for Kerberos end-to-end single sign-on To support Kerberos for end-to-end single sign-on, you have to set the IIS and w3wp.exe worker process to run as an account that has been trusted for delegation. You can run the IIS either under the machine domain account or under user domain account. Each approach has advantages and disadvantages: • • If you use a machine domain account, the password will be automatically generated and won’t expire, nor can it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition. Which approach you use, depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com. Refer to either of the following procedures, depending on whether you want to use a machine or user domain account: BusinessObjects Enterprise Administrator’s Guide 307 12 Managing User Accounts and Groups Configuring Kerberos single sign-on • • “To run the IIS6 worker process under the machine domain account” on page 308 “To run the IIS6 worker process under a user domain account” on page 309 To run the IIS6 worker process under the machine domain account On the domain controller, set account of the IIS machine to be trusted for delegation. Changing this property can take several minutes to propagate! If you don’t want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also “Configuring IIS for single sign-on to databases only” on page 309. 1. 2. Configure the account for the w3wp.exe worker process: a. b. c. d. e. f. g. In the Internet Service Manager window, right-click the machine name and select Application Pool > New. Type in a name for the application pool. In the tree panel on the left, expand machine name > Web Site > Default Web Site > businessobjects > EnterpriseXX. Right-click InfoView and select Properties. On the Directory tab select the new application pool name from the list, and then click Apply. Right-click the application pool you created, and select Properties. On the Identity tab select LocalSystem from the list, and then click Apply. Note: Configuring the w3wp.exe account to run as a LocalSystem account will cause all ASP.NET web applications on the web server to run as privileged system accounts. Note: For security reasons, make sure that the account which the IIS worked processes run under does not belong to a mapped group. 3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine: setspn -A HTTP/serverhost.domainname.com serverhost For example, if access is via www.domainname.com but the machine name is web.domainname.com. 308 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Configuring Kerberos single sign-on 12 1. To run the IIS6 worker process under a user domain account Set the w3wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the block in the \WINDOWS\Microsoft.NET\Framework\ version\CONFIG\machine.config file: • • userName="domainaccount" Password="password" In the above path name, version represents the software version. Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account. Note: If you don’t want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also “Configuring IIS for single sign-on to databases only” on page 309. For security reasons, make sure that the account which the IIS worker processes run under does not belong to a mapped group. 2. Add the domain account to the IIS_WPG local group, and give it the relevant rights to access the needed files. For more information, see http://msdn.Microsoft.com. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine: setspn -A HTTP/serverhost.domainname.com serverhost 3. For example, if access is via www.domainname.com but the machine name is web.domainname.com. Configuring IIS for single sign-on to databases only When using Kerberos with Windows AD, you can choose whether you want to provide end-to-end single sign-on, or whether you want users to provide their logon credentials when they log in to BusinessObjects Enterprise. When users log on to BusinessObjects Enterprise, the system generates a logon token to provide single sign-on access to the databases. 1. To use single sign-on to the databases only Configure the IIS worker processes to run as a domain account in order for the network to recognize their accounts, but the account does not have to be trusted for delegation. Refer to either of the following procedures, depending on whether you are using IIS5 or IIS6: • • “Configuring IIS5 for single sign-on to database only” on page 310 “Configuring IIS6 for single sign-on to database only” on page 311 BusinessObjects Enterprise Administrator’s Guide 309 12 Managing User Accounts and Groups Configuring Kerberos single sign-on 2. Configure the web applications for single sign-on to the database instead of end-to-end single sign-on. See “Configuring web applications for single sign-on to the databases” on page 313. Note: If configuring the IIS for single sign-on to the database only, you do not need to configure the browser for single sign-on. See “Configuring the Internet Explorer browser on a client machine” on page 304. 3. Clear the Single Sign On is enabled check box on the Windows AD page in the Authentication management area in CMC. Configuring IIS5 for single sign-on to database only To support single sign-on to the database only, you have to set the Aspnet_wp.exe worker process to run as a domain account, but the account does not have to be trusted for delegation. You can run the IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages: • • If you use a machine domain account, the password will be automatically generated and won’t expire, nor can it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition. Which approach you use, depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com. 1. 2. To configure the IIS5 for single sign-on to databases only Make sure IIS is running as a domain account Set the Aspnet_wp.exe to run as a machine domain account. To do this, change the following parameters to the block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine. config file: • • userName="SYSTEM" Password:="AutoGenerate" In the above path name, version represents the software version. Note: • • Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS runs under does not belong to a mapped group. 310 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Configuring Kerberos single sign-on 12 3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine: setspn -A HTTP/serverhost.domainname.com serverhost For example, if access is via www.domainname.com but the machine name is web.domainname.com. Configuring IIS6 for single sign-on to database only To support single sign-on to the database only, you have to set the w3wp.exe worker process to run as a machine or user domain account, but the account does not have to be trusted for delegation. You can run the IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages: • • If you use a machine domain account, the password will be automatically generated and won’t expire, nor can it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition. Which approach you use, depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com. 1. 2. To configure the IIS6 for single sign-on to databases only Make sure IIS is running as a domain account. Configure the account for the w3wp.exe worker process: a. b. c. d. e. f. g. In the Internet Service Manager window, right-click the machine name and select Application Pool > New. Type in a name for the application pool. In the tree panel on the left, expand machine name > Web Site > Default Web Site > businessobjects > EnterpriseXX. Right-click InfoView and select Properties. On the Directory tab select the new application pool name from the list, and then click Apply. Right-click the application pool you created, and select Properties. On the Identity tab select LocalSystem from the list, and then click Apply. Configuring the w3wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. Note: • BusinessObjects Enterprise Administrator’s Guide 311 12 Managing User Accounts and Groups Configuring Kerberos single sign-on • 3. For security reasons, make sure that the account which IIS runs under does not belong to a mapped group. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine: setspn -A HTTP/serverhost.domainname.com serverhost For example, if access is via www.domainname.com but the machine name is web.domainname.com. Configuring BusinessObjects Enterprise web applications In order for the end-to-end single sign on to work, you have to configure the BusinessObjects Enterprise web applications to impersonate the user. See “Configuring web applications for end-to-end single sign-on” on page 312. Note: If you want to use single sign-on to the databases instead of end-toend single sign-on, you have to set the BusinessObjects Enterprise web applications to not impersonate a user. See “Configuring web applications for single sign-on to the databases” on page 313. Configuring web applications for end-to-end single sign-on In order to use up end-to-end single sign-on, you have to set both the CMC and InfoView web applications to impersonate the user. To do this, edit the respective Web.config files on the IIS as follows. 1. To configure the web applications for full single sign-on Add the following lines to the block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\WebAdmin\Web.config file: • • 2. Add the following lines to the block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\InfoView\Web.config file: • • 3. Enable Windows authentication by commenting out the following line in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise 11\InfoView\Web.config as shown: 312 BusinessObjects Enterprise Administrator’s Guide Managing User Accounts and Groups Configuring Kerberos single sign-on 12 Configuring web applications for single sign-on to the databases If you want to use single sign-on to the databases instead of end-to-end single sign-on, you have to set BusinessObjects Enterprise web applications to not impersonate the user. To do this, edit their Web.config files on the IIS as follows. Note: If you want to use single sign-on to the database only, see also “Configuring IIS for single sign-on to databases only” on page 309. 1. To configure the web applications for single sign-on to the databases Set the CMC to not impersonate the user by adding the following lines to the block in the Web Content\Enterprise 11\WebAdmin\Web.config file: • • 2. Set InfoView to not impersonate the users, by adding the following lines to the block in the Web Content\Enterprise 11\InfoView\Web.config file: • • Note: Make sure you set identity impersonate to false. Users will now be able to log on to BusinessObjects Enterprise by providing their logon credentials in the InfoView or CMC logon dialog box and selecting Windows AD authentication. Once they are logged on, the users will have single sign-on access to the databases associated with BusinessObjects Enterprise. Mapping AD accounts for Kerberos single sign-on In order for the Kerberos single sign-on to work, you must map the groups containing the AD users that are to have access to BusinessObjects Enterprise to a BusinessObjects Enterprise group. See “Mapping AD accounts” on page 276. Note: For security reasons, ensure that the mapped groups do not contain the domain account that the IIS is running under. Configuring the databases for single sign-on This section provides information that is specific to setting up single sign-on to SQL Server databases. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. For general information and for information about single sign-on to other supported databases, refer to the database vendors support documentation. BusinessObjects Enterprise Administrator’s Guide 313 12 Managing User Accounts and Groups Configuring Kerberos single sign-on Configuring SQL Server for single sign-on In order for Kerberos single sign-on to work, the machines running SQL Server database must be trusted for delegation. How to set up security delegation varies, depending on whether SQL Server has been configured to run under the LocalSystem account or under a service account: • If SQL Server is running under the LocalSystem account, no additional configuration is required. SQL Server registers itself when it starts and the system registers the SPN. When SQL Server shuts down, the system automatically un-registers the SPNs for the LocalSystem account. If SQL Server is running under a service account, you have to configure to be trusted for delegation. To run SQL Server under a service account In Active Directory, set up the SQL Server service account for security delegation: a. b. c. Select Start > Programs > Administrative Tools > Active Directory Users and Computers. Right-click the domain account and select Properties. On the Accounts tab, make sure the following options are selected: • 1. • • In Windows 2000, ensure that the Account is trusted for delegation option has been selected for the account. In Windows 2003, ensure that the following two options have been selected for the account: Trust this user for delegation to specified service only and Use Kerberos only. If you are using Windows 2003, you may have to first add a service principal name (SPN) for the domain account. 2. Set the machine running SQL Server as follows: • a. 3. Computer is trusted for delegation Click Apply, and then click OK. Add an SPN for the service account of the SQL Server: setspn -A MSSQLSvc/host:port serviceaccount Where host:port is the name of the machine running SQL Server and the port that, and serviceaccount is the name of the SQL Server service account. 314 BusinessObjects Enterprise Administrator’s Guide Controlling User Access chapter 13 Controlling User Access Controlling user access overview Controlling user access overview Rights are the base units for controlling users’ access to objects, users, applications, servers, and other features in BusinessObjects Enterprise. When granted, each right provides a user or group with permission to perform a particular action. Using rights, you can set security levels that affect individual users and groups. Rights allow you to control access to your BusinessObjects Enterprise content, to delegate user and group management to different departments, and to provide your IT people with administrative access to servers and server groups. To set rights within the Central Management Console (CMC), you first locate the object, user, or server and then you specify the rights for different users and groups. Each right can be Explicitly Granted, Explicitly Denied, or Inherited. The BusinessObjects Enterprise security model is designed such that, if a right is left “not specified,” the right is denied by default. Additionally, if contradictory settings result in a right being both granted and denied to a user or group, the right is denied by default. This “denial based” design assists in ensuring that users and groups do not automatically acquire rights that are not explicitly granted. To facilitate administration and maintenance, BusinessObjects Enterprise includes a set of predefined access levels that allow you to set common security levels quickly. Each access level grants a set of rights that combine to allow users to accomplish common tasks (such as view reports, schedule reports, and so on). It is recommended that you use the predefined access levels whenever possible, because they can greatly reduce the complexity of your object security model. For more information, see “Setting common access levels” on page 320. Whether or not you use access levels, you can also take advantage of the inheritance patterns recognized by BusinessObjects Enterprise: users can inherit rights as the result of group membership; subgroups can inherit rights from parent groups; and both users and groups can inherit rights from parent folders. When you need to disable inheritance or to customize security levels for particular objects, users, or groups, the Advanced Rights pages allow you to choose from the complete set of available object rights. Most importantly, the advanced object rights allow you to explicitly deny any user or group the right to perform a particular task. Users require specific licensing and rights to create or modify reports through the Report Application Server (RAS). For details, see “Object rights for the Report Application Server” on page 568. 316 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 Controlling users’ access to objects To secure the content that you publish to BusinessObjects Enterprise, you can set rights for each object. By setting object rights, you can control users’ access to specific content. For each object, you can grant or deny access to users and groups in your system. For example, you can use rights to make sure that you are the only one who can access your reports. You can ensure that confidential employee records can be accessed only by the human resources department. You can set rights for folders, report objects, program objects, and other BusinessObjects Enterprise objects. Tip: For detailed tutorials that walk you through sample implementations of object rights, see “Customizing a ‘top-down’ inheritance model” on page 331. Setting object rights for users and groups Object rights enable you to set access levels for your users and groups. You control which folders, reports, and other objects users and groups can access using BusinessObjects Enterprise. You set security settings at the object level. For objects that can be scheduled, the security settings are also reflected in the object instances object. To facilitate administration, BusinessObjects Enterprise includes a set of predefined rights (“access modes”) that allow you to set common security levels quickly. These include the following: • • • • • • • Inherited Rights No Access View Schedule View On Demand Full Control Advanced In addition to setting user and group rights for report objects from the Objects management area, you can also set user and group rights at the folder level. When you set rights at the folder level, these limits will be in effect for all objects that inherit rights from the folder (including any objects found within the subfolders). For detailed information on the different “access modes” for object rights and information on inherited rights, see “Controlling users’ access to objects” on page 317. BusinessObjects Enterprise Administrator’s Guide 317 13 Controlling User Access Controlling users’ access to objects 1. 2. 3. To add groups or users to an object’s rights settings In the Objects management area of the CMC, select an object by clicking its link. Click the Rights tab. The Rights tab appears. Click Add/Remove. 4. 5. 6. 7. 1. 2. Select an option in the Select Operation list. Select the group(s) or user(s) you would like to add or remove. Click the > arrow to add the group(s) or user(s); click the < arrow to remove the group(s) or user(s). Click OK. To change a group or user’s report rights In the Objects management area of the CMC, select an object by clicking its link. Click the Rights tab. The Rights tab appears. 318 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 3. Change the access level for a group or user by selecting a right from the appropriate list in the Access Level column; then click Update. If you select Advanced from the list, you grant or deny granular rights from the Advanced Rights page. For more information, see “Setting advanced object rights” on page 322. Viewing object rights settings Use the CMC to view the object rights that a user or group has to any folder, report, or other BusinessObjects Enterprise object. This section shows how to locate the rights for any object and briefly explains the information displayed on the Rights tab. You can locate any given object in several ways. Go to the Folders management area in the CMC to browse your folder hierarchy for an object, or go to the Objects management area in the CMC to view a list of all the objects on the system. Click the link that corresponds to the folder or other object whose rights you want to see, then click the object’s Rights tab. A page similar to the following appears: This example shows the rights for the Report Samples folder. The Name column lists all users and groups who have been given rights to the object. The Object column shows whether the entry is a User or a Group. In this case, users have not been specified individually; instead, users have been divided into two groups—Everyone and Administrators—which have been granted rights to the folder object. Click Add/Remove to add or remove a user or group to this object. The Access Level column shows how each user’s or group’s rights are determined. In this example, both groups possess Inherited Rights. You can change the rights for either group by selecting a predefined access level (or by selecting Advanced) from the list in the Access Level column. When you change an entry in the Access Level column, click Update to effect your changes. For more information, see “Setting common access levels” on page 320. The Net Access column displays the net effect of whatever is selected in the Access Level column. That is, the Net Access column shows the effective rights that each user or group has to the object. The Net Access column is BusinessObjects Enterprise Administrator’s Guide 319 13 Controlling User Access Controlling users’ access to objects particularly useful when you are working with inheritance. In this example, the Everyone group inherits rights from a parent folder—one that is not displayed on this screen. The Net Access column shows that the rights inherited from the parent folder are equivalent to the Schedule access level. Tip: If you want to view the individual object rights that make up a user’s (or group’s) Net Access, click the corresponding Access Level list and select Advanced. The Advanced Rights page displays the user’s full array of object rights that have been specified explicitly and/or inherited. Click Cancel to exit without making changes. For more information, see “Setting advanced object rights” on page 322. For detailed tutorials that walk you through sample implementations of object rights, see “Customizing a ‘top-down’ inheritance model” on page 331. Setting common access levels An access level is essentially a predefined set of object rights. BusinessObjects Enterprise provides a set of access levels that allow you to set common object security levels quickly. The available predefined access levels are No Access, View, Schedule, View On Demand, and Full Control. Access levels are based on a model of increasing rights: beginning with No Access and ending with Full Control, each access level builds upon the rights granted by the previous level. For example, the Schedule access level includes and adds to the rights that are granted by the View access level. For a complete listing of the object rights that make up each access level, see “Access levels” on page 565. Tip: By default, users or groups who have rights to a folder will inherit the same rights for any object that you subsequently publish to that folder. Consequently, the best strategy is to set the appropriate rights for users and groups at the folder level first. Then publish objects to that folder. Although access levels grant predefined sets of object rights, they do not explicitly deny any object rights. Instead, each access level grants some rights and leaves the other rights “not specified.” The system then denies the “not specified” rights by default. This is important, because it allows users to inherit the greatest rights when they belong to multiple groups: • When you assign an access level to a group, each user in the group will have at least that level of access to the object. If the user is a member of multiple groups, then he or she inherits the combination of each group’s rights. Thus, when a user is a member of multiple groups, he or she inherits the greatest possible rights. When you assign an access level directly to a user, you ensure that the user has only that level of access to the object. In other words, you prevent the user from inheriting rights that he or she may have otherwise acquired by virtue of group membership. • 320 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 This list provides a brief description of each access level: • No Access The user or group is not able to access the object or folder. InfoView, the Publishing Wizard, and the CMC enforce this right by ensuring that the object is not visible to the user. • View If this access level is set at the folder level, the user or group is able to view the folder, the objects contained within the folder, and all generated instances of each object. If this access level is set at the object level, the user can view the object, the history of the object, and all generated instances of the object. The user cannot, however, schedule the object or refresh it against its data source. • Schedule The user or group is able to view the object or folder and its contents, and to generate instances by scheduling the object to run against the specified data source once or on a recurring basis. The user or group can view, delete, and pause the scheduling of instances that they own. They can also schedule to different formats and destinations, set parameters and database logon information, pick servers to process jobs, add contents to the folder, and copy the object or folder. • • View On Demand In addition to the rights provided by the Schedule access level, the user gains the right to refresh data “on demand” against the data source. Full Control This access level grants all of the available advanced rights. It is the only access level that allows users to delete objects (folders, objects, and instances). This access level also allows users to modify all of the object’s properties, including the object rights that are set on the folder or object. Basically, this access level is designed to provide a user or group with administrative control over one or more folders or objects. Users can then log on to the CMC and add, edit, and remove content as required, without being members of the actual Administrators group. • Advanced This access level does not include a predefined set of object rights. Instead, it allows you to customize a user’s or group’s access to an object by selecting from the complete range of available object rights. For more information, see “Setting advanced object rights” on page 322. BusinessObjects Enterprise Administrator’s Guide 321 13 Controlling User Access Controlling users’ access to objects Note: There is no predefined access level to grant users the rights required to create or modify reports through the Report Application Server (RAS). For details, see “Object rights for the Report Application Server” on page 568. For a detailed listing of the object rights that make up each access level, see “Rights and Access Levels” on page 563. Note: In the developer documentation, access levels are referred to as roles. 1. 2. 3. 4. To set an access level for a user or group Go to the Objects or Folders management area of the CMC. Locate the object whose rights you want to modify. Click the link to the object, and then click its Rights tab. In the Name column, locate the user or group whose rights you want to specify. If the user or group is not listed, click Add/Remove. Add the appropriate user or group and click OK. You are returned to the object’s Rights tab. 5. In the Access Level column, select the access level (No Access, View, Schedule, View On Demand, or Full Control) that is appropriate for the user or group. Click Update. 6. Tip: For detailed tutorials that walk you through sample implementations of object rights, see “Customizing a ‘top-down’ inheritance model” on page 331. Setting advanced object rights To provide you with full control over object security, the CMC allows you to make Advanced object rights settings for any user or group. These Advanced settings enable you to choose from a complete set of granular object rights. The result is an increased flexibility as you define security levels for objects that you have published to BusinessObjects Enterprise. Use advanced rights, for instance, if you need to customize a user’s or group’s rights to a particular object or set of objects, or if you want to customize the default inheritance patterns. Most importantly, use advanced rights to explicitly deny a user or group any right that should not be permitted to change when, in the future, you make changes to group memberships or folder security levels. Tip: By default, users or groups who have rights to a folder will inherit the same rights for any object that you subsequently publish to that folder. Consequently, the best strategy is to set the appropriate rights for users and groups at the folder level first. Then publish objects to that folder. 322 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 Note: Because of the relative priorities assigned by BusinessObjects Enterprise to granted and denied rights, you must disable inheritance entirely when you need to explicitly grant a right that has been denied elsewhere to the user or group. For complete details, see “Priorities affecting advanced inheritance settings” on page 330. 1. 2. 3. 4. To view or set advanced rights Go to the Objects or Folders management area of the CMC. Locate the object whose rights you want to modify. Click the link to the object, and then click its Rights tab. In the Name column, locate the user or group whose rights you want to specify. If the user or group is not listed, click Add/Remove. Add the appropriate user or group and click OK. You are returned to the object’s Rights tab. 5. The next step depends upon the entry that already appears in the Access Level list for this user or group: • • If the Access Level is not already set to Advanced, click the list and select Advanced. If the Access Level is already set to Advanced, click the Advanced link in the Net Access column. The available object rights are displayed in the Advanced Rights page. This example shows advanced rights being applied to the Guest user for an Employee Profile report. BusinessObjects Enterprise Administrator’s Guide 323 13 Controlling User Access Controlling users’ access to objects The first two options specify which types of inheritance affect the Guest user’s rights to this object. In this example, the Guest user cannot inherit rights by virtue of group membership. But, the Guest user may inherit any rights that he or she has been granted to this report’s parent folder. The remainder of the Advanced Rights page lists all available object rights and shows how each right applies to the Guest user. To customize the overall security levels, you can explicitly grant or deny any given right, or you can specify that you want certain rights to be inherited. The Inherited column serves as an indicator to show how inherited rights affect the Guest user’s effective rights to this report object. A user or group can be granted or denied a right by virtue of inheritance. In addition, some rights may remain “not specified”—that is, they are neither granted nor denied. If an inherited right is labelled as “Not Specified”, BusinessObjects Enterprise treats it as having been denied. (And if the right is later granted for a parent group or object, the user or group will automatically inherit the right at this level.) In this example, the Guest user has two inherited rights (the right to “View document instances that the user owns” and to “Pause and Resume document instances that the user owns”). Currently, these rights are not specified, so the rights are denied by default. However, if the Guest user’s rights should change on the report’s parent folder, the rights will also change for this report object. This demonstrates how inheritance can facilitate future changes to the overall security model. Tip: For scalability and manageability, it is recommended that you leave as many rights as possible inherited, because the system automatically updates those rights as you modify and update your security settings throughout the folder and group hierarchies. The Explicitly Granted column shows which actions the Guest user is allowed to perform on this report. The Guest user is currently granted eleven rights to this report (the right to “View objects,” “Schedule the document to run,” and so on). Because group inheritance is disabled, the Guest user will retain these rights, even if its group membership is modified or changed completely. This demonstrates how you can use explicit rights to override a group’s rights for a particular group member. The Explicitly Denied column works similarly to the Explicitly Granted column. Regardless of any future changes to the user’s group membership, an explicitly denied right always prevents a user from performing the associated action. In this example, the Guest user has been explicitly denied eleven rights (the right to “Add objects to the folder,” “Edit objects,” and so on). Again, this demonstrates how you can use explicit rights to override a group’s rights for a particular group member. When you have made your changes on the Advanced Rights page, click OK. 324 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 Tip: For detailed tutorials that walk you through sample implementations of object rights, see “Customizing a ‘top-down’ inheritance model” on page 331. Base rights and available rights The BusinessObjects Enterprise system defines a set of base rights that apply to all objects in the system. For example, the “View objects” right is a base right: it applies equally well to folders, to reports, and to other BusinessObjects Enterprise objects. In addition to these base rights, however, each type of object provides an additional set of rights that apply only to that object type. For example, the “Refresh the report’s data” right applies only to report objects. The Central Management Server (CMS) is the component that keeps track of available rights. The list of available rights includes the base rights and all other object-specific rights that have been provided by particular object types, such as Crystal report objects. On the Advanced Rights pages, you will find that all of the available rights are displayed for every object on the system. These rights are grouped based on what type of file they apply to. The four groups are General, Report, Text, and Web Intelligence Document. When you are setting rights for folders, these groups make it easier to see where the rights will be applied. For example, the object-specific right “Refresh the report’s data” appears in the Report folder because it only applies to report objects. Available rights are displayed for every object on the system for purposes of inheritance, so that you can set object security at the folder level (rather than repeating the same settings for every object in the folder). Although certain object-specific rights do not strictly apply to the folder object itself, these rights may apply to objects that inherit rights from the folder. In other words, the “Refresh the report’s data” right is displayed for the folder object so that you can grant a user the right to refresh the data in all reports for which the user inherits rights from this folder. Note: This is only one type of object inheritance. For more information, see “Group and folder inheritance” on page 326. Using inheritance to your advantage In regards to object rights, BusinessObjects Enterprise recognizes two types of inheritance: group inheritance and folder inheritance. By taking advantage of the ways in which object rights are inherited, you can reduce the amount of time it takes to secure the content that you have published to BusinessObjects Enterprise. Additionally, you can set up BusinessObjects Enterprise such that you can integrate new users and new content quickly and easily. BusinessObjects Enterprise Administrator’s Guide 325 13 Controlling User Access Controlling users’ access to objects To facilitate administration, it is recommended that you enable and disable inheritance with access levels whenever possible (instead of with advanced rights). Additionally, it is recommended that you make your initial settings at the top-level BusinessObjects Enterprise folder and disable inheritance only when necessary. For detailed tutorials that walk you through sample implementations of object rights, see “Customizing a ‘top-down’ inheritance model” on page 331. Tip: By default, users or groups who have rights to a folder will inherit the same rights for any object that you subsequently publish to that folder. Consequently, the best strategy is to set the appropriate rights for users and groups at the folder level first. Then publish objects to that folder. Group and folder inheritance Group inheritance allows users to inherit rights as the result of group membership. Group inheritance proves especially powerful when you organize all of your users into groups that coincide with your organization’s current security conventions. For example, if you create a user called Sample User, and add it to an existing group called Sales, then Sample User will automatically inherit the appropriate rights for each of the reports and folders that the Sales group has been added to. When group inheritance is enabled for a user who belongs to more than one group, the rights of both groups are considered when the system checks credentials. The user is denied any right that is explicitly denied in any group, and the user is denied any right that remains completely “not specified”; thus, the user is granted only those rights that are granted in one or more groups (explicitly or through access levels) and never explicitly denied. Folder inheritance allows users to inherit any rights that they have been granted on an object’s parent folder. Folder inheritance proves especially powerful when you organize BusinessObjects Enterprise content into a folder hierarchy that reflects your organization’s current security conventions. For example, suppose that you create a folder called Sales Reports, and you provide your Sales group with View On Demand access to this folder. By default, every user that has rights to the Sales Reports folder will inherit the same rights to the reports that you subsequently publish to this folder. Consequently, the Sales group will have View On Demand access to all of the reports, and you need only set the object rights once, at the folder level. Note: If you need to disable or modify inheritance patterns for a particular folder or object within your folder hierarchy, you can do so with access levels or with advanced rights. 326 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 Enabling and disabling inheritance with access levels With access levels, you can enable or disable group inheritance, folder inheritance, or both. You can alternatively enable one or both types of inheritance with Advanced rights settings. For details, see “Inheritance with advanced rights” on page 328. 1. 2. 3. 4. To enable inheritance with an access level Go to the Objects or Folders management area of the CMC. Locate the object whose rights you want to modify. Click the link to the object, and then click its Rights tab. In the Name column, locate the user or group whose rights you want to specify. If the user or group is not listed, click Add/Remove. Add the appropriate user or group and click OK. You are returned to the object’s Rights tab. 5. 6. In the Access Level column, select Inherited Rights for the user or group. Click Update. The Net Access column now displays the effective rights that the user or group has inherited for this object. Note: If the entry displayed in the Net Access column is Advanced, ensure that both types of inheritance are enabled in the parent folder’s advanced rights settings. For details, see “Setting advanced object rights” on page 322. To disable inheritance with an access level Note: This procedure disables group and folder inheritance for a user account. When applied to a group, this procedure does not prevent group members from inheriting rights by virtue of membership in other groups. 1. 2. 3. 4. Go to the Objects or Folders management area of the CMC. Locate the object whose rights you want to modify. Click the link to the object, and then click its Rights tab. In the Name column, locate the user whose rights you want to specify. If the user is not listed, click Add/Remove. Add the appropriate user and click OK. You are returned to the object’s Rights tab. 5. 6. In the Access Level column, select the access level (No Access, View, Schedule, View On Demand, or Full Control) that is appropriate for the user. Click Update. The Net Access column now displays the effective rights that the user has to the object. Because you have disabled all inheritance, the Net Access entry equals the Access Level entry. BusinessObjects Enterprise Administrator’s Guide 327 13 Controlling User Access Controlling users’ access to objects Inheritance with advanced rights When you apply an Advanced set of object rights to a user or group for a particular object, you can enable or disable group and folder inheritance together or individually. On the Advanced Rights pages, the settings for inheriting rights from parent folders or groups serve as powerful tools that allow you to customize inheritance patterns in many ways. Note: You see the “Username will inherit rights from its parent groups” option if you are setting rights for a user; this option does not appear if you are setting rights for a group. Tip: When modifying inheritance patterns with Advanced rights settings, keep in mind that you can always assign a user a specific set of rights, either by explicitly applying a predefined access level, or by explicitly applying an Advanced setting in which both types of inheritance are disabled. To take full advantage of inheritance patterns and Advanced rights settings, it is useful to understand not only the types of inheritance that are available, but also the ways in which a user’s effective rights are calculated by the CMS. For more information on the two types of inheritance, see “Group and folder inheritance” on page 326. Calculating a user’s effective rights When a user attempts to perform an action on a BusinessObjects Enterprise object, the CMS determines the user’s rights to that object. If the user possesses sufficient rights, the CMS permits the user to perform the requested action. Although the calculations performed by the CMS can become quite complex, there are several ways to keep your object security model clear, consistent, and easy to maintain. For complete details on setting up a system that makes sense for your BusinessObjects Enterprise system, see “Customizing a ‘topdown’ inheritance model” on page 331. To calculate the user’s effective rights, the CMS follows a complex algorithm. This sequence of steps, and its various possible outcomes, is provided for administrators and/or system architects who prefer to know exactly how the CMS calculates the rights a user has to any object. The algorithm is described here and then illustrated in a different way using pseudocode: 1. The CMS checks the rights that have been directly granted or denied to the user’s account. The CMS immediately denies any right that is explicitly denied. Tip: If an individual user’s account has not been assigned any rights to the object, then group inheritance is enabled by default. As the result, you can make all your object rights settings at the group level to save administrative effort. 2. If folder inheritance is enabled for the user, the CMS determines the rights that the user has to the object’s parent folder. The CMS determines 328 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 3. these rights by ascending the inheritance tree to the level at which the inherited rights begin to take effect. The CMS denies any right that is explicitly denied (even if the right had already been explicitly granted). If group inheritance is enabled for the user, the CMS determines the rights specified on the object for each of the groups that the user belongs to. The CMS denies any right that is explicitly denied in any group (even if the right had already been explicitly granted). If group inheritance is enabled for the user, and folder inheritance is enabled for a group that the user belongs to, then the CMS determines the rights that the group has to the parent folder. The CMS denies any right that is explicitly denied in any group (even if the right had already been explicitly granted). The CMS completes the algorithm by denying any rights that remain “Not Specified.” 4. 5. As the result, when both types of inheritance are enabled, the CMS grants the user only those rights that are explicitly granted in one or more locations and never explicitly denied. When you disable both types of inheritance for a user, you reduce this algorithm to two steps (1 and 5). Thus, the CMS grants the user only those rights that he or she has been explicitly granted. This provides you with the least complicated way of ensuring that a user has only those rights that you have explicitly granted to him or her for a particular object. When you disable folder inheritance for a user, you reduce this algorithm to three steps (1, 3, and 5). When you disable group inheritance for a user, you reduce this algorithm to three different steps (1, 2, and 5). In both cases, the CMS grants the user only those rights that are explicitly granted in one or more locations and never explicitly denied. This pseudocode is provided as another way to illustrate and describe the algorithm that the CMS follows in order to determine whether a user is authorized to perform an action on a particular object: IF { (User granted right to object = True) OR [ (Inherit Parent Folder Rights = True) AND (User granted right to parent folder = True) ] OR [ (Inherit Group Rights = True) AND (Group granted right to object = True) ] OR [ (Inherit Group Rights = True) AND (Group granted right to parent folder = True) ] } BusinessObjects Enterprise Administrator’s Guide 329 13 Controlling User Access Controlling users’ access to objects AND { (User denied right to object = False) AND [ (Inherit Parent Folder Rights = False) OR ((Inherit Parent Folder Rights = True) AND (User denied right to parent folder = False)) ] AND [ (Inherit Group Rights = False) OR ((Inherit Group Rights = True) AND (Group denied right to object = False)) ] AND [ (Inherit Group Rights = False) OR ((Inherit Group Rights = True) AND (Group denied right to parent folder = False)) ] } THEN { User action authorized = True } ELSE { User action authorized = False } Priorities affecting advanced inheritance settings When you modify inheritance patterns with advanced rights, there are several important considerations to keep in mind. Where relevant, these considerations appear elsewhere in this chapter. They have been summarized here for reference. Denied rights take precedence over granted rights. This can cause seemingly contradictory results when inheritance is enabled. Suppose that the “View objects” right is explicitly denied to a Sales group for a particular folder of reports. For the same folder, the “View objects” right has been explicitly granted to a Manager user, and the “Respect current security by inheriting rights from parent groups” check box is selected. The Manager user is a member of the Sales group. In this scenario, the Manager user is both granted and denied the “See object” right to the folder. Because denied rights take precedence, the Manager user is effectively denied the ability to see the folder, so long as the user account inherits rights from its parent group (Sales). To remedy this situation, you could clear the “Respect current security by inheriting rights from parent groups” check box on the Advanced Rights page for the Manager user, or you could remove the Manager user from the Sales group. 330 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 Rights that are not specified are denied by default. On the Advanced Rights page for any object, the Inherited Rights column may label certain rights as “Not Specified.” This entry denotes rights that are neither granted nor denied by inheritance. To prevent possible security breaches, BusinessObjects Enterprise automatically denies rights that are not specified. Customizing a ‘top-down’ inheritance model With the flexibility offered by object rights, inheritance, and advanced rights, you can customize your object-level security environment in many ways. However, as the complexity of any security system increases, so too can that system become more difficult and time-consuming to maintain. This section recommends two general ways of setting up object security such that you achieve the desired security levels without complicating future administrative tasks. To this purpose, this section provides two tutorials that shows how to set up object security from the top-level folder (the root folder) down: • “Setting up an open system of decreasing rights” on page 334 This detailed tutorial creates an open security model. By default, all users and groups are first granted rights to all objects on the system. As you add folders and subfolders to the system, you decrease the rights of users and groups, as required, in order to secure particular BusinessObjects Enterprise content. • “Setting up a closed system of increasing rights” on page 346 This shorter tutorial creates the basis for closed security model. By default, users and groups cannot access any objects on the system. As you add folders and subfolders to the system, you increase the rights of users and groups, as required, in order to grant access to particular BusinessObjects Enterprise content. You can use your own Enterprise, NT, or LDAP groups when following along with these tutorials, or you can create new groups that correspond to those used in the tutorial. For details on setting up these groups and subgroups, see “Creating groups for the tutorials” on page 332. In each tutorial, you will specify the object rights that particular groups have to certain folders on the system. By making all of your security settings at the group and folder levels, you reduce the administrative efforts now and later. After finishing each tutorial, you may decide to add users to each group and to publish objects to each folder. If you do so, each user will inherit the appropriate rights for every folder and object on the system. BusinessObjects Enterprise Administrator’s Guide 331 13 Controlling User Access Controlling users’ access to objects Creating groups for the tutorials The object security tutorials make use of eight Enterprise groups. The four primary groups are named Administrators, Everyone, Sales, and Marketing. The Sales group has four additional subgroups: Sales USA, Sales Japan, Sales Managers, and Sales Report Designers. The Administrators and Everyone groups are created by default when you install BusinessObjects Enterprise, so these two procedures show only how to create the remaining groups for the tutorials. Note: For the shorter tutorial entitled “Setting up a closed system of increasing rights” on page 346, you need only create the Sales group and its Sales USA, Sales Japan, and Sales Managers subgroups. 1. 2. To create the Sales and Marketing groups Go to the Groups management area of the CMC. Click New Group. The new group’s Properties tab appears. 3. 4. 5. In the Group Name field, type Marketing. In the Description field, type This group contains all users who work in Marketing. Click OK. The Marketing group is added to the system and the page is refreshed. Tip: Click the Users tab if you want to add your own users to this group. 6. Repeat steps 1 to 5 to create another group called Sales. Use this description for the group: This group contains all users who work in Sales (worldwide). 332 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 1. To create the Sales subgroups Go to the Groups management area of the CMC. 2. 3. 4. 5. Click New Group. In the Group Name field, type Sales USA In the Description field, type This group contains all users who work in Sales in the USA. Click OK. The Sales USA group is added to the system and the page is refreshed. Tip: Click the Users tab if you want to add your own users to this group. 6. 7. Click the Member of tab; then click the Member of button. The Modify Member of page appears. In the Available groups list, select Sales; then click the > arrow. The Sales group is added to the “Sales USA is a member of” list, as displayed here: BusinessObjects Enterprise Administrator’s Guide 333 13 Controlling User Access Controlling users’ access to objects 8. Click OK. You are returned to the “Member of” tab. The Sales USA group is now a member (or subgroup) of the Sales group. 9. Repeat steps 1 to 8 to create the remaining Sales subgroups for the tutorials. Use the following values for the Group Name and Description fields: Group Name Sales Japan Description This group contains all users who work in Sales in Japan. Sales Managers This group contains all users who manage a Sales team. Sales Report Designers This group contains all users who design and publish reports for the Sales teams. If you now return to the Groups management area of the CMC, all of the new groups are displayed as follows: You are now ready to proceed to either of the object security tutorials: • • “Setting up an open system of decreasing rights” on page 334. “Setting up a closed system of increasing rights” on page 346. Setting up an open system of decreasing rights This tutorial shows how to create an open security model, wherein groups of users are first granted rights to all objects on the system by default. As you add folders and subfolders to the system, you decrease the rights of users and groups, as required, in order to secure particular BusinessObjects Enterprise content. 334 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 In this scenario, you are creating folders for several groups within your organization. You have some reports that you want to add to the system immediately. Because some groups plan to add their own reports later, you also need to give some users the ability to add subfolders and to publish reports. These are your security requirements for each folder: • • • • • Everyone must be able to view the majority of your reports. Administrators require Full Control access to all folders and objects on the system. Sales Managers are allowed to refresh most reports against the database to view the most recent data. The Marketing group needs Full Control access to its own set of folders that no other user can access (other than Administrators). The Sales groups need a hierarchy of folders containing worldwide reports, regional reports, and management reports: • • • • All Sales staff can view worldwide reports. Sales staff can also view reports for their own regions. If the staff member is also a Manager, he or she can view and refresh reports from all regions. Sales Managers require Full Control access to the management reports. Sales Report Designers require custom administrative privileges to all Sales folders. For a shorter, less detailed tutorial, see “Setting up a closed system of increasing rights” on page 346. Changing default rights on the top-level folder The first step is to set object rights on the top-level BusinessObjects Enterprise folder. This folder serves as the root for all other folders and objects that you add to the system. Each subfolder, report, or other object that you add to this top-level folder will by default inherit rights from this folder. So, by setting rights here first, you minimize the need to repeatedly customize object rights throughout your folder hierarchy. With this procedure, you set security on the top-level folder in order to meet your first three security requirements: • • • Everyone must be able to view the majority of your reports. Administrators require Full Control access to all folders and objects on the system. Sales Managers are allowed to refresh most reports against the database to view the most recent data. BusinessObjects Enterprise Administrator’s Guide 335 13 Controlling User Access Controlling users’ access to objects 1. 2. To change the rights on the top-level folder Go to the Settings management area of the CMC. Click the Rights tab. By default, the Everyone and the Administrators groups are granted access to this folder. You now need to reduce the rights of the Everyone group and to increase the rights of the Sales Managers. 3. 4. Click the Access Level list that corresponds to the Everyone group, and select View. Click Update. The rights for the Everyone group are reduced and the View access level is now displayed in the Net Access column. Now you will customize the top-level rights for the Sales Managers group. 5. 6. 7. 8. Click Add/Remove. The Add/Remove page appears. In the Select Operation list, click Add/Remove Groups. In the Available groups list, select Sales Managers. Click the > arrow; then click OK. You are returned to the Rights tab on the Settings page. Ensure that you grant the Sales Managers group View On Demand access. If necessary, change the Access Level list and click Update. This provides the Sales Managers group with sufficient rights to refresh reports. Now, your system meets your first three security requirements. The Everyone, Administrators, and Sales Managers groups will initially inherit these rights for any folders, subfolders, or reports that you subsequently publish to BusinessObjects Enterprise. You might, for instance, create folders for all of your generally accessible inventory reports, customer list reports, purchasing order reports, and so on. Now that you have created an open basis for your object security model, you will proceed to restricting access to certain folders within the system. Decreasing rights to a private folder Another security requirement for this tutorial is that the Marketing group needs Full Control access to their own set of folders that no other user can access. To accomplish this, you will create a private folder called Marketing Only and ensure that only the appropriate group of users has access to its contents. 336 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 1. 2. 3. 4. 5. 6. 7. To decrease rights to a private folder Go to the Folders management area of the CMC. Click New Folder. On the Properties tab, in the Folder Name field, type Marketing Only In the Description field, type This folder is accessible only to Marketing. Click OK. Click the Rights tab. In the Access Level column, select the following rights for each group: • • • 8. Administrators: (Inherited Rights) Everyone: No Access Sales Managers: No Access Click Update. The Net Access column shows that you have secured this folder from all users other than Administrators. Next, you will grant the Marketing group Full Control access to this folder. 9. Click Add/Remove. The Add/Remove page appears. 10. In the Select Operation list, click Add/Remove Groups. 11. In the Available groups list, select Marketing. 12. Click the > arrow; then click OK. You are returned to the Rights tab. The Marketing group is granted access to the folder. You need to change the default setting to grant them Full Control access. 13. Click the Access Level list that corresponds to the Marketing group, and select Full Control. 14. Click Update. The Net Access column shows that you have granted the Marketing group Full Control access to this folder. Members of this group now have the ability to perform all tasks in this folder. They can add and delete reports, folders, and subfolders, and they can view, schedule, and export reports to all available destinations and formats. To complete this tutorial, you need to customize the rights that various Sales groups have to a hierarchical set of Sales folders. Before setting the rights for each group, you will see how to create multiple folders quickly when you publish a set of reports to BusinessObjects Enterprise. BusinessObjects Enterprise Administrator’s Guide 337 13 Controlling User Access Controlling users’ access to objects Publishing a set of folders and reports The final security requirements for this tutorial are related to the Sales group and its subgroups. They require a hierarchy of folders containing worldwide reports, regional reports, and management reports. Because this tutorial sets up a system of decreasing rights, you will first create a set of folders that places the most general content at the top of the directory tree. In this case, all Sales staff can view the worldwide reports, so the folder for those reports requires the lowest level of security. The regional reports will go in subfolders that are accessible only to users who belong to the appropriate regional Sales group. The management reports will be located in subfolders of each of the regional folders. You could create this set of folders using the CMC, as in the earlier sections of this tutorial. However, if you already have a set of reports, the Publishing Wizard provides the quickest way to add content and create folders at the same time. 1. To create a set of folders while publishing reports On your local hard drive, create a set of folders that correspond to the folders you want to add to BusinessObjects Enterprise. For this tutorial, the Sales folders are named and arranged hierarchically as follows: 2. Arrange your reports (.rpt files) in the new folders on your local hard drive. If you do not have any of your own reports, use some of the sample reports included with BusinessObjects Enterprise. The sample reports are typically installed to C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Samples\language \Reports (replace language with, for example, en, de, fr, or jp, depending upon your version of BusinessObjects Enterprise). Note: To complete this procedure, you must place at least one report file in each of the folders that you have created on your local hard drive. Otherwise, the Publishing Wizard will not create the appropriate directories on the BusinessObjects Enterprise system. 338 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 3. 4. 5. 6. 7. 8. From the BusinessObjects Enterprise XI Programs group, start the Publishing Wizard and, when it appears, click Next. In the System field, type the name of the CMS to which you want to add objects. In the User Name and Password fields, type your BusinessObjects Enterprise credentials. From the Authentication list, select the appropriate authentication type. Click Next. The Select A File dialog box appears. Click Add Folders. 9. Select the top level Worldwide Sales folder that you created on your local hard drive. 10. Select the Include subfolders check box, and then click OK. BusinessObjects Enterprise Administrator’s Guide 339 13 Controlling User Access Controlling users’ access to objects You are returned to the Select A File dialog box. All of the reports are added to the list. 11. Click Next. The Specify Location dialog box appears. 12. In the Specify Location dialog box, click New Folder. 13. Name the folder Worldwide Sales and ensure that it is located at the top of the directory tree, as shown here: 340 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 14. Click Next. The Specify Folder Hierarchy dialog box appears. 15. Select Duplicate the folder hierarchy to duplicate the local folder hierarchy on the BusinessObjects Enterprise system; then click Next. The Confirm Location dialog box appears. You can see here that the Regional Sales folders will be created below the Worldwide Sales folder, and the Managers Only folders will be created as additional subfolders. The actual report files are arranged in the appropriate folders. 16. Click Next. 17. Proceed through the rest of the Publishing Wizard and make any desired changes to your reports. Tip: If you are publishing sample reports for the purpose of this tutorial, click Next to accept all the default values. For more information on the rest of the Publishing Wizard, see “Publishing with the Publishing Wizard” on page 376. When the Publishing Wizard has added the reports and folders to the system, it displays a summary: 18. Click Finish to close the Publishing Wizard. BusinessObjects Enterprise Administrator’s Guide 341 13 Controlling User Access Controlling users’ access to objects You are now ready to set each Sales group’s object rights for the new set of Sales folders. Setting the base rights on the Sales folders Now that you have used the Publishing Wizard to add reports and create the appropriate folders and subfolders, you are ready to set the object rights for each level of reporting content. The security requirements are as follows: • • • • All Sales staff can view worldwide reports. Sales staff can also view reports for their own regions. If the staff member is also a Manager, he or she can view and refresh reports from all regions. Sales Managers require Full Control access to the management reports. Sales Report Designers require custom administrative privileges to all Sales folders. To set the base rights on the Worldwide Sales folder Go to the Folders management area of the CMC. Click the link to the Worldwide Sales folder. On the folder’s Rights tab, click Add/Remove. In the Select Operation list, click Add/Remove Groups. In the Available groups list, select Sales and Sales Report Designers. Tip: Use CTRL+click to select multiple groups. Click the > arrow; then click OK. You are returned to the Rights tab. 1. 2. 3. 4. 5. 6. 342 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 7. In the Access Level column, select the following rights for each group: • • • • • Administrators: Inherited Rights Everyone: No Access Sales: View Sales Managers: Inherited Rights Sales Report Designers: This group requires additional rights to publish content to this folder. You will use advanced rights to make these changes in the next procedure. For now, leave the Access Level list with the default settings. 8. Click Update. The Net Access column is updated to show your new security settings. You now need to grant the Sales Report Designers group a set of advanced rights, so group members can administer all the Sales folders. Creating a group of folder administrators This section of the tutorial shows how to provide a particular group of users with a customized level of administrative control over a set of folders. In general, you can accomplish this with the Full Control access level. This example, however, uses advanced rights to grant the Sales Report Designers group a particular set of administrative privileges to all Sales folders. 1. 2. To create a group of Sales folder administrators If you are not already there, go to the Rights tab of the Worldwide Sales folder. In the Access Level list for the Sales Report Designers group, select Advanced. The Advanced Rights page appears. You will use this page to grant group members a high level of control over the folder and its contents. However, you will not let any group member delete objects that have been added to a Sales folder. 3. To ensure that you completely break all inheritance patterns, clear the “Worldwide Sales” will inherit rights from its parent folders check box. Click Apply. Now that you have disabled all rights inheritance, the advanced rights that you specify will be the only rights that group members have to the folder. 5. In the Explicitly Denied column, select the following rights: 4. • • Modify the rights users have to objects Delete objects BusinessObjects Enterprise Administrator’s Guide 343 13 Controlling User Access Controlling users’ access to objects Tip: You may choose to explicitly deny additional rights to suit your needs. For instance, to prevent these folder administrators from copying confidential reports to public folders, you could deny the “Copy objects to another folder” right. Or, if you prefer to retain all administrative control over report-processing servers, you could deny the “Define server groups to process jobs” right. 6. 7. In the Explicitly Granted column, select all remaining rights. Click OK. You are returned to the Rights tab for the Worldwide Sales folder. The Net Access column now shows that the Sales Report Designers group has Advanced rights to this folder. Tip: Click the Advanced link in the Net Access column when you need to review or modify a set of advanced rights that have already been applied to a user or group. Now that you have set object rights on the uppermost Sales folder, you will proceed to decrease rights as you descend the folder hierarchy. Decreasing rights to the Sales subfolders Recall that the security requirements for the regional sales reports are as follows: • • Sales staff can view reports for their own region and can refresh these reports against the database to view the most recent data. If the staff member is also a Manager, he or she can view and refresh reports from all regions. You will use the various Sales groups to decrease rights appropriately for each Regional Sales folder. 1. 2. 3. 4. 5. 6. To decrease rights to the regional Sales folders Go to the Regional Sales - JP folder and click its Rights tab. Click Add/Remove. In the Select Operation list, click Add/Remove Groups. In the Available groups list, select Sales Japan. Click the > arrow; then click OK. You are returned to the Rights tab of the Regional Sales - JP folder. In the Access Level column, select the following rights for each group: • • • Administrators: Inherited Rights Everyone: Inherited Rights Sales: No Access 344 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 • • • 7. Sales Japan: View On Demand Sales Managers: Inherited Rights Sales Report Designers: Inherited Rights Click Update. The Net Access column shows your new security settings. As required, the Sales Japan and the Sales Managers groups have View On Demand access, which allows them to refresh reports against the database to view the latest data. The Sales Report Designers retain their advanced rights, and all other users are prevented from accessing the folder (except for Administrators). 8. Repeat steps 1 to 6 for the Regional Sales - USA folder, but grant View On Demand access to the Sales USA group (instead of to the Sales Japan group). You are now ready to complete the tutorial by customizing security for the final level of Sales folders—the Managers Only folders. 1. 2. 3. To decrease rights to the Managers Only folders Go to the Regional Sales - JP folder and click its Subfolders tab. Click the link to the Managers Only folder and click its Rights tab. In the Access Level column, select the following rights for each group: • • • • • • 4. Administrators: Inherited Rights Everyone: Inherited Rights Sales: Inherited Rights Sales Japan: No Access Sales Managers: Full Control Sales Report Designers: Inherited Rights Click Update. The Rights tab of this Managers Only folder now shows that the Administrators, Sales Managers, and Sales Report Designers groups all have Full Control access to the folder. Members who do not belong to one of these groups are completely restricted from the folder. 5. 6. 7. Go to the Regional Sales - USA folder and click its Subfolders tab. Click the link to the Managers Only folder and click its Rights tab. In the Access Level column, select the following rights for each group: • • • Administrators: Inherited Rights Everyone: Inherited Rights Sales: Inherited Rights BusinessObjects Enterprise Administrator’s Guide 345 13 Controlling User Access Controlling users’ access to objects • • • 8. Sales Managers: Full Control Sales Report Designers: Inherited Rights Sales USA: No Access Click Update. The Rights tab of this Managers Only folder shows again that the Administrators, Sales Managers, and Sales Report Designers groups all have Full Control access to the folder. Members who do not belong to one of these groups are completely restricted from the folder. You have now reached the end of this tutorial. Setting up a closed system of increasing rights This tutorial shows how to set up the basis for a closed security model, wherein groups of users are first denied rights to all objects on the system by default. As you add folders and subfolders to the system, you increase the rights of users and groups, as required, so they can access their BusinessObjects Enterprise content. In this scenario, you are creating folders for several groups within your organization. These are your security requirements for each folder: • • • The majority of your reports should be inaccessible to most users. Administrators require Full Control access to all folders and objects on the system. The Sales groups need a hierarchy of folders containing management reports and regional reports: • • Only the Sales Managers can view the management reports and all regional reports. Sales staff can only view reports for their own region. Because this scenario first completely restricts access to the top-level folders, and then gradually increases access to subfolders further down the folder hierarchy, the results are essentially incompatible with the design of InfoView. The closed security model works best when you deploy a web desktop or other application that provides users with a list of all reports and/or folders to which they have access. The sample Report Thumbnail Client and the Inframe Client applications provide examples that are compatible with a closed security model. You can access these applications from the Client Samples area of the Crystal Enterprise Launchpad. InfoView, by contrast, adheres to a hierarchical view of the system’s folder structure. Thus, if users cannot access a top-level folder, they have no way of browsing its subfolders (even if they have Full Control over those subfolders 346 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling users’ access to objects 13 and their contents). If you implement this closed security model in conjunction with InfoView, users will need to search for specific reports by name or description. For a lengthier, more detailed tutorial, see “Setting up an open system of decreasing rights” on page 334. Restricting access from the top-level folder The first step is to set object rights on the top-level BusinessObjects Enterprise folder. This folder serves as the root for all other folders and objects that you add to the system. Each subfolder, report, or other object that you add to this top-level folder will inherit rights from this folder by default. So, by setting rights here first, you minimize the need to repeatedly customize object rights throughout your folder hierarchy. With this procedure, you set security on the top-level folder in order to meet your first two security requirements: • • The majority of your reports should be inaccessible to most users. Administrators require Full Control access to all folders and objects on the system. This procedure gives the Everyone group No Access to all published content. This is how you set the basis for a closed security model. Do not use advanced rights to explicitly deny rights to the Everyone group (or any other group) at the top-level folder of your BusinessObjects Enterprise system, because once a right has been explicitly denied, you have to break all inheritance patterns in order to grant the same right further down the folder hierarchy. 1. 2. 3. To change the rights on the top-level folder Go to the Settings management area of the CMC. Click the Rights tab. You need only reduce the rights of the Everyone group. Click the Access Level list that corresponds to the Everyone group, and select No Access. Note: If users access reports through BusinessObjects Enterprise, they will be unable to browse subfolders once you make this initial security setting. Users will, however, be able to search for reports by name or description. 4. Click Update. The rights for the Everyone group are reduced and No Access is displayed in the Net Access column. BusinessObjects Enterprise Administrator’s Guide 347 13 Controlling User Access Controlling users’ access to objects Now, your system meets your first two security requirements. The Everyone group is prevented from seeing all subsequently published content, and the Administrators group retains Full Control in order to maintain the system. Now that you have created a closed basis for your object security model, you will increase access to certain folders within the system. Increasing access by descending the folder hierarchy The remaining security requirements for this tutorial are related to the Sales group and its subgroups. They require a hierarchy of folders containing management reports and regional reports. Because this tutorial sets up a system of increasing rights, the most secure content will be stored at the top of the directory tree. With these procedures, you create the folder hierarchy and set access levels in order to meet the remaining security requirements: • • 1. 2. 3. 4. 5. 6. 7. 8. 9. Only the Sales Managers can view the management reports and all regional reports. Sales staff can only view reports for their own region. To provide minimal access to the management reports Go to the Folders management area of the CMC. Click New Folder. On the Properties tab, in the Folder Name field, type Management Reports Click OK. The new folder is created and the page is refreshed. On the Rights tab, click Add/Remove. In the Select Operation list, click Add/Remove Groups. In the Available Groups list, select Sales Managers. Click the > arrow; then click OK. You are returned to the Rights tab of the Management Reports folder. Click the Access Level list for the Sales Managers group, and select View. The Rights tab now shows that the Sales Managers group has View access to this folder and to any objects that you subsequently publish to it. As required, the Everyone and Administrators groups have inherited the rights that you set on the top-level BusinessObjects Enterprise folder. 10. Click Update. 348 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling access to applications 13 Now you need only create folders for the regional reports and grant access to the appropriate regional Sales groups. 1. 2. 3. 4. 5. 6. 7. 8. 9. To provide selective access to the regional reports If you are not already there, go to the Management Reports folder. On the Subfolders tab, click New Folder. On the Properties tab, in the Folder Name field, type Regional Reports - JP Click OK. The new folder is created and the page is refreshed. On the Rights tab, click Add/Remove. In the Select Operation list, click Add/Remove Groups. In the Available Groups list, select Sales Japan. Click the > arrow; then click OK. You are returned to the Rights tab of the Management Reports folder. In the Access Level list for the Sales Japan group, select View. The Rights tab now shows that the Sales Japan group has View access to this folder and to any objects that you subsequently publish to it. The Administrators, Everyone, and Sales Managers groups automatically inherit the appropriate rights for this folder. 10. Click Update. 11. Repeat this procedure to create a subfolder called Regional Reports USA and to provide the Sales USA group with View access to the folder. When you finish, the Rights tab of the Regional Reports - USA folder shows that you have set the rights as required for this tutorial. You have now reached the end of this tutorial. Controlling access to applications You can use rights to control users’ access to certain features in BusinessObjects Enterprise applications. You can grant or deny users access to the Central Management Console. For InfoView, you can grant users or groups the ability to: • • • change their preferences organize folders search BusinessObjects Enterprise Administrator’s Guide 349 13 Controlling User Access Controlling access to applications • • filter object listings by object type view the Favorites folder For example, if you have already created your users’ folders using a standard naming convention, you may want to deny your users the ability to organize their own folders. Note: By default, all users have access to these features. 1. 2. 3. 4. 5. 6. To grant access to a Business Objects application’s features Go to the BusinessObjects Enterprise Applications management area of the CMC. Click the link for the application whose access rights you want to change. Click the Rights tab. Click Add/Remove to add users or groups you want to give access to the features. On the Add/Remove page, in the Select Operation list, select Add/ Remove Groups, Add Users, or Remove Users. Select the user or group you want to grant access to the features. Tip: If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account. 7. 8. Click OK. On the Rights tab, click Advanced. 350 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling administrative access 13 9. For each feature, choose Inherited, Explicitly Granted, or Explicitly Denied for the user or group. Note: For the Web Intelligence application, make sure you grant access to the Allows interactive HTML viewing option in order for users to be able use the Interactive view format and use the Query HTML panel. The user can select this view format and report panel option in the Web Intelligence Document Preferences tab in InfoView. 10. Click OK. Controlling administrative access In addition to controlling access to objects and settings, you can use rights to divide administrative tasks between functional groups within your organization. For example, you may want people from different departments to manage their own BusinessObjects Enterprise users and groups. Or you may have one administrator who handles high-level management of BusinessObjects Enterprise, but you want all server management to be handled by people in your IT department. With all of the tasks facing a BusinessObjects Enterprise administrator, it can be very helpful to delegate responsibility to other managers and groups. This section describes how to grant rights for managing users, groups, servers, and server groups. BusinessObjects Enterprise Administrator’s Guide 351 13 Controlling User Access Controlling administrative access Controlling access to users and groups You can delegate user and group administration to the appropriate people in your organization by granting specific access rights. 1. 2. 3. 4. To grant access to a user or group Go to the Users or Groups management area of the CMC. Select the user or group you want to grant access to. Click the Rights tab. Click Add/Remove to add users or groups that you want to give access to the selected user or group. The Add/Remove page appears. 5. 6. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users. Select the user or group you want to grant access to the specified user or group. Tip: If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account. 7. 8. 9. Click OK. On the Rights tab, change the Access Level for each user or group, as required. To choose specific rights, choose Advanced. Note: For complete details on the predefined access levels and advanced rights, see “Rights and Access Levels” on page 563. 10. Click Update. Controlling access to user inboxes When you add a user, the system automatically creates an inbox for that user. The inbox has the same name as the user. By default, only the user and the administrator have the right to access a user’s inbox. Use the following procedure to change the access rights to a user’s inbox as needed. User inboxes can serve as destinations for scheduled reports. When scheduling a report, you can specify that you want the system to store the report instances in the inbox of one or more users. You can also send existing report objects or instances to a user’s inbox by using the “Send to” feature. For more information, see “Selecting a destination” on page 481, and “Sending an object or instance” on page 420. 352 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling administrative access 13 1. 2. 3. 4. To grant a user access to another user’s inbox Go to the Inbox management area of the CMC. Select the inbox you want to grant access to. Click the Rights tab. Click Add/Remove to add users or groups that you want to give access to the selected user or group. The Add/Remove page appears. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users. Select the user or group you want to grant access to the specified inbox. Click OK. On the Rights tab, change the Access Level for each user or group, as required. To choose specific rights, choose Advanced. Note: For complete details on the predefined access levels and advanced rights, see “Rights and Access Levels” on page 563. 5. 6. 7. 8. 9. 10. Click Update. Controlling access to servers and server groups You can use rights to grant people access to servers and server groups, allowing them to perform tasks such as starting and stopping servers. Depending on your system configuration and security concerns, you may want to limit server management to the BusinessObjects Enterprise administrator. However, you may need to provide access to other people using those servers. Many organizations have a group of IT professionals dedicated to server management. If your server team needs to perform regular server maintenance tasks that require them to shut down and start up servers, you need to grant them rights to the servers. You may also want to delegate BusinessObjects Enterprise server administration tasks to other people. Or you may want different groups within your organization to have control over their own server management. 1. 2. 3. To grant access to a server or server group Go to the Servers or Server Groups management area of the CMC. Select the server or server group you want to grant access to. Click the Rights tab. BusinessObjects Enterprise Administrator’s Guide 353 13 Controlling User Access Controlling administrative access 4. Click Add/Remove to add users or groups that you want to give access to the selected server or server group. The Add/Remove page appears. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users. Select the user or group you want to grant access to the specified server or server group. Tip: If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account. 5. 6. 7. 8. 9. Click OK. On the Rights tab, change the Access Level for each user or group, as required. To choose specific rights, choose Advanced. Note: For complete details on the predefined access levels and advanced rights, see “Rights and Access Levels” on page 563. Click Update. Controlling access to universes You can use rights to grant people access to universes, allowing them to create and view Web Intelligence documents that use universes and connections. 1. 2. 3. 4. To control who has access to a universe Go to the Universes management area of the CMC. Click the link for the universe. Click the Rights tab. In the Name column, locate the user or group whose rights you want to specify. If the user or group is not listed, click Add/Remove. Add the appropriate user or group and click OK. You are returned to the object’s Rights tab. 5. The next step depends upon the entry that already appears in the Access Level list for this user or group: • • If the Access Level is not already set to Advanced, click the list and select Advanced. If the Access Level is already set to Advanced, click the Advanced link in the Net Access column. 354 BusinessObjects Enterprise Administrator’s Guide Controlling User Access Controlling administrative access 13 Controlling access to universe connections You can use rights to grant people access to universe connections, allowing them to create and view Web Intelligence documents that use universes and universe connections. You can either set the rights to all universes by using the Rights button on the Universe Connections page, or you can set the rights to individual universe connections. 1. 2. 3. To view or set the access levels for all universe connections Go to the Universe Connections management area of the CMC. Click the Rights button. In the Name column, locate the user or group whose rights you want to specify. If the user or group is not listed, click Add/Remove. Add the appropriate user or group and click OK. You are returned to the object’s Rights tab. 4. The next step depends upon the entry that already appears in the Access Level list for this user or group: • • If the Access Level is not already set to Advanced, click the list and select Advanced. If the Access Level is already set to Advanced, click the Advanced link in the Net Access column. 1. 2. 3. 4. To view or set who has access to a specific universe connection Go to the Connections management area of the CMC. Click the link for the connection. Click the Rights tab. In the Name column, locate the user or group whose rights you want to specify. If the user or group is not listed, click Add/Remove. Add the appropriate user or group and click OK. You are returned to the object’s Rights tab. 5. The next step depends upon the entry that already appears in the Access Level list for this user or group: • • If the Access Level is not already set to Advanced, click the list and select Advanced. If the Access Level is already set to Advanced, click the Advanced link in the Net Access column. BusinessObjects Enterprise Administrator’s Guide 355 13 Controlling User Access Controlling administrative access 356 BusinessObjects Enterprise Administrator’s Guide Organizing Objects chapter 14 Organizing Objects Organizing objects overview Organizing objects overview Creating an intuitive and logical organizational structure is the key to ensuring that your users can find the information they need quickly and easily. BusinessObjects Enterprise provides two methods for organizing content: folders and categories. By combining folders and categories, and setting appropriate rights for them, you can organize data according to multiple criteria and improve both security and navigation. About folders and categories Folders and categories provide you with the ability to organize and facilitate content administration. They are useful when there are a number of reports that a department or area requires frequent access to, because you can set object rights and limits once at the folder or category level, rather than setting them for each report or object. By default, new objects that you add to a folder or category inherit the object rights that are specified for the folder or category. It’s good practice to set up folders that represent a structure that already exists in your organization, such as departments, regions, or even your database table structure. Then use categories to set up an alternate system of organization. For example, you could organize your content into departmental folders, and then use categories to create an alternate filing system that divides content according to different roles in your organization, such as managers or VPs. This organizational model allows you set security on groups of documents based on department or job role. Working with folders Folders are objects used to organize documents. You can use folders to separate content into logical groups. Because you can set security at the folder level, you can use folders as a tool for controlling access to information. Creating and deleting folders There are several ways to create new folders in BusinessObjects Enterprise. In the Central Management Console (CMC), go to the Folders management area to create new folders and to add subfolders to the existing hierarchy of folder objects. 358 BusinessObjects Enterprise Administrator’s Guide Organizing Objects Working with folders 14 Tip: When you publish local directories and subdirectories of reports with the Publishing Wizard, you can duplicate your local directory structure on the BusinessObjects Enterprise system. This method provides you with an efficient way of creating multiple folders and subfolders at the same time. For details, see “Publishing with the Publishing Wizard” on page 376. Creating a new folder This procedure shows how to create a new folder at the top of your folder hierarchy. Folders created in this way are, in effect, subfolders of the top-level (or root) BusinessObjects Enterprise folder. 1. 2. 3. Go to the Folders management area of the CMC. Click New Folder. On the Properties tab, type the name, description, and keywords of the new folder. This example creates a new Marketing folder: 4. Click OK. The new folder is added to the system, and its Properties tab is refreshed. You can now use the Objects, Subfolders, Limits, and Rights tabs to add objects and to change settings for this folder. BusinessObjects Enterprise Administrator’s Guide 359 14 Organizing Objects Working with folders Creating a new subfolder at any level 1. Go to the Folders management area of the CMC. The initial level of folders is displayed. 2. 3. In the Title column, click the link to the folder where you want to add a subfolder. Click the Subfolders tab. Tip: You can browse through existing subfolders to add a new folder elsewhere in the folder hierarchy. When you have found the right parent folder, go to its Subfolders tab. The Subfolders tab appears. 4. 5. 6. Click New Folder. On the Properties tab, type the name and description of the new folder. Click OK. The new folder is added to the system, and its Properties tab is refreshed. You can now use the Objects, Subfolders, Limits, and Rights tabs to add objects and to change settings for this folder. 360 BusinessObjects Enterprise Administrator’s Guide Organizing Objects Working with folders 14 Deleting folders When you delete a folder, all subfolders, reports, and other objects contained within it are removed entirely from the system. 1. 2. To delete folders Go to the Folders management area of the CMC. Select the check box associated with the folder you want to delete. If the folder you want to delete is not at the top level, locate its parent folder. Then make your selection on the parent folder’s Subfolders tab. Tip: Select multiple check boxes to delete several folders from their parent folder. 3. Click Delete, and click OK to confirm. Copying and moving folders When you copy or move a folder, the objects contained within it are also copied or moved. BusinessObjects Enterprise treats the folder’s object rights differently, depending upon whether you copy or move the folder: • When you copy a folder, the newly created folder does not retain the object rights of the original. Instead, the copy inherits the object rights that are set on its new parent folder. For instance, if you copy a private Sales folder into a Public folder, the contents of the new Sales folder will be accessible to all users who have rights to the Public folder. When you move a folder, all of the folder’s object rights are retained. For instance, if you move a private Sales folder into a publicly accessible folder, the Sales folder will remain inaccessible to most users. To copy or move a folder Go to the Folders management area of the CMC. Select the check box associated with the folder that you want to copy or move. If the folder you want to copy or move is not at the top level, locate its parent folder. Then make your selection on the parent folder’s Subfolders tab. Tip: Select multiple check boxes to copy or move several folders from their parent folder to a different folder. • 1. 2. BusinessObjects Enterprise Administrator’s Guide 361 14 Organizing Objects Working with folders 3. Click Copy/Move. The Copy/Move Folder page appears. 4. Select the action to perform: • • 5. Copy to: Makes a copy of the folder. Move to: Moves the folder. Select the Destination folder from the list. Tip: If there are many folders on your system, use the “Look for” field to search, or click Previous, Next, and Show Subfolders to browse the folder hierarchy. 6. Click OK. The folder you selected is copied or moved, as requested, to the new destination. Adding a report to a new folder You can add objects individually to any folder in a number of ways. Follow this procedure to add a report to a new folder that you have just created. For complete information on publishing reports and other objects, see “Publishing overview” on page 374. 362 BusinessObjects Enterprise Administrator’s Guide Organizing Objects Working with folders 14 1. To add a report to a new folder Once you’ve created the new folder, click its Objects tab. 2. Click New Object. The New Object page appears. 3. 4. On the Report tab, in the File name field, type the full path to the report. If you do not know the path, click Browse to perform a search. If you do not want the user to see a thumbnail preview of the report in BusinessObjects Enterprise, clear the Generate thumbnail for the report check box. Tip: To display thumbnails for a report, open the report in Crystal Reports and click Summary Info on the File menu. Select the “Save preview picture” check box and click OK. Preview the first page of the report and save your changes. BusinessObjects Enterprise Administrator’s Guide 363 14 Organizing Objects Working with folders 5. If the report references objects in your BusinessObjects Enterprise Repository, select the Use Object Repository when refreshing report check box to update these objects now. For details about setting up the BusinessObjects Enterprise Repository, see “BusinessObjects Enterprise Repository overview” on page 174. 6. Ensure that the correct folder name appears in the Destination field. Tip: If there are many folders on your system, use the “Look for” field to search, or click Previous, Next, and Show Subfolders to browse the folder hierarchy. 7. Click OK. The report is published to BusinessObjects Enterprise. Specifying folder rights Follow this procedure to change the object rights for a new folder that you have just created. By default, new objects that you add to a folder inherit the object rights that are specified for the folder. For complete information on object rights, see “Controlling users’ access to objects” on page 317. 1. 2. To specify rights for a new folder Once you’ve created the new folder, click its Rights tab. Click Add/Remove to add groups or users to this folder. The Add/Remove page appears. 364 BusinessObjects Enterprise Administrator’s Guide Organizing Objects Working with folders 14 3. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users. The page is refreshed and displays options that depend upon whether you are working with users or with groups. The example above shows the options that are available when you are working with groups. 4. Select the user/group whose rights you want to specify and click the arrows to specify whether the user/group does or does not have access to the folder. Tip: If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account. 5. Click OK. You are returned to the Rights tab. 6. Change the Access Level for each user or group, as required. Note: For complete details on the predefined access levels and advanced rights, see “Controlling users’ access to objects” on page 317. 7. Click Update. Setting limits for folders, users, and groups Limits allow you to delete report instances on a regular basis. You set limits to automate regular clean-ups of old BusinessObjects Enterprise content. Limits that you set on a folder affect all objects that are contained within the folder. At the folder level, you can limit the number of instances that remain on the system for each object or for each user or group; you can also limit the number of days that an instance remains on the system for a user or group. Follow this procedure to enforce default limits on a folder that you have just created. For more information on limits, see “Setting instance limits for an object” on page 498. BusinessObjects Enterprise Administrator’s Guide 365 14 Organizing Objects Working with folders 1. To limit instances at the folder level Once you’ve created the new folder, click its Limits tab. 2. Modify the available settings according to the types of instance limits that you want to implement, and click Update after each change. The available settings are: • Delete excess instances when there are more than N instances of an object To limit the number of instances per object, select this check box. Then type the maximum number of instances that you want to remain on the system. (The default value is 100.) • Delete excess instances for the following users/groups To limit the number of instances per user or group, click Add/Remove in this area. Select from the available users and groups and click OK. Then type the maximum number of instances in the Instance Limit column. (The default value is 100.) • Delete instances after N days for the following users/groups To limit the age of instances per user or group, click Add/Remove in this area. Select from the available users and groups and click OK. Then type the maximum age of instances in the Maximum Days column. (The default value is 100.) 366 BusinessObjects Enterprise Administrator’s Guide Organizing Objects Working with folders 14 In this example, two settings have been combined to keep a maximum of 50 instances of any object in the folder, and to keep a maximum of 25 instances that belong to any member of the Administrators group. Managing User Folders BusinessObjects Enterprise creates a folder for each user on the system. These folders are organized within the CMC as User Folders. By default, there are User Folders for the Administrator and Guest accounts. When you log on to the CMC and view the list of User Folders, you will see only those folders to which you have View access (or greater). Within InfoView, these folders are referred to as the Favorites folders. When a user logs on to BusinessObjects Enterprise, he or she is redirected immediately to his or her Favorites folder. (Users can change this default behavior my modifying their Preferences.) 1. 2. 3. To view the User Folders Go to the Folders management area of the CMC. Click the User Folders link. If it is not already displayed, click the Subfolders tab. A list of subfolders appears. Each subfolder corresponds to a user account on the system. Unless you have View access (or greater) to a subfolder, it will not appear in the list. BusinessObjects Enterprise Administrator’s Guide 367 14 Organizing Objects Working with categories Working with categories Like folders, categories are objects used to organize documents. You can associate documents with multiple categories, and you can create subcategories within categories. BusinessObjects Enterprise provides two types of categories: • • Administrative (or corporate) categories are created by the administrator, or other users who have been granted access to these categories. If you have the appropriate rights, you can create administrative categories. Personal categories can be created by each user to organize their own personal documents. Note: For information about importing existing categories, see “Importing information from BusinessObjects Enterprise 6.x” on page 390. Creating and deleting categories There are several ways to create new categories in BusinessObjects Enterprise. In the Central Management Console (CMC), go to the Categories management area to create new categories and to add subcategories to the existing hierarchy of category objects. Creating a new category 1. 2. 3. 4. Go to the Categories management area of the CMC. Click New Category. On the Properties tab, type the name and description of the new category. Click Update. The new category is added to the system, and its Properties tab is refreshed. You can now use the Documents, Subcategories, and Rights tabs to add objects and to change settings for this category. Creating a new subcategory at any level 1. 2. Go to the Categories management area of the CMC. The initial level of categories is displayed. In the Title column, click the link for the category where you want to add a subcategory. 368 BusinessObjects Enterprise Administrator’s Guide Organizing Objects Working with categories 14 3. Click the Subcategories tab. Tip: You can browse through existing subcategories to add a new category elsewhere in the hierarchy. When you have found the right parent category, go to its Subcategories tab. 4. 5. 6. Click New Category. On the Properties tab, type the name and description of the new folder. Click Update. The new category is added to the system, and its Properties tab is refreshed. You can now use the Documents, Subcategories, and Rights tabs to add objects and to change settings for this category. Deleting categories When you delete a category, all subcategories within it are remove entirely from the system. Unlike folder deletion, the reports and other objects contained within the category are not deleted from the system. 1. 2. To delete categories Go to the Categories management area of the CMC. Select the check box associated with the category you want to delete. If the category you want to delete is not at the top level, locate its parent category. Then make your selection on the parent category’s Subcategories tab. Tip: Select multiple check boxes to delete several categories from their parent category. 3. Click Delete, and click OK to confirm. Moving categories When you move a category, any object assigned to the category maintains its association with it. All of the category’s object rights are retained. For instance, if you move a private Sales category into a publicly accessible category, the Sales category will remain inaccessible to most users. 1. 2. To move a category Go to the Categories management area of the CMC. Select the check box associated with the category that you want move. If the category you want to move is not at the top level, locate its parent category. Then make your selection on the parent category’s Subcategories tab. BusinessObjects Enterprise Administrator’s Guide 369 14 Organizing Objects Working with categories Tip: Select multiple check boxes to copy or move several categories from their parent category to a different category. 3. 4. Click Move. The Move page appears. Select the Destination category from the list. Tip: If there are many categories on your system, use the “Look for” field to search, or click Previous, Next, and Show Subcategories to browse the category hierarchy. 5. Click OK. The category you selected is moved to the new destination. Adding an object to a new category You can add objects individually to any category in a number of ways. Follow this procedure to add a report to a new category that you have just created. For complete information on publishing reports and other objects, see “Publishing overview” on page 374. 1. 2. To add a report to a new category Once you’ve created the category, click its Documents tab. Click New Document. The New Document page appears. Removing or deleting objects from a category You can either remove or delete objects from a category. When you remove an object, you remove it from the category only. When you delete an object, you remove it from the category and also delete it from the system. 1. 2. 3. 4. To remove or delete objects from a category Go to the Categories or Personal Categories management area of the CMC. Click the link for the category from which you want to remove or delete an object. Click the Objects tab. Select the check box for the object or objects you want to remove or delete. 370 BusinessObjects Enterprise Administrator’s Guide Organizing Objects Working with categories 14 5. Click either of the following buttons, depending on what you want to do: • • Click Remove to remove the object from the category only. In this case, the object continues to exist in the system. Click Delete to remove the object from the category and at the same time delete it from the system. Specifying category rights Follow this procedure to change the object rights for a new category that you have just created. By default, new objects that you add to a category inherit the object rights that are specified for the category. For complete information on object rights, see “Controlling users’ access to objects” on page 317. 1. 2. 3. To specify rights for a new category Once you’ve created the category, click its Rights tab. Click Add/Remove to add groups or users to this category. The Add/Remove page appears. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users. The page is refreshed and displays options that depend upon whether you are working with users or with groups. The example above shows the options that are available when you are working with groups. 4. Select the user/group whose rights you want to specify and click the arrows to specify whether the user/group does or does not have access to the category. Tip: If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account. 5. 6. Click OK. You are returned to the Rights tab. Change the Access Level for each user or group, as required. Note: For complete details on the predefined access levels and advanced rights, see “Controlling users’ access to objects” on page 317. 7. Click Update. BusinessObjects Enterprise Administrator’s Guide 371 14 Organizing Objects Working with categories Managing personal categories If you are granted the appropriate rights, you can view, edit, and delete users’ personal categories. For more information, see “Managing User Accounts and Groups” on page 249. 1. 2. To view the Personal Categories Go to the Personal Categories management area of the CMC. Click the user account whose personal categories you want to view. A list of the user’s personal categories appears. 372 BusinessObjects Enterprise Administrator’s Guide Publishing Objects to BusinessObjects Enterprise chapter 15 Publishing Objects to BusinessObjects Enterprise Publishing overview Publishing overview Publishing is the process of adding objects such as reports to the BusinessObjects Enterprise environment and making them available to authorized users. There are several types of objects that you can publish to BusinessObjects Enterprise: reports (from Crystal Reports, OLAP Intelligence, and Web Intelligence), programs, Microsoft Excel files, Microsoft Word files, Microsoft PowerPoint files, Adobe Acrobat PDFs, rich text format files, text files, and hyperlinks, as well as object packages, which consist of report and/or program objects. When you publish an object to BusinessObjects Enterprise, an entry is made in the Central Management Server (CMS) database. The Input File Repository Server stores the new object below the \Enterprise\FileStore\Input\ data\ directory. When a user schedules an instance of any object, BusinessObjects Enterprise queries the CMS for the location of the object file; the appropriate server component then retrieves and processes the object file from the Input File Repository. The processed instance is stored by the Output File Repository Server below the \Enterprise\FileStore\Output\data\ directory. Note: Only reports, programs, and object packages can be scheduled. Thus, only these three types of objects have instances. You can publish objects to BusinessObjects Enterprise in three ways: • Use the Publishing Wizard when you: • • • Have access to the locally installed application. Are adding multiple objects or an entire directory. For details, see “Publishing with the Publishing Wizard” on page 376. Use the Central Management Console (CMC) when you are: • • • • Publishing a single object. Taking care of other administrative tasks. Performing tasks remotely. For details, see “Publishing with the Central Management Console” on page 385. Save directly to your Enterprise folders when you are: • • • Designing reports with Crystal Reports. Using the OLAP Intelligence Application Designer. Creating other objects with BusinessObjects Enterprise plug-in components. For details, see “Saving objects directly to the CMS” on page 387. 374 BusinessObjects Enterprise Administrator’s Guide Publishing Objects to BusinessObjects Enterprise Publishing overview 15 Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format. Publishing options During the publishing process, you specify how often an object is run. You can choose to set a schedule (recurring), or you can choose to let users set the schedule themselves (on demand). For RPT report files, this affects when data is refreshed and what data users see. (You cannot schedule OLAP Intelligence reports (CAR files).) Each publishing option has potential benefits and drawbacks: • Specifying the data that users see (recurring) This option is recommended for objects that are accessed by a large number of people and that do not require separate database logon credentials. Benefits • • Users view the same instance of the report, reducing the number of times the database is hit (and thus system resources are used more effectively). The report instance is static (contains saved data) and is stored on the Cache Server, allowing multiple users to access the report at the same time. The report instance the users see is based on the selection criteria (parameters and record selection formulas) and schedule set by the administrator. Drawbacks • • Allowing users to update the data in the report (on demand) This option is recommended for smaller reports that use parameters and selection formulas, require separate database logon credentials, or have frequent data changes. Benefits • • • Users are able to determine the frequency in which the data in the report is updated. Multiple users generating reports at the same time increases the load on the system and the number of times the database is hit. Each unique report page is cached separately. It’s possible that the Cache Server can contain many copies of the cached report, each of them being generated by hitting the Page Server and database. Drawbacks BusinessObjects Enterprise Administrator’s Guide 375 15 Publishing Objects to BusinessObjects Enterprise Publishing with the Publishing Wizard Publishing with the Publishing Wizard The Publishing Wizard is a locally installed, 32-bit Windows application. The wizard is made up of a series of screens. Only the screens applicable to the objects or folders you are publishing appear. For example, the settings for parameters and schedule format do not appear when you publish OLAP Intelligence applications. This section of the guide features a series of procedures to help you through the Publishing Wizard. Once the object has been published, it will appear in the folder you specified in InfoView (or other web desktop) and in the Objects management area of the CMC. Note: Depending on the rights assigned by your BusinessObjects Enterprise administrator, you may not be able to publish objects using the Publishing Wizard. Logging on to BusinessObjects Enterprise 1. 2. 3. 4. 5. 6. From the BusinessObjects Enterprise XI program group, click Publishing Wizard. Click Next. In the System field, type the name of the CMS to which you want to add objects. In the User Name and Password fields, type your BusinessObjects Enterprise credentials. From the Authentication list, select the appropriate authentication type. Click Next. The Select Files dialog box appears. Adding objects 1. 2. In the Select Files dialog box, depending on the type of object you are adding, click either Add Files or Add Folders. Navigate to and select the object you want to add. If you are adding a folder, you can choose to also add its subfolders by selecting the Include Subfolders check box. Tip: Ensure the appropriate file type is listed in the Files of type field; by default this value is set to Report (*.rpt). 3. 4. Repeat steps 1 and 2 for each of the objects you want to add. Click Next. 376 BusinessObjects Enterprise Administrator’s Guide Publishing Objects to BusinessObjects Enterprise Publishing with the Publishing Wizard 15 Note: If the Specify Object Type dialog box appears, choose a file type for each unrecognized object, then click Next. The Specify Location dialog box appears. Creating and selecting a folder on the CMS To add the selected objects, you must create or select a folder on the host CMS. Only the folders that you have full control access to will appear. 1. In the Specify Location dialog box, click the folder you want to add the objects to. Click + to the left of the folder to view the subfolders. To add a new folder to the CMS, select a parent folder and then click the New Folder button. The new folder appears and can be renamed. To add a new object package to the CMS, select a parent folder and then click the New Object Package button. The new object package appears and can be renamed. To delete a folder or object package, select the item and click the Delete button. Note: From the wizard, you can delete only new folders and object packages. (New folders are green; existing folders are yellow.) If you are adding multiple objects and want to place them in separate directories, see “Duplicating the folder structure” on page 378. 2. Click Next. The Confirm Location dialog box appears. BusinessObjects Enterprise Administrator’s Guide 377 15 Publishing Objects to BusinessObjects Enterprise Publishing with the Publishing Wizard Moving objects between folders 1. In the Confirm Location dialog box, move objects to the desired folders by selecting each object and then clicking Move Up or Move Down. You can also add folders and object packages by selecting a parent folder and clicking the New Folder or New Object Package button. To delete a folder or object packages, select it and click the Delete button. You can drag-and-drop objects to place them where you want. And you can right-click objects to rename them. By default, objects are displayed using their titles. You can display the objects’ local file names by clicking the “Show file names” button. 2. Click Next when you are finished. The Specify Categories dialog box appears. Duplicating the folder structure If you are adding multiple objects from a directory and its subdirectories, you are asked if you want to duplicate the existing folder hierarchy on the CMS. 1. In the Specify Folder Hierarchy dialog box, choose a folder hierarchy option. To place all of the objects in a single folder, select Put the files in the same location. 378 BusinessObjects Enterprise Administrator’s Guide Publishing Objects to BusinessObjects Enterprise Publishing with the Publishing Wizard 15 To recreate all of the folders and subfolders on the CMS as they appear on your hard drive, select Duplicate the folder hierarchy. Choose the topmost folder that you want to include in the folder hierarchy. 2. Click Next. The Confirm Location dialog box appears. Adding objects to a category If you want to add the selected objects to a category, you can create or select a category on the host CMS. 1. In the Specify Categories dialog box, click the category you want to add the objects to. Click + to the left of the folder to view the subfolders. To add a new category to the CMS, select a parent category and then click the New Category button. The new category appears and can be renamed. 2. In the File list, choose the object that you want to add to the category, then click the Insert File button. To delete a category or to remove an object from a category, select the item and click the Delete button. Note: From the wizard, you can delete only new categories. (New categories are green; existing categories are blue.) 3. Click Next. The Specify Schedule dialog box appears. Changing scheduling options The Specify Schedule dialog box allows you to schedule each report, program, and/or object package that you are publishing to run at specific intervals. Note: This dialog box appears only for objects that can be scheduled. 1. 2. In the Specify Schedule dialog box, select the object you want to schedule. Select one of three intervals: • Run once only Selecting the “Run once only” option provides two more sets of options: • when finished this wizard This option runs the object once when you’ve finished publishing it. The object is not run again until you reschedule it. BusinessObjects Enterprise Administrator’s Guide 379 15 Publishing Objects to BusinessObjects Enterprise Publishing with the Publishing Wizard • • • at the specified date and time This option runs the object once at a date and time you specify. The object is not run again until you reschedule it. Let users update the object This option does not schedule the object. Instead, it leaves the task of scheduling up to the user. Run on a recurring schedule Once you have selected this option, click the Set Recurrence button to set the scheduling options. The “Pick a recurrence schedule” dialog box appears. The options in this dialog box allow you to choose when and how often the object runs. Select the appropriate options and click the OK button. 3. Click Next after you have set the schedule for each object you are publishing. Refreshing repository fields The BusinessObjects Enterprise Repository is a central location which stores shared elements such as text objects, bitmaps, custom functions, universes, and custom SQL commands. You can choose to refresh an object’s repository fields if the object references the repository. To complete this task, the Publishing Wizard needs to connect to your BusinessObjects Enterprise Repository database from the local machine. For details, see “BusinessObjects Enterprise Repository overview” on page 174. Note: The Specify Repository Refresh dialog box appears only when you publish report objects. 1. In the Specify Repository Refresh dialog box, select a report, and then select the Use Object Repository when refreshing report check box if you want to refresh it against the repository. Tip: Click the Enable All button if you want to refresh all objects that reference the repository; click the Disable All button if you want to refresh none of the objects. 2. Click Next when you are finished. Selecting a program type The Program Type dialog box appears only when you publish program objects. For details about program objects and program object types, see “What are report objects and instances?” on page 425. 380 BusinessObjects Enterprise Administrator’s Guide Publishing Objects to BusinessObjects Enterprise Publishing with the Publishing Wizard 15 1. 2. In the Program Type dialog box, select a program. Specify one of three program types: • Binary/Batch Binary/Batch programs are executables such as binary files, batch files, or shell scripts. They generally have file extensions such as: .com, .exe, .bat, .sh. You can publish any executable program that can be run from the command line on the machine where the Program Job Server is running. • • 3. Java You can publish any Java program to BusinessObjects Enterprise as a Java program object. They generally have a .jar file extension. Script Script program objects are JScript and VBScript scripts. Once you have specified the type of each program you are adding, click Next. The Program Credentials dialog box appears. Specifying program credentials 1. 2. In the Program Credentials dialog box, select a program. In the User Name and Password fields, specify the user credentials for the account for the program to run as. The rights of the program are limited to those of the account that it runs as. 3. Once you have specified the user credentials for each program to run as, click Next. The Change Default Values dialog box appears. Changing default values You can publish objects without changing any of the default properties, or you can go through the remaining screens and make changes. Note: If you use the default values, your object may not schedule properly if the database logon information is not correct, or if the parameter values are invalid. 1. 2. To publish objects without making modifications Select Publish without modifying properties. Click Next through the wizard’s remaining dialog boxes. BusinessObjects Enterprise Administrator’s Guide 381 15 Publishing Objects to BusinessObjects Enterprise Publishing with the Publishing Wizard 1. 2. To review or modify objects before publishing Select Review or modify properties. Click Next. The Review Object Properties dialog box appears. Changing object properties 1. 2. 3. In the Review Object Properties dialog box, select the object you want to modify. Enter a new title or description. Select the Generate thumbnail image check box if you want users to see a thumbnail of a report object before they open it. Tip: The “Generate thumbnail image” check box is available only if the object is an RPT file and was saved appropriately. To display thumbnails for a report, open the report in Crystal Reports and click Summary Info on the File menu. Select the “Save preview picture” check box and click OK. Preview the first page of the report and save your changes. 4. Click Next. The Specify Database Credentials dialog box appears if it is needed. Entering database logon information Some objects use data sources that require logon information. If objects you are adding are of this type, follow these steps. 1. In the Specify Database Credentials dialog box, double-click the object, or click + to the left of the object to expose the database. 382 BusinessObjects Enterprise Administrator’s Guide Publishing Objects to BusinessObjects Enterprise Publishing with the Publishing Wizard 15 2. Select the database and change the logon information in the appropriate fields. If the database does not require a user name or password, leave the fields blank. Note: Enter user name and password information carefully. If it is entered incorrectly, the object cannot retrieve data from the database. 3. Once you have completed the logon information for each object using a different database, click Next. The Set Report Parameters dialog box appears if it is needed. Setting parameters Some objects contain parameters for data selection. Before such an object can be scheduled, you must set the parameters in order to determine the default prompts. 1. In the Set Report Parameters dialog box, select the object whose prompts you want to change. The object’s prompts and default values appear in a list on the right-hand side of the screen. 2. Click Edit Prompt to change the value of a prompt. Depending on the type of parameter you have chosen, different dialog boxes appear. 3. 4. If you want to set the prompts to contain a null value (where possible), then click Set Prompts to NULL. Click Next after you have finished editing the prompts for each object. The Specify Format dialog box appears. Setting the schedule output format You can choose an output format for each scheduled report that you publish. For some of the formats, you can customize the schedule format options. 1. 2. In the Specify Format dialog box, select the object whose schedule format you want to change. Select a format from the list (Crystal Report, Microsoft Excel, Microsoft Word, Adobe Acrobat, and so on). Where applicable, customize the schedule format options. For example, if you select Paginated Text, enter the number of lines per page. 3. Click Next. BusinessObjects Enterprise Administrator’s Guide 383 15 Publishing Objects to BusinessObjects Enterprise Publishing with the Publishing Wizard Adding extra files for programs Some programs require access to other files in order to run. 1. 2. 3. Select a program. Click Add to navigate to and select the necessary file. Once you have added all necessary extra files for each program, click Next. The Command line for Program dialog box appears. Specifying command line arguments For each program, you can specify any command-line arguments supported by your program’s command-line interface. They are passed directly to the command-line interface, without parsing. 1. 2. Select a program. In the Command line area, type the command-line arguments for your program, using the same format you would use at the command line itself. Once you have specified all necessary command-line arguments for each program, click Next. 3. Finalizing the objects to be added After you have provided all of required information for the objects, the Publishing Wizard displays a final list of the objects that it is going to publish. 1. After ensuring all the objects you want to publish have been added to the list, click Next. The objects are added to the CMS, scheduled, and run as specified. When the processing is done, you are returned to the final screen of the Publishing Wizard. 2. 3. To view the details for an object, select it from the list. Click Finish to close the wizard. 384 BusinessObjects Enterprise Administrator’s Guide Publishing Objects to BusinessObjects Enterprise Publishing with the Central Management Console 15 Publishing with the Central Management Console If you have administrative rights to BusinessObjects Enterprise, you can publish objects over the Web from within the CMC. 1. 2. To add an object with the CMC Go to the Objects management area of the CMC. Click New Object. The New Object page appears, with the Report properties displayed. 3. 4. On the left side of the page, click the type of object you want to add. Enter the object’s properties. BusinessObjects Enterprise Administrator’s Guide 385 15 Publishing Objects to BusinessObjects Enterprise Publishing with the Central Management Console The properties that appear vary according to the type of object you are adding: Property File name Object Types Report, Program, Microsoft Excel, Microsoft Word, Microsoft PowerPoint, Adobe Acrobat, Text, Rich Text Object Package, Hyperlink Object Package, Hyperlink Report Description Type the full path to the object, or click Browse to perform a search. Title Description Generate thumbnail for the report Type the name of the object. Type a description of the object. If you do not want the user to see a thumbnail preview of the report in BusinessObjects Enterprise, clear the “Generate thumbnail for the report” check box. Tip: To display thumbnails for a report, open the report in Crystal Reports and click Summary Info on the File menu. Select the “Save preview picture” check box and click OK. Preview the first page of the report and save your changes. Use Object Report Repository when refreshing report Program Type Program Select this option to automatically refresh an object's repository fields against the repository each time the report runs. Select Executable, Java, or Script. Tip: • • • URL Hyperlink Run Java programs as Java program objects. Run JScript and VBScript programs as Script program objects. Run all other programs as Executable program objects. Type the URL address of the page you want the hyperlink object to link to. 386 BusinessObjects Enterprise Administrator’s Guide Publishing Objects to BusinessObjects Enterprise Saving objects directly to the CMS 15 5. 6. If you want to place the object in a category, select the category from the list. Ensure that the correct folder or object package name appears in the Destination field. Tip: • • To expand a folder, select it and click Show Subfolders. To search for a specific folder or object package, use the Look For field. Note: Only report and program objects can be published to object packages. 7. Click OK. When the object has been added to the system, the CMC displays the Properties screen. If necessary, you can now modify the object’s properties, such as its title and description, the database logon information, scheduling information, user rights, and so on. Saving objects directly to the CMS If you have installed one of the Business Objects designer components, such as Crystal Reports or OLAP Intelligence, you can use the Save As command to add objects to BusinessObjects Enterprise from within the designer itself. For instance, after designing a report in OLAP Intelligence, click Save As on the File menu. In the Save As dialog box, click Enterprise Folders; then, when prompted, log on to the Central Management Server (CMS). Specify the folder where you want to save the report and click Save. BusinessObjects Enterprise Administrator’s Guide 387 15 Publishing Objects to BusinessObjects Enterprise Saving objects directly to the CMS 388 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise chapter 16 Importing Objects to BusinessObjects Enterprise Importing information Importing information The Import Wizard is a locally installed Windows application that allows you to import existing user accounts, groups, folders, and reports to your new BusinessObjects Enterprise system. The Import Wizard runs only on Windows, but you can use it to import information from a source environment that is running on Windows or UNIX to a new BusinessObjects Enterprise system that is running on Windows or on UNIX. You can import information from any of these products: • • • • • • • BusinessObjects Enterprise XI BusinessObjects Enterprise 6.x Crystal Enterprise 10 Crystal Enterprise 9 Crystal Enterprise 8.5 Crystal Enterprise 8 Crystal Info 7.5 The functionality provided by the Import Wizard varies, depending upon the product from which you are importing information. In general, the Import Wizard imports settings that are specific to each object, rather than global system settings. For instance, a global “minimum number of characters” password restriction is not imported. But a user-level “must change password at next log on” restriction is imported with the user account. For details, see the section for the product from which you are importing information: • • • “Importing information from BusinessObjects Enterprise 6.x” on page 390 “Importing information from Crystal Enterprise” on page 396 “Importing information from Crystal Info” on page 400. For procedural details, see “Importing with the Import Wizard” on page 402. Importing information from BusinessObjects Enterprise 6.x If you have upgraded from BusinessObjects Enterprise 6.x, use the Import Wizard to import existing user accounts, groups, categories, Web Intelligence documents, universes, connection objects, universe restriction sets, and third-party documents to BusinessObjects Enterprise XI. 390 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing information from BusinessObjects Enterprise 6.x 16 Before importing from BusinessObjects Enterprise 6.x Before you use the Import Wizard to import data into the new BusinessObjects Enterprise XI system, you need to perform the following steps: • • Make sure the Import Wizard is deployed on a Windows machine. Use the Custom installation if you want to install only the Import Wizard on a machine. If you are importing from a BusinessObjects Enterprise 6.x source environment, create data sources on the destination machine for every domain that is part of the source deployment. The name and configuration details for the data sources must match the data sources in the source deployment. On the machine that is running the Import Wizard, map drives to the following folders (where installdir represents the BusinessObjects Enterprise 6.x installation directory). • • • • • installdir/nodes//mycluster/locdata Map this folder for access to the .key files. installdir/nodes//mycluster/user Map this folder if you are importing personal documents and categories. installdir/nodes//mycluster/mail Map this folder if you are importing the content of users’ Inbox folders. Back up all repositories in the source deployment. Note: The Import Wizard modifies BusinessObjects Enterprise 6.x repositories to make them consistent with version 6.5 format before importing data into BusinessObjects Enterprise XI. If you need to access the repositories from a 6.x deployment, you will need to restore them from your backup copies. • • Stop all servers in the source deployment. Start the following servers in the BusinessObjects Enterprise XI deployment: • • Central Management Server Input File Repository Server and Output File Repository Server BusinessObjects Enterprise Administrator’s Guide 391 16 Importing Objects to BusinessObjects Enterprise Importing information from BusinessObjects Enterprise 6.x Importing objects from BusinessObjects Enterprise 6.x The following sections describe what happens to objects that have been imported from BusinessObjects Enterprise 6.x into BusinessObjects Enterprise XI. Generally, the Import Wizard imports the object if it is an object type that is supported by BusinessObjects Enterprise XI. By default, an imported object will not overwrite an object with the same name that is already stored in the BusinessObjects Enterprise XI CMS database. Universes You can import universes into the BusinessObjects Enterprise repository. There are two ways to import the universes: • • Import all universes, connections, and associated objects. You must import all the universes in one batch. You cannot select individual universes or connections to import. Import only universes, connections, and objects that are associated with the documents you are importing. Known as document dependency, this option imports only the objects used by the Web Intelligence documents that you are importing. You can also use this option if you want to import a subset of selected universes and their dependencies. When you import a universe, the Import Wizard also imports connection objects associated with the universe. It also imports universe restriction sets associated with the universe (if the restriction sets are associated with users or groups that are being imported). When you select a Web Intelligence document to import, the Import Wizard automatically selects the associated universe for import. You can select additional universes for import. Note: • Universe domains are converted into folders under the Universe folder. Each universe folder will be named after the corresponding Business Objects 6.x universe domain. When you import a universe from a domain, it is placed in the corresponding domain folder. When you import BusinessObjects Enterprise 6.x universes, the associated connections are imported automatically. They are converted into connection objects. When you import connection objects from BusinessObjects Enterprise 6.x, ensure that the Import Wizard can access the database the same way that the BusinessObjects Enterprise 6.x accesses it. This may involve installing database drivers or configuring connection settings on the machine. • • 392 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing information from BusinessObjects Enterprise 6.x 16 For example, if you import SQL Server connection objects from a BusinessObjects Enterprise 6.x source environment, you must configure the connections on the destination machine via the Control Panel before you import the connection objects. You must use the exact same name and settings as the connection used on the source machine when you created the domain key. • • If a selected universe is a derived universe, then all relevant core universes and their connections will also be imported. For more information about importing universes, see “Selecting information to import” on page 405. Universe restriction sets The Import Wizard automatically migrates all universe restriction sets that are associated with the imported universes for any of the selected users and groups being imported. If no principal users or groups are selected for import, no restriction sets are imported. Because of the differences between restriction sets in BusinessObjects Enterprise 6.x and BusinessObjects Enterprise XI (and how they handle rights aggregation), the Import Wizard may create additional restriction sets on the destination deployment in order to preserve the restriction sets for all imported users. When restriction sets are migrated, they are converted into objects. They remain connected to the universes that they were connected to on your existing installation. Universe restriction sets are migrated using both object names and object IDs to identify universe components. Users and groups All existing BusinessObjects Enterprise 6.x users and groups can be migrated to BusinessObjects Enterprise XI. Users are imported into the BusinessObjects Enterprise repository. For each BusinessObjects Enterprise 6.x user, BusinessObjects Enterprise XI creates a user folder, a personal category, and an Inbox folder. User profiles from BusinessObjects Enterprise 6.x are mapped to default groups in BusinessObjects Enterprise XI as follows: BusinessObjects Enterprise 6.x user profile BusinessObjects Enterprise XI default group Added to the Everyone group. Added to the Administrators group. • • All user profiles General Supervisor BusinessObjects Enterprise Administrator’s Guide 393 16 Importing Objects to BusinessObjects Enterprise Importing information from BusinessObjects Enterprise 6.x BusinessObjects Enterprise 6.x user profile BusinessObjects Enterprise XI default group Granted appropriate rights on all imported objects, but not added to the Administrators group. Added to the Universe Designer Users group. Added to the Universe Designer Users group. Added to the Everyone group. • • • • Supervisor Designer Supervisor-Designer User/Versatile If you want to preserve security settings that are assigned to an imported object, select all users and groups that are principals on the selected object and ensure that you select the “Enforce rights fidelity” option in the Import Wizard. The “Enforce rights fidelity” option ensures that the effective rights match between the source and destination environments. If effective rights in the source and destination environments do not match for a principal on an object, the Import Wizard sets the effective rights as determined by aggregation rules in the source deployment for the principal user or group on the object in the destination deployment. Whenever possible, BusinessObjects Enterprise 6.x security settings are preserved in BusinessObjects Enterprise XI. If a BusinessObjects Enterprise 6.x right does not map exactly to a BusinessObjects Enterprise XI right, the right will not be granted to the user. Note: • • The Import Wizard migrates external users and groups (LDAP or Windows AD users and groups, for example). For more information about the migration of security settings, see the BusinessObjects Enterprise Installation Guide. Folders, domains, and categories Universe and document domains are converted to folders named after the respective domains. Objects corresponding to the universes and documents contained in these domains are imported to these folders. By default, BusinessObjects Enterprise XI creates folders for Categories and Personal Categories and preserves the hierarchy of subcategories. Corporate (or administrative) categories are imported as categories under the Categories folder. For each imported user, selected personal categories are imported to a new subfolder (named after the user) under the Personal Categories folder. 394 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing information from BusinessObjects Enterprise 6.x 16 Personal categories can be imported only as part of a batch import. You can select individual corporate categories and import Web Intelligence documents grouped by corporate category. Documents To have access to a Web Intelligence document from the Import Wizard, the user must be granted access to the document in BusinessObjects Enterprise 6.x, and the user must be a member of the group to which the document is assigned. You can select which domains or documents you want to import into BusinessObjects Enterprise. When you select a document, the document's domain is also imported. Documents (and universes) cannot be imported without importing the domain. Note: If you import a large number of Web Intelligence documents from your existing BusinessObjects Enterprise 6.x deployment, it may require significant processing time. BusinessObjects (.rep) documents BusinessObjects (.rep) documents, also known as “full-client” documents, are not supported in BusinessObjects Enterprise XI. Therefore, you must migrate your .rep documents to Web Intelligence (.wid) format—in a separate procedure—before migrating the system. To migrate .rep documents to .wid format, you can use the Report Migration Utility, delivered with the BusinessObjects 6.x suite. Instructions are in the Report Migration Utility guide. Inbox documents Version 6.x Inbox documents are migrated to the user’s Inbox folder in BusinessObjects Enterprise. Inbox rights • • • Everyone [Add Document] Administrators [Full Control] Owner [Full Control] Personal Documents You can import BusinessObjects Enterprise 6.x Personal documents to BusinessObjects Enterprise. These documents are added to the user’s Favorites folder. BusinessObjects Enterprise Administrator’s Guide 395 16 Importing Objects to BusinessObjects Enterprise Importing information from Crystal Enterprise Third-party documents BusinessObjects Enterprise 6.x supports third-party (agnostic) documents. The Import Wizard migrates these documents into BusinessObjects Enterprise XI if the format is supported. Supported formats are: Adobe Acrobat PDF; Microsoft PowerPoint, Word, RTF, and Excel; and *.txt documents. Timestamps Timestamps are not migrated from BusinessObjects Enterprise 6.x to BusinessObjects Enterprise XI. Importing information from Crystal Enterprise If you have upgraded from Crystal Enterprise, use the Import Wizard to import existing user accounts, groups, folders, report objects, and report instances to BusinessObjects Enterprise XI. You can also use the Import Wizard to import information from an existing version XI installation to a new version XI installation. When doing so, you have the additional option of importing calendars, events, repository objects, and server groups. Events and server groups can also be imported from a version 8.5 or 9 installation. When using the Import Wizard, if any of an object’s dependencies are not imported, the wizard makes appropriate modifications to the object (in most cases, the dependency is removed). For example, if a user has Full Control rights on an object, but the user is not imported, the Full Control right for that user is discarded when the object is imported. In the case of objects brought across without their owners, the Administrator becomes the new owner of the objects. As another, more involved example, User A owns an object and has Full Control rights while User C has View rights on the same object. If User D runs the Import Wizard and brings the object across along with User C, but not User A, the object becomes owned by the Administrator: User A loses Full Control rights, but User C still has View rights on the object. Note: Always import users if you want to bring across the associated rights for an object, even if the user already exists in the destination system. If the user already exists, the Import Wizard maps all rights for the user on the source system to the existing user on the destination system. If the user is not brought across, all rights information for that user is discarded. 396 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing information from Crystal Enterprise 16 Importing objects from Crystal Enterprise The following sections describe what happens to the objects that are imported from a Crystal Enterprise 8.x system. Generally, if the object will not overwrite an object that is already in the BusinessObjects Enterprise system, then the Import Wizard imports the object. Users and groups The Import Wizard imports users and groups and their hierarchical relationships. A user or group is imported only if it does not exist already by name. If you import a group that already exists in the destination environment, the list of group members is updated with any additional users who were members of the group in the source environment. These additional users are added to BusinessObjects Enterprise if their accounts do not exist already. User licensing can affect the behavior of the Import Wizard. If the source environment uses Concurrent licensing, the wizard imports all users as Concurrent Users. However, if the source environment uses Named User licensing, the wizard first checks the number of Named User license keys in the destination environment. If there are enough Named User licenses in the destination environment, the wizard imports all users as Named Users. If there are not enough Named User licenses in the destination environment, the wizard imports all users as Concurrent Users. For more information about licensing, see “Licensing overview” on page 530. Note: BusinessObjects Enterprise XI does not include a New Sign-Up feature. However, if your Crystal Enterprise source environment includes users that belong to the New Sign-Up group, the group is migrated to the destination BusinessObjects Enterprise XI environment. Aliases If a user in the destination system has an alias that is identical to a user who is being imported, the destination user keeps all aliases, and the imported user loses that particular alias. Windows AD When importing users that employ Windows Active Directory authentication, ensure that the administrative credentials are the same on both the source and destination systems. Active Directory authentication must also be enabled on the destination system. BusinessObjects Enterprise Administrator’s Guide 397 16 Importing Objects to BusinessObjects Enterprise Importing information from Crystal Enterprise LDAP When importing users that employ LDAP authentication, the Host list and Base LDAP name need to be the same on both the source and destination systems. LDAP authentication must also be enabled on the destination system. Folders Folders are imported, whether or not they exist already in the destination environment. To ensure that existing folders are not overwritten, make sure you choose the “Automatically rename top-level folders that match top-level folders on the destination system.” option in the “Please choose an import scenario” dialog box. When this option is selected, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies. For example, if you import a folder called Sales Reports when a folder called Sales Reports already exists, then the imported folder is added to BusinessObjects Enterprise with the name Sales Reports(2). Report objects The Import Wizard can import Crystal report objects only if they are based on native drivers, ODBC data sources, OLAP data sources, Crystal Info Views, or Business Views. You can import the report instances for each report object, and the scheduling patterns that you have set up in the source environment are imported automatically. Supported reports are always imported with their parent folders, whether or not they exist already in the destination environment. However, so as not to overwrite existing folders, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies. When you import content from one deployment to another, you can ensure that a particular user account retains ownership of its objects and scheduled instances by importing the user along with the content. If you don’t import the user account, the ownership properties of its objects and instances are reset to your current administrative account. In the SDK, ownership is reflected by an object’s SI_OWNERID property and by a scheduled instances’s SI_SUBMITTERID properties. Rights When you import folders and reports from one BusinessObjects Enterprise system to another, the associated object rights are imported for every user or group who is imported at the same time. If the user or group is not imported at the same time, the object rights are discarded. For instance, suppose that you import a report that explicitly grants View On Demand rights to the Everyone group in the source environment—but you do not import the Everyone group. 398 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing information from Crystal Enterprise 16 In this case, the newly imported report in the destination environment will not grant the same explicit rights to the Everyone group. Instead, the report inherits any rights that have been set on its parent folder. If you do import the appropriate user or group, and it already exists by name in the destination environment, then the corresponding object rights are imported and applied to the existing user or group. For instance, modifying the example above, suppose that you import the report and the Everyone group. In this case, the Import Wizard imports the object rights along with the report. So the newly imported report in the destination environment will explicitly grant the View On Demand right to the Everyone group. Events and server groups When you use the Import Wizard to import information from a Crystal Enterprise 8.5 or later system, you have the additional option to import events and server groups from the source environment. When importing server groups, the wizard does not bring across the servers that belong to that group. You need to manually add servers to the imported group in the Central Management Console (CMC). For more information about how to do this, see the BusinessObjects Enterprise Administrator’s Guide. Note: • • When importing report objects associated with a server group, if the server group exists on the destination system, the report objects are added to the existing group and the source system’s server group is not imported. If you have jobs scheduled or pending on a server or server group that you are importing, you might notice odd behavior on the destination system with the individual jobs involved until they run or time out. Objects that have server group restrictions lose the restrictions if the objects are imported and the server group is not. For example, if a report is scheduled to run only under server group A and that server group is not imported, the report loses that restriction and will run under any server group. You need to import the server group at the same time as the objects that use it to keep the relationship between them. The same logic applies for events: if an object is set up to wait for an event or to trigger an event, you need to import the event at the same time as the object. Otherwise, the object is imported without the dependency and no longer waits for, or triggers, the event. Note: • If Event A is being imported from the source system but there is already an Event A on the destination system, and it is a different type (for BusinessObjects Enterprise Administrator’s Guide 399 16 Importing Objects to BusinessObjects Enterprise Importing information from Crystal Info example, a File event instead of a Custom event), the wizard removes the dependency on Event A from the object when it is imported. • Events are based on Event Servers and, since servers are not imported, you need to manually reset the event server and file name information on the event in the destination system. Once this is set, the event should work as expected. Importing information from Crystal Info Importing objects from Crystal Info The following sections describe what happens to objects that have been imported from Crystal Info to BusinessObjects Enterprise. Generally, if the Crystal Info object is of a type that is supported within BusinessObjects Enterprise, and if the Crystal Info object will not overwrite an object that is already in the BusinessObjects Enterprise system, then the Import Wizard imports the object. Note: Users who are accessing your Crystal Info implementation when you are importing objects to BusinessObjects Enterprise might experience a delay. Users and groups The Import Wizard imports users and groups and their hierarchical relationships as they exist in Crystal Info. A user or group is added to BusinessObjects Enterprise only if it does not exist already by name. If you import a group that already exists in BusinessObjects Enterprise, the list of group members is updated with additional users who were members of the Crystal Info group. These additional users are added to BusinessObjects Enterprise if their accounts do not exist already. User licensing can affect the behavior of the Import Wizard. If the source environment uses Concurrent licensing, the wizard imports all users as Concurrent Users. However, if the source environment uses Named User licensing, the wizard first checks the number of Named User license keys in the destination environment. If there are enough Named User licenses in the destination environment, the wizard imports all users as Named Users. If there are not enough Named User licenses in the destination environment, the wizard imports all users as Concurrent Users. For more information about licensing, see “Licensing overview” on page 530. 400 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing information from Crystal Info 16 Folders Folders are imported, whether or not they exist already in BusinessObjects Enterprise. To ensure that existing folders are not overwritten, make sure you choose the “Automatically rename top-level folders that match top-level folders on the destination system” option in the “Please choose an import scenario” dialog box. When this option is selected, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies. For example, if you import a folder called Sales Reports, when a folder called Sales Reports already exists in BusinessObjects Enterprise, then the imported folder is added to BusinessObjects Enterprise with the name Sales Reports(2). Report objects The Import Wizard can import Crystal report objects only if they are based on native drivers, ODBC data sources, or OLAP data sources. Supported reports are always imported with their parent folders, whether or not they exist already in the destination environment. However, so as not to overwrite existing folders, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies. The Import Wizard can import successful instances and some recurring instances from Crystal Info systems. Recurrence patterns that cannot be automatically recreated within BusinessObjects Enterprise are written to the log file created by the Import Wizard. When you import reports based on a Crystal Info View, you are prompted to save the report files. Choose a specific folder where you want to save these reports. You can then run a conversion utility on all reports in that folder to convert them to use metadata. After converting the reports, you can publish them to BusinessObjects Enterprise with the Publishing Wizard. Rights BusinessObjects Enterprise enforces security through object rights, which differ from the user rights used within Crystal Info. Consequently, the Import Wizard does not import any of the folder security that is set up within the Crystal Info environment. If you transfer reports from Crystal Info to BusinessObjects Enterprise, the rights associated with the report are not transferred, only the ownership. If the owner of a report is the Administrators group, the Administrators group will have Full Control access to it. If the owner of the report is not an administrator, the report will be transferred and the View On Demand access mode will be associated with the report. BusinessObjects Enterprise Administrator’s Guide 401 16 Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard Other objects The Import Wizard cannot import Crystal Info objects that are not supported by BusinessObjects Enterprise. Such objects include report packages, query objects, Info cubes, Open OLAP cubes, Holos Applications, and Crystal reports based on query files. Importing with the Import Wizard The Import Wizard provides a series of screens that guide you through the process of importing user accounts, groups, folders, and reports. The screens that appear depend on the source environment and the types of information that you choose to import. When you import information, you first connect to the Central Management Server (CMS) of your existing installation (the source environment) and specify the CMS of your new BusinessObjects Enterprise system (the destination environment). You then select the information that you want to import, and the Import Wizard copies the requested information from the source to the destination. You can choose to merge the contents of the source repository into the destination repository, or you can update the destination with the contents of the source CMS. Before starting this procedure, ensure that you have the Administrator account credentials for both the source and the destination environment. The overall process is divided into the following procedures: • • • • • • “Specifying the source and destination environments” on page 402 “Selecting information to import” on page 405 “Importing objects with rights” on page 407 “Choosing an import scenario” on page 407 “Importing specific objects” on page 409 “Finalizing the import” on page 414 Specifying the source and destination environments This procedure shows how to specify a source environment and a destination environment using the initial screens of the Import Wizard. 1. 2. To specify the source and destination environments From the BusinessObjects Enterprise program group, click Import Wizard. Click Next. 402 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard 16 The “Specify source environment” dialog box appears. 3. In the Source list, select the product from which you want to import information. The available options are: • • • • • • • Crystal Info 7.5 Crystal Enterprise 8 Crystal Enterprise 8.5 Crystal Enterprise 9 Crystal Enterprise 10 BusinessObjects Enterprise 6.x BusinessObjects Enterprise XI You are prompted for administrative account information. The fields that appear depend on the type of source environment you chose. 4. If your source environment is Crystal Info, Crystal Enterprise 10 or earlier, or BusinessObjects Enterprise XI: • • In the CMS Name field, type the name of the source environment’s CMS (Central Management Server). Type the User Name and Password that provide you with administrative rights to the source environment. This example imports information from BusinessObjects Enterprise XI. BusinessObjects Enterprise Administrator’s Guide 403 16 Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard 5. If your source environment is BusinessObjects Enterprise 6.x: • • 6. 7. 8. Type the User Name and Password that provide you with administrative rights to the source environment. Note: You must have the General Supervisor profile. In the Domain key file field, provide the full path of the domain file for the BusinessObjects Enterprise system, or click the browse button to select the domain file. Click Next. The “Specify destination environment” dialog box appears. In the CMS Name field, type the name of the destination environment’s Central Management Server. Type the User Name and Password of an Enterprise account that provides you with administrative rights to the BusinessObjects Enterprise system; then click Next. The “Choose objects to import” dialog box appears. 404 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard 16 Selecting information to import This procedure shows how to select the users, groups, folders, and reports that you want to import. If you have not already started the Import Wizard, see “Specifying the source and destination environments” on page 402. 1. To choose which objects to import In the “Choose objects to import” dialog box, select the check box (or boxes) corresponding to the information you want to import: • Import users and user groups • • • • • • • • • • • • • Import inbox documents Import personal categories Import personal Web Intelligence documents Import favorite folders for selected users Import application rights Import corporate categories Import corporate Web Intelligence documents Import folders and objects • Import discussions associated with the selected reports Import events Import server groups Import repository objects Import calendars Import universes Note: The options available depend on the version of the source environment. Events and server groups can be imported from Crystal Enterprise 8.5 or later. Repository objects and calendars can be imported from Crystal Enterprise 10. Universes, categories, and Web Intelligence documents can be imported from BusinessObjects Enterprise 6.x. All object can be imported from BusinessObjects Enterprise XI. 2. 3. Click Next. If the “Import personal documents and inbox documents” dialog box appears, provide the paths for your personal and/or inbox documents. Note: You do not need to provide a path for corporate documents because they are stored in the repository. 4. If the “Import universe and connection objects” options dialog box appears, choose an import option: BusinessObjects Enterprise Administrator’s Guide 405 16 Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard • • Import all universes, connections, and associated objects. This option imports all universes from the source environment in one batch. You cannot select individual universes or connections to import. Import only the universes and connection objects that are associated with the documents you are importing. Known as document dependency, this option imports only the objects used by the Web Intelligence documents that you are importing. You can also use this option if you want to import a subset of selected universes and their dependencies. 5. Click Next. The “Import Object Principals Option” dialog box appears. 406 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard 16 Importing objects with rights If you import objects that already have rights assigned to them, you need to import the users and groups that have been granted these rights. To preserve the rights from the source system, enable the rights fidelity setting in the Import Wizard. If you enable rights fidelity, the rights on the destination system will closely match those on the source system. The setting also affects how the system handles duplicate objects. If you enable rights fidelity, users and groups from the source system overwrite users and groups that have the same name on the destination system. If you do not enable rights fidelity, the Import Wizard prompts you to either merge or update users and groups that have the same name on both the source and destination systems. If you enable rights fidelity, only the update option is available. 1. To enable rights fidelity In the “Import Object Principals Option” dialog box, select the “Enforce rights fidelity” option. 2. Click Next. The “Please choose an import scenario” dialog box appears. Proceed to “Choosing an import scenario” on page 407. Choosing an import scenario You can merge the source and destination systems, or you can add the source system’s information to the destination system without merging. BusinessObjects Enterprise Administrator’s Guide 407 16 Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard Merging systems If you merge the source and destination systems, the Import Wizard adds all objects from the source system into the destination CMS without overwriting objects in the destination. Note: This is the safest import option. All of the objects in the destination system are preserved. Also, at a minimum, all objects from the source system with a unique title are copied to the destination system. Updating the destination system You can add the source system’s information to the destination system without merging. When you update the contents of the destination system using the source system as a reference, you add all objects in the source system to the destination CMS. If an object in the source system has the same unique identifier as an object in the destination, the object in the destination is overwritten. For more information about merging and updating systems, see “Importing data from a Crystal Enterprise 10 or BusinessObjects Enterprise XI CMS” on page 174. 1. To choose an import scenario In the “Please choose an import scenario” dialog box, choose the type of import you want. To merge the source and destination systems, choose “I want to merge the source system into the destination system.” To add the source system’s information to the destination system without merging, choose “I want to update the destination system by using the source system as a reference.” 408 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard 16 2. Click Next. If you are prompted to select specific objects for import, proceed to “Importing specific objects” on page 409. If the “Information collection complete” dialog box appears, proceed to “Finalizing the import” on page 414. Importing specific objects If you chose to import users, groups, domains, Web Intelligence documents, categories, universes, folders, or repository objects, you are prompted to choose the specific objects you want to import. You can import all of the objects or select individual objects. 1. To select users and groups If you chose to import users and groups, the “Select Users and Groups” dialog box appears. In the Groups list, select the groups that you want to import. In the Subgroups and Users list, select specific members of any group. Click Next. This example imports all but one of the users in the Administrators group. 2. 3. 4. If the “Import Groups Option” dialog box appears, choose how you want to map third-party groups, and click Next. Note: • Ensure that the third party authentication is configured the same way on both the source and destination environments. BusinessObjects Enterprise Administrator’s Guide 409 16 Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard • If you are importing third-party (or external) users and groups from BusinessObjects Enterprise 6.x, you need to determine how these users will be handled upon import into BusinessObjects Enterprise XI. For information about setting alias creation and assignment for LDAP and Active Directory users, see “Managing User Accounts and Groups” on page 249. • To select categories If you chose to import categories, the “Select categories” dialog box appears. Select the check boxes for the categories that you want to import, then click Next. The Import Wizard imports the selected categories and the objects that belong to the categories. • To select domains and Web Intelligence documents If you chose to import Web Intelligence documents, the “Select Domains and Web Intelligence documents” dialog box appears. Select the check boxes for domains or individual documents that you want to import, then click Next. 410 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard 16 1. To select universes or universe folders If you chose to import a subset of the universes from the source environment, the “Select Universe Folder and Universes” dialog box appears. Select the check boxes for the universes that you want to import, then click Next. Note: When you import a universe, its connection objects are imported automatically. Before you can import connection objects from BusinessObjects Enterprise 6.x, ensure that the Import Wizard can access the database the same way that the source environment BusinessObjects Enterprise Administrator’s Guide 411 16 Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard accesses it. This may involve installing database drivers or configuring connection settings on the machine. For example, if you import SQL Server connection objects from a BusinessObjects Enterprise 6.x source environment, you must configure the connections on the destination machine via the Control Panel before you import the connection objects. You must use the exact same name and settings as the connection used on the source machine when you created the domain key. 2. If the universe uses a connection object that is associated with a secure connection that was created with the “Use Business Objects username and password” option selected, the “Connection SSO Option” dialog box appears. Select the connection object, provide your connection information, and click Next. If your database supports Kerberos authentication, you can specify logon credentials for database access during scheduling, and you can enable Single Sign-On for database access during viewing and designing. Note: • • • • SSO can be enabled, but you do not need to provide SSO information for described connections. You can specify logon credentials for access when scheduling, and if SSO is not enabled, these credentials will also be used for access when viewing Web Intelligence documents or designing universes. You can enable SSO only for connections that support Kerberos SSO in BusinessObjects Enterprise XI. To select folders and objects If you chose to import folders and objects, the “Select Folders and Objects” dialog box appears. Select the check boxes for the folders and reports that you want to import. Then click Next. Tip: You can also choose to “Import all instances of each selected report and object package.” This example imports the Report Samples folder and a subset of its contents. 412 BusinessObjects Enterprise Administrator’s Guide Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard 16 • To select repository objects If you chose to import repository objects, the “Import repository objects options” dialog box appears. Choose an importing option for repository objects, then click Next. BusinessObjects Enterprise Administrator’s Guide 413 16 Importing Objects to BusinessObjects Enterprise Importing with the Import Wizard Finalizing the import 1. When the “Information collection complete” dialog box appears, click Finish to begin importing the information. The “Import Progress” dialog box displays status information and creates an Import Summary while the Import Wizard completes its tasks. 2. If the import summary shows that some information was not imported successfully, click View Detail Log for a description of the problem. Otherwise, click Done. Note: The information that appears in the Detail Log is also written to a text file called ImportWiz.log, which you will find in the directory from which the Import Wizard was run. By default, this directory is: C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86\ The log file includes a system-generated ID number, a title that describes the imported information, and a field that describes the action and the reason why it was taken. 414 BusinessObjects Enterprise Administrator’s Guide Managing Objects chapter 17 Managing Objects Managing objects overview Managing objects overview There are several types of objects that can exist in BusinessObjects Enterprise: reports, Web Intelligence documents, programs, Microsoft Excel files, Microsoft Word files, Microsoft PowerPoint files, Adobe Acrobat PDFs, rich text format files, text files, and hyperlinks, as well as object packages, which consist of report and/or program objects. After publishing objects to BusinessObjects Enterprise, you manage them through the Central Management Console (CMC) by going to the Objects management area. Tip: • • Go to the Object management area by clicking the Objects link on the CMC Home page. Use folders to organize and facilitate object administration for you and your users. For more information, see “Managing User Folders” on page 367. “General object management” on page 417 This section describes general object management concepts that apply to all objects, such as moving, copying, and deleting objects. It also describes how to search for objects, how to modify object properties, and how to set object rights for users and groups. This chapter is broken up into four sections: • • “Report object management” on page 425 This section explains report objects and instances, and how to manage them through the Central Management Console (CMC). Managing report objects includes applying processing extensions, specifying alert notification, changing database information, updating parameters, using filters, and working with hyperlinked reports. • “Program object management” on page 451 This section explains program objects and instances, and how to manage them through the Central Management Console (CMC). Additionally, this section covers type-specific program object configuration, and security considerations for program objects. • “Object package management” on page 459 This section explains object packages and instances, and how to manage them through the Central Management Console (CMC). Additionally, this section explains how to create an object package and how to add objects to an object package. 416 BusinessObjects Enterprise Administrator’s Guide Managing Objects General object management 17 General object management This section describes general tasks related to managing objects and their instances. It includes the following sections: • • • • • • “Copying, moving, or creating a shortcut for an object” on page 417 “Deleting an object” on page 419 “Searching for an object” on page 419 “Sending an object or instance” on page 420 “Changing properties of an object” on page 422 “Assigning an object to categories” on page 424 Tip: You can also manage an object by going to the Folders management area in the CMC, selecting a folder (and any subfolders) by clicking the appropriate link(s), and selecting the object that is located under the Object Title column. See Chapter 14: Organizing Objects. Note: For information setting the rights for an object, see “Setting object rights for users and groups” on page 317. Copying, moving, or creating a shortcut for an object Use this procedure to copy or move an object, or to create a shortcut to an object within BusinessObjects Enterprise: • “Copy” creates another copy of the object in a different location. The new copy of the object inherits all object rights from its new parent folder. You use copy, for example, when scheduling objects by using an object package, to copy the objects to the package. See “Scheduling objects using object packages” on page 471. • • “Move” changes the location of the object from one folder to another. The object retains its original set of object rights. “Create shortcut” enables you to create an alternate, more convenient, access route for an object. You can also create a shortcut to give users access to the object when you don’t want them to access the folder that the actual object is located in. The shortcut inherits object rights from its parent folder. However, the shortcut object rights do not override the rights of the original object. For example, if a user does not have rights to schedule a report, they are not able to schedule that report even through a shortcut that allows them full rights. BusinessObjects Enterprise Administrator’s Guide 417 17 Managing Objects General object management 1. 2. 3. To copy, move, or create a shortcut for an object Go to the Objects management area of the CMC. Select the check boxes associated with the object(s) you want to copy, move, or create a shortcut for. Click Copy/Move/Shortcut. The Copy/Move/Create Shortcut page appears. 4. Select one of the following options: • • • Copy to Move to Create shortcut in Tip: You may want to create a shortcut if you want to give someone access to an object without giving that user access to the entire folder that the object is located in. After you create the shortcut, users who have access to the folder where the shortcut is located can access this object and its instances. For more information on folder rights, see “Specifying folder rights” on page 364. 5. Select the appropriate destination folder; then click OK. Tip: • • To expand a folder, select it and click Show Subfolders. To search for a specific folder or object package, use the Look For field. 418 BusinessObjects Enterprise Administrator’s Guide Managing Objects General object management 17 Deleting an object This procedure explains how to delete either a single object or multiple objects. You can also delete a folder (by selecting a folder and clicking Delete in the Folders management area), which deletes all of the objects and instances that are stored in that folder. As well, you have the option of deleting object instances, rather than the object itself. For more information, see “Managing and viewing the history of instances” on page 495. Note: When you delete an object, all of its existing instances and scheduled instances will be deleted. 1. 2. 3. 4. To delete an object Go to the Objects management area of the CMC. Select the check boxes associated with the object(s). Click Delete. Click OK. Searching for an object The search feature enables you to search for specific text within object titles or descriptions. 1. 2. To search for an object or objects Go to the Objects management area of the CMC. Specify the search criteria. In the “Search for” fields, specify the object field to search (title or description) and the matching method to use (is, is not, contains, does not contain). In the Text field, type the text to search for. 3. Click Search. BusinessObjects Enterprise Administrator’s Guide 419 17 Managing Objects General object management Sending an object or instance You can use the “Send to” feature to send existing objects or instances of an object to different destinations. You can send an object, for example, a Word or Excel file, or you can send instances of an object, for example, a report instance. The “Send to” function handles existing objects or instances only. It does not cause the system to run the object and create new instances, nor does it refresh the data for a report instance. You can send either a copy of an object or instance, or a shortcut to the object or instance. You can also select the destination, for example, FTP or Inbox. Not all types of objects can be sent to all destinations. For details about which types of objects can be sent to which destinations, see See also “Available destinations by object type” on page 421. 1. 2. To send an object or an instance to a destination Go to the Objects management area of the CMC. Select the check boxes for the objects that you want to send. To send an instance of the object, click the link for the object. Click the History tab, and then select the check boxes for the instances you want to send. Select only instances with a status of Success or Failed. Instances with a status or Recurring or Pending are scheduled and do not contain any data yet. 3. Click Send to. The Send to page appears. 420 BusinessObjects Enterprise Administrator’s Guide Managing Objects General object management 17 4. If you want, you can the temporary instances that are created when you send an object or instance, deselect Clean up temporary objects created after objects have been sent. By default, this option is selected and the system deletes any temporary objects or instances after they have been sent. If you want to keep these 5. Select the destination option you want: • • Each selected object’s scheduling destination Sends the objects or instances to the destination specified on the Destination pages for the objects. A new destination for all selected objects Allows you to specify a destination. If you select this option, you must specify additional parameters for the destination information. See “Available destinations by object type” on page 421 and “Selecting a destination” on page 481. If you want the destination to become the default destination for the object, select the Set this destination as the selected object’s scheduling destination option. The system will update the destination information for the object when you click Send. Note: Send Web Intelligence documents to the “Inbox” destination only, or to an Email destination within BusinessObjects Enterprise. 6. Click Send. The system sends the selected objects or instances to the specified destinations. Available destinations by object type Most destinations can be used for most types of objects, but there are some exceptions. In some cases recipients must have access to the BusinessObjects Enterprise system to be able to open the object. The following table summarizes which objects cannot use certain destinations. For example, for a Web Intelligence document you cannot specify an unmanaged disk destination. Unm. DIsk Yes Yes Email (SMTP) FTP Yes Yes File Yes Yes Link Yes Yes Inbox File Yes Yes Yes Link Yes Yes Yes Object type Report Object Package Program BusinessObjects Enterprise Administrator’s Guide 421 17 Managing Objects General object management Object type Web Intelligence document Excel file Word file PDF file Text file RTF file PowerPoint file Hyperlink Unm. DIsk Yes Yes Yes Yes Yes Yes - Email (SMTP) FTP Yes Yes Yes Yes Yes Yes File Yes Yes Yes Yes Yes Yes Link Yes Yes Yes Yes Yes Yes Yes Yes Inbox File Yes Yes Yes Yes Yes Yes Yes Yes Link Yes Yes Yes Yes Yes Yes Yes Yes Changing properties of an object In the Properties page of an object, you can modify an object’s title and description. As well, you can view its file name, its location, and the date it was created. For objects that can be scheduled (reports, programs, and object packages), you can see the last times the object was modified and/or run. 1. 2. 3. To change the properties of an object In the Objects management area of the CMC, select an object by clicking its link. On the Properties page, change any of the properties as required. Click Update. Note that once you have clicked Update, you cannot click Reset to undo changes. View button For Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Adobe Acrobat, Text, and Rich Text objects, a View button appears on the Properties page. Provided that you have the appropriate software installed on your browser machine, you can click the View button to open and view the object. 422 BusinessObjects Enterprise Administrator’s Guide Managing Objects General object management 17 Preview button Similarly, for report objects and Web Intelligence documents, a Preview button appears. The Preview button enables you to view a report on demand with all of your current report settings. BusinessObjects Enterprise connects to the report’s data source(s) if no cached pages are available. To use the Preview function, the user will need to have rights at the Schedule level or higher. (To preview a report with saved data, the user will need to have rights at the View level or higher.) By default, administrators have rights at the Full Control level (the highest rights setting) for all report objects. For details about object rights, see “Report object management” on page 425. Show report thumbnail option For reports, the “Show report thumbnail” check box is selected by default. If you do not want a thumbnail preview of this report to be available in InfoView or another web application, clear the Show report thumbnail check box. Note: A thumbnail is a graphical representation of the first page of a report. If the original report does not contain a thumbnail, then a thumbnail will not be stored on BusinessObjects Enterprise. The Show report thumbnail checkbox does not apply to Web Intelligence document objects. BusinessObjects Enterprise Administrator’s Guide 423 17 Managing Objects General object management Scheduled package fails upon individual component failure option For object packages, the “Scheduled package fails upon individual component failure” check box is selected by default. (A component is an object in an object package.) This means that if one of objects in a package fails, the object package instance in the History will appear as Failed. If you do not want the object package instance to fail if one of the objects fails, clear the “Scheduled package fails upon individual component failure” check box. Assigning an object to categories Like folders, categories are objects used to organize documents. You can associate objects with multiple categories, or subcategories within categories. A category can be a corporate or a personal category. For complete information, see Chapter 14: Organizing Objects. Use the following procedure to assign an object to a category by using the objects page. You can also assign objects to a category by using the categories page. See “Adding an object to a new category” on page 370. 1. 2. 3. 4. 5. To assign an object to a category In the Object management area of the CMC, select an object by clicking its link. Click the Categories tab. To assign an object to a personal category, click the Personal link. Otherwise, skip this step. Click Assign Categories. The Assign Corporate Categories page appears. In the Available Categories list, select the category that you want the object to belong to and use the arrow buttons to move to the Assigned Categories list. The Available Categories list includes all corporate or personal categories and their subcategories. Repeat this step for each category that you want the object to be assigned to. 6. Click OK. Note: To remove an object from a category, see “Removing or deleting objects from a category” on page 370. 424 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 Report object management This section explains report objects and instances, and how to manage them through the Central Management Console (CMC). It includes the following sections: • • • • • “What are report objects and instances?” on page 425 “Setting report refresh options” on page 426 “Setting report processing options” on page 428 “Applying processing extensions to reports” on page 443 “Working with hyperlinked reports” on page 447 Note: Most information in this section also applies to Web Intelligence document objects. Any exceptions have been identified. What are report objects and instances? A report object is an object that is created using a Business Objects designer component (such as Crystal Reports or OLAP Intelligence). A Web Intelligence document object Web Intelligence is created using the Report panel and HTML Query panel in InfoView. Both types of objects contain report information (such as database fields). Both types of objects can also contain saved data. A report object or Web Intelligence document object can be made available to everyone or to individuals in selected user groups. Scheduled instances When you schedule an object, the system creates a scheduled instance for the object. A scheduled instance contains object and schedule information. It does not contain any data yet. Scheduled instances appear on the History page of the respective object and have a status of Recurring or Pending. You can schedule objects either from CMC or by using a BusinessObjects Enterprise application, such as InfoView or a custom web application. Typically, report objects are designed such that you can create several instances with varying characteristics. For example, if you run a report object with parameters, you can schedule one instance that contains report data that is specific to one department and schedule another instance that contains information that is specific to another department, even though both instances originate from the same report object. For more information about scheduling, see Chapter 18: Scheduling Objects. BusinessObjects Enterprise Administrator’s Guide 425 17 Managing Objects Report object management Object instances At the specified time, the system runs the object and creates an object instance. The instance contains actual data from the database. It appears on the History page of the object and has a status of Success or Failed. Making changes to an object Any changes you make to the an object (by making the changes and then clicking Update) affect the default settings for the object only. Those changes do not affect any existing scheduled instances or object instances. The next time you schedule the object, whether you use CMC or an application such as InfoView, the new default settings are displayed. You can then change these settings as needed for the scheduled instance you want to create. Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format. Setting report refresh options Note: This feature does not apply to Web Intelligence document objects. You can set report refresh options that determine which settings of a report object are updated when you refresh it in BusinessObjects Enterprise. When you refresh a report object, BusinessObjects Enterprise compares the report object stored in BusinessObjects Enterprise with the original .rpt file stored in the Input File Repository Server. BusinessObjects Enterprise deletes or adds report elements in the report object to make it match the .rpt file, overwriting any changes you’ve made in BusinessObjects Enterprise. Where report elements are the same in the source report and the report object, the report refresh settings allow you to control which settings in the report object are updated with values from the source .rpt file. For example, if a prompt appears only in the source .rpt file, then refreshing the report adds the prompt to the report object. This holds true no matter which report refresh options you select. If a prompt appears in both the source .rpt and the report object and you have selected the “Prompt Values” option, then BusinessObjects Enterprise updates the default value of the prompt in the report object. Any changes that you have made to the default value of the parameter in BusinessObjects Enterprise are overwritten. 426 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 To preserve your changes to the values of report elements when you refresh a report, clear the appropriate report refresh option. Note: • • • If you select Prompt Values, BusinessObjects Enterprise ensures that changes to either the default value of a prompt or to the current value of a prompt are updated in the report object when the report is refreshed. If you select Prompt Options, BusinessObjects Enterprise ensures that changes to the metadata describing a prompt is updated in the report object. For example, “Can be null” is a prompt option. If you select “Use Object Repository when refreshing report”, repository objects in the report object will be refreshed against the repository. For more information, see “Refreshing repository objects in published reports” on page 179. To set a report object’s refresh options In the Objects management area of the CMC, select a report object by clicking its link. On the Properties page, click the Refresh Options link. Choose the report elements that you want to refresh from the source report file. Click Refresh Report. 1. 2. 3. 4. Viewing the universes for a Web Intelligence document You build queries for Web Intelligence documents using objects in a universe. A universe is a representation of the information available in the database. In CMC you can view which universes are used by a Web Intelligence document. 1. 2. To view the universes for a Web Intelligence document In the Objects management area of the CMC, select a Web Intelligence document object by clicking its link. On the Properties page, click the Universes link. The Universes page appears, listing the universes that are used by the document. BusinessObjects Enterprise Administrator’s Guide 427 17 Managing Objects Report object management Setting report processing options For each object you can set several processing options. These options appear on the Process page for the object. Setting the report processing options includes the following tasks: • • • • • • • • “Setting report viewing options” on page 428 “Specifying servers for scheduling” on page 430 “Specifying servers for viewing and modification” on page 432 “Changing database information” on page 434 “Updating parameters” on page 437 “Using filters” on page 439 “Setting printer and page layout options” on page 441 “Applying processing extensions to reports” on page 443 Setting report viewing options Note: This feature does not apply to Web Intelligence document objects. The report viewing options available in BusinessObjects Enterprise allow you to balance users’ need for up-to-date information with the need to optimize data retrieval times and overall system performance. BusinessObjects Enterprise allows you to enable data sharing, which permits different users accessing the same report object to use the same data when viewing or refreshing a report. Enabling data sharing reduces the number of database calls, thereby reducing the time needed to generate a report instance for subsequent users of the same report, while greatly improving overall system performance under load. You can control data sharing settings on either a per-report or a per-server basis: • If you specify which servers a report uses for viewing, you can use perserver settings to standardize data sharing settings for groups of reports, and centrally administer these settings. (See “Specifying servers for viewing and modification” on page 432.) Per-report settings permit you to specify that particular reports will not share data. They also allow you to tailor the data sharing interval for each report to meet the needs of that report’s users. In addition, per-report settings enable you to decide on a report-by-report basis whether it is appropriate to allow users to access the database whenever they refresh reports. • 428 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 Data sharing may not be ideal for all organizations, or for all reports. To get full value from data sharing, you must permit data to be reused for some period of time. This means that some users may see “old” data when they view a report on demand, or refresh a report instance that they are viewing. The default report viewing options for BusinessObjects Enterprise emphasize data freshness and integrity. By default, when you add a report to BusinessObjects Enterprise it is configured to use per-server settings for report sharing. The default server settings ensure that users always receive up-to-date information when they refresh a report, and guarantee that the oldest data given to any user is 0 minutes old. If you choose to enable perreport settings, the default settings allow data sharing, allow a viewer refresh to retrieve fresh data from the database, and ensure that the oldest data given to a client is 5 minutes old. Tip: Disabling the sharing of report data between clients is not the same as setting the “Oldest on-demand data given to a client” to 0 minutes. Under high load, your system may receive more than one request for the same report instance at the same time. In this case, if the data sharing interval is set to 0 but the “Share report data between clients” option is enabled, BusinessObjects Enterprise shares data between the client requests. If it is important that data not be shared between different clients (for example, because the report uses a User Function Library (UFL) that is personalized for each user), disable data sharing for that report. For details on setting report viewing options on a per-server basis, see: • • • • “Modifying Cache Server performance settings” on page 112 “Modifying Page Server performance settings” on page 115 “Modifying performance settings for the RAS” on page 120 “Configuring the Web Intelligence Report Server” on page 122 For more information on configuring BusinessObjects Enterprise to optimize report viewing in your system, see the planning chapter in the BusinessObjects Enterprise Installation Guide. Note: This feature does not apply to Web Intelligence document objects. 1. 2. 3. 4. To set report viewing options for a report In the Objects management area of the CMC, select a report by clicking its link. Click the Process tab. In the “Data Refresh for Viewing” area, click “Use report specific viewing settings.” Then select the options that you want to set for this report. Click Update. BusinessObjects Enterprise Administrator’s Guide 429 17 Managing Objects Report object management Specifying servers for scheduling You can specify the default servers that BusinessObjects Enterprise will use to run an object, and to schedule and process instances. When specifying your servers, you have three options: • • • • • Use the first available server. Use the servers that belong to a selected group first (and, if the servers from that group aren’t available, use any available server). Use only servers that belong to a specific group. Depending on the type of object, BusinessObjects Enterprise uses the following servers: Crystal reports are run on the Report Job Server. Web Intelligence documents are run on the Web Intelligence Report Server. By selecting a particular server or server group, you can balance the load of your scheduling, because specific objects can be processed by specific job servers. You must first create server groups by using the Server Groups management area in the CMC, before you can select servers that belong to a selected group. You can also set the maximum number of jobs that a job server will accept. For more information, see “Modifying performance settings for job servers” on page 121. Also, you can balance the load of your scheduling, because specific objects can be processed by specific job servers. You must first create server groups by using the Server Groups management area in the CMC, before you can select servers that belong to a selected group. You can also set the maximum number of jobs that a job server will accept. For more information, see “Modifying performance settings for job servers” on page 121. Note: • If you choose the “Use the first available server” option, the Central Management Server (CMS) will check the job servers to see which one has the lowest load. The CMS does this by checking the percentage of the maximum load on each job server. If all of the job servers have the same load percentage, then the CMS will randomly pick a job server. If you are scheduling a program object that requires access to files stored locally on a Program Job Server, but you have multiple Program Job Servers, you must specify which server to use to run the program. See “Specifying servers for viewing and modification” on page 432 for information on specifying the servers used to view or modify an object. To specify the servers to use for an object In the Objects management area of the CMC, select an object by clicking its link. • • 1. 430 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 2. Click the Process tab. 3. In the “Default Servers To Use For Scheduling” area, choose from one of the three options: • • Use the first available server BusinessObjects Enterprise will use the server that has the most resources free at the time of scheduling. Give preference to servers belonging to the selected group Select a server group from the list. This option will attempt to process the object from the servers that are found within your server group. If the specified servers are not available, then the object will be processed on the next available server. • Only use servers belonging to the selected group This option ensures that BusinessObjects Enterprise will only use the specified servers that are found within the selected server group. If all of the servers in the server group are unavailable, then the object will not be processed. BusinessObjects Enterprise Administrator’s Guide 431 17 Managing Objects Report object management 4. 5. Click Update. In the “Default Servers To Use For Viewing” area, repeat the activities from steps 3 and 4. Note: “Default Servers To Use For Viewing” applies only to report objects. Specifying servers for viewing and modification You can specify the default servers that BusinessObjects Enterprise will use when a user views or modifies a report or Web Intelligence document. When specifying your servers, you have three options: • • • • • Use the first available server. Use the servers that belong to a selected group first (and, if the servers from that group aren’t available, use any available server). Use only servers that belong to a specific group. Depending on the type of object, BusinessObjects Enterprise uses the following servers: Crystal reports are run on the Cache Server and Page Server, or the Report Application Server, depending on which viewer is used. Web Intelligence documents are run on the Web Intelligence Report Server. By selecting a particular server or server group, you can balance the load of your viewing, as specific reports can be processed using specific servers. You must first create server groups by going to the Server Groups management area in the CMC before you are able to select servers that belong to a selected group. You can also set the maximum number of jobs a server will accept. For more information, see “Modifying Cache Server performance settings” on page 112, “Modifying Page Server performance settings” on page 115, or “Modifying performance settings for the RAS” on page 120. 432 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 Note: • If you choose the “Use the first available server” option, the Central Management Server(CMS) will check the servers to see which one has the lowest load. The CMS does this by checking the percentage of the maximum load on each server. If all of the servers have the same load percentage, then the CMS will randomly pick a server. See “Specifying servers for scheduling” on page 430 for information on specifying Job Servers used to schedule an object. To specify the servers to use for a report object In the Objects management area of the CMC, select an object by clicking its link. Click the Process tab. • 1. 2. BusinessObjects Enterprise Administrator’s Guide 433 17 Managing Objects Report object management 3. In the “Default Servers To Use For Viewing” area, choose from one of the three options: • • Use the first available server BusinessObjects Enterprise will use the server that has the most resources free at the time of viewing. Give preference to servers belonging to the selected group Select a server group from the list. This option will attempt to process the object from the servers that are found within your server group. If the specified servers are not available, then the object will be processed on the next available server. • Only use servers belonging to the selected group This option ensures that BusinessObjects Enterprise will only use the specified servers that are found within the selected server group. If all of the servers in the server group are unavailable, then the object will not be processed. 4. Click Update. Changing database information Note: This feature does not apply to Web Intelligence document objects. You can select your database type and set the default database logon information on the Database page for a report. The Database page displays the data source or data sources for your report object and its instances. You can choose to prompt the user for a logon name and password when he or she views a report instance. 1. 2. To change database settings In the Objects management area of the CMC, select a report object by clicking its link. Click the Process tab, and then click the database link. 434 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 The Database page appears. BusinessObjects Enterprise Administrator’s Guide 435 17 Managing Objects Report object management 3. 4. In the Data Source(s) list, select the data source. Select Use original database logon information from the report or Use custom database logon information specified here. If you select the first option, you can specify a user name and password to be used with the original report database. If you select the second option, you can specify a server name (or a DSN in the case of an ODBC data source), a database name, a user name, and a password for a number of predefined database drivers, or for a custom database driver that you’ve specified. If you’ve changed the default table prefix in your database, specify a custom table prefix here. For a complete list of supported databases and drivers, refer to the platform.txt file included with your installation. 5. Select the database logon option you want. • Prompt the user for database logon The system will prompt users for a password when they refresh a report. Note: This option has no effect on a scheduled instance. Also, BusinessObjects Enterprise only prompts users when they first refresh a report; that is, if they refresh the report a second time, they will not be prompted. • Use SSO context for database logon The system will use the user’s security context, that is, the user’s logon and password, to log on to the database. Note: For this option to work, you must have your system configured for end-to-end single sign-on, or for single sign-on to the database. For more information, see “Configuring Kerberos single sign-on” on page 299. • Use same database logon as when report is run The system will use the same database logon information as was used when the report was run on the job server. 6. Click Update. 436 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 Updating parameters Note: This feature does not apply to Web Intelligence document objects. Parameter fields (with preset values) enable users to view and to specify the data that they want to see. If a report contains parameters, you can set the default parameter value for each field or fields (which is used whenever a report instance is generated). Through a BusinessObjects Enterprise application such as InfoView, your users are either able to use the report with the preset default value(s) or choose another value or values. If you do not specify a default value, users will have to choose a value when they schedule the report. Note: The Parameters link is available only if the report object contains parameters. 1. 2. To view parameter settings In the Objects management area of the CMC, select a report object by clicking its link. Click the Process tab, and then click the Parameters link. 3. Under the Value column, select the value associated with the parameter you want to change. A page opens that allows you to change the parameter value. Depending on the parameter value type, you either type a value in the field or choose a value from a list. If there is a list, you can also click Edit to type a new value. BusinessObjects Enterprise Administrator’s Guide 437 17 Managing Objects Report object management 4. 5. Select the Clear the current parameter value(s) check box if you want to clear the current value that is set for the specified parameter. Select the Prompt the user for new value(s) when viewing check box if you want your users to be prompted when they view a report instance through a BusinessObjects Enterprise application such as InfoView. Click Update. 6. Updating prompts for Web Intelligence document objects Note: This feature does not apply to Crystal reports objects. See “Updating parameters” on page 437 instead. Prompt fields (with preset values) enable users to view and to specify the data that they want to see. If a report contains parameters, you can set the default prompt value for each field or fields (which is used whenever a report instance is generated). Through a BusinessObjects Enterprise application such as InfoView, your users can either use the report with the preset default value(s) or choose another value or values. If you do not specify a default value, users will have to choose a value when they schedule the report. Note: The Prompts link is available only if the Web Intelligence document object contains prompts. 438 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 1. 2. 3. 4. To update the prompts for a Web Intelligence document object In the Objects management area of the CMC, select a report object by clicking its link. Click the Process tab, and then click the Prompts link. The Prompts page appears, showing a dialog box with prompts. Select the prompt and enter a value for the prompt. Repeat this step for every prompt whose you want to change. Click Update. Using filters Note: This feature does not apply to Web Intelligence document objects. In the Filters page, you set the default selection formulas for the report. Selection formulas are similar to parameter fields in that they are used to filter results so that only the required information is displayed. Unlike parameters, end users will not be prompted for selection formula values when they view or refresh the report. When users schedule reports through a web-based client such as InfoView, they can choose to modify the selection formulas for the reports. By default, if any formulas are set in the CMC, they will be used by the web-based client. For more information on selection formulas, see the Crystal Reports User’s Guide. In addition to changing selection formulas, if you have developed your own processing extensions, you can select the processing extensions that you want to apply to your report. For more information, see “Applying processing extensions to reports” on page 443. When you use filters in conjunction with processing extensions, a subset of the processed data is returned. Selection formulas and processing extensions act as filters for the report. 1. 2. To use filters In the Objects management area of the CMC, select a report object by clicking its link. Click the Process tab, and then click the Filters link. The Filters page appears. BusinessObjects Enterprise Administrator’s Guide 439 17 Managing Objects Report object management 440 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 3. Update or add new selection formulas. • Record Selection Formula Use the Record Selection Formula to create or edit a record selection formula or formulas that limit the records used when you or a user schedules a report. • Group Selection Formula Use the Group Selection Formulas to create or edit a group selection formula or formulas that limit the groups used when you or a user schedules a report. 4. In the processing extensions area, select a processing extension you want from the Available Processing Extensions list, and move it to the Use these Processing Extensions list. Repeat this step until you have selected the processing extensions you want. 5. Click Update. Setting printer and page layout options Note: This feature does not apply to Web Intelligence document objects. You can choose to print a report instance when scheduling it; report instances are always printed in Crystal Reports format. When printing a report, you can set the number of copies and the page range. The Print Setup page contains two areas: the first area specifies whether or not a report instance is printed, and if printed, the printer to use, the number of copies, and the page range; the second area specifies custom layout settings for changing the page size and orientation (regardless of whether the report instance is printed or not). Specifying a printer Note: This feature does not apply to Web Intelligence document objects. You can choose to print a report (each time it runs) using the Job Server’s default printer or a different printer. By selecting the Printer destination, BusinessObjects Enterprise prints your report after it is processed. Note: The Job Server must run under an account that has sufficient privileges to access the printer you specify. See “Changing the server user account” on page 146 for information on changing the user account. BusinessObjects Enterprise Administrator’s Guide 441 17 Managing Objects Report object management 1. 2. 3. To assign a printer In the Objects management area of the CMC, select a report object by clicking its link. On the Process tab, click the Print Setup link. The Print Setup page appears. Select Print in Crystal Reports format using the selected printer when scheduling if you want report instances to be sent directly to a printer. The report instances are automatically sent to the printer in Crystal Reports format. This does not interfere with the format selected when scheduling the report. 4. 5. Leave Default printer selected if you want to print to the Job Server’s default printer, otherwise, select Specify a printer. Enter a printer’s path and name, select the number of copies, and choose the print page range. If your job server is using Windows, in the “Specify a printer” field, type: \\printserver\printername Where printserver is the name of your printer server, and printername is the name of your printer. If your job server is running on UNIX, in the “Specify a printer” field, type the print command that you normally use. For instance, type: lp -d printername Note: Ensure that the printer you are using (on UNIX) is “shown” and not “hidden.” 6. Click Update. Specifying page layout Note: This feature does not apply to Web Intelligence document objects. When viewing or scheduling a report instance to any format, you can first specify page layout criteria such as page orientation, page size, and so on. The settings you choose in this section of the Print Setup page affect how you’ll see a report instance when displaying it. Note: Page layout settings are not specifically related only to scheduling a report to a printer, but also to the overall look of the report. The overall look is affected by the properties of the device for which the report is displayed in (that is, the font metrics and other layout settings of the display and/or the printer). 442 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 1. 2. To set a report’s page layout In the Objects management area of the CMC, select a report object by clicking its link. On the Process tab, click the Print Setup link. The Print Setup page appears. 3. Make your settings according to the type of layout you want. The options are as follows: • • Report file default Choose this option if you want the page layout to conform to the settings that were chosen for the report in Crystal Reports. Specified printer settings Choose this option if you want the page layout to conform to the settings of a specified printer. You can choose the Job Server’s default printer or another printer. For information about specifying another printer, see “Specifying a printer” on page 441. When you choose this option, you can print scheduled report instances only to the printer you specify in the “Specified printer settings” area. In other words, you cannot set your report to display with one printer’s setting and then print to a different printer. • Custom settings Choose this option if you want to customize all page layout settings. You can choose page orientation, page size, measurement units (inches or millimeters), page width, and page height. 4. Click Update. Applying processing extensions to reports Note: This feature does not apply to Web Intelligence document objects. BusinessObjects Enterprise supports the use of customized processing extensions. A processing extension is a dynamically loaded library of code that applies your business logic to particular BusinessObjects Enterprise view or BusinessObjects Enterprise Administrator’s Guide 443 17 Managing Objects Report object management schedule requests before they are processed by the system. This section shows how to register your processing extension with BusinessObjects Enterprise, and how to apply an available processing extension to a particular report object. For general information about processing extensions and how you can use them to customize report processing and security, see “Processing extensions” on page 241. For information on writing your own processing extensions with the Processing Extension API, see the developer documentation available on your product CD. Note: On Windows systems, dynamically loaded libraries are referred to as dynamic-link libraries (.dll file extension). On UNIX systems, dynamically loaded libraries are often referred to as shared libraries (.so file extension). You must include the file extension when you name your processing extensions. Also, file names cannot include the \ or / characters. Registering processing extensions with the system Note: This feature does not apply to Web Intelligence document objects. Before you can apply your processing extensions to particular objects, you must make your library of code available to each machine that will process the relevant schedule or view requests. The BusinessObjects Enterprise installation creates a default directory for your processing extensions on each Job Server, Page Server, and Report Application Server (RAS). It is recommended that you copy your processing extensions to the default directory on each server. On Windows, the default directory is C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86\ProcessExt. On UNIX, it is the bobje/processext directory. Tip: It is possible to share a processing extension file. For details, see “Sharing processing extensions between multiple servers” on page 447. Depending upon the functionality that you have written into the extension, copy the library onto the following machines: • • • If your processing extension intercepts schedule requests only, copy your library onto each machine that is running as a Job Server. If your processing extension intercepts view requests only, copy your library onto each machine that is running as a Page Server or RAS. If your processing extension intercepts schedule and view requests, copy your library onto each machine that is running as a Job Server, Page Server, or RAS. Note: If the processing extension is required only for schedule/view requests made to a particular Server Group, you need only copy the library onto each processing server in the group. 444 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 1. 2. To register a processing extension with the system Go to the Objects management area of the CMC. Click Object Settings. 3. 4. In the Name field, type a display name for your processing extension. In the Location field, type the file name of your processing extension along with any additional path information: • • If you copied your processing extension into the default directory on each of the appropriate machines, just type the file name (but not the file extension). If you copied your processing extension to a subfolder below the default directory, type the location as: subfolder/filename Note: Although the actual file name must include the .dll or .so extension (as appropriate to the server’s operating system), you must not include the file extension in the Location field. 5. 6. Use the Description field to add information about your processing extension. Click Add. You can now select this processing extension to apply its logic to particular objects. For details, see “Selecting a processing extension for a report” on page 445. Tip: To delete a processing extension, select its check box and click Delete. (Make sure that no recurring jobs are based on this processing extension because any future jobs based on this processing extension will fail.) Selecting a processing extension for a report Note: This feature does not apply to Web Intelligence document objects. 1. 2. To select a processing extension for a report Go to the Objects management area of the CMC. Click the link to the report object that you want to apply your processing extension to. BusinessObjects Enterprise Administrator’s Guide 445 17 Managing Objects Report object management 3. Click the Process tab, and then click the Filters link. 4. Select your processing extension in the Available Processing Extensions list. Note: Your processing extensions appear in this list only after you have registered them with the system. For details, see “Registering processing extensions with the system” on page 444. Tip: You may apply more than one processing extension to a report object. Repeat steps 4 and 5 for each processing extension; then use the up and down arrows to specify the order in which the processing extensions should be used. 5. Click Update. Your processing extension is now enabled for this report object. 446 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 Sharing processing extensions between multiple servers Note: This feature does not apply to Web Intelligence document objects. If you want to put all processing extensions in a single location, you can override the default processing extensions directory for each Job Server, Page Server, and RAS. First, copy your processing extensions to a shared directory on a network drive that is accessible to all of the servers. Map (or mount) the network drive from each server’s machine. Note: Mapped drives on Windows are valid only until you reboot the machine. For details, see “Ensuring that server resources are available on local drives” on page 526. If you are running servers on both Windows and on UNIX, you must copy a .dll and an .so version of every processing extension into the shared directory. In addition, the shared network drive must be visible to Windows and to UNIX machines (through Samba or some other file-sharing system). Finally, change each server’s command line to modify the default processing extensions directory. Do this by adding “-report_ProcessExtPath ” to the command line. Replace with the path to the new folder, using whichever path convention is appropriate for the operating system that the server is running on (for example, M:\code\extensions, /home/shared/code/extensions, and so on). The procedure for making this modification depends upon your operating system: • • On Windows, use the CCM to stop the server. Then open the server’s Properties to modify the command line. Start the server again when you have finished. On UNIX, run ccm.sh to stop the Job Server/Page Server. Then edit ccm.config to modify the server’s command line. Start the server again when you have finished. For reference, see “ccm.sh” on page 598. Working with hyperlinked reports Note: This feature does not apply to Web Intelligence document objects. Crystal Reports lets you use hyperlinks to navigate from one report object to another. You can move to a Report Part within the report itself, to other report objects or their parts, or to specific instances of reports or Report Parts. This navigation is available only in the new script-based DHTML viewers (zeroclient, server-side viewers) included in BusinessObjects Enterprise XI. By linking directly from one object to another, the required data context is passed automatically so that you navigate to the object and data that is relevant. BusinessObjects Enterprise Administrator’s Guide 447 17 Managing Objects Report object management Initially, when you add hyperlinks between reports in Crystal Reports, you create a link from one file directly to another. However, when you publish linked report files simultaneously to the same object package, the links are modified to point to managed report objects. (Each link is changed, so that it references the appropriate destination report by Enterprise ID, rather than by file path.) Also, the modified links become relative inside the object package. When you schedule the object package, BusinessObjects Enterprise processes its reports, and again modifies hyperlinks within each report instance: hyperlinks between report objects in an object package are converted to hyperlinks between report instances in a specific instance of the object package. For more information on object packages, see “Scheduling objects using object packages” on page 471. To view hyperlinked reports, you must publish both the home and destination reports to the same BusinessObjects Enterprise system. (A home report is one that contains a hyperlink to another report: the destination report.) Note: For information about how to create hyperlinks between report objects, see the Crystal Reports Online Help. Publishing and hyperlinking reports Note: This feature does not apply to Web Intelligence document objects. To avoid breaking hyperlinks between reports, it is best to publish the reports first and then to create the hyperlinks. 1. 2. 3. 4. To publish and then hyperlink reports Create the reports, without hyperlinks, in Crystal Reports. Publish them to BusinessObjects Enterprise. Use Crystal Reports to log on to your BusinessObjects Enterprise system. Create the hyperlinks between the home and destination reports. See the Crystal Reports Online Help. Crystal Reports automatically determines what type of link—relative or absolute—to establish between the reports. In BusinessObjects Enterprise, relative links are those between reports in the same object package, and absolute links are links to specific report objects or instances. Publishing reports with existing hyperlinks Note: This feature does not apply to Web Intelligence document objects. The recommended method for creating hyperlinked reports is first to publish the individual reports, then create hyperlinks between them. See “Publishing and hyperlinking reports” on page 448.) However, because this is not always 448 BusinessObjects Enterprise Administrator’s Guide Managing Objects Report object management 17 possible, use the following procedure to publish reports after they have been hyperlinked. When you publish reports this way, the hyperlinks are converted to relative links. BusinessObjects Enterprise Administrator’s Guide 449 17 Managing Objects Report object management To publish reports with existing hyperlinks Using the Publishing Wizard, publish the reports (that are linked to each other) to the same object package. Note: If you publish hyperlinked reports independently of each other, rather than publishing them simultaneously to the same object package, all hyperlinks between the reports will break. You must re-establish the links using Crystal Reports and save the report back to BusinessObjects Enterprise. (For more information, see the Crystal Reports Online Help.) Viewing hyperlinks in a report Note: This feature does not apply to Web Intelligence document objects. You can view a list of the links in a report by clicking the Links link on the report’s Properties page. The links are listed as either relative or absolute. In BusinessObjects Enterprise, relative links are those between reports in the same object package, and absolute links are links to specific report objects or instances. 1. 2. To view a list of links in a report object In the Objects management area of the CMC, select the report object by clicking its link. Click the Properties tab, and then click the Links link. The Links page appears. Viewing hyperlinked reports Note: This feature does not apply to Web Intelligence document objects. BusinessObjects Enterprise supports navigation between hyperlinked reports only with script-based viewers, specifically the DHTML and Advanced DHTML viewers in InfoView. To change your preferred viewer in the CMC, click the Preferences button in the upper-right corner of the CMC, and select the appropriate viewer from the Viewer list. For information on how to change your preferred viewer, see the BusinessObjects Enterprise User’s Guide. Parameter information is not carried over between the home and destination reports. That is, when you view a destination report by clicking a hyperlink in a home report, you are prompted to enter any parameters that the destination report requires. 450 BusinessObjects Enterprise Administrator’s Guide Managing Objects Program object management 17 Security considerations To view hyperlinked reports through BusinessObjects Enterprise, you must have the appropriate rights both in BusinessObjects Enterprise and at the database level. In BusinessObjects Enterprise, to view a destination report through a hyperlink in a home report, you must have View rights to the destination report. When the hyperlink points to a report object, you must have View On Demand rights to be able to refresh the data against the data source. For information about setting the levels of access to objects, see “Setting common access levels” on page 320. Database logon information is carried over between hyperlinked reports. If the credentials you specified to view the home report are not valid for the destination report, you are prompted for a valid set of database logon credentials for the destination report. Program object management This section explains program objects and instances, and how to manage them through the Central Management Console (CMC). It includes the following sections: • • “What are program objects and instances?” on page 451 “Setting program processing options” on page 453 What are program objects and instances? A program object is an object in BusinessObjects Enterprise that represents an application. Publishing a program object to BusinessObjects Enterprise allows you to use BusinessObjects Enterprise to schedule and run the program object and to manage user rights in relation to the program object. For information about publishing program objects, see “Publishing overview” on page 374. When you publish a program object or its associated files to BusinessObjects Enterprise, they are stored in the Input File Repository Server (FRS). Each time a BusinessObjects Enterprise program runs, the program and files are passed to the Program Job Server, and BusinessObjects Enterprise creates a program instance. Unlike report instances, which you can view in their completed format, program instances exist as records in the object history. BusinessObjects Enterprise stores the program’s standard out and standard error in a text output file. This file appears when you click a program instance in the object History. BusinessObjects Enterprise Administrator’s Guide 451 17 Managing Objects Program object management Program types Three types of applications can be published to BusinessObjects Enterprise as program objects: • Executable Executable programs are binary files, batch files, or shell scripts. They generally have file extensions such as: .com, .exe, .bat, .sh. You can publish any executable program that can be run from the command line on the machine that runs the Program Job Server. • Java You can publish any Java program to BusinessObjects Enterprise as a Java program object. For Java program objects to have access to Java SDK objects, your class must implement the IProgramBase interface from the BusinessObjects Enterprise Java SDK (com.businessobjects.sdk.plugin.desktop.program.IProgramBase). For details, see the BusinessObjects Enterprise Java SDK Guide. • Script Script program objects are JScript and VBScript scripts. They are run on Windows using an embedded COM object and can—once published— reference the BusinessObjects Enterprise SDK objects. For details, see the BusinessObjects Enterprise COM SDK Guide. Note: Script program objects are not supported on UNIX. Note: As the administrator, you can choose to enable or disable any of the types of program objects. For details, see “Authentication and program objects” on page 458. Once you have published a program object to BusinessObjects Enterprise, you can configure it in the Objects management area of the CMC. For each type of program object (Executable, Java, or Script) you can choose to specify command-line arguments and a working directory. For executable and Java programs, there are additional ways, both required and optional, to configure the program objects and provide them with access to other files. Tip: Program objects allow you to write, publish, and schedule scripts or Java programs that run against BusinessObjects Enterprise, and perform maintenance tasks, such as deleting instances from the history. Furthermore, you can design these scripts and Java programs to access BusinessObjects Enterprise session information. This ensures that the scheduled program objects retain the security rights or restrictions of the user who scheduled the job. (Your scripts or java programs require access to the BusinessObjects Enterprise SDK. For details, see the BusinessObjects Enterprise COM SDK Guide or the BusinessObjects Enterprise Java SDK Guide.) 452 BusinessObjects Enterprise Administrator’s Guide Managing Objects Program object management 17 Setting program processing options For each object you can set several processing options. These options appear on the Process page for the object. Setting the program processing options includes the following tasks: • • • • • “Specifying command-line arguments” on page 453 “Setting a working directory for a program object” on page 454 “Configuring executable programs” on page 455 “Configuring Java programs” on page 456 “Authentication and program objects” on page 458 Specifying command-line arguments For each program object you can specify command-line arguments on the Parameters page for the object. You can specify any argument that is supported by the command-line interface for your program. Arguments are passed directly to the command-line interface, without parsing. 1. 2. To specify command-line arguments In the Objects management area of the CMC, select the program object by clicking its link. Click the Process tab, then click the Parameters link. The Parameters page appears. 3. In the Arguments field, type the command-line arguments for your program, using the same format you would use at the command line itself. For example, if your program has a loops option, to set the loops value to 100, you might type -loops 100 4. Click Update. BusinessObjects Enterprise Administrator’s Guide 453 17 Managing Objects Program object management Setting a working directory for a program object By default, when a program object runs, BusinessObjects Enterprise creates a temporary subdirectory in the Program Job Server’s working directory, and uses this subdirectory as the working directory for the program. The subdirectory is automatically deleted when the program finishes running. You can specify an alternative working directory for the program object by modifying the Working Directory field on the Parameters page of the object. Or, you can modify the default setting for the working directory for the Program Job Server. Note: The account under which the program runs must have appropriate rights to the folder that you set as the working directory. The level of file permissions required depend on what the program does; however, the program’s account generally needs read, write, and execute permissions to the working directory. For information about setting credentials for an account under which a program object will run, see “Authentication and program objects” on page 458 1. 2. 3. To set a working directory for a program object In the Objects management area of the CMC, select the program object by clicking its link. Click the Process tab, then click the Parameters link. The Parameters page appears. In the Working Directory field, type the full path to the directory that you want to set as the program object’s working directory. For example, on Widows, if you created a working directory named working_directory, type C:\working_directory On UNIX, type /working_directory 4. 1. 2. 3. 4. Click Update. To modify the default working directory for the Program Job Server Go to the Servers management area of the CMC. Click the link for Program Job Server. The Properties page appears. In the Temp Directory field, type the full path to the directory you want to set as the working directory for the Program Job Server. Click Update. 454 BusinessObjects Enterprise Administrator’s Guide Managing Objects Program object management 17 Configuring executable programs When you publish an executable program object to the CMC, you can: • • Configure the object to have access to external or auxiliary files. See “Providing Java programs with access to other files” on page 457. Customize environment variables for the shell in which BusinessObjects Enterprise runs the program. See “Specifying environment variables” on page 456. Providing executable programs with access to other files Some binary files, batch files, and shell scripts require access to external or auxiliary files to run. Aside from setting a working directory for the program object, there are two ways to provide access to these files: • • If a required file is on the same machine as the Program Job Server, you can specify the full path to the file. Alternatively, if the file is not located on the Program Job Server, you can upload the file to the File Repository Server, which will pass the files to the Program Job Server as necessary. To specify paths to required files In the Objects management area of the CMC, select the executable program object by clicking its link. Click the Process tab, then click the Parameters link. The Parameters page appears. In the External Dependencies field, type the full path to the required file and click Add. Repeat step 3 for each file required. Click Update. 1. 2. 3. 4. 5. Tip: To edit or remove external dependencies that you have specified, select the file path (in the list of external dependencies on the Parameters page) and click the appropriate button, either Edit or Remove. 1. 2. 3. 4. 5. To upload required files In the Objects management area of the CMC, select the executable program object by clicking its link. Click the Process tab, then click the Auxiliary Files link. The Auxiliary Files page appears. Click Browse to navigate to the required file, then click Add File. Repeat step 3 for each required file. Click Update. BusinessObjects Enterprise Administrator’s Guide 455 17 Managing Objects Program object management Tip: To remove auxiliary files that you have specified, select the file(s) (in the list of external dependencies on the Parameters page) and click Remove File(s). Specifying environment variables In the CMC, you can configure your program by adding or modifying environment variables. Modifications to an existing environment variable override this variable, rather than append to it. Any changes you make to environment variables exist only in the temporary shell in which BusinessObjects Enterprise runs the program. Thus, when the program exits, the environment variables are destroyed. 1. 2. 3. To add an environment variable In the Objects management area of the CMC, click the link for the program object. Click the Process tab, then click the Parameters link. The Parameters page appears. In the Environment Variables field, type the environment variables you want to set. Use the form name=value, where name is the environment variable name and value is the value for the environment variable. For example, you can set the path variable to append a user’s bin directory to the existing path: • • On Windows, you might type: path=%path%;c:\usr\bin On UNIX, you might type:PATH=$PATH:/usr/bin Note: BusinessObjects Enterprise sets your environment variables using the syntax that is appropriate for your operating system. However, on UNIX you must follow convention, and use the appropriate case. For example, all name values on UNIX must be typed in upper-case. 4. Click Update. Tip: To edit or remove environment variables that you have specified, select the variable (in the list of environment variables on the Parameters page), and click the appropriate button, either Edit or Remove. Configuring Java programs To successfully schedule and run Java programs in BusinessObjects Enterprise, you must specify the required parameters for the program object. See “Setting required parameters for Java programs” on page 457. Additionally, you can provide the Java program with access to other files located on the Program Job Servers, and you can specify Java Virtual Machine options. See “Providing Java programs with access to other files” on page 457. 456 BusinessObjects Enterprise Administrator’s Guide Managing Objects Program object management 17 Setting required parameters for Java programs To successfully schedule and run a Java program, you must provide BusinessObjects Enterprise with the base name of the .class file that implements the IProgramBase interface from the BusinessObjects Enterprise Java SDK. Note: The Java Runtime Environment must be installed on each machine that is running a Program Job Server. 1. 2. 3. To specify required parameters for Java programs In the Objects management area of the CMC, click the link for the Java program object. Click the Parameters tab. The Parameters page appears. In the Class to run field, type the base name of the .class file that implements the IProgramBase from the BusinessObjects Enterprise Java SDK (com.businessobjects.sdk.plugin.desktop.program.IProgramBase). For example, if the file name is Arius.class, type Arius 4. Click Update. Providing Java programs with access to other files You can provide Java programs with access to files, such as Java libraries, located on the Program Job Server. 1. 2. 3. To provide Java programs with access to other files In the Objects management area of the CMC, click the link for the Java program object. Click the Process tab, then click the Parameters link. The Parameters page appears. In the Classpath field, type the full paths to the locations of any Java library files that are required by the Java program, and stored on the Program Job Server. You must separate multiple paths with the classpath separator that is appropriate to your operating system: a semi-colon for Windows, a colon for UNIX. 4. Click Update. BusinessObjects Enterprise Administrator’s Guide 457 17 Managing Objects Program object management Authentication and program objects Be aware of the potential security risks associated with the publication of program objects. As the administrator, you must protect the system against abuse. The level of file permissions for the account under which a program object runs will determine what modifications, if any, the program can make to files. You can control the types of program objects users can run, and you can configure the credentials required to run program objects. Enabling or disabling a type of program object As a first level of security, you can configure the types of program objects available for use. 1. 2. 3. 4. To enable or disable a type of program object In the Objects management area of the CMC, click Object Settings. Click the Program Objects tab. Select the type or types of program objects you want users to run. Click Update. Authentication on all platforms In the Objects management area of the CMC, you must specify credentials for the account under which the program runs. This feature allows you, the administrator, to set up a specific user account for the program, and assign it appropriate rights, to have the program object run as that account. For details, see “Controlling users’ access to objects” on page 317. Alternatively, users who publish program objects to BusinessObjects Enterprise can assign their own credentials to a program object, to give the program access to the system. Thus, the program will run under that user account, and the rights of the program will be limited to those of the user. If you choose not to specify a user account for a program object, it runs under the default system account, which generally has rights locally but not across the network. Note: By default, when you schedule a program object, the job fails if credentials are not specified. To provide default credentials, click Object Settings in the Objects management area, then click the Program Objects tab. Click “Schedule with the following operating system credentials” and provide a default user name and password. 1. 2. To specify a user account for a program object In the Objects management area of the CMC, click the link for the program object. Click the Process tab, then click the Logon link. The Logon page appears. 458 BusinessObjects Enterprise Administrator’s Guide Managing Objects Object package management 17 3. 4. In the User Name and Password fields, type the credentials for the user account under which the program should run. Click Update. Authentication for Java programs BusinessObjects Enterprise allows you to set security for all program objects. For Java programs, BusinessObjects Enterprise forces the use of a Java Policy File, which has a default setting that is consistent with the Java default for unsecure code. Use the Java Policy Tool (available with the Java Development Kit) to modify the Java Policy File, to suit your specific needs. The Java Policy Tool has two code base entries. The first entry points to the BusinessObjects Enterprise Java SDK and allows program objects full rights to all BusinessObjects Enterprise JAR files. The second code base entry applies to all local files. It uses the same security settings for unsecure code as the Java default for unsecure code. Note: • • The settings for the Java Policy are universal for all Program Job Servers running on the same machine. By default, the Java Policy File is installed to the Java SDK directory in the BusinessObjects Enterprise install root directory. For example, a typical location on Windows is: C:\Program Files\Business Objects\BusinessObjects Enterprise 11\conf\crystal-program.policy On UNIX, a typical location is .../solaris_install/bobje/enterprise11/JavaSDK/crystalprogram.policy Object package management This section explains object packages and instances, and how to manage them through the Central Management Console (CMC). It includes: • • • • • “What are object packages, components, and instances?” on page 460 “Creating an object package” on page 460 “Adding objects to an object package” on page 461 “Configuring object packages and their objects” on page 462 “Authentication and object packages” on page 463 BusinessObjects Enterprise Administrator’s Guide 459 17 Managing Objects Object package management What are object packages, components, and instances? Object packages function as distinct objects in BusinessObjects Enterprise. Think of them as folders you can schedule, along with all of their contents. Object packages can be composed of any combination of report and program objects that are published to the BusinessObjects Enterprise system. (NonBusinessObjects Enterprise objects, such as Excel, Word, Acrobat, Text, Rich Text, PowerPoint, and Hyperlink objects, cannot be added to object packages.) Placing multiple objects in a single object package allows you to schedule them simultaneously. For reports, object packages allow users to view synchronized data across reports. Component objects are not autonomous. They have more limited configuration options than other objects, and they do not appear in the list of all objects on the first page of the Objects management area of the CMC. Rather, you can only view them by opening their object package. BusinessObjects Enterprise creates an object package instance each time it runs an object package. The object package instance contains individual instances of each of its component objects. Component instances are tied to object package instances, rather than to component objects. For example, if you run an object package, and thereby create an instance, then remove a report object from the object package, the existing object package instance does not change; it still contains the report instance from the report object that you removed. Future instances of the object package, however, will reflect the change. For hyperlinked report instances in object package instances, the hyperlinks point to the other report instances in the same object package instance. For details about hyperlinked reports, see “Working with hyperlinked reports” on page 447. Creating an object package 1. 2. 3. 4. 5. Go to the Objects management area of the CMC. Click New Object, then click the Object Package tab. The Object Package tab appears. In the Title field, type the name of the object package you want to create. In the Description field, type a description of the object package. This field is optional. Ensure the correct folder name appears in the Destination field. Note: You cannot place object packages in the top level folder or inside other object packages. Tip: • 460 To expand a folder, select it and click Show Subfolders. BusinessObjects Enterprise Administrator’s Guide Managing Objects Object package management 17 • 6. To search for a specific folder, use the Look For field. Click OK. Note: When the object package has been added to the system, the CMC displays the Properties page. You can now modify the properties, contents, scheduling information, destination, user rights, object settings, and notification for the object package. Adding objects to an object package In the CMC, after you have created an object package, you can add report and/or program component objects to it. You can add previously unpublished objects directly to the object package, or you can copy existing objects into the object package. You can only move copies of existing objects into the object package, or between object packages; you cannot move the existing objects themselves. For details on copying objects, see “Copying, moving, or creating a shortcut for an object” on page 417. When you copy an object into an object package, the component object retains the same settings as the original object. However, once you create the copy of the original object inside the object package, the component and the original are separate entities. Changes in one object are not reflected in the other. Note: You publish objects to new or existing object package using the Publishing Wizard. For details, see “Publishing with the Publishing Wizard” on page 376. 1. 2. 3. 4. 5. 6. To publish a new object directly to an object package In the Objects management area of the CMC, view an object package by clicking its link. Click the Objects tab, then click the New Object button. A list of object tabs appears. Note that you can add only report objects or program objects to an object. Click the appropriate tab, Report or Program. Specify the file name or, or click browse to navigate to the object you want to publish. Set the appropriate properties. • • 7. For reports, set whether to generate a thumbnail for the report, and whether to use the Object Repository when refreshing the report. For programs, set the program type: Executable, Java, or Script. Click OK. BusinessObjects Enterprise Administrator’s Guide 461 17 Managing Objects Object package management Configuring object packages and their objects Object packages are intended to save you time scheduling objects that have similar scheduling requirements. As a result, you configure some parameters at the object package level, and some at the object level, that is, for the individual objects in the object package. For example, you have to specify the destination for an object package, but you cannot specify destinations for the individual objects in the package. When the system runs the object package, it will save the output instances to the destination you specified for the object package. Note: Because the objects in an object package are copies of objects that exist outside the package, the changes you make will not affect the objects outside the object package. The following table indicates which configuration parameters you can modify for an object package or for individual objects in a package. The parameters are identified by tab or link. For information on how to set or modify these parameters, see: • • • • “General object management” on page 417 “Report object management” on page 425 “Program object management” on page 451 Chapter 18: Scheduling Objects Configure for an object package yes --yes Scheduling server ----yes --Configure for individual objects in a package yes yes yes -View & Modify server yes yes yes yes -yes yes Configuration tabs and links Properties tab Refresh Options Links History tab Process tab Database Parameters Filters Print Setup Schedule tab Notification Alert Notification 462 BusinessObjects Enterprise Administrator’s Guide Managing Objects Object package management 17 Configuration tabs and links Format Destination Schedule For Categories tab Corporate Personal Rights tab Configure for an object package -yes yes n/a yes yes yes Configure for individual objects in a package yes --n/a yes yes -- Authentication and object packages Object packages simplifies both Enterprise and database authentication. You enter your Enterprise authentication only once to schedule the object package, including all of its component objects. Consequently, you must have scheduling rights for each of the objects inside the object package. If you attempt to schedule a package that contains one or more component objects to which you do not have schedule rights, the component instance(s) fail(s). For database authentication, you specify database logon information for each report component object in the object package. (If you copied the report into the object package, it initially inherits the database logon information of the original report.) BusinessObjects Enterprise Administrator’s Guide 463 17 Managing Objects Object package management 464 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects chapter 18 Scheduling Objects Scheduling objects overview Scheduling objects overview Scheduling an object lets you run it automatically at specified times. You can schedule report objects, Web Intelligence documents, program objects, and object packages. For details about object types and object management, see Chapter 17: Managing Objects. When you schedule an object, the system creates a scheduled instance for the object. A scheduled instance contains object and schedule information. It does not contain any data yet. Scheduled instances appear on the History page of the respective object and have a status of Recurring or Pending. When the system runs the object, it creates an output instance for the object, for example, a report or program instance. A report instance contains actual data from the database. A program instance is a text file that contains the standard out and standard error produced when the program object was run. Output instances also appear on the History page of an object and have a status of Success or Failed. This chapter contains the following sections: • • • “Scheduling objects” on page 466 This section provides information on how to schedule objects. “Managing instances” on page 495 This section describes how to manage instances for an object. “Setting the scheduling options” on page 476 This section describes the options on the different Schedule pages for an object, such as Notification, or Destination. Scheduling objects When you schedule an object, the system creates a scheduled instance for the object. A scheduled instance contains object and schedule information. It does not contain any data yet. Scheduled instances appear on the History page of the respective object and have a status of Recurring or Pending. Scheduled instances use the settings that are presently configured for the object in CMC. In order for a program object to be successfully scheduled and run, you must provide logon information for the account that the program object will run as. For details, see “Authentication and program objects” on page 458. 466 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Scheduling objects 18 For end users to schedule and run objects, they must use a web-based client such as InfoView or a custom web application. InfoView is designed primarily to schedule objects and view reports, whereas CMC enables you to manage and administer objects in addition to scheduling objects and viewing reports. Many scheduling options allow you to schedule an instance with events. For details, see “Scheduling an object with events” on page 473. Note: If a Web Intelligence document has been set to “refresh on open” then the system will access the database to obtain the latest information each time a user views the document. Therefore, it may not be advantageous to schedule Web Intelligence documents that are set to “refresh on open”, because running the document at scheduled times will not reduce the number of database hits. 1. 2. 3. To schedule an object In the Objects management area of the CMC, select an object by clicking its link. Click the Schedule tab. The Schedule page appears, showing the default settings for the object. Select the recurrence pattern you want. For example, select Weekly. For a list and descriptions of the recurrence patterns, see “Recurrence patterns” on page 469. 4. Specify the Run option and parameters that you want. For example, select “Every week on” and then specify Monday, Wednesday, Friday. For a list and descriptions of the Run options and parameters, see “Run options and parameters” on page 469. 5. 6. Set any of the other schedule options and parameters as required. For details, see “Setting the scheduling options” on page 476. Click Schedule. The system creates a scheduled instance and it will run the instance according to the schedule information you just specified. You can view the scheduled instance on the History page for the object. See also “Managing and viewing the history of instances” on page 495. Note: To save the schedule settings as the new default setting for the object, click Update. The new settings on the Schedule tab for the object are saved. BusinessObjects Enterprise Administrator’s Guide 467 18 Scheduling Objects Scheduling objects About the scheduling options and parameters When you schedule an object, you choose the recurrence pattern that you want. For example, you select Daily or Weekly, and then the run option (for example, “Every week on”). You then specify additional parameters to control exactly when and how often the object will be run. The recurrence patterns appear on the left of the Schedule page. The Run options list and related parameters appear to the right of the recurrence patterns. 468 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Scheduling objects 18 Which run options and parameters are available depends on the recurrence pattern you selected. In many case the same parameters appear, such as start and end dates. The names of the recurrence patterns, options, and fields are generally self explanatory, but for a complete description, see: • • “Recurrence patterns” on page 469 “Run options and parameters” on page 469 Recurrence patterns When scheduling an object, you can choose from the following recurrence patterns: • • • • • • On demand—The object will only be run when a user request it to be run. Once—The object will be run only once. It can be run now or in the future, or when a specified event has occurred. Daily—The object will be run every day. It can be run once or several times a day. You can specify what time as well as a start and end date. Weekly—The object will be run every week. It can be run once a week or several times a week. You can specify which days, what time, and a start and end date. Monthly—The object will be run every month or every several months. You can specify on which days of the month, what time, and a start and end date you want it to run. Calendar—The object will be run on the dates specified in a calendar. You can specify which calendar. The calendar must have been previously created. See Chapter 19: Managing Calendars. Run options and parameters This section describes the Run parameters for scheduling an object. Not all parameters apply in all cases, but when they apply, their function is the same. Run This list always appears, but the options vary depending on which recurrence pattern you select. For example, if you select Daily, you can select to run the object “Once each day” or “Every X day(s).” If you select Monthly, you can select to run the object “On the Nth day of the month” or “On the first Monday of the month.” To see all the Run options for a recurrence pattern, refer to the software. BusinessObjects Enterprise Administrator’s Guide 469 18 Scheduling Objects Scheduling objects X and N variables Applies to certain Daily and Monthly recurrence patterns only. When you select a Run option that contains these variables, the system displays their default values. You can then changes these values as needed. For example, if you select the “Daily” recurrence pattern and the “Every X hour(s), N minute(s)” Run option, you could specify to run the report every 4 (X) hours and 30 (N) minutes. If you don’t change the X or N value, the system will run the report every hour. Start Date Applies to most, but not all recurrence patterns and Run options. The default is the current date and time. The system will run the object according to the schedule that you specified, as soon as it can, after the Start Date has passed. For example, if you specify a start date that is three months into the future, the system won’t run the object until the start date has passed, even if all the other criteria are met. After that, the system will run the report at the specified time. End Date Applies to most, but not all, recurrence patterns and Run options. The default is the current time and a date in the distant future, to ensure an object will be run indefinitely. Specify a different End Date if required. Once the End Date has passed, the system no longer runs the object. Available Events Applies to all Run options that include “with events.” Select an event and click the Add button to move it to the “Events to wait for” box. You can select one or several events. The system will run the object only when those events have been successfully completed. See also “Scheduling an object with events” on page 473. Available Schedule Events Applies to all Run options that include “with events.” Select an event and click the Add button to move it to the “Events to trigger on completion” box. You can select one or several events. A successful run of the object will trigger the events that you specified. This list of events contains schedule events only. You cannot trigger file or custom events. See also “Scheduling an object with events” on page 473, and Chapter 20: Managing Events. Number of retries allowed Always applies. The number of times the system attempts to process an object if the first attempt is not successful. By default, the number is zero. Retry interval in seconds Always applies. The period, in seconds, that the system will wait before it attempts to process the object again if the first attempt is unsuccessful. 470 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Scheduling objects 18 Scheduling objects using object packages You can schedule objects in batches using the object packages feature. Object packages function as distinct objects in BusinessObjects Enterprise. They can contain any combination of objects that can be scheduled, such as report and program objects, and Web Intelligence documents. Using object packages simplifies authentication. In terms of reports and Web Intelligence document, it allows users to view synchronized data across instances. This procedure describes how to use the CMC to schedule objects by using object packages. First you publish an object package. Then, you copy existing objects into the object package. Finally, you schedule the object package as you would any object. Alternatively, you can publish objects directly to an object package, and then you can schedule that object packages as you would any object. For details on publishing directly to an object package, see “Publishing overview” on page 374. For details on configuring object packages, see “Object package management” on page 459. Note: • You must configure the processing information of each of the components of an object package individually. For example, if you want a report object in an object package to print when scheduled, you must configure it through the Print Setup link available on the report object’s Process tab. For more information about configuring objects, see “Managing Objects” on page 415. For information about publishing hyperlinked report objects, see “Working with hyperlinked reports” on page 447. To schedule objects using object packages Go to the Objects management area of the CMC. If the object package already exist, skip this step. Otherwise: a. b. c. d. e. f. Click New Object, and then click the Object Package tab. Type the package name and a description. Select a destination for the object package. If you want, assign the object package to a category. Click OK. Go to the Objects management area of the CMC again. • 1. 2. See also “Publishing with the Central Management Console” on page 385. BusinessObjects Enterprise Administrator’s Guide 471 18 Scheduling Objects Scheduling objects 3. 4. Select the check boxes associated with each object you want to place in the object package. Click Copy/Move/Shortcut. The Copy/Move/Create Shortcut page appears. 5. Select Copy to. Note: Existing objects cannot be moved into an object packages; they must be copied to the object package. 6. Select the object package you created as the Destination for the objects, and then click OK. Tip: • • • 7. Object packages are indicated by [square brackets]. To expand a folder, select it and click Show Subfolders. To search for a specific folder or object package, use the Look For field. Schedule the object package. See “Scheduling objects” on page 466. 472 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Scheduling objects 18 Scheduling an object with events When you schedule an object with events, the object will be run only when the additional condition (that is, the event) occurs. You can tell an object to wait for any, or all of the three event types: file-based, custom-based, and schedule-based. If you want a scheduled object to trigger an event, you must choose a schedule-based event. Note: A file-based event is triggered upon the existence of a specified file. A custom-based event is triggered manually. A schedule-based event is triggered by another object being run. Scheduling objects based on an event When you schedule an object that waits for a specified event, the object will run only when the event is triggered, and only when the rest of the schedule conditions are met. If the event is triggered before the start date of the object, the object will not run. If you have specified an end date for this object, and if the event is not triggered before the end date occurs, the object will not run because not all of the conditions will have been met. Also, if you choose a weekly, monthly, or calendar schedule, the object will have a specified time frame in which it can be processed. The event must be triggered within this specified time for the object to run. For example, if you schedule a weekly report object that runs every Monday, the event must be triggered within the 24-hour period on Monday; if the event is triggered outside of the 24-hour period, then the report will not run. Scheduling objects to trigger an event You can also schedule an object which triggers a schedule-based event upon completion of the object being run. When the object is run, BusinessObjects Enterprise will trigger the specified event. For a schedule-based event, if the event is based on the instance being run successfully, for example, the event won’t be triggered if the instance fails. For a sample scenario on when you would use a schedule-based event, see “Schedule-based events” on page 512. Note: To schedule an object with events, first ensure that you have created the event. See “Managing events overview” on page 510. 1. 2. 3. To schedule an object to run based on events In the Objects management area of the CMC, select an object by clicking its link. Click the Schedule tab. Select the recurrence pattern you want. For example, select Weekly. For a list and descriptions of the recurrence patterns, see “Recurrence patterns” on page 469. BusinessObjects Enterprise Administrator’s Guide 473 18 Scheduling Objects Scheduling objects 4. In the Run list, select a run option that contains the words, “with events.” 5. Select and complete the schedule parameters for your object (scheduling option, Start Date, End Date, and so on). For a list and descriptions of the Run options and parameters, see “Run options and parameters” on page 469. 6. In the Available Events area, select from the list of events and click Add. For example, the report object above is set to wait for a Custom-based event to occur before the report is processed. 7. To update the default scheduling information, click Update. If you don’t click Update, any changes you made to the scheduling information are not saved. 8. Click the Schedule button to schedule the object. 474 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Scheduling objects 18 1. 2. 3. To schedule an object to trigger an event In the Objects management area of the CMC, select an object by clicking its link. Click the Schedule tab. From the list on the left of the page, select a recurrence pattern: Once, Daily, Weekly, Monthly, or by Calendar. For a list and descriptions of the recurrence patterns, see “Recurrence patterns” on page 469. 4. 5. In the Run list, select a run option that contains the words, “with events.” Select and complete the schedule parameters for your object (scheduling option, Start Date, End Date, and so on). 6. In the Available Schedule Events area, select from the list of events and click Add. BusinessObjects Enterprise Administrator’s Guide 475 18 Scheduling Objects Setting the scheduling options For example, the report object above is set to trigger a Schedule-based event only if the report is successfully processed. Note: You can only select schedule-based events in this list. 7. To update the default scheduling information, click Update. If you don’t click Update, any changes you made to the scheduling information are not saved. 8. Click the Schedule button to schedule the object. Setting the scheduling options BusinessObjects Enterprise allows you to control the process and schedule settings for an object. Setting the scheduling options includes the following tasks: • • • • • • “Scheduling objects” on page 466 “Setting notification for an object’s success or failure” on page 476 “Specifying alert notification” on page 479 “Selecting a destination” on page 481 “Choosing a format” on page 491 “Scheduling an object for a user or group” on page 493 Setting notification for an object’s success or failure You can set scheduling options that automatically send notification when an object instance succeeds or fails. You can send notification using audit or email notification. You can also combine multiple notification methods, and provide different notification settings for successful and failed instances. For example, you may have a large number of reports that run every day. You need to check each instance to make sure it ran properly, and then send out emails to the users who need to know that the new report is available. With thousands of reports, it would take too much time to manually check the reports and contact the users who need the information. Using notification settings in BusinessObjects Enterprise, you can set each object to automatically notify you when the report fails to run properly, and you can automatically inform users when new report instances run successfully. 476 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Setting the scheduling options 18 Determining an object’s success or failure When you schedule an object, the scheduled instance either succeeds or fails. The conditions required for an instance’s success or failure depend on the type of object you schedule: • Report and Web Intelligence document objects A report instance runs successfully if it doesn’t encounter any errors while processing the report object or accessing the database. A report instance may fail if the user does not provide the correct parameters or logon information. • Program objects For program objects, the program must run in order to succeed. If the program does not run, the instance is considered a failure. If the program runs, but does not perform the tasks it is supposed to, it is still considered a successful instance because the program object ran. BusinessObjects Enterprise does not monitor problems with the program object’s code. • Object packages An object package may fail if one of its components fails. To change this setting, click the object package’s Properties tab and clear the “Scheduled package fails upon individual component failure” option. You can also set scheduling options for individual objects within an object package. Note: You cannot set audit or email notification for object packages, but you can set any type of notification for the individual objects in the object package. You can also schedule object packages with events on the Schedule tab. For more information about events, see “Schedule-based events” on page 512. About notification You can set notification at the object level. You can select unique notification options for each object, sending different types of notification for different conditions. For object packages, you can set only event notification, which will trigger an event based on success or failure of the object package. To monitor object successes and failures from a more general perspective, use the auditing functionality within BusinessObjects Enterprise. If notification fails, then the object instance fails. For example, if an email notification sends a message to an invalid email address, then the notification fails and the object instance is recorded as a failure in the object’s history. You can choose to notify using: BusinessObjects Enterprise Administrator’s Guide 477 18 Scheduling Objects Setting the scheduling options • Audit notification To use audit notification, you must configure the auditing database and enable auditing for the servers. If you use auditing to monitor your BusinessObjects Enterprise system, you can use audit notification. For more information about configuring the auditing database and enabling auditing, see “Managing Auditing” on page 203. When you select audit notification, information about the scheduled object is written to the auditing database. You can choose to have a notification sent to the auditing database when the job runs successfully, when it fails to run, or both. Note: For the job servers you can also set audit notification on the Auditing tab. • Email notification You can send an email as a notification of an object instance’s success or failure. You can choose the sender and recipients of the email message. You can send an email when the instance fails and when it succeeds. For example, you could send your administrator an email if the report fails, but when the report succeeds you can automatically send a notification to everyone who needs the report to let them know it is now available. Note: To enable email notification, you must have the Email SMTP destination enabled and configured on the job servers. See “Configuring the destinations for job servers” on page 125 Note: Notification of a scheduled object’s success or failure is not the same as alert notification. Alert notification must be built into the design of the report. For example, alert notification can send an email to you whenever a specific value in the report exceeds $1000000. In this case, the notification has nothing to do with the contents of the report - it’s just about whether or not the report object instance has failed or succeeded. 1. 2. 3. To set notification for an instance’s success or failure Select a object in the Objects management area of the CMC. Click the Schedule tab, then click the Notification link. Click the notification type (or types) you want to use. Note: If the notification type is already being used, it will be labelled “Enabled”. If not, it will be labelled “Not in use”. 4. Choose the specific settings for the notification. 478 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Setting the scheduling options 18 Audit notification To send a record to the auditing database when the job succeeds, select “A job has been run successfully.” To send a record when the job fails, select “A job has failed to run.” Email notification Choose whether you want to send a notification when the job fails or when it succeeds. To specify the contents and recipients of the email notification, select “Set the vales to be used here” and provide the From and To email addresses, the email subject line, and the message. Note: By default, the notification is sent to the server’s default email destination. For details on how to change the default email settings, see “Email (SMTP) destination properties” on page 128. 5. Click Update. Specifying alert notification Note: This feature does not apply to Web Intelligence document objects. Alerts are custom messages, created in Crystal Reports, that appear when certain conditions are met by data in a report. Alerts may indicate action to be taken by the user or information about report data. If the alert condition (as defined in Crystal Reports) is true, the alert is triggered and its message is displayed. In BusinessObjects Enterprise, you can choose to send alert notification when scheduling a report. If you enable alert notification, messages are sent through an SMTP server. You can configure email delivery options, specify the “To,” “Cc,” and “From” fields for the email, add subject and message information, set a URL for the viewer you want the email recipient to use, and set the maximum number of alert records to send. Note: • • • The Alert Notification link is available only if the report object contains alerts. Alerts are triggered in the report object even if you disable alert notification. To enable alert notification, you must have the Email SMTP destination enabled and configured on the job servers. See “Configuring the destinations for job servers” on page 125. BusinessObjects Enterprise Administrator’s Guide 479 18 Scheduling Objects Setting the scheduling options 1. 2. To set alert notification In the Objects management area of the CMC, select a report object by clicking its link. Click the Schedule tab, and then click the Alert Notification link. The Alert Notification page appears. 3. 4. Clear the Enable alert notification check box if you do not want to send an alert notification. Select either Use the Job Server’s defaults or Set the values to be used at schedule time here. If you select the first option, BusinessObjects Enterprise will deliver the alert notification using the Job Server’s default settings. You can change these settings in the Servers management area. For more information, see “Configuring the destinations for job servers” on page 125. 480 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Setting the scheduling options 18 If you select the second option, you can specify the email settings: • • • • • From Type a return address or distribution list. To Type the addresses or distribution list that you wish to send the report to. Cc Type the addresses or distribution list that you wish to send a copy of the alert notification to. Subject Complete the subject field. Message Type a short message, if required. Note: Separate multiple addresses or distribution lists using semicolons. 5. Type the URL for the viewer in which you want the email recipient to view the report. Alternatively, you can select the default viewer by clicking Use default. The viewer URL appears in the hyperlink that is sent in the alert notification email. You can set the default URL by clicking Object Settings on the main page of the objects management area of the CMC. For more information, see the developer documentation available on your product CD. Note: You must use World Wide Web Consortium (W3C) URL encoding when typing the viewer URL. For example, replace spaces in the path with %20. For more information, see http://www.w3.org/ 6. Type the maximum number of alert records to be included in the alert notification. The hyperlink in the alert notification displays a report page that contains the records that triggered the alert. Use this field to limit the number of records displayed. Tip: The Alert Name and Status fields are set in Crystal Reports. 7. Click Update. Selecting a destination Using BusinessObjects Enterprise, you can configure an object or instance for output to a destination other than the default Output File Repository Server (FRS). When the system runs an object, it always stores the output instance on the Output FRS. Being able to choose an additional destination gives you the flexibility to deliver instances across your enterprise system or to destinations outside your enterprise system. BusinessObjects Enterprise Administrator’s Guide 481 18 Scheduling Objects Setting the scheduling options For example, you can set an object to have its output automatically delivered by email to other users. Note: You can also configure object instances to be printed after they have been run. See “Setting printer and page layout options” on page 441. When you specify a destination other then “Default,” BusinessObjects Enterprise generates a unique name for the output file or files. To generate a file name, you can use a combination of ID, name or title of the object, owner information, or the date and time information. The following destinations are available: • • • • • “Default destination support” on page 483 “Unmanaged Disk destination support” on page 483 “FTP support” on page 485 “Email (SMTP) support” on page 487 “Inbox support” on page 490 Note: You can change the destination setting for an object or instance either in the Central Management Console (CMC) or in InfoView. When you specify the destination settings through the CMC, these settings are also reflected in the default scheduling settings for InfoView. For program and report objects you can specify any of the available destinations. However, for object packages and Web Intelligence documents you cannot do this, because the recipients must have access to the BusinessObjects Enterprise system to be able to open these types of objects. For example, you cannot specify Unmanaged Disk as a destination for a Web Intelligence document. The following table summarizes which destinations you can configure for which types of objects. Object type Report Object Package Program Web Intelligence document Unm. DIsk No No Email (SMTP) FTP No No File No No Link No Inbox File Link - 482 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Setting the scheduling options 18 Default destination support By default, object instances are saved to the Output File Repository Server (FRS). If you want to save instances to the FRS only and not to any other destinations, select that option. 1. 2. 3. 4. To set your destination to default In the Objects management area of the CMC, select an object by clicking its link. Click the Schedule tab, then click the Destination link. The Destination page appears. Select Default from the Destination list. Click Update. Unmanaged Disk destination support When scheduling objects, you can configure the objects for output to an unmanaged disk. In that case, the system will save an output instance to both the Output File Repository Server and the specified destination. If the object is a Web Intelligence document or an object package, you cannot specify Unmanaged Disk as a destination. However, for an object package you can configure the individual objects in the object package for output to Unmanaged Disk. Note: • • • 1. 2. To use a destination, you must have the destination enabled and configured on the job servers. See “Configuring the destinations for job servers” on page 125. The location must be a local or mapped directory on the processing server. For servers using Windows, the location can also be a Universal Naming Convention (UNC) path. The processing server must have sufficient rights to the specified location. To set your destination to unmanaged disk In the Objects management area of the CMC, select an object by clicking its link. Click the Schedule tab, then click the Destination link. The Destination page appears. BusinessObjects Enterprise Administrator’s Guide 483 18 Scheduling Objects Setting the scheduling options Select Unmanaged Disk from the Destination list. 3. If you want, select the Clean up instance after scheduling option. When that option is selected, the system automatically deletes the report or program instance from the Output File Repository Server to keep the number of instances on the server to a minimum. 4. Select either Use the Job Server’s defaults or Set the values to be used at schedule time here. If you select the first option, BusinessObjects Enterprise will schedule an object using the Job Server’s default settings. You can change these settings in the Servers management area. For more information, see “Configuring the destinations for job servers” on page 125. If you select the second option, you can set the file name properties and enter user information: • Destination Directory Enter a local location, mapped location, or a UNC path. 484 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Setting the scheduling options 18 • • Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name. Specified File Name Select this option if you want to specify a file name—you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. When the instance is run, the variable will be replaced with the specified information from the instance. For example, if you add the variable “Owner,” when you schedule an object, its file name will include the object owner’s name. • • User Name Specify a user who has permission to write files to the destination directory. Password Type the password for the user. Note: You can specify a user name and password only for servers using Windows. 5. Click Update. FTP support When scheduling objects, you can configure the objects for output to a File Transfer Protocol (FTP) server. To connect to the FTP server, you must specify a user who has the necessary rights to upload files to the server.If you specify an FTP destination, the system will save an output instance to both the Output File Repository Server and the specified destination. If the object is a Web Intelligence document or an object package, you cannot specify FTP as a destination. However, for an object package you can configure the individual objects in the object package for output to FTP. Note: To use a destination, you must have the destination enabled and configured on the job servers. See “Configuring the destinations for job servers” on page 125. 1. 2. To set an FTP server as the destination In the Objects management area of the CMC, select an object by clicking its link. Click the Schedule tab, then click the Destination link. The Destination tab appears. BusinessObjects Enterprise Administrator’s Guide 485 18 Scheduling Objects Setting the scheduling options 3. Select FTP from the Destination list. 4. If you want, select the Clean up instance after scheduling option. When that option is selected, the system automatically deletes the report or program instance from the Output File Repository Server to keep the number of instances on the server to a minimum. 5. Select either Use the Job Server’s defaults or Set the values to be used at schedule time here. If you select the first option, BusinessObjects Enterprise will schedule an object using the Job Server’s default settings. You can change these settings in the Servers management area. For more information see “Configuring the destinations for job servers” on page 125. 486 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Setting the scheduling options 18 If you select the second option, you can set the FTP and file name properties: • • • • • Host Enter the FTP host information. Port Enter the FTP port number (the default is 21). FTP User Name Specify a user who has the necessary rights to upload an object to the FTP server. FTP Password Enter the user’s password. Account Enter the FTP account information, if required. Account is part of the standard FTP protocol, but it is rarely implemented. Provide the appropriate account only if your FTP server requires it. • • • Destination Directory Enter the FTP directory that you want the object to be saved to. Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name. Specified File Name Select this option if you want to enter a file name—you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. 6. Click Update. Email (SMTP) support With Simple Mail Transfer Protocol (SMTP) mail support, you can choose to send the instances of an object, for example, a report instance, to one or more email destinations. After it has run the object, the system will send a copy of the output instance as an attachment to the email addresses you specified. When you select the Email (SMTP) destination, the system will save the instance to the Output File Repository Server as well as email it to the specified destinations. BusinessObjects Enterprise supports Multipurpose Internet Mail Extensions (MIME) encoding. BusinessObjects Enterprise Administrator’s Guide 487 18 Scheduling Objects Setting the scheduling options Note: To use a destination, you must have the destination enabled and configured on the job servers. See “Configuring the destinations for job servers” on page 125. Note: If the object is a Web Intelligence document, you cannot specify Email (SMTP) as a destination. 1. 2. 3. To send an object by email In the Objects management area of the CMC, select an object by clicking its link. Click the Schedule tab, then click the Destination link. The Destination page appears. Select Email (SMTP) from the Destination list 4. If you want, select the Clean up instance after scheduling option. 488 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Setting the scheduling options 18 5. 6. When that option is selected, the system automatically deletes the report or program instance from the Output File Repository Server to keep the number of instances on the server to a minimum. Select either Use the Job Server’s defaults or Set the values to be used at schedule time here. If you select the first option, BusinessObjects Enterprise will schedule an object using the Job Server’s default settings. You can change these settings in the Servers management area. For more information, see “Configuring the destinations for job servers” on page 125. If you select the second option, you can specify the email settings and the file name properties: • From Enter a return address. • To Enter an address or addresses that you wish to send the object to. Separate multiple addresses with semicolons. • Cc Enter an address or addresses that you wish to send a carbon copy of the object to. • Subject Complete the subject field. • Message Type a short message, if required. • Add viewer hyperlink to message body Click Add if you want to add the URL for the viewer in which you want the email recipient to view the object. You can set the default URL by clicking Object Settings on the main page of the Objects management area of the CMC. • Attach object instance to email message Clear this check box if you do not want a copy of the instance attached to the email. • Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name. • Specified File Name Select this option if you want to enter a file name—you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. Click Update. BusinessObjects Enterprise Administrator’s Guide 489 18 Scheduling Objects Setting the scheduling options Inbox support When scheduling objects, you can configure objects for output to the inboxes of users. In this case, the system will save the instance to both the Output File Repository Server and the inboxes you specified. Instead of sending the actual file to the inboxes, you can choose to send a shortcut. Note: To use a destination, you must have the destination enabled and configured on the job servers. See “Configuring the destinations for job servers” on page 125. 1. 2. 3. To send an object to inboxes In the Objects management area of the CMC, select an object by clicking its link. Click the Schedule tab, then click the Destination link. The Destination tab appears. Select Inbox from the Destination list. 490 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Setting the scheduling options 18 4. If you want, select the Clean up instance after scheduling option. When that option is selected, the system automatically deletes the report or program instance from the Output File Repository Server to keep the number of instances on the server to a minimum. 5. Select the processing option that you want: • Use the Job Server’s defaults BusinessObjects Enterprise will schedule the object with the job server’s default settings. For more information, see “Configuring the destinations for job servers” on page 125. • Set the values to be used at schedule time here BusinessObjects Enterprise will schedule the object with the parameters you specify. 6. If you selected “Set the values to be used at schedule time here,” set the parameters for that option, otherwise skip this step: Send Document as • • • • 7. Shortcut The system will send a shortcut to the instance, rather than send a copy of the instance itself. Copy The system will send a copy of the instance. Send List Operation Specify who must receive the report instance. You can select individual users or user groups. Look for Use this feature to search for a specific user or users group. Type the name and then click Find now. Click Update. Choosing a format Web Intelligence document formats For Web Intelligence documents, you can select the format that the document will be saved in when it is generated. This format will be saved to the destination you have selected. For more information on destinations, see “Selecting a destination” on page 481. You can select from the following formats: • • • WebIntelligence Microsoft Excel Adobe Acrobat BusinessObjects Enterprise Administrator’s Guide 491 18 Scheduling Objects Setting the scheduling options Crystal report formats For Crystal report objects, you can select the format that a report instance will be saved in when it is generated by BusinessObjects Enterprise. This format will be saved to the destination you have selected for the report object and its instances. For more information on destinations, see “Selecting a destination” on page 481. You can select from the following formats: • • • • • • • • • • • • Crystal Report Microsoft Excel Microsoft Excel (Data Only) Microsoft Word (RTF) Adobe Acrobat Rich Text Editable Rich Text Plain Text Paginated Text Tab-Separated Text Tab-Separated Values Character-separated Values For Excel, Paginated Text, Tab-separated Values, and Character-separated Values, you specify certain formatting properties for the report. For example, if you select Character-separated Values, you can enter characters for the separator and delimiter; you can also select the two check boxes: “Same number formats as in report” and “Same date formats as in report.” Note: • If you choose to print the report when it is scheduled (by checking the “Print in Crystal Reports format using the selected printer when scheduling” check box on the Print Setup page), the report instance is automatically sent to the printer in Crystal Reports format. This does not conflict with the format you select when scheduling the report. The difference between Excel and Excel (Data only) is that Excel attempts to preserve the look and feel of your original report, while Excel (Data only) saves only the data, with each cell representing a field. The Tab-separated Values format places a tab character between values; the Character-separated Values format places a specified character between values. Each of these two formats produce data lists. In contrast, the Tab-separated Text format attempts to preserve the formatting of the report. • • 492 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Setting the scheduling options 18 1. 2. 3. 4. 5. To select a format for the report In the Objects management area of the CMC, select a report object by clicking its link. On the Schedule tab, click the Format link. The Format page appears. Select a format from the Format list. Complete any fields that appear below the list and select (where appropriate) the check boxes that appear. Click Update. Selecting cache options for Web Intelligence documents When the system runs a scheduled Web Intelligence document it stores the the instance it generates on the Output File Repository Server. In addition, you can choose to have the system cache the report on the Web Intelligence Report Server by selecting a cache format for the document. If you don’t select a cache format, then the system won’t cache the document when it runs the document. Note: To select a cache option, the format you specified on the Schedule tab for the object must be WebInteligence. If you select a different format, the Cache Options link is disabled for the object. 1. 2. 3. 4. To select a cache format for Web Intelligence documents In the Objects management area of the CMC, select Web Intelligence object by clicking its link. On the Schedule tab, click the Caching Options link. The Caching Options page appears. Select the format you want. Click Update. Scheduling an object for a user or group The Schedule For feature allows you to generate reports that contain data for specific users only. It is intended to be used for either of the following types of objects: • • Crystal reports that are based on Business Views Web Intelligence documents that use Universes BusinessObjects Enterprise Administrator’s Guide 493 18 Scheduling Objects Setting the scheduling options Using the Schedule For feature you can schedule an object and specify for which users you want the system to run the object. The system will run the object and generate multiple instances of the report or document. Each instance will contain data that is relevant to the individual user only. For example, you can schedule a sales report and on the Schedule For page you can specify the users names for all your sales representatives. At the specified time, the system runs the report object and generates the individual report instances. Each instance would contain sales information for the individual sales representative only. 1. 2. To change the Schedule For settings for an object In the Objects management area of the CMC, select a report object by clicking its link. On the Schedule tab, click the Schedule For link. The Schedule For page appears. 3. Select who you want to schedule the object for. • • 4. Schedule only for myself Schedule for specified users and user groups If you selected Schedule for specified users and user groups, select one or more users or groups and add them to the “Groups to be added to the scheduling list” by using the arrow buttons. Otherwise, skip this step. Click Update. 5. 494 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Managing instances 18 Managing instances To view or manage instances, go to the History page for the object. That page lists the scheduled instances and the output instances for an object: • • Scheduled instances will have a status of Recurring or Pending. The system has not yet run these instances, and the instances do not contain any data yet. Output instances, that is, actual report or program instances, will have a status of Success or Failed, which indicate whether they were run successfully: • • A report instance contains actual report data. A program instance stores the program’s standard out and standard error in a text output file. From the History page, you can also choose to delete, run, pause, and refresh instances. See “Managing and viewing the history of instances” on page 495. To manage storage space, it is good practice to limit the number of possible instances for an object, or to provide a time limit for the instances. See “Setting instance limits for an object” on page 498. Managing and viewing the history of instances The History page displays all of the instances for a selected object. The Instance Time column displays the title of the instances and the date of the last update for each instance. The Status column displays the status of each instance. The Run By column indicates which user scheduled the instance. For report objects, the Format column displays which format the report is, or will be stored in and the Parameters column indicates what parameters were or will be used for each instance. For program objects, the Arguments column lists the command-line options that were or will be passed to the command line interface for each instance. BusinessObjects Enterprise creates instances from objects. That is, a report instance is created when a report object is scheduled and run by the Job Server. Essentially, a report instance is a report object that contains report data that is retrieved from one or more databases. Each instance contains data that is current at the time the report is processed. You can view specific report instances on the History page of the report object. BusinessObjects Enterprise creates a program instance each time that a program object is scheduled and run by the Program Job Server. Unlike report instances, which can be viewed in their completed format, program BusinessObjects Enterprise Administrator’s Guide 495 18 Scheduling Objects Managing instances instances exist as records in the object history. BusinessObjects Enterprise stores the program’s standard out and standard error in a text output file. This file appears when you click a program instance in the object History. Managing instances includes the following tasks: • • • • 1. 2. 3. “Viewing an instance” on page 496 “Pausing or resuming an instance” on page 497 “Deleting an instance” on page 498 “Sending an object or instance” on page 420 To manage instances In the Objects management area of the CMC, select an object by clicking its link. Click the History tab. The History tab appears. Select an instance or instances by selecting the appropriate check boxes. To select all instances, click the check box in the column heading. Note: To refresh the list, click Refresh. In this case you don’t need to select an instance first. 4. Click either Run Now, Pause, Resume, Send to, or Delete. If you click Run Now, the system schedules the object to be run immediately. The scheduled job will have a status of Pending. For information about the Send to button, see “Sending an object or instance” on page 420. Viewing an instance 1. 2. To view an instance Select a object in the Objects management area of the CMC. Click the History tab. 496 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Managing instances 18 The History page appears. 3. In the Instance Time column, click the instance you want to view. You can also use the Instance Manager tool to view a list of instances by status or by user. Access the Instance Manager by clicking its link in the Administrative Tools area of the BusinessObjects Enterprise Administration Launchpad. Pausing or resuming an instance You can pause and then resume an instance as needed. Pause and resume can be applied to scheduled instances only, that is, instances that have a status of Recurring or Pending. For example, if a job server is down for maintenance reasons, you may want to pause a scheduled instance. This prevents the system from running the object, and the object from failing because the job server is not running. When the job server is running again, you can resume the scheduled object. 1. 2. 3. 1. 2. 3. To pause and resume an instance Go to the History page for an object. Select the check box for the scheduled instance you want to pause. Click Pause. To resume an instance after pausing it Go to the History page for an object. Select the check box for the scheduled instance you want to resume. Click Resume. BusinessObjects Enterprise Administrator’s Guide 497 18 Scheduling Objects Managing instances Deleting an instance You can delete instances from an object as needed. You can delete both scheduled instances, which have a status of recurring or pending, and report or program instances, which have a status of success of failed. 1. 2. To delete an instance Go to the History page for an object. Select the check box for the instance or instances you want to delete. Click Delete. Setting instance limits for an object In the Limits page, you can set the limits for the selected object and its instances. You set limits to automate regular clean-ups of old BusinessObjects Enterprise content. At the object level, you can limit the number of instances that remain on the system for the object or for each user or group; you can also limit the number of days that an instance remains on the system for a user or group. In addition to setting the limits for the objects from the Objects management area, you can also set limits at the folder level. When you set limits at the folder level, these limits will be in effect for all objects that reside within the folder (including any objects found within the subfolders). For information on setting folder limits, see “Setting limits for folders, users, and groups” on page 365. Note: When you set the limits at the object level, the object limits will override the limits set for the folder; that is, the object will not inherit the limits of the folder. 1. 2. To set limits for instances In the Objects management area of the CMC, select an object by clicking its link. On the History tab, click the Limits link. 498 BusinessObjects Enterprise Administrator’s Guide Scheduling Objects Managing instances 18 The Limits page appears. 3. Make your settings according to the types of limits you want to set for your instances. The options are as follows: • Delete excess instances when there are more than N instances of an object To limit the number of instances per object, select this check box. Then type the maximum number of instances that you want to remain on the system. (The default value is 100.) • Delete excess instances for the following users/groups To limit the number of instances for users or groups, click Add/ Remove in this area. Select from the available users and groups and click OK. Then type the maximum number of instances in the Instance Limit column. (The default value is 100.) • Delete instances after N days for the following users/groups To limit the number of days that instances are saved for users or groups, click Add/Remove in this area. Select from the available users and groups and click OK. Then type the maximum age of instances in the Maximum Days column. (The default value is 100.) 4. Click Update. BusinessObjects Enterprise Administrator’s Guide 499 18 Scheduling Objects Managing instances 500 BusinessObjects Enterprise Administrator’s Guide Managing Calendars chapter 19 Managing Calendars Overview Overview Calendars make it easy for you to schedule complex recurring jobs efficiently. A calendar is a customized list of run dates for scheduled jobs. When users schedule objects, they can use a calendar to run the job on a predefined set of dates. By providing calendars for your users, you can create more complex processing schedules than you can with the standard scheduling options. Calendars are particularly useful when you want to run a recurring job on an irregular schedule, or if you want to provide users with sets of regular scheduling dates to choose from. Calendars also allow you to create more complex processing schedules, combining unique scheduling dates with recurring ones. For example, if you want a report object to run every business day except for your country’s statutory holidays, you can create a calendar with the holidays marked as “non-run” days, on which the report object cannot be run. BusinessObjects Enterprise will run the job every day you have specified as a “run” day in your calendar. You can set up as many calendars as you want in BusinessObjects Enterprise. Calendars you create appear in the Calendar selection list available when you choose to schedule an object using a calendar. When you apply the calendar to a job, runs the job on the run dates as scheduled. You can apply calendars to any object that can be scheduled, including report objects, program objects, and object packages. Managing calendars includes: • • • • “Creating calendars” on page 502 “Adding dates to a calendar” on page 503 “Deleting calendars” on page 507 “Specifying calendar rights” on page 508 Creating calendars In the Central Management Console (CMC), go to the Calendars management area to create new calendars and to modify existing calendars. To create a calendar, you need to provide a name and description. When the calendar is created, you can add run dates to it using the Dates tab. Tip: It is good practice to create a calendar for users to use as a template for creating new calendars. They can copy this template calendar and modify it as necessary. For example, you can create a default Weekdays calendar that includes all days as run dates except weekends and company holidays. 502 BusinessObjects Enterprise Administrator’s Guide Managing Calendars Adding dates to a calendar 19 1. 2. 3. To create a calendar Go to the Calendars management area of the CMC. Click New Calendar. On the Properties tab, type the name and description of the new calendar. This example creates a calendar for Canadian employees that schedules an object on all weekdays except statutory Canadian holidays. 4. Click Update. The new calendar is added to the system, and its Properties tab is refreshed. You can now use the Dates tab to add run dates to this calendar. For details, see “Adding dates to a calendar” on page 503. Adding dates to a calendar You can add dates to a calendar using a number of different formats. You can choose specific dates using a yearly, quarterly, or monthly view of the calendar, or you can choose recurring dates using general formats based on the day of the month or week. See “Recurring dates” on page 506. 1. 2. 3. To add dates to a calendar Go to the Calendars management area of the CMC. Click the link for the calendar you want to change. Click the Dates tab. BusinessObjects Enterprise Administrator’s Guide 503 19 Managing Calendars Adding dates to a calendar 4. In the “Select a calendar displaying format” list, choose from one of the five calendar format options: • Yearly Yearly displays the calendar’s run dates for the year. To change the year displayed, you can click the Previous Year and Next Year buttons. To add a date from the Yearly format, click a month to open it in Monthly format, where you can add run dates to specific days. • Quarterly Quarterly displays the calendar’s run dates for the current calendar quarter. You can change the displayed quarter using the Previous Quarter and Next Quarter buttons. To add a date from the Quarterly format, click a month to open it in Monthly format, where you can add run dates to specific days. • Monthly Monthly displays the calendar’s run dates for the current month. You can change the displayed month using the Previous Month and Next Month buttons. • Generic Monthly, by Day of Week Generic Monthly, by Day of Week allows you to add general recurring dates based on the day of the week. The dates are applied to the months specified between the Start and End Dates. Week 1 starts on the Sunday of the week of the Start Date you specify. Note that this format does not display the currently selected dates from the calendar; it only allows you to add new dates and update the schedule. • Generic Monthly, by Day of Month Generic Monthly, by Day of Month allows you to add general recurring dates based on the day of the month. The dates are applied to the months specified between the Start and End Dates. This format allows you to add new dates and update the schedule; it does not display currently selected dates from the calendar. See also “Specific dates” on page 505 and “Recurring dates” on page 506. 5. Click the days of the month that you want to include as run days for the calendar. To remove a run day, click the day again. Tip: For the Monthly and Generic Monthly, by Day of Week formats, you can select multiple dates at once by clicking the row or column headings. 6. To add the new dates to the calendar, click Update. 504 BusinessObjects Enterprise Administrator’s Guide Managing Calendars Adding dates to a calendar 19 If you added dates using a generic format, the Yearly format will automatically appear, displaying the new dates. Note: When you change an existing calendar, BusinessObjects Enterprise checks all currently scheduled instances in your system. Objects that use the edited calendar are automatically updated to run on the revised date schedule. Specific dates To add a specific date to a calendar, use the Yearly, Quarterly, and Monthly formats to add dates to the calendars. The Yearly format displays the run schedule for the entire year. The Quarterly format displays the run dates for the current quarter. You can also view the Monthly format for the calendar, which displays the run dates for the current month. In all three formats, you can change the displayed time range by clicking the previous and next buttons. You can add specific dates in the Monthly calendar format. To add dates for the Yearly and Quarterly calendar formats, click a month to open it in the Monthly format, where you can select specific days as run dates. For example, if your company ships products according to an irregular schedule that cannot be defined using the daily or weekly settings, you can create a list of these dates in a “Shipping dates” calendar. The Shipping department can now check the inventory after each shipment by scheduling a report that uses the calendar to run at the end of each shipping day. BusinessObjects Enterprise Administrator’s Guide 505 19 Managing Calendars Adding dates to a calendar Recurring dates To create a recurring pattern of monthly run dates, use the generic Monthly formats. You can add the generic dates based on the day of the week or the day of the month. To view existing run dates, you must use the Yearly, Quarterly, or Monthly format; the generic formats are used to add dates to the calendar. Although you can set a recurring schedule using the standard scheduling options, calendars allow you to specify several different recurring run patterns at once. You can also run instances on dates that do not follow the pattern by adding individual days to a calendar. For example, to schedule a report object to run on the first four days of every month, and on the second and fourth Friday of every month, first create a new calendar object and name it. Then, use the Generic Monthly, by Day of Month format to add the first four days of the month to this calendar. When you update the calendar, the Yearly format appears with the new run dates. To add every second and fourth Friday to the calendar, use the Generic Monthly, by Day of Week format. 506 BusinessObjects Enterprise Administrator’s Guide Managing Calendars Deleting calendars 19 Deleting calendars When you delete a calendar, any objects that are scheduled according to the deleted calendar will be run one more time by the system. After that, the system won’t be able to schedule the objects again, because the calendar no longer exists. To ensure the objects continue to be run, change the scheduling information for the objects either by selecting a different calendar or a different recurrence pattern. See “Scheduling objects” on page 466. 1. 2. 3. To delete a calendar Go to the Calendars management area of the CMC. Select the check box associated with the calendar you want to delete. Tip: Select multiple check boxes to delete several calendars. Click Delete, and click OK to confirm. BusinessObjects Enterprise Administrator’s Guide 507 19 Managing Calendars Specifying calendar rights Specifying calendar rights You can grant or deny users and groups access to calendars. Depending how you organize your calendars, you may have specific sets of dates that you want to be available only for certain employees or departments. For example, your finance team may use a series of financial tracking dates that aren’t useful for other departments. Users will only be able to see the calendars they have the rights to see, so you can use rights to hide calendars that aren’t applicable to a particular group. Follow this procedure to change the rights for a calendar. By default, calendars are based on current security settings, inheriting rights from the users’ parent folders. 1. 2. 3. 4. To grant access to a calendar Go to the Calendars management area of the CMC. Select the calendar you want to grant access to. Click the Rights tab. Click Add/Remove to add users or groups that you want to give access to the selected calendar. The Add/Remove page appears. 5. 6. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users. Select the user or group you want to grant access to the specified calendar. If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account. 7. 8. 9. Click OK. On the Rights tab, change the Access Level for each user or group, as required. To choose specific rights, choose Advanced. For complete details on the predefined access levels and advanced rights, see “Rights and Access Levels” on page 563. 10. Click Update. 508 BusinessObjects Enterprise Administrator’s Guide Managing Events chapter 20 Managing Events Managing events overview Managing events overview Event-based scheduling provides you with additional control over scheduling objects: you can set up events so that objects are processed only after a specified event occurs. Working with events consists of two steps: creating an event and scheduling an object with events. That is, once you create an event, you can select it as a dependency when you schedule an object. The scheduled job is then processed only when the event occurs. This chapter shows how to create events in the Events management area of the Central Management Console (CMC). You can create three kinds of events: • File events When you define a file-based event, you specify a filename that the Event Server should monitor for a particular file. When the file appears, the Event Server triggers the event. For instance, you might want to make some reports dependent upon the regular file output of other programs or scripts. For details, see “File-based events” on page 511. • Schedule events When you define a schedule-based event, you select an object whose existing recurrence schedule will serve as the trigger for your event. In this way, schedule-based events allow you to set up contingencies or conditions between scheduled objects. For instance, you might want certain large reports to run sequentially, or you might want a particular sales summary report to run only when a detailed sales report runs successfully. For details, see “Schedule-based events” on page 512. • Custom events When you create a custom event, you create a shortcut for triggering an event manually. Basically, your custom event occurs only when you or another administrator clicks the corresponding “Trigger this event” button in the CMC. For details, see “Custom events” on page 514. 510 BusinessObjects Enterprise Administrator’s Guide Managing Events File-based events 20 When working with events, keep in mind that an object’s recurrence schedule still determines how frequently the object runs. For instance, a daily report that is dependent upon a file-based event will run, at most, once a day (so long as the file that you specify appears every day). In addition, the event must occur within the time frame established when you actually schedule the event-based report. Note: For information on scheduling an event-based object in the Objects management area of the CMC, see “Scheduling an object with events” on page 473. File-based events File-based events wait for a particular file (the trigger) to appear before the event occurs. Before scheduling an object that waits for a file-based event to occur, you must first create the file-based event in the Events management area of the CMC. Then you can schedule the object and select this event. For more information on scheduling an object with events, see “Scheduling an object with events” on page 473. File-based events are monitored by the Event Server. When the file that you specify appears, the Event Server triggers the event. The Central Management Server (CMS) then releases any schedule requests that are dependent on the event. For instance, suppose that you want your daily reports to run after your database analysis program has finished and written its automatic log file. To do this, you specify the log file in your file-based event, and then schedule your daily reports with this event as a dependency. When the log file appears, the event is triggered and the reports are processed. Note: If the file already exists prior to the creation of the event, the event is not triggered. In this case, the event is triggered only when the file is removed and then recreated. If you want an event to be triggered multiple times, you must remove and recreate the file each time. 1. 2. To create a file-based event Go to the Events management area of the CMC. Click New Event. The New Event page appears. BusinessObjects Enterprise Administrator’s Guide 511 20 Managing Events Schedule-based events 3. 4. 5. 6. 7. In the Type list, select File. Type a name for the event in the Event Name field. Complete the Description field. In the Server list, select the Event Server that will monitor the specified file. Type a filename in the Filename field. Note: Type the absolute path to the file that the Event Server should look for (for example, C:\folder\filename, or /home/folder/filename). The drive and directory that you specify must be visible to the Event Server. Ideally, the directory should be on a local drive. 8. Click OK. Schedule-based events Schedule-based events are dependent upon scheduled objects. That is, a schedule-based event is triggered when a particular object has been processed. When you create this type of event, it can be based on the success or failure of a scheduled object, or it can be based simply on the completion of the job. Most importantly, you must associate your schedule-based event with at least two scheduled objects. The first object serves as the trigger for the event: when the object is processed, the event occurs. The second object is 512 BusinessObjects Enterprise Administrator’s Guide Managing Events Schedule-based events 20 dependent upon the event: when the event occurs, this second object runs. For more information on scheduling objects with events, see “Scheduling an object with events” on page 473. For instance, suppose that you want report objects R1 and R2 to run after program object P1 runs. To do this, you create a schedule-based event in the Events management area. You specify the “Success” option for the event, which means that the event is triggered only when program P1 runs successfully. Then, you schedule reports R1 and R2 with events, and select your new schedule-based event as the dependency. Schedule program P1 with events, and set program P1 to trigger the schedule-based event upon successful completion. Now, when program P1 runs successfully, the schedulebased event is triggered, and reports R1 and R2 are subsequently processed. 1. 2. To create a schedule-based event Go to the Events management area of the CMC. Click New Event. The New Event page appears. 3. 4. 5. In the Type list, select Schedule. Type a name for the event in the Event Name field. Complete the Description field. BusinessObjects Enterprise Administrator’s Guide 513 20 Managing Events Custom events 6. In the “Event based on” area, select from three options: • • • Success The event is triggered only upon successful completion of a specified object. Failure The event is triggered only upon non-successful completion of a specified object. Success or Failure The event is triggered upon completion of a specified object, regardless of whether that object was processed successfully or not. 7. Click OK. Custom events A custom event occurs only when you explicitly click its “Trigger this event” button. As with all other events, an object based on a custom event runs only when the event is triggered within the time frame established by the object’s schedule parameters. Custom events are useful because they allow you to set up a shortcut that, when clicked, triggers any dependent schedule requests. Tip: When developing your own web applications, you can trigger Custom events from within your own code, as required. For more information, see the developer documentation available on your product CD. For instance, you may have a scenario where you want to schedule a number of reports, but you want to run them after you have updated information in your database. To do this, create a new custom event, and schedule the reports with that event. When you update the data in the database and you need to run the reports, return to the event in the CMC and trigger it manually. BusinessObjects Enterprise then runs the reports. For more information on event-based scheduling, see “Scheduling an object with events” on page 473. Note: You can trigger a custom event multiple times. For example, you might schedule two sets of event-based program objects to run daily—one set runs in the morning, and one set runs in the afternoon. When you first trigger the related custom event in the morning, one set of programs is run; when you trigger the event again in the afternoon, the remaining set of programs is run. If you neglect to trigger the event in the morning and trigger it only in the afternoon, both sets of programs run at that time. 514 BusinessObjects Enterprise Administrator’s Guide Managing Events Specifying event rights 20 1. 2. 3. 4. 5. 6. To create a custom event Go to the Events management area of the CMC. Click New Event. In the Type list, select Custom. Type a name for the event in the Event Name field. Complete the Description field. Click OK. Note: Before you trigger this custom event, schedule an object that is dependent upon this event. 1. 2. 3. To trigger a custom event Go to the Events management area of the CMC. In the Event Name column, select a custom event by clicking its link. Click Trigger this event. A message appears: “This event has been triggered.” Specifying event rights You can grant or deny users and groups access to events. Depending how you organize your events, you may have specific events that you want to be available only for certain employees or departments. For example, you may want certain events to be triggered only by management or IT. Users will only be able to see events they have the rights to see, so you can use rights to hide events that aren’t applicable to a particular group. For example, by granting only the ITadmin group access to IT-related events, those events won’t appear for a user from the HRadmin group; this makes the event list easier for the HRadmin group to navigate. Follow this procedure to change the rights for an event. By default, events are based on current security settings, inheriting rights from the users’ parent folders. 1. 2. 3. To grant access to an event Go to the Events management area of the CMC. Select the event you want to grant access to. Click the Rights tab. BusinessObjects Enterprise Administrator’s Guide 515 20 Managing Events Specifying event rights 4. Click Add/Remove to add users or groups that you want to give access to the event. The Add/Remove page appears. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users. Select the user or group you want to grant access to the specified event. If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account. Click OK. On the Rights tab, change the Access Level for each user or group, as required. Note: For complete details on the predefined access levels and advanced rights, see “Rights and Access Levels” on page 563. 5. 6. 7. 8. 9. 10. To choose specific rights, choose Advanced. 11. Click Update. 516 BusinessObjects Enterprise Administrator’s Guide General Troubleshooting chapter 21 General Troubleshooting Troubleshooting overview Troubleshooting overview BusinessObjects Enterprise is designed to integrate with a multitude of different operating systems, web servers, network and firewall configurations, database servers, and reporting environments. Thus, any troubleshooting that you may need to undertake will likely reflect the particularities of your deployment environment. This chapter includes general troubleshooting steps along with solutions to some specific configuration issues. In general, consider the following key points when troubleshooting: • Ensure that client and server machines are running supported operating systems, database servers, database clients, and appropriate server software. For details, consult the Platforms.txt file, included with your product distribution. Verify that the problem is reproducible, and take note of the exact steps that cause the problem to recur. On Windows, use the sample reports and sample data included with the product to confirm whether or not the same problem exists. • • Determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another. If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration. • If the problem relates to connectivity or functionality over the Web, check that BusinessObjects Enterprise is integrated properly with your web environment. For details, see BusinessObjects Enterprise Installation Guide and “Web accessibility issues” on page 519. If the problem relates to report viewing or report processing, verify your database connectivity and functionality from each of the affected machines. Use Crystal Reports to verify that the report can be viewed properly. If the Job or Page Servers are running on Windows, open the report in Crystal Reports on the server machine and check that you can refresh the report against the database. For details, see “Report viewing and processing issues” on page 521. Look for solutions in the documentation included with your product. For details, see “Documentation resources” on page 519. • • 518 BusinessObjects Enterprise Administrator’s Guide General Troubleshooting Documentation resources 21 • Check out the Business Objects Customer Support technical support web site for white papers, files and updates, user forums, and Knowledge Base articles: http://support.businessobjects.com/ Documentation resources The BusinessObjects Enterprise Release Notes are provided in the root directory of your product distribution, as is the Platforms.txt file. These documents list supported third-party software along with any known issues or implementation-specific configuration details. BusinessObjects Enterprise also includes a number of manuals. CHM and PDF files are located in the doc directory of your product distribution. Access the HTML versions from the BusinessObjects Enterprise Administrator Launchpad, or from within the CMC or InfoView. Additional Compiled HTML Help (CHM) files are provided with the following client tools: • • • • • Central Configuration Manager Publishing Wizard Repository Migration Wizard Import Wizard Crystal Report Offline Viewer Press F1 or click Help to launch the online help from within these applications. Web accessibility issues Using an IIS web site other than the default On Windows, the BusinessObjects Enterprise installation creates virtual directories on the Internet Information Server (IIS) “Default Web Site.” If you are using a web site other than the default, you must copy the virtual directory configuration from the default web site to the web site you are using. BusinessObjects Enterprise also sets up several application mappings on the default site. These can be viewed and copied from the default web site to the web site you are using. Restart the web server once you have made these changes. For more information, see BusinessObjects Enterprise Installation Guide. BusinessObjects Enterprise Administrator’s Guide 519 21 General Troubleshooting Web accessibility issues Unable to connect to CMS when logging on to the CMC If you attempt to log on to the CMC while the Central Management Server (CMS) is not running, the following error message appears: Unable to connect to CMS () to retrieve cluster members. Logon can not continue. Use the CCM to start the CMS. (If the CMS was already started, use the CCM to restart it.) Windows NT authentication cannot log you on When you attempt to log on to the Central Management Console (CMC) or to InfoView, the following error occurs: NT Authentication could not log you on. Please make sure your logon information is correct. If your account is in any domain other than "DOMAIN NAME" you must enter your user name as DomainName\UserName. This error may occur for various reasons. Investigate these common solutions: • Ensure that the specified authentication type corresponds to the user name and password provided on the log on page. To log on with a Windows NT user name, verify that the authentication type is set to Windows NT Authentication and not Enterprise. Netscape users must provide a valid Windows NT user name in the form of Domain\User. Microsoft Internet Explorer users must provide a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS. If Windows NT Integrated security (NT Challenge/Response) is enabled in Internet Information Services (IIS) and in the Web Component Adapter (WCA), then users must use Microsoft Internet Explorer. In addition, users must log on to the client machine with a valid NT domain user account before logging on to BusinessObjects Enterprise. Users must log on to BusinessObjects Enterprise with a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS. The web server and all BusinessObjects Enterprise components must be running on Windows NT/2000 for Windows NT authentication to work. • • • • 520 BusinessObjects Enterprise Administrator’s Guide General Troubleshooting Report viewing and processing issues 21 Report viewing and processing issues When troubleshooting reports, it is especially useful to determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another. If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration. In particular, check the database client configurations, the drivers and versions, and the accounts under which the processing servers are running. If the reports are based off ODBC data sources, compare the ODBC driver versions, the DSN configurations, and the versions of the MDAC layer. Check to see if the Page Server or Job Server is running under an account that has the appropriate access rights to the report database server. If the report database server is on a remote machine, change the Page Server or Job Server to use a valid domain account with enough rights to view or process the report. If you follow these steps and the problem persists, contact Business Objects technical support. Before you call, take note of the database client and version you are running, the database server version that you are connecting to, and the driver name and version that you are using to connect. Troubleshooting reports with Crystal Reports On Windows, you can install Crystal Reports on all Job Server, Page Server, and RAS machines in order to speed up the troubleshooting of reports and database connectivity. In this way, you use Crystal Reports to simulate the steps that are performed by the BusinessObjects Enterprise processing servers when a scheduled report is processed, or when a report is viewed on demand over the Web. By locating the step where Crystal Reports is unable to open, refresh, or save the report, you may be able to locate the source of the problem. Note: The exact steps and menu options may differ, depending on your version of Crystal Reports. 1. To troubleshoot a report Start Crystal Reports on the appropriate machine: • • If the report runs successfully on demand, but fails when scheduled, start Crystal Reports on the Job Server. If the report fails when viewed on demand, but runs successfully when scheduled, start Crystal Reports on the Page Server. BusinessObjects Enterprise Administrator’s Guide 521 21 General Troubleshooting Report viewing and processing issues • • If the report fails when viewed on demand with the Advanced DHTML viewer, start Crystal Reports on the RAS. If the report fails in all cases, first complete these troubleshooting steps on one processing server; then verify whether or not the problem is resolved on all processing servers. If not, repeat the steps on a different processing server. 2. Open the report from the CMS. On the File menu, click Open. Click Enterprise Folders and log on to your CMS. If you cannot open the report, verify network connectivity between the server you are working on, the CMS, and the Input File Repository Server. 3. Test your database connection and authentication. On the Database menu, click Log On/Off Server. If you cannot log on to the database server, check the configuration of the database client software and ensure that the report contains a valid database user name and password. 4. If the report’s parameters or record selection need to be modified by BusinessObjects Enterprise users when they schedule or view the report, change the parameter values or record selection formula accordingly. If the values are invalid, Crystal Reports will report an error. Verify that the tables used in the report match the tables in the database. On the File menu, clear the “Save Data with Report” check box. On the Database menu, click Verify Database. Correct any issues reported by Crystal Reports, and then save the report. 5. 6. Refresh the report and, if current data is not returned from the database, check these possible causes: • • • If the report fails, ensure that the database credentials provide READ rights to all tables in the report. If the database credentials are valid, the report’s SQL statement is evaluated at this time. Check the join information. Note any ODBC errors that are produced. If the SQL statement is valid, data begins to return to Crystal Reports. As this happens, the temporary files increase in size. Verify resource allocation in case the machine is running out of memory or disk space. 7. Go to the last page of the report. Crystal Reports will report any errors that it encounters within the report (such as formulas, subreports, and other objects). 8. Export the report to Crystal Reports format (or any other desired format). 522 BusinessObjects Enterprise Administrator’s Guide General Troubleshooting Report viewing and processing issues 21 This step ensures that Crystal Reports is able to create temporary files that are required in order to complete the processing of a report. 9. If the report now refreshes successfully, save it back to the CMS. 10. Close the report. 11. Close Crystal Reports. 12. Repeat the activity that caused the original report to fail: view the report on demand over the Web, or schedule the report for processing. Troubleshooting reports and looping database logon prompts A common issue when viewing reports over the Web is a persistent database logon prompt that is displayed repeatedly by the user’s browser. Regardless of the credentials provided by the user, the report will not display. This problem is typically caused by the configuration of the Page Server or the Report Application Server (RAS). This section provides a series of troubleshooting steps that should resolve this problem and others that are specific to reports and database connectivity. 1. To troubleshoot reports and looping database logon prompts Verify the report with Crystal Reports. Use Crystal Reports to verify the report. If you have the Crystal Reports Designer installed on the Page Server, Job Server, or RAS machine, test database connectivity by opening the report in Crystal Reports on the server. For details, see “Troubleshooting reports with Crystal Reports” on page 521. 2. Change the server’s logon account. BusinessObjects Enterprise servers require access to various local and/ or remote resources and to the database server. Experience shows that running the Page Server, Job Server, RAS, and Web Component Adapter (WCA) under a Domain Administrator account allows them to access the components necessary to connect successfully to data sources. To change a server’s logon account, see “Configuring Windows processing servers for your data source” on page 132. Tip: Running a background application under an Administrator account does not inadvertently grant administrative privileges to another user, because users cannot impersonate services. 3. Verify the server’s access to ODBC Data Source Names (DSNs). BusinessObjects Enterprise Administrator’s Guide 523 21 General Troubleshooting Report viewing and processing issues Base reports off System DSNs (and not File or User DSNs), and set up each System DSN identically on every Job Server, Page Server, and RAS machine that will process the report. If the report is based off an ODBC data source, the processing server must have permission to access the corresponding DSN configuration. This information is stored in the Windows registry. The Job Server, Page Server, and RAS require Full Control or Special Access to the ODBC registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI Consult your Windows documentation for information about working with the registry. Additional configuration may be required, depending upon the database that you are reporting off of. For details, see “Configuring Windows processing servers for your data source” on page 132. 4. Determine the configuration of the database client software. If you are not using ODBC, the database client software must be installed on each machine that will process reports. On Windows, many database clients store their configuration in the registry below HKEY_LOCAL_MACHINE. If your database client stores its configuration below HKEY_CURRENT_USER, the BusinessObjects Enterprise services cannot use the database client software to communicate with the database. 5. Verify the NTFS permissions granted to the Job Server, Page Server, and RAS. Insufficient NTFS rights on the server may cause a number of problems to arise when you view reports over the Web. As in step 2, changing each server’s logon account to that of a Domain Administrator account should resolve such problems. For the minimum set of NTFS permissions required by BusinessObjects Enterprise, see “Configuring NTFS Permissions” on page 569. 6. Check whether or not NT authentication is performed by the database. If you report against a database that uses NT authentication for access control (Microsoft SQL Server, Sybase, and so on), the Job Server, Page Server, and RAS must run under a Windows NT/2000 domain user account that has access to the appropriate database tables. (In this scenario, each server’s logon account determines the level of access it is granted by the database. BusinessObjects Enterprise does not pass endusers’ NT tokens through to the database server.) To retain the access control levels that are set up within the database, you can instead change each ODBC DSN so that it implements SQL Server Login instead of NT authentication. 524 BusinessObjects Enterprise Administrator’s Guide General Troubleshooting Report viewing and processing issues 21 7. Check the available environment variables. Environment variables are used by the operating system to govern and manage system files for particular users. On Windows, BusinessObjects Enterprise servers are generally most affected by the TMP and TEMP environment variables. Because the servers are run as services, they cannot access the User Environment variables that are created by default. Therefore, it is recommended that you create System Environment variables if they do not already exist. Consult your Windows documentation for details. 8. Reference remote data sources with UNC paths. Ensure that servers have access to remote databases through UNC paths, instead of through mapped drives. For example, if you design a report off a PC database that resides on a network drive, ensure that the report references its data source with the appropriate UNC path. For details, see “Ensuring that server resources are available on local drives” on page 526. 9. Ensure that you have enough database client licenses. If all database client licenses are in use, the BusinessObjects Enterprise servers are unable to retrieve data from the database. 10. Check that database connections are closed in a timely fashion. If a database connection is not closed quickly, the database may not service another request until the connection has been closed. To decrease the “Minutes Before an Idle Job is Closed” setting, see “Modifying Page Server performance settings” on page 115. 11. Use multi-threaded database drivers. Multi-threaded database drivers allow the processing servers to connect to the database without having to wait for the database to fulfill initial requests. ODBC connections are typically recommended because they provide multithreaded connections to the database. However, Crystal Reports now includes a number of thread-safe native and OLEDB drivers. A list of these thread-safe drivers is available in the Crystal Reports Release Notes. 12. Check for problems with particular data sources. If your report is based on a Lotus Notes database, you may need to perform additional configuration. Download the latest instructions from the Business Objects Customer Support Knowledge Base. BusinessObjects Enterprise Administrator’s Guide 525 21 General Troubleshooting Report viewing and processing issues IBM offers several client applications for connecting to DB2. The recommended client is IBM DB2 Direct Connect, whose ODBC drivers were written for actual programmatic interaction with products like BusinessObjects Enterprise. See the Business Objects Customer Support Knowledge Base for discussions of this and other DB2 clients. If you encounter problems with any other specific data sources, check the Knowledge Base for the latest information. Ensuring that server resources are available on local drives When the BusinessObjects Enterprise servers are running on Windows, many can be configured to use specific directories to store files. For example, you can specify the root directory for each File Repository Server, the temporary directories for the Cache and Page Servers, or the directory from which the Job Servers load processing extensions. In all cases, the directory that you specify must be on a local drive (such as C:\InputFRS or C:\Cache). Do not use Universal Naming Convention (UNC) paths or mapped drives. Although some BusinessObjects Enterprise servers can recognize and use UNC paths, do not configure the servers to access network resources in this manner. Use local drives instead, because UNC paths can limit performance due to limitations in the underlying protocol. Tip: If your report runs against a PC database that resides on a network drive, then the report itself must reference its data source through a UNC path. In this case, the service must run under a domain user account with network permissions. For details, see “Configuring Windows processing servers for your data source” on page 132. Similarly, if you configure a server to use a mapped drive, the server may appear to function correctly. However, servers cannot access mapped resources when the machine is restarted. Drives are mapped according to your user profile when you log on to Windows NT/2000, but, once a drive is mapped, it is available to the entire operating system. So, when you log on and map a local or network drive, the mapped drive is accessible to the LocalSystem account, and hence to the BusinessObjects Enterprise servers running on the local machine. When you log off the local machine, the servers may retain access to the mapped drive for some time (Windows will release the drive mapping if no application maintains a persistent connection to the mapped resource). However, when you restart the local machine, the mapped drive is not restored until you log back on. Note: Changing a server’s log on account from the LocalSystem account to a Windows NT/2000 user account with network privileges will not resolve the problem, because the servers do not actually log on to the network with that 526 BusinessObjects Enterprise Administrator’s Guide General Troubleshooting InfoView considerations 21 account. Instead, the servers perform “account impersonation.” This provides access to some profile-specific resources (such as printers and email profiles), but not others (such as ODBC User Data Source Names and mapped drives). Page Server error when viewing a report When you attempt to run or preview a report, the following error message appears: There are no Page Servers connected to the Cache Server or all the connected Page Servers are disabled. Please try to reconnect later. [On Page Server : .Cacheserver] This error indicates that the Page Server is not started and enabled. Use the CCM to start the Page Server and then enable it. (If the Page Server was already started and enabled, use the CCM to restart it.) InfoView considerations Supporting users in multiple time zones Avoid granting Schedule access to the default Guest account if you deploy InfoView for users in different time zones. Instead, ensure that each user who is allowed to schedule reports has a dedicated account on the system, and that each user's InfoView preferences include the appropriate time-zone setting. To view or modify the time-zone setting for any user account, use the Preferences Manager, which is available as a Client Sample on the Crystal Enterprise User Launchpad. Dedicated accounts are recommended because the default Guest account does not allow users to modify account preferences that would affect other users. For more information about using specific time-zone properties in your custom web applications, see the BusinessObjects Enterprise SDK documentation. Setting default report destinations By default, a report's destination that is set in the CMC will be the selected destination when a report is scheduled in InfoView. A user can also select alternate destinations in InfoView by updating the Destination option. Note that the destination set in InfoView applies only to the scheduled instance. Thus, when a user schedules another instance in InfoView, the destination that is set in the CMC will be selected, unless the user changes the Destination option. If the user selects the Default destination setting in BusinessObjects Enterprise Administrator’s Guide 527 21 General Troubleshooting InfoView considerations InfoView, reports are processed on the Job Server and sent to the File Repository Server. The Default destination setting in InfoView is equivalent to the Default destination setting in the CMC. 528 BusinessObjects Enterprise Administrator’s Guide Licensing Information chapter 22 Licensing Information Licensing overview Licensing overview BusinessObjects Enterprise is a scalable product that provides you with the ability to add license keys as the demand for report information increases in your organization. You can purchase concurrent, named, and processor licenses. RAS Report Modification licenses are also available. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, a 100 user concurrent license could support 250, 500, or 700 users depending on the frequency with which the system is accessed and the number and size of the reports. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You may want to purchase named user licenses for people in your organization who require access to BusinessObjects Enterprise at all times. For example, you could purchase a named user license for each of the 25 managers and a concurrent license for 175 general users. Processor licenses are based on the number of processors that are running BusinessObjects Enterprise. To determine the number of processor licenses you require, count the number of processors on any servers running any component of BusinessObjects Enterprise. BusinessObjects Enterprise Embedded or RAS Report Modification licenses enable the Report Application Server’s Software Development Kit (SDK) for report-creation, thereby providing you with tools for building your own webbased reporting and query tools. In addition, these licenses add standard report-creation and report-modification wizards to InfoView, so users can create and modify reports over the Web in an ad hoc fashion. Note: If you are upgrading from a trial version of the product, be sure to delete the Evaluation key prior to adding any new license keys or product activation keycodes. For more information about licenses, sessions, and session handling see “BusinessObjects Enterprise Security Concepts” on page 227. 530 BusinessObjects Enterprise Administrator’s Guide Licensing Information Accessing license information 22 Accessing license information The License Keys tab identifies the number of concurrent, named, and processor licenses associated with each key. 1. Go to the License Keys management area of the CMC. 2. Select a license key. The details associated with the key appear in the Licensing Information area. To purchase additional license keys: • • Contact your Business Objects sales representative. Contact your regional office. For details, go to: http://www.businessobjects.com/company/contact_us/ BusinessObjects Enterprise Administrator’s Guide 531 22 Licensing Information Adding a license key Adding a license key Note: If you are upgrading from a trial version of the product, be sure to delete the Evaluation key prior to adding any new license keys or product activation keycodes. 1. 2. 3. Go to the License Keys management area of the CMC. Type the key in the Add Key field. Note: Key codes are case-sensitive. Click Add. The key is added to the list. Viewing current account activity 1. 2. Go to the Settings management area of the CMC. Click the Metrics tab. This tab displays current license usage, along with additional job metrics. 532 BusinessObjects Enterprise Administrator’s Guide Licensing Information Viewing current account activity 22 Feature Crystal Repository refresh Insert subreport Unicode support Setting locale of the Report Engine New viewer architecture Smart Tags Exporting page ranges New Excel export options OLAP integration Export drill down views Embed URL link to report in email Set database location Custom printer settings Java SDK .NET SDK RAS support for processing extensions Distributed servers Ability to define users/ personalization Concurrent users Third-party authentication support Events Object distribution (Destinations) BusinessObjects Enterprise Mobile Desktop Server group re-direction Express X X X X X X X X X X X X Professional X X X X X X X X X X X X X X X X X X X X X X X X X X X BusinessObjects Enterprise Administrator’s Guide 533 22 Licensing Information Viewing current account activity 534 BusinessObjects Enterprise Administrator’s Guide BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI appendix A From BusinessObjects 6.x to BusinessObjects XI Product offering Product offering Here is a list of the applications in each version’s offering. Although the applications in each row belong to the same area of functionality, those in the BusinessObjects 6.x column and those in the BusinessObjects XI column are not necessarily equivalent: In BusinessObjects 6.x In BusinessObjects XI • • • Designer Supervisor Supervisor over the Web • • • Designer Business View Manager Central Management Console Several applications allow you to add • Publishing Wizard objects to the repository. Several other applications allow you to add objects to the repository as well. • • • • • • • • • • Administration Console Auditor InfoView BusinessObjects BusinessQuery WebIntelligence WebIntelligence for OLAP Data Sources Broadcast Agent Developer Suite • • • Central Configuration Manager Central Management Console Auditing is incorporated in the Central Management Console. InfoView • • • • • • • • • Web Intelligence Crystal Reports OLAP Intelligence OLAP Intelligence Designer Central Management Console (CMC) Developer Suite Performance Management (formerly Application Foundation) Data Integrator Import Wizard The Application Foundation suite and Data Integrator are available to complement the BusinessObjects 6.x suite, but are not part of it. 536 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Architecture A Architecture The overall architecture of the two systems is organized in a similar manner. BusinessObjects 6.x BusinessObjects 6.x is organized five logical layers: • • • • • The client tier contains products or features that run on the end-user’s computer (either as a standalone application or in the web browser). The presentation layer contains the web and application servers, as well as the Business Objects components hosted on them (server SDKs, portal pages, servlets, Dispatcher, and HSAL). The application services layer provides the essential framework and services to the processing layer, such as WISessionManager, WILoginServer, and WIStorageManager. The processing layer contains report engines, as well as the additional components that implement business logic (portal workflows, repository access, scheduling, etc.). The database tier is made up of the databases containing the data used in documents and reports. BusinessObjects Enterprise Administrator’s Guide 537 A From BusinessObjects 6.x to BusinessObjects XI Architecture BusinessObjects XI BusinessObjects XI is organized into five tiers: • The client tier contains client applications. • The application tier includes the web and application servers, as well as the Business Objects components hosted on them. • The intelligence tier manages the BusinessObjects XI system, maintaining security information, routing requests to the appropriate processing layer services, managing audit information, and storing report instances for rapid report viewing. There are no strict equivalents for these servers in the BusinessObjects 6.x system. • The processing tier accesses the data and generates reports. This layer contains fewer “servers,” or processes, than the BusinessObjects 6.x processing layer. Transactional workflows are therefore simplified, with each server processing requests for a specific type of object. In a BusinessObjects 6.x context, this corresponds a dedicated role such as WIReportServer, which processes WebIntelligence 6.x reports only, rather than a provider of shared services such as WIQT, which plays a shared role in several types of processing workflows. • The data tier is made up of the databases containing the data used in reports. 538 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Basic terminology A Basic terminology Here are some of the main differences in terminology between the two releases: In BusinessObjects 6.x Repository The BusinessObjects 6.x suite uses a repository — a database that is stored in a relational database management system. The repository is used to secure access to your data warehouse and to provide an infrastructure for distributing information to be shared by users. The repository database actually contains the data associated with the security, universe and document domains. Making sure the repository database has enough space is therefore critical. In BusinessObjects XI The repository exists here as well, as one of the databases maintained by the Central Management Server (CMS). The CMS is the central service/daemon in the BusinessObjects Enterprise XI system (see its entry further along in this table). Although the repository database stores specific information about the objects published to it, including users, servers, security, groups, folders, categories and parameters, it does not actually store physical copies of the objects; it also contains pointers to the physical objects, such as Web Intelligence WID files, Crystal Reports RPT files, universe UNV files and third-party documents, stored in storage associated with the File Repository Servers. When universe and document domains are imported from a BusinessObjects 6.x deployment, they are made into folders in the CMS database. Although the security domain itself is not imported, you can import its contents (user rights, etc.). See “Migration” on page 542. Repository domains The repository must have a security domain. It can also contain universe and document domains. BusinessObjects Enterprise Administrator’s Guide 539 A From BusinessObjects 6.x to BusinessObjects XI Basic terminology In BusinessObjects 6.x Business Objects servers At a minimum, the Business Objects server back end must be installed on the cluster’s primary node and all secondary nodes. This installs all the processing layer modules on the server machines. In BusinessObjects XI Central Management Servers (CMS) The CMS is a single service which provides framework services, security management, administers scheduling tasks, and also is responsible for maintaining the database (CMS database) containing system information, such as users/groups, security levels, and services. In addition it maintains the repository and audit databases. The CMS serves as the central nervous system of the BusinessObjects Enterprise intelligence layer. Disabling the CMS is roughly equivalent to disabling the Session Stack (starting with version 6.1, the set of core processing modules enabled or disabled as a group). Servers Processes in the BusinessObjects Enterprise XI system are called servers. They run as services under Windows, and as daemons under UNIX. The CMC’s ability to enable/disable and even group servers, for example, concerns processes, not actual Business Objects servers, or server machines. Modules Processes used in Business Objects transactions which can be configured through the Administration Console are called modules. A few examples of modules are: Broadcast Agent Manager (which manages Schedulers) • WIStorageManager • • • • • A few examples of servers are: Job Server the File Repository Servers Web Intelligence Report Server WIReportServer 540 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Basic terminology A In BusinessObjects 6.x Clusters A cluster is one or more Business Objects servers which provide the functional processing for a given BI portal. Each server hosts the entire set of Business Objects modules; the Session Stack must be activated in order for the server to contribute to cluster processing. In BusinessObjects XI CMS clusters A Central Management Server cluster (CMS cluster) consists of two or more CMSs working together to maintain the system databases and repository. The CMSs can be on the same machine or on different ones. This means that at a minimum only the CMS component must be installed and activated on the machine. Other processes (servers) can be installed and run on other machines. A CMS cluster is called an expanded deployment. When a cluster contains more than one server machine, it is called a distributed deployment. Clusters can contain the following elements: The distinction between primary and secondary nodes does not apply. When you add a new CMS to a deployment • The primary node serves as the containing a previously- installed CMS, you central coordinator amongst all the nodes in the cluster. There is one and instruct the new CMS to connect to the existing only one primary node in a cluster; if CMS database and to share the processing the cluster contains only one node, it workload with any existing CMS machines. By default, the new cluster is given the name of the is a primary node. first installed CMS, prefaced by “@”. • Optional secondary nodes run the ORB components required to communicate with the primary node and start Business Objects processes on the secondary node(s), as well as optional services. Both primary and secondary nodes are considered cluster nodes. WebIntelligence Application servers Broadcast Agent Web Intelligence Web application servers Scheduling functions are handled by the CMS, which instructs the Job Server to process the job on a schedule managed by the CMS. Web Intelligence Report Server Public folder The Event Server manages file-based events. Schedule-based and custom events, on the other hand, are managed by the CMS. WIReportServer Corporate documents page File Watcher allows the processing of a scheduled task only when a specified file is present in a specified location. BusinessObjects Enterprise Administrator’s Guide 541 A From BusinessObjects 6.x to BusinessObjects XI Migration Migration To import repository objects such as domains, universes, universe restriction sets, users and groups, categories, documents, and reports from BusinessObjects 6.x, you use the Import Wizard. This Wizard and how to use it is described in the BusinessObjects Enterprise XI Installation Guide. Here is a summary of what the Import Wizard does and doesn’t import: The Import Wizard imports: The Import Wizard doesn’t import: • • • • • • Users and groups WebIntelligence reports Universes Connections Categories Security • BusinessObjects documents To migrate .rep documents to .wid format, you can use the Report Migration Utility, delivered with the BusinessObjects 6.5 suite. Instructions are in the Report Migration Utility guide. • WebIntelligence OLAP • • • • Custom applications and interfaces created using the SDK Broadcast Agent Scheduler or Publisher tasks BusinessObjects Auditor Timestamps Migration and mapping of specific objects Here is some important information about migrating specific objects from BusinessObjects 6.x to BusinessObjects Enterprise XI: Object User properties Specific migration information These properties are not mapped. • • • • Identification Strategy Logon Enable Real Time User Rights Update Enable Password Modification flag This maps to the User cannot change password property, which when True, means what it says. This property must be reset manually by the administrator at the global level. Password Validity settings 542 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Migration A Object Object Security level Specific migration information Expressed as limit rights set on the universe folder; object levels in BusinessObjects 6.x map to appropriately-named user groups. Most BusinessObjects 6.x user profiles map to default groups in the new system. For example, General Supervisors become members of the Administrators groups. Supervisors, on the other hand, are not mapped to the Administrators group, but instead simply granted the appropriate rights on all imported objects. Users with the User/Versatile profile are added to an Object Level Security group based on their Object Security levels. The Company group maps to the Everyone group. The Import Wizard maps static LDAP groups. Dynamic groups are mapped with Enterprise authentication. After migration, Administrators need to create dynamic groups. Inbox documents are imported to the Inbox folder. If Inbox already includes duplicate documents, they are also migrated to the File Repository Servers, which manage all document instances that have been scheduled or published to the repository. Personal documents are imported to the user’s Favorites folder, where only the BusinessObjects administrator and their owners have access to them. Any personal or corporate categories that referred to these documents in BusinessObjects 6.x continue to refer to them in BusinessObjects Enterprise XI. Both personal and corporate categories are imported. When you import corporate categories, you can select individual categories and subcategories to import into BusinessObjects Enterprise XI. Document and universe domains become folders with the same name. User and group access to these folders is equivalent to the rights they had on the BusinessObjects 6.x domains. Documents and universes cannot be imported unless their domain is imported as well. User profiles Groups External groups Inbox documents Personal documents Categories Domains BusinessObjects Enterprise Administrator’s Guide 543 A From BusinessObjects 6.x to BusinessObjects XI Migration Object Object Security level Specific migration information Expressed as limit rights set on the universe folder; object levels in BusinessObjects 6.x map to appropriately-named user groups. Most BusinessObjects 6.x user profiles map to default groups in the new system. For example, General Supervisors become members of the Administrators groups. Supervisors, on the other hand, are not mapped to the Administrators group, but instead simply granted the appropriate rights on all imported objects. Users with the User/Versatile profile are added to an Object Level Security group based on their Object Security levels. The Company group maps to the Everyone group. The Import Wizard maps static LDAP groups. Dynamic groups are mapped with Enterprise authentication. After migration, Administrators need to create dynamic groups. Inbox documents are imported to the Inbox folder. If Inbox already includes duplicate documents, they are also migrated to the File Repository Servers, which manage all document instances that have been scheduled or published to the repository. Personal documents are imported to the user’s Favorites folder, where only the BusinessObjects administrator and their owners have access to them. Any personal or corporate categories that referred to these documents in BusinessObjects 6.x continue to refer to them in BusinessObjects Enterprise XI. Both personal and corporate categories are imported. When you import corporate categories, you can select individual categories and subcategories to import into BusinessObjects Enterprise XI. Document and universe domains become folders with the same name. User and group access to these folders is equivalent to the rights they had on the BusinessObjects 6.x domains. Documents and universes cannot be imported unless their domain is imported as well. User profiles Groups External groups Inbox documents Personal documents Categories Domains 544 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Migration A Object Universes Specific migration information Users can choose between importing all universes and connections, or only those associated with the WebIntelligence reports being imported. WebIntelligence documents that used a BusinessObjects 6.x universe use the same universe in BusinessObjects Enterprise XI. BusinessObjects 6.x universe IDs are updated to BusinessObjects Enterprise XI IDs and CUIDs: • For universes: Universe ID, connection ID, and core universe ID • For Web Intelligence reports: universe ID Scope management is a Supervisor option which allows you to control the extent of the access that all supervisors are granted to users and user groups. General supervisors can limit other supervisors’ access by setting their scope management setting to Standard, Secured or Extended mode, each of which defines a different level of access to user/group information and management. Although this feature is mapped to the Delegated Administration feature in Business Objects Enterprise XI, the two features are not strictly equivalent; in particular, Delegated Administration does not support “modes”. Import attempts to set rights in the destination deployment that are at least as restrictive as the effective rights in the source deployment. This is true for all restrictions that limit modification and administration of objects. A delegated administrator may nonetheless be able to view imported objects (such as connections) that were previously hidden in the source deployment. It is recommended to verify effective rights on imported objects for “delegated administrators” after import and to set appropriate rights for access to objects that only exist in BusinessObjects Enterprise XI and not in BusinessObjects 6.x (e.g. calendars, events, etc.). By default, imported “delegated administrators” will inherit the rights specified for the Everyone group for access to such objects. Scope management Migration of user rights Key security features provided by BusinessObjects 6.x (as applied to the integrated components) are available in BusinessObjects XI. Along with the ability to specify rights at the object level, BusinessObjects XI provides the ability to specify global rights for Web Intelligence, Dashboard Manager, and Performance Manager applications. BusinessObjects Enterprise Administrator’s Guide 545 A From BusinessObjects 6.x to BusinessObjects XI Migration The following identifies the migration path for integrated rights: Right Type in BusinessObjects 6.x Migrated to BusinessObjects Enterprise XI as... Product Access (PA) right Security Command right Domain Access right Document/Universe Access right Right to view application object Right to application object, domain folder, or content object Right to view domain folder Right to view content object Different default and aggregate rules The fundamental default and aggregate rules governing rights change radically in BusinessObjects Enterprise XI, to maintain greater system security: Right Type (6.x) Product Access (PA) Right Default Value in Version 6.x Default Value in Version XI Aggregation Rules Aggregation in Version 6.x Rules in Version XI If granted (or unspecified) anywhere: granted If unspecified or denied anywhere, then denied Granted Denied (The Designer and Supervisor PA right is set to Denied on the root folder at install time.) Enabled Denied Security Command Right • • • If hidden anywhere, then hidden If disabled anywhere, then disabled Otherwise, enabled • • Hidden in 6.x = denied in XI If unspecified or denied anywhere, then denied Domain Access Right Document/ Universe Access Right Granted Denied If granted (or unspecified) anywhere: granted If granted anywhere: granted If unspecified or denied anywhere, then denied If unspecified or denied anywhere, then denied Denied Denied 546 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Installation, configuration, and deployment A Installation, configuration, and deployment Here is an overview of key differences in installation, configuration, and deployment: In BusinessObjects 6.x Server operating systems BusinessObjects 6.5 supports heterogeneous clusters, in which Business Objects servers are hosted on Windows and UNIX machines. In BusinessObjects XI The CMS “servers” in a BusinessObjects Enterprise XI cluster must all be running on machines running the same operating system and version. The other “servers” in the intelligence layer, however, such as the Job Server, can be hosted on machines running completely different (but supported) operating systems. Initial installation options • Desktop • • Server Custom • • • • • Client Server The Server option provides three installation options: New Expand Custom Distributed deployments To distribute processing, you add additional cluster nodes to a cluster. To add a cluster node, you must install Business Objects server on the node machine. This installs the entire set of processes required for system processing on each machine. At a minimum, the Session Stack must be activated on each cluster node to share the transaction load. You can distribute a single deployment’s transactional capabilities on the same machine by creating multiple instances of a “server”, or you can install on additional machines to distribute the load. This capability offers you the ability to scale your system vertically (more services on the same machine) or horizontally (more machines). The CMS does not need to run on each machine. BusinessObjects Enterprise Administrator’s Guide 547 A From BusinessObjects 6.x to BusinessObjects XI Installation, configuration, and deployment In BusinessObjects 6.x Installation and the repository Repository creation is completely independent of the installation of Business Objects software. In BusinessObjects XI Setting up the CMS database, which includes the repository, is an integral part of BusinessObjects Enterprise installation. In a New server installation, if you install a Central Management Server in a Windows environment, and you do not choose to connect the CMS to an existing database, the installation procedure automatically installs and configures Microsoft Data Engine (MSDE) as the CMS database. In similar circumstances in UNIX environments, MySQL is installed. After installation, you can select or create a new CMS database at any time using the Central Configuration Manager (CCM). Silent installation You must install a Web Component Adapter (WCA) on any machine hosting an application server. The WCA allows your application server to run BusinessObjects Enterprise applications making Crystal Web Requests, and to host the Central Management Console. Not all applications require the WCA. For example, InfoView doesn’t need it unless users will be viewing OLAP Intelligence documents. Installing BusinessObjects Enterprise XI on the same machine as the application server is called a server-side installation. When you perform this installation, the client and server components are installed, the default user and group accounts are created, and the sample reports are published to the system. When the installation is complete, the servers are started as services on the local machine. Command-line installation Application servers Application servers communicate with the Business Objects cluster through the ORB. If the application server is hosted on a machine which is neither a primary nor secondary node, you must configure the ORB on it in order to allow it to communicate with the cluster. You configure the ORB on the application server machine either by installing the Configuration Tool on that machine, then using it to configure the server as a client node of the cluster, or by configuring the ORB manually. For information on deploying web For information on deploying web applications on application servers, see “Deploying web applications on application servers, see “Deploying web applications” on page 550 applications” on page 550 in this table. in this table. 548 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Installation, configuration, and deployment A In BusinessObjects 6.x Web servers To configure the web server to work with a cluster, you must install a third-party connector to the cluster’s application server. In BusinessObjects XI If you connect BusinessObjects Enterprise to a web server, the web server must be able to communicate with the machine that runs your Web Component Adapter (WCA). For information on deploying web For information on deploying web applications on applications on web servers, see web servers, see “Deploying web applications” on “Deploying web applications” on page 550 page 550 in this table. in this table. License key management Before installation, you copy your license key to a directory to which all nodes or application client machines have access. During installation, you specify where these XML files are located. OLAP You install Web Intelligence for OLAP Data Sources using the standard installation process. Configuring clusters and the ORB You create clusters and configure their ORB on their nodes using the Configuration Tool. You configure the cluster’s primary node and then its secondary nodes. License keys are stored in the CMS database. You can view your deployment’s current license keys, as well as add or delete them, using the CMC. OLAP Intelligence is installed separately. When you install the first Central Management Server (typically a New install), you can define it as a cluster. This creates a cluster of one and sets the cluster up for subsequent Expand installs, which add additional CMSs to the cluster. The subsequent machines on which you install the CMS become part of a CMS cluster named <@Name of First CMS>. At the installation of each additional CMS, you specify the name of the first CMS you installed. This makes it part of the cluster. BusinessObjects Enterprise Administrator’s Guide 549 A From BusinessObjects 6.x to BusinessObjects XI Installation, configuration, and deployment In BusinessObjects 6.x In BusinessObjects XI • • • • • Available web applications Administration Console InfoView Auditor Supervisor over the Web • • • • Central Management Console InfoView Performance Manager applications (formerly Application Foundation), J2EE only Custom web applications developed using the SDK Custom web applications developed using the SDK Although not part of the BusinessObjects 6.x suite, Application Foundation applications can also be deployed. Deploying web applications You can deploy web applications in three ways: • If you’re using IIS or Tomcat/Apache, the Configuration Tool can deploy the applications automatically on web and application servers. • You can use the wdeploy tool, a command-line utility that you can run on all other supported application and/ or web servers. • You can manually deploy the application on all other supported web and/or application servers. Repository creation You create the repository after installation and configuration, using the Supervisor application. After repository creation, you must copy the bomain.key file corresponding to the repository on each node in the cluster. If you choose a New installation and are using IIS or Apache/Tomcat, the Business Objects web applications are deployed automatically on the web and/or application server, unless you are deploying to an existing Java application server. Otherwise, you must deploy web applications manually. If you do not have a supported database client on the machine, installation can install and configure MSDE (Windows) or mySQL (UNIX) for use as the CMS database. To use your own database server, you must create a new, empty database on your database server prior to running the installation. This database will be configured during the install. Whenever you add a new CMS to a cluster in an Expand installation, you define the connection to the initial CMS’s database. This allows the server to connect to it. 550 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Security A In BusinessObjects 6.x Multiple service instances In BusinessObjects 6.x, certain modules such as WIQT, BusinessObjects.exe (Windows)/bolight (UNIX), Connection Server, and WIReportServer, are designed to be multi-instance on cluster nodes. You use the Administration Console to set the number of instances in each process pool. BusinessObjects 6.5 also supports multiple Business Objects servers on the same UNIX box. Unicode databases In BusinessObjects XI Multiple instances of the same service can run on the same machine (providing vertical scaling), or on separate machines (for horizontal scaling), in any mixture of supported operating systems. The single exception is the Central Management Server, which must run on the same operating system within a single cluster. The use of Unicode databases, which can All CMS databases must support the Unicode protocol. store information in different languages and centralize all the information in a company, is supported as a data source for Web Intelligence reports. Unicode databases are not supported for repositories or BusinessObjects documents. Security BusinessObjects 6.x applications use a very different security model than that provided with BusinessObjects Enterprise XI, and as such, administrators of BusinessObjects 6.x systems are encouraged to read with attention the documentation shipped with BusinessObjects Enterprise XI. Through BusinessObjects 6.5.1, authentication is defined for an entire cluster and/or all desktop users. Implementing an authentication method is broken down into selecting an authentication mode, then its source, which can be Repository, External then Repository, or External. You can choose between Microsoft AD or an LDAP user management system for external authentication sources. In BusinessObjects XI, security is much more granular. You implement an authentication method for each user, when you create the user’s account. When users log into the system, they specify their username and password, but may enter their authentication method as well. BusinessObjects Enterprise Administrator’s Guide 551 A From BusinessObjects 6.x to BusinessObjects XI Security In BusinessObjects 6.x In BusinessObjects XI bomain.key The bomain.key tells Business Objects There is no bomain.key file. At login, the Central applications where to find the repository’s management Server (CMS) verifies the user security domain. name and password against the security information stored in the CMS database. Each CMS is configured either at installation or subsequently using the Central Management Console (CMC) to connect to a specific database. Setting the authentication and authorization methods Up through version 6.5.1, you set authentication/authorization for the entire cluster using the Security Configuration Tool. You select the authentication method for each user at the creation of the user’s account, using the CMC. You can even assign multiple aliases, or authentication modes, to a single user, or create new aliases then assign them to exiting users in the system. If you import external users via LDAP, Windows NT or Active Directory, users are automatically created. So if you are not using complex scenarios in which users can log on with both NT and LDAP authentications, you don’t need to create the settings for each user individually. Configuring authentication and authorization You set authentication/authorization for the entire cluster using the Security Configuration Tool. You configure authentication in the Authentication management area of the CMC. 552 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Security A In BusinessObjects 6.x In BusinessObjects XI • • • • Available authentication modes Business Objects standard Windows-NTLM (similar to BusinessObjects XI Windows NT authentication) Single Sign-On • LDAP authentication Basic authentication (user Windows AD authentication authentication is delegated to the web server) Other authentication modes are available through add-in products, such as SAP authentication. Single Sign-On is not a mode in itself, but is available for certain authentication modes. See below. Single Sign-On to BusinessObjects Enterprise can be provided through the use of third-party systems such as Windows AD or Netegrity SiteMinder. End-to-end single sign-on includes SSO to the database at the back end. Note: If you use SiteMinder, you must use LDAP for external user management. Because of the use of Access Control Lists (ACL), an industry standard method of controlling cascading security access, the imposition of restrictions is much more granular. You can apply user, group, and role level security at the object level, to documents, categories, folders, universes, and connections. This means, for example, that you could allow a group to refresh document A, but not refresh document B. • • • Enterprise authentication (automatically enabled when you install the system, and similar to Business Objects standard in version 6.x) Windows NT authentication Single-Sign-On (SSO) To enable SSO, you must use Netegrity SiteMinder. Authorization You can use security commands in Supervisor to restrict user and group access to functionalities in Business Objects products. You cannot restrict access at the object level. For example, if you grant a group the right to refresh, but not create documents, the restriction will apply regardless of the documents being used. BusinessObjects Enterprise Administrator’s Guide 553 A From BusinessObjects 6.x to BusinessObjects XI Administration Administration The administrative model applied to BusinessObjects Enterprise XI is very different from the BusinessObjects 6.x model. • The Central Management Console (CMC) The CMC allows you to perform user management tasks such as setting up authentication and adding users and groups. It also allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Additionally, the CMC enables you to manage servers and create server groups, whenever the Central Management Server (CMS) is running. • The Central Configuration Manager The CCM is a server-management tool that allows you to view and configure each of your BusinessObjects Enterprise server components while Business Objects servers are offline. This tool allows you to start, stop, enable, and disable Business Objects servers, as well as view and configure advanced server settings. On Windows, these settings include default port numbers, CMS database and clustering details, SOCKS server connections, and more. In addition, on Windows the CCM allows you to add servers to, or remove servers from your BusinessObjects Enterprise system. The CCM comes in two forms. In a Windows environment, the CCM allows you to manage local and remote servers through its Graphical User Interface (GUI) or from a command line. In a UNIX environment, the CCM shell script (ccm.sh) allows you to manage servers from a command line. At first, the CCM takes into account only the servers running locally. You can then connect to servers on a remote machine. This section covers administrative tasks concerning the repository, users and groups, universes, server and cluster management, and auditing. 554 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Administration A In BusinessObjects 6.x Repository creation and management You create your cluster’s repository after Business Objects installation and configuration, using the Supervisor application. In BusinessObjects XI If you do not have a supported database client on the machine, installation can install and configure MSDE (Windows) or mySQL (UNIX) for use as the CMS database. To use your own database server, you must create a new, empty database on your database server prior to running the installation. This database will be configured during the install. Whenever you add a new CMS to a cluster in an Expand installation, you define the connection to the initial CMS’s database. This allows the server to connect to it. User/group creation and management You use Supervisor or Supervisor over the Web. You use the CMC. An initial General Supervisor account By default, an initial Administrator and Guest account is is created when you create the created at installation. repository. A “company name” group is automatically created at repository creation. Two default groups are automatically created at installation: • Administrators • Using Designer You can use Designer in online or offline mode. Everyone If you’re using Windows NT/2000, an additional group called Business Objects NT Users is also created. You can use Designer in online mode only. This means that unless you are logged into the repository, you cannot work on a universe. BusinessObjects Enterprise Administrator’s Guide 555 A From BusinessObjects 6.x to BusinessObjects XI Administration In BusinessObjects 6.x Cluster start/stop Under Windows, you can use WINotify or the Start menu; during installation, you can also set the In BusinessObjects XI You use the CCM to stop a Central Management Server (CMS), regardless of the operating system. At installation, you can also configure the server to start automatically at machine startup. Note: You cannot use the Central Management Console (CMC) to stop a CMS. Business Objects server to run automatically as a Windows service. Under UNIX, you start the cluster manually using the wstart command, or use S99WebIntelligence to start it automatically on machine startup. Cluster server enable/disable You use the Administration Console. In Windows, you use the Central Configuration Manager (CCM) to disable a Central Management Server (CMS). In UNIX, you use the cms.sh script. Caution: You can use the CMC to disable/enable and even group servers, but this refers to what BusinessObjects 6.x users refer to as modules, not the actual cluster nodes. Server settings management You use the Administration Console. You use the Central Management Console or the Central Configuration Manager, depending on the type of setting you want to define, and whether you are online or offline. Audit management You use the Audit facility in the Administration Console. You can also use the Auditor application for enhanced system monitoring and analysis. You use the CMC. You can also use the CMC to view server metrics, including information about the machine that the server is running on—its name, operating system, total hard disk space, free hard disk space, total RAM, number of CPUs, and local time. The CMC allows you to configure what information you want each server/service to audit. Auditor is not part of this release. Setting up Broadcast Agent schedulers You create and manage schedulers using the Broadcast Agent Manager’s Properties page in the Administration Console. Because the scheduler is incorporated into the CMS, it comes automatically installed with BusinessObjects Enterprise XI and requires little or no additional configuration beyond setting up access to email servers, printers and file servers. 556 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Administration A In BusinessObjects 6.x In BusinessObjects XI Viewing scheduled tasks You can view the full list of scheduled You cannot view a global list of scheduled jobs. documents and their status using the You can view the status of one scheduled object at a Broadcast Agent Console. time in the CMC in the object’s History page. This list includes all scheduled jobs for the object, as well as existing instances of the object (i.e. reports that have already been run and contain data). In InfoView, you can also view a list of an object’s instances by looking at the object’s history. A sample application built using the Administration SDK and available from the BusinessObjects Enterprise User’s Launchpad also allows you to see all the jobs scheduled by any specific user. InfoView appearance and functionality management You can use Supervisor security commands to prevent users from modifying the default settings in the InfoView Options page. Setting locale You set the cluster’s language at installation; you can subsequently use the Site Properties tab in the Administration Console to modify it. Users can set the language of their interface in InfoView. You can modify the appearance and some functionality using the BusinessObjects Enterprise Applications management area in the CMC. You don’t specifically set the CMS locale. Users set the locale for their own interface in InfoView; if they don’t, InfoView uses the locale specified on the web server. BusinessObjects Enterprise Administrator’s Guide 557 A From BusinessObjects 6.x to BusinessObjects XI Reporting, analysis, information sharing Reporting, analysis, information sharing This section includes information on available reporting tools, as well as enduser tasks such as accessing, distributing and scheduling corporate data: In BusinessObjects 6.x Reporting tools • BusinessObjects In BusinessObjects XI • • WebIntelligence WebIntelligence for OLAP Data Sources • • • • • Crystal Reports Web Intelligence OLAP Intelligence What reporting tools use universes? • BusinessObjects Crystal Reports Web Intelligence • WebIntelligence Crystal Reports can also connect directly to databases using a variety of methods including ODBC and native drivers, as well as XML and text files. It can also use Business Views (the semantic layer from Crystal Enterprise) as a data source. The out-of-the-box portal in BusinessObjects Enterprise XI is also called InfoView. Available for both Java and .NET platforms, its interface is somewhat different from the BusinessObjects 6.x application. InfoView InfoView is a web application that must be deployed after Business Objects installation using the Configuration Tool, wdeploy, or manual procedures. It is available in JSP and ASP platforms. 558 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Reporting, analysis, information sharing A In BusinessObjects 6.x Categories Within InfoView, you can use categories to organize documents on a particular document list page. In BusinessObjects XI BusinessObjects Enterprise XI uses both categories and folders to organize documents. Folders are used for the storage location of information, while categories are used more for the classifying information regardless of its storage location. • BusinessObjects Enterprise XI automatically creates a folder for each user in the system, called Personal Folders. These folders are organized within the CMC as User folders. Within InfoView, these folders are called Favorites folders. Folders are created and managed from the CMC. • Categories are equivalent to BusinessObjects 6.x categories. Folders contain actual copies of objects, while categories simply point to objects. There are two types of categories: • Corporate There are two kinds of categories: • Corporate • Personal • Personal Corporate categories can be created Corporate categories can be created either in from InfoView, BusinessObjects, or InfoView (with reduced management capabilities) or Supervisor. from the CMC (full management capabilities). As a general supervisor or supervisor, you can grant specific users or groups the right to create categories, and to rename and delete the categories they create, from BusinessObjects or WebIntelligence. You do this by enabling the security command Manage All Categories or Manage My Categories. You can use security commands to restrict access to corporate categories. In the CMC you can restrict users’ and/or groups’ access to categories and folders. You can set limits on folders, which automate regular clean-ups of old Business Objects content by eliminating excess instances of particular objects, or object instances which have remained more than the specified number of days in the folder. BusinessObjects Enterprise Administrator’s Guide 559 A From BusinessObjects 6.x to BusinessObjects XI Reporting, analysis, information sharing In BusinessObjects 6.x Scheduling You schedule for refresh documents and files either from 2-tier deployments of BusinessObjects, or from InfoView. In BusinessObjects XI You schedule for refresh objects from the CMC or from InfoView. 560 BusinessObjects Enterprise Administrator’s Guide From BusinessObjects 6.x to BusinessObjects XI Reporting, analysis, information sharing A In BusinessObjects 6.x In BusinessObjects XI • • • You can schedule: BusinessObjects documents WebIntelligence reports WebIntelligence OLAP reports • • You can schedule: Crystal reports Web Intelligence reports You can also schedule program objects, such as executables, Java programs, or scripts (Jscripts and VBscripts) to run at specified times. You can publish objects to BusinessObjects Enterprise in several ways. Use the Publishing Wizard when you: • Have access to the locally installed application. Publishing to the repository You add objects to the repository by: • Exporting universes from Designer or Supervisor • Adding users and groups and managing security settings from Supervisor and/or Supervisor over the Web • Saving documents to the repository from InfoView • Publishing documents from 2- and 3-tier deployments of BusinessObjects • Are adding multiple objects or an entire directory. The Publishing Wizard is a locally installed Windows application that enables both administrators and end users to add any supported document to BusinessObjects Enterprise. Use the Central Management Console (CMC) when you are: • Publishing a single object. • • • Taking care of other administrative tasks. Performing tasks remotely. Save directly to your Enterprise folders when you are: Designing reports with Crystal Reports or Web Intelligence. • Using the OLAP Intelligence Application Designer. • Creating other objects with BusinessObjects Enterprise plug-in components. Upload documents stored on your local computer when you’re using InfoView. Use Designer to export universes to the repository. Use the Import Wizard to migrate objects to a BusinessObjects Enterprise XI repository from BusinessObjects 6.x or Crystal Enterprise 10. BusinessObjects Enterprise Administrator’s Guide 561 A From BusinessObjects 6.x to BusinessObjects XI SDK SDK In BusinessObjects 6.x Development platforms • Java In BusinessObjects XI • WebServices • • • • Java WebServices .NET .COM 562 BusinessObjects Enterprise Administrator’s Guide Rights and Access Levels appendix B Rights and Access Levels Rights Rights This table lists the rights available within the Advanced Rights page of the Central Management Console (CMC). Other BusinessObjects Enterprise plug-in components may in future add their own, object-specific rights to this list. The table matches the descriptions used in the CMC with the programmatic name that developers use when assigning rights with the BusinessObjects Enterprise SDK. Description used in the CMC Respect current security by inheriting rights from parent groups Respect current security by inheriting rights from parent folders Add objects to the folder View objects Edit objects Modify the rights users have to objects Schedule the document to run Delete objects Define server groups to process jobs Delete instances Copy objects to another folder Schedule to destinations View document instances Pause and Resume document instances Print the report’s data Refresh the report’s data Export the report’s data View objects that the user owns Edit objects that the user owns Modify the rights users have to objects that the user owns Name used in the SDK AdvancedInheritGroups AdvancedInheritFolders ceRightAdd ceRightView ceRightEdit ceRightModifyRights ceRightSchedule ceRightDelete ceRightPickMachines ceRightDeleteInstance ceRightCopy ceRightSetDestination ceRightViewInstance ceRightPauseResumeSchedule ceReportRightPrintReport ceReportRightRefreshOnDemand Report ceReportRightPageServerExport ceRightOwnerView ceRightOwnerEdit ceRightOwnerModifyRights 564 BusinessObjects Enterprise Administrator’s Guide Rights and Access Levels Access levels B Description used in the CMC Delete objects that the user owns Delete instances that the user owns View document instances that the user owns Name used in the SDK ceRightOwnerDelete ceRightOwnerDeleteInstance ceRightOwnerViewInstance Pause and resume document instances ceRightOwnerPauseResume that the user owns Schedule Access levels This section lists the rights that constitute each of the predefined access levels that are available through the Advanced Rights page of the Central Management Console (CMC). Note: There is no predefined access level to grant users the rights required to create or modify reports through the Report Application Server (RAS). For details, see “Object rights for the Report Application Server” on page 568. No Access This access level ensures that all rights remain unspecified. That is, rights are neither explicitly granted nor explicitly denied. When rights are unspecified, the system denies the right by default. View Description used in the CMC View objects View document instances Name used in the SDK ceRightView ceRightViewInstance Schedule Description used in the CMC View objects Schedule the document to run Define server groups to process jobs Name used in the SDK ceRightView ceRightSchedule ceRightPickMachines BusinessObjects Enterprise Administrator’s Guide 565 B Rights and Access Levels Access levels Description used in the CMC Copy objects to another folder Schedule to destinations View document instances Print the report’s data Export the report’s data Edit objects that the user owns Pause and resume document instances that the user owns Name used in the SDK ceRightCopy ceRightSetDestination ceRightViewInstance ceReportRightPrintReport ceReportRightPageServerExport ceRightOwnerEdit ceRightOwnerPauseResumeSchedule Delete instances that the user owns ceRightOwnerDeleteInstance View On Demand Description used in the CMC View objects Schedule the document to run Define server groups to process jobs Copy objects to another folder Schedule to destinations View document instances Print the report’s data Refresh the report’s data Export the report’s data Edit objects that the user owns Delete instances that the user owns Pause and resume document instances that the user owns Name used in the SDK ceRightView ceRightSchedule ceRightPickMachines ceRightCopy ceRightSetDestination ceRightViewInstance ceReportRightPrintReport ceReportRightRefreshOnDemand Report ceReportRightPageServerExport ceRightOwnerEdit ceRightOwnerDeleteInstance ceRightOwnerPauseResumeSchedule 566 BusinessObjects Enterprise Administrator’s Guide Rights and Access Levels Default rights on the top-level folder B Full Control Description used in the CMC Add objects to the folder View objects Edit objects Modify the rights users have to objects Schedule the document to run Delete objects Delete instances Copy objects to another folder Schedule to destinations View document instances Pause and Resume document instances Print the report’s data Refresh the report’s data Export the report’s data Name used in the SDK ceRightAdd ceRightView ceRightEdit ceRightModifyRights ceRightSchedule ceRightDelete ceRightDeleteInstance ceRightCopy ceRightSetDestination ceRightViewInstance ceRightPauseResumeSchedule ceReportRightPrintReport ceReportRightRefreshOnDemand Report ceReportRightPageServerExport Define server groups to process jobs ceRightPickMachines Default rights on the top-level folder The top-level BusinessObjects Enterprise folder serves as the root for all other folders and objects that you add to the system. This folder provides the following rights by default: • • The Everyone group is granted the Schedule access level. The Administrators group is granted the Full Control access level. BusinessObjects Enterprise Administrator’s Guide 567 B Rights and Access Levels Object rights for the Report Application Server Object rights for the Report Application Server To allow users to create or modify reports over the Web through the Report Application Server (RAS), you must have RAS Report Modification licenses available on your system. You must also grant users a minimum set of object rights. When you grant users these rights to a report object, they can select the report as a data source for a new report or modify the report directly: • • • • View objects (or “View document instances”, as appropriate) Edit objects Refresh the report’s data Export the report’s data User must also have permission to add objects to at least one folder before they can save new reports back to BusinessObjects Enterprise. To ensure that users retain the ability to perform additional reporting tasks (such as copying, scheduling, printing, and so on), it’s recommended that you first assign the appropriate access level and update your changes. Then, change the access level to Advanced, and add any of the required rights that are not already granted. For instance, if users already have View On Demand rights to a report object, you allow them to modify the report by changing the access level to Advanced and explicitly granting the additional Edit objects right. When users view reports through the Advanced DHTML viewer and the RAS, the View access level is sufficient to display the report, but View On Demand is required to actually use the advanced search features. The extra Edit objects right is not required. Tip: For more information about RAS Report Modification licenses, see “Licensing overview” on page 530. 568 BusinessObjects Enterprise Administrator’s Guide Configuring NTFS Permissions appendix C Configuring NTFS Permissions Configuring NTFS permissions Configuring NTFS permissions When you view reports over the Web, insufficient New Technology File System (NTFS) permissions on the server can cause a number of problems. For example, a report may not appear in the viewer, even after you repeatedly enter the correct database logon information. NTFS provides security for file storage in Microsoft Windows. If a BusinessObjects Enterprise component is running on a user account that does not have the required NTFS permissions, users may be unable to access reports over the Web. To troubleshoot NTFS permissions, ensure that each BusinessObjects Enterprise component uses an account with the appropriate permissions. You may need to change the user account or change the NTFS access for particular files and folders. For details on changing server user accounts, see “Changing the server user account” on page 146. For information on changing NTFS permissions, see the Microsoft Windows help. Configuring NTFS permissions for BusinessObjects Enterprise components Each component requires a user account with certain NTFS access rights to specific files and folders. Ensure that each component is running on the correct user account, and make sure the user account has the required NTFS permissions. 570 BusinessObjects Enterprise Administrator’s Guide Configuring NTFS Permissions Configuring NTFS permissions C Web Component Adapter (WCA) By default, the Central Management Server uses the LocalSystem account to access resources and BusinessObjects Enterprise components. Ensure this user account has the appropriate NTFS permissions for specific folders: NTFS permissions Files and folders • • Read Read & Execute • • • • • C:\Winnt\system32 C:\Program Files\BusinessObjects Enterprise\Web Content\enterprise C:\Program Files\BusinessObjects Enterprise\WCA\CRImages C:\Program Files\BusinessObjects Enterprise\WCA C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86 C:\Program Files\BusinessObjects Enterprise\WCA\Logging • • • Write • Note: This table shows the default installation paths. If your BusinessObjects Enterprise deployment includes OLAP Intelligence, the WCA user account also needs Read permission for the OLAP Intelligence FileStore\Input folder. File Repository Servers (FRS) The Input and Output File Repository Servers (Input and Output FRS) use the local System account by default; these accounts provide sufficient access to files and folders on the local machine. However, if the Input or Output FRS needs access to directories on other machines, set its user account to a domain user account with local administrative access to all computers hosting BusinessObjects Enterprise components. For details on changing the user account, see “Changing the server user account” on page 146. BusinessObjects Enterprise Administrator’s Guide 571 C Configuring NTFS Permissions Configuring NTFS permissions Ensure that the user account for the Input FRS has the appropriate NTFS permissions for the following folders: NTFS permissions Files and folders • • • Read Read & Execute Write • • • C:\Winnt\system32 C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Input C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Input For the Output FRS, make sure the user account has access to the following folders: NTFS permissions Files and folders • • • Read Read & Execute Write • • • C:\Winnt\system32 C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Output C:\Program Files\Business Objects\ BusinessObjects Enterprise 11\FileStore\Output Note: • • The Input and Output File Repository Servers cannot share the same directories. If the Input folder or the Output folder does not exist, the respective FRS creates it when the service starts. Central Management Server (CMS) The CMS uses the local System account by default. This account does not need access to other machines. Ensure that the System account has the appropriate NTFS permissions for specific files and folders: NTFS rights Folders • • Read & Execute Write • • C:\Winnt\system32\drivers\etc\hosts C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86\CITemp 572 BusinessObjects Enterprise Administrator’s Guide Configuring NTFS Permissions Configuring NTFS permissions C Cache Server The Cache Server uses the local System account by default. If the Cache Server needs to access BusinessObjects Enterprise components on other machines, you must set its user account to a domain user account that has local administrative access to all computers hosting components. For details on changing the user account, see “Changing the server user account” on page 146. Ensure that the Cache Server’s user account has the correct NTFS permissions for the following folders: NTFS permissions Files and folders • • • Job Server Read Read & Execute Write • • • C:\Winnt\system32 C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86 C:\Program Files\Business Objects\WCA The Job Server uses the local System account by default. The Job Server must use a different user account if it needs to access BusinessObjects Enterprise components on other machines. If the CMS, the Input FRS, or the Output FRS is not located on the same machine as the Job Server, set the Job Server’s user account to a domain user account that has local administrative access to all computers hosting these components. For details on changing the user account, see “Changing the server user account” on page 146. Ensure that the Job Server’s user account has the correct NTFS permissions for the following folders: NTFS permissions Files and folders • • Read Read & Execute • • • • • • • C:\Winnt\system32 The system’s temporary directory C:\Winnt\Business Objects C:\Winnt\Fonts C:\Program Files\Business Objects\Shared C:\Program Files\Business Objects\WCA C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore • Write BusinessObjects Enterprise Administrator’s Guide 573 C Configuring NTFS Permissions Configuring NTFS permissions Page Server The Page Server connects to the database to retrieve the information needed to build the report. For most BusinessObjects Enterprise deployments, the reporting database is located on a separate machine. If the Page Server is on a different machine from the database, you must change the Page Server’s user account from the default local System account to a domain user account with local administrative access to the computer hosting the reporting database. For details on changing the user account, see “Changing the server user account” on page 146. Ensure that the Page Server’s user account has the correct NTFS permissions for the following folders: NTFS permissions Files and folders • • Read Read & Execute • • • • • • C:\Winnt\system32 The system’s temporary directory C:\Winnt\Business Objects C:\Winnt\Fonts C:\Program Files\Business Objects\Shared C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Input C:\Program Files\Business Objects\WCA • Write • 574 BusinessObjects Enterprise Administrator’s Guide Customizing the appearance of Web Intelligence documents appendix D Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents You can customize the default appearance of all new Web Intelligence documents created using the Web Intelligence Java Report Panel or the HTML - Query Panel. To do so, you must edit a file called defaultconfig.xml. By editing defaultconfig.xml, you can change the default appearance of many interface elements: • • • • fonts and font sizes for tables, cells, chart axes, and so on background colors (“wallpaper”) lines and borders for cells and tables color palettes The new settings take effect only for reports created after the defaultconfig.xml file is modified and saved. Earlier reports are not affected by the new settings. In the defaultconfig.xml file, settings are grouped by “key value.” (See “List of key values” on page 580.) To modify a setting, open the defaultconfig.xml file in a text editor and modify the parameter you want. Back up the original file before you start. For an example of how to modify the defaultconfig.xml file, see “Example: Modifying the default font in table cells” on page 581. Note: • • You cannot use defaultconfig.xml to customize the appearance of the HTML Report panel. The defaultconfig.xml is also used by the REBean Editing SDK. For more information, see the developer documentation. 576 BusinessObjects Enterprise Administrator’s Guide Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents D What you can do with the defaultconfig.xml file With the defaultconfig.xml file, you can change certain aspects of the look and feel of Web Intelligence reports. You can make the reports adhere to your corporate visual guidelines. Here’s what a Web Intelligence report looks like before changes are made to the defaultconfig.xml file: BusinessObjects Enterprise Administrator’s Guide 577 D Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents By modifying a few settings—stable header and body cell fonts, alternative row settings, chart axes values, label fonts, and section cell borders—default Web Intelligence tables and charts can look like this: Locating and modifying defaultconfig.xml To customize the default appearance of a new Web Intelligence document, you must edit the defaultconfig.xml associated with the report panel used to create that document. Each report panel has its own defaultconfig.xml file. 578 BusinessObjects Enterprise Administrator’s Guide Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents D BusinessObjects Enterprise Java InfoView If you deploy the BusinessObjects Enterprise Java InfoView, you can customize the default appearance of documents created using the Java Report Panel or the HTML-Query Report Panel. On Windows, you must edit the defaultconfig.xml files inside the desktop.war file. For additional information on modifying XML and .war files, see the BusinessObjects Enterprise Installation Guide. 1. 2. To update defaultconfig.xml in the .war file Stop the web application server if it is running. Find the desktop.war file. On Windows, it’s found at C:\Progam Files\Business Objects\BusinessObjects Enterprise 11\java\applications\desktop.war. On UNIX, it’s found at / bobje/enterprise11/java/applications/desktop.war. 3. Extract defaultconfig.xml from the desktop.war file. For the Java Report Panel, extract webiApplet\AppletConfig\defaultconfig.xml For the HTML-Query Report Panel, extract WEB-INF\classes\defaultconfig.xml Tip: On Windows, you can use a tool such as WinZip to extract and replace files in a .war file. 4. 5. Make a backup of the defaultconfig.xml file. Open defaultconfig.xml, and make your changes. See “List of key values” on page 580 for information on the values you can change, and “Example: Modifying the default font in table cells” on page 581 for an example. 6. 7. 8. Save and close defaultconfig.xml. Reinsert defaultconfig.xml into desktop.war. Ensure that you insert the file into the correct directory within the .war file. Restart your web application server and redeploy desktop.war. See the BusinessObjects Enterprise Installation Guide for details. BusinessObjects Enterprise .NET InfoView If you deploy the BusinessObjects Enterprise .NET InfoView, you can customize the appearance of new documents created using the Java Report Panel. To customize the appearance of reports created with the Java Report Panel, edit the copy of defaultconfig.xml found at: C:\Program Files\Common Files\Business Objects\3.0\java\webiApplet\AppletConfig BusinessObjects Enterprise Administrator’s Guide 579 D Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents List of key values In the defaultconfig.xml file, settings are grouped by “key value.” The following table lists the key values and the corresponding interface elements. Key value Block*defaultBg Block*selectionBg Cell*selectionColor cell_skin0,report_skin0, section_skin0,bloc_skin0 freeCell*default freeCell*section graph*Data graph*Graph graph*Palette*0 graph*Palette*1 graph*Wall graph*YGrid graph*ZGrid graph*XLabels graph*YLabels graph*ZLabels graph*XValues graph*YValues graph*ZValues page*default Section*arrowColor Section*background Section*selectionColor table*AltBody table*body table*BodyForm Interface element Background colors for blocks Background colors for selected blocks Selected cell color Combo default skin Free cells (not section cells) Section cells Removing black line around bar charts General settings for graphs Adding a new color palette Adding a new color palette Default background colors for charts Color for horizontal grid (Y axis) Removing X-axis and Z-axis grid X-axis labels in a graph Y-axis labels in a graph Z-axis labels in a graph X-axis values in a graph Y-axis values in a graph Z-axis values in a graph Default page layout. For example: A4, Letter; portrait or landscape. Color of section arrow General settings for sections Color of selected section arrow Alternate body cells in a table Body cells in a table Body cells in a form 580 BusinessObjects Enterprise Administrator’s Guide Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents D Key value table*ExtraHeader table*Footer table*Form table*Header table*HeaderForm table*Table UI*default Interface element Object name cells in a crosstable Footer cells in a table General settings for forms Header cells in a table Header cells in a form General settings for tables Custom fonts Example: Modifying the default font in table cells You can modify the default font to another font available on your system, including non-standard fonts that you install on the server. The default font is Arial. This setting is found in the table*Body key value in the defaultconfig.xml file. Languages and fonts must be supported on the client machine for correct display. In addition, all fonts must be defined in the fontalias.xml file. Note: To change the default appearance of Web Intelligence documents created in a report panel, you must modify and deploy the correct copy of the defaultconfig.xml file. See “Locating and modifying defaultconfig.xml” on page 578 for more information. 1. 2. 3. To modify the default font Make a backup of the defaultconfig.xml file. Open the defaultconfig.xml file. Find the table*Body key value. Here’s what it looks like: BusinessObjects Enterprise Administrator’s Guide 581 D Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents 4. To change the default font for specified languages, enter the font name after FACE=. For example, to change only Japanese to a font named “SpecialFont,” you would enter: