SAP BusinessObjects Security Essentials

Dallas Marks SAP Inside Track – St. Louis July 15, 2011

SAP BusinessObjects Security Essentials
Dallas Marks Session 409








[ Breakout Description
In this presentation, learn how the SAP BusinessObjects security model works. Leverage features, such as inheritance, scope of rights, and custom access levels, to secure the business intelligence system, while reducing overall complexity and maintenance. Techniques will be demonstrated using SAP BusinessObjects XI that are also applicable to SAP BusinessObjects Edge BI. Real-world scenarios drive home the concepts learned and give each attendee the confidence to implement the same techniques back home.

Real Experience. Real Advantage.


[ About Dallas Marks
 Dallas Marks is a Senior Architect and Trainer at Kalvin Consulting, an SAP Services Partner focusing on business intelligence, business analytics and data warehousing. Kalvin is also a SAP BusinessObjects Authorized Education Provider, providing on-site education services at client locations throughout North America. Dallas is an SAP Certified Application Associate and authorized trainer for Web Intelligence, Universe Design, Xcelsius, and SAP BusinessObjects Enterprise administration. A seasoned consultant and speaker, Dallas has worked with SAP BusinessObjects tools since 2003 and presented at the North American conference each year since 2006. Dallas has implemented SAP BusinessObjects solutions for a number of industries, including energy, health care, and manufacturing. He holds a master’s degree in Computer Engineering from the University of Cincinnati. Dallas blogs about various business intelligence topics at

Real Experience. Real Advantage.


Roadmaps & Architecture • Installation. Business Analytics. we will get it right Expertise spans across all areas of BI • “Best of Breed” solution provider for Business Intelligence.About Kalvin Consulting Mission • To be a world class consulting company by delivering innovative solutions and extraordinary service Our Values • Kalvin’s Success: Every customer is a successful customer • Kalvin’s Service: We value your time. Configuration & Customization • Cross Platform & Cross Product Migrations • Reporting. and Data Warehousing • Solution Blueprints. dashboards & guided analysis • Cutting edge customization .

Atlanta & Boston • Strive to maintain 10% availability • Extensive network of independent consultants • Non-billable Delivery Manager to oversee the project deliverables and ensure client expectations are met . Dayton. marketing. HR & administration staff • Dedicated support staff with lab and training center Virtual Offices – 25 Consultants • Greater Cincinnati.About Kalvin’s Staff Corporate Office – Mason. Chicago. Ohio • Dedicated sales.

in August 2009 Expertise • Kalvin is an end to end solutions provider from data integration. dashboard and visualization • Our dedicated team of consultants bring together a full range of technical expertise in all Business Intelligence and Data Integration products: SAP BI . We had our first KalvinFest.BusinessObjects. reporting. IBM.NET Partnerships • Kalvin believes each client is unique and works to build a long-term partnership .The Kalvin Difference Dedicated Team • Dedicated team of Kalvin employees. Microsoft BI and customization techniques using Java and . Kalvin is NOT a staffing company • Kalvin holds bi-weekly information sharing sessions and quarterly company events for our employees to stay connected and learn from each other. Oracle.

Kalvin’s BI Methodology Making BI Successful Reporting Ad-hoc Analysis Dashboards Data warehouse and cubes Data mining Data enhancement Master Data Management .

Kalvin’s Best Practices Adopt the best from the industry Follow the best of BI standards Deploy the processes. policies and framework Create a repository of information for learning and training Share ideas and experiences by participating in User Groups & Conferences .

. are you using:  SAP Applications?  SAP BusinessObjects?  SAP BusinessObjects Business Intelligence 4. Real Advantage.[ Poll By a show of hands.0 (rampup)? Real Experience.

[ Does Security Setup Make You Angry? Real Experience. . Real Advantage.

Real Advantage. .[ Agenda  SAP BusinessObjects Security Basics  Demonstration  Custom Access Levels. Permissions Explorer and Security Query  Best Practices  Next Steps  Your Questions Real Experience.

Real Advantage. .[ SAP BusinessObjects Security Essentials SECURITY BASICS Real Experience.

a rights behavior in which rights that are set on child objects override the rights set on parent objects  General Global Rights – access rights enforced regardless of content type  Content Specific Rights – access rights unique to content type (Crystal Report. Real Advantage.[ Terminology  Principal – a user or group  Rights override . etc) Real Experience. Web Intelligence. .

x slightly different yes yes yes yes Real Experience. Real Advantage.[ Predefined Rights Rights Option Description Unable to access an object Able to view historical (scheduled) instances of an object Able to schedule instances of an object Able to view live data on-demand Able to change or delete an object XI R2 yes yes yes yes yes No Access View Schedule View on Demand Full Control XI 3. .

By default. This option becomes available when you click Granted or Denied. This option becomes available when you click Granted or Denied. rights set to Not Specified are denied.x yes yes Not Specified yes yes Apply to Object no yes Apply to Sub-Objects no yes Real Experience. XI R2 yes yes XI 3. Real Advantage. The right applies to sub-objects.[ Advanced/Granular Rights Rights Option Granted Denied Description The right is granted to a principal. The right is denied to a principal. The right applies to the object. The right is unspecified for a principal. .

[ Folder Inheritance Global Rights Top Level Folder Object Subfolder Object NOTE: In XI R2. Real Advantage. In XI 3. global rights are set on the Rights tab in the Settings management area. . global rights are set in the Folders management area as “All Folders Security” Subfolder Object Object Real Experience.x.

.[ Group Inheritance Rules eFashion Sales Managers 2008 eFashion East eFashion South eFashion West Barrett Richards Larry Leonard Bennett Steve Real Experience. Real Advantage.

. Real Advantage.x as it was in XI Release 2  Can disable folder inheritance. group inheritance.x because of new scope of rights features Real Experience.[ Breaking Inheritance  Still possible in XI 3. or both  May not be as necessary in XI 3.

Full Control) levels cannot be altered  Easier to manage than setting Advanced rights Real Experience.[ Custom Access Levels  New Management Area in CMC XI 3. View On Demand.x  Can create new access levels or copy existing access levels  Pre-defined rights (View. Real Advantage. Schedule. .

the ability to limit the extent of rights inheritance (Apply to Object. However… Real Experience. Apply to Sub-object)  In BusinessObjects Enterprise XI R2.[ Scope of Rights  Scope of rights – new in XI 3. rights are effective for both the parent object and the child objects by default (same as XI R2). the administrator was forced to break inheritance when they wanted to give user rights to child folders that were different to those given to the parent folder  In XI 3.x.x. . Real Advantage.

Real Advantage.  With BusinessObjects Enterprise XI 3. Real Experience. the administrator can now specify that a right set on a parent object should apply to that object only. .[ Scope of Rights.x. cont.

Real Advantage.[ SAP BusinessObjects Security Essentials DEMONSTRATION Real Experience. .

Real Advantage. .[ Demonstration      Authentication Types Users and Groups Custom Access Levels Permissions Explorer Security Query Real Experience.

0) Real Experience. 25 . Real Advantage.[ Demonstration .Authentication Types      Enterprise LDAP Windows AD Windows NT SAP (requires SAP Integration Kit in releases prior to BI 4.

Real Advantage.[ Demonstration – Users & Groups Real Experience. .

Real Advantage. .[ Demonstration – Folders and Content Real Experience.

[ SAP BusinessObjects Security Essentials DEMONSTRATION – CUSTOM ACCESS LEVELS Real Experience. . Real Advantage.

.[ Demonstration – Custom Access Levels Custom Access Level demo… Real Experience. Real Advantage.

[ SAP BusinessObjects Security Essentials PERMISSIONS EXPLORER AND SECURITY QUERY Real Experience. . Real Advantage.

) that can have rights assigned Real Experience. connection. etc. Real Advantage. document. Check User Rights only identified the effective rights – the source of the rights assignment was still unknown  Available from any object (folder. universe.[ Permissions Explorer (object centric)  Use the Permissions Explorer to determine the rights a principal has on an object  Improvement upon Check User Rights button in XI Release 2. .

[ Permissions Explorer Permissions Explorer demo… Real Experience. Real Advantage. .

.  Available from Users and Groups or Query Results Real Experience. Real Advantage.[ Security Query (user centric)  Use Security Query to determine the objects to which a principal has been granted or denied access.

[ Security Query – Query Principal Query Principal . Real Advantage. You can specify one principal for each security query Real Experience.the user or group that you want to run the security query for. .

and the object type these rights are set on Real Experience. the status of these rights.the right or rights you want to run the security query for. . Real Advantage.[ Security Query – Query Permission Query Permission .

the CMC areas that you want the security query to search. Real Advantage. For each area. . A security query can have a maximum of four areas Security Query demo… Real Experience. you can choose whether to include sub-objects in the security query.[ Security Query – Query Context Query Context .

[ SAP BusinessObjects Security Essentials BEST PRACTICES Real Experience. . Real Advantage.

XI R2 or XI 3.x  Grant rights to groups on folders.  Avoid breaking inheritance. while understanding it is sometimes necessary  Add multiple users to Administrators group rather than sharing Administrator user account to improve traceability  Document and maintain your security structure outside of the CMC – MS Excel is a good choice Real Experience. Real Advantage. the security model can become difficult to maintain. Although rights can be granted on individual objects or users. Understand the additional complexity that advanced rights can introduce. .  Use pre-defined rights wherever possible.[ Security Best Practices .

[ Security Best Practices .x  Allot time in your upgrade/migration for administrative staff to understand both the new CMC interface/workflows as well as its new features  Use custom access levels where you would have previously resorted to advanced rights. . Real Advantage.XI 3.  Identify opportunities to limit the scope of rights instead of breaking inheritance  Take advantage of the Permissions Explorer and Security Query tools to diagnose and correct security issues Real Experience.

Real Advantage. 40 .[ SAP BusinessObjects Security Essentials NEXT STEPS Real Experience.

41 . can you? (Custom Access Levels) Sandra Brotje | Session 0405 Tuesday. October 5.[ Relevant ASUG SBOUC 2010 Breakout Sessions  I can CAL. 2010 | 4:00 PM – 5:00 PM Real Experience. Real Advantage.

1 Migration Guide Visit the SAP Help Portal at http://help. Real Experience.[ Recommended Reading  SAP BusinessObjects Enterprise Administrator’s Guide  SAP BusinessObjects Enterprise XI to download these resources.1 Upgrade Guide  SAP BusinessObjects 5/6 to XI 3. Real Advantage. 42 .0/

1: Administering Servers 3 days .1: Administration and Security 2 days .0/3. 43 .[ Relevant Education  SAP BusinessObjects Enterprise XI 3. Real Experience.0/3.0/3. Real Advantage.course code BOE310  SAP BusinessObjects Enterprise XI 3.1: Designing and Deploying a Solution 4 days .course code BOE330 Official SAP BusinessObjects curriculum is available on-site at your location or at authorized education centers around the world.course code BOE320  SAP BusinessObjects Enterprise XI 3.

[ SAP BusinessObjects Security Essentials YOUR QUESTIONS Real Experience. Real Advantage. 44 .

X SECURITY Real Experience. .[ SAP BusinessObjects Security Essentials COMPARING XI R2 AND XI 3. Real Advantage.

x yes yes yes yes no yes yes Real Experience.x yes yes yes no yes yes XI 3. Real Advantage.[ Default Users and Groups Users Administrator Guest QaaWSServletPrincipal PMUser Set Administrator password during install? Guest user disabled by default? Groups Administrators Everyone QaaWS Group Designer Report Conversion Tool Users BusinessObjects NT Users Universe Designer users Translators XI R2 yes yes no yes no no XI R2 yes yes no yes yes yes no XI 3. .

[ Security Features Feature Folder Inheritance Group Inheritance Predefined Access Levels No Access View Schedule View On Demand Full Control Advanced Rights Custom Access Levels Break Inheritance Scope of Rights Combined Access Levels XI R2 yes yes yes yes yes yes yes yes yes no yes no no XI 3.x yes yes yes yes* yes yes yes yes yes yes yes yes yes Real Experience. . Real Advantage.

x yes! no no yes no yes yes Real Experience.[ Security Applications Application Central Management Console Web Component Adapter (WCA) Administrative Launchpad Query Builder Security Viewer Add-on Security Query Permissions Explorer XI R2 yes yes yes yes yes no no XI 3. Real Advantage. .

Please remember to complete and return your evaluation form following this For more information about Kalvin Consulting http://www. contact@kalvinsoft. For ongoing education on this area of focus. visit the YearRound Community page at 513.asug.[  Thank you for ] [ SESSION CODE: 409 Dallas Marks Senior Architect and Trainer http://dallasmarks. . Real Follow us on Twitter at @kalvinsoft.9120 49 Real Experience.kalvinsoft.

Sign up to vote on this title
UsefulNot useful