SECURE UNIVERSES USING RESTRICTION SETS
Dallas J. Marks, Dataspace
COPYRIGHT 2007 BUSINESS OBJECTS S.A.
AGENDA
1. The need for universe security
2. What are restriction sets?
3. Previewing access restrictions
4. Tips & Tricks
5. Live demonstrations
6. Conclusion
7. Q&A
THE NEED FOR UNIVERSE SECURITY
TWO METHODS FOR SECURING UNIVERSES
Restrict access to the entire universe by setting universe rights in the Central Management Console (CMC)
Create various forced and optional restrictions within Designer
Forced
  Object restrictions
  Self-restricting joins
  Inferring multiple tables
Optional
  Condition objects
BUSINESS PROBLEM
Business requirement to secure business-critical data based on a user's role in the organization
All of these restrictions affect all users unilaterally
A different solution is required to apply security to specific users and groups: restriction sets
WHAT IS A RESTRICTION SET?
A restriction set is a named group of restrictions that apply to a universe
Restriction sets can be applied to BusinessObjects users and groups to force behavior changes in a universe
Restriction sets are managed using the Business Objects Universe Designer application, using a feature named access restrictions
WHAT CAN BE RESTRICTED?
Type of restriction        Description
Connection                 Override the default universe connection with an alternate connection
Query controls             Limit the size of the result set and query execution time
SQL generation controls    Control how SQL is generated by user query
Object access              Column-level security
Row access                 Row-level security; force restrictions into the WHERE clause of inferred SQL
Alternative table access   Replace a table referenced in the universe with another table in the database
DESIGNER - MANAGING ACCESS RESTRICTIONS
Access restrictions can be accessed from either the Tools menu or the editing toolbar
Editing Toolbar
Tools Menu
PREVIOUS VERSIONS - SUPERVISOR
Previous versions of BusinessObjects provided similar capabilities, accessed from the Supervisor application
WHAT ARE RESTRICTION SETS?
Creating and managing user- and group-based universe security
SECURING UNIVERSES - DESIGN PROCESS
1) Create & Manage Security Model
2a) Build and Export universe
2b) Add Restriction Sets
3) Build reports using universe
4) Deploy using Import Wizard
MANAGE ACCESS RESTRICTIONS IN DESIGNER
Three basic steps to follow
1. Create new restrictions
2. Add appropriate groups and users
3. Map restrictions to groups and users
MANAGE ACCESS RESTRICTIONS IN DESIGNER
Additional configuration
Priority of multiple restrictions
Options
GETTING HELP
On-line help is available from the manage access restrictions dialog
RESTRICTION SET DIALOGS - CONNECTION
Control which database connection is used
Identical to the Definition tab of universe parameters
Useful for pointing a subset of users to an alternate data source (e.g. QA instead of production)
Restrictions that differ from universe defaults appear in red
RESTRICTION SET DIALOGS - CONTROLS
Define limits on query execution
Identical to the Controls tab of universe parameters
Useful for giving power users higher limits than standard users
Restrictions that differ from universe defaults appear in red
RESTRICTION SET DIALOGS - SQL
Define limits on what types of queries users may create
Identical to the SQL tab of universe parameters
Useful for limiting the complexity of queries
Restrictions that differ from universe defaults appear in red
RESTRICTION SET - SQL
The "Allow use of subqueries" checkbox controls access to the feature in the Web Intelligence query panel
Restrictions that differ from universe defaults appear in red
RESTRICTION SETS - SQL
The "Allow use of union, intersect and minus operators" checkbox controls access to the feature in the Web Intelligence query panel
RESTRICTION SETS - SQL
The "Allow complex operands in Query Panel" checkbox controls access to the "Both" and "Except" query filter operators in the Web Intelligence query panel
Allowed (checked)
Disallowed (unchecked)
RESTRICTION SET DIALOGS - OBJECTS
Restrict access to universe objects, for example, employee salary or other sensitive objects
RESTRICTION SET DIALOGS - ROWS
Restrict access to universe objects
RESTRICTION SET DIALOGS - TABLE MAPPING
Replace a table referenced in the universe by another table in the database
The table selection feature behind the Add button only lists tables in the universe structure; however, other tables in the database schema can be typed in manually.
RESTRICTION PRIORITY
Users that belong to multiple groups may have multiple restrictions
You can arrange user groups in order. The restriction for the lowest group in the listed order is used
Applies only to exclusive restrictions such as connection, table mapping, or SQL controls. ALL object restrictions are applied
RESTRICTION OPTIONS
By default, all restrictions are ANDed together
When organized into user and group hierarchies, it is useful to be able to switch between AND and OR
This feature was not available in XI Release 1
PREVIEWING ACCESS RESTRICTIONS
Verifying the security model
PREVIEWING RESTRICTION SETS 1 of 3
Restrictions can be previewed using the preview button on the editing toolbar
PREVIEWING RESTRICTION SETS 2 of 3
Click Preview to open a tabbed dialog showing all restrictions applied to a user or group
PREVIEWING RESTRICTION SETS 3 of 3
Restrictions can also be previewed from the manage access restrictions dialog
Preview cumulative restrictions
TIPS AND TRICKS
Best practices for working with restriction sets
EXPORTING UNIVERSE
You must export the universe before you can apply restriction sets
Although most changes become effective when a universe is exported, remember that restrictions take effect as soon as they are applied
@AGGREGATE_AWARE
The @AGGREGATE_AWARE function can be used to create objects that leverage aggregate tables, where appropriate
Make sure that each aggregate table supports your requirements for row-level security
Each aggregate level should have a database column used to store the attribute used as the row-level filter
The sample eFashion universe contains aggregates; however, they did not support row-level security for managers, so a modified version of eFashion (without aggregate tables) was used for this presentation
@VARIABLE 1 of 2
The @VARIABLE function is a Business Objects function that can be used for:
  The text of an interactive object previously created with the @Prompt function, i.e. the first argument entered in the @Prompt function
  A BusinessObjects system variable such as BOUSER or BOPASS
These variables represent, respectively, the user name and password forming the user identification
@VARIABLE 2 of 2
System variables also exist for the connection to the RDBMS (DBUSER & DBPASS)
@Variable('BOUSER') is useful for creating access restrictions based on user ID
The use of @Variable will be explored in one of the demonstrations
LIVE DEMONSTRATIONS
1) Creating and previewing a restriction set
2) Restriction options
3) Restriction priority
4) Using the "schedule for" option
DEMO 1: CREATING AND PREVIEWING A RESTRICTION SET
Goal: Limit managers' data access to their own stores
Goal: Restrict managers' access to the margin object
DEMO 1: CREATING AND PREVIEWING A RESTRICTION SET
Solution: Limit row access to own stores by creating a row restriction using @Variable('BOUSER')
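The row restriction from this demo and the aggregate-table caveat from the @AGGREGATE_AWARE slide, as an added Python sketch that is not part of the original presentation: it binds the BOUSER value into the WHERE clause and flags tables that lack the filter column. The SQLite tables, the manager column and the login canderson are constructed for illustration.

```python
import sqlite3

# Constructed sample data (not the eFashion schema): a detail table that
# carries the manager column and an aggregate table that does not.
SCHEMA = """
CREATE TABLE shop_facts (store TEXT, manager TEXT, revenue INTEGER);
CREATE TABLE agg_year   (year INTEGER, revenue INTEGER);
INSERT INTO shop_facts VALUES
  ('Austin', 'canderson', 100), ('Boston', 'canderson', 250),
  ('Chicago', 'other_mgr', 400);
INSERT INTO agg_year VALUES (2006, 750);
"""

# Row restriction as it would be typed in the Rows dialog (hypothetical column).
ROW_RESTRICTION = "manager = @Variable('BOUSER')"
FILTER_COLUMN = "manager"


def open_db():
    """Create the in-memory sample database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def tables_missing_filter(db, tables, column=FILTER_COLUMN):
    """Return the tables that cannot enforce the row restriction."""
    missing = []
    for table in tables:  # table names are trusted constants, never user input
        cols = [row[1] for row in db.execute(f"PRAGMA table_info({table})")]
        if column not in cols:
            missing.append(table)
    return missing


def restricted_revenue(db, table, bo_user):
    """Total revenue visible to bo_user with the restriction in the WHERE clause."""
    if tables_missing_filter(db, [table]):
        raise ValueError(f"{table} has no {FILTER_COLUMN} column; restriction cannot apply")
    # Bind the user name as a parameter instead of pasting it into the SQL text.
    where = ROW_RESTRICTION.replace("@Variable('BOUSER')", "?")
    sql = f"SELECT COALESCE(SUM(revenue), 0) FROM {table} WHERE {where}"
    return db.execute(sql, (bo_user,)).fetchone()[0]
```

Running tables_missing_filter over every aggregate table before exporting the universe shows which aggregate levels would bypass the manager filter.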
DEMO 1: CREATING AND PREVIEWING A RESTRICTION SET
Solution: Create object restriction to hide margin object
DEMO 1: CREATING AND PREVIEWING A RESTRICTION SET
Test object restrictions for manager Chris Anderson
DEMO 2: RESTRICTION OPTIONS
Show the effect of cumulative restrictions by using subgroups
A1 is a parent group, with A2 and A3 as nested subgroups
B1 is a peer group to A1
Irene is a member of both groups
DEMO 2: RESTRICTION OPTIONS
Demonstrate the effect of both options (AND/OR), using user Irene in the "Insight 2007 A1" and "Insight 2007 B1" security groups
DEMO 3: RESTRICTION PRIORITY
Determine the effect of priority when a user receives restrictions from more than one restriction set
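The rules from the Restriction Priority and Restriction Options slides, modelled in Python as an added example (not Business Objects code): exclusive restrictions come from the lowest-listed group, object restrictions accumulate, and row filters are joined with AND or OR. The restriction set contents are constructed; reading "lowest" as the last group in the list and applying AND/OR to row filters are assumptions.

```python
# Restriction kinds where only one group's value can win.
EXCLUSIVE = ("connection", "table_mapping", "sql_controls")

# Priority list as arranged in Designer: the last entry is the "lowest" group.
GROUP_ORDER = ["Insight 2007 A1", "Insight 2007 B1"]

# Constructed restriction sets, one per group.
RESTRICTION_SETS = {
    "Insight 2007 A1": {
        "connection": "QA",
        "hidden_objects": {"Margin"},
        "row_filter": "region = 'East'",
    },
    "Insight 2007 B1": {
        "connection": "Production",
        "hidden_objects": {"Salary"},
        "row_filter": "year = 2006",
    },
}


def effective_restrictions(user_groups, combine="AND"):
    """Resolve what a user who belongs to user_groups actually gets."""
    if combine not in ("AND", "OR"):
        raise ValueError("combine must be 'AND' or 'OR'")
    result = {"hidden_objects": set(), "row_filter": None}
    filters = []
    for group in GROUP_ORDER:
        if group not in user_groups or group not in RESTRICTION_SETS:
            continue
        rset = RESTRICTION_SETS[group]
        for kind in EXCLUSIVE:
            if kind in rset:
                result[kind] = rset[kind]  # a lower-listed group overwrites
        # Object restrictions are never exclusive: all of them apply.
        result["hidden_objects"] |= rset.get("hidden_objects", set())
        if "row_filter" in rset:
            filters.append(f"({rset['row_filter']})")
    if filters:
        result["row_filter"] = f" {combine} ".join(filters)
    return result
```

With OR, a user in both groups sees rows matching either filter, so switching the option widens access and is worth checking in the preview dialog for multi-group users.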
DEMO 4: USING THE "SCHEDULE FOR" OPTION
The "schedule for" feature allows you to generate reports that contain data for specific users only
You can schedule an object and specify for which users or groups you want the system to run the object
The system will run the object for each user, applying the universe restrictions appropriate to the user
FOR MORE INFORMATION
BusinessObjects documentation
  BusinessObjects XI Release 2 Designer's Guide (pp. 441-450)
  BusinessObjects Enterprise Administrator's Guide
Business Objects XI: The Complete Reference by Cindi Howson
  Chapter 13, Securing the System (pp. 312-326)
  McGraw-Hill/Osborne, 2006, ISBN 0-07-226265-6
CONCLUSION
Restriction sets allow universe behavior to be tailored and secured for individuals or groups
In addition to row and column-level security, restriction sets can override connection, query control, and SQL generation options
Restriction set priority can be controlled for users that belong to multiple security groups
Q&A
Questions
Dallas Marks, Training Manager, Dataspace
I will repeat questions to ensure everyone can hear
Contact information
www.dataspace.com
Visit us at booth S8 in the Partner Showcase