SAP BusinessObjects Security Essentials

Dallas Marks Session 409

[ MIKE NARDUCCI

ASUG ASSOCIATE MEMBER MEMBER SINCE: 1998

[ PHIL AWTRY

ASUG INSTALLATION MEMBER MEMBER SINCE: 1999

[ STEPHANIE CLUNE

ASUG INSTALLATION MEMBER MEMBER SINCE: 2004

[ Breakout Description
In this presentation, learn how the SAP BusinessObjects security model works. Leverage features, such as inheritance, scope of rights, and custom access levels, to secure the business intelligence system, while reducing overall complexity and maintenance. Techniques will be demonstrated using SAP BusinessObjects XI that are also applicable to SAP BusinessObjects Edge BI. Real-world scenarios drive home the concepts learned and give each attendee the confidence to implement the same techniques back home.

Real Experience. Real Advantage.

[ About Dallas Marks

Dallas Marks is a Senior Consultant and Trainer in the Information Management/Business Intelligence practice of Quorum Business Solutions. With offices in Dallas, Houston, and Calgary, Alberta, Quorum helps clients of all sizes throughout North America make better business decisions utilizing the power of business intelligence. Quorum is also an SAP BusinessObjects Authorized Education Provider and provides education at its training centers in Dallas, Houston, and client locations across North America. Dallas is an SAP BusinessObjects Certified Professional (BOCP) and authorized trainer for Web Intelligence, Universe Design, Xcelsius, and BusinessObjects Enterprise administration. A seasoned consultant and speaker, Dallas has worked with BusinessObjects tools since 2003 and presented at the North American conference each year since 2006. Dallas has implemented SAP BusinessObjects solutions for a number of industries, including energy, health care, and manufacturing. He holds a masters degree in Computer Engineering from the University of Cincinnati. Dallas blogs about various business intelligence topics at http://www.dallasmarks.org/.

Real Experience. Real Advantage.

[Quorum Company Profile

Solutions Consulting Firm Founded in 1998 Houston, Dallas, Calgary 350+ employees Employee owned; consistently profitable Strategic growth Oil & Gas Other emerging markets Upstream, Midstream, Marketing, Transportation Business Intelligence

Industry Expertise

Clients Project Experience

Real Experience. Real Advantage.

100+ clients Multiple projects with many Clients 400+ successful projects

[ Poll
By a show of hands, are you: Not currently running SAP BusinessObjects? Using classic version 6.x and earlier? Crystal Enterprise 10 and earlier? SAP BusinessObjects Edge BI? SAP BusinessObjects Enterprise XI R2? SAP BusinessObjects Enterprise XI 3.0? SAP BusinessObjects Enterprise XI 3.1 SP2 or higher? SAP BusinessObjects 4.0 (beta)?

Real Experience. Real Advantage.

[ Agenda
Comparing XI R2 and XI 3.x Security SAP BusinessObjects Security Basics Demonstration
Custom Access Levels, Permissions Explorer and Security Query

Best Practices Next Steps Your Questions

Real Experience. Real Advantage.

SAP BusinessObjects Security Essentials

COMPARING XI R2 AND XI 3.X SECURITY

Real Experience. Real Advantage.

[ Default Users and Groups

Users Administrator Guest QaaWSServletPrincipal PMUser Set Administrator password during install? Guest user disabled by default? Groups Administrators Everyone QaaWS Group Designer Report Conversion Tool Users BusinessObjects NT Users Universe Designer users Translators XI R2 yes yes no yes no no XI R2 yes yes no yes yes yes no XI 3.x yes yes yes no yes yes XI 3.x yes yes yes yes no yes yes

Real Experience. Real Advantage.

[ Security Features
Feature Folder Inheritance Group Inheritance Predefined Access Levels No Access View Schedule View On Demand Full Control Advanced Rights Custom Access Levels Break Inheritance Scope of Rights Combined Access Levels XI R2 yes yes yes yes yes yes yes yes yes no yes no no XI 3.x yes yes yes yes* yes yes yes yes yes yes yes yes yes

Real Experience. Real Advantage.

[ Security Applications
Application Central Management Console Web Component Adapter (WCA) Administrative Launchpad Query Builder Security Viewer Add-on Security Query Permissions Explorer XI R2 yes yes yes yes yes no no XI 3.x yes! no no yes no yes yes

Real Experience. Real Advantage.

SAP BusinessObjects Security Essentials

SECURITY BASICS

Real Experience. Real Advantage.

[ Terminology
Principal a user or group Rights override - a rights behavior in which rights that are set on child objects override the rights set on parent objects General Global Rights access rights enforced regardless of content type Content Specific Rights access rights unique to content type (Crystal Report, Web Intelligence, etc)

Real Experience. Real Advantage.

[ Predefined Rights

Rights Option

Description Unable to access an object Able to view historical (scheduled) instances of an object Able to schedule instances of an object Able to view live data on-demand Able to change or delete an object

XI R2 yes yes yes yes yes

No Access View Schedule View on Demand Full Control

XI 3.x slightly different yes yes yes yes

Real Experience. Real Advantage.

[ Advanced/Granular Rights
Rights Option Granted Denied Description The right is granted to a principal. The right is denied to a principal. The right is unspecified for a principal. By default, rights set to Not Specified are denied. The right applies to the object. This option becomes available when you click Granted or Denied. The right applies to sub-objects. This option becomes available when you click Granted or Denied. XI R2 yes yes XI 3.x yes yes

Not Specified

yes

yes

Apply to Object

no

yes

Apply to Sub-Objects

no

yes

Real Experience. Real Advantage.

[ Folder Inheritance
Global Rights

Top Level Folder Object

Subfolder Object

NOTE: In XI R2, global rights are set on the Rights tab in the Settings management area. In XI 3.x, global rights are set in the Folders management area as All Folders Security

Subfolder Object

Object

Real Experience. Real Advantage.

[ Group Inheritance Rules

eFashion Sales Managers 2008

eFashion East

eFashion South

eFashion West

Barrett

Richards

Larry

Leonard

Bennett

Steve

Real Experience. Real Advantage.

[ Breaking Inheritance
Still possible in XI 3.x as it was in XI Release 2 Can disable folder inheritance, group inheritance, or both May not be as necessary in XI 3.x because of new scope of rights features

Real Experience. Real Advantage.

[ Custom Access Levels

New Management Area in CMC XI 3.x Can create new access levels or copy existing access levels Pre-defined rights (View, Schedule, View On Demand, Full Control) levels cannot be altered Easier to manage than setting Advanced rights

Real Experience. Real Advantage.

[ Scope of Rights
Scope of rights new in XI 3.x, the ability to limit the extent of rights inheritance (Apply to Object, Apply to Sub-object) In BusinessObjects Enterprise XI R2, the administrator was forced to break inheritance when they wanted to give user rights to child folders that were different to those given to the parent folder In XI 3.x, rights are effective for both the parent object and the child objects by default (same as XI R2). However

Real Experience. Real Advantage.

[ Scope of Rights, cont.

With BusinessObjects Enterprise XI 3.x, the administrator can now specify that a right set on a parent object should apply to that object only.

Real Experience. Real Advantage.

SAP BusinessObjects Security Essentials

DEMONSTRATION USERS, GROUPS, FOLDERS

Real Experience. Real Advantage.

[ Demonstration Users & Groups

Real Experience. Real Advantage.

[ Demonstration Folders and Content

Real Experience. Real Advantage.

SAP BusinessObjects Security Essentials

DEMONSTRATION CUSTOM ACCESS LEVELS

Real Experience. Real Advantage.

[ Demonstration Custom Access Levels

Custom Access Level demo

Real Experience. Real Advantage.

SAP BusinessObjects Security Essentials

DEMONSTRATIONPERMISSIONS EXPLORER AND SECURITY QUERY

Real Experience. Real Advantage.

[ Permissions Explorer (object centric)

Use the Permissions Explorer to determine the rights a principal has on an object Improvement upon Check User Rights button in XI Release 2. Check User Rights only identified the effective rights the source of the rights assignment was still unknown Available from any object (folder, document, universe, connection, etc.) that can have rights assigned

Real Experience. Real Advantage.

[ Permissions Explorer

Permissions Explorer demo

Real Experience. Real Advantage.

[ Security Query (user centric)

Use Security Query to determine the objects to which a principal has been granted or denied access. Available from Users and Groups or Query Results

Real Experience. Real Advantage.

[ Security Query Query Principal

Query Principal - the user or group that you want to run the security query for. You can specify one principal for each security query

Real Experience. Real Advantage.

[ Security Query Query Permission

Query Permission - the right or rights you want to run the security query for, the status of these rights, and the object type these rights are set on

Real Experience. Real Advantage.

[ Security Query Query Context

Query Context - the CMC areas that you want the security query to search. For each area, you can choose whether to include sub-objects in the security query. A security query can have a maximum of four areas Security Query demo

Real Experience. Real Advantage.

SAP BusinessObjects Security Essentials

BEST PRACTICES

Real Experience. Real Advantage.

[ Security Best Practices - XI R2 or XI 3.x

Grant rights to groups on folders. Although rights can be granted on individual objects or users, the security model can become difficult to maintain. Use pre-defined rights wherever possible. Understand the additional complexity that advanced rights can introduce. Avoid breaking inheritance, while understanding it is sometimes necessary Add multiple users to Administrators group rather than sharing Administrator user account to improve traceability Document and maintain your security structure outside of the CMC MS Excel is a good choice

Real Experience. Real Advantage.

[ Security Best Practices - XI 3.x

Allot time in your upgrade/migration for administrative staff to understand both the new CMC interface/workflows as well as its new features Use custom access levels where you would have previously resorted to advanced rights. Identify opportunities to limit the scope of rights instead of breaking inheritance Take advantage of the Permissions Explorer and Security Query tools to diagnose and correct security issues

Real Experience. Real Advantage.

Deploying BI to the Masses

NEXT STEPS

Real Experience. Real Advantage.

36

[ Relevant ASUG SBOUC 2010 Breakout Sessions

I can CAL, can you? (Custom Access Levels)
Sandra Brotje | Session 0405 Tuesday, October 5, 2010 | 4:00 PM 5:00 PM

Real Experience. Real Advantage.

37

[ Recommended Reading
SAP BusinessObjects Enterprise Administrators Guide SAP BusinessObjects Enterprise XI 3.0/3.1 Upgrade Guide SAP BusinessObjects 5/6 to XI 3.1 Migration Guide

Visit the SAP Help Portal at http://help.sap.com to download these resources.

Real Experience. Real Advantage.

38

[ Relevant Education
SAP BusinessObjects Enterprise XI 3.0/3.1: Administration and Security
2 days - course code BOE310

SAP BusinessObjects Enterprise XI 3.0/3.1: Administering Servers

3 days - course code BOE320

SAP BusinessObjects Enterprise XI 3.0/3.1: Designing and Deploying a Solution

4 days - course code BOE330

Official SAP BusinessObjects curriculum is available on-site at your location or at authorized education centers around the world.

Real Experience. Real Advantage.

39

Thank you for participating.

Please remember to complete and return your evaluation form following this session. For ongoing education on this area of focus, visit the Year-Round Community page at www.asug.com/yrc

]
40

SESSION CODE: 409

Dallas Marks
Senior Consultant & Trainer Quorum Business Solutions [email protected] http://www.dallasmarks.org/blog/

Real Experience. Real Advantage.

For more information about Quorum Business Solutions: http://www.qbsol.com/ [email protected] 713.430.8601