8/20/2019 2005 Security Xi
1/74
BusinessObjects XI Security
From the Ground Up
Scott Emmons
Alan Mayer
Integra Solutions Inc.
Slide 2
Presentation Information (Hidden Slide)
Author: Scott Emmons, Alan Mayer
Company: Integra Solutions, Inc.
Contributors: Alan Mayer
Breakout session title (same as on slide 1): BusinessObjects XI Security From the Ground Up
Breakout session description
BusinessObjects XI introduces a new security model that allows administrators to centrally manage users and report content with more control than ever before. Discover how the essential pieces of this model can be configured to cover a variety of security schemes. Learn how to organize and designate access rights to resources at the folder, group, user, application, and metalayer level. Find out how to take advantage of new security concepts like restriction sets to further control database resources. For users of prior versions of BusinessObjects, this session will also include some tips and tricks that will make configuring security in BusinessObjects XI much easier.
Slide 3
Topics
The Big Picture
Folders and Categories
Groups and Users
Security Rights
Q&A
Slide 4
The Big Picture 1/6
All security information is kept in the System database
• Users, groups, categories, rights
The Central Management Server (CMS) uses this database to:
• Process logins
• Create sessions
• Validate rights
Published objects reside in Filestores
• Objects include Crystal reports, Webi documents, programs, …
• Two types of stores: Input and Output
Slide 5
The Big Picture 2/6
System Database
Relies on 5 tables
• Far fewer than the 50 tables of the traditional BusinessObjects repository
• Uses fewer resources to process
Each table stores information used by the Central Management Server (CMS)
• CMS_AliasesX – Alternative accounts for users
• CMS_IdNumbersX – Next available unique ID
• CMS_InfoObjectsX – All objects (users, groups, folders, …)
• CMS_RELATIONSX – Relationships between objects
• CMS_VersionInfo – Latest software version
Slide 6
The Big Picture 3/6
Central Management Server (CMS)
The only enterprise service that interacts with the
System database.
CMS decides “who gets to see what”
The tables contain the accounts, groups, and rights
This server deciphers this information to make its decision
This server also maintains this database through the
Central Management Console (CMC)
Web-based tool used to add folders, users, groups, and rights
Can also be used to publish report objects
Traditional BusinessObjects – acts like Supervisor
Slide 7
The Big Picture 4/6
Central Management Console (CMC)
The Central Management Console will be our main window into the System Database
Slide 8
The Big Picture 5/6
Filestores
Flat-file databases used to index and store published
objects
All published objects are maintained as files.
Directory structure is used like an “index” to quickly retrieve
content.
Objects are stored using machine-generated names
Two types of filestores available
Input Filestore
• Stores published objects that can be re-executed later.
• Data not stored with object
Output Filestore
• Stores object instances that have already been processed.
• Data is stored with instance
Slide 9
The Big Picture 6/6
Filestores, cont’d
Example of Input Filestore
Slide 10
Topics
The Big Picture
Folders and Categories
Groups and Users
Security Rights
Q&A
Slide 11
Folders and Categories 1/6
Folders store report content
All published objects are stored in a folder
An “object” can be a Crystal Report, Webi document, program, image, and so on.
Objects can be stored in one folder only – it represents the home for that object.
Traditional BusinessObjects – folders are like domains
Subfolders are allowed just like subdirectories in Windows
Categories allow users to classify objects
Unlike folders, objects may be linked to multiple categories
Categories can span objects stored in multiple folders
They serve as an alternative filing system
Slide 12
Folders and Categories 2/6
Real-life considerations for folders
Folders usually mirror the groups or departments that own the content
Folders can be based on organization, location, customers, …
Subfolders represent groups that own their own report objects in addition to objects within the main folder
Folder creation is CONTENT DRIVEN.
Slide 13
Folders and Categories 3/6
Creating a Folder
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose ‘Folders’
Click the New Folder button
Slide 14
Folders and Categories 4/6
Creating a Folder, cont’d
Define your folder
Slide 15
Folders and Categories 5/6
Creating a Folder, cont’d
Once the folder is created, subfolders can be added
Slide 16
Folders and Categories 6/6
Creating a Category
Categories can also be created from the CMC
Slide 17
Topics
The Big Picture
Folders and Categories
Groups and Users
Security Rights
Q&A
Slide 18
Users and Groups 1/13
Users allow people to access BusinessObjects Enterprise
These accounts determine how a user is authenticated when logging in
Authentication methods include:
• Enterprise
• Windows Authentication
• Active Directory
• Lightweight Directory Access Protocol (LDAP)
Users can be manually added or imported (mapped)
Information about the user can be added
• Name
• Description
• Password
• E-mail address
• License type (CPU or named user)
Slide 19
Users and Groups 2/13
Default users available
• Administrator – Performs all tasks within Enterprise
• Guest – Accesses reports (like Report Samples)
Slide 20
Users and Groups 3/13
Groups tie users with similar access rights together
Access to report content (reports, documents, …) is usually granted for groups rather than individual users
Users can belong to more than one group
Access rights will be discussed in a later section
Information about each group can be added
• Name
• Description
• Users that belong to the group
• Subgroups
Slide 21
Users and Groups 4/13
Default groups are available
Administrators
• Members can perform all tasks
Everyone
• All users belong to this group
• Allows access to Report Samples folder
Universe Designer Users
• Can use the Designer application
• Can access Universe Designer, Connections folder
BusinessObjects NT Users
• Windows Authentication only
Slide 22
Users and Groups 5/13
Creating a User
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose ‘Users’
Click the New User button
Slide 23
Users and Groups 6/13
Creating a User, cont’d
Fill in details for that user
Slide 24
Users and Groups 7/13
Creating a User, cont’d
Set password, authentication, and license type
Outdated
Slide 25
Users and Groups 8/13
Creating a User, cont’d
Once added, a user can be assigned to a group
Click on the ‘Member of’ button from the Member tab
Slide 26
Users and Groups 9/13
Creating a User, cont’d
Choose the groups that user should be a member of
Slide 27
Users and Groups 10/13
Creating a Group
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose ‘Groups’
Click the New Group button
Slide 28
Users and Groups 11/13
Creating a Group, cont’d
Fill in details for that group
Slide 29
Users and Groups 12/13
Creating a Group, cont’d
Subgroups can now be assigned (if they exist) using
the Subgroups tab …
… OR this group can be assigned as a subgroup
Slide 30
Users and Groups 13/13
Creating a Group, cont’d
In this case, IT Administrators will be a subgroup of IT
Slide 31
Topics
The Big Picture
Folders and Categories
Groups and Users
Security Rights
Q&A
Slide 32
Security Rights 1/41
Assigning rights to groups and users is easy once you understand the Enterprise Security Model
This model shows how rights are set and inherited
Once the main rules are understood, we’ll cover how to apply these rights at different levels
• Globally
• By Folder
• By Group
• By Object
• By Category
• By Application
• By Universe
Slide 33
Security Rights 2/41
The Enterprise Security Model
This model controls how users interact with BusinessObjects applications and report content
Control is granted/removed through RIGHTS
A right dictates what actions a user can perform
• View a report
• Use WebIntelligence to create an ad-hoc query
• Publish documents to the System database
Rights have been grouped internally as ACCESS LEVELS to make the job easier
These predefined levels can be customized by adding ADVANCED RIGHTS.
Slide 34
Security Rights 3/41
The Enterprise Security Model – Access Levels
Predefined access levels include:
No Access
• Not able to access report content
View
• A user can view the folder or report object, as well as any generated instances (executed versions) of those objects.
Schedule
• In addition to View, a user can create additional instances of an object through scheduling
• Complete control is given over those generated instances (delete, modify)
• For folders, a user can add report objects and copy the object and/or folder.
View On Demand
• In addition to Schedule rights, a user can refresh a report instantly (on demand)
Full Control
• The user gains all additional rights
Slide 35
Security Rights 4/41
The Enterprise Security Model – Access Levels
Advanced rights can be set on a folder or report object
Explicitly Granted
• User or group is given the right
Explicitly Denied
• User or group is denied the right. Denials take priority over grants.
Inherited
• The user or group inherits a right that was granted at a higher level
• Higher level folders or groups
Not Specified
• The right has not been assigned so it is denied
• It could be inherited or explicitly granted
Slide 36
Security Rights 5/41
Rules of the Road
Follow these simple rules …
Top-level folders inherit rights set at the global security level
• More on this in a minute
Children inherit the rights of their parents
Advanced rights override inherited rights
Denied rights override granted rights
Slide 37
Security Rights 6/41
Global-Level Rights
Global rights set the default security for the entire Enterprise system
Any top-level folder that is created will be given these permissions
Any group that should have certain system-wide rights needs global rights
Set these rights first, then decrease/increase rights as additional folders and objects are added
A common scenario:
• Administrators may need Full Control by default
• The Everyone group should have No Access
Slide 38
Security Rights 7/41
Establishing Global-level Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose ‘Settings’
Slide 39
Security Rights 8/41
Establishing Global-level Rights, cont’d
Example: Change global access for Administrators
to ‘Full Control’
Slide 40
Security Rights 9/41
Establishing Global-level Rights, cont’d
Control can be fine-tuned by setting Advanced Rights
Slide 41
Security Rights 10/41
Establishing Global-level Rights, cont’d
General settings can be explicitly granted or denied
These Advanced Rights are available at any level
(folder, object, ..)
Slide 42
Security Rights 11/41
Establishing Global-level Rights, cont’d
Advanced Rights for Reports
Slide 43
Security Rights 12/41
Establishing Global-level Rights, cont’d
Advanced Rights for Text and WebIntelligence
Slide 44
Security Rights 13/41
Folder-level Rights
Top-level folders use global rights to set their access levels
Groups and users are given access to folders
Rights for those groups and users are inherited from their parent folders
Additional rights can be added
Global
• Admin: Full Control
• Everyone: No Access
Sales
• Admin: Full Control (inherited)
• Everyone: No Access (Inherited)
• Sales: View
• Marketing: View
Slide 45
Security Rights 14/41
Folder-level Rights, cont’d
Subfolders inherit the rights of their parents
A subfolder may have different rights than its parent
Sales
• Sales: View
• Marketing: View
USA (subfolder of Sales)
• Sales: Schedule
• Marketing: View (Inherited)
Japan (subfolder of Sales)
• Sales: Schedule
• Marketing: No Access
Slide 46
Security Rights 15/41
Establishing Folder-level Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose ‘Folders’
Select a folder (like Sales)
Slide 47
Security Rights 16/41
Establishing Folder-level Rights, cont’d
Select the Rights tab
Add the group(s) that need access to this folder
Slide 48
Security Rights 17/41
Establishing Folder-level Rights, cont’d
Adjust that group’s access level to the folder
Slide 49
Security Rights 18/41
Group-level Rights
Users inherit rights from the group(s) they belong to
Subgroups inherit rights from their parent groups
A user that belongs to more than one group inherits the most powerful (least restrictive) access of any group
Sales
• Sales: View
• Marketing: No access
Sales USA (subgroup of Sales): View (inherited)
John (member of Sales USA): View
Slide 50
Security Rights 19/41
Group-level Rights
Users granted explicit rights override any rights inherited from their group
Denied rights override any other access
Sales
• Sales: View
• Marketing: No access
Sales USA (subgroup of Sales): View (inherited)
John (member of Sales USA): Denied
Sally (member of Sales USA): Schedule
Slide 51
Security Rights 20/41
Object-level Rights
Report content within a folder can have access rights
This allows finer-grained control over individual reports, programs, …
Establishing object-level access is very similar to folder-level access
Sales
• Admin: Full Control (inherited)
• Everyone: No Access (Inherited)
• Sales: View
• Marketing: View
Objects in Sales: Inventory Report.rpt, Customers.xls, Logo.bmp
Slide 52
Security Rights 21/41
Object-level Rights, cont’d
Object-level rights take priority over group and folder rights
Sales
Sales: View
Marketing: View
Inventory Report.rpt
Sales: Schedule
Scott: Full Control
Alan: Denied
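A worked model of the rules stated across the preceding Security Rights slides (global defaults, folder and subfolder inheritance, group membership and subgroups, a user's explicit rights over group rights, denied over granted, and object-level rights over folder rights), added here as an illustration. It is not Business Objects code and does not claim to be the CMS's actual algorithm. The folders, objects, groups and users are constructed to match the diagrams on slides 44, 45, 49, 50 and 52; the choice to stop at the nearest node that mentions the user or one of his groups, so that a user entry higher in the tree does not outrank a group entry on a nearer node, is an assumption of this model where the slides give no example.

```python
"""Toy resolver for the BusinessObjects XI rights rules shown in these slides.

Constructed illustration, not Business Objects code and not the CMS's real
algorithm.  Rules encoded: top-level folders take the global defaults, children
inherit from parents, an explicit (advanced) right on a nearer node overrides
an inherited one, a user's own entry overrides his groups' entries, a Denied
entry overrides any grant, and a user in several groups otherwise gets the
most powerful level among them.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Predefined access levels, least to most powerful (slide 34).
LEVELS = ["No Access", "View", "Schedule", "View On Demand", "Full Control"]
DENIED = "Denied"  # explicit denial, an advanced right (slide 35)


def _rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class Node:
    """A folder or report object.  `rights` maps principal -> level or DENIED."""
    name: str
    parent: Optional[Node] = None
    rights: dict[str, str] = field(default_factory=dict)

    def child(self, name: str, **rights: str) -> Node:
        # Keyword form keeps sample data readable: folder.child("USA", Sales="Schedule").
        return Node(name, self, dict(rights))


@dataclass
class Directory:
    """Group memberships.  Subgroups inherit their parent groups' rights (slide 49)."""
    members: dict[str, set[str]] = field(default_factory=dict)  # user -> direct groups
    parents: dict[str, set[str]] = field(default_factory=dict)  # group -> parent groups

    def groups_of(self, user: str) -> set[str]:
        # Every user belongs to Everyone (slide 21); then walk up through parent groups.
        closure, todo = {"Everyone"}, list(self.members.get(user, ()))
        while todo:
            group = todo.pop()
            if group not in closure:
                closure.add(group)
                todo.extend(self.parents.get(group, ()))
        return closure


def effective_access(user: str, node: Node, directory: Directory) -> str:
    """Resolve the level `user` ends up with on `node` (a level name or DENIED).

    Walk from the node up to the global root; the nearest node that mentions the
    user or one of his groups decides (explicit beats inherited).  Assumption of
    this model: the walk stops at that node, so a user entry higher in the tree
    does not outrank a group entry on a nearer node.
    """
    groups = directory.groups_of(user)
    current: Optional[Node] = node
    while current is not None:
        if user in current.rights:                  # the user's own entry wins
            return current.rights[user]
        hits = [current.rights[g] for g in groups if g in current.rights]
        if hits:
            if DENIED in hits:                      # denied beats granted
                return DENIED
            return max(hits, key=_rank)             # least restrictive group wins
        current = current.parent
    return "No Access"  # not specified anywhere: the right is not granted (slide 35)


def build_slide_scenario() -> tuple[dict[str, Node], Directory]:
    """Constructed data matching the diagrams on slides 44, 45, 49, 50 and 52."""
    root = Node("Global", rights={"Administrators": "Full Control", "Everyone": "No Access"})
    sales = root.child("Sales", Sales="View", Marketing="View")
    nodes = {
        "Global": root,
        "Sales": sales,
        "Sales/USA": sales.child("USA", Sales="Schedule", John=DENIED, Sally="Schedule"),
        "Sales/Japan": sales.child("Japan", Sales="Schedule", Marketing="No Access"),
        "Sales/Inventory Report.rpt": sales.child(
            "Inventory Report.rpt", Sales="Schedule", Scott="Full Control", Alan=DENIED),
    }
    directory = Directory(
        members={"John": {"Sales USA"}, "Sally": {"Sales USA"}, "Scott": {"Sales"},
                 "Alan": {"Sales"}, "Mary": {"Marketing"}, "Admin": {"Administrators"}},
        parents={"Sales USA": {"Sales"}},
    )
    return nodes, directory


if __name__ == "__main__":
    nodes, directory = build_slide_scenario()
    for who in ("Admin", "John", "Sally", "Scott", "Alan", "Mary", "Guest"):
        row = {path: effective_access(who, n, directory) for path, n in nodes.items()}
        print(f"{who:6s} {row}")
```

Running the script prints one row per user with the level resolved on each folder and object; John is Denied in Sales/USA but still gets View on the Sales folder through the Sales USA subgroup, Mary loses Marketing's inherited View only in Sales/Japan, and Admin keeps Full Control everywhere because the Administrators grant at the global level outranks the Everyone default.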
Slide 53
Security Rights 22/41
Establishing Object-level Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose ‘Objects’
Select an object
Slide 54
Security Rights 23/41
Establishing Object-level Rights
Select the Rights tab
Add a group or user that needs access
Modify existing group or user access
Slide 55
Security Rights 24/41
Category-level Rights
Categories group similar object content together
It acts as an alternative filing system that can span multiple folders
Like folders and objects, access rights can be set on categories
A group or user must have rights to the category and object within that category
If the object is not available, it will not appear in its associated category
Slide 56
Security Rights 25/41
Establishing Category Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose ‘Categories’
Select a category
Slide 57
Security Rights 26/41
Establishing Category-level Rights
Select the Rights tab
Add a group or user that needs access
Modify existing group or user access
Slide 58
Security Rights 27/41
Application-level Rights
Enterprise applications can be secured using rights
Basic applications that can be secured:
• Central Management Console (CMC)
• Designer
• Infoview
• WebIntelligence
Additional applications can be added and secured
• Strategy Builder
• Performance Management
• …
This allows portions of each application to be assigned
to separate groups
Slide 59
Security Rights 28/41
Establishing Application Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose ‘BusinessObjects Enterprise Applications’
Slide 60
Security Rights 29/41
Establishing Application Rights, cont’d
Select an Enterprise Application (like Designer)
Slide 61
Security Rights 30/41
Establishing Application Rights, cont’d
Select the Rights tab
Add a group or user if necessary
Click on the Advanced button for application-specific
rights
Slide 62
Security Rights 31/41
Universe-level Rights
Universes are interfaces built using the Designer application.
Users can use these universes to develop ad-hoc reports using WebIntelligence (and Crystal Reports!)
Universes must be imported into the System database
The Central Management Console can control their use
• Who can access a universe
• What rights are given for that universe
• What objects that group or user can see
• What databases the universe can connect to
The Designer application can further restrict access to a universe
Slide 63
Security Rights 32/41
Establishing Universe Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose ‘Universes’
Slide 64
Security Rights 33/41
Establishing Universe Rights, cont’d
Select a universe (like Xtreme)
Click on the Object Level Security tab
Slide 65
Security Rights 34/41
Establishing Universe Rights, cont’d
Objects can be designated with a security level when the universe is created
This matches with the group/user’s security level
Object levels: Public, Controlled, Confidential, Restricted, Private
Group/User levels: Public, Controlled, Confidential, Restricted, Private
A group or user can see objects up to his security level!
Slide 66
Security Rights 35/41
Establishing Universe Rights, cont’d
Rights are established like folders and objects
Advanced rights apply to Universe Designers
Slide 67
Security Rights 36/41
Establishing Universe Rights, cont’d
Universe database connections can also be secured
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose ‘Universe Connections’
Slide 68
Security Rights 37/41
Establishing Universe Rights, cont’d
Select a connection (like Xtreme)
Select the Rights tab
Advanced rights are pretty simple
You can use the connection or you can’t
Slide 69
Security Rights 38/41
Establishing Universe Rights, cont’d
The Universe Designer now allows security restriction sets
These restriction sets mimic the universe restrictions from BO Supervisor
• Database connections can be changed
• Row and column level security can be enforced
• Tables can be substituted for other tables and views
Once created, they can be applied against any user or group
Slide 70
Security Rights 39/41
Establishing Universe Rights, cont’d
Log into Universe Designer
Open or import a universe (like Xtreme)
Select the Security Restriction Set icon
Slide 71
Security Rights 40/41
Establishing Universe Rights, cont’d
Refer to the Designer’s Guide for more information
Slide 72
Security Rights 41/41
Establishing Universe Rights, cont’d
Once created, the restriction set can be applied to groups and users
Slide 73
Topics
Introduction
The Big Picture
Folders and Categories
Groups and Users
Security Rights
Q&A
Slide 74
Q&A
Questions
Contact information
Scott Emmons
Email: [email protected]