2005 Security Xi

Aug 07, 2018

srivardan
Transcript
  • 8/20/2019 2005 Security Xi

    1/74

    BusinessObjects XI Security

    From the Ground Up

    Scott Emmons

     Alan Mayer 

    Integra Solutions Inc.

  • Slide 2

    Presentation Information (Hidden Slide)

    Author: Scott Emmons, Alan Mayer

    Company: Integra Solutions, Inc.

    Contributors: Alan Mayer

    Breakout session title (same as on slide 1): BusinessObjects XI Security From the Ground Up

    Breakout session description:

    BusinessObjects XI introduces a new security model that allows administrators to centrally manage users and report content with more control than ever before. Discover how the essential pieces of this model can be configured to cover a variety of security schemes. Learn how to organize and designate access rights to resources at the folder, group, user, application, and metalayer level. Find out how to take advantage of new security concepts like restriction sets to further control database resources. For users of prior versions of BusinessObjects, this session will also include some tips and tricks that will make configuring security in BusinessObjects XI much easier.

    Print_Code (please leave for Business Objects use)

  • Slide 3

    Topics

    • The Big Picture
    • Folders and Categories
    • Groups
    • Users
    • Security Rights
    • Q&A

  • Slide 4

    The Big Picture 1/6

    • All security information is kept in the System database
      • Users, groups, categories, rights
    • The Central Management Server (CMS) uses this database
      • Process logins
      • Create sessions
      • Validate rights
    • Published objects reside in Filestores
      • Objects include Crystal reports, Webi documents, programs, …
      • Two types of stores: Input and Output

  • Slide 5

    The Big Picture 2/6

    System Database

    • Relies on 5 tables
      • Far fewer than the 50 tables of the traditional BusinessObjects repository
      • Uses fewer resources to process
    • Each table stores information used by the Central Management Server (CMS)
      • CMS_AliasesX – Alternative accounts for users
      • CMS_IdNumbersX – Next available unique ID
      • CMS_InfoObjectsX – All objects (users, groups, folders, …)
      • CMS_RELATIONSX – Relationships between objects
      • CMS_VersionInfo – Latest software version

  • Slide 6

    The Big Picture 3/6

    Central Management Server (CMS)

    • The only enterprise service that interacts with the System database
    • CMS decides “who gets to see what”
      • The tables contain the accounts, groups, and rights
      • This server deciphers this information to make its decision
    • This server also maintains this database through the Central Management Console (CMC)
      • Web-based tool used to add folders, users, groups, and rights
      • Can also be used to publish report objects
      • Traditional BusinessObjects – acts like Supervisor

  • Slide 7

    The Big Picture 4/6

    Central Management Console (CMC)

    • The Central Management Console will be our main window into the System Database

  • Slide 8

    The Big Picture 5/6

    Filestores

    • Flat-file databases used to index and store published objects
      • All published objects are maintained as files.
      • Directory structure is used like an “index” to quickly retrieve content.
      • Objects are stored using machine-generated names
    • Two types of filestores available
      • Input Filestore
        • Stores published objects that can be re-executed later.
        • Data not stored with object
      • Output Filestore
        • Stores object instances that have already been processed.
        • Data is stored with instance

  • Slide 9

    The Big Picture 6/6

    Filestores, cont’d

    • Example of Input Filestore

  • Slide 10

    Topics

    • The Big Picture
    • Folders and Categories
    • Groups and Users
    • Security Rights
    • Q&A

  • Slide 11

    Folders and Categories 1/6

    • Folders store report content
      • All published objects are stored in a folder
      • An “object” can be a Crystal Report, Webi document, program, image, and so on.
      • Objects can be stored in one folder only – it represents the home for that object.
      • Traditional BusinessObjects – folders are like domains
      • Subfolders are allowed just like subdirectories in Windows
    • Categories allow users to classify objects
      • Unlike folders, objects may be linked to multiple categories
      • Categories can span objects stored in multiple folders
      • They serve as an alternative filing system

  • Slide 12

    Folders and Categories 2/6

    • Real-life considerations for folders
      • Folders usually mirror the groups or departments that own the content
      • Folders can be based on organization, location, customers, …
      • Subfolders represent groups that own their own report objects in addition to objects within the main folder
    • Folder creation is CONTENT DRIVEN.

  • Slide 13

    Folders and Categories 3/6

    Creating a Folder

    • Run the Administration Launchpad (Java or .NET)
    • Log into the Central Management Console
    • Choose ‘Folders’
    • Click the New Folder button

  • Slide 14

    Folders and Categories 4/6

    Creating a Folder, cont’d

    • Define your folder

  • Slide 15

    Folders and Categories 5/6

    Creating a Folder, cont’d

    • Once the folder is created, subfolders can be added

  • Slide 16

    Folders and Categories 6/6

    Creating a Category

    • Categories can also be created from the CMC

  • Slide 17

    Topics

    • The Big Picture
    • Folders and Categories
    • Groups and Users
    • Security Rights
    • Q&A

  • Slide 18

    Users and Groups 1/13

    • Users allow people to access BusinessObjects Enterprise
      • These accounts determine how a user is authenticated when logging in
      • Authentication methods include:
        • Enterprise
        • Windows Authentication
        • Active Directory
        • Lightweight Directory Access Protocol (LDAP)
      • Users can be manually added or imported (mapped)
      • Information about the user can be added
        • Name
        • Description
        • Password
        • E-mail address
        • License type (CPU or named user)

  • Slide 19

    Users and Groups 2/13

    • Default users available
      • Administrator – Performs all tasks within Enterprise
      • Guest – Accesses reports (like Report Samples)

  • Slide 20

    Users and Groups 3/13

    • Groups tie users with similar access rights together
      • Access to report content (reports, documents, …) is usually granted for groups rather than individual users
      • Users can belong to more than one group
      • Access rights will be discussed in a later section
      • Information about each group can be added
        • Name
        • Description
        • Users that belong to the group
        • Subgroups

  • Slide 21

    Users and Groups 4/13

    • Default groups are available
      • Administrators
        • Members can perform all tasks
      • Everyone
        • All users belong to this group
        • Allows access to Report Samples folder
      • Universe Designer Users
        • Can use the Designer application
        • Can access Universe Designer, Connections folder
      • BusinessObjects NT Users
        • Windows Authentication only

  • Slide 22

    Users and Groups 5/13

    Creating a User

    • Run the Administration Launchpad (Java or .NET)
    • Log into the Central Management Console
    • Choose ‘Users’
    • Click the New User button

  • Slide 23

    Users and Groups 6/13

    Creating a User, cont’d

    • Fill in details for that user

  • Slide 24

    Users and Groups 7/13

    Creating a User, cont’d

    • Set password, authentication, and license type

    Outdated

  • Slide 25

    Users and Groups 8/13

    Creating a User, cont’d

    • Once added, a user can be assigned to a group
    • Click on the ‘Member of’ button from the Member tab

  • Slide 26

    Users and Groups 9/13

    Creating a User, cont’d

    • Choose the groups that user should be a member of

  • Slide 27

    Users and Groups 10/13

    Creating a Group

    • Run the Administration Launchpad (Java or .NET)
    • Log into the Central Management Console
    • Choose ‘Groups’
    • Click the New Group button

  • Slide 28

    Users and Groups 11/13

    Creating a Group, cont’d

    • Fill in details for that group

  • Slide 29

    Users and Groups 12/13

    Creating a Group, cont’d

    • Subgroups can now be assigned (if they exist) using the Subgroups tab …
    • … OR this group can be assigned as a subgroup

  • Slide 30

    Users and Groups 13/13

    Creating a Group, cont’d

    • In this case, IT Administrators will be a subgroup of IT

  • Slide 31

    Topics

    • The Big Picture
    • Folders and Categories
    • Groups and Users
    • Security Rights
    • Q&A

  • Slide 32

    Security Rights 1/41

    • Assigning rights to groups and users is easy once you understand the Enterprise Security Model
      • This model shows how rights are set and inherited
    • Once the main rules are understood, we’ll cover how to apply these rights at different levels
      • Globally
      • By Folder
      • By Group
      • By Object
      • By Category
      • By Application
      • By Universe

  • Slide 33

    Security Rights 2/41

    The Enterprise Security Model

    • This model controls how users interact with BusinessObjects applications and report content
    • Control is granted/removed through RIGHTS
    • A right dictates what actions a user can perform
      • View a report
      • Use WebIntelligence to create an ad-hoc query
      • Publish documents to the System database
    • Rights have been grouped internally as ACCESS LEVELS to make the job easier
    • These predefined levels can be customized by adding ADVANCED RIGHTS.

  • Slide 34

    Security Rights 3/41

    The Enterprise Security Model – Access Levels

    • Predefined access levels include:
      • No Access
        • Not able to access report content
      • View
        • A user can view the folder or report object, as well as any generated instances (executed versions) of those objects.
      • Schedule
        • In addition to View, a user can create additional instances of an object through scheduling
        • Complete control is given over those generated instances (delete, modify)
        • For folders, a user can add report objects and copy the object and/or folder.
      • View On Demand
        • In addition to Schedule rights, a user can refresh a report instantly (on demand)
      • Full Control
        • The user gains all additional rights

  • Slide 35

    Security Rights 4/41

    The Enterprise Security Model – Access Levels

    • Advanced rights can be set on a folder or report object
      • Explicitly Granted
        • User or group is given the right
      • Explicitly Denied
        • User or group is denied the right. Denials take priority over grants.
      • Inherited
        • The user or group inherits a right that was granted at a higher level
        • Higher level folders or groups
      • Not Specified
        • The right has not been assigned so it is denied
        • It could be inherited or explicitly granted

  • Slide 36

    Security Rights 5/41

    Rules of the Road

    • Follow these simple rules …
      • Top-level folders inherit rights set at the global security level
        • More on this in a minute
      • Children inherit the rights of their parents
      • Advanced rights override inherited rights
      • Denied rights override granted rights

  • Slide 37

    Security Rights 6/41

    Global-Level Rights

    • Global rights set the default security for the entire Enterprise system
      • Any top-level folder that is created will be given these permissions
      • Any group that should have certain system-wide rights needs global rights
    • Set these rights first, then decrease/increase rights as additional folders and objects are added
    • A common scenario:
      • Administrators may need Full Control by default
      • The Everyone group should have No Access

  • Slide 38

    Security Rights 7/41

    Establishing Global-level Rights

    • Run the Administration Launchpad (Java or .NET)
    • Log into the Central Management Console
    • Choose ‘Settings’

  • Slide 39

    Security Rights 8/41

    Establishing Global-level Rights, cont’d

    • Example: Change global access for Administrators to ‘Full Control’

  • Slide 40

    Security Rights 9/41

    Establishing Global-level Rights, cont’d

    • Control can be fine-tuned by setting Advanced Rights

  • Slide 41

    Security Rights 10/41

    Establishing Global-level Rights, cont’d

    • General settings can be explicitly granted or denied
    • These Advanced Rights are available at any level (folder, object, ..)

  • Slide 42

    Security Rights 11/41

    Establishing Global-level Rights, cont’d

    • Advanced Rights for Reports

  • Slide 43

    Security Rights 12/41

    Establishing Global-level Rights, cont’d

    • Advanced Rights for Text and WebIntelligence

  • Slide 44

    Security Rights 13/41

    Folder-level Rights

    • Top-level folders use global rights to set their access levels
    • Groups and users are given access to folders
      • Rights for those groups and users are inherited from their parent folders
      • Additional rights can be added

    Diagram:
    • Global
      • Admin: Full Control
      • Everyone: No Access
    • Sales
      • Admin: Full Control (inherited)
      • Everyone: No Access (Inherited)
      • Sales: View
      • Marketing: View

  • Slide 45

    Security Rights 14/41

    Folder-level Rights, cont’d

    • Subfolders inherit the rights of their parents
    • A subfolder may have different rights than its parent

    Diagram:
    • Sales
      • Sales: View
      • Marketing: View
    • Sales USA
      • Sales: Schedule
      • Marketing: View (Inherited)
    • Sales Japan
      • Sales: Schedule
      • Marketing: No Access

  • Slide 46

    Security Rights 15/41

    Establishing Folder-level Rights

    • Run the Administration Launchpad (Java or .NET)
    • Log into the Central Management Console
    • Choose ‘Folders’
    • Select a folder (like Sales)

  • Slide 47

    Security Rights 16/41

    Establishing Folder-level Rights, cont’d

    • Select the Rights tab
    • Add the group(s) that need access to this folder

  • Slide 48

    Security Rights 17/41

    Establishing Folder-level Rights, cont’d

    • Adjust that group’s access level to the folder

  • Slide 49

    Security Rights 18/41

    Group-level Rights

    • Users inherit rights from the group(s) they belong to
    • Subgroups inherit rights from their parent groups
    • A user that belongs to more than one group inherits the most powerful (least restrictive) access of any group

    Diagram:
    • Sales
      • Sales: View
      • Marketing: No access
    • Sales USA: View (inherited)
    • John: View

  • Slide 50

    Security Rights 19/41

    Group-level Rights

    • Users granted explicit rights override any rights inherited from their group
    • Denied rights override any other access

    Diagram:
    • Sales
      • Sales: View
      • Marketing: No access
    • Sales USA: View (inherited)
    • John: Denied
    • Sally: Schedule

  • Slide 51

    Security Rights 20/41

    Object-level Rights

    • Report content within a folder can have access rights
    • This allows finer-grained control over individual reports, programs, …
    • Establishing object-level access is very similar to folder-level access

    Diagram:
    • Sales
      • Admin: Full Control (inherited)
      • Everyone: No Access (Inherited)
      • Sales: View
      • Marketing: View
    • Inventory Report.rpt
    • Customers.xls
    • Logo.bmp

  • Slide 52

    Security Rights 21/41

    Object-level Rights, cont’d

    • Object-level rights take priority over group and folder rights

    Diagram:
    • Sales
      • Sales: View
      • Marketing: View
    • Inventory Report.rpt
      • Sales: Schedule
      • Scott: Full Control
      • Alan: Denied
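
    The inheritance rules from the Security Rights slides, as an added example that is not part of the original presentation and is not BusinessObjects code: a simplified Python model that resolves a user's effective access on the folder tree drawn in the diagrams. The group memberships, the users Mary, Dana and Root, and the exact order in which colliding rules are applied are assumptions; "Administrators" stands for the diagrams' "Admin".

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set, Union


class Level(IntEnum):
    """Predefined access levels from the slides, least to most permissive."""
    NO_ACCESS = 0
    VIEW = 1
    SCHEDULE = 2
    VIEW_ON_DEMAND = 3
    FULL_CONTROL = 4


DENIED = "Denied"  # explicit denial marker; it is not an access level
Right = Union[Level, str]


@dataclass
class Node:
    """A securable: the global level, a folder, or an object in a folder."""
    name: str
    parent: Optional["Node"] = None
    acl: Dict[str, Right] = field(default_factory=dict)  # principal -> right


def nearest(node: Optional[Node], principal: str) -> Optional[Right]:
    """Children inherit from parents; a closer assignment overrides."""
    while node is not None:
        if principal in node.acl:
            return node.acl[principal]
        node = node.parent
    return None  # Not Specified anywhere on the path


def groups_of(user: str, member_of: Dict[str, List[str]]) -> Set[str]:
    """Every group of a user: direct groups, parent groups and Everyone."""
    seen: Set[str] = set()
    todo = ["Everyone"] + member_of.get(user, [])
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(member_of.get(group, []))  # subgroup -> parent groups
    return seen


def effective(user: str, node: Node, member_of: Dict[str, List[str]]) -> Right:
    """Resolve the user's access on node under the simplified rules."""
    own = nearest(node, user)
    via_groups = [r for r in (nearest(node, g) for g in groups_of(user, member_of))
                  if r is not None]
    if own == DENIED or DENIED in via_groups:
        return DENIED  # denied rights override any other access
    if own is not None:
        return own  # explicit user rights override group rights
    return max(via_groups, default=Level.NO_ACCESS)  # least restrictive group


# Folder tree and rights as drawn in the folder-level and object-level diagrams.
GLOBAL = Node("Global", acl={"Administrators": Level.FULL_CONTROL,
                             "Everyone": Level.NO_ACCESS})
SALES = Node("Sales", GLOBAL, {"Sales": Level.VIEW, "Marketing": Level.VIEW})
SALES_USA = Node("Sales USA", SALES, {"Sales": Level.SCHEDULE})
SALES_JAPAN = Node("Sales Japan", SALES, {"Sales": Level.SCHEDULE,
                                          "Marketing": Level.NO_ACCESS})
REPORT = Node("Inventory Report.rpt", SALES, {"Sales": Level.SCHEDULE,
                                              "Scott": Level.FULL_CONTROL,
                                              "Alan": DENIED})

# Constructed memberships (the slides do not state them); "Sales USA" here is
# the group from the group-level diagram, a subgroup of Sales.
MEMBER_OF = {"John": ["Sales USA"], "Sales USA": ["Sales"], "Scott": ["Sales"],
             "Alan": ["Sales"], "Mary": ["Marketing"],
             "Dana": ["Sales", "Marketing"], "Root": ["Administrators"]}
```

    Calling effective("Dana", SALES_JAPAN, MEMBER_OF) shows the multi-group case: Marketing's No Access on that folder does not block a user who also reaches Schedule through Sales, whereas Alan's explicit Denied on the report does.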

  • Slide 53

    Security Rights 22/41

    Establishing Object-level Rights

    • Run the Administration Launchpad (Java or .NET)
    • Log into the Central Management Console
    • Choose ‘Objects’
    • Select an object

  • Slide 54

    Security Rights 23/41

    Establishing Object-level Rights

    • Select the Rights tab
    • Add a group or user that needs access
    • Modify existing group or user access

  • Slide 55

    Security Rights 24/41

    Category-level Rights

    • Categories group similar object content together
      • It acts as an alternative filing system that can span multiple folders
    • Like folders and objects, access rights can be set on categories
      • A group or user must have rights to the category and object within that category
      • If the object is not available, it will not appear in its associated category

  • Slide 56

    Security Rights 25/41

    Establishing Category Rights

    • Run the Administration Launchpad (Java or .NET)
    • Log into the Central Management Console
    • Choose ‘Categories’
    • Select a category

  • Slide 57

    Security Rights 26/41

    Establishing Category-level Rights

    • Select the Rights tab
    • Add a group or user that needs access
    • Modify existing group or user access

  • Slide 58

    Security Rights 27/41

    Application-level Rights

    • Enterprise applications can be secured using rights
    • Basic applications that can be secured:
      • Central Management Console (CMC)
      • Designer
      • Infoview
      • WebIntelligence
    • Additional applications can be added and secured
      • Strategy Builder
      • Performance Management
    • This allows portions of each application to be assigned to separate groups

  • Slide 59

    Security Rights 28/41

    Establishing Application Rights

    • Run the Administration Launchpad (Java or .NET)
    • Log into the Central Management Console
    • Choose ‘BusinessObjects Enterprise Applications’

  • Slide 60

    Security Rights 29/41

    Establishing Application Rights, cont’d

    • Select an Enterprise Application (like Designer)

  • Slide 61

    Security Rights 30/41

    Establishing Application Rights, cont’d

    • Select the Rights tab
    • Add a group or user if necessary
    • Click on the Advanced button for application-specific rights

  • Slide 62

    Security Rights 31/41

    Universe-level Rights

    • Universes are interfaces built using the Designer application.
      • Users can use these universes to develop ad-hoc reports using WebIntelligence (and Crystal Reports!)
      • Universes must be imported into the System database
    • The Central Management Console can control their use
      • Who can access a universe
      • What rights are given for that universe
      • What objects that group or user can see
      • What databases the universe can connect to
    • The Designer application can further restrict access to a universe

  • Slide 63

    Security Rights 32/41

    Establishing Universe Rights

    • Run the Administration Launchpad (Java or .NET)
    • Log into the Central Management Console
    • Choose ‘Universes’

  • Slide 64

    Security Rights 33/41

    Establishing Universe Rights, cont’d

    • Select a universe (like Xtreme)
    • Click on the Object Level Security tab

  • Slide 65

    Security Rights 34/41

    Establishing Universe Rights, cont’d

    • Objects can be designated with a security level when the universe is created
    • This matches with the group/user’s security level

    Diagram:
    • Object: Public, Controlled, Confidential, Restricted, Private
    • Group/User: Public, Controlled, Confidential, Restricted, Private
    • A group or user can see objects up to his security level!

  • Slide 66

    Security Rights 35/41

    Establishing Universe Rights, cont’d

    • Rights are established like folders and objects
    • Advanced rights apply to Universe Designers

  • Slide 67

    Security Rights 36/41

    Establishing Universe Rights, cont’d

    • Universe database connections can also be secured
      • Run the Administration Launchpad (Java or .NET)
      • Log into the Central Management Console
      • Choose ‘Universe Connections’

  • Slide 68

    Security Rights 37/41

    Establishing Universe Rights, cont’d

    • Select a connection (like Xtreme)
    • Select the Rights tab
    • Advanced rights are pretty simple
      • You can use the connection or you can’t

  • Slide 69

    Security Rights 38/41

    Establishing Universe Rights, cont’d

    • The Universe Designer now allows security restriction sets
    • These restriction sets mimic the universe restrictions from BO Supervisor
      • Database connections can be changed
      • Row and column level security can be enforced
      • Tables can be substituted for other tables and views
    • Once created, they can be applied against any user or group

  • Slide 70

    Security Rights 39/41

    Establishing Universe Rights, cont’d

    • Log into Universe Designer
    • Open or import a universe (like Xtreme)
    • Select the Security Restriction Set icon

  • Slide 71

    Security Rights 40/41

    Establishing Universe Rights, cont’d

    • Refer to the Designer’s Guide for more information

  • Slide 72

    Security Rights 41/41

    Establishing Universe Rights, cont’d

    • Once created, the restriction set can be applied to groups and users

  • Slide 73

    Topics

    • Introduction
    • The Big Picture
    • Folders and Categories
    • Groups and Users
    • Security Rights
    • Q&A

  • Slide 74

    Q&A

    • Questions
    • Contact information
      • Scott Emmons
      • Email: [email protected]