© 2012 Wellesley Information Services. All rights reserved. A Comprehensive Introduction to the Business Objects BI Security Model Dallas Marks Kalvin Consulting
Nov 08, 2014
© 2012 Wellesley Information Services. All rights reserved.
A Comprehensive Introduction to the Business Objects BI Security Model
Dallas Marks Kalvin Consulting
About Dallas Marks
• Dallas is an SAP Certified Application Associate and authorized
trainer for Web Intelligence, Information Design Tool, Universe
Design Tool, Dashboards (formerly Xcelsius), and SAP
BusinessObjects Business Intelligence administration. A
seasoned consultant and speaker, Dallas has worked with SAP
BusinessObjects tools since 2003 and presented at the North
American conference each year since 2006. This is Dallas’ first
appearance at an SAP Insider event.
• Dallas has implemented SAP BusinessObjects solutions for a
number of industries, including retail, energy, health care, and
manufacturing. He holds a master’s degree in Computer
Engineering from the University of Cincinnati.
• Dallas blogs about various business intelligence topics at
http://www.dallasmarks.org/. You can follow him on Twitter at
@dallasmarks. 1
In This Session …
• In this presentation, learn how the Business Objects security
model works
• Leverage features such as inheritance, scope of rights, and
custom access levels to secure the business intelligence system
while reducing overall complexity and maintenance
• Techniques will be demonstrated using SAP BusinessObjects
Business Intelligence 4.0 that are also applicable to SAP
BusinessObjects Edge BI 4.0 and previous releases of SAP
BusinessObjects Enterprise (XI R2 and XI 3.x)
2
3
What We’ll Cover …
• Business Objects Security Basics
• Demonstration: Business Objects Security Basics
• Troubleshooting Your Security Model
• Best Practices
• Wrap-up
Does Security Setup Make You Angry?
4 Image courtesy of Sardonic Salad, used with permission
Terminology
• Principal – A user or group
• Rights override – A rights
behavior in which rights that are
set on child objects override the
rights set on parent objects
• General Global Rights – Access
rights enforced regardless of
content type
• Content Specific Rights –
Access rights unique to content
type (Crystal Report, Web
Intelligence, etc.)
5
Predefined Rights
6
Rights Level Description XI R2 XI 3.x/BI 4.0
No Access Unable to access an object (default) Yes Slightly
different
View Able to view historical (scheduled) instances
of an object
Yes Yes
Schedule Able to schedule instances of an object Yes Yes
View on Demand Able to view and re-query live data on-
demand
Yes Yes
Full Control Able to change or delete an object Yes Yes
Advanced/Granular Rights
7
Rights Option Description XI R2 XI 3.x/BI 4.0
Granted The right is granted to a principal Yes Yes
Denied The right is explicitly denied to a principal Yes Yes
Not Specified The right is unspecified for a principal. By
default, rights set to Not Specified are
denied.
Yes Yes
Apply to Object The right applies to the object. This option
becomes available when you click Granted
or Denied.
No Yes
Apply to Sub-
Objects
The right applies to sub-objects. This option
becomes available when you click Granted
or Denied.
Yes Yes
Folder Inheritance
8
Global Rights
Object
Object
Object
Object
Top Level Folder
Subfolder
Subfolder
In XI 3.x and higher, global rights are set in
the Folders management area as “All Folders
Security”
In XI R2, global rights were set on the Rights
tab in the Settings management area
Slide courtesy of SAP
Group Inheritance
9 Slide courtesy of SAP
eFashion Sales Managers 2008
eFashion East eFashion South eFashion West
Barrett Richards Larry Leonard Bennett Steve
Breaking Inheritance
• Still possible in BI 4 and XI
3.x as it was in XI Release 2
• Can disable folder
inheritance, group
inheritance, or both
• May not be as necessary in
XI 3.x because of new scope
of rights features
10
Custom Access Levels
• New Central Management Console (CMC) feature in XI 3.x
• Can create new access levels or copy existing access levels
• Combines object rights (folder, report, etc.) and application rights
(BI Launchpad, Web Intelligence) into single access level
• Predefined rights levels (View, Schedule, View On Demand, Full
Control) cannot be altered
• Easier to manage than setting Advanced rights
11
Scope of Rights
• Scope of rights – New in XI 3.x, the ability to limit the extent of
rights inheritance (Apply to Object, Apply to Sub-Object)
• In SAP BusinessObjects Enterprise XI R2, the administrator was
forced to break inheritance when they wanted to give user rights
to child folders that were different to those given to the parent
folder
• In XI 3.x, rights are effective for both the parent object and the
child objects by default (same as XI R2). However …
12
Scope of Rights (cont.)
• With SAP BusinessObjects Enterprise XI 3.x and higher, the
administrator can now specify that a right set on a parent object
should apply to that object only
13
14
What We’ll Cover …
• Business Objects Security Basics
• Demonstration: Business Objects Security Basics
• Troubleshooting Your Security Model
• Best Practices
• Wrap-up
Demonstration: Business Objects Security
15
16
What We’ll Cover …
• Business Objects Security Basics
• Demonstration: Business Objects Security Basics
• Troubleshooting Your Security Model
• Best Practices
• Wrap-up
Permissions Explorer (Object-Centric)
• Use the Permissions Explorer to determine the rights a principal
has on an object
• Improvement upon Check User Rights button in XI Release 2
Check User Rights only identified the effective rights – The
source of the rights assignment was still unknown
• Available from any object (folder, document, universe,
connection, etc.) that can have rights assigned
17
Permissions Explorer
Permissions Explorer demo …
18
Security Query (User-Centric)
• Use Security Query to determine the objects to which a principal
has been granted or denied access
• Available from Users and Groups or Query Results
19
Security Query — Query Principal
Query Principal – The user or group that
you want to run the security query for. You
can specify one principal for each security
query.
20
Security Query — Query Permission
Query Permission – The right or rights you
want to run the security query for, the
status of these rights, and the object type
these rights are set on
21
Security Query — Query Context
Query Context –The CMC areas that you
want the security query to search. For
each area, you can choose whether to
include sub-objects in the security query.
A security query can have a maximum of
four areas.
Security Query demo …
22
23
What We’ll Cover …
• Business Objects Security Basics
• Demonstration: Business Objects Security Basics
• Troubleshooting Your Security Model
• Best Practices
• Wrap-up
Security Best Practices
• Grant rights to groups on folders
Although rights can be granted on individual objects or users,
the security model can become difficult to maintain
• Use pre-defined rights wherever possible
Understand the additional complexity that advanced rights can
introduce
• Avoid breaking inheritance while understanding that it is
sometimes necessary
• Add multiple users to Administrators group rather than sharing
Administrator user account to improve traceability
• Document and maintain your security structure outside of the
CMC – Microsoft Excel is a good choice
24
Security Best Practices (cont.)
• Allot time in your upgrade/migration for administrative staff to
understand both the new CMC interface/workflows as well as its
new features
• Use custom access levels where you would have previously
resorted to advanced rights
• Identify opportunities to limit the scope of rights instead of
breaking inheritance
• Take advantage of the Permissions Explorer and Security Query
tools to diagnose and correct security issues
25
26
What We’ll Cover …
• Business Objects Security Basics
• Demonstration: Business Objects Security Basics
• Troubleshooting Your Security Model
• Best Practices
• Wrap-up
Additional Resources
• Business Intelligence Platform Administrator Guide (SAP AG, October 2011).
http://help.sap.com/businessobject/product_guides/boexir4/en/xi4_bip_admin_en.pdf
• Business Intelligence Platform Upgrade Guide (SAP AG, April 2011).
http://help.sap.com/content/bobj/bi/business_intelligence_platform.htm
Scroll to SAP BusinessObjects Business Intelligence platform 4.0 Knowledge Center Installation, Upgrade, Deployment
• BusinessObjects 5/6 to XI 3.1 Migration Guide (SAP AG, September 2008).
http://help.sap.com/boe31
Scroll to Installation, Upgrade, Deployment Upgrade Guide BusinessObjects 5/6 to XI 3.1 Migration Guide
27
Relevant Education
28
• SAP BusinessObjects Business Intelligence:
Administration and Security 2 days - course code BOE310
• SAP BusinessObjects Business Intelligence:
Administering Servers 3 days - course code BOE320
• SAP BusinessObjects Business Intelligence: Designing
and Deploying a Solution 4 days - course code BOE330
Official SAP BusinessObjects curriculum is available onsite at your
location or at authorized education centers around the world
Official Product Tutorials on SCN
29 Visit www.sap.com/learnbi to access these free tutorials
30
7 Key Points to Take Home
• Leverage folder and group inheritance to simplify rights
administration
• Use Custom Access Levels to simplify rights administration
• Replace any Advanced Rights created in older versions with
Custom Access Levels
• Permissions Explorer is an object-centric way to view security
• Security Query is a user-centric way to view security
• Review the free tutorials for Central Management Console on
SAP SCN site
• Document and maintain your security structure outside of the
CMC – Microsoft Excel is a good choice
This document is a result of using our specialized expertise and contains intellectual ideas prepared solely for your use. This document represents valuable work by Kalvin Consulting and may not be disseminated to any external entity without the prior written consent of Kalvin Consulting .
32
TEAM AT KALVIN
One of the Largest W2 Staff Specializing in BI
We have 39 W-2 consultants on staff.
16 Business Objects certified consultants.
16 ex-Business Objects consultants with
experience at clients on BOBJ Global services
engagements. (We have a sub-contracting
relationship with Business Objects/SAP).
We pride ourselves on delivery and exceeding
our customer’s expectations.
Dedicated Project Management Office to
oversee the project deliverables and client
expectations
Repository of documentation as part of business
continuity plan for clients, project and
consultants
Focus on Long Term Partnership
Kalvin believes each client is unique and
leverages best practices and customizes a
solution that is successful for our customer’s
organization.
Build strong and long-lasting relationships
with clients and partners by creating a
productive work environment that
encourages innovation and great attitudes.
Kalvin believes in investing our time to
ensure
YOUR BI success.
Customer satisfaction/success is our #1
priority.
Kalvin believes through your BI
success will Kalvin be successful.
“Best of Breed” solution provider for Business
Intelligence and Data Warehousing Mission
Vision
Creating intelligent data to power an
intelligent world
To partner with you to create intelligent data
that will empower your business to:
Maximize operational performance
Increase not just revenue but profit
Help identify and serve your clients better
This document is a result of using our specialized expertise and contains intellectual ideas prepared solely for your use. This document represents valuable work by Kalvin Consulting and may not be disseminated to any external entity without the prior written consent of Kalvin Consulting .
33
Core Competencies
Kalvin is an expert in Application development
Java/J2EE enterprise solutions .NET Solutions Customized solutions using Java, .NET, Web services , SDK
Infrastructure and Best Practices SAP BW integration Business Object architecture, center of excellence and Implementation OBIEE Architecture and Implementations Cognos architecture and implementation
Data Integration Data warehouse/Data mart design and implementation using Kimball or Inmon methodology Master data Management Data governance ETL using Data Integrator, Informatica, Data Stage & PL/SQL Data Quality & Data cleansing
SAP BW End to end BW & BOBJ solution design and implementation Complete documentation of BW transport documents and technical content
SAP NetWeaver BI Upgrades and implementation, toolsets and authorization Advanced ABAP design and code solutions SAP R/3 Data Analysis, extraction, custom extractor design and implementation
This document is a result of using our specialized expertise and contains intellectual ideas prepared solely for your use. This document represents valuable work by Kalvin Consulting and may not be disseminated to any external entity without the prior written consent of Kalvin Consulting .
34
Kalvin specializes and is an expert in Reporting & Dashboards
SAP Business Objects SAP BW as a data source Reporting, Analytics & executive dashboards (WebI, crystal, Xcelsius, Predictive Workbench etc.) BO mobile Sharepoint integration
Descriptive Analytics (What?) Data Mining and Pattern Recognition Clustering and Segmentations Decision Trees
Predictive Analytics (Why? and What Next?) Marketing Mix Modeling and Demand Forecasting Promotion/Price/Product/Campaign/Operational Effectiveness Customer Behavior/Attrition Predictive Modeling
Training SAP Certified - BI 4.0 SAP Certified - BI 3.0/3.1 E-learning Mentor/Knowledge Transfer
Core Competencies Contd…
This document is a result of using our specialized expertise and contains intellectual ideas prepared solely for your use. This document represents valuable work by Kalvin Consulting and may not be disseminated to any external entity without the prior written consent of Kalvin Consulting .
Capabilities Matrix
35 35
Services
SAP BW & Enterprise Data Warehouse (Oracle, dB2, SQL) X X X X X X X
ETL (SAP Data Services, IBM DataStage, Informatica) X X X X X X X X
Custom Report Portals (WebSphere, SharePoint, Weblogic) X X X X X
Enterprise BI Platforms (SAP Business Objects, IBM Cognos)
X X X X X X X
Reporting and Dashboards X X X X X X X X
Predictive Analytics (IBM SPSS, SAS, R) X X X X X X
Descriptive Analytics (IBM SPSS, SAS, R) X X X X X X
This document is a result of using our specialized expertise and contains intellectual ideas prepared solely for your use. This document represents valuable work by Kalvin Consulting and may not be disseminated to any external entity without the prior written consent of Kalvin Consulting .
36
Behavioral Data EMR / Clinical Data Attitudinal/Research Market Research Psychographics Macro economics Data Integration Data mart /Data models ETL/Data warehousing
Who are my core customers and how do the behave?
What drives their behavior?
Can I predict change? Segmentation (Value,
lifestyle) Promotion Impact
/Marketing Mix Predictive Analysis
Brand Loyalty Promotion scorecard
Customer 1st KPI’s (Key Drivers) Risk Scorecard Loyalty Promotion
Loyalty Programs One to one customer
communication Technology(RFID, POS,
Mobile, Location based) Surprise and Delight
ACTIVATION
STRATEGY
INTELLIGENT REPORTING
BUSINESS / ANALYTICAL INSIGHTS
INTELLIGENT DATA MODELING
Kalvin’s holistic approach to your BI needs – we start with data foundation to delivering strategic insights to further activating upon your quintessential customers.
Kalvin Business Solution
Activation
Strategy
Intelligent Business Reporting
Business Analytics
Intelligent Data
8573 Mason-Montgomery Road Mason, OH 45040 P: (513) 492-9120 F: (513) 492-9122
http://www.facebook.com/kalvinconsulting
http://twitter.com/kalvinsoft
http://www.linkedin.com/company/kalvinsoft
38
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG
in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective
companies. Wellesley Information Services is neither owned nor controlled by SAP.