4965kalvin dallas marks bi2012 sap businessobjects security (1)

A Comprehensive Introduction to the Business Objects BI Security Model

Dallas Marks, Kalvin Consulting

© 2012 Wellesley Information Services. All rights reserved.


About Dallas Marks

• Dallas is an SAP Certified Application Associate and authorized trainer for Web Intelligence, Information Design Tool, Universe Design Tool, Dashboards (formerly Xcelsius), and SAP BusinessObjects Business Intelligence administration. A seasoned consultant and speaker, Dallas has worked with SAP BusinessObjects tools since 2003 and presented at the North American conference each year since 2006. This is Dallas’ first appearance at an SAP Insider event.
• Dallas has implemented SAP BusinessObjects solutions for a number of industries, including retail, energy, health care, and manufacturing. He holds a master’s degree in Computer Engineering from the University of Cincinnati.
• Dallas blogs about various business intelligence topics at http://www.dallasmarks.org/. You can follow him on Twitter at @dallasmarks.

In This Session …

• In this presentation, learn how the Business Objects security model works
• Leverage features such as inheritance, scope of rights, and custom access levels to secure the business intelligence system while reducing overall complexity and maintenance
• Techniques will be demonstrated using SAP BusinessObjects Business Intelligence 4.0 that are also applicable to SAP BusinessObjects Edge BI 4.0 and previous releases of SAP BusinessObjects Enterprise (XI R2 and XI 3.x)

What We’ll Cover …

• Business Objects Security Basics

• Demonstration: Business Objects Security Basics

• Troubleshooting Your Security Model

• Best Practices

• Wrap-up

Does Security Setup Make You Angry?

Image courtesy of Sardonic Salad, used with permission

Terminology

• Principal – A user or group
• Rights override – A rights behavior in which rights that are set on child objects override the rights set on parent objects
• General Global Rights – Access rights enforced regardless of content type
• Content Specific Rights – Access rights unique to content type (Crystal Report, Web Intelligence, etc.)

Predefined Rights

| Rights Level | Description | XI R2 | XI 3.x/BI 4.0 |
|---|---|---|---|
| No Access | Unable to access an object (default) | Yes | Slightly different |
| View | Able to view historical (scheduled) instances of an object | Yes | Yes |
| Schedule | Able to schedule instances of an object | Yes | Yes |
| View on Demand | Able to view and re-query live data on-demand | Yes | Yes |
| Full Control | Able to change or delete an object | Yes | Yes |

Advanced/Granular Rights

| Rights Option | Description | XI R2 | XI 3.x/BI 4.0 |
|---|---|---|---|
| Granted | The right is granted to a principal | Yes | Yes |
| Denied | The right is explicitly denied to a principal | Yes | Yes |
| Not Specified | The right is unspecified for a principal. By default, rights set to Not Specified are denied. | Yes | Yes |
| Apply to Object | The right applies to the object. This option becomes available when you click Granted or Denied. | No | Yes |
| Apply to Sub-Objects | The right applies to sub-objects. This option becomes available when you click Granted or Denied. | Yes | Yes |

Folder Inheritance

[Diagram labels: Global Rights, Top Level Folder, Subfolder, Object]

• In XI 3.x and higher, global rights are set in the Folders management area as “All Folders Security”
• In XI R2, global rights were set on the Rights tab in the Settings management area

Slide courtesy of SAP

Group Inheritance

[Diagram labels, top to bottom:]

eFashion Sales Managers 2008

eFashion East eFashion South eFashion West

Barrett Richards Larry Leonard Bennett Steve

Slide courtesy of SAP

Breaking Inheritance

• Still possible in BI 4 and XI 3.x as it was in XI Release 2
• Can disable folder inheritance, group inheritance, or both
• May not be as necessary in XI 3.x because of new scope of rights features

Custom Access Levels

• New Central Management Console (CMC) feature in XI 3.x
• Can create new access levels or copy existing access levels
• Combines object rights (folder, report, etc.) and application rights (BI Launchpad, Web Intelligence) into single access level
• Predefined rights levels (View, Schedule, View On Demand, Full Control) cannot be altered
• Easier to manage than setting Advanced rights

Scope of Rights

• Scope of rights – New in XI 3.x, the ability to limit the extent of rights inheritance (Apply to Object, Apply to Sub-Object)
• In SAP BusinessObjects Enterprise XI R2, the administrator was forced to break inheritance when they wanted to give user rights to child folders that were different to those given to the parent folder
• In XI 3.x, rights are effective for both the parent object and the child objects by default (same as XI R2). However …

Scope of Rights (cont.)

• With SAP BusinessObjects Enterprise XI 3.x and higher, the administrator can now specify that a right set on a parent object should apply to that object only
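The folder inheritance, rights override, and scope-of-rights behaviour described on the preceding slides, as an added example that is not part of the original presentation and is not SAP code: a simplified Python model that resolves one right for a principal and reports where the result came from. The folder, document and user names, the group memberships, treating a user's groups as one flat set, and the tie-break in which Denied beats Granted on the same object are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

GRANTED, DENIED = "Granted", "Denied"    # "Not Specified" = no assignment at all

@dataclass
class Assignment:
    principal: str
    right: str
    state: str
    apply_to_object: bool = True         # scope-of-rights check boxes
    apply_to_sub_objects: bool = True

@dataclass
class Node:                              # a folder or a document
    name: str
    parent: Optional["Node"] = None
    rights: list = field(default_factory=list)
    folder_inheritance: bool = True      # False = inheritance broken here

def effective(node, principals, right):
    """Return (state, source) of `right` on `node` for a user plus groups."""
    current, is_target = node, True
    while current is not None:
        hits = [a for a in current.rights
                if a.principal in principals and a.right == right
                and (a.apply_to_object if is_target else a.apply_to_sub_objects)]
        if hits:  # nearest assignment wins: child overrides parent
            denied = any(a.state == DENIED for a in hits)  # assumed tie-break
            return (DENIED if denied else GRANTED), current.name
        if not current.folder_inheritance:
            break
        current, is_target = current.parent, False
    return DENIED, "Not Specified"       # unspecified rights are denied

def demo():
    # Constructed tree and memberships; group names are borrowed from the
    # Group Inheritance slide, everything else is hypothetical.
    root = Node("All Folders")
    sales = Node("Sales", root)
    east = Node("East", sales)
    report = Node("East Q1 report", east)
    payroll = Node("East payroll", east)
    managers, east_grp = "eFashion Sales Managers 2008", "eFashion East"
    # Parent-only grant: managers can open Sales but nothing below it.
    sales.rights.append(Assignment(managers, "View", GRANTED,
                                   apply_to_sub_objects=False))
    # Subfolder grant that flows down to the documents inside East.
    east.rights.append(Assignment(east_grp, "View", GRANTED))
    # Explicit denial on one document overrides the folder grant.
    payroll.rights.append(Assignment(east_grp, "View", DENIED))
    manager_only = {"user_a", managers}
    east_member = {"user_b", managers, east_grp}
    return {
        "mgr_sales": effective(sales, manager_only, "View"),
        "mgr_report": effective(report, manager_only, "View"),
        "east_report": effective(report, east_member, "View"),
        "east_payroll": effective(payroll, east_member, "View"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The second element of each result plays the role the Permissions Explorer plays in the CMC: it names the object whose assignment produced the effective right.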


Demonstration: Business Objects Security


Permissions Explorer (Object-Centric)

• Use the Permissions Explorer to determine the rights a principal has on an object
• Improvement upon Check User Rights button in XI Release 2
  Check User Rights only identified the effective rights – The source of the rights assignment was still unknown
• Available from any object (folder, document, universe, connection, etc.) that can have rights assigned

Permissions Explorer

Permissions Explorer demo …


Security Query (User-Centric)

• Use Security Query to determine the objects to which a principal has been granted or denied access
• Available from Users and Groups or Query Results

Security Query — Query Principal

Query Principal – The user or group that you want to run the security query for. You can specify one principal for each security query.

Security Query — Query Permission

Query Permission – The right or rights you want to run the security query for, the status of these rights, and the object type these rights are set on

Security Query — Query Context

Query Context – The CMC areas that you want the security query to search. For each area, you can choose whether to include sub-objects in the security query. A security query can have a maximum of four areas.

Security Query demo …


Security Best Practices

• Grant rights to groups on folders
  Although rights can be granted on individual objects or users, the security model can become difficult to maintain
• Use pre-defined rights wherever possible
  Understand the additional complexity that advanced rights can introduce
• Avoid breaking inheritance while understanding that it is sometimes necessary
• Add multiple users to Administrators group rather than sharing Administrator user account to improve traceability
• Document and maintain your security structure outside of the CMC – Microsoft Excel is a good choice

Security Best Practices (cont.)

• Allot time in your upgrade/migration for administrative staff to understand both the new CMC interface/workflows as well as its new features
• Use custom access levels where you would have previously resorted to advanced rights
• Identify opportunities to limit the scope of rights instead of breaking inheritance
• Take advantage of the Permissions Explorer and Security Query tools to diagnose and correct security issues


Additional Resources

• Business Intelligence Platform Administrator Guide (SAP AG, October 2011).
  http://help.sap.com/businessobject/product_guides/boexir4/en/xi4_bip_admin_en.pdf
• Business Intelligence Platform Upgrade Guide (SAP AG, April 2011).
  http://help.sap.com/content/bobj/bi/business_intelligence_platform.htm
  Scroll to SAP BusinessObjects Business Intelligence platform 4.0 Knowledge Center Installation, Upgrade, Deployment
• BusinessObjects 5/6 to XI 3.1 Migration Guide (SAP AG, September 2008).
  http://help.sap.com/boe31
  Scroll to Installation, Upgrade, Deployment Upgrade Guide BusinessObjects 5/6 to XI 3.1 Migration Guide

Relevant Education

• SAP BusinessObjects Business Intelligence: Administration and Security (2 days, course code BOE310)
• SAP BusinessObjects Business Intelligence: Administering Servers (3 days, course code BOE320)
• SAP BusinessObjects Business Intelligence: Designing and Deploying a Solution (4 days, course code BOE330)

Official SAP BusinessObjects curriculum is available onsite at your location or at authorized education centers around the world

Official Product Tutorials on SCN

Visit www.sap.com/learnbi to access these free tutorials

7 Key Points to Take Home

• Leverage folder and group inheritance to simplify rights administration
• Use Custom Access Levels to simplify rights administration
• Replace any Advanced Rights created in older versions with Custom Access Levels
• Permissions Explorer is an object-centric way to view security
• Security Query is a user-centric way to view security
• Review the free tutorials for Central Management Console on SAP SCN site
• Document and maintain your security structure outside of the CMC – Microsoft Excel is a good choice

Your Turn!

How to contact me:

Dallas Marks

[email protected]

This document is a result of using our specialized expertise and contains intellectual ideas prepared solely for your use. This document represents valuable work by Kalvin Consulting and may not be disseminated to any external entity without the prior written consent of Kalvin Consulting.

TEAM AT KALVIN

One of the Largest W2 Staff Specializing in BI

• We have 39 W-2 consultants on staff.
• 16 Business Objects certified consultants.
• 16 ex-Business Objects consultants with experience at clients on BOBJ Global services engagements. (We have a sub-contracting relationship with Business Objects/SAP).
• We pride ourselves on delivery and exceeding our customer’s expectations.
• Dedicated Project Management Office to oversee the project deliverables and client expectations
• Repository of documentation as part of business continuity plan for clients, project and consultants

Focus on Long Term Partnership

• Kalvin believes each client is unique and leverages best practices and customizes a solution that is successful for our customer’s organization.
• Build strong and long-lasting relationships with clients and partners by creating a productive work environment that encourages innovation and great attitudes.
• Kalvin believes in investing our time to ensure YOUR BI success.
• Customer satisfaction/success is our #1 priority.
• Kalvin believes through your BI success will Kalvin be successful.

“Best of Breed” solution provider for Business Intelligence and Data Warehousing

Mission

Vision

Creating intelligent data to power an intelligent world

To partner with you to create intelligent data that will empower your business to:

• Maximize operational performance
• Increase not just revenue but profit
• Help identify and serve your clients better

Core Competencies

Kalvin is an expert in Application development

Java/J2EE enterprise solutions .NET Solutions Customized solutions using Java, .NET, Web services , SDK

Infrastructure and Best Practices SAP BW integration Business Object architecture, center of excellence and Implementation OBIEE Architecture and Implementations Cognos architecture and implementation

Data Integration Data warehouse/Data mart design and implementation using Kimball or Inmon methodology Master data Management Data governance ETL using Data Integrator, Informatica, Data Stage & PL/SQL Data Quality & Data cleansing

SAP BW End to end BW & BOBJ solution design and implementation Complete documentation of BW transport documents and technical content

SAP NetWeaver BI Upgrades and implementation, toolsets and authorization Advanced ABAP design and code solutions SAP R/3 Data Analysis, extraction, custom extractor design and implementation


Kalvin specializes and is an expert in Reporting & Dashboards

SAP Business Objects SAP BW as a data source Reporting, Analytics & executive dashboards (WebI, crystal, Xcelsius, Predictive Workbench etc.) BO mobile Sharepoint integration

Descriptive Analytics (What?) Data Mining and Pattern Recognition Clustering and Segmentations Decision Trees

Predictive Analytics (Why? and What Next?) Marketing Mix Modeling and Demand Forecasting Promotion/Price/Product/Campaign/Operational Effectiveness Customer Behavior/Attrition Predictive Modeling

Training SAP Certified - BI 4.0 SAP Certified - BI 3.0/3.1 E-learning Mentor/Knowledge Transfer

Core Competencies Contd…


Capabilities Matrix

Services

• SAP BW & Enterprise Data Warehouse (Oracle, DB2, SQL)
• ETL (SAP Data Services, IBM DataStage, Informatica)
• Custom Report Portals (WebSphere, SharePoint, Weblogic)
• Enterprise BI Platforms (SAP Business Objects, IBM Cognos)
• Reporting and Dashboards
• Predictive Analytics (IBM SPSS, SAS, R)
• Descriptive Analytics (IBM SPSS, SAS, R)

Kalvin Business Solution

Kalvin’s holistic approach to your BI needs – we start with data foundation to delivering strategic insights to further activating upon your quintessential customers.

[Diagram layers: Activation; Strategy; Intelligent Reporting; Business / Analytical Insights; Intelligent Data Modeling]

[Diagram text:]

• Behavioral Data EMR / Clinical Data Attitudinal/Research Market Research Psychographics Macro economics Data Integration Data mart /Data models ETL/Data warehousing
• Who are my core customers and how do they behave? What drives their behavior? Can I predict change?
• Segmentation (Value, lifestyle) Promotion Impact /Marketing Mix Predictive Analysis
• Brand Loyalty Promotion scorecard Customer 1st KPI’s (Key Drivers) Risk Scorecard Loyalty Promotion
• Loyalty Programs One to one customer communication Technology (RFID, POS, Mobile, Location based) Surprise and Delight

8573 Mason-Montgomery Road, Mason, OH 45040

P: (513) 492-9120

F: (513) 492-9122

[email protected]

http://www.facebook.com/kalvinconsulting

http://twitter.com/kalvinsoft

http://www.linkedin.com/company/kalvinsoft


Disclaimer

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.