A Comprehensive Introduction to the Business Objects BI Security Model

Dallas Marks Kalvin Consulting

2012 Wellesley Information Services. All rights reserved.

About Dallas Marks

Dallas is an SAP Certified Application Associate and authorized trainer for Web Intelligence, Information Design Tool, Universe Design Tool, Dashboards (formerly Xcelsius), and SAP BusinessObjects Business Intelligence administration. A seasoned consultant and speaker, Dallas has worked with SAP BusinessObjects tools since 2003 and presented at the North American conference each year since 2006. This is Dallas first appearance at an SAP Insider event. Dallas has implemented SAP BusinessObjects solutions for a number of industries, including retail, energy, health care, and manufacturing. He holds a masters degree in Computer Engineering from the University of Cincinnati. Dallas blogs about various business intelligence topics at http://www.dallasmarks.org/. You can follow him on Twitter at @dallasmarks. 1

In This Session

In this presentation, learn how the Business Objects security model works Leverage features such as inheritance, scope of rights, and custom access levels to secure the business intelligence system while reducing overall complexity and maintenance Techniques will be demonstrated using SAP BusinessObjects Business Intelligence 4.0 that are also applicable to SAP BusinessObjects Edge BI 4.0 and previous releases of SAP BusinessObjects Enterprise (XI R2 and XI 3.x)

What Well Cover

Business Objects Security Basics Demonstration: Business Objects Security Basics Troubleshooting Your Security Model Best Practices Wrap-up

Does Security Setup Make You Angry?

Image courtesy of Sardonic Salad, used with permission

Terminology

Principal A user or group Rights override A rights behavior in which rights that are set on child objects override the rights set on parent objects General Global Rights Access rights enforced regardless of content type Content Specific Rights Access rights unique to content type (Crystal Report, Web Intelligence, etc.)

Predefined Rights

Rights Level
No Access View Schedule

Description
Unable to access an object (default) Able to view historical (scheduled) instances of an object Able to schedule instances of an object

XI R2 XI 3.x/BI 4.0
Yes Yes Yes Yes Yes Slightly different Yes Yes Yes Yes

View on Demand Able to view and re-query live data ondemand Full Control Able to change or delete an object

Advanced/Granular Rights

Rights Option Description

Granted
Denied Not Specified

XI R2 XI 3.x/BI 4.0
Yes
Yes Yes

The right is granted to a principal

The right is explicitly denied to a principal The right is unspecified for a principal. By default, rights set to Not Specified are denied. The right applies to the object. This option becomes available when you click Granted or Denied. The right applies to sub-objects. This option becomes available when you click Granted or Denied.

Yes
Yes Yes

Apply to Object

No

Yes

Apply to SubObjects

Yes

Yes

Folder Inheritance

Global Rights

Top Level Folder

Object

Subfolder Object

Subfolder Object

In XI 3.x and higher, global rights are set in the Folders management area as All Folders Security In XI R2, global rights were set on the Rights tab in the Settings management area

Object

Slide courtesy of SAP

Group Inheritance

eFashion Sales Managers 2008

eFashion East

eFashion South

eFashion West

Barrett

Richards

Larry

Leonard

Bennett

Steve

Slide courtesy of SAP

Breaking Inheritance

Still possible in BI 4 and XI 3.x as it was in XI Release 2 Can disable folder inheritance, group inheritance, or both May not be as necessary in XI 3.x because of new scope of rights features

10

Custom Access Levels

New Central Management Console (CMC) feature in XI 3.x Can create new access levels or copy existing access levels Combines object rights (folder, report, etc.) and application rights (BI Launchpad, Web Intelligence) into single access level Predefined rights levels (View, Schedule, View On Demand, Full Control) cannot be altered Easier to manage than setting Advanced rights

11

Scope of Rights

Scope of rights New in XI 3.x, the ability to limit the extent of rights inheritance (Apply to Object, Apply to Sub-Object) In SAP BusinessObjects Enterprise XI R2, the administrator was forced to break inheritance when they wanted to give user rights to child folders that were different to those given to the parent folder In XI 3.x, rights are effective for both the parent object and the child objects by default (same as XI R2). However

12

Scope of Rights (cont.)

With SAP BusinessObjects Enterprise XI 3.x and higher, the administrator can now specify that a right set on a parent object should apply to that object only

13

What Well Cover

Business Objects Security Basics Demonstration: Business Objects Security Basics Troubleshooting Your Security Model Best Practices Wrap-up

14

Demonstration: Business Objects Security

15

What Well Cover

Business Objects Security Basics Demonstration: Business Objects Security Basics Troubleshooting Your Security Model Best Practices Wrap-up

16

Permissions Explorer (Object-Centric)

Use the Permissions Explorer to determine the rights a principal has on an object Improvement upon Check User Rights button in XI Release 2 Check User Rights only identified the effective rights The source of the rights assignment was still unknown Available from any object (folder, document, universe, connection, etc.) that can have rights assigned

17

Permissions Explorer

Permissions Explorer demo

18

Security Query (User-Centric)

Use Security Query to determine the objects to which a principal has been granted or denied access Available from Users and Groups or Query Results

19

Security Query Query Principal

Query Principal The user or group that you want to run the security query for. You can specify one principal for each security query.

20

Security Query Query Permission

Query Permission The right or rights you want to run the security query for, the status of these rights, and the object type these rights are set on
21

Security Query Query Context Query Context The CMC areas that you want the security query to search. For each area, you can choose whether to include sub-objects in the security query. A security query can have a maximum of four areas. Security Query demo

22

What Well Cover

Business Objects Security Basics Demonstration: Business Objects Security Basics Troubleshooting Your Security Model Best Practices Wrap-up

23

Security Best Practices

Grant rights to groups on folders Although rights can be granted on individual objects or users, the security model can become difficult to maintain Use pre-defined rights wherever possible Understand the additional complexity that advanced rights can introduce Avoid breaking inheritance while understanding that it is sometimes necessary Add multiple users to Administrators group rather than sharing Administrator user account to improve traceability Document and maintain your security structure outside of the CMC Microsoft Excel is a good choice

24

Security Best Practices (cont.)

Allot time in your upgrade/migration for administrative staff to understand both the new CMC interface/workflows as well as its new features Use custom access levels where you would have previously resorted to advanced rights Identify opportunities to limit the scope of rights instead of breaking inheritance Take advantage of the Permissions Explorer and Security Query tools to diagnose and correct security issues

25

What Well Cover

Business Objects Security Basics Demonstration: Business Objects Security Basics Troubleshooting Your Security Model Best Practices Wrap-up

26

Additional Resources

Business Intelligence Platform Administrator Guide (SAP AG, October 2011). http://help.sap.com/businessobject/product_guides/boexir4/en/xi4 _bip_admin_en.pdf Business Intelligence Platform Upgrade Guide (SAP AG, April 2011). http://help.sap.com/content/bobj/bi/business_intelligence_platform .htm Scroll to SAP BusinessObjects Business Intelligence platform 4.0 Knowledge Center Installation, Upgrade, Deployment BusinessObjects 5/6 to XI 3.1 Migration Guide (SAP AG, September 2008). http://help.sap.com/boe31 Scroll to Installation, Upgrade, Deployment Upgrade Guide BusinessObjects 5/6 to XI 3.1 Migration Guide
27

Relevant Education

SAP BusinessObjects Business Intelligence: Administration and Security

2 days - course code BOE310

SAP BusinessObjects Business Intelligence: Administering Servers

3 days - course code BOE320

SAP BusinessObjects Business Intelligence: Designing and Deploying a Solution

4 days - course code BOE330

Official SAP BusinessObjects curriculum is available onsite at your location or at authorized education centers around the world

28

Official Product Tutorials on SCN

Visit www.sap.com/learnbi to access these free tutorials

29

7 Key Points to Take Home

Leverage folder and group inheritance to simplify rights administration Use Custom Access Levels to simplify rights administration Replace any Advanced Rights created in older versions with Custom Access Levels Permissions Explorer is an object-centric way to view security Security Query is a user-centric way to view security Review the free tutorials for Central Management Console on SAP SCN site Document and maintain your security structure outside of the CMC Microsoft Excel is a good choice

30

Your Turn!

How to contact me: Dallas Marks dallas@kalvinsoft.com

31

TEAM AT KALVIN
Mission
To partner with you to create intelligent data that will empower your business to:
Maximize operational performance Increase not just revenue but profit Help identify and serve your clients better

Best of Breed solution provider for Business Intelligence and Data Warehousing

Vision
Creating intelligent data to power an intelligent world

One of the Largest W2 Staff Specializing in BI

We have 39 W-2 consultants on staff. 16 Business Objects certified consultants. 16 ex-Business Objects consultants with experience at clients on BOBJ Global services engagements. (We have a sub-contracting relationship with Business Objects/SAP). We pride ourselves on delivery and exceeding our customers expectations. Dedicated Project Management Office to oversee the project deliverables and client expectations Repository of documentation as part of business continuity plan for clients, project and consultants

Focus on Long Term Partnership

Kalvin believes each client is unique and leverages best practices and customizes a solution that is successful for our customers organization. Build strong and long-lasting relationships with clients and partners by creating a productive work environment that encourages innovation and great attitudes. Kalvin believes in investing our time to ensure YOUR BI success. Customer satisfaction/success is our #1 priority. Kalvin believes through your BI success will Kalvin be successful.
32

This document is a result of using our specialized expertise and contains intellectual ideas prepared solely for your use. This document represents valuable work by Kalvin Consulting and may not be disseminated to any external entity without the prior written consent of Kalvin Consulting .

Core Competencies
Kalvin is an expert in Application development
Java/J2EE enterprise solutions .NET Solutions Customized solutions using Java, .NET, Web services , SDK

Infrastructure and Best Practices

SAP BW integration Business Object architecture, center of excellence and Implementation OBIEE Architecture and Implementations Cognos architecture and implementation

Data Integration
Data warehouse/Data mart design and implementation using Kimball or Inmon methodology Master data Management Data governance ETL using Data Integrator, Informatica, Data Stage & PL/SQL Data Quality & Data cleansing

SAP BW
End to end BW & BOBJ solution design and implementation Complete documentation of BW transport documents and technical content

SAP
NetWeaver BI Upgrades and implementation, toolsets and authorization Advanced ABAP design and code solutions SAP R/3 Data Analysis, extraction, custom extractor design and implementation
This document is a result of using our specialized expertise and contains intellectual ideas prepared solely for your use. This document represents valuable work by Kalvin Consulting and may not be disseminated to any external entity without the prior written consent of Kalvin Consulting .

33

Core Competencies
Kalvin specializes and is an expert in Reporting & Dashboards

Contd

SAP Business Objects SAP BW as a data source Reporting, Analytics & executive dashboards (WebI, crystal, Xcelsius, Predictive Workbench etc.) BO mobile Sharepoint integration

Descriptive Analytics (What?)

Data Mining and Pattern Recognition Clustering and Segmentations Decision Trees

Predictive Analytics (Why? and What Next?)

Marketing Mix Modeling and Demand Forecasting Promotion/Price/Product/Campaign/Operational Effectiveness Customer Behavior/Attrition Predictive Modeling

Training
SAP Certified - BI 4.0 SAP Certified - BI 3.0/3.1 E-learning Mentor/Knowledge Transfer

This document is a result of using our specialized expertise and contains intellectual ideas prepared solely for your use. This document represents valuable work by Kalvin Consulting and may not be disseminated to any external entity without the prior written consent of Kalvin Consulting .

34

Capabilities Matrix

Services
SAP BW & Enterprise Data Warehouse (Oracle, dB2, SQL) ETL (SAP Data Services, IBM DataStage, Informatica) Custom Report Portals (WebSphere, SharePoint, Weblogic) Enterprise BI Platforms (SAP Business Objects, IBM Cognos) Reporting and Dashboards Predictive Analytics (IBM SPSS, SAS, R) Descriptive Analytics (IBM SPSS, SAS, R) X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X

This document is a result of using our specialized expertise and contains intellectual ideas prepared solely for your use. This document represents valuable work by Kalvin Consulting and may not be disseminated to any external entity without the prior written consent of Kalvin Consulting .

35

Kalvin Business Solution

Kalvins holistic approach to your BI needs we start with data foundation to delivering strategic insights to further activating upon your quintessential customers.
Behavioral Data EMR / Clinical Data Attitudinal/Research Market Research Psychographics Macro economics Data Integration Data mart /Data models ETL/Data warehousing Loyalty Programs One to one customer communication Technology(RFID, POS, Mobile, Location based) Surprise and Delight

Activation ACTIVATION
Brand Loyalty Promotion scorecard

Customer 1st KPIs (Key Drivers) Risk Scorecard Loyalty Promotion

Strategy STRATEGY Intelligent Business Reporting INTELLIGENT REPORTING

Business Analytics BUSINESS / ANALYTICAL INSIGHTS

Intelligent Data INTELLIGENT DATA MODELING

Who are my core customers and how do the behave? What drives their behavior? Can I predict change? Segmentation (Value, lifestyle) Promotion Impact /Marketing Mix Predictive Analysis

This document is a result of using our specialized expertise and contains intellectual ideas prepared solely for your use. This document represents valuable work by Kalvin Consulting and may not be disseminated to any external entity without the prior written consent of Kalvin Consulting .

36

8573 MasonMontgomery Road Mason, OH 45040 P: (513) 492-9120 F: (513) 492-9122 contact@kalvinsoft.com

http://twitter.com/kalvinsoft http://www.facebook.com/kalvinconsulting http://www.linkedin.com/company/kalvinsoft

Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.

38