- Information Services | The University of...

<V1.0>

This guidance document sets out how to manage users, groups and folders within the BusinessObjects XI application. It is targeted towards BOXI administrators in business areas and within Applications Division.

These training materials can be used as-is to deliver a tutor led course, or may be copied and adapted by members of the University in order to produce more business area specific training and guidance.

Managing Users, Groups & Folders

Course Outline

BusinessObjects XI –Devolved Administration

Managing Users, Groups and Folders

of 20


Introduction.............................................................................................................................................. 3

Definitions................................................................................................................................................ 3

1. Accessing the Central Management Console (CMC)...................................................................5

2. Managing Users............................................................................................................................... 6

2.1 Creating Users................................................................................................................................. 6

2.2 Assigning Users to Groups...............................................................................................................8

2.3 Disabling a User Account.................................................................................................................9

3. Folders.................................................................................................................................................. 9

3.1 Top-Level Folders............................................................................................................................ 9

3.2 Creating Sub-Folders..................................................................................................................... 10

3.3 Assigning Groups to Folders..........................................................................................................11

4. Managing Groups.............................................................................................................................. 12

4.1 Understanding Groups................................................................................................................... 12

4.2 Creating Groups............................................................................................................................. 13

4.3 Defining sub-groups....................................................................................................................... 13

4.4 Adding Users to Groups................................................................................................................. 14

4.5 Devolved Administrators Group......................................................................................................14

5. Managing universes...................................................................................................................... 15

Appendix 1.............................................................................................................................................. 16

1.1 Predefined Access Levels - Definitions..........................................................................................16

1.2 Advanced Rights given to a group for a folder................................................................................17

of 20


Introduction

This document sets out how to manage users, groups and folders within the BusinessObjects XI (BOXI) application. It is targeted towards BOXI administrators in business areas and within Applications Division.

Definitions

BusinessObjects XI:BOXI comprises a number of different web-based applications:

o InfoView – an interactive browser-based reporting application which enables users to view and schedule pre-written reports. Available as a channel in MyEd called “BusinessObjects Reporting”.

o Web Intelligence (Webi) – an interactive browser-based reporting application, accessible only from the InfoView application, which provides additional functionality to InfoView, e.g. allows users to create and edit existing reports.

o Central Management Console (CMC) – an interactive browser-based administrative application which allows administrators to create and manage users, folders, categories and groups. Available as a channel in MyEd called “BusinessObjects Administration”.

User:A BOXI user account must be created for every person who wishes to use BOXI. In addition, in order to access InfoView, a user must have an EASE account as access to InfoView is via EASE using single sign on.

Administrators are able to set up and manage user accounts for people in their own business area who wish to use BOXI.

Folder: Folders store documents (also known as objects or reports) and are used to organize documents in much the same way as Windows folders. Documents are published to folders via the InfoView application and access to folders is controlled by assigning groups to folders, e.g. all documents in the HR > PPIPMI folder can only be seen by users in those groups which have been assigned to the HR > PPIPMI folder.

Administrators are able to create sub-folders, assign groups to sub-folders and delete sub-folders.

Group:A group is a collection of users to which a set of rights is applied – this simplifies managing permissions for a number of users as they can be applied and modified just once (i.e. to the group) rather than for each user account.

of 20


Administrators are able to create new groups, create subgroups and assign users to groups.

Devolved Administrator:The management of users, folders, categories and groups is devolved to specific users in each UoE business area, thereby reducing the administrative burden on Applications Division and giving business areas the flexibility to tailor a configuration to suit their own needs.

Overview of Group-based Security:The following diagram summarises the relationships between users groups and folders:

Figure 1: Relationships between users, groups and folders

Security is implemented via groups – a user is placed into a group and groups are assigned rights to folders. The user has access to the folders based on the group rights. This means that:

1. Users must be created using the default rights, and no manual changes should ever be made to the rights of an individual user.

2. Users must not be given rights to folders directly.

of 20

User Belongs to Group

Folder

Granted rights on

Has access to (via group rights)

Reports

Contains

1. Accessing the Central Management Console (CMC)

Users, groups, folders and categories are managed using BOXI’s administrative application, the Central Management Console (CMC), which can be accessed via the MyEd portal.

Only Devolved Administrators can access the CMC; in order to access the CMC you will need to request that IS Applications Division places your user account into the appropriate Devolved Administrator group.

Administrators should log in using their BOXI username and password. Once logged in you will be presented with the main menu panel:

Figure 2: Home screen of CMC


2. Managing Users2.1 Creating UsersThe following screen appears when launching the CMC and clicking Users.

Figure 3: Users screen

Administrators will be able to see all users in the system.

A business area devolved administrator can create InfoView users according to the following procedure:

1. Firstly you should check to see if the user already exists as the user may already have been created by another business area. This can be done by using the search functionality at top of screen shown in Figure 3 (user names always match UUNs).

2. Click New User button (top-right of Figure 3). This loads the following screen:

of 20


Figure 4: New user screen

3. Complete the following settings on the screen shown in Figure 4:

Authentication Type Enterprise

Account Name UUN (use lower case, although not case-sensitive)1

Full Name Forename + Surname

Email Optional

Description Optional

Password Settings Give the account a password. Although users will be authenticated using their EASE password regardless of what you set here, you need to assign a password to the BOXI account to ensure it is protected. The user does not need to know what this password is.

Ensure “User cannot change password” is ticked – all other options should be unticked.

Connection Type Select “Named User”

4. Click OK.

Good passwords can be chosen by going to a site such as: https://secure.pctools.com/guides/password/?length=8&alpha=on&numeric=on&nosimilar=on&quantity=1&generate=true

1

of 20

https://secure.pctools.com/guides/password/?length=8&alpha=on&numeric=on&nosimilar=on&quantity=1&generate=true

https://secure.pctools.com/guides/password/?length=8&alpha=on&numeric=on&nosimilar=on&quantity=1&generate=true

2.2 Assigning Users to Groups

In order to run reports users must be assigned to one or more groups; in turn groups are assigned to folders. Groups will already have been created for each business area based on their individual requirements at the time of migration from BO 5.0. See section 4 for detailed information about groups.

1. Click the name of the user you wish to assign to a group.

2. Click Member of tab (Figure 5), then click Member of button (top-right of screen in Figure 5).

Figure 5: View group membership of selected user

Figure 6: Editing group membership

3. In the list of Available Groups (Figure 6) click the group that the user should be a member of, then click the > (Add) button (the user will automatically be a member of the “Everyone” group by default). If necessary, you may need to create a new group first (see section 4 below).

4. Click OK.

Important: Do not use the Rights tab, shown in Figure 5, to grant rights directly on the user.


2.3 Disabling a User AccountWhen a user leaves the university, or you no longer wish a user to have access to BusinessObjects, you may wish to have their account disabled.

Devolved administrators in business areas cannot delete or disable a user account. If you wish a user account to be disabled or deleted, you should send a request to a CMS call by using the following email address: [email protected]

Checklisto When creating a new user ensure they are added to a group

3. Folders3.1 Top-Level FoldersEach business area has a top level folder, e.g. Human Resources, and sub-folders can then be created to further organize groups of documents for that business area.

By default, each business area top level group is assigned “View” rights on the business area top level folder, e.g. the Human Resources group is assigned View rights on the Human Resources folder – meaning that everyone in the Human Resources group (and implicitly all those in all Human Resources sub-groups) can view all objects in the Human Resources folder (and implicitly all documents in all Human Resources sub-folders). Sub-folders automatically inherit the rights of their parent folder and administrators are able to modify these rights if required.

The following screen is displayed when Folders is selected from the main CMC menu:

Figure 7: Top level folders

An administrator will only be able to see those top level folders for which they have permission to view. In addition the user’s own personal folder will be shown.

of 20

mailto:[email protected]


3.2 Creating Sub-Folders

Devolved administrators cannot create new top level folders (you will see the “New Folder” button on the top right of the screen in Figure 7 is greyed out); however, they are able to create sub-folders as follows:

1. Click the top level business area folder name

2. Click the Subfolders tab (Figure 8)

Figure 8: Subfolders tab for a business area folder

3. Click the “New Folder …” button on the top right of the screen

4. Enter folder name, description (optional), and keywords (optional) on the screen shown in Figure9.

Figure 9: Enter folder details

5. Click OK.

6. You should now assign groups to this folder (see section 3.2 below)

You are able to create further sub-folders in the same way.

of 20


3.3 Assigning Groups to Folders

After you have created a sub-folder you should decide which group(s) of users should have access to the documents in this folder.

1. Click the name of the folder or sub-folder you want a group to have access to.

2. Click the Rights tab (Figure 10)

Figure 10: Folder rights

3. You will see that several groups already have Inherited Rights, including your business area top level group. Ensure that the access level for your business area top level group is set to ‘No Access’.

4. Click the Update button on the top right of the screen.

5. Click the Add/Remove button on the top right of the screen.

6. In the list of Available Groups click the group that the folder should be given rights to, then click the > (Add) button (Figure 11). If necessary, you may need to create a new group first (see section 4 below).

Figure 11: Edit group membership of folders

7. Click OK.

8. You then need to choose the level of access you wish your group to have using the Access Level drop-down menu in Figure 10. See Appendix 1 for a description of each access level and an example permissions set.

of 20


Checklisto When creating a new folder ensure you assign a group(s) to the folder.

o If you have assigned a sub-group to a folder ensure you disable access for your top level group by setting their permissions to ‘No Access’

4. Managing Groups4.1 Understanding GroupsEach business area has a top level group, e.g. HR, EUCLID. Sub-groups can then be created by administrators that will inherit the rights of the parent group. The names of groups must be unique and should follow the convention of parent-group-name > sub-group-name, e.g. HR > PPIPMI. This will make it far easier to visually see a group/sub-group hierarchy on screen (Figure 12).

Note: There is a 100 character limit on group names.

It is advisable to make your group structure and folder structure match as closely as possible, e.g. if you have a folder called HR > HESA which contains only objects relating to HR HESA then a group should be created called HR > HESA.

In order to simplify user administration IS Applications division will add two predefined user groups to each area. So, using the HR HESA example again, you will find two user groups under HR > HESA:

HR > HESA > Users. This user group can view and refresh documents in the HR HESA part of the corporate repository.

HR > HESA > Owners. This group also has rights to create and edit documents in the HR HESA part of the corporate repository.

Important: Do not use the Rights tab (shown in Figure 14), to grant rights directly on the group.

The following screen is displayed when launching the CMC and clicking Groups.

Figure 12: Groups screen

of 20


4.2 Creating Groups

1. Click the New Group button (top-right of screen).

2. Complete the Group Name and Description (Figure 13).

3. Click OK.

Figure 13: New group screen

4.3 Defining sub-groups

There are two methods of creating parent-child relationships between groups.

The first method describes adding groups as subgroups of a parent group:

1. Select the parent group and then click the Subgroups tab.

2. Click the Add/remove subgroups button (Figure 14) and then choose groups to add as subgroups of this group (the screen layout is similar to Figure 11).

Figure 14: View subgroups for a group

The second method describes defining a group as being a member of a parent group:

of 20


5. Select the child group and then click the Member of tab.

5. Click the Member of button (Figure 15) and then choose groups to define as this group’s parents.

Figure 15: View membership of a group

Both routes produce the same result – a parent-child relationship between the chosen groups.

4.4 Adding Users to Groups

1. Select the group to which the user will be added

2. Click on the Users tab and click the Add Users button (Figure 16). Note that the user must already exist.

Figure 16: Users in a group

3. In the list of Available Users click the user(s) that should be added to the group, then click the > (Add) button.

4. Click OK.

4.5 Devolved Administrators Group

Each business area has its own group which contains users who are responsible for creating and managing users, groups and folders via the CMC. This group is a sub-group of ‘Devolved Administrators’ and is called ‘Devolved Administrators > <businessAreaName>’, e.g. Devolved Administrators > HR.

Business area devolved administrator accounts are created by IS Applications Division. If you wish a new business area devolved administration account to be created, you should send a request to a CMS call by using the following email address: [email protected]

of 20

mailto:[email protected]


5. Managing universes

The management of universes is taken care of by the universe designer within the Designer application. Any changes are automatically applied to each environment via the BOXI import wizard.

of 20


Appendix 1

1.1 Predefined Access Levels - Definitions

Inherited: the folder inherits the same rights as the folder above.

No Access: the group is not able to access the folder, unless rights are inherited due to being granted explicitly at a higher level. This predefined access level actually means “not specified” (explained under “advanced rights” below).

View: the group is able to view the folder, the objects contained within the folder, and all generated instances of each object. The group cannot schedule an object or refresh it against the datasource.

Schedule: In addition to the rights granted by the View access level, the group can generate instances by scheduling the object to run against the datasource once or on a recurring basis. The group can view, delete and pause the scheduling of instances that they own. They can also schedule to different formats and destinations, set parameters and database logon information, add contents to the folder and copy the folder.

View on Demand: In addition to the rights granted the Schedule access level, the user gains the right to refresh data on demand from the data source.

Full Control: In addition to the rights granted by the View on Demand access level, the user gains all of the available advanced rights. This is the only access level that allows users to delete objects, folders and instances.

Advanced Rights: provides administrators with full control over object security and allows you to make advanced object rights settings for any group. Each folder right can be:

o Explicitly Granted – the group is given the designated access right

o Explicitly Denied – the group is not given the designated access right. If the group is granted the access right through another group membership, the denial takes precedence

o Not specified – the right is not assigned to the group, so it is not granted. Unlike an explicitly denied access right, the user or group could be granted the access right through another group membership, or inherit the rights from a higher group or folder level.

of 20


1.2 Advanced Rights given to a group for a folder

A typical Advanced Rights set-up given to user groups for a folder is set out below. You can change the rights by navigating to the relevant folder, click the Rights tab, and select the Advanced Rights access level, then click on the ‘Advanced’ link.

Please note that you should try and use the default groups if at all possible as this will simplify things both for you and if you need to obtain support from IS Applications Division. If you have a specific access requirement you are advised to create a new group and give it the rights you want rather than amending the default “user” and “owner” groups

“… > User” Advanced Rights

All rights are to be set to “Not Specified” except:

Right Level Notes

General rights

View objects Explicitly granted

Copy objects to another folder

Explicitly Granted Allows users to copy a public report to their personal folder, thereby allowing them to edit it and save it to their personal folder

View document instances

Explicitly Granted

Report rights

Print the report’s data Explicitly Granted

Refresh the report’s data

Explicitly Granted

Export the report’s data Explicitly Granted

Web Intelligence rights


Explicitly granted

Refresh list of values Explicitly granted

Use list of values Explicitly granted

Export the report’s data Explicitly granted

of 20


“… > Owner” Advanced Rights

All rights are to be set to “Not Specified” except:

Right Level Notes

General rights

Add objects to the folder Explicitly Granted

View objects Explicitly granted

Edit objects Explicitly Granted

Schedule the document to run

Explicitly Granted

Delete objects Explicitly Granted

Delete instances Explicitly Granted

Copy objects to another folder

Explicitly Granted Allows users to copy a public report to their personal folder, thereby allowing them to edit it and save it to their personal folder

Schedule to destinations Explicitly Granted

View document instances

Explicitly Granted

Pause and resume document instances

Explicitly Granted

Report rights

Print the report’s data Explicitly Granted


Explicitly Granted

Export the report’s data Explicitly Granted

Web Intelligence rights


Explicitly granted

Edit query Explicitly granted

Refresh list of values Explicitly granted

Use list of values Explicitly granted

View SQL Explicitly granted

of 20


Export the report’s data Explicitly granted

of 20

- Information Services | The University of...

Documents

Transcript of - Information Services | The University of...