sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01

  • 8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01

    SAP BusinessObjects Security Essentials
    Dallas Marks

    SAP Inside Track St. Louis
    July 15, 2011

    SAP BusinessObjects Security Essentials

    Dallas Marks
    Session 409

    Real Experience. Real Advantage.

    [ Breakout Description

    In this presentation, learn how the SAP BusinessObjects security model works. Leverage features, such as inheritance, scope of rights, and custom access levels, to secure the business intelligence system, while reducing overall complexity and maintenance. Techniques will be demonstrated using SAP BusinessObjects XI that are also applicable to SAP BusinessObjects Edge BI. Real-world scenarios drive home the concepts learned and give each attendee the confidence to implement the same techniques back home.

    [ About Dallas Marks

    Dallas Marks is a Senior Architect and Trainer at Kalvin Consulting, an SAP Services Partner focusing on business intelligence, business analytics and data warehousing. Kalvin is also an SAP BusinessObjects Authorized Education Provider, providing on-site education services at client locations throughout North America.

    Dallas is an SAP Certified Application Associate and authorized trainer for Web Intelligence, Universe Design, Xcelsius, and SAP BusinessObjects Enterprise administration. A seasoned consultant and speaker, Dallas has worked with SAP BusinessObjects tools since 2003 and presented at the North American conference each year since 2006.

    Dallas has implemented SAP BusinessObjects solutions for a number of industries, including energy, health care, and manufacturing. He holds a master's degree in Computer Engineering from the University of Cincinnati. Dallas blogs about various business intelligence topics at http://www.dallasmarks.org/.

    About Kalvin Consulting

    Mission: To be a world class consulting company by delivering innovative solutions and extraordinary service

    Our Values

    Kalvin's Success: Every customer is a successful customer

    Kalvin's Service: We value your time, we will get it right

    Expertise spans across all areas of BI

    Best of Breed solution provider for Business Intelligence, Business Analytics, and Data Warehousing

    Solution Blueprints, Roadmaps & Architecture

    Installation, Configuration & Customization

    Cross Platform & Cross Product Migrations

    Reporting, dashboards & guided analysis

    Cutting edge customization

    About Kalvin's Staff

    Corporate Office: Mason, Ohio

    Dedicated sales, marketing, HR & administration staff

    Dedicated support staff with lab and training center

    Virtual Offices: 25 Consultants

    Greater Cincinnati, Dayton, Chicago, Atlanta & Boston

    Strive to maintain 10% availability

    Extensive network of independent consultants

    Non-billable Delivery Manager to oversee the project deliverables and ensure client expectations are met

    The Kalvin Difference

    Dedicated Team

    Dedicated team of Kalvin employees. Kalvin is NOT a staffing company

    Kalvin holds bi-weekly information sharing sessions and quarterly company events for our employees to stay connected and learn from each other. We had our first KalvinFest in August 2009

    Expertise

    Kalvin is an end to end solutions provider from data integration, reporting, dashboard and visualization

    Our dedicated team of consultants bring together a full range of technical expertise in all Business Intelligence and Data Integration products: SAP BI - BusinessObjects, IBM, Oracle, Microsoft BI and customization techniques using Java and .NET

    Partnerships

    Kalvin believes each client is unique and works to build a long-term partnership

    Kalvin's BI Methodology

    [Diagram: Reporting, Ad-hoc Analysis, Dashboards, Data warehouse and cubes, Data mining, Data enhancement, Master Data Management]

    Making BI Successful

    Kalvin's Best Practices

    Adopt the best from the industry

    Follow the best of BI standards

    Deploy the processes, policies and framework

    Create a repository of information for learning and training

    Share ideas and experiences by participating in User Groups & Conferences

    [ Poll

    By a show of hands, are you using:

    SAP Applications?

    SAP BusinessObjects?

    SAP BusinessObjects Business Intelligence 4.0 (ramp-up)?

    [ Does Security Setup Make You Angry?

    [ Agenda

    SAP BusinessObjects Security Basics

    Demonstration

    Custom Access Levels, Permissions Explorer and Security Query

    Best Practices

    Next Steps

    Your Questions

    SECURITY BASICS

    SAP BusinessObjects Security Essentials

    [ Terminology

    Principal - a user or group

    Rights override - a rights behavior in which rights that are set on child objects override the rights set on parent objects

    General Global Rights - access rights enforced regardless of content type

    Content Specific Rights - access rights unique to content type (Crystal Report, Web Intelligence, etc.)

    [ Predefined Rights

    | Rights Option | Description | XI R2 | XI 3.x |
    |---|---|---|---|
    | No Access | Unable to access an object | yes | slightly different |
    | View | Able to view historical (scheduled) instances of an object | yes | yes |
    | Schedule | Able to schedule instances of an object | yes | yes |
    | View on Demand | Able to view live data on-demand | yes | yes |
    | Full Control | Able to change or delete an object | yes | yes |

    [ Advanced/Granular Rights

    | Rights Option | Description | XI R2 | XI 3.x |
    |---|---|---|---|
    | Granted | The right is granted to a principal. | yes | yes |
    | Denied | The right is denied to a principal. | yes | yes |
    | Not Specified | The right is unspecified for a principal. By default, rights set to Not Specified are denied. | yes | yes |
    | Apply to Object | The right applies to the object. This option becomes available when you click Granted or Denied. | no | yes |
    | Apply to Sub-Objects | The right applies to sub-objects. This option becomes available when you click Granted or Denied. | no | yes |

    [ Folder Inheritance

    [Diagram: Global Rights, Top Level Folder, Subfolders, Objects]

    NOTE: In XI R2, global rights are set on the Rights tab in the Settings management area.

    In XI 3.x, global rights are set in the Folders management area as All Folders Security

    [ Group Inheritance Rules

    eFashion Sales Managers 2008

    eFashion East eFashion South eFashion West

    Barrett Richards Larry Leonard Bennett Steve

    [ Breaking Inheritance

    Still possible in XI 3.x as it was in XI Release 2

    Can disable folder inheritance, group inheritance, or both

    May not be as necessary in XI 3.x because of new scope of rights features

    [ Custom Access Levels

    New Management Area in CMC XI 3.x

    Can create new access levels or copy existing access levels

    Pre-defined rights (View, Schedule, View On Demand, Full Control) levels cannot be altered

    Easier to manage than setting Advanced rights

    [ Scope of Rights

    Scope of rights - new in XI 3.x, the ability to limit the extent of rights inheritance (Apply to Object, Apply to Sub-object)

    In BusinessObjects Enterprise XI R2, the administrator was forced to break inheritance when they wanted to give user rights to child folders that were different to those given to the parent folder

    In XI 3.x, rights are effective for both the parent object and the child objects by default (same as XI R2). However

    [ Scope of Rights, cont.

    With BusinessObjects Enterprise XI 3.x, the administrator can now specify that a right set on a parent object should apply to that object only.
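
The scope-of-rights behaviour described on the last two slides, as a simplified model added here (not SAP's code or API, and not part of the original presentation): it covers one principal with folder inheritance, rights override, Apply to Object / Apply to Sub-Objects, and Not Specified treated as denied. The folder, report and group names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GRANTED, DENIED, NOT_SPECIFIED = "Granted", "Denied", "Not Specified"

@dataclass
class Assignment:
    """One explicit right set for a principal on a folder or object."""
    status: str                        # GRANTED or DENIED
    apply_to_object: bool = True       # XI 3.x scope option
    apply_to_sub_objects: bool = True  # XI 3.x scope option

@dataclass
class Node:
    """A folder or object in the hierarchy (simplified model)."""
    name: str
    parent: Optional["Node"] = None
    inherit: bool = True               # False models "break inheritance"
    rights: Dict[Tuple[str, str], Assignment] = field(default_factory=dict)

    def set_right(self, principal, right, status, on_object=True, on_subs=True):
        self.rights[(principal, right)] = Assignment(status, on_object, on_subs)

def resolve(node, principal, right):
    """Return (status, source): the nearest in-scope assignment wins (rights override)."""
    current = node
    while current is not None:
        a = current.rights.get((principal, right))
        if a is not None:
            in_scope = a.apply_to_object if current is node else a.apply_to_sub_objects
            if in_scope:
                return a.status, current.name
        if not current.inherit:
            break  # inheritance broken: ignore everything above this node
        current = current.parent
    return NOT_SPECIFIED, None

def is_allowed(node, principal, right):
    """Not Specified is denied by default, so only an effective Granted allows."""
    return resolve(node, principal, right)[0] == GRANTED

def build_sample():
    """Constructed sample hierarchy; folder and group names are hypothetical."""
    finance = Node("Finance")
    payroll = Node("Payroll", parent=finance)
    public = Node("Public Reports", parent=finance)
    report = Node("Headcount.rpt", parent=public)
    # Scope of rights: View on Finance applies to that folder only.
    finance.set_right("Analysts", "View", GRANTED, on_subs=False)
    # Schedule is denied for the whole Finance tree...
    finance.set_right("Analysts", "Schedule", DENIED)
    # ...but explicit rights on a child folder override the parent.
    public.set_right("Analysts", "View", GRANTED)
    public.set_right("Analysts", "Schedule", GRANTED)
    return finance, payroll, public, report

if __name__ == "__main__":
    for n in build_sample():
        for r in ("View", "Schedule"):
            print(f"{n.name:15} {r:9} {resolve(n, 'Analysts', r)}")
```

Returning the source folder alongside the status makes it visible that Payroll is denied View without inheritance being broken: the parent's grant is simply out of scope for sub-objects.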

    DEMONSTRATION

    SAP BusinessObjects Security Essentials

    [ Demonstration

    Authentication Types

    Users and Groups

    Custom Access Levels

    Permissions Explorer

    Security Query

    [ Demonstration - Authentication Types

    Enterprise

    LDAP

    Windows AD

    Windows NT

    SAP (requires SAP Integration Kit in releases prior to BI 4.0)

    [ Demonstration - Users & Groups

    [ Demonstration - Folders and Content

    DEMONSTRATION

    CUSTOM ACCESS LEVELS

    SAP BusinessObjects Security Essentials

    [ Demonstration - Custom Access Levels

    Custom Access Level demo

    PERMISSIONS EXPLORER AND SECURITY QUERY

    SAP BusinessObjects Security Essentials

    [ Permissions Explorer (object centric)

    Use the Permissions Explorer to determine the rights a principal has on an object

    Improvement upon Check User Rights button in XI Release 2. Check User Rights only identified the effective rights - the source of the rights assignment was still unknown

    Available from any object (folder, document, universe, connection, etc.) that can have rights assigned

    [ Permissions Explorer

    Permissions Explorer demo

    [ Security Query (user centric)

    Use Security Query to determine the objects to which a principal has been granted or denied access.

    Available from Users and Groups or Query Results

    [ Security Query - Query Principal

    Query Principal - the user or group that you want to run the security query for. You can specify one principal for each security query

    [ Security Query - Query Permission

    Query Permission - the right or rights you want to run the security query for, the status of these rights, and the object type these rights are set on

    [ Security Query - Query Context

    Query Context - the CMC areas that you want the security query to search. For each area, you can choose whether to include sub-objects in the security query. A security query can have a maximum of four areas

    Security Query demo

    BEST PRACTICES

    SAP BusinessObjects Security Essentials

    [ Security Best Practices - XI R2 or XI 3.x

    Grant rights to groups on folders. Although rights can be granted on individual objects or users, the security model can become difficult to maintain.

    Use pre-defined rights wherever possible. Understand the additional complexity that advanced rights can introduce.

    Avoid breaking inheritance, while understanding it is sometimes necessary

    Add multiple users to Administrators group rather than sharing Administrator user account to improve traceability

    Document and maintain your security structure outside of the CMC - MS Excel is a good choice

    [ Security Best Practices - XI 3.x

    Allot time in your upgrade/migration for administrative staff to understand both the new CMC interface/workflows as well as its new features

    Use custom access levels where you would have previously resorted to advanced rights.

    Identify opportunities to limit the scope of rights instead of breaking inheritance

    Take advantage of the Permissions Explorer and Security Query tools to diagnose and correct security issues

    NEXT STEPS

    SAP BusinessObjects Security Essentials

    [ Relevant ASUG SBOUC 2010 Breakout Sessions

    I can CAL, can you? (Custom Access Levels)
    Sandra Brotje | Session 0405
    Tuesday, October 5, 2010 | 4:00 PM - 5:00 PM

    [ Recommended Reading

    SAP BusinessObjects Enterprise Administrator's Guide

    SAP BusinessObjects Enterprise XI 3.0/3.1 Upgrade Guide

    SAP BusinessObjects 5/6 to XI 3.1 Migration Guide

    Visit the SAP Help Portal at http://help.sap.com to download these resources.

    [ Relevant Education

    SAP BusinessObjects Enterprise XI 3.0/3.1: Administration and Security
    2 days - course code BOE310

    SAP BusinessObjects Enterprise XI 3.0/3.1: Administering Servers
    3 days - course code BOE320

    SAP BusinessObjects Enterprise XI 3.0/3.1: Designing and Deploying a Solution
    4 days - course code BOE330

    Official SAP BusinessObjects curriculum is available on-site at your location or at authorized education centers around the world.

    YOUR QUESTIONS

    SAP BusinessObjects Security Essentials

    COMPARING XI R2 AND XI 3.X SECURITY

    SAP BusinessObjects Security Essentials

    Default Users and Groups

    | Users | XI R2 | XI 3.x |
    |---|---|---|
    | Administrator | yes | yes |
    | Guest | yes | yes |
    | QaaWSServletPrincipal | no | yes |
    | PMUser | yes | no |
    | Set Administrator password during install? | no | yes |
    | Guest user disabled by default? | no | yes |

    | Groups | XI R2 | XI 3.x |
    |---|---|---|
    | Administrators | yes | yes |
    | Everyone | yes | yes |
    | QaaWS Group Designer | no | yes |
    | Report Conversion Tool Users | yes | yes |
    | BusinessObjects NT Users | yes | no |
    | Universe Designer users | yes | yes |
    | Translators | no | yes |

    Security Features

    | Feature | XI R2 | XI 3.x |
    |---|---|---|
    | Folder Inheritance | yes | yes |
    | Group Inheritance | yes | yes |
    | Predefined Access Levels | yes | yes |
    | No Access | yes | yes* |
    | View | yes | yes |
    | Schedule | yes | yes |
    | View On Demand | yes | yes |
    | Full Control | yes | yes |
    | Advanced Rights | yes | yes |
    | Custom Access Levels | no | yes |
    | Break Inheritance | yes | yes |
    | Scope of Rights | no | yes |
    | Combined Access Levels | no | yes |

    Security Applications

    | Application | XI R2 | XI 3.x |
    |---|---|---|
    | Central Management Console | yes | yes! |
    | Web Component Adapter (WCA) | yes | no |
    | Administrative Launchpad | yes | no |
    | Query Builder | yes | yes |
    | Security Viewer Add-on | yes | no |
    | Security Query | no | yes |
    | Permissions Explorer | no | yes |

    Thank you for participating.

    SESSION CODE: 409

    Please remember to complete and return your evaluation form following this session.

    For ongoing education on this area of focus, visit the Year-Round Community page at www.asug.com/yrc

    Dallas Marks
    Senior Architect and Trainer
    [email protected]
    http://dallasmarks.org/

    For more information about Kalvin Consulting
    http://www.kalvinsoft.com/
    Follow us on Twitter at @kalvinsoft.