Sternautobedrijfspresentatie2012 13299273125283 Phpapp01 120222101715 Phpapp01
sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
-
Upload
madhes-analyst -
Category
Documents
-
view
222 -
download
0
Transcript of sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
1/49
SAP BusinessObjectsSecurity EssentialsDallas Marks
SAP Inside Track St. LouisJuly 15, 2011
http://twitter.com/http://www.kalvinsoft.com/http://www.linkedin.com/company/353351http://www.facebook.com/kalvinconsulting -
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
2/49
]
STEPHANIE CLUNE[ASUG INSTALLATION MEMBER
MEMBER SINCE: 2004
PHIL AWTRY[ASUG INSTALLATION MEMBER
MEMBER SINCE: 1999
MIKE NARDUCCI[ASUG ASSOCIATE MEMBER
MEMBER SINCE: 1998
SAP BusinessObjects SecurityEssentials
Dallas MarksSession 409
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
3/49
Real Experience. Real Advantage.
[ Breakout Description
In this presentation, learn how the SAP BusinessObjectssecurity model works. Leverage features, such asinheritance, scope of rights, and custom access levels, tosecure the business intelligence system, while reducingoverall complexity and maintenance. Techniques will be
demonstrated using SAP BusinessObjects XI that are alsoapplicable to SAP BusinessObjects Edge BI. Real-worldscenarios drive home the concepts learned and give eachattendee the confidence to implement the same techniques
back home.
3
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
4/49
Real Experience. Real Advantage.
[ About Dallas Marks
Dallas Marks is a Senior Architect and Trainer at Kalvin Consulting, an SAP
Services Partner focusing on business intelligence, business analytics anddata warehousing. Kalvin is also a SAP BusinessObjects AuthorizedEducation Provider, providing on-site education services at client locationsthroughout North America.
Dallas is an SAP Certified Application Associate and authorized trainer for
Web Intelligence, Universe Design, Xcelsius, and SAP BusinessObjectsEnterprise administration. A seasoned consultant and speaker, Dallas hasworked with SAP BusinessObjects tools since 2003 and presented at theNorth American conference each year since 2006.
Dallas has implemented SAP BusinessObjects solutions for a number ofindustries, including energy, health care, and manufacturing. He holds a
masters degree in Computer Engineering from the University of Cincinnati. Dallas blogs about various business intelligence topics at
http://www.dallasmarks.org/.
4
http://www.kalvinsoft.com/http://www.dallasmarks.org/http://www.dallasmarks.org/http://www.kalvinsoft.com/http://www.kalvinsoft.com/http://www.kalvinsoft.com/ -
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
5/49
About Kalvin Consulting
Mission To be a world class consulting company by delivering innovative solutions and
extraordinary service
Our Values
Kalvins Success: Every customer is a successful customer Kalvins Service: We value your time, we will get it right
Expertise spans across all areas of BI
Best of Breed solution provider for Business Intelligence, Business Analytics, and
Data Warehousing
Solution Blueprints, Roadmaps & Architecture
Installation, Configuration & Customization
Cross Platform & Cross Product Migrations
Reporting, dashboards & guided analysis
Cutting edge customization
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
6/49
About Kalvins Staff
Corporate Office Mason, Ohio
Dedicated sales, marketing, HR & administration staff
Dedicated support staff with lab and training center
Virtual Offices 25 Consultants
Greater Cincinnati, Dayton, Chicago, Atlanta & Boston
Strive to maintain 10% availability Extensive network of independent consultants
Non-billable Delivery Manager to oversee the project
deliverables and ensure client expectations are met
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
7/49
The Kalvin Difference
Dedicated Team
Dedicated team of Kalvin employees. Kalvin is NOT a staffing company
Kalvin holds bi-weekly information sharing sessions and quarterly company events for
our employees to stay connected and learn from each other. We had our first
KalvinFest, in August 2009
Expertise
Kalvin is an end to end solutions provider from data integration, reporting, dashboard
and visualization
Our dedicated team of consultants bring together a full range of technical expertise
in all Business Intelligence and Data Integration products:
SAP BI - BusinessObjects, IBM, Oracle, Microsoft BI and customization techniques
using Java and .NET
Partnerships
Kalvin believes each client is unique and works to build a long-term partnership
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
8/49
Kalvins BI Methodology
ReportingAd-hoc
AnalysisDashboards
Datawarehouseand cubes
Data miningData
enhancementMaster DataManagement
Making BI Successful
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
9/49
Kalvins Best Practices
Adopt the best from the industry
Follow the best of BI standards
Deploy the processes, policies and framework
Create a repository of information for learning and training
Share ideas and experiences by participating in User Groups &
Conferences
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
10/49Real Experience. Real Advantage.
[ Poll
By a show of hands, are you using: SAP Applications?
SAP BusinessObjects?
SAP BusinessObjects Business Intelligence 4.0 (ramp-
up)?
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
11/49Real Experience. Real Advantage.
[ Does Security Setup Make You Angry?
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
12/49Real Experience. Real Advantage.
[ Agenda
SAP BusinessObjects Security Basics Demonstration
Custom Access Levels, Permissions Explorer and Security Query
Best Practices
Next Steps Your Questions
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
13/49Real Experience. Real Advantage.
[
SECURITY BASICS
SAP BusinessObjects Security Essentials
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
14/49Real Experience. Real Advantage.
[ Terminology
Principal a user or group
Rights override - a rights behavior inwhich rights that are set on child objectsoverride the rights set on parent objects
General Global Rights access rightsenforced regardless of content type
Content Specific Rights access rightsunique to content type (Crystal Report,Web Intelligence, etc)
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
15/49Real Experience. Real Advantage.
[ Predefined Rights
Rights Option Description XI R2 XI 3.x
No Access Unable to access an object yes
slightly
different
View Able to view historical (scheduled) instances of an object yes yes
Schedule Able to schedule instances of an object yes yes
View on Demand Able to view live data on-demand yes yes
Full Control Able to change or delete an object yes yes
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
16/49Real Experience. Real Advantage.
[ Advanced/Granular Rights
Rights Option Description XI R2 XI 3.xGranted The right is granted to a principal. yes yes
Denied The right is denied to a principal. yes yes
Not Specified
The right is unspecified for a principal. By
default, rights set to Not Specified are denied. yes yes
Apply to Object
The right applies to the object. This optionbecomes available when you click Granted or
Denied. no yes
Apply to Sub-Objects
The right applies to sub-objects. This option
becomes available when you click Granted or
Denied. no yes
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
17/49Real Experience. Real Advantage.
[ Folder Inheritance
Global Rights
Object
Object
Object
Object
Top Level Folder
Subfolder
Subfolder
NOTE:In XI R2, global rights are set on the Rights tabin the Settings management area.
In XI 3.x, global rights are set in the Foldersmanagement area as All Folders Security
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
18/49Real Experience. Real Advantage.
[ Group Inheritance Rules
eFashion Sales Managers 2008
eFashion East eFashion South eFashion West
Barrett Richards Larry Leonard Bennett Steve
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
19/49Real Experience. Real Advantage.
[ Breaking Inheritance
Still possible in XI 3.x asit was in XI Release 2
Can disable folderinheritance, group
inheritance, or both May not be as
necessary in XI 3.xbecause of new scope
of rights features
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
20/49Real Experience. Real Advantage.
[ Custom Access Levels
New Management Area in CMC XI 3.x
Can create new access levels or copyexisting access levels
Pre-defined rights (View, Schedule, ViewOn Demand, Full Control) levels cannotbe altered
Easier to manage than setting Advanced
rights
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
21/49Real Experience. Real Advantage.
[ Scope of Rights
Scope of rights new in XI 3.x, the ability to limit the
extent of rights inheritance (Apply to Object, Apply toSub-object)
In BusinessObjects Enterprise XI R2, the administratorwas forced to break inheritance when they wanted to give
user rights to child folders that were different to thosegiven to the parent folder
In XI 3.x, rights are effective for both the parent object andthe child objects by default (same as XI R2). However
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
22/49Real Experience. Real Advantage.
[ Scope of Rights, cont.
With BusinessObjects Enterprise XI 3.x, the administrator can now
specify that a right set on a parent object should apply to that object only.
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
23/49Real Experience. Real Advantage.
[
DEMONSTRATION
SAP BusinessObjects Security Essentials
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
24/49Real Experience. Real Advantage.
[ Demonstration
Authentication Types Users and Groups
Custom Access Levels
Permissions Explorer Security Query
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
25/49
Real Experience. Real Advantage.
[ Demonstration - Authentication Types
Enterprise
LDAP
Windows AD
Windows NT
SAP (requiresSAPIntegration Kitin releasesprior to BI 4.0)
25
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
26/49
Real Experience. Real Advantage.
[ Demonstration Users & Groups
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
27/49
Real Experience. Real Advantage.
[ Demonstration Folders and Content
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
28/49
Real Experience. Real Advantage.
[
DEMONSTRATION
CUSTOMACCESS LEVELS
SAP BusinessObjects Security Essentials
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
29/49
Real Experience. Real Advantage.
[ Demonstration Custom Access Levels
Custom Access Level demo
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
30/49
Real Experience. Real Advantage.
[
PERMISSIONS EXPLORERAND SECURITY QUERY
SAP BusinessObjects Security Essentials
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
31/49
Real Experience. Real Advantage.
[ Permissions Explorer (object centric)
Use the Permissions Explorer to determine therights a principal has on an object
Improvement upon Check User Rights button inXI Release 2. Check User Rights only identified
the effective rights the source of the rightsassignment was still unknown
Available from any object (folder, document,universe, connection, etc.) that can have rightsassigned
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
32/49
Real Experience. Real Advantage.
[ Permissions Explorer
Permissions Explorer demo
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
33/49
Real Experience. Real Advantage.
[ Security Query (user centric)
Use Security Query to determine the objects to which aprincipal has been granted or denied access.
Available from Users and Groups or Query Results
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
34/49
Real Experience. Real Advantage.
[ Security Query Query Principal
Query Principal - the user or groupthat you want to run the security queryfor. You can specify one principal foreach security query
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
35/49
Real Experience. Real Advantage.
[ Security Query Query Permission
Query Permission - the right or rightsyou want to run the security query for,the status of these rights, and the
object type these rights are set on
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
36/49
Real Experience. Real Advantage.
[ Security Query Query Context
Query Context - the CMC areas thatyou want the security query to search.For each area, you can choosewhether to include sub-objects in thesecurity query. A security query canhave a maximum of four areas
Security Query demo
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
37/49
Real Experience. Real Advantage.
[
BEST PRACTICES
SAP BusinessObjects Security Essentials
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
38/49
Real Experience. Real Advantage.
[ Security Best Practices - XI R2 or XI 3.x
Grant rights to groups on folders. Although rights can begranted on individual objects or users, the security modelcan become difficult to maintain.
Use pre-defined rights wherever possible. Understandthe additional complexity that advanced rights can
introduce.
Avoid breaking inheritance, while understanding it issometimes necessary
Add multiple users to Administrators group rather than
sharing Administrator user account to improve traceability
Document and maintain your security structure outside ofthe CMC MS Excel is a good choice
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
39/49
Real Experience. Real Advantage.
[ Security Best Practices - XI 3.x
Allot time in your upgrade/migration for administrativestaff to understand both the new CMC interface/workflowsas well as its new features
Use custom access levels where you would havepreviously resorted to advanced rights.
Identify opportunities to limit the scope of rights instead ofbreaking inheritance
Take advantage of the Permissions Explorer and SecurityQuery tools to diagnose and correct security issues
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
40/49
Real Experience. Real Advantage.
[
NEXT STEPS
SAP BusinessObjects Security Essentials
40
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
41/49
Real Experience. Real Advantage.
[ Relevant ASUG SBOUC 2010 Breakout Sessions
41
I can CAL, can you?
(Custom Access Levels)Sandra Brotje | Session 0405Tuesday, October 5, 2010 | 4:00 PM 5:00 PM
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
42/49
Real Experience. Real Advantage.
[ Recommended Reading SAP BusinessObjects Enterprise Administrators Guide
SAP BusinessObjects Enterprise XI 3.0/3.1 Upgrade Guide SAP BusinessObjects 5/6 to XI 3.1 Migration Guide
42
Visit the SAP Help Portalat http://help.sap.com todownload theseresources.
[
http://help.sap.com/http://help.sap.com/ -
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
43/49
Real Experience. Real Advantage.
[ Relevant Education SAP BusinessObjects Enterprise XI 3.0/3.1:
Administration and Security2 days - course code BOE310
SAP BusinessObjects Enterprise XI 3.0/3.1:Administering Servers3 days - course code BOE320
SAP BusinessObjects Enterprise XI 3.0/3.1:Designing and Deploying a Solution4 days - course code BOE330
43
Official SAP BusinessObjects curriculum is available on-site atyour location or at authorized education centers around the world.
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
44/49
Real Experience. Real Advantage.
[
YOUR QUESTIONS
SAP BusinessObjects Security Essentials
44
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
45/49
Real Experience. Real Advantage.
[
COMPARING XI R2 ANDXI 3.X SECURITY
SAP BusinessObjects Security Essentials
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
46/49
Real Experience. Real Advantage.
[
Users XI R2 XI 3.x
Administrator yes yes
Guest yes yes
QaaWSServletPrincipal no yes
PMUser yes no
Set Administrator password during install? no yes
Guest user disabled by default? no yes
Groups XI R2 XI 3.x
Administrators yes yes
Everyone yes yes
QaaWS Group Designer no yes
Report Conversion Tool Users yes yes
BusinessObjects NT Users yes noUniverse Designer users yes yes
Translators no yes
Default Users and Groups
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
47/49
Real Experience. Real Advantage.
[
Feature XI R2 XI 3.x
Folder Inheritance yes yes
Group Inheritance yes yes
Predefined Access Levels yes yes
No Access yes yes*
View yes yes
Schedule yes yesView On Demand yes yes
Full Control yes yes
Advanced Rights yes yes
Custom Access Levels no yes
Break Inheritance yes yes
Scope of Rights no yes
Combined Access Levels no yes
Security Features
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
48/49
Real Experience. Real Advantage.
[
Application XI R2 XI 3.xCentral Management Console yes yes!
Web Component Adapter (WCA) yes no
Administrative Launchpad yes no
Query Builder yes yes
Security Viewer Add-on yes no
Security Query no yes
Permissions Explorer no yes
Security Applications
[
-
8/2/2019 sapinsidetrack2011markssapbusinessobjectssecurity-110721195827-phpapp01
49/49
[
[
] Thank you for participating.
SESSION CODE:409
Please remember to complete and return your
evaluation form following this session.
For ongoing education on this area of focus, visit the Year-
Round Community page at www.asug.com/yrc
Dallas MarksSenior Architect and Trainer
http://dallasmarks.org/
For more information about KalvinConsulting
http://www.kalvinsoft.com/Follow us on Twitter at @kalvinsoft.
http://www.kalvinsoft.com/http://www.kalvinsoft.com/http://www.kalvinsoft.com/http://dallasmarks.org/http://www.kalvinsoft.com/http://www.kalvinsoft.com/http://www.kalvinsoft.com/http://twitter.com/http://twitter.com/http://twitter.com/http://www.kalvinsoft.com/http://www.kalvinsoft.com/http://www.kalvinsoft.com/http://www.kalvinsoft.com/http://dallasmarks.org/http://www.kalvinsoft.com/