Understanding Security and Rights in SAP BusinessObjects Business Intelligence 4.1
By Greg Wcislo | September, 2013
Disclaimer
This presentation outlines general product direction and should not be relied upon for purchase decisions. SAP has no obligation to pursue any course of business outlined or release any functionality mentioned. Strategy and future developments are subject to change without notice. The document is provided without warranty, and SAP assumes no responsibility for errors or omissions, except for intentional or grossly negligent damages.
Agenda
- What security is available in BI4: Authentication, Report, Application, Data, Inheritance
- Securing at the right layer: BI Object security (report level), Universe security, Data source security
- Best practices for a low headache security model
- Security changes between 3.1 and 4.x
Data Security
Data can be secured at:
- Folder/report level
- Universe level
- Database source level
Diagram Description: The interface shows different security management areas within SAP BusinessObjects. One section displays the Lifecycle Management (LCM) console with options like User Security and Limits. Another shows a user login screen for 'GREG' with authentication details and session client information. A third shows the Universes/Profiles and Users/Groups structure, allowing for the insertion, modification, and checking of data security profiles. A table lists granted roles, showing 'PUBLIC' with 'SYS' as the grantor.
Considerations for Data Connections
Shared Connection
All users log on to the database with the same shared user ID, often referred to as a "Technical User" or "System User". Security can be managed at the report or universe level within the BI system.
Pros: Reduces the need to replicate users and manage security at the database level.
Cons: Does not differentiate what users can see directly within the database.
Diagram Description: An 'Edit Relational Connection' dialog for SAP HANA is shown, illustrating authentication modes like 'Use Specified User Name and Password', 'Use BusinessObjects Credential Mapping', and 'Use Single Sign On'. It also shows data source configuration options.
Single Sign On (SSO)
SSO is available for Kerberos with MS SQL Server & Analysis Services, Oracle, Teradata (via ODBC), and HANA. Trust Certificates are used for HANA (SAML) and SAP.
Pros: User's account and security are applied at the data source level, offering the most secure approach.
Cons: No Kerberos SSO for scheduling, and user accounts must exist on both the BI system and the data source.
Diagram Description: Similar to the shared connection diagram, this shows the 'Edit SAP HANA database 1.0 connection' dialog, highlighting the 'Use Single Sign On' authentication mode.
For a full list of SSO options, refer to: http://scn.sap.com/docs/DOC-33875
Saving Passwords (Credential Mapping)
User's database credentials can be hardcoded and saved within the BI4 system. This requires password capture/replication, and a user can only have one such mapping.
Diagram Description: A 'Database Credentials' dialog is shown, allowing users to enable credential saving with an account name and password. The 'Edit Relational Connection' dialog is also displayed, showing the 'Use BusinessObjects Credential Mapping' option.
Capture can occur during logon if SSO is not used or set via SDK.
Deciding Where to Secure Content
Report objects will still be listed if only the database is secured.
- Consider where your main user management resides and take user federation into account.
- Evaluate your overall landscape, not just the BI system. Determine if other applications access your database.
Application Rights
Application rights dictate what a user can do within a specific application, such as the Web Intelligence (Webi) report edit panel or logging into the Central Management Console (CMC).
Users must have rights to the actual object (e.g., a Webi document) to perform actions.
Diagram Description: An 'Add/Remove Rights' interface is displayed, detailing 'Specific Rights for Web Intelligence' and 'General Rights for Web Intelligence'. It shows options like 'Data - enable data tracking', 'Desktop interface - enable local data providers', and 'Desktop interface - export documents', with associated implicit values and granted status.
Access Control List (ACL)
An Access Control List (ACL) is a list of principals (users and groups) who have access to an object.
Diagram Description: The 'User Security: Web Intelligence Samples' interface shows an ACL with columns for Name, Full Name, Type, and Access. Principals like 'Administrators', 'Everyone', and 'WebI Viewers' are listed with their respective access levels (e.g., 'Full Control (Inherited)', 'No Access', 'View On Demand').
Access Levels
Avoid assigning individual rights, as this is not reproducible and requires high maintenance. Instead, use Access Levels, which are collections of rights.
- Assign Access Levels to groups, not individual users.
- Build up from minimum rights and increment.
- Minimize explicit denies: Grant + Deny = Deny.
Diagram Description: The Central Management Console (CMC) displays 'Access Levels' such as 'Full Control', 'Full Control (Owner)', 'Schedule', and 'View On Demand', along with their descriptions detailing the granted permissions.
Rights Management
General rights can be overridden by content-specific rights. For example, a user might be granted the right to 'Add object' but denied the right to 'Add Webi object'.
Application rights, such as the right to use the Webi application, are also defined.
Diagram Description: An 'Included Rights: Schedule Webi' view shows 'Rights Collections' (General, Content, Application, System) and 'Specific Rights for Web Intelligence', listing actions like 'Copy objects to another folder', 'Delete instances that the user owns', and 'Schedule document to run'.
Example of Application Rights
Application rights dictate user actions within an application. Rights to the actual object (like a Webi document) are necessary to perform these actions.
Diagram Description: The 'Add/Remove Rights' interface for Web Intelligence is shown, detailing specific rights such as 'Desktop interface - install from BI launch pad', 'Desktop interface - print documents', and 'Log on to Web Intelligence'. It also includes general rights like 'Edit this object' and 'Modify the rights users have to objects'.
Understanding Granted, Denied, and Not Specified Rights
Granted and Denied rights should be clear. Rights set to "Not Specified" are effectively denied, meaning "Not permitted unless I say otherwise".
Rights can apply to the current level or all sublevels.
Trumping Rights:
- Example 1: Grant rights on a folder, but explicitly deny rights on a single report or subfolder.
- Example 2: Deny rights on a folder, but explicitly grant rights on a single report or subfolder.
Diagram Description: A legend indicates that a green checkmark (✓) means 'granted', a red cross (✗) means 'denied', and a question mark (?) means 'not specified'. Icons are shown for applying rights to the current level or all sublevels.
Managing Folders and Permissions
For departments, basic permissions are often set up using multiple folders. The root public folder is denied by default for security.
A common scenario involves denying permission on many folders while granting it on a specific one for a department group.
Diagram Description: The interface shows how to manage folder permissions, including granting view object rights but not subobjects. Two views illustrate folder structures: 'Seen By Administrator' showing a hierarchical list of folders (Public Folders, _HR, Auditing, etc.), and 'Seen By HRUser' showing a similar structure.
Creating Access Levels and Common Roles
Access levels can be created from minimal rights to full control. For multiple departments, consider using a multi-tenancy tool.
Common roles include:
- Viewers/Consumers: Users who view reports.
- Report creators/Editors: Users who create or edit reports. This can be split into "Analyst" (create/edit) and "Report Editor" (publicly edit/modify all reports).
- Report Publisher: Users responsible for scheduling and publishing reports.
Inheritance in Groups and Folders
When a user is a member of two groups, one permitting and one denying access, the hierarchy of precedence is DENY > GRANT > NOT SPECIFIED.
Cheat Sheet:
- G + NS = Grant
- G + D = Deny
- G + D + NS = Deny
- D + NS = Deny
Users and groups also have inheritance properties.
Diagram Description: A simple inheritance diagram shows a user belonging to HR and Finance groups, with a deny symbol (✗) on Finance. The 'Assign Security' dialog illustrates inheritance options, allowing users to 'Inherit From Parent Folder' or 'Inherit From Parent Group'.
Changes Between SAP BI 3.x and 4.x
Key changes include the introduction of a "New Owner Right" and modifications/renames to Webi Rights.
For detailed information on Webi rights changes, refer to: http://scn.sap.com/wiki/display/BOBJ/WEBI+security+rights+changes+between+XI3.1+and+BI4.x
The "Connection Download right" has also been updated.
Diagram Description: Tables showing 'General Global Rights General' and 'Specific Rights for Relational Connection' highlight changes such as 'Delete objects that the user owns' and 'View objects that the user owns'.
Central Management Console (CMC) Tab Access
CMC tab access is useful for delegated administration but is not considered actual security. The UI can be hidden, but users with sufficient rights can still manage and access settings via the SDK.
Diagram Description: The Central Management Console (CMC) interface is shown, displaying options like 'Program Object Rights', 'CMC Tab Access Configuration', and 'User Security'. Another view details 'CMC Tab Access Configuration' with 'Unrestricted' and 'Restricted' options. A third diagram illustrates 'Configure CMC Tabs' for 'BI Viewers', showing permission settings for configuring CMC tabs.
User Attribute Mapping for Universe Security
Custom user attributes can be used to further secure universes. This involves mapping attributes from sources like LDAP to internal BI system attributes.
Diagram Description: The 'Define a user attribute' dialog shows how to configure the system to pull in attributes for creating new Enterprise user attributes. It includes fields for 'Name' and 'Internal Name', and a 'Sources' section where LDAP attributes like 'Locality' can be mapped to internal names like 'SI_COUNTRY'. The 'Result Objects for Query #1' and 'Query Filters for Query #1' show how these mapped attributes are used in queries, for example, filtering by Customers.country = @VARIABLE('SI_COUNTRY').
See the SCN article for a complete guide: http://scn.sap.com/community/bi-platform/blog/2012/07/05/user-attribute-mapping-in-bi4
The user properties, such as 'Country', are displayed in the 'Properties: Jean-Luc' dialog.
Security Query Tool
The Security Query Tool allows users to view a full listing of rights for a specific principal (single user or group). It is useful for debugging and can be exported to CSV for compliance. It can also be scripted for broader use.
Diagram Description: The 'Create Security Query' window is shown, enabling users to specify a 'Query Principal', 'Query Permission', and 'Query Context' to search for objects based on permissions and location within the CMC.
Diagram Description: The 'Security Query Tool Results' interface displays the output, allowing users to drill down into specific folders and rights to see their source. It shows shared folders like '_Finance', '_HR', and 'Auditing' with their access levels and inheritance details.
Further Information
SAP Public Web Resources:
- scn.sap.com
- http://scn.sap.com/community/bi-platform/blog/2012/07/05/user-attribute-mapping-in-bi4
- http://scn.sap.com/docs/DOC-33875
- http://scn.sap.com/docs/DOC-41311
- http://wiki.scn.sap.com/wiki/display/BOBJ/WEBI+security+rights+changes+between+XI3.1+and+BI4.x
SAP Education and Certification Opportunities:
Watch SAP TechEd Online:
SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online
Continue SAP TechEd education with hands-on workshops (available January – March 2014) and online content, including keynotes, interviews, and lecture sessions.
- Virtual Hands-on Workshops: http://saptechedhandson.sap.com/
- SAP TechEd Online: http://sapteched.com/online
Diagram Description: Screenshots of the SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online websites are displayed, showcasing available content and navigation.
Feedback
Please complete your session evaluation for EA209.
Thanks for attending this SAP TechEd session.
Legal and Copyright Notices
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form without SAP AG's express permission. Information is subject to change without notice. SAP AG and its affiliates are not liable for errors or omissions. SAP trademarks and logos are registered in Germany and other countries. For trademark information, see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark.
