Personal blog
Header

Setup security in BusinessObjects XI 3.1

October 8th, 2011 | Posted by Paul Berden in Business Objects

This article:

Is about setting up security in the Central Management Console (CMC)

Is best used in combination with a demo environment of BO XI 3.1

Is intended for BOBJ system administrators

Expects you to know basic browser functions. Security model knowledge is an advantage

Aims to enable you to perform security related administrative tasks in the CMC

Introduction

The Central Management Console (CMC) is a web-based tool to perform regular administrative tasks, including user, content, and server management. It also allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Because the CMC is a web-based application, you can perform all of these administrative tasks through a web browser on any machine that can connect to the server. All users can log on to the CMC to change their user preference settings. Only members of the Administrators group can change management settings, unless explicitly granted the rights to do so.

Authentication

Authentication is the process of verifying the identity of a user who attempts to use Business Objects system.

Authentication type can be Enterprise or Third Party Authentication such as LDAP or Windows AD.

In this training we will not deal with third party authentication

Authorization

Authorization is the process of verifying the user has sufficient rights to perform the requested action upon a given objects.

Actions can be view, refresh, edit, schedule, etc. Objects can be folder, report, instance, universe, etc.

Authorization is handled based on how the access level, application security, and content security such as users and groups, universe security, folder access, etc. are defined using CMC.

Access Levels and Inheritance

Access level is a set of rights that users frequently need.

BO comes with pre-defined out of the box access levels such as Administrator, Full Access, Schedule, View and View on Demand.

However it is also possible to create and customize your own access levels.

Rights are set on an object for a user in order to control the access to the specific objects. It is highly impractical to set this individually when there are hundreds of objects.

Inheritance resolves this impractical situation by passing on the set of rights from a group to sub-group or from a folder to subfolder.

Users and groups

A Group is a collection of users who share the same account privileges. A group can have sub-groups which may share the same or a sub-set of the parent group privileges.

Users can be added to a group or sub-group or more than one groups or sub-groups.

When groups with different access levels are enabled to other contents such as folders, categories, universe or connections, the users from the group automatically inherit the rights.

Schematic security model

Effective rights

Three possible explicit values on security commands:

Explicitly granted (G) User or group is given the right

Explicitly denied (D) User or group is denied the right

Not specified (NS) No right assignment

 

Effective rights (user real rights) = explicit rights aggregation

 

Where D = denied and G = granted

 

Best practices

Create a security matrix for each of your applications

Leverage out of the box access levels. Create new access levels based on the existing ones

Use common naming convention for your application across report folder, universe folder, user groups, and access levels.

Leverage the use of Inheritance while defining folder, subfolder, user and group security.

Simplify the security model; KISS!

Interface

The URL is: http://servername:8080/CmcApp/logon.faces

 

 

Add users

Go to ‘Users and Groups’  > User list

 

Create a new user

 

 

 

 

 

Fill in details

 

 

Create and close

 

 

 

 

 

 

 

 

 

 

 

Add groups

Go to ‘Users and Groups’ > Group Hierarchy

 

 

 

 

 

Create a new group

Be aware that the group is created in the group that is currently selected!

Create a new group

 

 

 

Assign user to group

Right click user

Join Group

Select the group and add it to the destination group(s)

‘OK’

 

 

 

 

 

 

Logon to Infoview

When the newly created user logs on to infoview you will notice that there is not much to see:

Create Access levels

Copy an access level

 

 

 

 

 

Rename the access level

 

 

 

 

 

 

 

 

 

 

For advanced options edit ‘Included rights’

Assign security to objects

The following objects need to be assigned with  a access level in order for users to successfully use them

Assign security to Folders

Go to ‘Folders’

 

 

Right click desired folder >
‘User security’

 

 

 

 

 

Click ‘Add Principle’

 

 

 

 

 

Select group or user and add these to the field on the right

 

 

‘Add and Assign Security’

 

 

 

 

 

Select desired Access level(s) and add these to the field on the right

 

 

 

 

 

 

 

‘OK’

 

 

 

 

 

 

 

Logon to Infoview

When the newly created user logs on to infoview you will notice that there is still not much to see.

 

Assign security to ROOT folder

Right click ‘All Folders’ > Properties

 

 

 

 

 

 

Click ‘User Security’

 

 

 

Select ‘Everyone’ > ‘Assign Security’

 

 

 

Go to ‘Advanced’ tab > ‘Add/Remove Rights’

 

 

 

 

 

 

Grant ‘View objects’ and ‘View objects that…’ and uncheck the ‘Apply to sub object’

 

OK > OK > Close

 

 

Logon to Infoview

When the newly created user logs on to infoview you will notice that there is something to see

 

Assign security to Connections

Go to ‘Connections’

Right click desired connection >
‘User security’

 

Click ‘Add Principle’

 

Select group or user and add these to the field on the right

 

‘Add and Assign Security’

 

 

 

 

 

 

Assign security to remaining objects

Repeat steps from previous slide for

  • Universes
  • Applications
  • QaaWS (if used)
Linkedin Twitter Facebook Stumbleupon Tumblr Email

You can follow any responses to this entry through the RSS 2.0 You can leave a response, or trackback.

9 Responses



Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>