Setup security in BusinessObjects XI 3.1

This article:

Is about setting up security in the Central Management Console (CMC)

Is best used in combination with a demo environment of BO XI 3.1

Is intended for BOBJ system administrators

Expects you to know basic browser functions. Security model knowledge is an advantage

Aims to enable you to perform security related administrative tasks in the CMC


The Central Management Console (CMC) is a web-based tool to perform regular administrative tasks, including user, content, and server management. It also allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Because the CMC is a web-based application, you can perform all of these administrative tasks through a web browser on any machine that can connect to the server. All users can log on to the CMC to change their user preference settings. Only members of the Administrators group can change management settings, unless explicitly granted the rights to do so.


Authentication is the process of verifying the identity of a user who attempts to use Business Objects system.

Authentication type can be Enterprise or Third Party Authentication such as LDAP or Windows AD.

In this training we will not deal with third party authentication


Authorization is the process of verifying the user has sufficient rights to perform the requested action upon a given objects.

Actions can be view, refresh, edit, schedule, etc. Objects can be folder, report, instance, universe, etc.

Authorization is handled based on how the access level, application security, and content security such as users and groups, universe security, folder access, etc. are defined using CMC.

Access Levels and Inheritance

Access level is a set of rights that users frequently need.

BO comes with pre-defined out of the box access levels such as Administrator, Full Access, Schedule, View and View on Demand.

However it is also possible to create and customize your own access levels.

Rights are set on an object for a user in order to control the access to the specific objects. It is highly impractical to set this individually when there are hundreds of objects.

Inheritance resolves this impractical situation by passing on the set of rights from a group to sub-group or from a folder to subfolder.

Users and groups

A Group is a collection of users who share the same account privileges. A group can have sub-groups which may share the same or a sub-set of the parent group privileges.

Users can be added to a group or sub-group or more than one groups or sub-groups.

When groups with different access levels are enabled to other contents such as folders, categories, universe or connections, the users from the group automatically inherit the rights.

Schematic security model

Effective rights

Three possible explicit values on security commands:

Explicitly granted (G) User or group is given the right

Explicitly denied (D) User or group is denied the right

Not specified (NS) No right assignment


Effective rights (user real rights) = explicit rights aggregation


Where D = denied and G = granted


Best practices

Create a security matrix for each of your applications

Leverage out of the box access levels. Create new access levels based on the existing ones

Use common naming convention for your application across report folder, universe folder, user groups, and access levels.

Leverage the use of Inheritance while defining folder, subfolder, user and group security.

Simplify the security model; KISS!


The URL is: http://servername:8080/CmcApp/logon.faces



Add users

Go to ‘Users and Groups’  > User list


Create a new user






Fill in details



Create and close












Add groups

Go to ‘Users and Groups’ > Group Hierarchy






Create a new group

Be aware that the group is created in the group that is currently selected!

Create a new group




Assign user to group

Right click user

Join Group

Select the group and add it to the destination group(s)








Logon to Infoview

When the newly created user logs on to infoview you will notice that there is not much to see:

Create Access levels

Copy an access level






Rename the access level











For advanced options edit ‘Included rights’

Assign security to objects

The following objects need to be assigned with  a access level in order for users to successfully use them

Assign security to Folders

Go to ‘Folders’



Right click desired folder >
‘User security’






Click ‘Add Principle’






Select group or user and add these to the field on the right



‘Add and Assign Security’






Select desired Access level(s) and add these to the field on the right
















Logon to Infoview

When the newly created user logs on to infoview you will notice that there is still not much to see.


Assign security to ROOT folder

Right click ‘All Folders’ > Properties







Click ‘User Security’




Select ‘Everyone’ > ‘Assign Security’




Go to ‘Advanced’ tab > ‘Add/Remove Rights’







Grant ‘View objects’ and ‘View objects that…’ and uncheck the ‘Apply to sub object’


OK > OK > Close



Logon to Infoview

When the newly created user logs on to infoview you will notice that there is something to see


Assign security to Connections

Go to ‘Connections’

Right click desired connection >
‘User security’


Click ‘Add Principle’


Select group or user and add these to the field on the right


‘Add and Assign Security’







Assign security to remaining objects

Repeat steps from previous slide for

  • Universes
  • Applications
  • QaaWS (if used)
Linkedin Twitter Facebook Stumbleupon Tumblr Email

17 thoughts on “Setup security in BusinessObjects XI 3.1

  1. Mallika


    Thanks for an informative article. Can you help me with the steps involved if the user need to have Import rights for importing the report.

    Thanks in advance,

    1. Paul Berden Post author

      Hi Mallika, I have no experience with restricting or enabling import rights for specific users. But I’m sure it’s possible since right management is extensive.

      The way to go would be to change your Access Level accordingly
      – Right click -> properties
      – Included rights
      – Add/Remove rights
      – Application -> Web Intelligence
      – See screenshot:

      Good luck, let me know if you’ve managed to fix it!

      Regards, Paul

      1. ajay

        Can we get same screen shot in Bo 4 .. please let me if i have 4 group
        1-BO Deleveloper
        2-Bo Users
        3-Bo Power Users
        4-Bo Adminusers group

        How to define access level for above group


  2. omkar

    thank a lot .. can please provide brief document about server setup and clustering of servers..

  3. MAT

    Paul my question is to restrict user ‘John’ to see only one universe but he still be able to run all the existing reports on existed universes. is this possible in 3.1 SP5.



    1. Paul Berden

      Hi MAT, this might be of help to you:

      So create two Custom Access Levels:
      – CAL A: Data Access, View Access
      – CAL B: Data Access, View Accees, Create and Edit Queries Based on possible

      And then:
      For Users John and others we apply CAL A on all Universes
      For User John we apply CAL B on that one Universe

      Also see:

  4. Bernadine

    I see you don’t monetize your site, i think there is one
    opportunity to earn additional money on your site, search in google for; idol4jp makes

  5. 95Alfredo

    Hello blogger, i must say you have high quality content here.
    Your page can go viral. You need initial traffic boost only.
    How to get it? Search for: Mertiso’s tips go viral

  6. FirstGrady

    I see you don’t monetize your page, don’t waste your traffic, you can earn extra cash
    every month because you’ve got hi quality content.
    If you want to know how to make extra $$$, search for:
    Boorfe’s tips best adsense alternative

  7. ChanteSmall

    I have checked your page and i have found some duplicate content, that’s why you don’t rank high
    in google, but there is a tool that can help you to create 100% unique content, search for; Boorfe’s tips unlimited content

  8. BestBailey

    I see you don’t monetize your website, don’t waste your traffic,
    you can earn extra bucks every month because you’ve got hi quality
    content. If you want to know how to make extra bucks, search for: Ercannou’s essential tools best adsense alternative

  9. regi

    Hi Paul,
    i am right now setting up the top folder authorisations for the connections folder and somehow there are three settings by default that are granted there:
    Connections->Applications->OLP.CustomGroups to add, edit and delete objects.

    Do you think I should remove this three predefined advanced authorisations for the top folder auhtorisations for the connections folder at all or I should also add the view on demand on it?

    Thanks regi

    1. Paul Berden Post author

      Hi Regi, I haven’t worked on SAP BO administration tasks in a long while since I posted this article. I don’t know what these default settings might do in your system.
      Glad that you like my post and that it’s still helpful.

  10. BestMonroe

    I have noticed you don’t monetize your page, don’t waste your traffic,
    you can earn extra cash every month. You can use
    the best adsense alternative for any type of website (they approve all websites), for more info simply search in gooogle:
    boorfe’s tips monetize your website


Leave a Reply

Your email address will not be published.