Security in SAP BO
Administration & Security
Account management involves all of the tasks related to creating, mapping, changing, and organizing user and group information.
After the user accounts and groups have been created, you can add objects and specify rights to them. When the users log on, they can view the objects using BI launch pad or their custom web application.
In the Users and Groups management area, you can specify everything required for a user to access SAP BusinessObjects Business Intelligence platform.
You can also view the two default user accounts summarized by the following table.
Under the user-role based licensing scheme, there are two roles which can be assignedto SAP BusinessObjects Business Intelligence platform users:
Each role is bundled with specific access levels to SAP BusinessObjects Business Intelligence platform applications.
You cannot modify or override the access level to either user role. User roles apply to new user accounts created in SAP BusinessObjects Business Intelligence platform or
BI Analyst role
The BI Analyst role is designed for users who create content in the SAP BusinessObjectsBusiness Intelligence platform.
Users who edit or create reports, design and manage universes, or perform anyadministrative tasks in the CMC should be assigned the BI Analyst role.
BI Viewer role
The BI Viewer role is designed primarily for content consumers. These users only view reports but do not modify content.
Users assigned to the BI Viewer role will be prevented by the system from creating content, modifying reports and performing general administrative tasks in the system.
The BI Viewer role should not be assigned to users who need to:
Update or modify reports
Perform administrative tasks using the CMC
Groups are collections of users who share the same account privileges; therefore, you may create groups that are based on department, role, or location.
Groups enable you to change the rights for users in one place (a group) instead of modifying the rights for each user account individually.
Also, you can assign object rights to a group or groups.
In the Users and Groups area, you can create groups that give a number of people access to the report or folder.
This enables you to make changes in one place instead of modifying each user account individually.
You can also view the several default group accounts summarized by the following table.
Note: To view available groups in the CMC, click Group List in the Tree panel. Alternatively, you can click Group Hierarchy to display a hierarchal list of all available groups.
|Report Conversion Tool||Members of this group have access to the Report Conversion Tool application.|
|Translators||Members of this group have access to theTranslation|
|Universe Designer Users||Users who belong to this group are granted access to the Universe Designer folder and the Connections folder. They can control who hasaccess rights tothe Designer application. You must add users to this group as needed By default no user|
Enable the Guest account
The Guest account is disabled by default to ensure that no one can log on to SAP BusinessObjects Business Intelligence platform with this account.
This default setting also disables the anonymous single sign-on functionality of SAP BusinessObjects Business Intelligence platform, so users will be unable to access BI launch pad without providing a valid user name and password.
1.Go to the Users and Groups management area of the CMC.
2.Click User List in the Navigation panel.
4.Click Manage → Properties. The Properties dialog box appears.
5.Clear the Account is disabled check box.
6.Click Save & Close.
7.If you are prompted for confirmation, click OK.
Creating users and groups
New users and groups are created in the CMC. When you create a new user account in the CMC, you first must specify the user’s properties, before you configure group memberships for the user.
Groups are collections of users who share the same account privileges. For instance, you may create groups that are based on department, role, or location. Groups enable you to change the rights for users in one place (a group) instead of modifying the rights for each user account individually.
Also, you can assign object rights to a group or groups.
Creating and modifying a user account
After a user account has been created, you can modify the account properties. The properties that can be modified include:
The account name is the unique identifier for a user account and is the user name entered when logging into SAP BusinessObjects Business Intelligence platform.
This optional field is used to capture the user’s full name. It is recommended that you use this field, particularly when managing many users.
This optional field is used to add the user’s email address. This is for reference only. For example, if the user forgets their password sometime in the future, you can get their email address from this field to send them their password.
This optional field is used to add information about the user, such as their position, department, or geographic location.
Enterprise Password Settings
User password settings allow you to change the password and password settings for the user. Global password settings can be configured in the Authentication area of the Central Management Console.
This option specifies how the user connects to the SAP BusinessObjects Business Intelligence platform based on the license agreement.
Account is disabled
This check box allows the Administrator to deactivate the user account, instead of permanently deleting the account.
This is useful when administering users who will be temporarily denied system access, such as employees taking parental leave
Select the Account is disabled check box to disable the Guest account. This makes it unavailable for use.
If a user has multiple accounts within SAP BusinessObjects Business Intelligence platform, use this feature to link the accounts.
This results in the user having multiple SAP BusinessObjects Business Intelligence platform login credentials that map to one SAP BusinessObjects Business Intelligence platform account.
You can also use the New Alias. button to create a new alias.
In the CMC home page, click Users and Groups.
Click Manage → New → New User.
The New User dialog box appears.
Select the Authentication Type.
To create an Enterprise user,
Select Enterprise from the Authentication Type list.
Type the account name, full name, email, and description information. Use the description area to include extra information about the user or account.
Specify the password information and settings.
To create a user that will logon using a different authentication type, select the appropriate option from the Authentication Type list, and type the account name.
Specify how to designate the user account according to options stipulated by your SAP BusinessObjects Business Intelligence platform license agreement.
If your license agreement is based on user roles, select one of the following options:
BI Viewer: access to SAP BusinessObjects Business Intelligence platform applications for all accounts under the BI Viewer role is defined in the license agreement. Users are restricted to access application workflows that are defined for the BI Viewer role. Access rights are generally limited to viewing business intelligence documents. This role is typically suitable for users who consume content through SAP BusinessObjects Business Intelligence platform applications.
BI Analyst: access to SAP BusinessObjects Business Intelligence platform applications for all accounts under the BI Analyst role is defined in the license agreement. Users can access all applications workflows that are defined for the BI Analyst role. Access rights include viewing and modifying business intelligence documents. This role is typically suitable for users who create and modify content for SAP BusinessObjects Business Intelligence platform applications
If your license agreement is not based on user roles, specify a connection type for the user account.
Choose Concurrent User if this user belongs to a license agreement that states the number of users allowed to be connected at one time.
Choose Named User if this user belongs to a license agreement that associates a specific user with a license. Named user licenses are useful for people who require access to BusinessObjects Business Intelligence platform regardless of the number of other people who are currently connected. that are defined for the
BI Analyst role. Access rights include viewing and modifying business intelligence documents. This role is typically suitable for users who create and modify content for SAP BusinessObjects Business Intelligence platform applications
Click Create & Close.
Modify a user account
Use this procedure to modify a user's properties or group membership.
The user will be affected if they are logged on when you are making the change.
The user account must already exist before it can be modified.
In the CMC home page, click Users and Groups.
Select the user whose properties you want to change.
Click Manage → Properties.
The Properties dialog box for the user appears.
Modify the properties for the user.
In addition to all of the options that were available when you initially created the account, you now can disable the account by selecting the Account is disabled check box.
Any changes you make to the user account do not appear until the next time the user logs on.
Click Save & Close.
Creating and modifying a group account
Once a group is created, you can modify its membership to include other groups. Groups can include other groups as subgroups.
Group names must be unique.
After a group is created, you can modify the properties. Properties can include:
Delete a user or group Use
You can delete a user or group when that user or group is no longer required.
You cannot delete the default groups Administrator and Everyone.
The users who belong to a deleted group will be affected by the change the next time they log on.
The users who belong to the deleted group will lose any rights they inherited from the group.
Go to the Users and Groups management area of the CMC.
Select the user or group you wish to delete.
Click Manage → Delete.
The delete confirmation dialog box appears.
Adding users to groups
Once you have created a group structure, you will need to add users to the groups. You can add users to groups in the following ways:
Select the group, and then click Actions → Add Members to Group.
Select the user, and then click Actions → Member Of.
Select the user, and then click Actions → Join Group.
Add a user to one or more groups
In the Users and Groups management area of the CMC.
Select the user that you wish to add to a group.
Click Actions→Join Group.
Note: All SAP BusinessObjects Business Intelligence platform users of the system are part of the Everyone group.
The Join Group dialog box appears.
Select the group that you want to add the user to from the Available Groups list, and click > to move it to the Destination Group(s) list.
Use SHIFT + click or CTRL + click to select multiple groups.
Add one or more users to a group
In the Users and Groups management area of the CMC, select the group.
Click Actions → Add Members to Group.
The Add dialog box appears.
Click User list.
The Available users/groups list refreshes and displays all user accounts in the system.
Select the user that you want to add to the group from the Available users/groups list, and click >to move it to the Selected users/groups list.
To select multiple users, use the SHIFT + click or CTRL +click combination.
To search for a specific user, use the search field.
If there are many users on your system, click the Previous and
Next buttons to navigate through the list of users.
The user(s) is added to the group.
To create a logical structure in which to store an organization's content you must create folders.
Folders store objects and are used to organize documents.
You can use folders to separate content into logical areas. Every report or document must reside in a folder.
Because you can set security at the folder level, you can use folders as a tool for controlling access to information.
Object-level rights are either set explicitly for the object or inherited from the folder in which the object resides.
Creating and managing folders is typically the responsibility of the SAP BusinessObjects BI platform administrator, but end users can be given the option to create their own folders and control the objects within their folders in BI launchpad.
Managing folders in SAP BusinessObjects BI platform is done in the Folders management area of the Central Management Console.
Learn SAP BO by Tekslate - Fastest growing sector in the industry.
Explore Online SAP BO Training and course is aligned with industry needs & developed by industry veterans.
Tekslate will turn you into SAP BO Expert.
Create a folder
Go to the Folders management area in the CMC.
Navigate to where you want to create the folder.
Click Manage → New → Folder.
Enter a name for the folder and click OK.
The folder is created.
Categories provide an alternative way of organizing objects, and therefore an alternative way for users to navigate to them.
For example, you could organize your content into departmental folders, and then use categories to create an alternate filing system that divides content according to different roles in your organization, such as managers or VPs.
This organizational model allows you set security on groups of documents based on department or job role. There are two types of categories: corporate and personal. Corporate categories are created and administrated by administers with the appropriate rights, and are only visible to groups and users who have the rights to view them; personal categories are created by individual users, and are only visible to themselves.
There are two types of categories:
Corporate categories are created and administrated by administers with the appropriate rights,and are only visible to groups and users who have the rights to view them.
Personal categories are created by individual users, and are only visible to themselves.
Note: While all objects must reside in folders, category assignment is optional; therefore, it is important to note that:
While you can assign rights to a category as an object (that is, grant groups and users rights to it), the objects within the category cannot inherit rights set on the category itself.
An object in a category retains its affiliation with the folder it resides in.
An object can reside in multiple categories.
Create a category
-Go to the Categories management area of the CMC.
-Click Manage → New → Category.
-Type a name for your cateogry.
The new category is added to the system. You can now click Manage → Properties to change settings for this category.
Assign an object to a category
-Go to the Folders management area of the CMC.
-Navigate to the object you would like to add to a category and select it.
-Click Manage → Properties.
-Under Properties, in the Categories section, select the categories to which you want to add the object.
-Click Save & Close.
You can either remove or delete objects from a category. When you remove an object, you remove it from the category only. When you delete an object, you remove it from the category and also delete it from the system.
Go to the Categories management area of the CMC.
Double-click the category from which you want to remove or delete an object.
If the category you want to delete is not at the top level, locate its parent category. Then make your selection.
To select multiple categories, hold down the CTRL or Option key and click each category, so that you can delete several categories simultaneously.
Select the object or objects you want to remove or delete.
Remove the object from the category or delete the object.
Click Actions → Remove From Category to remove the object from the category only. In this case, the object continues to exist in the system.
Click Manage → Delete to remove the object from the category and at the same time delete it from the system.
Move a category
When you move a category, any object assigned to the category maintains its association with it. All of the category's object rights are retained.
For example, you may have a South American Sales category that is accessible only by sales people in that region.
You also have a World Sales category that contains worldwide sales reports needed by all sales people.
For more intuitive organization, you want to move the region categories into the World Sales category.
When you move the South American Sales category into the World Sales category, it retains its rights settings and associated objects, even though it has become a subcategory of the World Sales category.
Go to the Categories management area of the CMC.
Select the category that you want move.
If the category you want to move is not at the top level, locate its parent category. Then make your selection.
Click Organize → Move To.
Select the Destination category and add it to the Destinations list.
If there are many categories on your system, use the Search title field to search, or click Previous, Next, and + to browse the category hierarchy.
The category you selected is moved to the new destination.
Administering Rights in SAP BusinessObjects Business Intelligence Platform
Rights play an important role in SAP BusinessObjects Business Intelligence platform because they allow you to control access to your SAP BusinessObjects Business Intelligence platform content, rights enable you to delegate user and group management to different departments, and to provide your IT people with administrative access to servers and server groups.
Access levels are groups of rights that users frequently need. They allow administrators to set common security levels quickly and uniformly rather than requiring that individual rights be set one by one. SAP BusinessObjects Business Intelligence platform comes with several predefined access levels. These predefined access levels are based on a model of increasing rights: Beginning with View and ending with Full Control, each access level builds upon the rights granted by the previous level.
Top-level folder security
Top-level folder security is the default security set for each specific object type (for example Universes, Web Intelligence Application, Groups and Folders). Each object type has its own top-level folder (root folder) that all the objects below inherit rights from.
If there are any access levels common to certain object types that apply throughout the whole system, set them at the top-level folder specific to each object type. For example, if the Sales group requires the View access level to all folders, you can set this at the root level for Folders.
Folder-level security enables you to set access-level rights for a folder and the objects contained within that folder. While folders inherit security from the top-level folder (root folder), subfolders inherit the security of their parent folder. Rights set explicitly at the folder level override inherited rights.
Objects in SAP BusinessObjects Business Intelligence platform inherit security from their parent folder. Rights set explicitly at the object level override inherited rights.
How rights work in SAP Business Objects Business Intelligence platform
Rights are the base units for controlling user access to the objects, users, applications, servers, and other features in SAP BusinessObjects Business Intelligence platform.
They play an important role in securing the system by specifying the individual actions that users can perform on objects.
Besides allowing you to control access to your SAP BusinessObjects Business Intelligence platform content, rights enable you to delegate user and group management to different departments, and to provide your IT people with administrative access to servers and server groups.
It is important to recognize the difference between rights set on objects or folders, and rights set on principals (the users and groups) who access them.
For example, to give a manager access to a particular folder, in the Folders area, you add the manager to the access control list (the list of principals who have access to an object) for the folder.
You cannot give the manager access by configuring the manager's rights settings in the "Users and Groups" area.
The rights settings for the manager in the Users and Group area are used to grant other principals (such as delegated administrators) access to the manager as an object in the system. In this way, principals are themselves like objects for others with greater rights to manage.
Each right on an object can be granted, denied, or unspecified. The SAP BusinessObjects Business Intelligence platform security model is designed such that, if a right is left unspecified, the right is denied.
Additionally, if settings result in a right being both granted and denied to an user or group, the right is denied.
There is an important exception to this rule. If a right is explicitly set on a child object that contradicts the rights inherited from the parent object, the right set on the child object overrides the inherited rights.
This exception applies to users who are members of groups as well. If an user is explicitly granted a right that the user's group is denied, the right set on the user overrides the inherited right.
Advanced rights settings
To provide you with full control over object security, the CMC allows you to set advanced rights. These advanced rights provide increased flexibility as you define security levels for objects at a granular level.
Use advanced rights settings, for instance, if you need to customize a principal's rights to a particular object or set of objects.
Most importantly, use advanced rights to explicitly deny a user or group any right that should not be permitted to change when, in the future, you make changes to group memberships or folder security levels.
The following table summarizes the options that you have when you set advanced rights.
|Granted||The right is granted to a principal.|
|Not Specified||The right is unspecified for a principal.By default, rights set to Not Specified are denied.|
|Denied||The right is denied to a principal.|
|Apply to Object||The right applies to the object. This option becomes available when you click Granted or Denied.|
|Apply to Sub Objects||The right applies to sub-objects. This option becomes available when you click Granted or Denied.|
Type-specific rights are rights that affect specific object types only, such as Crystal reports, folders, or access levels. Type-specific rights consist of the following:
• General rights for the object type
These rights are identical to general global rights (for example, the right to add, delete, oredit an object), but you set them on specific object types to override the general global rights settings.
• Specific rights for the object type
These rights are available for specific object types only. For example, the right to export a report's data appears for Crystal reports but not for Word documents.
The diagram Type-specific rights example illustrates how type-specific rights work. Here right 3 represents the right to edit an object. Blue Group is denied Edit rights on the top-level folder and granted Edit rights for Crystal reports in the folder and subfolder.
These Edit rights are specific to Crystal reports and override the rights settings on a general global level. As a result, members of Blue Group have Edit rights for Crystal reports but not the XLF file in the subfolder.
Type-specific rights are useful because they let you limit the rights of principals based on object type.
Consider a situation in which an administrator wants employees to be able to add objects to a folder but not create subfolders. The administrator grants Add rights at the general global level for the folder, and then denies Add rights for the folder object type.
Rights are divided into the following collections based on the object types they apply to:
These rights affect all objects
These rights are divided according to particular content object types. Examples of content object types include Crystal reports, and Adobe Acrobat PDFs.
These rights are divided according to which SAP BusinessObjects Business Intelligence platform application they affect. Examples of applications include the CMC and BI launch pad.
These rights are divided according to which core system component they affect. Examples of core system components include Calendars, Events, and Users and Groups.
Type-specific rights are in the Content, Application, and System collections. In each collection, they are further divided into categories based on object type.
Troubleshooting user rights
Troubleshooting user rights can be a laborious undertaking for a systems administrator. The SAP BusinessObjects Business Intelligence platform contains two tools which are aimed at negating this challenge.
The Permissions Explorer is aimed at making it easier to pinpoint the source of inherited user rights.
The Security Query tool enables an administrator to list which objects a user can access and why. It also enables the administrator to interactively make changes to the security settings from the query result.
Managing security settings for objects in the CMC
You can manage security settings for most objects in the CMC with the security options on the Manage menu. These options let you assign principals to the access control list for an object, view the rights that a principal has, and modify the rights that the principal has to an object.
Viewing rights for a principal on an object
You can view the rights for a principal on an object using the Permissions Explorer tool. The Permissions Explorer saves time when trying to determine where inherited rights originate from in SAP BusinessObjects BI platform.
-Select the object for which you want to view security settings.
-Click Manage → User Security to display the access control list for the object.
-The User Security dialog box appears and displays the access control list for the object.
-Select a principal from the access control list, and click View Security.
The Permissions Explorer dialog launches and displays a list of effective rights for the principal on the object. In addition, the Permissions Explorer lets you do the following:
Browse for another principal whose rights you want to view.
Filter the rights displayed according to these criteria:
–from access level
–the name of the right
Sort the list of rights displayed in ascending or descending order according to these criteria:
–right status (granted, denied, or unspecified)
Additionally, you can click one of the links in the Source column to display the source of inherited rights.
Checking security settings for a principal
In some cases, you may want to know the objects to which a principal has been granted or denied access.
You can use a security query to do this. Security queries let you determine which objects a principal has certain rights to and manage user rights. For each security query, you provide the following information:
You specify the user or group that you want to run the security query for. You can specify one principal for each security query.
You specify the right or rights you want to run the security query for, the status of these rights, and the object type these rights are set on. For example, you can run a security query for all reports that a principal can refresh, or for all reports that a principal cannot export.
You specify the CMC areas that you want the security query to search. For each area, you can choose whether to include sub-objects in the security query. A security query can have a maximum of four areas.
Access levels are groups of rights that users frequently need. They allow administrators to set common security levels quickly and uniformly rather than requiring that individual rights be set one by one.
You can do the following with access levels:
Copy an existing access level, make changes to the copy, rename it, and save it as a new access level.
Create, rename, and delete access levels.
Modify the rights in an access level.
Trace the relationship between access levels and other objects in the system.
Trace the relationship
Replicate and manage access levels across sites.
Use one of the predefined access levels in SAP BusinessObjects Business Intelligence platform to set rights quickly and uniformly for many principals.
Predefined access levels
SAP BusinessObjects Business Intelligence platform comes with several predefined access levels. These predefined access levels are based on a model of increasing rights: Beginning with View and ending with Full Control, each access level builds upon the rights granted by the previous level.
The following table summarizes the rights that each predefined access level contains.
Predefined access levels
HINT: The following rights are required when using these access levels.
Custom access levels
In addition to the predefined access levels, you can also create and customize your own, which can greatly reduce administrative and maintenance costs associated with security.
Consider a situation in which an administrator must manage two groups, sales managers and sales employees. Both groups need to access five reports in the SAP Business Objects Business Intelligence platform system,but sales managers require more rights than sales employees.
The predefined access levels do not meet the needs of either group. Instead of adding groups to each report as principals and modifying their rights in five different places, the administrator can create two new access levels, Sales Managers and Sales Employees.
The administrator then adds both groups as principals to the reports and assigns the groups their respective access levels. When rights need to be modified, the administrator can modify the access levels.
Because the access levels apply to both groups across all five reports, the rights those groups have to the reports are quickly updated.
Rights are set on an object for a principal in order to control access to the object however, it is impractical to set the explicit value of every possible right for every principal on every object.
Consider a system with 100 rights, 1000 users, and 10,000 objects: to set rights explicitly on each object would require the CMS to store billions of rights in its memory, and, importantly, require that an administrator manually set each one.
Inheritance patterns resolve this impracticality. With inheritance, the rights that users have to objects in the system come from a combination of their memberships in different groups and subgroups and from objects which have inherited rights from parent folders and subfolders.
These users can inherit rights as the result of group membership; subgroups can inherit rights from parent groups; and both users and groups can inherit rights from parent folders.
By default, users or groups who have rights to a folder inherit the same rights for any objects that are subsequently published to that folder.
Consequently, the best strategy is to set the appropriate rights for users and groups at the folder level first, then publish objects to that folder.
SAP BusinessObjects Business Intelligence platform recognizes two types of inheritance:
Group inheritance allows principals to inherit rights as the result of group membership. Group inheritance proves especially useful when you organize all of your users into groups that coincide with your organization's current security conventions.
In Group inheritance example 1, you can see how group inheritance works. Red Group is a subgroup of Blue Group, so it inherits Blue Group's rights. In this case, it inherits right 1 as granted, and the rest of the rights as unspecified.
Every member of Red Group inherits these rights. In addition, any other rights that are set on the subgroup are inherited by its members. In this example, Green User is a member of Red Group, and thus inherits right 1 as granted, rights 2, 3, 4, and 6 as not specified, and Right 5 as denied.
When group inheritance is enabled for a user who belongs to more than one group, the rights of all parent groups are considered when the system checks credentials.
The user is denied any right that is explicitly denied in any parent group, and the user is denied any right that remains completely not specified thus, the user is granted only those rights that are granted in one or more groups (explicitly or through access levels) and never explicitly denied.
In Group inheritance example 2, Green User is a member of two unrelated groups. From Blue Group, he inherits rights 1 and 5 as "granted" and the rest as not specified; however, because Green User also belongs to Red Group, and Red Group has been explicitly denied right 5, Green User's inheritance to right 5 from Blue Group is overridden.
Folder inheritance allows principals to inherit any rights that they have been granted on an object's parent folder.
Folder inheritance proves especially useful when you organize SAP BusinessObjects Business Intelligence platform content into a folder hierarchy that reflects your organization's current security conventions.
For example, suppose that you create a folder called Sales Reports, and you provide your Sales group with View On Demand access to this folder.
By default, every user that has rights to the Sales Reports folder will inherit the same rights to thereports that you subsequently publish to this folder. Consequently, the Sales group will have View On Demand access to all of the reports, and you need set the object rights only once, at the folder level.
In Folder inheritance example, rights have been set for Red Group on a folder. Rights 1 and 5 have been granted, while the rest have been left unspecified. With folder inheritance enabled, members of Red Group have rights on the object level identical to the rights of the group on the folder level. Rights 1 and 5 are inherited as granted, while the rest have been left unspecified.
Rights override is a rights behavior in which rights that are set on child objects override the rights set on parent objects. Rights override occurs under the following circumstances:
In general, the rights that are set on child objects override the rights that are set on parent objects.
In general, the rights that are set on subgroups or members of groups override the rights that are set on groups.
You do not need to disable inheritance to set customized rights on an object. The child object inherits the rights settings of the parent object except for the rights that are explicitly set on the child object. Also, any changes to rights settings on the parent object apply to the child object.
Rights override example 1 illustrates how rights override works on parent and child objects. Blue User is denied the right to edit a folder's contents; the rights setting is inherited by the subfolder. However, an administrator grants Blue User Edit rights to a document in the subfolder.
The Edit right that Blue User receives on the document overrides the inherited rights that come from the folder and subfolder.
Rights override example 2 illustrates how rights override works on members and groups. Blue Group is denied the right to edit a folder; Blue Subgroup inherits this rights setting.
However, an administrator grants Blue User, who is a member of Blue Group and Blue Subgroup,Edit rights on the folder. The Edit rights that Blue User receives on the folder override the inherited rights that come from Blue Group and Blue Subgroup.
Complex rights override illustrates a situation where the effects of rights override are less obvious. Purple User is a member of subgroups 1A and 2A, which are in Groups 1 and 2, respectively. Groups 1 and 2 both have Edit rights on the folder. 1A inherits the Edit rights that Group 1 has, but an administrator denies Edit rights to 2A. The rights settings on 2A override the rights settings on Group 2 because of rights override. Therefore, Purple User inherits contradictory rights settings from 1A and 2A. 1A and 2A do not have a parent-child relationship,so rights override does not occur; that is, one sub-group's rights settings do not override another's because they have equal status. In the end, Purple User is denied Edit rights because of the “denial-based” rights model in SAP BusinessObjects Business Intelligence platform.
Rights override lets you make minor adjustments to the rights settings on a child object without discarding all inherited rights settings.
Consider a situation in which a sales manager needs to view confidential reports in the Confidential folder.
The sales manager is part of the Sales group, which is denied access to the folder and its contents. The administrator grants the manager View rights on the Confidential folder and continues to deny the Sales group access. In this case, the View rights granted to the sales manager override the denied access that the manager inherits from membership in the Sales group.
Scope of rights
Scope of rights refers to the ability to limit the extent of rights inheritance. To define the scope of a right, you decide whether the right applies to the object, its sub-objects, or both. By default, the scope of a right extends to both objects and sub-objects.
Scope of rights can be used to protect personal content in shared locations. Consider a situation in which the finance department has a shared Expense Claims folder that contains Personal Expense Claims subfolders for each employee.
The employees want to be able to view the Expense Claims folder and add objects to it, but they also want to protect the contents of their Personal Expense Claims subfolders. The administrator grants all employees View and Add rights on the Expense Claims folder, and limits the scope of these rights to the Expense Claims folder only.
This means that the View and Add rights do not apply to sub-objects in the Expense Claims folder. The administrator then grants employees View and Add rights on their own Personal Expense Claims subfolders.
Scope of rights can also limit the effective rights that a delegated administrator has. For example, a delegated administrator may have Securely Modify Rights and Edit rights on a folder, but the scope of these rights is limited to the folder only and does not apply to its sub-objects. The delegated administrator cannot grant these rights to another user on one of the folder's sub-objects.
Guidelines for planning security
Use the following principles as a guide for planning security in SAP BusinessObjects Business Intelligence plaform.
Each right is also referred to as an Access Control Entry (ACE) in SAP BusinessObjects BI platform and can be set to one of three states: Explicit Denial (D), Explicit Grant (G), Not Specified (NS).
A list of all ACEs is referred to as an Access Control List (ACL).
A combination of ACEs and states (for example Right to Schedule - G, Right to View - G, Right to Modify - D, and so on) makes up an Access Level.
There are predefined Access Levels: No Access (Not Specified state for all rights), Full Control, View, Schedule, View On Demand, and there are also Custom Access Levels that administrators can create on their own.
Groups and users in the system are also referred to as principals. In SAP BusinessObjects BI platform you give rights to principals on objects (folder, document, application)
If a user belongs to more than one group, and there is a conflict in rights assignments between the groups to which the user belongs to, the Denied (D) right wins over a Granted (G) right, and the Granted
(G) right wins over a Not Specified (NS) right (Deny > Grant > Not Specified).
–G + NS = G
–G + D = D
–G + D + NS = D
–D + NS = D
A more specific assignment typically wins over a less specific assignment, such as a user over a group, a subgroup over a parent group, and a sub-object over a parent object.
Groups may contain subgroups and/or users. Subgroups and users are treated as members of the parent group. In other words, if a parent group is given
an explicit Grant right to view the folder, the user who is a member of a subgroup of the parent group will have the right to view the folder as well. In this case only the parent group is listed in the User Security dialog box on the folder while the subgroup is not.
The rights given to the group closest to the user take precedence (without breaking inheritance). In other words, if a user is a member of a subgroup and is not added to the parent group, the user's effective rights will come from the subgroup, and not from the parent group. In this case both the parent group and the subgroup are listed in the access rights dialog box on the folder. The rights between the parent group and the subgroup may be the same or conflicting, but rights assigned to the subgroup will take precedence.
If a user is added to both the subgroup and to the parent group, the calculation of effective rights is the same as if a user belonged to two groups on the same level. Refer to the rule G + D + NS = D.
User rights are of explicit type on the object, but of inherited type on sub-objects.
Group rights are always of inherited type.
Explicit rights (the user's rights) on an object overwrite inherited rights (the group's
rights) on the same object.
Security rights can be overridden on lower levels in folder hierarchy without breaking inheritance.
The administrator can combine access levels for a principal which can result in a conflict. In these cases, refer again to the rule G + D + NS = D.
Summary of recommendations for rights administration
Keep these considerations in mind for rights administration:
Use access levels wherever possible. These predefined sets of rights simplify administration by grouping together rights associated with common user needs.
Set rights and access levels on top-level folders. Enabling inheritance will allow these rights to be passed down through the system with minimal administrative intervention.
Avoid breaking inheritance whenever possible. By doing so, you can reduce the amount of time it takes to secure the content that you have added to SAP BusinessObjects Business Intelligence platform.
Set appropriate rights for users and groups at the folder level, then publish objects to that folder. By default, users or groups who have rights to a folder will inherit the same rights for any object that you subsequently publish
to that folder.
Organize users into user groups, assign access levels and rights to the entire group, and assign access levels and rights to specific members when necessary.
Create individual administrator accounts for each administrator in the system and add them to the Administrators group to improve accountability for system changes.
By default, the Everyone group is granted with limited rights to top-level folders. After installation, it is recommended that you review the rights of Everyone group members and assign security accordingly.
For indepth understanding click on