
Setup security in BusinessObjects XI 3.1
October 8th, 2011 | Posted by Paul Berden in Business Objects

This article:

Is about setting up security in the Central Management Console (CMC)

Is best used in combination with a demo environment of BO XI 3.1

Is intended for BOBJ system administrators

Expects you to know basic browser functions. Security model knowledge is an advantage

Aims to enable you to perform security related administrative tasks in the CMC

Introduction
The Central Management Console (CMC) is a web-based tool to perform regular administrative tasks, including user, content, and server management. It also allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Because the CMC is a web-based application, you can perform all of these administrative tasks through a web browser on any machine that can connect to the server. All users can log on to the CMC to change their user preference settings. Only members of the Administrators group can change management settings, unless explicitly granted the rights to do so.

Authentication
Authentication is the process of verifying the identity of a user who attempts to use the Business Objects system. The authentication type can be Enterprise or third-party authentication such as LDAP or Windows AD. In this training we will not deal with third-party authentication.

Authorization
Authorization is the process of verifying that the user has sufficient rights to perform the requested action on a given object. Actions can be view, refresh, edit, schedule, etc. Objects can be a folder, report, instance, universe, etc. Authorization is handled based on how the access levels, application security, and content security (users and groups, universe security, folder access, etc.) are defined in the CMC.

Access Levels and Inheritance


An access level is a set of rights that users frequently need. BO comes with predefined, out-of-the-box access levels such as Administrator, Full Access, Schedule, View and View on Demand. However, it is also possible to create and customize your own access levels.

Rights are set on an object for a user in order to control access to that specific object. Setting them individually is highly impractical when there are hundreds of objects. Inheritance resolves this by passing on the set of rights from a group to a sub-group or from a folder to a subfolder.

Users and groups


A group is a collection of users who share the same account privileges. A group can have sub-groups, which may share the same privileges as the parent group or a subset of them. Users can be added to a group or sub-group, or to more than one group or sub-group. When groups with different access levels are given access to other content such as folders, categories, universes or connections, the users in the group automatically inherit the rights.

Schematic security model

Effective rights
Three possible explicit values on security commands:

Explicitly granted (G): User or group is given the right

Explicitly denied (D): User or group is denied the right

Not specified (NS): No right assignment

Effective rights (user real rights) = explicit rights aggregation

Where D = denied and G = granted
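
The aggregation described above, as an added example that is not part of the original article: it applies the BusinessObjects Enterprise rule that an explicit denial overrides a grant and that a right left unspecified everywhere is treated as denied. The principals, the matrix contents and the function names are constructed for illustration, and the sketch covers one object only, without folder inheritance.

```python
from enum import Enum

class Right(Enum):
    G = "explicitly granted"
    D = "explicitly denied"
    NS = "not specified"

def aggregate(values):
    """Combine the explicit values set for one right on one object."""
    values = list(values)
    if Right.D in values:      # any explicit denial wins
        return Right.D
    if Right.G in values:      # otherwise one grant is enough
        return Right.G
    return Right.NS            # nothing set anywhere: treated as denied

def effective_rights(principals, matrix, rights):
    """Map each right to (allowed, denying principals) for one user.

    principals: the user plus every group the user is a member of.
    matrix: {principal: {right: Right}}; a missing entry means NS.
    """
    result = {}
    for right in rights:
        explicit = {p: matrix.get(p, {}).get(right, Right.NS) for p in principals}
        combined = aggregate(explicit.values())
        deniers = sorted(p for p, v in explicit.items() if v is Right.D)
        result[right] = (combined is Right.G, deniers)
    return result

# Constructed security matrix for one folder (names are hypothetical).
MATRIX = {
    "Everyone": {"View objects": Right.G},
    "Finance Users": {"View objects": Right.G, "Schedule": Right.G},
    "Contractors": {"Schedule": Right.D},
}
RIGHTS = ["View objects", "Schedule", "Edit objects"]
USER_PRINCIPALS = ["jdoe", "Everyone", "Finance Users", "Contractors"]

if __name__ == "__main__":
    for right, (allowed, deniers) in effective_rights(
            USER_PRINCIPALS, MATRIX, RIGHTS).items():
        reason = f"denied by {', '.join(deniers)}" if deniers else (
            "granted" if allowed else "not specified anywhere")
        print(f"{right:<14} {'ALLOW' if allowed else 'DENY':<6} {reason}")
```

Listing the denying principals is what makes a security matrix useful for troubleshooting: a single group with an explicit denial removes a right that every other membership grants.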

Best practices
Create a security matrix for each of your applications

Leverage out of the box access levels.

Create new access levels based on the existing ones

Use common naming convention for your application across report folder, universe folder, user groups, and access levels.

Leverage the use of Inheritance while defining folder, subfolder, user and group security.

Simplify the security model; KISS!

Interface
The URL is: http://servername:8080/CmcApp/logon.faces

Add users
Go to Users and Groups > User list

Create a new user

Fill in details

Create and close

Add groups
Go to Users and Groups > Group Hierarchy

Create a new group

Be aware that the group is created in the group that is currently selected!

Assign user to group


Right click user > Join Group

Select the group and add it to the destination group(s)

OK

Log on to InfoView
When the newly created user logs on to InfoView you will notice that there is not much to see.

Create Access levels


Copy an access level

Rename the access level

For advanced options edit Included rights

Assign security to objects


The following objects need to be assigned an access level in order for users to successfully use them:

Assign security to Folders


Go to Folders

Right click desired folder > User security

Click Add Principals

Select group or user and add these to the field on the right

Add and Assign Security

Select desired Access level(s) and add these to the field on the right

OK

Log on to InfoView
When the newly created user logs on to InfoView you will notice that there is still not much to see.

Assign security to ROOT folder


Right click All Folders > Properties

Click User Security

Select Everyone > Assign Security

Go to Advanced tab > Add/Remove Rights

Grant View objects and View objects that and uncheck the Apply to sub object

OK > OK > Close

Log on to InfoView
When the newly created user logs on to InfoView you will notice that there is something to see.

Assign security to Connections


Go to Connections

Right click desired connection > User security

Click Add Principals

Select group or user and add these to the field on the right

Add and Assign Security

Assign security to remaining objects


Repeat steps from previous slide for:

Universes

Applications

QaaWS (if used)
