Você está na página 1de 630

BusinessObjects Enterprise™ XI Release

2 Administrator’s Guide

BusinessObjects XI Release 2 Update


Patents Business Objects owns the following U.S. patents, which may cover products that are offered
and sold by Business Objects: 5,555,403, 6,247,008 B1, 6,578,027 B2, 6,490,593 and
6,289,352.

Trademarks Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are
trademarks or registered trademarks of Business Objects SA or its affiliated companies in the
United States and other countries. All other names mentioned herein may be trademarks of
their respective owners.

Copyright Copyright © 2006 Business Objects. All rights reserved.


Last update: March 2006

Third-party Business Objects products in this release may contain redistributions of software licensed
contributors from third-party contributors. Some of these individual components may also be available
under alternative licenses. A partial listing of third-party contributors that have requested or
permitted acknowledgments, as well as required notices, can be found at:
http://www.businessobjects.com/thirdparty
Contents
Chapter 1 Introduction to the BusinessObjects Enterprise XI Release 2
Administrator’s Guide 19
About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Who should use this guide? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Business Objects information resources . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 2 Administering BusinessObjects Enterprise 21


Administration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Central Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Logging on to the Central Management Console . . . . . . . . . . . . . . . . 23
Navigating within the Central Management Console . . . . . . . . . . . . . . 24
Setting console preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Logging off of the Central Management Console . . . . . . . . . . . . . . . . 26
Using the Central Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . 26
Accessing the CCM for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Accessing the CCM for UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Making initial security settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Setting the Administrator password . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Disabling a user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Modifying the default security levels . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Managing universes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Managing universe connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Managing BusinessObjects Enterprise applications . . . . . . . . . . . . . . . . . 32
Managing the Central Management Console . . . . . . . . . . . . . . . . . . . 32
Managing Crystal Reports Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Managing Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Managing Desktop Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Managing Discussions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

BusinessObjects Enterprise Administrator’s Guide3


Contents

Managing InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Managing Web Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Managing license information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Adding a license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Viewing current account activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Chapter 3 BusinessObjects Enterprise Architecture 43


Architecture overview and diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Client tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Central Management Console (CMC) . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Central Configuration Manager (CCM) . . . . . . . . . . . . . . . . . . . . . . . . . 47
Publishing Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Application tier components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Web development platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Web application environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Central Management Server (CMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Job servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Report Application Server (RAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Data tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Report viewers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Information flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
What happens when you schedule an object? . . . . . . . . . . . . . . . . . . . 61
What happens when you view a report? . . . . . . . . . . . . . . . . . . . . . . . . 62

4BusinessObjects Enterprise Administrator’s Guide


Contents

Choosing between live and saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . 66


Live data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Chapter 4 Managing and Configuring Servers 69


Server management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Viewing current metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Viewing current server metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Viewing system metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Viewing and changing the status of servers . . . . . . . . . . . . . . . . . . . . . . . . 74
Starting, stopping, and restarting servers . . . . . . . . . . . . . . . . . . . . . . 75
Stopping a Central Management Server . . . . . . . . . . . . . . . . . . . . . . . 77
Enabling and disabling servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Printing, copying, and refreshing server status . . . . . . . . . . . . . . . . . . 79
Configuring the application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Configuring the Web Component Adapter . . . . . . . . . . . . . . . . . . . . . . 80
Configuring the intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Clustering Central Management Servers . . . . . . . . . . . . . . . . . . . . . . . 86
Copying data from one CMS database to another . . . . . . . . . . . . . . . . 93
Deleting and recreating the CMS database . . . . . . . . . . . . . . . . . . . . . 97
Selecting a new or existing CMS database . . . . . . . . . . . . . . . . . . . . . 98
Setting root directories and idle times of the
File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Modifying Cache Server performance settings . . . . . . . . . . . . . . . . . 101
Modifying the polling time of the Event Server . . . . . . . . . . . . . . . . . . 104
Configuring the processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Modifying Page Server performance settings . . . . . . . . . . . . . . . . . . 105
Modifying Desktop Intelligence Report Server
performance settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Modifying database settings for the RAS . . . . . . . . . . . . . . . . . . . . . . 109
Modifying performance settings for the RAS . . . . . . . . . . . . . . . . . . . 111
Modifying performance settings for job servers . . . . . . . . . . . . . . . . . 112
Configuring the Web Intelligence Report Server . . . . . . . . . . . . . . . . 113

BusinessObjects Enterprise Administrator’s Guide5


Contents

Configuring the destinations for job servers . . . . . . . . . . . . . . . . . . . . 116


Configuring Windows processing servers for your data source . . . . . 123
Configuring UNIX processing servers for your data source . . . . . . . . 124
Logging server activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Advanced server configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Changing the default server port numbers . . . . . . . . . . . . . . . . . . . . . 131
Configuring a multihomed machine . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Adding and removing Windows server dependencies . . . . . . . . . . . . 135
Changing the server startup type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Changing the server user account . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configuring servers for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Chapter 5 Managing Server Groups 141


Server group overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Creating a server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Working with server subgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Modifying the group membership of a server . . . . . . . . . . . . . . . . . . . . . . 145

Chapter 6 Scaling Your System 147


Scalability overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Common configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
One-machine setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Three-machine setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Six-machine setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
General scalability considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Increasing overall system capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Increasing scheduled reporting capacity . . . . . . . . . . . . . . . . . . . . . . . 153
Increasing on-demand viewing capacity for Crystal reports . . . . . . . . 154
Increasing prompting capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Delegating XSL transformation to Internet Explorer . . . . . . . . . . . . . . 155
Enhancing custom web applications . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Improving web response speeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Getting the most from existing resources . . . . . . . . . . . . . . . . . . . . . . 157

6BusinessObjects Enterprise Administrator’s Guide


Contents

Adding and deleting servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158


Adding a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Deleting a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Chapter 7 Working with Firewalls 161


Firewalls overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
What is a firewall? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Firewall types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Understanding firewall integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Communication between servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Firewall configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Typical firewall scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Configuring the system for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Configuring desktop products across a firewall . . . . . . . . . . . . . . . . . 170
Configuring for Network Address Translation . . . . . . . . . . . . . . . . . . 171
Configuring for packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring for SOCKS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Chapter 8 Managing BusinessObjects Enterprise Repository 183


BusinessObjects Enterprise Repository overview . . . . . . . . . . . . . . . . . . 184
Copying data from one repository database to another . . . . . . . . . . . . . . 184
Importing data from a Crystal Enterprise 10
or BusinessObjects Enterprise XI CMS . . . . . . . . . . . . . . . . . . . . . . . 184
Copying data from a Crystal Enterprise 9 repository database . . . . . 188
Copying data from a Crystal Reports 9 repository database . . . . . . . 190
Refreshing repository objects in published reports . . . . . . . . . . . . . . 192

Chapter 9 BusinessObjects Enterprise Security Concepts 193


Security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Authentication and authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Primary authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Secondary authentication and authorization . . . . . . . . . . . . . . . . . . . 196
About single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Security management components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

BusinessObjects Enterprise Administrator’s Guide7


Contents

Web Component Adapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200


Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Security plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Processing extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Active trust relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Logon tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Ticket mechanism for distributed security . . . . . . . . . . . . . . . . . . . . . . 209
Sessions and session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
WCA session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
CMS session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Environment protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Web browser to web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Web server to BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . 212
Auditing web activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Protection against malicious logon attempts . . . . . . . . . . . . . . . . . . . . . . . 213
Password restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Logon restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
User restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Guest account restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Chapter 10 Managing User Accounts and Groups 215


What is account management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Default users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Default users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Default groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Available authentication types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Managing Enterprise and general accounts . . . . . . . . . . . . . . . . . . . . . . . 219
Creating an Enterprise user account . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Adding a user to groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Modifying a user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Deleting a user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Changing password settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Creating a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

8BusinessObjects Enterprise Administrator’s Guide


Contents

Adding users to a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226


Modifying a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Viewing group members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Deleting a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Disabling the Guest account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Granting access to users and groups . . . . . . . . . . . . . . . . . . . . . . . . 229
Managing LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Configuring LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Mapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Unmapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Viewing mapped LDAP users and groups . . . . . . . . . . . . . . . . . . . . . 241
Changing LDAP connection parameters and member groups . . . . . 241
Managing multiple LDAP hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Troubleshooting LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Managing AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Mapping AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Unmapping AD groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Viewing mapped AD users and groups . . . . . . . . . . . . . . . . . . . . . . . 247
Troubleshooting AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Setting up AD single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Managing NT accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Mapping NT accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Unmapping NT groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Viewing mapped NT users and groups . . . . . . . . . . . . . . . . . . . . . . . 257
Troubleshooting NT accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Setting up NT single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Managing aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Creating a user and a third-party alias . . . . . . . . . . . . . . . . . . . . . . . . 262
Creating an alias for an existing user . . . . . . . . . . . . . . . . . . . . . . . . . 263
Assigning an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Reassigning an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Deleting an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Disabling an aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

BusinessObjects Enterprise Administrator’s Guide9


Contents

Configuring Kerberos and Active Directory . . . . . . . . . . . . . . . . . . . . . . . . 266


Configuring Kerberos single sign-on to the database . . . . . . . . . . . . . . . . 266
Setting up a service account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Configuring the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Configuring the Windows AD plug-in for Kerberos authentication . . . 269
Configuring Kerberos for Windows Active Directory authentication . . 271
Troubleshooting Kerberos and enabling logging . . . . . . . . . . . . . . . . . 276
Configuring the cache expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Configuring the IIS and browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Configuring IIS for end-to-end single sign-on . . . . . . . . . . . . . . . . . . . 279
Configuring IIS for single sign-on to databases only . . . . . . . . . . . . . . 284
Configuring BusinessObjects Enterprise web applications . . . . . . . . . 286
Mapping AD accounts for Kerberos single sign-on . . . . . . . . . . . . . . . 288
Configuring the databases for single sign-on . . . . . . . . . . . . . . . . . . . 288

Chapter 11 Controlling User Access 291


Controlling user access overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Controlling users’ access to objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Setting object rights for users and groups . . . . . . . . . . . . . . . . . . . . . . 293
Viewing object rights settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Setting common access levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Setting advanced object rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Using inheritance to your advantage . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Inheritance with advanced rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Customizing a ‘top-down’ inheritance model . . . . . . . . . . . . . . . . . . . . 307
Controlling access to applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Controlling administrative access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Controlling access to users and groups . . . . . . . . . . . . . . . . . . . . . . . 327
Controlling access to user inboxes . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Controlling access to servers and server groups . . . . . . . . . . . . . . . . 328
Controlling access to universes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Controlling access to universe connections . . . . . . . . . . . . . . . . . . . . 330

10BusinessObjects Enterprise Administrator’s Guide


Contents

Chapter 12 Organizing Objects 331


Organizing objects overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
About folders and categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Working with folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Creating and deleting folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Copying and moving folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Adding an object to a new folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Specifying folder rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Setting limits for folders, users, and groups . . . . . . . . . . . . . . . . . . . . 339
Managing User Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Working with categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Creating and deleting categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Moving categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Adding an object to a new category . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Removing or deleting objects from a category . . . . . . . . . . . . . . . . . . 343
Specifying category rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Managing personal categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

Chapter 13 Publishing Objects to BusinessObjects Enterprise 345


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Publishing with the Publishing Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Publishing options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Logging on to BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . 347
Adding objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Creating and selecting a folder on the CMS . . . . . . . . . . . . . . . . . . . 349
Moving objects between folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Duplicating the folder structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Adding objects to a category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Changing scheduling options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Refreshing repository fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Publishing with saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Selecting a program type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Specifying program credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

BusinessObjects Enterprise Administrator’s Guide11


Contents

Changing default values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354


Changing object properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Entering database logon information . . . . . . . . . . . . . . . . . . . . . . . . . 355
Setting parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Setting the schedule output format . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Adding extra files for programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Specifying command line arguments . . . . . . . . . . . . . . . . . . . . . . . . . 357
Finalizing the objects to be added . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Publishing with the Central Management Console . . . . . . . . . . . . . . . . . . 357
Saving objects directly to the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Chapter 14 Importing Objects to BusinessObjects Enterprise 361


Importing information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Importing information from Crystal Enterprise . . . . . . . . . . . . . . . . . . . . . . 363
Importing objects from Crystal Enterprise . . . . . . . . . . . . . . . . . . . . . . 364
Importing information from BusinessObjects 5.x or 6.x . . . . . . . . . . . . . . . 367
Importing Application Foundation objects . . . . . . . . . . . . . . . . . . . . . . 367
Limitations on importing objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Before importing from Application Foundation . . . . . . . . . . . . . . . . . . 369
Before importing from BusinessObjects 5.x/6.x . . . . . . . . . . . . . . . . . 370
Importing objects from BusinessObjects 5.x/6.x . . . . . . . . . . . . . . . . . 373
Using the Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Specifying the source environment . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Specifying the destination environment . . . . . . . . . . . . . . . . . . . . . . . 394
Selecting the type of objects to import . . . . . . . . . . . . . . . . . . . . . . . . 395
Choosing an import scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Updating previously imported objects . . . . . . . . . . . . . . . . . . . . . . . . . 401
Selecting specific objects to import . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Finalizing the import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Using text files with the Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Text file format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Importing from text files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

12BusinessObjects Enterprise Administrator’s Guide


Contents

Chapter 15 Managing Objects 417


Managing objects overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
General object management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Copying, moving, or creating a shortcut for an object . . . . . . . . . . . . 419
Deleting an object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Searching for an object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Sending an object or instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Changing properties of an object . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Assigning an object to categories . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Report object management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
What are report objects and instances? . . . . . . . . . . . . . . . . . . . . . . 427
Setting report refresh options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Viewing the universes for a Web Intelligence document . . . . . . . . . . 429
Setting report processing options . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Applying processing extensions to reports . . . . . . . . . . . . . . . . . . . . 442
Working with hyperlinked reports . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Program object management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
What are program objects and instances? . . . . . . . . . . . . . . . . . . . . 449
Setting program processing options . . . . . . . . . . . . . . . . . . . . . . . . . 451
Object package management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
What are object packages, components, and instances? . . . . . . . . . 458
Creating an object package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Adding objects to an object package . . . . . . . . . . . . . . . . . . . . . . . . . 459
Configuring object packages and their objects . . . . . . . . . . . . . . . . . 460
Authentication and object packages . . . . . . . . . . . . . . . . . . . . . . . . . 461

Chapter 16 Scheduling Objects 463


Scheduling objects overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Scheduling objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
About the scheduling options and parameters . . . . . . . . . . . . . . . . . . 466
Scheduling objects using object packages . . . . . . . . . . . . . . . . . . . . 469
Scheduling an object with events . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Setting the scheduling options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

BusinessObjects Enterprise Administrator’s Guide13


Contents

Setting notification for an object’s success or failure . . . . . . . . . . . . . 474


Specifying alert notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Selecting a destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Choosing a format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Selecting cache options for Web Intelligence documents . . . . . . . . . . 489
Scheduling an object for a user or group . . . . . . . . . . . . . . . . . . . . . . 489
Managing instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Managing and viewing the history of instances . . . . . . . . . . . . . . . . . . 491
Setting instance limits for an object . . . . . . . . . . . . . . . . . . . . . . . . . . . 493

Chapter 17 Managing Calendars 495


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Creating calendars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Adding dates to a calendar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Deleting calendars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Specifying calendar rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502

Chapter 18 Managing Events 503


Managing events overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
File-based events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Schedule-based events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Custom events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Specifying event rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509

Chapter 19 Managing Profiles 511


What are profiles? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Creating profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Personalizing data with profile targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Personalizing data for users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Resolving conflicts between profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Specifying profile rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

14BusinessObjects Enterprise Administrator’s Guide


Contents

Chapter 20 General Troubleshooting 517


Troubleshooting overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Documentation resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Web accessibility issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Using an IIS web site other than the default . . . . . . . . . . . . . . . . . . . 519
Unable to connect to CMS when logging on to the CMC . . . . . . . . . . 520
Windows NT authentication cannot log you on . . . . . . . . . . . . . . . . . 520
Report viewing and processing issues . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Troubleshooting reports with Crystal Reports . . . . . . . . . . . . . . . . . . 521
Troubleshooting reports and looping database logon prompts . . . . . 523
Ensuring that server resources are available on local drives . . . . . . . 526
Page Server error when viewing a report . . . . . . . . . . . . . . . . . . . . . 527
InfoView considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Supporting users in multiple time zones . . . . . . . . . . . . . . . . . . . . . . 527
Setting default report destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . 528

Chapter 21 Managing Auditing 529


How does auditing work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Configuring the auditing database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Which actions can I audit? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Enabling auditing of user and system actions . . . . . . . . . . . . . . . . . . . . . 537
Configuring the universe connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Using sample audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Controlling synchronization of audit actions . . . . . . . . . . . . . . . . . . . . . . . 541
Optimizing system performance while auditing . . . . . . . . . . . . . . . . . . . . 542

Chapter 22 Auditing Reports 545


Using auditing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Why are reports important? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Auditor report names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Viewing sample auditing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Creating custom audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Auditing database schema reference . . . . . . . . . . . . . . . . . . . . . . . . 554

BusinessObjects Enterprise Administrator’s Guide15


Contents

Appendix A Rights in the CMC 565


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
Folder rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
Object rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
User rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Category rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Group rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Universe rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Connection rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Server rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Desktop Intelligence document rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Web Intelligence document rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589

Appendix B UNIX Tools 591


UNIX tools overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Script utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
ccm.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
cmsdbsetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
configpatch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
serverconfig.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
sockssetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
uninstallBOBJE.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Script templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
startservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
stopservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
silentinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Scripts used by BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . . . 600
bobjerestart.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
env.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
env-locale.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
initlaunch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
patchlevel.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601

16BusinessObjects Enterprise Administrator’s Guide


Contents

postinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
setup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
setupinit.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601

Appendix C Business Objects Information Resources 603


Documentation and information services . . . . . . . . . . . . . . . . . . . . . . . . . 604
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
What’s in the documentation set? . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Where is the documentation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Send us your feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Customer support, consulting and training . . . . . . . . . . . . . . . . . . . . . . . . 605
How can we support you? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Looking for the best deployment solution for your company? . . . . . . 606
Looking for training options? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Useful addresses at a glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606

Index 609

BusinessObjects Enterprise Administrator’s Guide17


Contents

18BusinessObjects Enterprise Administrator’s Guide


Introduction to the
BusinessObjects Enterprise
XI Release 2 Administrator’s
Guide

chapter
1 Introduction to the BusinessObjects Enterprise XI Release 2 Administrator’s Guide
About this guide

About this guide


This guide provides you with information and procedures covering a wide
range of administrative tasks. Procedures are provided for common tasks.
Conceptual information and technical details are provided for all advanced
topics.
BusinessObjects Enterprise is a flexible, scalable, and reliable solution for
delivering powerful, interactive reports to end users via any web application—
intranet, extranet, Internet or corporate portal. Whether it is used for
distributing weekly sales reports, providing customers with personalized
service offerings, or integrating critical information into corporate portals,
BusinessObjects Enterprise delivers tangible benefits that extend across and
beyond the organization. As an integrated suite for reporting, analysis, and
information delivery, BusinessObjects Enterprise provides a solution for
increasing end-user productivity and reducing administrative efforts.

Who should use this guide?


This guide is intended for system administrators who are responsible for
configuring, managing, and maintaining a BusinessObjects Enterprise
installation. Familiarity with your operating system and your network
environment is certainly beneficial, as is a general understanding of web
server management and scripting technologies. However, in catering to all
levels of administrative experience, this guide aims to provide sufficient
background and conceptual information to clarify all administrative tasks and
features.
For more information about the product, consult the BusinessObjects
Enterprise Installation Guide and the BusinessObjects Enterprise User’s
Guide. Online versions of these guides are included in the doc directory of
your product distribution. Once you install BusinessObjects Enterprise, they
are also accessible from the BusinessObjects Enterprise Launchpad.

Business Objects information resources


For more information and assistance, see Appendix A: Business Objects
Information Resources. This appendix describes the Business Objects
documentation, customer support, training, and consulting services, with links
to online resources.

20 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Administering
BusinessObjects Enterprise

chapter
2 Administering BusinessObjects Enterprise
Administration overview

Administration overview
The regular administrative tasks associated with BusinessObjects Enterprise
can be roughly divided into three major categories: user management,
content management, and server management. The remainder of this guide
provides technical and procedural information corresponding to each of these
management categories. This chapter briefly introduces new
BusinessObjects Enterprise administrators to some of the available
management tools. It also shows you how to make initial security settings,
such as setting the password for the system’s default Administrator account.
You will typically use the following applications to manage BusinessObjects
Enterprise:
• Central Management Console (CMC)
This web application is the most powerful administrative tool provided for
managing a BusinessObjects Enterprise system. It offers you a single
interface through which you can perform almost every task related to
user management, content management, and server management.
For an introduction to the CMC, see “Central Management Console” on
page 23.
• Central Configuration Manager (CCM)
This server administration tool is provided in two forms. In a Windows
environment, the CCM allows you to manage local and remote servers
through its Graphical User Interface (GUI) or from a command line. In a
UNIX environment, the CCM shell script (ccm.sh) allows you to manage
servers from a command line.
For an introduction to the CCM, see “Using the Central Configuration
Manager” on page 26.
• Publishing Wizard
This application allows you to publish your reporting content to
BusinessObjects Enterprise quickly. It also allows you to specify a
number of options on each report that you publish. Although this
application runs only on Windows, you can use it to publish reports to
BusinessObjects Enterprise servers that are running on Windows or on
UNIX.
For more information on publishing content to BusinessObjects
Enterprise, see “Overview” on page 346.

22 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Administering BusinessObjects Enterprise
Central Management Console 2
Central Management Console
You will use the Central Management Console (CMC) extensively to manage
your BusinessObjects Enterprise system. This tool allows you to perform user
management tasks such as setting up authentication and adding users and
groups. And it allows you to publish, organize, and set security levels for all of
your BusinessObjects Enterprise content. Additionally, the CMC enables you
to manage servers and create server groups. Because the CMC is a web-
based application, you can perform all of these administrative tasks remotely.
Any user with valid credentials to BusinessObjects Enterprise can log on to the
CMC and set his or her preferences. However, users who are not members of
the Administrators group cannot perform any of the available management
tasks unless they have been granted rights to do so. For complete details
about object rights, see “Controlling User Access” on page 291.

Logging on to the Central Management Console


There are two ways to access the CMC: type the name of the machine you
are accessing directly into your browser, or select BusinessObjects Enterprise
Administration Launchpad from the program group on the Windows Start
menu.
To log on to the CMC
1. To log on to the CMC directly from your browser, type the appropriate URL:
• To use the BusinessObjects Enterprise .NET Administration
Launchpad, go to the following page:
http://webserver/businessobjects/Enterprise115/
WebTools/adminlaunch/default.aspx
• To use the BusinessObjects Enterprise Java Administration
Launchpad, go to the following page:
http://webserver:8080/businessobjects/enterprise115/
adminlaunch/launchpad.html
Replace webserver with the name of the web server machine. If you
changed this default virtual directory on the web server, you will need to
type your URL accordingly. If necessary, change the default port number
to the number you provided when you installed.
Tip: On Windows, you can click Start > Programs > BusinessObjects
XI Release 2> BusinessObjects Enterprise > BusinessObjects
Enterprise .NET Administration Launchpad or BusinessObjects
Enterprise Java Administration Launchpad.
2. Click Central Management Console.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 23


2 Administering BusinessObjects Enterprise
Central Management Console

3. Type your User Name and Password.


For this example, type Administrator as the User Name. This default
Enterprise account does not have a password until you create one. For
details, see “Setting the Administrator password” on page 29.
If you’re using LDAP or Windows NT authentication, you may log on
using an account that has been mapped to the BusinessObjects
Enterprise Administrators group.
4. Select Enterprise in the Authentication Type list.
Windows AD, Windows NT and LDAP authentication also appear in the
list; however, you must map your third-party user accounts and groups to
BusinessObjects Enterprise before you can use these types of
authentication.
5. Click Log On. The CMC Home page appears.

Navigating within the Central Management Console


Because the CMC is a web-based application, you can navigate through its
areas and pages in a number of ways:
• Click the links or icons on the Home page to go to specific “management
areas.”
• Select the same “management areas” from the drop-down list in the title
area of the window. Click Go if your browser doesn’t take you directly to
the new page.
Once you leave the Home page, your location within the CMC is indicated by
a path that appears above the title of each page. For example, Home >
Users > New User indicates that you’re on the New User page. You can
click the hyperlinked portions of the path to jump quickly to different parts of
the application. In this example, you could click Home or Users to go to the
corresponding page.

Setting console preferences


The Preferences area of the CMC allows you to customize your
administrative view of BusinessObjects Enterprise.
To set the console preference
1. Log on to the CMC and click the Preferences button in the upper-right
corner of the CMC.
2. Set the preference as required. See “CMC preferences” on page 25.
3. Click OK.

24 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Administering BusinessObjects Enterprise
Central Management Console 2
CMC preferences

Crystal Reports Viewer


This list sets the default report viewer that is loaded when you view a Crystal
report in the CMC. To set the available and default viewers for all users, see
“Configuring the processing tier” on page 104.
Web Intelligence Viewer
This list sets the default viewer that is loaded when you view a Web
Intelligence document in the CMC.
Desktop Intelligence Viewer
This list sets the default viewer that is loaded when you view a Desktop
Intelligence document in the CMC.
Maximum number of objects per page
This option limits the number of objects listed on any page or tab in the CMC.
Note: This setting does not limit the number of objects displayed, simply the
number displayed per page. For details about limiting the number of objects
displayed on a page or in a search, see “Logging off of the Central
Management Console” on page 26.
Maximum number of characters for each page index
When a list of objects spans multiple pages, the full list is sorted
alphanumerically and indexed before being subdivided. At the top of every
page, hyperlinks are displayed as an index to each of the remaining pages.
This setting determines the number of characters that are included in each
hyperlink.
In this example, the maximum number of characters is set to 3, so three-
character hyperlinks are used to index the report objects on each page.
Note: To specify an unlimited maximum number of characters, select the
Unlimited check box.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 25


2 Administering BusinessObjects Enterprise
Using the Central Configuration Manager

Measuring units for report page layout


Specify inches or millimeters as the measuring units used by default when
you customize a report’s page layout on the report object’s Print Setup tab.
Time zone
If you are managing BusinessObjects Enterprise remotely, use this list to
specify your time zone. BusinessObjects Enterprise synchronizes scheduling
patterns and events appropriately. For instance, if you select Eastern Time
(US & Canada), and you schedule a report to run at 5:00 a.m. every day on a
server that is located in San Francisco, then the server will run the report at
2:00 a.m. Pacific Time.
For more information about time zones, see “Supporting users in multiple
time zones” on page 527.
My Password
Click the Change Password link to change the password for the account
under which you are currently logged on.

Logging off of the Central Management Console


When you have finished using the CMC, end the session by logging off. The
Logoff button is located in the upper-right corner of the console.

Using the Central Configuration Manager


The Central Configuration Manager (CCM) is a server-management tool that
allows you to configure each of your BusinessObjects Enterprise server
components. This tool allows you to start, stop, enable, and disable servers. It
also allows you to view and to configure advanced server settings such as
default port numbers, CMS database and clustering details, SOCKS server
connections, and more.
To access the CCM, see:
• “Accessing the CCM for Windows” on page 27
• “Accessing the CCM for UNIX” on page 28

26 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Administering BusinessObjects Enterprise
Using the Central Configuration Manager 2
Accessing the CCM for Windows
From a Windows machine, use the CCM to manage BusinessObjects
Enterprise server components that are running locally or on a remote
Windows machine. To run the CCM, you must have NT administrator rights
on the local machine. If you are managing servers on a remote machine, you
must also have NT administrator rights on the machine you are connecting to.
Depending on the configuration of your network, you might be prompted to
enter a user name and password.
To start the CCM
From the BusinessObjects Enterprise program group, click Central
Configuration Manager.
The servers that are available on the local machine appear in the list. A status
icon is displayed for each server:
• A green arrow indicates the server is running.
• A yellow arrow indicates the server is starting.
• A red arrow indicates the server is not running.
Note: The status icons do not indicate whether servers are enabled or
disabled. Servers must be enabled before they will respond to
BusinessObjects Enterprise requests. Click Enable/Disable on the toolbar to
log on and enable or disable servers. For details, see “Enabling and disabling
servers” on page 77.
To connect to servers on a remote machine
1. Once you have started the CCM, you can connect to a remote machine in
several ways:
• In the Computer Name field, type the name of the machine you want
to connect to; then press Enter.
• In the Computer Name field, select a remote machine from the list.
• On the toolbar, click Browse. Select the appropriate computer; then
click OK.
2. If prompted, log on to the remote machine with an account holding
administrative rights.
Note: You may need to type your user name as domain\username.
The CCM lists the servers associated with this machine.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 27


2 Administering BusinessObjects Enterprise
Making initial security settings

Accessing the CCM for UNIX


Run the CCM on your UNIX server to manage BusinessObjects Enterprise
server components that are running on that machine. You can run the CCM
remotely through a telnet session or locally through a terminal window. To run
the CCM, you must have execute permissions on the ccm.sh script and on its
parent Business Objects directory.
To run the CCM
1. Go to the Business Objects directory that was created by the
BusinessObjects Enterprise installation:
cd INSTALL_ROOT/bobje
2. Run ccm.sh with command-line options to manage one or more servers.
For instance, the following set of commands starts the BusinessObjects
Enterprise servers and enables each server on its default port:
./ccm.sh -enable all
./ccm.sh -start all
Note: The main options for the CCM are covered in more detail in the
“UNIX Tools” chapter of the BusinessObjects Enterprise Administrator’s
Reference guide.
To view additional help on ccm.sh
The ccm.sh script also provides a detailed description of its command-line
options. To see the command-line help, issue the following command:
./ccm.sh -help | more

Making initial security settings


To ensure system security, you may want to configure the following security
settings before you publish content or provide users with access to
BusinessObjects Enterprise:
• “Setting the Administrator password” on page 29
• “Disabling a user account” on page 29
• “Modifying the default security levels” on page 30
For additional security information, you may also want to refer to:
• Chapter 9: BusinessObjects Enterprise Security Concepts
• “Available authentication types” on page 218
• “Controlling User Access” on page 291

28 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Administering BusinessObjects Enterprise
Making initial security settings 2
Setting the Administrator password
As part of the installation, BusinessObjects Enterprise creates an
Administrator account and a Guest account that do not have passwords. Log
on to the Central Management Console (CMC) with the Administrator account
and use the following procedure to create a secure password for the
Administrator account.
Note: Do not create a password for the Guest account if you plan to use the
anonymous single sign-on or the Sign Up features available in
BusinessObjects Enterprise. To disable these features, see “Disabling a user
account” on page 29.
To change the Administrator password
1. Go to the Users management area of the CMC.
2. Click the link for the Administrator account.
3. In the Enterprise Password Settings area, enter and confirm the new
password.
4. If it is selected, clear the “User must change password at next logon”
check box.
5. Click Update.

Disabling a user account


You can disable any user account through the Central Management Console.
For example, you may want to disable the Guest account to ensure that no
one can log on to BusinessObjects Enterprise with this account. In doing so,
you also disable the anonymous single sign-on functionality of
BusinessObjects Enterprise, so users cannot access InfoView without
providing a valid user name and password.
To disable a user account
1. Go to the Users management area of the CMC.
2. In the Account Name column, click the user account you want to disable.
3. On the Properties tab, select the Account is disabled check box.
4. Click Update.
5. If you are prompted for confirmation, click OK.
For more information about user accounts, see “Managing Enterprise and
general accounts” on page 219.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 29


2 Administering BusinessObjects Enterprise
Managing universes

Modifying the default security levels


This procedure shows where you can modify the default object rights that
users are granted to the top-level BusinessObjects Enterprise folder.
Initially, the Everyone group is granted Schedule access to the top-level
folder, and the Administrators group is granted Full Control. You can change
these default security levels to suit your needs. For a full description of object
rights and inheritance patterns, see “Controlling users’ access to objects” on
page 293.
To modify top-level security settings
1. Go to the Settings management area of the CMC.
2. Click the Rights tab.
3. As required, change the value selected in the Access Level list for each
user or group that is displayed.
For detailed information, see “Controlling users’ access to objects” on
page 293.
4. Click Update.
5. Click Add/Remove to grant different levels of security to additional users
or groups.

Managing universes
Web Intelligence users connect to a universe, and run queries against a
database. They can perform data analysis and create reports using the
objects in a universe, without seeing, or having to know anything about, the
underlying data structures in the database. You create a universe by using the
Designer. For complete information, see the Designer’s Guide.
Using CMC, you can view and delete universes. You can also control who has
access rights to a universe. See “Controlling access to universes” on
page 329.
To view a universe
1. Go to the Universes management area of the CMC.
The Universes page appears.

30 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Administering BusinessObjects Enterprise
Managing universe connections 2
2. Click the link for the universe you want to view.
The properties page for the universe appears.
To delete a universe
1. Go to the Universes management area of the CMC.
The Universes page appears.
2. Select the universe you want to delete.
3. Click Delete.

Managing universe connections


A connection is a named set of parameters that defines how a
BusinessObjects application accesses data in a database file. A connection
links Web Intelligence to your middleware. You must have a connection to
access data. You must select or create a connection when you create a
universe. For complete information, see the Designer’s Guide.
Using CMC, you can view and delete connections. You can also control who
has access rights to a connection. See “Controlling access to universe
connections” on page 330.
To view connections
1. Go to the Universe Connections management area of the CMC.
The Connections page appears.
2. Click the link for the connection you want to view.
The properties page for the connection appears.
To delete a universe connection
1. Go to the Universe Connections management area of the CMC.
The Universe Connections page appears.
2. Select the connection you want to delete.
3. Click Delete.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 31


2 Administering BusinessObjects Enterprise
Managing BusinessObjects Enterprise applications

Managing BusinessObjects Enterprise


applications
You can use the Business Objects Applications area of the Central
Management Console to make changes to the appearance and functionality
of web applications such as the Central Management Console and the
InfoView, without doing any programming. Note that some applications
provide more flexibility than others.
You can also control user and administrator access by changing the rights
associated with each application.
• “Managing the Central Management Console” on page 32
• “Managing Crystal Reports Explorer” on page 34
• “Managing Designer” on page 34
• “Managing Desktop Intelligence” on page 34
• “Managing Discussions” on page 35
• “Managing InfoView” on page 38
• “Managing Web Intelligence” on page 39

Managing the Central Management Console


You can change the following Central Management Console settings:
• Query size threshold
By default, when you go to the Objects, Folders, Groups, or Users
management areas of the CMC, a list of objects in that management area is
displayed. Because BusinessObjects Enterprise loads each of the objects
in the list, if you have numerous objects this can heavily tax your system
resources. You can adjust this list using the Query size threshold setting.
You can modify the number of objects displayed by setting the Query size
threshold in the Business Objects Applications management area of the
CMC. By default the Query size threshold value is 500. This means that
BusinessObjects Enterprise prompts users to use the search function of
the CMC if the return size exceeds 500 objects. Modify this value to
specify the maximum number of objects that displayed on the initial pages
of the Objects, Folders, Groups, and Users management areas of the
CMC and when displaying search results in these management areas.

32 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Administering BusinessObjects Enterprise
Managing BusinessObjects Enterprise applications 2
• CMC Access URL
Specifying this URL allows other applications, such as Crystal Reports, to
get this URL from the CMS in order to call pages in the CMC. Crystal
Reports, for example, needs this information to allow object previewing
and certain administration tasks performed from Crystal Reports.
To manage settings for the Central Management Console
1. Go to the BusinessObjects Enterprise Applications management area
of the CMC.
2. Click the BusinessObjects Enterprise Central Management Console
link.
The Properties page appears.

3. In the Prompt for search if the return size exceeds field, type the
maximum number of objects you want to be returned in searches and on
the initial pages of the Objects, Folders, Groups, and Users management
areas.
4. In the CMC Access URL field, type the URL for the CMC.
Specifying the URL here allows Crystal Reports to get this URL from the
CMS in order to call pages in the CMC. It needs to call these pages in
order to support the previewing of reports and to enable administration
tasks to be performed from Crystal Reports.
5. Click Update.
Note: To modify the number of objects displayed on a page (rather than the
total number of objects displayed), see “Setting console preferences” on
page 24.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 33


2 Administering BusinessObjects Enterprise
Managing BusinessObjects Enterprise applications

Managing Crystal Reports Explorer


Crystal Reports Explorer allows users to create and modify reports, design
layouts, and perform data analysis using a zero client interface. This
functionality reduces IT reporting backlog by enabling users to create, save,
and redistribute personalized report views in BusinessObjects Enterprise.
You can use Crystal Reports Explorer to perform the following administrative
tasks:
• Setting user access to Business Views and report data sources.
• Controlling the Crystal Reports Explorer features that are available to
each user.
• Providing users with standardized report templates by setting the Default
Template folder.
• Configuring and managing data sources.
For more information about administering Crystal Reports Explorer, click Help
in the bottom right corner of Crystal Reports Explorer.

Managing Designer
You can grant access to the Designer application by setting the rights through
the Central Management Console.
To manage settings for Designer
1. Go to the BusinessObjects Enterprise Applications management area
of the CMC.
2. Click Designer.
3. Click the Rights tab, then assign the appropriate rights to each group or
user.
4. Click Apply.

Managing Desktop Intelligence


You can grant access to the Desktop Intelligence application by setting the
rights through the Central Management Console.
To manage settings for Desktop Intelligence
1. Go to the BusinessObjects Enterprise Applications management area
of the CMC.
2. Click Desktop Intelligence.

34 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Administering BusinessObjects Enterprise
Managing BusinessObjects Enterprise applications 2
3. Click the Rights tab, then assign the appropriate rights to each group or
user.
4. Click Apply.

Managing Discussions
BusinessObjects Enterprise administrators are responsible for maintaining
the discussion threads and for granting the appropriate access rights to
BusinessObjects Enterprise users.
Managing Discussions includes the following tasks:
• “Accessing the Discussions page” on page 35
• “Searching for discussion threads” on page 36
• “Sorting search results” on page 37
• “Deleting discussion threads” on page 38
• “Setting user rights” on page 38

Accessing the Discussions page


To access the Discussions page
1. Go to the BusinessObjects Enterprise Applications management area
of the CMC.
2. Click Discussions.
The Discussions page appears.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 35


2 Administering BusinessObjects Enterprise
Managing BusinessObjects Enterprise applications

Searching for discussion threads


By default, the Discussions page displays the titles of all discussion threads.
Only the root level threads are displayed. Branches from the root level thread
are not displayed. Use the Previous and Next buttons to page through the list
of discussion threads.
You can search for a specific thread or group of threads.
Note: To cancel a search and reset the search values back to the default
settings, click Cancel.
To search for a discussion thread
1. Go to the BusinessObjects Enterprise Applications management area
of the CMC.
2. Click Discussions.
The Discussions page appears.
3. In the Field name list, select which of the following criteria you want to
search by:
• Thread title. Search by the title of a thread.
• Creation date. Search by the date the thread was created.
• Last modified date. Search based on the date a thread was last
modified.
• Author. Search by the author of a specific thread.
4. From the second list, refine your search.
If you search by Thread title or Author, the second field provides you
with the following options.
• is: The DMC searches for any discussion threads where the thread
title, or the author name, exactly match the text that you type into the
third field. Searches are not case sensitive.
• is not: The DMC searches for any discussion threads where the
thread title, or the author name, do not exactly match the text that
you type into the third field.
• contains: The DMC searches for any discussion threads that
contain the search text string within any part of the thread title or the
author’s name.
• does not contain: The DMC searches for any discussion threads
that do not contain the text string within any part of the thread title.

36 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Administering BusinessObjects Enterprise
Managing BusinessObjects Enterprise applications 2
If you search by Creation date or Last modified date, there are the
following options.
• before: The DMC searches for any discussion threads that were
created or modified before the search date.
• after: The DMC searches for any discussion threads that were
created or modified after the search date.
• between: The DMC searches for any discussion threads that were
created or modified between the two search dates.
5. Use the third field to further refine your search.
If you selected a text-based search in the first two fields, type in the text
string. If you selected a date-based search, enter the date or dates in the
appropriate fields.
6. Click Search to display all the records that match your search criteria.

Sorting search results


You can select how you want your search results to display. For example you
can display them in ascending alphabetical order, and choose how many
results to display per page.
To sort your results
1. In the Sort by list, select which of the following criteria you want to
display:
• Thread title. Sort by the title of a thread.
• Creation date. Sort by the date the thread was created.
• Last modified date. Sort based on the date a thread was last
modified.
• Author. Sort by the author of a specific thread.
2. In the second list, select whether you want the records to be displayed in
ascending or descending order.
3. In the third category, enter how many results you want to be displayed on
each page.
4. Click Search.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 37


2 Administering BusinessObjects Enterprise
Managing BusinessObjects Enterprise applications

Deleting discussion threads


You can delete any discussion thread.
To delete a discussion thread
1. On the Discussions page, select which threads you want to delete in the
results list.
For details, see “Accessing the Discussions page” on page 35.
Tip: You can use the Select All and Clear All buttons to select or clear all
the threads displayed on the page.
2. Click Delete.
The selected threads are deleted.

Setting user rights


Users of the Discussions feature must have the right to view a report in order
to create a discussion thread, or add a note to a report. For more information
on setting user rights to reports and report objects, see Chapter 11:
Controlling User Access.

Managing InfoView
In the BusinessObjects Enterprise Applications area of the Central
Management Console, the Properties tab for the InfoView allows you to
change several display options.
You can also control user and administrator access by changing the rights
associated with each user and group on the Rights tab.
To change display settings for InfoView
1. Go to the BusinessObjects Enterprise Applications management area
of the CMC.
2. Click InfoView.
3. On the Properties tab, select the options that you want.
• Header and style: You can change the colors of the header and the
logo displayed in the header. If you have a cascading style sheet for
your intranet, you can specify it here to format InfoView with the
same styles.

38 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Administering BusinessObjects Enterprise
Managing BusinessObjects Enterprise applications 2
• Display: Choose the functionality that your users can see. You can
choose whether or not to display the Preferences button, the Type
list, and the Filters tab. You can also choose a default navigation
method for your users (folders or categories), and you can specify
the maximum number of pages of objects to show at a time.
• Object Listing: Choose whether to display the original object or the
latest instance of the object.
• Viewers: You can also configure settings that control which viewers
are available to users.
When users view a report using the Advanced DHTML viewer, the
report is processed by the Report Application Server.
If you are using the Java version of InfoView and want users to be
able to use the Active X or Java viewers, you must enter the context
path of the Web Component Adapter. Consult the BusinessObjects
Enterprise Installation Guide for more information.
4. Click Update.

Managing Web Intelligence


For the Web Intelligence application, you can control which interactive
features your users have access to for Web Intelligence documents by setting
Web Intelligence rights in the Central Management Console.
Note that in order for users to be able to use the Interactive view format and
use the Query HTML panel, you must grant access to the “Allows interactive
HTML viewing (as per license)” option. The user can select this view format
and report panel option in the Web Intelligence Document Preferences tab in
InfoView.
To set rights for Web Intelligence features
1. Go to the BusinessObjects Enterprise Applications management area
of the CMC.
2. Click Web Intelligence.
3. Click the Rights tab, and click Web Intelligence to expand the list of
available rights.
4. Select the options that you want, and then click Apply.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 39


2 Administering BusinessObjects Enterprise
Managing license information

Managing license information


The License Keys tab identifies the number of concurrent, named, and
processor licenses associated with each key.
1. Go to the License Keys management area of the CMC.

2. Select a license key.


The details associated with the key appear in the Licensing Information
area. To purchase additional license keys:
• Contact your Business Objects sales representative.
• Contact your regional office. For details, go to:
http://www.businessobjects.com/company/contact_us/

40 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Administering BusinessObjects Enterprise
Managing license information 2
Adding a license key
Note: If you are upgrading from a trial version of the product, be sure to
delete the Evaluation key prior to adding any new license keys or product
activation keycodes.
1. Go to the License Keys management area of the CMC.
2. Type the key in the Add Key field.
Note: Key codes are case-sensitive.
3. Click Add.
The key is added to the list.

Viewing current account activity


To view current account activity
1. Go to the Settings management area of the CMC.
2. Click the Metrics tab.
This tab displays current license usage, along with additional job metrics.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 41


2 Administering BusinessObjects Enterprise
Managing license information

42 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise
Architecture

chapter
3 BusinessObjects Enterprise Architecture
Architecture overview and diagram

Architecture overview and diagram


BusinessObjects Enterprise is a multi-tier system. Although the components
are responsible for different tasks, they can be logically grouped based on the
type of work they perform. If you are new to BusinessObjects Enterprise, use
this chapter to gain familiarity with the BusinessObjects Enterprise
framework, its components, and the general tasks that each component
performs.
In BusinessObjects Enterprise, there are five tiers: the client tier, the
application tier, the intelligence tier, the processing tier, and the data tier. To
provide flexibility, reliability, and scalability the components that make up each
of these tiers can be installed on one machine, or spread across many.
The following diagram illustrates how each of the components fits within the
multi-tier system. Other Business Objects products, such as OLAP
Intelligence and Report Application Server, plug in to the BusinessObjects
Enterprise framework in various ways. This chapter describes the framework
itself. Consult each product’s installation or administration guides for details
about how it integrates with the BusinessObjects Enterprise framework.
The “servers” run as services on Windows machines. On UNIX, the servers
run as daemons. These services can be “vertically scaled” to take full
advantage of the hardware that they are running on, and they can be
“horizontally scaled” to take advantage of multiple computers over a network
environment. This means that the services can all run on the same machine,
or they can run on separate machines. The same service can also run in
multiple instances on a single machine.
For example, you can run the Central Management Server and the Event
Server on one machine, while you run the Report Application Server on a
separate machine. This configuration is called “horizontal scaling.” If the
Report Application Server is running on a multi-processor computer, then you
may choose to run multiple Report Application Servers on it. This
configuration is called “vertical scaling.” The important thing to understand is
that, even though these are called servers, they are actually services and
daemons that do not need to run on separate computers.
Note: BusinessObjects Enterprise Standard requires all of the components
to be installed on one machine.

44 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Architecture overview and diagram 3

The remainder of this chapter describes each tier, the key BusinessObjects
Enterprise components, and their primary responsibilities:
• “Client tier” on page 46
• “Application tier” on page 48
• “Processing tier” on page 55
• “Data tier” on page 59

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 45


3 BusinessObjects Enterprise Architecture
Client tier

Tip: When you are familiar with the architecture and want to customize your
system configuration, see Chapter 4: Managing and Configuring Servers and
Chapter 6: Scaling Your Systemthe BusinessObjects Enterprise
Administrator’s Guide.
Note: BusinessObjects Enterprise supports reports created in versions 6
through XI of Crystal Reports. Once published to BusinessObjects Enterprise,
reports are saved, processed, and displayed in version XI format.

Client tier
The client tier is the only part of the BusinessObjects Enterprise system that
administrators and end users interact with directly. This tier is made up of the
applications that enable people to administer, publish, and view reports and
other objects.

The client tier includes:


• “InfoView” on page 46
• “Central Management Console (CMC)” on page 47
• “Central Configuration Manager (CCM)” on page 47
• “Publishing Wizard” on page 47
• “Import Wizard” on page 48

InfoView
BusinessObjects Enterprise comes with InfoView, a web-based interface that
end users access to view, schedule, and keep track of published reports.
Each BusinessObjects Enterprise request that a user makes is directed to the
BusinessObjects Enterprise application tier. The web server forwards the
user request directly to an application server where the request is processed
by the WCA.
InfoView also serves as a demonstration of the ways in which you can use the
BusinessObjects Enterprise Software Development Kit (SDK) to create a
custom web application for end users. In the case of .NET, InfoView also

46 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Client tier 3
demonstrates how you can use the BusinessObjects Enterprise .NET Server
Components. For more information, see the developer documentation
available on your product CD.

Central Management Console (CMC)


The Central Management Console (CMC) allows you to perform user
management tasks such as setting up authentication and adding users and
groups. It also allows you to publish, organize, and set security levels for all of
your BusinessObjects Enterprise content. Additionally, the CMC enables you
to manage servers and create server groups. Because the CMC is a web-
based application, you can perform all of these administrative tasks remotely.
For more information, see “Central Management Console (CMC)” on
page 47the BusinessObjects Enterprise Administrator’s Guide.
The CMC also serves as a demonstration of the ways in which you can use
the administrative objects and libraries in the BusinessObjects Enterprise
SDK to create custom web applications for administering BusinessObjects
Enterprise. For more information, see the developer documentation available
on your product CD.

Central Configuration Manager (CCM)


The Central Configuration Manager (CCM) is a server-management tool that
allows you to configure each of your BusinessObjects Enterprise server
components. This tool allows you to start, stop, enable, and disable servers,
and it allows you to view and to configure advanced server settings. On
Windows, these settings include default port numbers, CMS database and
clustering details, SOCKS server connections, and more. In addition, on
Windows the CCM allows you to add or remove servers from your
BusinessObjects Enterprise system. On UNIX, some of these functions are
performed using other tools. For more information, see “Using the Central
Configuration Manager” on page 26the BusinessObjects Enterprise
Administrator’s Guide and Chapter 4: Managing and Configuring Servers.

Publishing Wizard
The Publishing Wizard is a locally installed Windows application that enables
both administrators and end users to add reports to BusinessObjects
Enterprise. By assigning object rights to BusinessObjects Enterprise folders,
you control who can publish reports and where they can publish them to. For

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 47


3 BusinessObjects Enterprise Architecture
Application tier

more information, see “Overview” on page 346 and “Controlling users’ access
to objects” on page 293the BusinessObjects Enterprise Administrator’s
Guide.
The Publishing Wizard publishes reports from a Windows machine to
BusinessObjects Enterprise servers running on Windows or on UNIX.

Import Wizard
The Import Wizard is a locally installed Windows application that guides
administrators through the process of importing users, groups, reports, and
folders from an existing BusinessObjects Enterprise, Crystal Enterprise, or
Crystal Info implementation to BusinessObjects Enterprise. For more
information, see “Using the Import Wizard” on page 387the BusinessObjects
Enterprise Administrator’s Guide.
The Import Wizard runs on Windows, but you can use it to import information
into a new BusinessObjects Enterprise system running on Windows or on
UNIX.

Application tier
The application tier hosts the server-side components that process requests
from the client tier as well as the components that communicate these requests
to the appropriate server in the intelligence tier. The application tier includes
support for report viewing and logic to understand and direct web requests to
the appropriate BusinessObjects Enterprise server in the intelligence tier.
The application tier includes:
• “Application tier components” on page 48
• “Web development platforms” on page 50
• “Web application environments” on page 51

Application tier components


For both the Java and .NET platforms, the application tier includes the
following components:
• “Application server and BusinessObjects Enterprise SDK” on page 49
• “Web Component Adapter (WCA)” on page 49

48 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Application tier 3

Note: In Crystal Enterprise 10 on Windows, the communication between the


web server and the application server was handled through the Web
Connector; the functionality of the Web Component Adapter (WCA) was
provided through the Web Component Server (WCS). In BusinessObjects
Enterprise XI, the web server communicates directly with the application
server and the WCA handles the WCS functionality, both on Windows and
Unix platforms.

Application server and BusinessObjects Enterprise SDK


BusinessObjects Enterprise systems that use the BusinessObjects Enterprise
Java SDK or the BusinessObjects Enterprise .NET SDK run on a third party
application server. See the Platforms.txt file included with your product
distribution for a complete list of tested application servers and version
requirements.
The application server acts as the gateway between the web server and the
rest of the components in BusinessObjects Enterprise. The application server
is responsible for processing requests from your browser. It also supports
InfoView and other Business Objects applications, and uses the SDK to
convert report pages (.epf files) to HTML format when users view pages with
a DHTML viewer.

Web Component Adapter (WCA)


The web server communicates directly with the application server that hosts
the BusinessObjects Enterprise SDK. The Web Component Adapter (WCA)
runs within the application server and provides all services that are not
directly supported by the BusinessObjects Enterprise SDK. The web server
passes requests directly to the application server, which then forwards the
requests on to the WCA.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 49


3 BusinessObjects Enterprise Architecture
Application tier

The WCA supports Business Objects applications such as the Central


Management Console (CMC) and Crystal report viewers (that are
implemented through viewrpt.aspx requests).
Note: In Crystal Enterprise 10 on Windows, the communication between the
web server and the application server was handled through the Web
Connector; the functionality of the Web Component Adapter (WCA) was
provided through the Web Component Server (WCS). In BusinessObjects
Enterprise XI, the web server communicates directly with the application
server and the WCA handles the WCS functionality, both on Windows and
Unix platforms.

Web development platforms


BusinessObjects Enterprise supports the following web development
platforms:
• “Java platform” on page 50
• “Windows .NET platform” on page 50

Java platform
All UNIX installations of BusinessObjects Enterprise include a Web
Component Adapter (WCA). In this configuration, a Java application server is
required to host the WCA and the BusinessObjects Enterprise Java SDK. The
use of a web server is optional as you may choose to have static content
hosted by the application server.

Windows .NET platform


BusinessObjects Enterprise installations that use the .NET Framework
include Primary Interop Assemblies (PIAs) that allow you to use the
BusinessObjects Enterprise .NET SDK with ASP.NET, and a set of .NET
Server Components that you can optionally use to simplify the development
of custom applications. This configuration requires the use of a Microsoft
Internet Information Services (IIS) web server.
Note: In Crystal Enterprise 10 on Windows, the communication between the
web server and the application server was handled through the Web
Connector; the functionality of the Web Component Adapter (WCA) was
provided through the Web Component Server (WCS). In BusinessObjects
Enterprise XI, the web server communicates directly with the application
server and the WCA handles the WCS functionality, both on Windows and
Unix platforms.
You do not need a Web Component Adapter for custom ASP.NET
applications.

50 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Intelligence tier 3
Web application environments
BusinessObjects Enterprise supports Java Server Pages (.jsp) and ASP.NET
(.aspx) pages. BusinessObjects Enterprise includes web applications
developed in .aspx, such as InfoView and the sample applications available
via the BusinessObjects Enterprise Launchpad. Java Server Pages (.jsp) and
ASP.NET (.aspx) pages allow you to develop cross-platform J2EE and
ASP.NET applications that use the BusinessObjects Enterprise SDKs in
conjunction with third party APIs.
Note: For backward compatibility, BusinessObjects Enterprise continues to
support Crystal Server Pages (.csp) and Active Server Pages (.asp).
BusinessObjects Enterprise also includes Primary Interop Assemblies (PIAs)
that enable you to use the BusinessObjects Enterprise SDK and Report
Application Server SDK with ASP.NET. It also includes a set of .NET Server
Components which simplify development of custom BusinessObjects
Enterprise applications in ASP.NET.
For more information, see the developer documentation available on your
product CD.

Intelligence tier
The intelligence tier manages the BusinessObjects Enterprise system. It
maintains all of the security information, sends requests to the appropriate
servers, manages audit information, and stores report instances.

For more information, refer to the following sections:


• “Central Management Server (CMS)” on page 52
• “Event Server” on page 53
• “File Repository Servers” on page 54
• “Cache Server” on page 54

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 51


3 BusinessObjects Enterprise Architecture
Intelligence tier

Central Management Server (CMS)


The CMS is responsible for maintaining a database of information about your
BusinessObjects Enterprise system, which other components can access as
required. The data stored by the CMS includes information about users and
groups, security levels, BusinessObjects Enterprise content, and servers.
The CMS also maintains the BusinessObjects Enterprise Repository, and a
separate audit database of information about user actions. This data allows
the CMS to perform its four main tasks:
• Maintaining security
By maintaining a database of users and their associated object rights, the
CMS enforces who has access to BusinessObjects Enterprise and the
types of tasks they are able to perform. These tasks include enforcing
and maintaining the licensing policy of your BusinessObjects Enterprise
system.
• Managing objects
The CMS keeps track of the location of objects and maintains the
containment hierarchy, which includes folders, categories, and inboxes.
By communicating with the Job Servers and Program Job Servers, the
CMS is able to ensure that scheduled jobs run at the appropriate times.
• Managing servers
By staying in frequent contact with each of the servers in the system, the
CMS is able to maintain a list of server status. Report viewers access this
list, for instance, to identify which Cache Server is free to use for a report
viewing request.
• Managing auditing
By collecting information about user actions from each BusinessObjects
Enterprise server, and then writing these records to a central audit
database, the CMS acts as the system auditor. This audit information
allows system administrators to better manage their BusinessObjects
Enterprise deployment.
Note: In previous versions of Crystal Enterprise, the Central Management
Server (CMS) was known as the Crystal Management Server, and also as the
Automated Process Scheduler (APS).
Typically, you provide the CMS with database connectivity and credentials
when you install BusinessObjects Enterprise, so the CMS can create its own
system database and BusinessObjects Enterprise Repository database using
your organization’s preferred database server. For details about setting up

52 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Intelligence tier 3
CMS databases, see the BusinessObjects Enterprise Installation Guide. See
the Platforms.txt file included with your product distribution for a complete
list of tested database software and version requirements.
Note:
• It is strongly recommended that you back up the CMS system database,
and the audit database frequently. The backup procedure depends upon
your database software. If you are unsure of the procedure, consult with
your database administrator.
• The CMS database should not be accessed directly. System information
should only be retrieved using the calls that are provided in the
BusinessObjects Enterprise Software Development Kit (SDK). For more
information, see the developer documentation available on your product CD.
• You can access the audit database directly to create custom audit
reports. See the BusinessObjects Enterprise Auditor’s Guide for more
information.
On Windows, the Setup program can install and configure its own Microsoft
Data Engine (MSDE) database if necessary. MSDE is a client/server data
engine that provides local data storage and is compatible with Microsoft SQL
Server. If you already have the MSDE or SQL Server installed, the installation
program uses it to create the CMS system database. You can migrate your
default CMS system database to a supported database server later.
For details about configuring the CMS, its system database, and CMS
clusters, see “Configuring the intelligence tier” on page 85the
BusinessObjects Enterprise Administrator’s Guide. For more information
about Auditing, see the BusinessObjects Enterprise Auditor’s Guide.

Event Server
The Event Server manages file-based events. When you set up a file-based
event within BusinessObjects Enterprise, the Event Server monitors the
directory that you specified. When the appropriate file appears in the
monitored directory, the Event Server triggers your file-based event: that is,
the Event Server notifies the CMS that the file-based event has occurred. The
CMS then starts any jobs that are dependent upon your file-based event.
After notifying the CMS of the event, the Event Server resets itself and again
monitors the directory for the appropriate file. When the file is newly created in
the monitored directory, the Event Server again triggers your file-based event.
Note: Schedule-based events, and custom events are managed by the
Central Management Server.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 53


3 BusinessObjects Enterprise Architecture
Intelligence tier

File Repository Servers


There is an Input and an Output File Repository Server in every
BusinessObjects Enterprise implementation.
The Input File Repository Server manages all of the report objects and
program objects that have been published to the system by administrators or
end users (using the Publishing Wizard, the Central Management Console,
the Import Wizard, or a Business Objects designer component such as
Crystal Reports or the Web Intelligence Java or HTML Report Panels).
Tip: If you use the BusinessObjects Enterprise SDK, you can also publish
reports from within your own code.
The Output File Repository Server manages all of the report instances
generated by the Report Job Server or the Web Intelligence Report Server,
and the program instances generated by the Program Job Server.
The File Repository Servers are responsible for listing files on the server,
querying for the size of a file, querying for the size of the entire file repository,
adding files to the repository, and removing files from the repository.
Note:
• The Input and Output File Repository Servers cannot share the same
directories. This is because one of the File Repository Servers could then
delete files and directories belonging to the other.
• In larger deployments, there may be multiple Input and Output File
Repository Servers, for redundancy. In this case, all Input File Repository
Servers must share the same directory. Likewise, all Output File
Repository Servers must share a directory.
• Objects with files associated with them, such as text files, Microsoft Word
files, or PDFs, are stored on the Input File Repository Server.

Cache Server
The Cache Server is responsible for handling all report viewing requests. The
Cache Server checks whether or not it can fulfill the request with a cached
report page. If the Cache Server finds a cached page that displays exactly the
required data, with data that has been refreshed from the database within the
interval that you have specified as the default, the Cache Server returns that
cached report page.
If the Cache Server cannot fulfil the request with a cached report page, it
passes the request along to the Page Server. The Page Server runs the
report and returns the results to the Cache Server. The Cache Server then

54 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Processing tier 3
caches the report page for future use, and returns the data to the viewer. By
storing report pages in a cache, BusinessObjects Enterprise avoids
accessing the database each and every time a report is requested.
If you are running multiple Page Servers for a single Cache Server, the Cache
Server automatically balances the processing load across Page Servers.
For more information, see “Modifying Cache Server performance settings” on
page 101the BusinessObjects Enterprise Administrator’s Guide.

Processing tier
The processing tier accesses the data and generates the reports. It is the only
tier that interacts directly with the databases that contain the report data.

The processing tier includes:


• “Job servers” on page 55
• “Web Intelligence Report Server” on page 58
• “Report Application Server (RAS)” on page 58
• “Page Server” on page 58

Job servers
A Job Server processes scheduled actions on objects at the request of the
CMS. When you add a Job Server to the BusinessObjects Enterprise system,
you can configure the Job Server to:
• Process report objects
• Process program objects

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 55


3 BusinessObjects Enterprise Architecture
Processing tier

• Send objects or instances to specified destinations


If you configure a Job Server to process report objects, it becomes a Report
Job Server. If you configure a Job Server to process program objects, it
becomes a Program Job Server, and so on. The processing tier includes:
• “Report Job Server” on page 56
• “Program Job Server” on page 56
• “Web Intelligence Job Server” on page 57
• “Destination Job Server” on page 57
• “List of Values Job Server” on page 57
• “Desktop Intelligence Job Server” on page 58

Report Job Server


If you configure a Job Server to process report objects, it becomes a Report
Job Server.
The Report Job Server processes scheduled reports, as requested by the
CMS, and generates report instances (instances are versions of a report
object that contain saved data). To generate a report instance, the Report Job
Server obtains the report object from the Input FRS and communicates with
the database to retrieve the current data. Once it has generated the report
instance, it stores the instance on the Output FRS.

Program Job Server


If you configure a Job Server to process program objects, it becomes a
Program Job Server.
Program objects allow you to write, publish, and schedule custom
applications, including scripts, Java programs or .NET programs that run
against, and perform maintenance work on, BusinessObjects Enterprise.
The Program Job Server processes scheduled program objects, as
requested by the CMS. To run a program, the Program Job Server first
retrieves the files from storage on the Input File Repository Server, and then
runs the program. By definition, program objects are custom applications.
Therefore the outcome of running a program will be dependent upon the
particular program object that is run.
Unlike report instances, which can be viewed in their completed format,
program instances exist as records in the object history. BusinessObjects
Enterprise stores the program’s standard out and standard error in a text output
file. This file appears when you click a program instance in the object History.

56 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Processing tier 3
Web Intelligence Job Server
The Web Intelligence Job Server processes scheduling requests it receives
from the CMS for Web Intelligence documents. It forwards these requests to
the Web Intelligence Report Server, which will generate the instance of the
Web Intelligence document. The Web Intelligence Job Server does not
actually generate object instances.

Destination Job Server


If you configure a Job Server to send objects or instances, it become a
Destination Job Server.
A Destination Job Server processes requests that it receives from the CMS
and sends the requested objects or instances to the specified destination:
• If the request is for an object, it retrieves the object from the Input File
Repository Server.
• If the request is for a report or program instance, it retrieves the instance
from the Output File Repository Server.
The Destination Job Server can send objects and instances to destinations
inside the BusinessObjects Enterprise system, for example, a user’s inbox, or
outside the system, for example, by sending a file to an email address.
The Destination Job Server does not run the actual report or program objects.
It only handles objects and instances that already exist in the Input or Output
File Repository Servers. For more information, see “Sending an object or
instance” on page 422the Business Objects Enterprise Administrator’s Guide.

List of Values Job Server


The List of Values Job Server processes scheduled list-of-value objects.
These are objects that contain the values of specific fields in a Business View.
Lists of values are use to implement dynamic prompts and cascading lists of
values within Crystal Reports. List-of-value objects do not appear in CMC or
InfoView. For more information, see the Business Views Administrator’s
Guide.
The List of Values Job Server behaves similarly to the Report Job Server in
that it retrieves the scheduled objects from the Input File Repository Server
(FRS) and saves the instance it generates to the Output FRS. There is never
more than one instance of a list-of-values object. On demand list of value
objects are processed by the Report Application Server.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 57


3 BusinessObjects Enterprise Architecture
Processing tier

Desktop Intelligence Job Server


The Desktop Intelligence Job Server processes scheduling requests it
receives from the CMS for Desktop Intelligence documents and generates the
instance of the Desktop Intelligence document.

Web Intelligence Report Server


The Web Intelligence Report Server is used to create, edit, view, and analyze
Web Intelligence documents. It also processes scheduled Web Intelligence
documents and generates new instances of the document, which it stores on
the Output File Repository Server (FRS). Depending on the user’s access
rights and the refresh options of the document, the Web Intelligence Report
Server will use cached information, or it will refresh the data in the document
and then cache the new information.

Report Application Server (RAS)


The Report Application Server (RAS) processes reports that users view with
the Advanced DHTML viewer. The RAS also provides the ad hoc reporting
capabilities that allow users to create and modify reports over the Web.
The RAS is very similar to the Page Server: it too is primarily responsible for
responding to page requests by processing reports and generating EPF
pages. However, the RAS uses an internal caching mechanism that involves
no interaction with the Cache Server.
As with the Page Server, the RAS supports COM, ASP.NET, and Java viewer
SDKs. The Report Application Server also includes an SDK for report-
creation and modification, providing you with tools for building custom report
interaction interfaces.

Page Server
The Page Server is primarily responsible for responding to page requests by
processing reports and generating Encapsulated Page Format (EPF) pages.
The EPF pages contain formatting information that defines the layout of the
report. The Page Server retrieves data for the report from an instance or
directly from the database (depending on the user’s request and the rights he
or she has to the report object). When retrieving data from the database, the
Page Server automatically disconnects from the database after it fulfills its
initial request and reconnects if necessary to retrieve additional data. (This
behavior conserves database licenses.)

58 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Data tier 3
The Cache Server and Page Server work closely together. Specifically, the
Page Server responds to page requests made by the Cache Server. The Page
Server and Cache Server also interact to ensure cached EPF pages are reused
as frequently as possible, and new pages are generated as soon as they are
required. BusinessObjects Enterprise takes advantage of this behavior by
ensuring that the majority of report-viewing requests are made to the Cache
Server and Page Server. (However, if a user’s default viewer is the Advanced
DHTML viewer, the report is processed by the Report Application Server.)
The Page Server also supports COM, ASP.NET, and Java viewer Software
Development Kits (SDKs).

Data tier
The data tier is made up of the databases that contain the data used in the
reports. BusinessObjects Enterprise supports a wide range of corporate
databases.

See the Platforms.txt file included with your product distribution for a
complete list of tested database software and version requirements.

Report viewers
BusinessObjects Enterprise includes report viewers that support different
platforms and different browsers in the client tier, and which have different
report viewing functionality. (For more information on the specific functionality
or platform support provided by each report viewer, see the BusinessObjects
Enterprise User’s Guide or the Crystal Reports Developer’s Guide.)
All of the viewers fall into two categories:
• client-side viewers
Client-side viewers are downloaded and installed in the users’ web
browser.
• zero client viewers
The code to support zero client viewers resides in the application tier.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 59


3 BusinessObjects Enterprise Architecture
Information flow

client-side viewers zero client viewers


Active X viewer DHTML viewer
Java viewer Advanced DHTML viewer
All report viewers help process requests for reports, and present report pages
that appear in the user’s browser.
Client-side viewers
Client-side viewers are downloaded and installed in the user’s browser. When
a user requests a report, the application server processes the request, and
retrieves the report pages (in .epf format) from the BusinessObjects
Enterprise framework. The application server then passes the report pages to
the client-side viewer, which processes the report pages and displays them
directly in the browser.
Zero client viewers
Zero client viewers reside on the application server. When a user requests a
report, the application server processes the request, and then retrieves the
report pages (in .epf format) from the BusinessObjects Enterprise framework.
The SDK creates a viewer object on the application server which processes
the report pages and creates DHTML pages that represent both the viewer
controls and the report itself. The viewer object then sends these pages
through the web server to the user’s web browser.
Installing viewers
If they haven’t already done so, users are prompted to download and install
the appropriate viewer software before the report is displayed in the browser.
The Active X viewer is downloaded the first time a user requests a report, and
then remains installed on the user’s machine. The user will be prompted to
reinstall the ActiveX viewer only when a new version becomes available on
the server.

Information flow
This section describes the interaction of the server components in order to
demonstrate how report-processing is performed. This section covers two
different scenarios:
• “What happens when you schedule an object?” on page 61
• “What happens when you view a report?” on page 62

60 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Information flow 3
What happens when you schedule an object?
When you schedule an object, you instruct BusinessObjects Enterprise to
process an object at a particular point in time, or on a recurring schedule. For
example, if you have a report that is based on your web server logs, you can
schedule the report to run every night on a recurring basis.
Tip: BusinessObjects Enterprise also allows you to schedule jobs that are
dependent upon other events. For details, see “Managing events overview”
on page 504the BusinessObjects Enterprise Administrator’s Guide.
When a user schedules an object using InfoView, the following happens:
1. InfoView sends the request to the web server.
2. The web server passes the web request directly to the application server,
where it is evaluated by the BusinessObjects Enterprise SDK.
3. The SDK passes the request to the Central Management Server.
4. The CMS checks to see if the user has sufficient rights to schedule the
object.
5. If the user has sufficient rights, the CMS schedules the object to be run at
the specified time(s).
6. When the time occurs, the CMS passes the job to the appropriate job
server. Depending on the type of object, the CMS will send the job to one
of the following job servers:
• If the object is Web Intelligence document, it sends the job to the
Web Intelligence Job Server, which sends the request to the Web
Intelligence Report Server.
• If the object is a report, it sends the job to the Report Job Server.
• If the object is program, it sends the job to the Program Job Server.
7. The job server retrieves the object from the Input File Repository Server
and runs the object against the database, thereby creating an instance of
the object.
8. The job server then saves the instance to the Output File Repository
Server, and tells the CMS that it has completed the job successfully.
If the job was for a Web Intelligence document, the Web Intelligence
Report Server notifies the Web Intelligence Job Server. The Web
Intelligence Job Server then notifies the CMS that the job was completed
successfully.
Tip: For details about multiple time zones, see “Supporting users in multiple
time zones” on page 527the BusinessObjects Enterprise Administrator’s
Guide.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 61


3 BusinessObjects Enterprise Architecture
Information flow

Note:
• The Cache Server and the Page Server do not participate in scheduling
reports or in creating instances of scheduled reports. This can be an
important consideration when deciding how to configure BusinessObjects
Enterprise, especially in large installations. See “Scaling Your System” on
page 147the section on scaling your system in the BusinessObjects
Enterprise Administrator’s Guide.
• When you schedule program objects or object packages, the interaction
between servers follows the same pattern as it does for reports.
Users without schedule rights on an object will not see the schedule option in
BusinessObjects Enterprise.

What happens when you view a report?


This section describes the viewing mechanisms that are implemented in
InfoView. The processing flow for custom applications may differ.
When you view a report through BusinessObjects Enterprise, the processing
flow varies depending upon your default report viewer, the type of report, and
the rights you have to the report. In all cases, however, the request that
begins at the web server must be forwarded to the application server.
The actual request is constructed as a URL that includes the report’s unique
ID. This ID is passed as a parameter to a server-side script that, when
evaluated by the application server, verifies the user’s session and retrieves
the logon token from the browser. The script then checks the user’s InfoView
preferences and redirects the request to the viewing mechanism that
corresponds to the user’s default viewer.
Different report viewers require different viewing mechanisms:
• The zero-client DHTML viewer is implemented through
report_view_dhtml.aspx.
When evaluated by the application server, this script communicates with
the framework (through the published SDK interfaces) in order to create a
viewer object and retrieve a report source from the Cache Server and
Page Server.
• The zero-client Advanced DHTML viewer is implemented through
report_view_advanced.aspx.
When evaluated by the application server, this script communicates with
the framework (through the published SDK interfaces) in order to create a
viewer object and retrieve a report source from the Report Application
Server.

62 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Information flow 3
• The client-side report viewers (the ActiveX and Java viewers) are
implemented through viewrpt.aspx, hosted by the WCA.
The Crystal Web Request is executed internally through viewer code on
the application server. The viewer code communicates with the
framework in order to retrieve a report page (in .epf format) from the
Cache Server and Page Server.
If they haven’t already done so, users are prompted to download and
install the appropriate viewer software.

Report viewing with the Cache Server and Page Server


This section describes the process for viewing a Crystal report when using
the zero-client DHTML, ActiveX, or Java viewer. This process uses the Cache
Server and the Page Server.
1. Upon receiving a report-viewing request, the Cache Server checks to see
if it has the requested pages cached. Cached pages are stored as
Encapsulated Page Format (.epf) files.
2. If a cached page for the report (.epf file) is available:
a. The Cache Server checks with the CMS to see if the user has rights
to view the cached page.
b. If the user is granted the right to view the report, the Cache Server
sends the cached page (.epf file) to the application server.
3. If a cached page for the report (.epf file) is unavailable:
a. The Cache Server requests new cached pages (.epf files) from the
Page Server.
b. The Page Server checks with the CMS to see if the user has rights to
view the report.
c. If the user is granted the right to view the report, the Page Server
retrieves the report from the Input File Repository Server.
d. If the report is an instance, and the user only has View rights, the
Page Server will generate pages of the report instance using the
data stored in the report instance. That is, the Page Server will not
retrieve the latest data from the database.
If the report is an object, the user must have View On Demand rights
to view the report successfully (because the Page Server needs to
retrieve data from the database).
e. If the user has sufficient rights, the Page Server generates the
cached page (.epf files) and forwards them to the Cache Server.
f. The Cache Server then caches the pages (.epf files).

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 63


3 BusinessObjects Enterprise Architecture
Information flow

g. The Cache Server sends the pages (.epf files) to the application
server.
4. The application server sends the report to the user’s Web browser in one
of two ways, depending on how the initial request was made:
• If the initial request was made through a DHTML viewer
(report_view_dhtml.aspx), the viewer SDK (residing on the
application server) is used to generate HTML that represents both
the DHTML viewer and the report itself. The HTML pages are then
returned through the web server to the user’s web browser.
• If the initial request was made through an Active X or Java viewer
(viewrpt.aspx), the application server forwards the cached pages
(.epf files) through the web server to the report viewer software in the
user’s web browser.

Report viewing with the Report Application Server (RAS)


This section describes the process for viewing a Crystal report when using
the Advanced DHTML viewer. This process flow uses the Report Application
Server (RAS).
1. Upon receiving a report-viewing request, the RAS checks to see if it has
the requested report data in cache. (The RAS has its own caching
mechanism, which is separate from the Cache Server.)
2. If a cached version of the report (.epf file) is available:
a. The RAS checks with the CMS to see if the user has rights to view
the report.
b. If the user is granted the right to view the report, the RAS returns
cached pages (.epf files) to the application server.
3. If a cached page of the report (.epf file) is unavailable:
a. The RAS checks with the CMS to see if the user has rights to view
the report.
b. If the user is granted the right to view the report, the RAS retrieves
the report object from the Input File Repository Server.
c. The RAS then processes the report object, obtains the data from the
database, generates the cached pages (.epf files), caches the pages
and sends the pages to the application server.
d. If the user is granted View rights to the report object, then the RAS
will only ever generate pages of the latest report instance. That is,
the RAS will not retrieve the latest data from the database.
If the user is granted View On Demand rights to the report object,
then the RAS will refresh the report against the database.

64 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Information flow 3
Note: The interactive search and filter features provided by the
Advanced DHTML viewer are available only if the user has View On
Demand rights (or greater) to the report object.
4. When the application server receives the cached pages (.epf files) from
the RAS, the viewer SDK generates HTML that represents both the
Advanced DHTML viewer and the report itself.
5. The application server sends the HTML pages through the web server to
the user’s web browser.

Viewing Web Intelligence documents


This section describes the process for viewing a Web Intelligence document.
1. InfoView sends the request to the web application server.
2. The web application server sends the request to the application server,
which creates a new session with the Web Intelligence Report Server.
3. The Web Intelligence Report Server checks if the user has rights to use
the Web Intelligence application.
4. The web application server then sends the request to the Web
Intelligence Report Server.
5. The Web Intelligence Report Server contacts the CMS to check whether
the user has the right to view the document, and to check when the
document was last updated.
6. If the user has the right to view the document, the Web Intelligence
Report Server checks whether it has up-to-date cached content for the
document.
7. If cached content is available, the Web Intelligence Report Server sends
the cached document information to the SDK.
If cached content is not available, the following happens:
a. The Web Intelligence Report Server obtains the document
information from the CMS and checks what rights the user has on
the document.
b. The Web Intelligence Report Server obtains the Web Intelligence
document from either the Input or Output File Repository Server and
loads the document file.
Note: Which FRS is used depends on whether the request was for a
Web Intelligence document that was saved to BusinessObjects
Enterprise or for an instance of the document. Documents are stored
on the Input FRS. Instances are generated when an object is run
according to a schedule, and they are stored on the Output FRS.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 65


3 BusinessObjects Enterprise Architecture
Choosing between live and saved data

c. If the document is set to “refresh on open” and the user has the View
On Demand rights, the Web Intelligence Report Server refreshes the
data in the document with data from the database.
Note: If the document is set to “refresh on open” but the user does
not have View On Demand rights, an error message is displayed.
d. The Web Intelligence Report Server stores the document file and the
new document information in cache.
e. The Web Intelligence Report Server sends the document information
to the SDK.
8. The viewer script calls the SDK to get the requested page of the
document. The request is passed to the Web Intelligence Report Server.
9. If the Web Intelligence Report Server has cached content for the page, it
returns the cached XML to the SDK.
If the Web Intelligence Report Server does not have the cached content
for the page, it renders the page to XML using the current data for the
document. It then returns the XML to the SDK.
10. The SDK applies an XSLT style sheet to the XML to transform it to HTML.
11. The viewer script returns the HTML to the browser.

Choosing between live and saved data


When reporting over the Web, the choice to use live or saved data is one of
the most important decisions you’ll make. Whichever choice you make,
however, BusinessObjects Enterprise displays the first page as quickly as
possible, so you can see your report while the rest of the data is being
processed.

Live data
On-demand reporting gives users real-time access to live data, straight from
the database server. Use live data to keep users up-to-date on constantly
changing data, so they can access information that’s accurate to the second.
For instance, if the managers of a large distribution center need to keep track
of inventory shipped on a continual basis, then live reporting is the way to give
them the information they need.
Before providing live data for all your reports, however, consider whether or
not you want all of your users hitting the database server on a continual basis.
If the data isn’t rapidly or constantly changing, then all those requests to the
database do little more than increase network traffic and consume server

66 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Architecture
Choosing between live and saved data 3
resources. In such cases, you may prefer to schedule reports on a recurrent
basis so that users can always view recent data (report instances) without
hitting the database server.
For more information about optimizing the performance of reports that are
viewed on demand, see the “Designing Optimized Web Reports” section in
the Crystal Reports User’s Guide (version 8.5 and later).
Tip: Users require View On Demand access to refresh reports against the
database.

Saved data
To reduce the amount of network traffic and the number of hits on your
database servers, you can schedule reports to be run at specified times.
When the report has been run, users can view that report instance as
needed, without triggering additional hits on the database.
Report instances are useful for dealing with data that isn’t continually
updated. When users navigate through report instances, and drill down for
details on columns or charts, they don’t access the database server directly;
instead, they access the saved data. Consequently, reports with saved data
not only minimize data transfer over the network, but also lighten the
database server’s workload.
For example, if your sales database is updated once a day, you can run the
report on a similar schedule. Sales representatives then always have access
to current sales data, but they are not hitting the database every time they
open a report.
Tip: Users require only View access to display report instances.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 67


3 BusinessObjects Enterprise Architecture
Choosing between live and saved data

68 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring
Servers

chapter
4 Managing and Configuring Servers
Server management overview

Server management overview


This chapter provides information on a range of server tasks that allow you to
customize the behavior of BusinessObjects Enterprise. It also includes
information on the server settings that you can alter to accommodate the
needs of your organization. The default values for these settings have been
chosen to maximize the reliability, predictability, and consistency of operation
of a typical BusinessObjects Enterprise installation. The default settings
guarantee the highest degree of data accuracy and timeliness. For example,
by default, data sharing between reports is disabled. When running reports on
demand, disabling data sharing means that every user can always assume
that they will receive the latest data.
If you prefer to place more emphasis on the efficiency, economy, and
scalability of BusinessObjects Enterprise, you can tune server settings to set
your own balance between system reliability and performance. For example,
enabling data sharing between reports markedly increases system
performance when user loads are heavy. To take advantage of this feature
while ensuring that every user receives data that meets your criteria for
timeliness, you can also specify how long data will be shared between users.
BusinessObjects Enterprise administrative tools
BusinessObjects Enterprise includes two key administrative tools that allow
you to view and to modify a variety of server settings:
• Central Management Console (CMC)
The CMC is the web-based administration tool that allows you to view
and to modify server settings while BusinessObjects Enterprise is
running. For instance, you use the CMC to change the status of a server,
change server settings, access server metrics, or create server groups.
Because the CMC is a web-based interface, you can configure your
BusinessObjects Enterprise servers remotely over the Internet or through
your corporate intranet.
• Central Configuration Manager (CCM)
The CCM is a program that allows you to view and to modify server
settings while Business Objects servers are offline. For instance, you use
the CCM to stop servers, to modify performance settings, and to change
the default server port numbers. With BusinessObjects Enterprise, the
CCM allows you to configure BusinessObjects Enterprise remotely over
your corporate network.
You can accomplish some configuration tasks with both tools, while other
tasks must be performed with a specific tool.

70 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Viewing current metrics 4
Related topics:
• For an overview of the multi-tier architecture and the BusinessObjects
Enterprise server components, see “BusinessObjects Enterprise
Architecture” on page 43.
• For information about creating groups of servers, see “Managing Server
Groups” on page 141.
• With the BusinessObjects Enterprise Software Development Kit (SDK),
you can now access and modify server metrics and settings from your
own web applications. For more information, see the developer
documentation available on your product CD.

Viewing current metrics


The CMC allows you to view server metrics over the Web. These metrics
include general information about each machine, along with details that are
specific to the type of server. The CMC also allows you to view system
metrics, which include information about your product version, your CMS, and
your current system activity.
Tip: For an example of how to use server metrics in your own web
applications, see the “View Server Summary” sample on the BusinessObjects
Enterprise Admin Launchpad.

Viewing current server metrics


The Servers management area of the CMC displays server metrics that
provide statistics and information about each BusinessObjects Enterprise
server. The general information displayed for each server includes
information about the machine that the server is running on—its name,
operating system, total hard disk space, free hard disk space, total RAM,
number of CPUs, and local time. The general information also includes the
time the server started and the version number of the server.
To view server metrics
1. Go to the Servers management area of the CMC.
2. Click the link to the server whose metrics you want to view.
3. Click the Metrics tab.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 71


4 Managing and Configuring Servers
Viewing current metrics

This example shows the metrics for an Input File Repository Server that is
running on a machine called Crystal-E501888.crystald.net.

The Metrics tabs for the following servers include additional, server-specific
information:
Input and Output File Repository Servers
The Metrics tab of each File Repository Server lists the root directory of the
files that the server maintains, indicates the maximum idle time, and displays
the number of active files and active client connections. It also lists the total
available hard disk space, as well as the number of bytes sent and received.
Each File Repository Server also has an Active Files tab, which lists the
filename, the number of readers, and the number of writers for each active
file.
Cache Server
The Metrics tab of the Cache Server displays the maximum number of
processing threads, the maximum cache size, the minutes before an idle job
is closed, the minutes between refreshes from the database, whether or not
the database is accessed whenever a viewer’s file (object) is refreshed, the
location of the cache files, the total threads running, the number of requests
served, the number of bytes transferred, the cache hit rate, the number of
current connections, and the number of requests that are queued.
The Metrics tab also provides a table that lists the Page Servers that the
Cache server has connections to, along with the number of connections
made to each Page Server.
Event Server
The Metrics tab of the Event Server contains statistics on the files that the
server is monitoring. This tab includes a table showing the file name and the
last time the event occurred.

72 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Viewing current metrics 4
Page Server
The Metrics tab of the Page Server contains information on how the server is
running. It lists the maximum number of simultaneous report jobs, the location
of temporary files, the number of minutes before an idle connection is closed,
the minutes before a report job is closed, the maximum number of database
records shown when previewing or refreshing a report, the oldest processed
data given to a client, whether a viewer refresh always hits the database, and
the setting for the Report Job Database Connection. It also shows the number
of current connections, the number of requests queued, the current number of
processing threads running, the total number of requests served, and the total
bytes transferred.
Report Application Server
The Metrics tab of the Report Application Server (RAS) shows the number of
reports that are open, and the number of reports that have been opened. It
also shows the number of open connections, along with the number of open
connections that have been created.
Job servers and Web Intelligence servers
The Metrics tabs of these servers list the current number of jobs that are
being processed, the total number of requests received, the total number of
failed job creations, the processing mode, and the location of its temporary
files.
Central Management Server
The Metrics tab of the CMS lists only the general information about the
machine it is running on. The Properties tab, however, shows a list of users
who have active sessions on the system. Click any user’s link to view the
associated account details.
Connection Server
The Metrics tab of the Connection Server shows the current settings,
including HTTP and CORBA protocol settings, trace settings, connection
pooling, and the timeout duration for inactive jobs. You can change these
settings on the Properties tab. The Metrics tab also lists general information
about the machine it is running on.
Desktop Intelligence Cache and Job servers
These servers, which process information only for Desktop Intelligence
documents, provide the same metrics as standard cache and job servers.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 73


4 Managing and Configuring Servers
Viewing and changing the status of servers

Viewing system metrics


The Settings management area of the CMC displays system metrics that
provide general information about your BusinessObjects Enterprise
installation. The Properties tab includes information about the product version
and build. It also lists the data source, database name, and database user
name of the CMS database. The Metrics tab lists current account activity,
along with statistics about current and processed jobs. The Cluster tab lists
the name of the CMS you are connected to, the name of the CMS cluster, and
the names of other cluster members.
To view system metrics
1. Go to the Settings management area of the CMC.
2. View the contents of the Properties, Metrics, and Cluster tabs.
Related topics:
• For more information about licenses and account activity, see “Managing
license information” on page 40.
• For information about CMS clusters, see Clustering Central Management
Servers.

Viewing and changing the status of servers


The status of a server is its current state of operation: a server can be started,
stopped, enabled, or disabled. To respond to BusinessObjects Enterprise
requests, a server must be started and enabled. A server that is disabled is
still running as a process; however, it is not accepting requests from the rest
of BusinessObjects Enterprise. A server that is stopped is no longer running
as a process.
This section shows how to modify the status of servers with the CMC and the
CCM. It includes:
• “Starting, stopping, and restarting servers” on page 75
• “Enabling and disabling servers” on page 77
• “Stopping a Central Management Server” on page 77
• “Printing, copying, and refreshing server status” on page 79

74 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Viewing and changing the status of servers 4
Starting, stopping, and restarting servers
Starting, stopping, and restarting servers are common actions that you
perform when you configure servers or take them offline for other reasons.
The remainder of this chapter tells you when a certain configuration change
requires that you first stop or restart the server. However, because these
tasks appear frequently, the concepts and differences are explained first, and
the general procedures are provided for reference.

Action Description
Stopping a server You must stop BusinessObjects Enterprise servers
before you can modify certain properties and settings.
Starting a server If you have stopped a server to configure it, you need
to start it to effect your changes and to have the server
resume processing requests.
Restarting a server Restarting a server is a shortcut to stopping a server
completely and then starting it again. You can change
certain settings without stopping the server; however,
the changes typically do not take effect until your
restart the server.
For example, if you want to change the name of a CMS, then you must first
stop the server. Once you have made your changes, you start the server
again to effect your changes.
Tip: When you stop (or restart) a server, you terminate the server’s process,
thereby stopping the server completely. If you want to prevent a server from
receiving requests without actually stopping the server process, you can also
enable and disable servers. We recommend that you disable Job Servers and
Program Job Servers before stopping them so that they can finish processing
any jobs they have in progress before stopping. For details, see “Enabling
and disabling servers” on page 77.
To start, stop, or restart servers with CMC
Note: You cannot use CMC to stop the CMS. You must use the CCM instead.
See “Stopping a Central Management Server” on page 77 for more
information.
1. Go to the Servers management area of the CMC.
A list of servers appears. The icon associated with each server identifies
its status:
• Running is indicated by a server with a green arrow.
• Stopped is indicated by a server with a red arrow.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 75


4 Managing and Configuring Servers
Viewing and changing the status of servers

• Disabled is indicated by a server with a red circle.


In this example, the Page Server is stopped, the Event Server is
disabled, and the remaining servers are running and enabled.

2. Select the check box for the server whose status you want to change.
3. Depending upon the action you need to perform, click Start, Stop, or
Restart.
You may be prompted for network credentials that allow you to start and
stop services running on the remote machine.
4. Click Refresh to update the page.
To start, stop, or restart a Windows server with the CCM
1. Start the CCM.
2. Select the server that you want to start, stop, or restart.
3. On the toolbar, click the appropriate button.

Toolbar Action
Icon
Start the selected server.

Stop the selected server.

Restart the selected server.

You may be prompted for network credentials that allow you to start and
stop services.
Note: When you provide your network credentials, they are first checked
against the machine hosting the CMS. If the server that you want to start,
stop, or restart is located on another machine, the same credentials are

76 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Viewing and changing the status of servers 4
used to access the other machine. If you supply credentials that are valid
on the remote machine but not on the machine running the CMS, then
you receive an error message.
The CCM performs the action and refreshes the list of servers.
To start, stop, or restart a UNIX server with the CCM
Use the ccm.sh script. For reference, see the BusinessObjects Enterprise
Administrator’s Reference Guide.

Stopping a Central Management Server


If your BusinessObjects Enterprise installation has a single Central
Management Server (CMS), shutting it down will make BusinessObjects
Enterprise unavailable to your users and will interrupt the processing of
reports and programs. Before stopping your CMS, you may wish to disable
your processing servers so that they can finish any jobs in progress before
BusinessObjects Enterprise shuts down. See “Enabling and disabling
servers” on page 77 for more information.
If you have a CMS cluster consisting of more than one active CMS, you can
shut down a single CMS without losing data or affecting system functionality.
The other CMS in the cluster will assume the workload of the stopped server.
Using a CMS cluster enables you to perform maintenance on each of your
Central Management Servers in turn without taking BusinessObjects
Enterprise out of service.
For more information on CMS clusters, see “Clustering Central Management
Servers” on page 86.

Enabling and disabling servers


When you disable a BusinessObjects Enterprise server, you prevent it from
receiving and responding to new BusinessObjects Enterprise requests, but
you do not actually stop the server process. This is especially useful when
you want to allow a server to finish processing all of its current requests
before you stop it completely.
For example, you may want to stop a Job Server before rebooting the
machine it is running on. However, you want to allow the server to fulfill any
outstanding report requests that are in its queue. First, you disable the Job
Server so it cannot accept any additional requests. Next, go to the Central
Management Console to monitor when the server completes the jobs it has in
progress. (From the Servers management area, choose the server name and
then the metrics tab). Then, once it has finished processing current requests,
you can safely stop the server.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 77


4 Managing and Configuring Servers
Viewing and changing the status of servers

Note: The CMS must be running in order for you to enable and/or disable
other servers.
To enable and disable servers with CMC
1. Go to the Servers management area of the CMC.
The icon associated with each server identifies its status. In this example,
the Event Server is disabled (but not stopped), and the remaining servers
are running and enabled.

1. Select the check box for the server whose status you want to change.
2. Depending upon the action you need to perform, click Enable or Disable.
To enable or disable a Windows server with the CCM
1. Start the CCM.
2. On the toolbar, click Enable/Disable.
3. When prompted, log on to your CMS with the credentials that provide you
with administrative privileges to BusinessObjects Enterprise.
4. Click Connect.
The Enable/Disable Servers dialog box appears.

78 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Viewing and changing the status of servers 4
This dialog box lists all of the BusinessObjects Enterprise servers that
are registered with your CMS, including servers running on remote
machines. By default, servers running on remote machines are displayed
as MACHINE.servertype. In this example, all of the listed servers are
currently enabled.
5. To disable a server, clear the check box in the Server Name column.
6. Click OK to effect your changes and return to the CCM.
To enable or disable a UNIX server with the CCM
Use the ccm.sh script. For reference, see the BusinessObjects Enterprise
Administrator’s Reference Guide.

Printing, copying, and refreshing server status


When using the CCM on Windows, you can print and copy the properties of a
server, and refresh the list of servers.
To print the status of a server
1. Start the CCM.
2. Select the server(s).
3. Click Print.
The Print dialog box appears.
4. Click OK.
A brief listing of the server’s properties is printed, including the Display
Name, Version, Command Line, Status, and so on.
To copy the status of a server
To save the status of a server, you can copy the details from the CCM to a
document or to an email message (if you want to send the status information
to someone else).
1. Start the CCM.
2. Select the server(s).
3. Click Copy.
4. Paste the information into a document for future reference.
To refresh the list of servers
• To ensure you are looking at the latest information, click Refresh.
Note: Disabled servers may not appear in this list. Click Enable/Disable to
view a list of servers and ensure that each is enabled.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 79


4 Managing and Configuring Servers
Configuring the application tier

Configuring the application tier


This section includes technical information and procedures that show how
you can modify settings for the application tier.

The majority of the settings discussed here allow you to integrate


BusinessObjects Enterprise more effectively with your current hardware,
software, and network configurations. Consequently, the settings that you
choose will depend largely upon your own requirements.
Note: This section does not show how to configure your Web application
server to deploy BusinessObjects Enterprise applications. This task is
typically performed when you install BusinessObjects Enterprise. For details,
see the BusinessObjects Enterprise Installation Guide. For further
troubleshooting, see “Working with Firewalls” on page 161.

Configuring the Web Component Adapter


The WCA provides support for the Central Management Console and CSP
applications. The Web Component Adapter is a web application. It does not
appear as a server in the Central Management Console or in the Central
Configuration Manager.
To configure the WCA, edit either of the following files, depending on whether
you are running the system on a Java or .NET platform:
• On a Java platform edit the web.xml file associated with the WCA. See
“Configuring the Java Web Component Adapter” on page 81.
• On a .NET platform edit the web.config file associated with the WCA.
See “Configuring the .NET Web Component Adapter” on page 84.

80 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the application tier 4
Configuring the Java Web Component Adapter
To configure the Java WCA you edit the web.xml file associated with the WCA:
• Windows: C:\Program Files\Business
Objects\BusinessObjects Enterprise
11.5\java\applications directory
• UNIX: WEB-INF subdirectory of the webcompadapter.war archive file
stored in the bobje_root/enterprise115/java/applications
directory
For example, the context parameter that controls whether a group tree will be
generated looks like this:
<context-param>
<param-name>viewrpt.groupTreeGenerate</param-name>
<param-value>true</param-value>
<desctiption>”true” or “false” value determining whether
a group tree will be generated.</description>
</context-param>
To change the value of a context parameter, edit the value between the
<param-value> </param-value> tags.

To configure web.xml
Note: Your Java Web Application Server may provide tools to allow you to
edit web.xml directly from an administrative console.Otherwise use the
following procedure to configure web.xml.
1. Stop your application server.
2. Extract the web.xml file from the webcompadapter.war archive.
3. Edit the file by using a text editor such as Notepad or vi.
4. Reinsert the file into the WEB-INF directory in webcompadapter.war.
Tip: To reinsert web.xml into WEB-INF using WinZip, right-click on the
WEB-INF directory that contains your edited web.xml file and select “Add
to Zip File...”. Adding the file in this way ensures that it is placed in the
correct directory inside the archive.
5. Restart your application server.
When you install more than one WCA, each webcomponentadapter.war file
contains its own web.xml file containing configuration parameters for that
WCA. However, you can only set the parameters listed in the following table
individually for each WCA. The remaining parameters must be the same for
all WCA in your system.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 81


4 Managing and Configuring Servers
Configuring the application tier

Context Parameter Description


display-name Equivalent to WCA name.
cspApplication.defaultPage The default page that will be loaded if no
filename is specified in a particular request.
cspApplication.dir This is the real path to the directory
containing the CSP/WAS application(s)
that you would like to host. This is a
required field.
connection.cms This is the name (or name and port
number) of the CMS that you would like
your application(s) to connect to.
connection.listeningPort This field defaults to the port that the WCA
related servlets are running on.
log.file Filename of the logfile including full real
path to file, excluding extension. Defaults
to WCA with no path
log.ext File extension of logfile, defaults to .log
log.isRolling Determines whether or not the logs will be
rotated, defaults to true.
log.size If log rolling is turned on, this will govern
the max size before logfile is rotated.
Accepted suffix: MB, KB and GB.
log.level The default loglevel is “error.”
log.entryPattern Please refer to log4j documentation for
accepted log entry patterns.

Changing the default session timeout value for the Java CMC
The default session timeout value is 20 minutes in the CMC. Use this
procedure if you want to modify the default session timeout value.
To change the sesion timeout value
1. Verify that the Java SDK is installed and its location is in your PATH
environement variable.
If you are able to execucute the jar command, and receive usage
information on the command, proceed to the next step. If you receive a
error message, install the JAVA SDK and add is location to your PATH.
2. Stop the Web application server on the machine where
webcompadapter.war is deployed.

82 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the application tier 4
3. Extract the web.xml file from the directory where webcompadapter.war is
deployed.
jar -xvf webcompadapter.war WEB-INF/web.xml
4. Open web.xml in a text editor like Notepad and search for the following
section:
<session-config>
<session-timeout>20</session-timeout>
</session-config>
5. Change the value between <session-timeout> to the number of minutes
you require for the session to timeout.
6. Save web.xml.
7. Update the webcompadapter.war with the modified web.xml file. Use the
following command:
jar -uvf webcompadapter.war WEB-INF/web.xml
8. Restart you web application server and reploy webcompadapter.war.

Changing the default session timeout value for the Java InfoView
The default session timeout value is 20 minutes in the InfoView. Use this
procedure if you want to modify the default session timeout value.
To change the sesion timeout value for InfoView
1. Verify that the Java SDK is installed and its location is in your PATH
environement variable.
If you are able to execucute the jar command, and receive usage
information on the command, proceed to the next step. If you receive a
error message, install the JAVA SDK and add is location to your PATH.
2. Stop the Web application server on the machine where desktop.war is
deployed.
3. Extract the web.xml file from the directory where desktop.war is deployed
or edit the deployed web.xml file.
• To extract web.xml, issue the following command.
jar -xvf desktop.war WEB-INF/web.xml
Note: Instead of extracting the web.xml from the specified location, you
can edit web.xml from the deployed location. If you installed Tomcat with
your installation, you can find this file in this location:
C:\Program Files\Business Objects\Tomcat\webapps
\businessobjects\enterprise115\desktoplaunch\WEB-INF
4. Open web.xml in a text editor like Notepad and search for the following
section:

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 83


4 Managing and Configuring Servers
Configuring the application tier

<session-config>
<session-timeout>20</session-timeout>
</session-config>
5. Change the value between <session-timeout> to the number of minutes
you require for the session to timeout.
6. Save web.xml.
7. Update the desktop.war with the modified web.xml file. Use the following
command:
jar -uvf desktop.war WEB-INF/web.xml
Note: This step is not required if you did not extract the web.xml file.
8. Restart you web application server and reploy desktop.war.
Note: You don’t need to redploy desktop.war if you edited the web.xml
file from the deployed location; Restarting your web application server
will suffice.

Configuring the .NET Web Component Adapter


To configure the .NET WCA you edit the web.config file associated with the
the WCA. This file is located in the following directory:
C:\Program Files\Business Objects\BusinessObjects Enterprise
11.5\Web Content\application
For example, the context parameter that controls whether a group tree will be
generated looks like this:
To configure web.config
Note: Your .NET Web Application Server may provide tools to allow you to
edit web.config directly from an administrative console.
1. Stop your application server.
2. Edit the web.config file by using a text editor such as Notepad.
3. Restart your application server.

Parameter Description
display-name Equivalent to WCA name.
cspApplication.defaultPage The default page that will be loaded if no
filename is specified in a particular request.
connection.cms This is the name (or name and port
number) of the CMS that you would like
your application(s) to connect to.

84 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the intelligence tier 4
Parameter Description
connection.listeningPort This field defaults to the port that the WCA
related servlets are running on.
log.file Filename of the logfile including full real
path to file, excluding extension. Defaults
to WCA with no path
log.ext File extension of logfile, defaults to .log
log.isRolling Determines whether or not the logs will be
rotated, defaults to true.
log.size If log rolling is turned on, this will govern
the max size before logfile is rotated.
Accepted suffix: MB, KB and GB.
log.level The default loglevel is “error.”
log.entryPattern Please refer to log4j documentation for
accepted log entry patterns.

Configuring the intelligence tier


This section includes technical information and procedures that show how
you can modify settings for the BusinessObjects Enterprise servers that make
up the intelligence tier.

The majority of the settings discussed here allow you to integrate


BusinessObjects Enterprise more effectively with your current hardware,
software, and network configurations. Consequently, the settings that you
choose will depend largely upon your own requirements.
Configuring the intelligence tier includes the following tasks:
• “Clustering Central Management Servers” on page 86
• “Copying data from one CMS database to another” on page 93
• “Deleting and recreating the CMS database” on page 97
• “Selecting a new or existing CMS database” on page 98
• “Setting root directories and idle times of the File Repository Servers” on
page 100

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 85


4 Managing and Configuring Servers
Configuring the intelligence tier

• “Modifying Cache Server performance settings” on page 101


• “Modifying the polling time of the Event Server” on page 104

Clustering Central Management Servers


If you have a large or mission-critical implementation of BusinessObjects
Enterprise, you will probably want to run several CMS machines together in a
CMS cluster. A CMS cluster consists of two or more CMS servers working
together to maintain the system database. If a machine that is running one
CMS fails, a machine with another CMS will continue to service
BusinessObjects Enterprise requests. This “failover” support helps to ensure
that BusinessObjects Enterprise users can still access information when
there is equipment failure.
This section shows how to add a new CMS cluster member to a production
system that is already up and running. When you add a new CMS to an
existing cluster, you instruct the new CMS to connect to the existing CMS
database and to share the processing workload with any existing CMS
machines. For information about your current CMS and CMS cluster, go to
the Settings management area of the CMC and click the Cluster tab.
Before clustering CMS machines, you must make sure that each CMS is
installed on a system that meets the detailed requirements (including version
levels and patch levels) for operating system, database server, database
access method, database driver, and database client outlined in the
platforms.txt file included in your product distribution.
In addition, you must meet the following clustering requirements:
• For best performance, the database server that you choose to host the
system database must be able to process small queries very quickly. The
CMS communicates frequently with the system database and sends it
many small queries. If the database server is unable to process these
requests in a timely manner, BusinessObjects Enterprise performance
will be greatly affected.
• For best performance, run each CMS cluster member on a machine that
has the same amount of memory and the same type of CPU.
• Configure each machine similarly:
• Install the same operating system, including the same version of
operating system service packs and patches.
• Install the same version of BusinessObjects Enterprise (including
patches, if applicable).

86 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the intelligence tier 4
• Ensure that each CMS connects to the CMS database in the same
manner: whether you use native or ODBC drivers, ensure that the
drivers are the same on each machine, and are a supported version.
• Ensure that each CMS uses the same database client to connect to
its system database, and that it is a supported version.
• Check that each CMS uses the same database user account and
password to connect to the CMS database. This account must have
create, delete, and update rights on the system database.
• Run each CMS service/daemon under the same account. (On
Windows, the default is the “LocalSystem” account.)
• Verify that the current date and time are set correctly on each CMS
machine (including settings for daylight savings time).
• Ensure that each and every CMS in a cluster is on the same Local Area
Network.
• If you wish to enable auditing, each CMS must be configured to use the
same auditing database and to connect to it in the same manner. The
requirements for the auditing database are the same as those for the
system database in terms of database servers, clients, access methods,
drivers, and user IDs.
Tip: By default, a CMS cluster name reflects the name of the first CMS that
you install, but the cluster name is prefixed by the @ symbol. For instance, if
your existing CMS is called BUSINESSOBJECTSCMS, then the default cluster
name is @BUSINESSOBJECTSCMS. To modify the default name, see “Preparing
to migrate a CMS database” on page 90.
There are two ways to add a new CMS cluster member. Follow the
appropriate procedure, depending upon whether or not you have already
installed a second CMS:
• “Installing a new CMS and adding it to a cluster” on page 88
See this section if you have not already installed the new CMS on its own
machine.
• “Adding an installed CMS to a cluster” on page 88
Follow this procedure if you have already installed a second, independent
CMS on its own machine. While testing various server configurations, for
instance, you might have set up an independent BusinessObjects
Enterprise system with its own CMS. Follow this procedure when you
want to incorporate this independent CMS into your production system.
Note: Back up your current CMS database before making any changes. If
necessary, contact your database administrator.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 87


4 Managing and Configuring Servers
Configuring the intelligence tier

Installing a new CMS and adding it to a cluster


When you install a new CMS, you can quickly cluster it with your existing CMS.
Run the BusinessObjects Enterprise installation and setup program on the
machine where you want to install the new CMS cluster member. The setup
program allows you to perform an Expand installation. During the Expand
installation, you specify the existing CMS whose system you want to expand,
and you select the components that want to install on the local machine. In
this case, specify the name of the CMS that is running your existing system,
and choose to install a new CMS on the local machine. Then provide the
Setup program with the information it needs to connect to your existing CMS
database. When the Setup program installs the new CMS on the local
machine, it automatically adds the server to your existing CMS cluster.
For complete requirements for CMS added to a cluster, see “Clustering
Central Management Servers” on page 86. For complete information on
running the Setup program and performing the Expand installation, see the
BusinessObjects Enterprise Installation Guide.

Adding an installed CMS to a cluster


In these steps, the independent CMS refers to the one that you want to add to
a cluster. You will add the independent CMS to your production CMS cluster.
By adding an independent CMS to a cluster, you disconnect the independent
CMS from its own database and instruct it to share the system database that
belongs to your production CMS.
Before starting this procedure, ensure that you have a database user account
with Create, Delete, and Update rights to the database storing the
BusinessObjects Enterprise tables. Ensure also that you can connect to the
database from the machine that is running the independent CMS (through
your database client software or through ODBC, according to your
configuration). Also ensure that the CMS you are adding to the cluster meets
the requirements outlined in “Clustering Central Management Servers” on
page 86.
Note: Back up your current CMS database before beginning this procedure.
If necessary, contact your database administrator.
To add an installed CMS to a cluster on Windows
1. Use the CCM to stop the independent Central Management Server.
2. With the CMS selected, click Specify CMS Data Source on the toolbar.

88 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the intelligence tier 4
The CMS Database Setup dialog box appears.

3. Click Select a Data Source; then click OK.


4. In the Select Database Driver dialog box, specify whether you want to
connect to the production CMS database through ODBC, or through one
of the native drivers.
5. Click OK.
6. The remaining steps depend upon the connection type you selected:
• If you selected ODBC, the Windows “Select Data Source” dialog box
appears. Select the ODBC data source that corresponds to your
production CMS database; then click OK. If prompted, provide your
database credentials and click OK. The CCM connects to the
database server and adds the new CMS to the cluster.
• If you selected a native driver, you are prompted for your database
Server Name, your Login ID, and your Password. Once you provide
this information, the CCM connects to the database server and adds
the new CMS to the cluster.
The SvcMgr dialog box notifies you when the CMS database setup is
complete.
7. Click OK.
8. Start the Central Management Server.
To add an installed CMS to a cluster on UNIX
Use the cmsdbsetup.sh script. For reference, see the BusinessObjects
Enterprise Administrator’s Reference Guide.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 89


4 Managing and Configuring Servers
Configuring the intelligence tier

Adding clustered CMSs to the web.xml file


If you have added additional CMSs, and you are using a Java application
server, you will need to modify the web.xml file with your changes.
To modify the web.xml to define CMS clusters
1. Open the web.xml from the following location:
C:\Program Files\Business
Objects\Tomcat\webapps\businessobjects\enterprise115\
desktoplaunch\WEB-INF
2. Locate the following section in the file:
<!-- EXAMPLE:
<context-param>
<param-name>cms.clusters</param-name>
3. Remove the comment tags from this section in the file.
4. In the first param-value tag, list the names of each cms cluster.
Begin each cluster name with a “@” and separate each cluster name with
a comma.
5. In the second param-name tag, add the name of the first cms cluster.
Note: Do not start the cluster name with a “@”.Each cluster name must
be entered in the same case as in the previous step.
6. In the second param-value tag, list the name of each CMS in that
cluster and enter the port number for the CMS if required.
Note: Separate each CMS name with a comma. The port number is
separted from the CMS name with a colon; The port number is assumed
to be 6400 unless it is specified
Note: Repeat the procedure for each CMS cluster you have.
7. Save your changes.
8. Restart your application server.

Preparing to migrate a CMS database


Before migrating a CMS database, take the source and the destination
environments offline by disabling and subsequently stopping all servers. Back
up both CMS databases, and back up the root directories used by all Input
and Output File Repository Servers. If necessary, contact your database or
network administrator.
Ensure that you have a database user account that has permission to read all
data in the source database, and a database user account that has Create,
Delete, and Update rights to the destination database. Ensure also that you

90 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the intelligence tier 4
can connect to both databases—through your database client software or
through ODBC, according to your configuration—from the CMS machine
whose database you are replacing.
Make a note of the license keys you purchased for the current version of
BusinessObjects Enterprise. During migration, license keys that are present
in the destination database are retained only if the source database contains
no license keys that are valid for the current version of BusinessObjects
Enterprise. License keys in the destination database are replaced with license
keys from the source database when the source license keys are valid for the
current version of BusinessObjects Enterprise. License keys from earlier
versions of Crystal Enterprise are not copied.
If you are copying CMS data from a different CMS database (version 8.0, 8.5,
9, or 10 of Crystal Enterprise or version XI of BusinessObjects Enterprise)
into your current CMS database, your current CMS database is the
destination database whose tables are deleted before they are replaced with
the copied data. In this scenario, make note of the current root directories
used by the Input and Output File Repository Servers in the source
environment. The database migration does not actually move report files from
one directory location to another. After you migrate the database, you will
connect your new Input and Output File Repository Servers to the old root
directories, thus making the report files available for the new system to
process. Log on with an administrative account to the CMS machine whose
database you want to replace. Complete the procedure that corresponds to
the version of the source environment:
• “Copying data from one CMS database to another” on page 93
If you are copying a CMS database from its current location to a different
database server, your current CMS database is the source environment. Its
contents are copied to the destination database, which is then established as
the active database for the current CMS. This is the procedure to follow if you
want to move the default CMS database on Windows from the local Microsoft
Data Engine (MSDE) to a dedicated database server, such as Microsoft SQL
Server, Informix, Oracle, DB2, or Sybase. Log on with an administrative
account to the machine that is running the CMS whose database you want to
move. Complete the following procedure:
• “Copying data from one CMS database to another” on page 93
Note:
• When you migrate a CMS database from an earlier version of Crystal
Enterprise, the database and database schema are upgraded to the
format required by the current version of BusinessObjects Enterprise.
• When you copy data from one database to another, the destination
database is initialized before the new data is copied in. That is, if your
destination database does not contain the four BusinessObjects

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 91


4 Managing and Configuring Servers
Configuring the intelligence tier

Enterprise XI system tables, these tables are created. If the destination


database does contain BusinessObjects Enterprise XI system tables, the
tables will be permanently deleted, new system tables will be created,
and data from the source database will be copied into the new tables.
Other tables in the database, including previous versions of Crystal
Enterprise system tables, are unaffected.

Changing the name of a CMS cluster


By default, a CMS cluster name reflects the name of the first CMS that you
install, but the cluster name is prefixed by the @ symbol. For instance, if your
existing CMS is called BUSINESSOBJECTSCMS, then the default cluster name
is @BUSINESSOBJECTSCMS.
This procedure allows you to change the name of a cluster that is already
installed and running. To change the cluster name, you need only stop one of
the CMS cluster members. The remaining CMS cluster members are
dynamically notified of the change.
For optimal performance, after changing the name of the CMS cluster
reconfigure each Business Objects server so that it registers with the CMS
cluster, rather than with an individual CMS.
To change the cluster name on Windows
1. Use the CCM to stop any Central Management Server that is a member
of the cluster.
2. With the CMS selected, click Properties on the toolbar.
3. Click the Configuration tab.
4. Select the Change Cluster Name to check box.
5. Type the new name for the cluster.
6. Click OK and then start the Central Management Server.
The CMS cluster name is now changed. All other CMS cluster members
are dynamically notified of the new cluster name (although it may take
several minutes for your changes to propagate across cluster members).
7. Go to the Servers management area of the CMC and check that all of
your servers remain enabled. If necessary, enable any servers that have
been disabled by your changes.
To change the cluster name on UNIX
Use the cmsdbsetup.sh script. For reference, see the BusinessObjects
Enterprise Administrator’s Reference Guide.

92 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the intelligence tier 4
To register servers with the CMS cluster on Windows
1. Use the CCM to stop a Business Objects server.
2. Select the server from the list, and then click Properties.
3. Click the Configuration tab.
4. In the CMS Name box, type the name of the cluster.
The name of the cluster begins with the @ symbol. For example, if the
cluster name was changed to ENTERPRISE, type @ENTERPRISE in the box.
5. Click OK, and then start the server. Repeat for each Business Objects
server in your installation.
To registers servers with the CMS cluster on UNIX
1. Use ccm.sh to stop each server.
2. Use a text editor such as vi to open the ccm.config file found in the
root directory of your BusinessObjects Enterprise installation.
3. Find the -ns command in the launch string for each server, and change
the name of the CMS to the name of the CMS cluster.
The name of the cluster begins with the @ symbol. For example, if the
cluster name was changed to ENTERPRISE, type @ENTERPRISE. Do not
include a port number with the cluster name.
4. Save the file, and then use ccm.sh to restart the servers.

Copying data from one CMS database to another


BusinessObjects Enterprise enables you to copy the contents of one CMS
database into another database. This procedure is also referred to as
migrating a CMS database. You can migrate CMS data from a different CMS
database (versions 8.5 through 10 of Crystal Enterprise and version XI of
BusinessObjects Enterprise) into your current CMS database. Or, you can
migrate the data from your current CMS database into a different data source.
Throughout this section, the source CMS database refers to the database that
holds the data you are copying; this data is copied into the destination
database. The destination database is initialized before the new data is
copied in, so any existing contents of the destination database are
permanently deleted (all BusinessObjects Enterprise tables are destroyed
permanently and then recreated). Once the data has been copied, the
destination database is established as the current database for the CMS.
Note: Prior to BusinessObjects Enterprise XI, the CMS was known as Crystal
Management Server, and also as the Automated Process Scheduler (APS).

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 93


4 Managing and Configuring Servers
Configuring the intelligence tier

Tip: If you want to import users, groups, folders, and reports from one system
to another, without deleting the contents of the current CMS database, see
“Using the Import Wizard” on page 387.
Depending on the platform of your system and the version of your CMS
database, migrating a CMS database will include several of the following tasks:
• “Preparing to migrate a CMS database” on page 90
• “Changing the name of a CMS cluster” on page 92
When you finish copying data from the source database to the destination
database, complete these steps before allowing users to access the system.
When migrating from an older version of Crystal Enterprise, servers that
existed in the source installation do not appear in the migrated install. This
occurs because there cannot be a mix of old and new servers in a
BusinessObjects Enterprise installation.
Server groups from the old installation appear in the new system, but they will
be empty. New servers are automatically detected and added to the servers
list (outside of any group) in a disabled state. You must enable these servers
before they can be used. You may add the new servers to the imported
groups as appropriate.
Reports that depend on a particular server group for scheduled processing
will not execute until a job server is added to that group. Reports that depend
on a particular server group for processing are not available until servers are
added to that group.
To complete a CMS database migration on Windows
1. If errors occurred during migration, a db_migration log file was created
in the logging directory on the machine where you ran the CCM to carry
out the migration. The CCM will notify you if you need to check the log file.
The default logging directory is:
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\Logging\
2. If you migrated CMS data from a different CMS database into your
current CMS database, you need to make your old input and output
directories available to the new Input and Output File Repository Servers.
You can do this in several ways:
• Copy the contents of the original input root directory into the root
directory that the new Input File Repository Server is already
configured to use. Then copy the contents of the original output
directory into the root directory that the new Output File Repository is
already configured to use.

94 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the intelligence tier 4
• Reconfigure the new Input and Output File Repository Servers to use
the old input and output root directories.
• If the old Input and Output File Repository Servers are running on a
dedicated machine, you can run the BusinessObjects Enterprise
setup program to upgrade the servers directly. Then you need not
move the input and output directories. Instead, modify the -ns option
in both servers’ command lines to have them register with your new
CMS.
3. Use the Central Configuration Manager (CCM) to start the CMS on the
local machine.
4. Make sure your web application server is running.
5. Log on to the Central Management Console with the default
Administrator account, using Enterprise authentication.
Tip: If you just replaced your CMS database with data from an older
system, keep in mind that you now need to provide the Administrator
password that was valid in the older system.
6. Go to the Authorization management area and check that your
BusinessObjects Enterprise license keys are entered correctly.
7. In the CCM, start and enable the Input File Repository Server and the
Output File Repository Server.
8. Go to the Servers management area of the Central Management
Console and verify that the Input File Repository Server and the Output
File Repository Server are both started and enabled.
9. Click the link to each File Repository Server and, on the Properties tab,
check that the Root Directory points to the correct location.
10. Return to the Central Configuration Manager.
11. If objects in your source database require updating, the Update Objects
button on the toolbar contains a flashing red exclamation mark. Click
Update Objects.
12. When prompted, log on to your CMS with credentials that provide you
with administrative privileges to BusinessObjects Enterprise.
The Update Objects dialog box tells you how many objects require
updating. Objects typically require updating because their internal
representation has changed in the new version of BusinessObjects
Enterprise, or because the objects require new properties to support the
additional features offered by BusinessObjects Enterprise XI. Because
your Central Management Server was stopped when the migration
occurred, you need to update the objects now.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 95


4 Managing and Configuring Servers
Configuring the intelligence tier

13. If there are objects that require updating, click Update, otherwise click
Cancel.
14. Start and enable the remaining BusinessObjects Enterprise servers.
Verify that BusinessObjects Enterprise requests are handled correctly, and
check that you can view and schedule reports successfully.
To complete a CMS database migration on UNIX
1. If errors occurred during migration, a db_migration log file was created
in the logging directory on the machine where you ran cmsdbsetup.sh
to carry out the migration. The script will notify you if you need to check
the log file.
The default logging directory is:
BusinessObjects_root/logging
where BusinessObjects_root is the absolute path to the root Business
Objects directory of your BusinessObjects Enterprise installation.
2. If you migrated CMS data from a different CMS database into your
current CMS database, you need to make your old input and output
directories available to the new Input and Output File Repository Servers.
You can do this in several ways:
• Copy the contents of the original input root directory into the root
directory that the new Input File Repository Server is already
configured to use. Then copy the contents of the original output
directory into the root directory that the new Output File Repository is
already configured to use.
• Reconfigure the new Input and Output File Repository Servers to use
the old input and output root directories.
• If the old Input and Output File Repository Servers are running on a
dedicated machine, you can run the BusinessObjects Enterprise
setup program to upgrade the servers directly. Then you need not
move the input and output directories. Instead, modify the -ns option
in both servers’ command lines to have them register with your new
CMS. For more information, see “Setting root directories and idle
times of the File Repository Servers” on page 100.
3. Use the ccm.sh script to start the CMS on the local machine. See the
BusinessObjects Enterprise Administrator’s Reference Guide for more
information.
4. Ensure that the Java web application server that hosts your Web
Component Adapter is running.
5. Log on to the Central Management Console with the default
Administrator account, using Enterprise authentication.

96 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the intelligence tier 4
Tip: If you just replaced your CMS database with data from an older
system, keep in mind that you now need to provide the Administrator
password that was valid in the older system.
6. Go to the Authorization management area and check that your
BusinessObjects Enterprise license keys are entered correctly.
7. Use the ccm.sh script to start and enable the Input File Repository
Server and the Output File Repository Server.
8. Go to the Servers management area of the Central Management
Console and verify that the Input File Repository Server and the Output
File Repository Server are started and enabled.
9. Click the link to each File Repository Server and, on the Properties tab,
check that the Root Directory points to the correct location.
10. Run the ccm.sh script again. If you migrated a source database from an
earlier version of BusinessObjects Enterprise, enter the following
command:
./ccm.sh -updateobjects authentication info
See the BusinessObjects Enterprise Administrator’s Reference Guide for
information on the authentication information required by ccm.sh.
Objects typically require updating because their internal representation
has changed in the new version of BusinessObjects Enterprise, or
because the objects require new properties to support the additional
features offered by BusinessObjects Enterprise XI.
11. Use ccm.sh to start and enable the remaining BusinessObjects
Enterprise servers.
12. Verify that BusinessObjects Enterprise requests are handled correctly,
and check that you can view and schedule reports successfully.

Deleting and recreating the CMS database


This procedure shows how to recreate (re-initialize) the current CMS
database. By performing this task, you destroy all data that is already present
in the database. This procedure is useful, for instance, if you have installed
BusinessObjects Enterprise in a development environment for designing and
testing your own, custom web applications. You can re-initialize the CMS
database in your development environment every time you need to clear the
system of absolutely all its data.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 97


4 Managing and Configuring Servers
Configuring the intelligence tier

When you recreate the CMS database with the CCM, your existing license
keys should be retained in the database. However, if you need to enter
license keys again, log on to the CMC with the default Administrator account
(which will have been reset to have no password). Go to the Authorization
management area and enter your information on the License Keys tab.
Note: Remember that all data in your current CMS database will be
destroyed if you follow this procedure. Consider backing up your current CMS
database before beginning. If necessary, contact your database administrator.
To recreate the CMS database on Windows
1. Use the CCM to stop the Central Management Server.
2. With the CMS selected, click Specify CMS Data Source on the toolbar.
3. In the CMS Database Setup dialog box, click Recreate the current Data
Source.
4. Click OK and, when prompted to confirm, click Yes.
The SvcMgr dialog box notifies you when the CMS database setup is
complete.
5. Click OK.
You are returned to the CCM.
6. Start the Central Management Server.
While it is starting, the CMS writes required system data to the newly
emptied data source. You may need to click the Refresh button in the
CCM to see that the CMS has successfully started.
To recreate the CMS database on UNIX
Use the cmsdbsetup.sh script. For reference, see the BusinessObjects
Enterprise Administrator’s Reference Guide.

Selecting a new or existing CMS database


Follow this procedure if you want to disconnect a CMS from its current
database and connect it to an alternate database. When you complete these
steps, none of the data in the current database is copied into the alternate
database. If the alternate database is empty, the CCM initializes it by writing
system data that is required by BusinessObjects Enterprise. If the alternate
database already contains BusinessObjects Enterprise system data, the CMS
uses that data when it starts.
Generally, there are only a few times when you need to complete these steps:

98 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the intelligence tier 4
• If you have changed the password for the current CMS database, these steps
allow you to disconnect from, and then reconnect to, the current database.
When prompted, you can provide the CMS with the new password.
• If you want to select and initialize an empty database for BusinessObjects
Enterprise, these steps allow you to select that new data source.
• If you have restored a CMS database from backup (using your standard
database administration tools and procedures) in a way that renders the
original database connection invalid, you will need to reconnect the CMS
to the restored database. (This might occur, for instance, if you restored
the original CMS database to a newly installed database server.)
Note: These steps are essentially the same as adding a CMS to an existing
cluster; in this case, however, there are no other CMS machines already
maintaining the database. For complete details about CMS clusters, see
“Clustering Central Management Servers” on page 86.
To select a new or existing database for a CMS on Windows
1. Use the CCM to stop the Central Management Server.
2. With the CMS selected, click Specify CMS Data Source on the toolbar.
The CMS Database Setup dialog box appears.

3. Click Select a Data Source; then click OK.


4. In the Select Database Driver dialog box, specify whether you want to
connect to the new database through ODBC, or through one of the native
drivers.
5. Click OK.
6. The remaining steps depend upon the connection type you selected:

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 99


4 Managing and Configuring Servers
Configuring the intelligence tier

• If you selected ODBC, the Windows “Select Data Source” dialog box
appears. Select the ODBC data source that you want to use as the
CMS database; then click OK. (Click New to configure a new DSN.)
When prompted, provide your database credentials and click OK.
• If you selected a native driver, you are prompted for your database
Server Name, your Login ID, and your Password. Provide this
information and then click OK.
The SvcMgr dialog box notifies you when the CMS database setup is
complete.
7. Click OK.
8. Start the Central Management Server.
To select a new or existing database for a CMS on UNIX
Use the cmsdbsetup.sh script. For reference, see the BusinessObjects
Enterprise Administrator’s Reference Guide

Setting root directories and idle times of the File


Repository Servers
The Properties tabs of the Input and Output File Repository Servers enable
you to change the locations of the default root directories. These root
directories contain all of the report objects and instances on the system. You
may change these settings if you want to use different directories after
installing BusinessObjects Enterprise, or if you upgrade to a different drive
(thus rendering the old directory paths invalid).
Note:
• The Input and Output File Repository Servers must not share the same
root directory, because modifications to the files and subdirectories
belonging to one server could have adverse effects on the other server.
In other words, if the Input and Output File Repository Servers share the
same root directory, then one server might damage files belonging to the
other.
• If you run multiple File Repository Servers, all Input File Repository
Servers must share the same root directory, and all Output File
Repository Servers must share the same root directory (otherwise there
is a risk of having inconsistent instances).
• It is recommended that you replicate the root directories using a RAID
array or an alternative hardware solution.
• The root directory should be on a drive that is local to the server.

100 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the intelligence tier 4
You can also set the maximum idle time of each File Repository Server. This
setting limits the length of time that the server waits before it closes inactive
connections. Before you change this setting, it is important to understand that
setting a value too low can cause a user's request to be closed prematurely.
Setting a value that is too high can result the uneasier consumption of system
resources such as processing time and disk space.
To modify settings for a File Repository Server
1. Go to the Servers management area of the CMC.
2. Click the link to the File Repository Server you want to change.
By default, the File Repository Servers are named Input and Output,
respectively. If you run multiple instances of each server, their names
should be prefixed with “Input.” and “Output.” as appropriate.
3. Make your changes on the Properties tab.
In this example, the Input File Repository Server is set to use
D:\InputFRS\ as its root directory. The server will remain idle for a
maximum of 10 minutes.

4. Click either Apply or Update:


• Click Apply to submit changes and restart the server so that the
changes take effect immediately.
• Click Update to save the changes. You must restart the server for the
changes to take effect.

Modifying Cache Server performance settings


The Properties tab of the Cache Server allows you to set the location of the
cache files, the maximum cache size, the maximum number of simultaneous
processing threads, the number of minutes before an idle job is closed, and
the number of minutes between refreshes from the database.
To modify Cache Server performance settings
1. Go to the Servers management area of the CMC.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 101


4 Managing and Configuring Servers
Configuring the intelligence tier

2. Click the link to the Cache Server whose settings you want to change.
3. Make your changes on the Properties tab.
In this example, the Cache Server retains its default settings.

4. Click either Apply or Update:


• Click Apply to submit changes and restart the server so that the
changes take effect immediately.
• Click Update to save the changes. You must restart the server for the
changes to take effect.
Location of the Cache Files
The “Location of the Cache Files” setting specifies the absolute path to the
directory on the Cache Server machine where the cached report pages (.epf
files) are stored.
Note: The cache directory must be on a drive that is local to the server.
Maximum Cache Size Allowed
The “Maximum Cache Size Allowed” setting limits the amount of hard disk
space (in KBytes) that is used to cache reports. When the Cache Server has
to handle large numbers of reports, or reports that are especially complex, a
larger cache size is needed. The default value is 5000 Kbytes, which is large
enough to optimize performance for most installations.
Maximum Simultaneous Processing Threads
The “Maximum Simultaneous Processing Threads” setting limits the number
of concurrent reporting requests that the Cache Server processes. The
default value is set to “Automatic”, and is acceptable for most, if not all,
reporting scenarios. With this setting, the Cache Server sets the maximum
number of threads using the number of processors in your system as a guide.

102 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the intelligence tier 4
If your Cache Server responds slowly under high load, and resource
utilization on the machine is high (that is, either memory usage is high or CPU
utilization is high, particularly in the kernel), you may wish to decrease the
number of threads to improve performance. If the Cache Server is slow under
high load but CPU utilization is low, increasing the number of threads may
improve performance. However, the ideal setting for your reporting
environment is highly dependent upon your hardware configuration, your
database software, and your reporting requirements. Thus, it is
recommended that you contact your Business Objects sales representative
and request information about the BusinessObjects Enterprise Sizing Guide.
A Business Objects services consultant can then assess your reporting
environment and assist you in customizing these advanced configuration and
performance settings.
Minutes Before an Idle Connection is Closed
The “Minutes Before an Idle Connection is Closed” setting alters the length of
time that the Cache Server waits for further requests from an idle connection.
Before you change this setting, it is important to understand that setting a
value too low can cause a user’s request to be closed prematurely, and
setting a value that is too high can cause requests to be queued while the
server waits for idle jobs to be closed.
Share Report Data Between Clients
This setting appears only for Desktop Intelligence servers. Select to allow
users to share data from Desktop Intelligence documents with other users.
Viewer Refresh Always Yields Current Data
When enabled, the “Viewer Refresh Always Yields Current Data” setting
ensures that, when users explicitly refresh a report, all cached pages are
ignored, and new data is retrieved directly from the database.
When disabled, this setting prevents users from retrieving new data more
frequently than is permitted by the time specified in the “Minutes Between
Refreshes from Database” setting.
Oldest On-Demand Data Given To a Client (in minutes)
The “Oldest On-Demand Data Given To a Client (in minutes)” setting
determines how long cached report pages are used before new data is
requested from the database. This setting is respected for report instances
with saved data, and for report objects that do not have on-demand
subreports or parameters and that do not prompt for database logon
information. Generally, the default value of 15 minutes is acceptable: as with
other performance settings, the optimal value is largely dependent upon your
reporting requirements.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 103


4 Managing and Configuring Servers
Configuring the processing tier

Always Share Report Jobs


This setting appears only for Desktop Intelligence servers. Select to allow
users to share report jobs with other users by default.
Amount of Cache to Keep When Document Cache is Full
This setting appears only for the Desktop Intelligence Cache Server. Select a
percentage of the cache to keep. This setting helps reduce the load on the
Cache Server if you have a large deployment.

Modifying the polling time of the Event Server


The Properties tab of the Event Server allows you to change the frequency
with which the Event Server checks for file events. This “File Polling Interval in
Seconds” setting determines the number of seconds that the server waits
between polls. The minimum value is 1 (one). It is important to note that, the
lower the value, the more resources the server requires.
Tip: On Windows, you can also change this setting in the CCM. Stop the
Event Server and view its Properties. Then click the Configuration tab.
To modify the polling time
1. Go to the Servers management area of the CMC.
2. Click the link to the Event Server whose settings you want to change.
3. Make your changes on the Properties tab.
The value that you type must be 1 or greater.
4. Click Update.
5. Return to the Servers management area of the CMC.

Configuring the processing tier


This section includes technical information and procedures that show how
you can modify settings for the BusinessObjects Enterprise servers that make
up the processing tier. The processing tier includes different job servers, Page
Servers, Report Application Servers, and Web Intelligence Job Servers and
Web Intelligence Report Servers.

104 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4

The majority of the settings discussed here allow you to integrate


BusinessObjects Enterprise more effectively with your current hardware,
software, and network configurations. Consequently, the settings that you
choose will depend largely upon your own requirements.
Configuring the processing tier includes:
• “Modifying Page Server performance settings” on page 105
• “Modifying Desktop Intelligence Report Server performance settings” on
page 108
• “Modifying database settings for the RAS” on page 109
• “Modifying performance settings for the RAS” on page 111
• “Modifying performance settings for job servers” on page 112
• “Configuring the Web Intelligence Report Server” on page 113
• “Configuring the destinations for job servers” on page 116
• “Configuring Windows processing servers for your data source” on
page 123
• “Configuring UNIX processing servers for your data source” on page 124

Modifying Page Server performance settings


The Properties tab of the Page Server in the Central Management Console
lets you set the location of temporary files, the maximum number of
simultaneous report jobs, the minutes before an idle connection is closed, the
minutes before a processing job is closed, the number of database records to
read when previewing or refreshing a report, the oldest processed data to
give a client, and when to disconnect from the report job database.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 105


4 Managing and Configuring Servers
Configuring the processing tier

Note: For Desktop Intelligence documents, Page Server features are


handled by the Desktop Intelligence Report Server.
To modify Page Server performance settings
1. Go to the Servers management area of the CMC.
2. Click the link to the Page Server whose settings you want to change.
3. Make your changes on the Properties tab.
4. Click either Apply or Update:
• Click Apply to submit changes and restart the server so that the
changes take effect immediately.
• Click Update to save the changes. You must restart the server for the
changes to take effect.

Location of Temp Files


The “Location of Temp Files” setting specifies the absolute path to a directory
on the Page Server machine.This directory must have plenty of free hard disk
space. If not enough disk space is available, job processing may be slower
than usual, or job processing may fail.
Maximum Simultaneous Report Jobs
The “Maximum Simultaneous Report Jobs” setting limits the number of
concurrent reporting requests that any single Page Server processes. The
default value of 75 is acceptable for most, if not all, reporting scenarios. The
ideal setting for your reporting environment, however, is highly dependent

106 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4
upon your hardware configuration, your database software, and your
reporting requirements. Thus, it is difficult to discuss the recommended or
optimum settings in a general way. It is recommended that you contact your
Business Objects sales representative and request information about the
BusinessObjects Enterprise Sizing Guide. A Business Objects services
consultant can then assess your reporting environment and assist you in
customizing these advanced configuration and performance settings.
Minutes Before an Idle Connection is Closed
The “Minutes Before an Idle Connection is Closed” setting alters the length of
time that the Page Server waits for further requests from an idle connection.
Before you change this setting, it is important to understand that setting a
value too low can cause a user’s request to be closed prematurely. Setting a
value that is too high can cause system resources to be consumed for longer
than necessary.
Minutes before an Idle Report Job is Closed
The “Minutes before an Idle Report Job is Closed” setting alters the length of
time that the Page Server keeps a report job active. Before you change this
setting, it is important to understand that setting a value too low can cause a
user’s request to be closed prematurely. Setting a value that is too high can
cause system resources to be consumed for longer than necessary. (Note
that this setting works in conjunction with the “Report Job Database
Connection” setting.)
Database Records to Read When Previewing Or Refreshing a Report
The “Database Records to Read When Previewing Or Refreshing a Report”
area allows you to limit the number of records that the server retrieves from
the database when a user runs a query or report. This setting is useful when
you want to prevent users from running on-demand reports containing
queries that return excessively large record sets. You may prefer to schedule
such reports, both to make the reports available more quickly to users and to
reduce the load on your database from these large queries.
Oldest On-Demand Data Given to a Client (in minutes)
The “Oldest On-Demand Data Given To a Client (in minutes):” setting controls
how long the Page Server uses previously processed data to meet requests.
If the Page Server receives a request that can be met using data that was
generated to meet a previous request, and the time elapsed since that data
was generated is less than the value set here, then the Page Server will reuse
this data to meet the subsequent request. Reusing data in this way
significantly improves system performance when multiple users need the
same information. When setting the value of the “oldest processed data given
to a client” consider how important it is that your users receive up-to-date

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 107


4 Managing and Configuring Servers
Configuring the processing tier

data. If it is very important that all users receive fresh data (perhaps because
important data changes very frequently) you may need to disallow this kind of
data reuse by setting the value to 0.
Viewer Refresh Always Yields Current Data
When enabled, the “Viewer Refresh Always Yields Current Data” setting
ensures that, when users explicitly refresh a report, all previously processed
data is ignored, and new data is retrieved directly from the database. When
disabled, the setting ensures that the Page Server will treat requests
generated by a viewer refresh in exactly the same way as it treats as new
requests.
Report Job Database Connection
The “Report Job Database Connection” settings can be used to make a trade-
off between the number of database licenses you use and the performance
you can expect for certain types of reports.
If you select “Disconnect when all records have been retrieved or the job is
closed”, the Page Server will automatically disconnect from the report
database as soon as it has retrieved the data it needs to fulfill a request.
Selecting this option limits the amount of time that Page Server stays
connected to your database server, and therefore limits the number of
database licenses consumed by the Page Server.
However, if the Page Server needs to reconnect to the database to generate
an on-demand sub-report or to process a group-by-on-server command for
that report, performance for these reports will be significantly slower than if
you had selected “Disconnect when the job is closed”. (The latter option
ensures that Page Server stays connected to the database server until the
report job is closed. Note that you can set the “Minutes before a Report Job is
Closed” above.)

Modifying Desktop Intelligence Report Server


performance settings
The Properties tab of the Desktop Intelligence Report Server in the Central
Management Console allows you to configure many of the same settings as
the Page Server, plus additional report sharing settings.
To modify Desktop Intelligence Report Server performance settings
1. Go to the Servers management area of the CMC.
2. Click the link to the Desktop Intelligence Report Server whose settings
you want to change.
3. Make your changes on the Properties tab.

108 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4
The options include:
Share Report Data Between Clients
This setting appears only for Desktop Intelligence server. Select to allow
users to share data from Desktop Intelligence documents with other
users.
Viewer Refresh Always Yields Current Data
When enabled, the “Viewer Refresh Always Yields Current Data” setting
ensures that, when users explicitly refresh a report, all cached pages are
ignored, and new data is retrieved directly from the database.
When disabled, this setting prevents users from retrieving new data more
frequently than is permitted by the time specified in the “Minutes Between
Refreshes from Database” setting.
Oldest On-Demand Data Given To a Client (in minutes)
The “Oldest On-Demand Data Given To a Client (in minutes)” setting
determines how long cached report pages are used before new data is
requested from the database. This setting is respected for report
instances with saved data, and for report objects that do not have on-
demand subreports or parameters and that do not prompt for database
logon information. Generally, the default value of 15 minutes is
acceptable: as with other performance settings, the optimal value is
largely dependent upon your reporting requirements.
Always Share Report Jobs
This setting appears only for Desktop Intelligence servers. Select to allow
users to share report jobs with other users by default.
For more information on other settings, see “Modifying Page Server
performance settings” on page 105.
4. Click either Apply or Update:
• Click Apply to submit changes and restart the server so that the
changes take effect immediately.
• Click Update to save the changes. You must restart the server for the
changes to take effect.

Modifying database settings for the RAS


The Database tab of the Report Application Server (RAS) in the Central
Management Console lets you modify the way the server runs reports against
your databases.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 109


4 Managing and Configuring Servers
Configuring the processing tier

To modify database interaction settings for the RAS


1. Go to the Servers management area of the CMC.
2. Click the link to the RAS whose settings you want to change.
3. Make your changes on the Database tab.
4. Click either Apply or Update:
• Click Apply to submit changes and restart the server so that the
changes take effect immediately.
• Click Update to save the changes. You must restart the server for the
changes to take effect.
Tip: On Windows, you can also change these settings in the CCM. Stop the
RAS and view its Properties. Click the Parameters tab. From the Option Type
list, select Database.
Number of database records to read when previewing or refreshing a
report
The “Number of database records to read when previewing or refreshing a
report” area allows you to limit the number of records that the server retrieves
from the database when a user runs a query or report. This setting is
particularly useful if you provide users with ad hoc query and reporting tools,
and you want to prevent them from running queries that return excessively
large record sets.
When the RAS retrieves records from the database, the query results are
returned in batches. The “Number of records per batch” setting allows you to
determine the number of records that are contained in each batch. The batch
size cannot be equal to or less than zero.
Number of records to browse
The “Number of records to browse” setting allows you to specify the number
of distinct records that will be returned from the database when browsing
through a particular field’s values. The data will be retrieved first from the
client’s cache—if it is available—and then from the server’s cache. If the data
is not in either cache, it is retrieved from the database.
Oldest on-demand data given to a client (in minutes)
The “Oldest on-demand data given to a client (in minutes)” setting controls
how long the RAS uses previously processed data to meet requests. If the
RAS receives a request that can be met using data that was generated to
meet a previous request, and the time elapsed since that data was generated
is less than the value set here, then the RAS will reuse this data to meet the
subsequent request. Reusing data in this way significantly improves system
performance when multiple users need the same information. When setting
the value of the “oldest on-demand data given to a client” consider how

110 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4
important it is that your users receive up-to-date data. If it is very important
that all users receive fresh data (perhaps because important data changes
very frequently) you may need to disallow this kind of data reuse by setting
the value to 0. This is the default on the RAS, to support the data needs of
users performing ad hoc reporting.
Report Job Database Connection
The “Report Job Database Connection” settings can be used to make a trade-
off between the number of database licenses you use and the performance
you can expect for certain types of reports.
If you select “Disconnect when all records have been retrieved or the job is
closed”, the Report Application Server will automatically disconnect from the
report database as soon as it has retrieved the data it needs to fulfill a
request. Selecting this option limits the amount of time that RAS stays
connected to your database server, and therefore limits the number of
database licenses consumed by the RAS.
However, if the RAS needs to reconnect to the database to generate an on-
demand sub-report or to process a group-by-on-server command for that
report, performance for these reports will be significantly slower than if you had
selected “Disconnect when the job is closed”. (The latter option ensures that
RAS stays connected to the database server until the report job is closed.)

Modifying performance settings for the RAS


The Server tab of the Report Application Server (RAS) in the Central
Management Console allows you to modify the number of minutes before an
idle connection is closed, and the maximum number of simultaneous
processing threads.
Note: The RAS server must have been installed and configured in order to
use the List of Values Job Server. For more information, see “Processing tier”
on page 55.
To modify performance settings for the RAS
1. Go to the Servers management area of the CMC.
2. Click the link to the RAS whose settings you want to change.
3. Make your changes on the Server tab.
4. Click either Apply or Update:
• Click Apply to submit changes and restart the server so that the
changes take effect immediately.
• Click Update to save the changes. You must restart the server for the
changes to take effect.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 111


4 Managing and Configuring Servers
Configuring the processing tier

Tip: On Windows, you can also change these settings in the CCM. Stop the
RAS and view its Properties. Click the Parameters tab. From the Option Type
list, select Server.
Minutes Before an Idle Connection is Closed
The “Minutes Before an Idle Connection is Closed” setting alters the length of
time that the RAS waits for further requests from an idle connection. Before
you change this setting, it is important to understand that setting a value too
low can cause a user’s request to be closed prematurely, and setting a value
that is too high can affect the server’s scalability (for instance, if the
ReportClientDocument object is not closed explicitly, the server will be waiting
unnecessarily for an idle job to close).
Maximum Simultaneous Report Jobs
The “Maximum Simultaneous Report Jobs” setting limits the number of
concurrent reporting requests that a RAS processes. The default value is
acceptable for most, if not all, reporting scenarios. The ideal setting for your
reporting environment, however, is highly dependent upon your hardware
configuration, your database software, and your reporting requirements.
Thus, it is difficult to discuss the recommended or optimum settings in a
general way.
It is recommended that you contact your Business Objects sales
representative and request information about the BusinessObjects Enterprise
Sizing Guide. A Business Objects services consultant can then assess your
reporting environment and assist you in customizing these advanced
configuration and performance settings.

Modifying performance settings for job servers


By default, the job servers run jobs as independent processes rather than as
threads. This method allows for more efficient processing of large, complex
reports.
Use the following procedure to modify the performance settings for any of the
job servers, that is the Report Job Server, Program Job Server, Destination
Job Server, List of Values Job Server, and the Web Intelligence Job Server.
To modify performance settings for job servers
1. Go to the Servers management area of the CMC.
2. Click the link to the job server whose settings you want to change.
3. Make your changes on the Properties tab.
4. Click Update.
5. Return to the Servers management area of the CMC.

112 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4
Maximum Jobs Allowed
The “Maximum Jobs Allowed” setting limits the number of concurrent
independent processes (child processes) that the server allows—that is, it
limits the number of scheduled objects that the server will process at any one
time. You can tailor the maximum number of jobs to suit your reporting
environment.
The default “Maximum Jobs Allowed” setting is acceptable for most, if not all,
reporting scenarios. The ideal setting for your reporting environment,
however, is highly dependent upon your hardware configuration, your
database software, and your reporting requirements. Thus, it is difficult to
discuss the recommended or optimum settings in a general way. It is
recommended that you contact your Business Objects sales representative
and request information about the BusinessObjects Enterprise Sizing Guide.
A Business Objects services consultant can then assess your reporting
environment and assist you in customizing these advanced configuration and
performance settings.
Temp Directory
You can also change the default directory where the server stores its
temporary files.

Configuring the Web Intelligence Report Server


Use the following procedure to configure the performance settings for the
Web Intelligence Report Server.
To modify performance settings for the Web Intelligence report server
1. Go to the Servers management area of the CMC.
2. Click the link to the Web Intelligence Report Server whose settings you
want to change.
3. Make your changes on the Properties tab.
4. Click either Apply or Update:
• Click Apply to submit changes and restart the server so that the
changes take effect immediately.
• Click Update to save the changes. You must restart the server for the
changes to take effect.
5. Return to the Servers management area of the CMC and restart the Job
Server.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 113


4 Managing and Configuring Servers
Configuring the processing tier

Maximum Simultaneous Connections


The maximum number of simultaneous connections that the server allows at
one time, from sources such the Web Intelligence SDK or the Web
Intelligence Job Server. If this limit is reached, the user will receive an error
message, unless another server is available to handle the request.
Connection Time Out
The number of minutes before an idle connection to the Web Intelligence
Report Server will be closed.
List of Values Batch Size
The maximum number of values that can be returned per list of values batch.
For example, if the number of values in a list of values exceeds this size, then
the list of values will be returned to the user in several batches of this size or
less.
The minimum value that you can enter is 10. Although there is no limit on the
maximum value, Business Objects recommends that you limit it to 30000.
Universe Cache Size
The number of universes to be cached on the Web Intelligence Report
Server.
List of Values Caching
Enables or disables caching per user session of list of values in Web
Intelligence Report Server. The default is for the feature to be on.

114 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4
Enable Viewing Caching
When this parameter is on, real-time caching is possible for Web Intelligence
documents when they are viewed, or when they are generated as a result of
having been run as a scheduled job.
When this parameter is off both real-time caching of Web Intelligence
documents and viewing of cached Web Intelligence documents is impossible.
Real-time caching is done only if both this parameter and the Enable Real
Time Caching parameters are on.
Enable Real Time Caching
When this parameter is on, the Web Intelligence Report Server caches Web
Intelligence documents when the documents are viewed. The server also
caches the documents when they are run as a scheduled job, provided the
pre-cache was enabled in the document.
When the parameter is off, the Web Intelligence Report Server does not
cache the Web Intelligence documents when the documents are viewed. Nor
does it cache the documents when they are run as a scheduled job.
This parameter is taken into account only when the Enable Viewing Caching
is set to on.
Note: To improve system performance, set the Maximum Number Of
Downloaded Documents To Cache to zero when this option is selected, but
enter a value for Maximum Number Of Downloaded Documents To Cache
when this option deselected.
Document Cache Duration
The amount of time (in minutes) that content is stored in cache.
Document Cache Size
The size (in kilobytes) of the document cache.
Amount of Cache To Keep When Document Cache is Full
If the storage size is bigger than the allocated storage size, the system will
delete documents with the oldest “last accessed time.” Then if the cache size
is still exceeds the maximum storage size, the Web Intelligence Report Server
will clean up the cache until the amount of cache percentage is reached.
Document Cache Scan Interval
The number of minutes that the system waits before checking the document
cache for cleanup.
Maximum Number of Downloaded Documents To Cache
The number of Web Intelligence documents that can be stored in cache.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 115


4 Managing and Configuring Servers
Configuring the processing tier

Note: To improve system performance, set this value to zero when Enable
Real Time Caching is selected, but enter a value when Enable Real Time
Caching is deselected.

Configuring the destinations for job servers


By default, when the system runs a scheduled report or a program object, it
stores the output instance it creates on the Output File Repository Server
(FRS). However, you can specify a different destination. If you do, the system
will store one output instance on the Output FRS, and one at the specified
destination.
You also specify a destination when you use the Send to feature, which sends
an existing object to a specified destination.
In order for the system to work with destinations other than the default, the
destination must have been enabled and configured on the respective job server.
For example, to be able to schedule a report object for output to an
unmanaged disk, you have to enable and configure the Unmanaged Disk
destination on the Job Server. To send a report instance by email, you have to
configure the Email (SMTP) destination on the Destination Job Server.
Configuring destinations for job servers includes:
• “Enabling or disabling destinations for job servers” on page 116
• “Configuring the destination properties for job servers” on page 117
For information about selecting destinations for objects see:
• “Selecting a destination” on page 480
• “Sending an object or instance” on page 422

Enabling or disabling destinations for job servers


This procedure applies to the Job Server, Program Job Server, Destination
Job Server, List of Values Job Server, and Web Intelligence Job Server.
For a job server to store output instances in a destination other than the
default, you have to enable and configure the other destinations on the job
servers. See also “Configuring the destination properties for job servers” on
page 117.
Note: On the Destination Job Server, the Inbox destination is enabled by
default. This allows you to use the “Send to” feature and to distribute reports
to users within the BusinessObjects Enterprise system. If you want, you can
enable and configure additional destinations on the Destination Job Server.

116 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4
To enable or disable destinations for a job server
1. Go to the Servers management area of the CMC.
2. Click the link for the job server for which you want to enable or disable a
destination.
3. Select the check box for each destination you want to support.
4. Click Enable.
To disable destinations, click Disable. When a destination is disabled a
red circle is shown beside the name.
5. If you enabled the destination, you must also configure the destination.
See “Configuring the destination properties for job servers” on page 117.

Configuring the destination properties for job servers


This procedure applies to the Job Server, Program Job Server, Destination
Job Server, List of Values Job Server, and Web Intelligence Job Server.
For a job server to store output instances in a destination other than the
default, you have to enable and configure the other destinations on the job
servers. See also “Enabling or disabling destinations for job servers” on
page 116.
To set the destination properties for a job server
1. Go to the Servers management area of the CMC.
2. Click the link for the job server whose setting you want to change.
3. Click the Destinations tab.
4. Click the link for the destination whose setting you want to set, for
example, FTP.
5. Set the properties for the destination. For information about the
properties for each destination, see:
• “Inbox destination properties” on page 118
• “Unmanaged Disk destination properties” on page 122
• “FTP destination properties” on page 120
• “Email (SMTP) destination properties” on page 119
6. Click Update.
7. Make sure the destination has been enabled. See “Enabling or disabling
destinations for job servers” on page 116.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 117


4 Managing and Configuring Servers
Configuring the processing tier

Inbox destination properties


The Inbox destination stores an object or instance in the user inboxes on the
BusinessObjects Enterprise system. A user inbox is automatically created
when you add a user. For more information, see “Configuring the destination
properties for job servers” on page 117 and “Controlling access to user
inboxes” on page 327.
Note: On the Destination Job Server, the Inbox destination is enabled by
default. This allows you to use the “Send to” feature and to distribute reports
to users within the BusinessObjects Enterprise system. If you want, you can
enable and configure additional destinations on the Destination Job Server.

Send document as
Select the option you want:
• Shortcut—The systems sends a shortcut to the specified destination.
• Copy—The system sends a copy of the instance, for example, the .rpt
file, to the destination.
Send List
Specify which users or user groups you want to receive instances that have
been generated or processed by the job server.

118 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4
Email (SMTP) destination properties
In this example, the SMTP server resides in the businessobjects.com
domain. Its name is EMAIL_SERV and it is listening on the standard SMTP
port. Plain text authentication is being used, and an account called
BusinessObjectsJobAccount has been created on the SMTP server for
use by the Job Server.

See also “Configuring the destination properties for job servers” on page 117.
Domain Name
Enter the fully qualified domain of the SMTP server.
Server Name
Enter the name of the SMTP server.
Port
Enter the port that the SMTP server is listening on. (This standard SMTP port
is 25.)
Authentication
Select Plain or Login if the job server must be authenticated using one of
these methods in order to send email.
SMTP User Name
Provide the Job Server with a user name that has permission to send email
and attachments through the SMTP server.
SMTP Password
Provide the Job Server with the password for the SMTP server.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 119


4 Managing and Configuring Servers
Configuring the processing tier

From
Provide the return email address. Users can override this default when they
schedule an object.
To, Cc, Subject, and Message
Set the default values for users who schedule reports to this SMTP
destination. Users can override these defaults when they schedule an object.
Add viewer hyperlink to message body
Click Add if you want to add the URL for the viewer in which you want the
email recipient to view the report. You can set the default URL by clicking
Object Settings on the main page of the Objects management area of the
CMC. If you send a hyperlink, the email recipient must log on to
BusinessObjects Enterprise to see the report.)
Users can override this default when they schedule an object.
Attach report instance to email message
Clear this check box if you do not want to attach a copy of the report or
program instance attached to the email. Users can override these defaults
when they schedule an object.
Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to generate a
random file name.
Specified File Name
Select this option if you want to enter a file name. You can also add a variable
to the file name. To add a variable, choose a placeholder for a variable
property from the list and click Add.
Add file extension
Adds the .%EXT% extension to the specified filename. This is similar to
selecting File Extension from the list and clicking Add. By adding an extension
to the file name, Windows will know which program to use to open the file
when users want to view the file.

FTP destination properties


In this example, reports scheduled to this destination are randomly named
and uploaded to the ftp.businessobjects.com site.

120 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4

See also “Configuring the destination properties for job servers” on page 117.
Host
Enter your FTP host information.
Port
Enter the FTP port number (the standard FTP port is 21).
FTP User Name
Specify a user who has the necessary rights to upload a report to the FTP server.
FTP Password
Enter the user’s password.
Account
Enter the FTP account information, if required. Account is part of the standard
FTP protocol, but it is rarely implemented. Provide the appropriate account
only if your FTP server requires it.
Destination Directory
Enter the FTP directory that you want the object to be saved to. A relative
path is interpreted relative to the root directory on the FTP server.
Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to generate a
random file name.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 121


4 Managing and Configuring Servers
Configuring the processing tier

Specified File Name


Select this option if you want to enter a file name—you can also add a
variable to the file name. To add a variable, choose a placeholder for a
variable property from the list and click Add.

Unmanaged Disk destination properties


An unmanaged disk is disk on a system outside the BusinessObjects
Enterprise system. See also “Configuring the destination properties for job
servers” on page 117.

Destination Directory
Type the absolute path to the directory. The directory can be on a local drive
of the Job Server machine, or on any other machine that you can specify with
a UNC path.
Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to generate a
random file name.
Specified File Name
Select this option if you want to specify a file name—you can also add a
variable to the file name. To add a variable, choose a placeholder for a
variable property from the list and click Add. When each instance runs, the

122 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4
variable is replaced with the appropriate information. For example, when you
add the variable “Owner,” the file name of each object includes the object
owner’s name.
User Name
Specify a user who has permission to write files to the destination directory.
Password
Type the password for the user.
In this example, the destination directory is on a network drive that is
accessible to the Job Server machine through a UNC path. Each file name will
be randomly generated, and a user name and password have been specified
to grant the Job Server permission to write files to the remote directory.

Configuring Windows processing servers for your data


source
When started on Windows, the report processing servers by default log on to
the local system as services with the Windows “LocalSystem” account. This
account determines the permissions that each service is granted on the local
machine. This account does not grant the service any network permissions.
In the majority of cases, this account is irrelevant in relation to the server’s
task of processing reports against your data source. (The database logon
credentials are stored with the report object.) Thus, you can usually leave
each server’s default logon account unchanged or, if you prefer, you can
change it to a Windows user account with the appropriate permissions.
However, there are certain cases when you must change the logon account
used by the processing servers. These cases arise either because the server
needs additional network permissions to access the database, or because the
database client software is configured for a particular Windows user account.
This table lists the various database/ driver combinations and shows when
you must complete additional configuration.
Tip: Running a service under an Administrator account does not
inadvertently grant administrative privileges to another user, because users
cannot impersonate services.
For details on changing the user accounts, see “Changing the server user
account” on page 136. For a complete list of supported databases and
drivers, refer to the platform.txt file included with your installation.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 123


4 Managing and Configuring Servers
Configuring the processing tier

Configuring UNIX processing servers for your data source


The Job Servers and Page Server support native and ODBC connections to a
number of reporting databases. This section discusses the environment
variables, software, and configuration files that must be available to the
servers in order for them to process reports successfully. Whether your
reports use native or ODBC drivers, ensure that the reporting environment
configured on the server accurately reflects the reporting environment
configured on the Windows machine that you use when designing reports
with Crystal Reports.
See the Platforms.txt file included with your product distribution for a
complete list of tested database software and version requirements.

Native drivers
If you design reports using native drivers, you must install the appropriate
database client software on each Job Server and/or Page Server machine
that will process the reports. The server loads the client software at runtime in
order to access the database that is specified in the report. The server locates
the client software by searching the library path environment variable that
corresponds to your operating system (LD_LIBRARY_PATH on Sun Solaris,
LIBPATH on IBM AIX, and so on), so this variable must be defined for the
login environment of each Job Server and Page Server.
Depending on your database, additional environment variables may be
required for the Job Server and Page Server to use the client software. These
include:
• Oracle
The ORACLE_HOME environment variable must define the top-level
directory of the Oracle client installation.
• Sybase
The SYBASE environment variable must define the top-level directory of
the Sybase client installation. The SYBPLATFORM environment variable
must define the platform architecture.
• DB2
The DB2INSTANCE environment variable must define the DB2 instance
that is used for database access. Use the DB2 instance initialization
script to ensure that the DB2 environment is correct.
Note: For complete details regarding these and other required environment
variables, see the documentation included with your database client software.

124 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4
As an example, suppose that you are running reports against both Sybase
and Oracle. The Sybase database client is installed in /opt/sybase, and the
Oracle client is installed in /opt/oracle/app/oracle/product/8.1.7.
You installed BusinessObjects Enterprise under the crystal user account
(as recommended in the BusinessObjects Enterprise Installation Guide).
If the crystal user’s default shell is a C shell, add these commands to the
crystal user’s login script:
setenv LD_LIBRARY_PATH /opt/oracle/app/oracle/product/8.1.7/
lib:opt/sybase/lib:$LD_LIBRARY_PATH
setenv ORACLE_HOME /opt/oracle/app/oracle/product/8.1.7
setenv SYBASE /opt/sybase
setenv SYBPLATFORM sun_svr4
If the crystal user’s default shell is a Bourne shell, modify the syntax
accordingly:
LD_LIBRARY_PATH=/opt/oracle/app/oracle/product/8.1.7/
lib:opt/sybase/lib:$LD_LIBRARY_PATH;export
LD_LIBRARY_PATH
ORACLE_HOME=/opt/oracle/app/oracle/product/8.1.7;export
ORACLE_HOME
SYBASE=/opt/sybase;export SYBASE
SYBPLATFORM=sun_svr4;export SYBPLATFORM

ODBC drivers
If you design reports off ODBC data sources (on Windows), you must set up
the corresponding data sources on the Job Server and Page Server
machines. In addition, you must ensure that each server is set up properly for
ODBC. During the installation, BusinessObjects Enterprise installs ODBC
drivers for UNIX, creates configuration files and templates related to ODBC
reporting, and sets up the required ODBC environment variables. This section
discusses the installed environment, along with the information that you need
to edit.
Note:
• Detailed documentation covering the various ODBC drivers is included in
the Merant Connect ODBC Reference (odbcref.pdf). This is installed
below the crystal/enterprise/platform/odbc directory; it is also
located in the doc directory of your product distribution.
• If you report off DB2 using ODBC, your database administrator must first
bind the UNIX version of the driver to every database that you report
against (and not just each database server). The bind packages are
installed below the crystal/enterprise/platform/odbc/lib
directory; their filenames are iscsso.bnd, iscswhso.bnd,
isrrso.bnd, isrrwhso.bnd, isurso.bnd, and isurwhso.bnd.
Because Crystal Reports runs on Windows, ensure also that the
Windows version of the driver has been bound to each database.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 125


4 Managing and Configuring Servers
Configuring the processing tier

• On UNIX, BusinessObjects Enterprise does not include the Informix


client-dependent ODBC driver (CRinf16) that is installed on Windows.
The UNIX version does, however, include the clientless ODBC driver for
Informix connectivity.
ODBC environment variables
The environment variables related to ODBC reporting are: the library path
that corresponds to your operating system (LD_LIBRARY_PATH on Sun
Solaris, LIBPATH on IBM AIX, and so on), ODBC_HOME, and ODBCINI. The
BusinessObjects Enterprise installation includes a file called env.csh that is
sourced automatically every time you start the BusinessObjects Enterprise
servers with the CCM. Thus, the environment for the Job Server and Page
Server is set up automatically:
• The INSTALL_ROOT/bobje/enterprise115/platform/odbc/lib
directory of your installation is added to the library path environment
variable.
• The ODBC_HOME environment variable is set to the INSTALL_ROOT/bobje/
enterprise115/platform/odbc directory of your installation.
• The ODBCINI environment variable is defined as the path to the
.odbc.ini file that was created by the BusinessObjects Enterprise
installation.
Modify the environment variables in the env.csh script only if you have
customized your configuration of ODBC. The main ODBC configuration file
that you need to modify is the system information file.
Working with the ODBC system information file
The system information file (.odbc.ini) is created in the HOME directory of
the user account under which you installed BusinessObjects Enterprise
(typically the crystal user account). In this file, you define each of the ODBC
data sources (DSNs) that the Job Server and Page Server need in order to
process your reports. The BusinessObjects Enterprise installation completes
most of the required information—such as the location of the ODBC directory
and the name and location of each installed ODBC driver—and shows where
you need to provide additional information.
Tip: A template of the system information file is installed to INSTALL_ROOT/
bobje/defaultodbc.ini
The following example shows the contents of a system information file that
defines a single ODBC DSN for servers running on UNIX. This DSN allows
the Job Server and Page Server to process reports based on a System DSN
(on Windows) called CRDB2:
[ODBC Data Sources]
CRDB2=MERANT 3.70 DB2 ODBC Driver

126 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4
[CRDB2]
Driver=/opt/bobje/enterprise115/platform/odbc/lib/crdb216.so
Description=MERANT 3.70 DB2 ODBC Driver
Database=myDB2server
LogonID=username

[ODBC]
Trace=0
TraceFile=odbctrace.out
TraceDll=/opt/bobje/enterprise115/platform/odbc/lib/
odbctrac.so
InstallDir=/opt/bobje/enterprise115/platform/odbc
As shown in the example above, the system information file is structured in
three major sections:
• The first section, denoted by [ODBC Data Sources], lists all the DSNs
that are defined later in the file. Each entry in this section is provided as
dsn=driver, and there must be one entry for every DSN that is defined in Kalu002fthis

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 127


4 Managing and Configuring Servers
Configuring the processing tier

driver are included in the file (Database=, LogonID=, and so on). Edit the file
and provide the corresponding values that are specific to your reporting
environment.
This example shows the entire contents of a system information file created
when BusinessObjects Enterprise was installed to the /usr/local directory.
[ODBC Data Sources]
CRDB2=MERANT 3.70 DB2 ODBC Driver
CRINF_CL=MERANT 3.70 Informix Dynamic Server ODBC Driver
CROR8=MERANT 3.70 Oracle8 ODBC Driver
CRSS=MERANT 3.70 SQL Server ODBC Driver
CRSYB=MERANT 3.70 Sybase ASE ODBC Driver
CRTXT=MERANT 3.70 Text ODBC Driver

[CRDB2]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
crdb216.so
Description=MERANT 3.70 DB2 ODBC Driver
Database=
LogonID=

[CRINF_CL]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
crifcl16.so
Description=MERANT 3.70 Informix Dynamic Server ODBC Driver
ServerName=
HostName=
PortNumber=
Database=
LogonID=

[CROR8]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
cror816.so
Description=MERANT 3.70 Oracle8 ODBC Driver
ServerName=
ProcedureRetResults=1
LogonID=

[CRSS]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
crmsss16.so
Description=MERANT 3.70 SQL Server ODBC Driver
Address=
Database=
QuotedId=Yes
LogonID=

128 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Configuring the processing tier 4
[CRSYB]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
crase16.so
Description=MERANT 3.70 Sybase ASE ODBC Driver
NetworkAddress=
Database=
LogonID=

[CRTXT]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
crtxt16.so
Description=MERANT 3.70 Text ODBC Driver
Database=

[ODBC]
Trace=0
TraceFile=odbctrace.out
TraceDll=/usr/local/bobje/enterprise115/platform/odbc/lib/
odbctrac.so
InstallDir=/usr/local/bobje/enterprise115/platform/odbc
Adding a DSN to the default ODBC system information file
When you need to add a new DSN to the installed system information file
(.odbc.ini) file, first add the new DSN to the bottom of the [ODBC Data
Sources] list. Then add the corresponding [dsn] definition just before the
[ODBC] section.
For example, suppose that you have a Crystal report that uses ODBC drivers
to report off your Oracle8 database. The report is based off a System DSN
(on Windows) called SalesDB. To create the corresponding DSN, first append
this line to the [ODBC Data Sources] section of the system information file:
SalesDB=MERANT 3.70 Oracle8 ODBC Driver
Then define the new DSN by adding the following lines just before the system
information file’s [ODBC] section:
[SalesDB]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
cror816.so
Description=MERANT 3.70 Oracle8 ODBC Driver
ServerName=MyServer
ProcedureRetResults=1
LogonID=MyUserName
Once you have added this information, the new DSN is available to the Job
Server and Page Server, so they can process reports that are based off the
SalesDB System DSN (on Windows).

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 129


4 Managing and Configuring Servers
Logging server activity

Logging server activity


BusinessObjects Enterprise allows you to log specific information about
BusinessObjects Enterprise web activity. For details on locating and
customizing the web activity logs, see “Configuring the Web Component
Adapter” on page 80.
• In addition, each of the BusinessObjects Enterprise servers is designed to
log messages to your operating system’s standard system log.On Windows
NT/2000, BusinessObjects Enterprise logs to the Event Log service. You
can view the results with the Event Viewer (in the Application Log).
• On UNIX, BusinessObjects Enterprise logs to the syslog daemon as a
User application. Each server prepends its name and PID to any
messages that it logs.
This example shows two messages logged to the syslog daemon on
UNIX:

Each server also logs assert messages to the logging directory of your
product installation. The programmatic information logged to these files is
typically useful only to Business Objects support staff for advanced
debugging purposes. The location of these log files depends upon your
operating system:
• On Windows, the default logging directory is C:\Program
Files\Business Objects\BusinessObjects Enterprise
11.5\Logging
• On UNIX, the default logging directory INSTALL_ROOT/bobje/logging
directory of your installation.
The important point to note is that these log files are cleaned up automatically,
so there will never be more than approximately 1 MB of logged data per
server.

130 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Advanced server configuration options 4
Advanced server configuration options
This section includes additional configuration tasks that you may want to
perform, depending upon your reporting environment. It includes:
• “Changing the default server port numbers” on page 131
• “Configuring a multihomed machine” on page 134
• “Adding and removing Windows server dependencies” on page 135
• “Changing the server startup type” on page 136
• “Changing the server user account” on page 136
• “Configuring servers for SSL” on page 137

Changing the default server port numbers


During installation, the CMS is set up to use default port numbers. The default
CMS port number is 6400. This ports fall within the range of ports reserved by
Business Objects (6400 to 6410). Thus, BusinessObjects Enterprise
communication on these ports should not conflict with third-party applications
that you have in place. (Although unlikely, it is possible that your custom
applications use these ports. If so, you can change the default CMS port.)
The Web Component Adapter is not a server. However, you can configure its
listening port by changing the connection.listeningPort context
parameter in web.xml. See “Configuring the Web Component Adapter” on
page 80.
When started and enabled, each of the other BusinessObjects Enterprise
servers dynamically binds to an available port (higher than 1024), registers
with this port on the CMS, and then listens for BusinessObjects Enterprise
requests. If necessary, you can instruct each server component to listen on a
specific port (rather than dynamically selecting any available port).
On Windows, you view and modify server command lines with the CCM. The
Command field appears on each server’s Properties tab. On UNIX, you view
and modify server command lines (also referred to as launch strings) in the
ccm.config file, which is installed in the crystal directory.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 131


4 Managing and Configuring Servers
Advanced server configuration options

This table summarizes the command-line options as they relate to port usage
for specific server types. For more information, see the BusinessObjects
Enterprise Administrator’s Reference Guide.

Option CMS Other Servers


-port Specifies the primary Used only in multihomed
BusinessObjects environments or for certain NAT
Enterprise port on which firewall environments. In both
the CMS listens for cases, specify -port interface
requests from all other only. (-port number has no
servers. The default is meaning for these servers).
6400.
-requestPort Specifies the secondary Specifies the port on which the
port that the CMS uses for server listens for
identifying other servers BusinessObjects Enterprise
and for registering with requests. The server registers
itself and/or a cluster. this port with the CMS.
Selected dynamically if Selected dynamically if
unspecified. unspecified.
-ns n/a Specifies the CMS that the
server will register with.
Before modifying any port numbers, consider the following:
• CMS port number, you must change the -ns option in every other
server’s command line, to ensure that each server connects to the
appropriate port of the CMS. (The -ns option stands for “nameserver.”
The CMS functions as the nameserver in BusinessObjects Enterprise,
because it maintains a list that includes the host name and port number
of each server that is started, enabled, and thus available to accept
BusinessObjects Enterprise requests.) You must also set the name and
port number of the CMS with the connection.cms context parameter in
web.xml. See “Configuring the Web Component Adapter” on page 80.
• If you are working with multihomed machines or in certain NAT firewall
configurations, you may wish to specify -port interface:number for the
CMS and -port interface for the other servers. For details, see
“Configuring a multihomed machine” on page 134 or “Configuring for
Network Address Translation” on page 171.
• On Windows, the CCM displays default port numbers on each server’s
Configuration tab. This displayed port corresponds to the -port option.
For servers other than the CMS, this default port is not actually in use
(each server registers its -requestPort number with the CMS instead).

132 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Advanced server configuration options 4
To change the default CMS port for BusinessObjects Enterprise servers
1. Use the CCM (on Windows) or ccm.sh (on UNIX) to stop all the
BusinessObjects Enterprise servers.
2. Add (or modify) the following option in the CMS command line:
-port number
Replace number with the port that you want the CMS to listen on. (The
default port is 6400.)
3. Add (or modify) the following option in the command line of all of the
remaining non-CMS BusinessObjects Enterprise servers:
-ns hostname:number
Replace hostname with the host name of the machine that is running the
CMS. The host name must resolve to a valid IP address within your
network. Replace number with the port that the CMS is listening on.
4. Start and enable all the BusinessObjects Enterprise servers.
The CMS begins listening on the port specified by number, and the non-CMS
servers broadcast to that port when attempting to register with the CMS.
5. Set the name and port number of the CMS with the connection.cms
context parameter in web.xml. See “Configuring the Web Component
Adapter” on page 80.
To change the port a server registers with the CMS
1. Use the CCM (on Windows) or ccm.sh (on UNIX) to stop the server.
2. Add (or modify) the following option in the server’s command line:
-requestPort number
Replace number with the port that you want the server to listen on.
3. Start and enable the server.
The server binds to the new port specified by number. It then registers with the
CMS and begins listening for BusinessObjects Enterprise requests on the
new port.
By default, each server registers itself with the CMS by IP address, rather
than by name. This typically provides the most reliable behavior. If you need
each server to register with the CMS by fully qualified domain name instead,
use the -requestPort option in conjunction with -port interface (where
interface is the server’s fully qualified domain name). Having the servers
register by name can be useful if a NAT firewall resides between the server
and the CMS. For more information, see “Configuring for Network Address
Translation” on page 171.
You may also need to specify -port interface when BusinessObjects
Enterprise is running on a multihomed machine.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 133


4 Managing and Configuring Servers
Advanced server configuration options

Configuring a multihomed machine


A multihomed machine is one that has multiple network addresses. You may
accomplish this with multiple network interfaces, each with one or more IP
addresses, or with a single network interface that has been assigned multiple
IP addresses.
If you have multiple interface cards, each with a single IP address, change
the binding order so that the card at the top of the binding order is the one you
want the BusinessObjects Enterprise servers to bind to. If your interface card
has multiple IP addresses, use the -port command-line option to specify a
IP address for the BusinessObjects Enterprise server.
Tip: This section shows how to restrict all servers to the same network
address, but it is possible to bind individual servers to different addresses. For
instance, you might want to bind the File Repository Servers to a private
address that is not routable from users’ machines. Advanced configurations
such as this require your DNS configuration to route communications
effectively between all the BusinessObjects Enterprise server components. In
this example, the DNS must route communications from the other
BusinessObjects Enterprise servers to the private address of the File
Repository Servers.

Configuring the CMS to bind to a network address


When you use the -port command-line option to configure the CMS to bind
to a specific IP address, you must also include the port number these servers
use (even if the server is using the default port). Add the following option to
both of their command lines:
-port interface:port
If the machine has multiple network interfaces, interface can be the fully
qualified domain name or the IP address of the interface that you want the
server to bind to. If the machine has a single network interface, interface
must be the IP address that you want the server to bind to.
Note:
• To retain the default port numbers, replace port with 6400 for the CMS. If
you change the default port numbers, you will need to make additional
configuration changes. For details, see “Changing the default server port
numbers” on page 131.
• To configure the WCA, use interface:port when setting the
connection.listeningPort context parameter in web.xml. (See
“Configuring the Web Component Adapter” on page 80.)

134 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Advanced server configuration options 4
Configuring the remaining servers to bind to a network address
The remaining BusinessObjects Enterprise servers select their ports
dynamically by default, so you need only add the following option to their
command lines:
-port interface
Replace interface with the same value that you specified for the CMS.
Ensure that each server’s -ns parameter points to the CMS, and that the
DNS resolves the value to the appropriate network address.

Adding and removing Windows server dependencies


When installed on Windows, each server in BusinessObjects Enterprise is
dependent on at least three services: the Event Log, NT LM Security Support
Provider, and Remote Procedure Call (RPC) services. If you are having
problems with a server, check to ensure that all three services appear on the
server’s Dependency tab.
To add and remove server dependencies
1. Use the CCM to stop the server whose dependencies you want to modify.
2. With the server selected, click Properties on the toolbar.
3. Click the Dependency tab.
As shown here, at least three services should be listed: Event Log, NT
LM Security Support Provider, and Remote Procedure Call (RPC).

4. To add a dependency to the list, click Add.


The Add Dependency dialog box provides you with a list of all available
dependencies. Select the dependency or dependencies, as required, and
then click Add.
5. To remove a dependency from the list, select it and click Remove.
6. Click OK.
7. Restart the server.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 135


4 Managing and Configuring Servers
Advanced server configuration options

Changing the server startup type


When installed on Windows, each server is configured to start automatically.
As with other Windows services, there are three startup types:
• Automatic starts the server each time the machine is started.
• Manual requires you to start the server before it will run.
• Disabled requires you to change the startup type to automatic or manual
before it can run.
To change the server startup type on Windows
1. Start the CCM.
2. Stop the server whose startup type you want to modify.
3. With the server selected, click Properties on the toolbar.
4. Click the Startup Type list and select Automatic, Disabled, or Manual.
5. Click OK.
6. Restart the server.
To change the server startup type on UNIX
On UNIX, this requires root privileges. See the BusinessObjects Enterprise
Administrator’s Reference Guide.

Changing the server user account


If the incorrect user account is running on a server on Windows, change it in
the Central Configuration Manager (CCM).
Tip: The Program Job Server must be configured to use the Local System
account, or a user account that has the rights “Act as part of the operating
system” and “Replace a process level token”.
To change a server’s user account
1. Use the CCM to stop the server.
2. Click Properties.
3. Clear the System Account check box.
4. Enter the Windows user name and password information.
When started, the server process will log on to the local machine with this
user account. In addition, all reports processed by this server will be
formatted using the printer settings associated with the user account that
you enter.
5. Click Apply, and then click OK.
6. Start the server.

136 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Advanced server configuration options 4
Configuring servers for SSL
You can use the Secure Sockets Layer (SSL) protocol for all network
communication between clients and servers in your BusinessObjects
Enterprise deployment.
To set up SSL for all server communication you need to perform the following
steps:
• Deploy BusinessObjects Enterprise with SSL enabled.
• Create key and certificate files for each machine in your deployment.
• Configure the location of these files in the Central Configuration Manager
(CCM) and your web application server.

Creating key and certificate files


To set up SSL protocol for your server communication, use the SSLC
command line tool to create a key file and a certificate file for each machine in
your deployment.
Note:
• You need to create certificates and keys for all machines in the
deployment, including machines running thick client components such as
Crystal Reports. For these client machines, use the sslconfig
command line tool to do the configuration.
• For maximum security, all private keys should be protected and should
not be transferred through unsecured communication channels.
• For more information about using the SSLC command line tool, consult
the SSLC documentation.
To create key and certificate files for a machine
1. Run the SSLC.exe command line tool.
The SSLC tool is installed with your BusinessObjects Enterprise
software. (On Windows, for example, it is installed by default in
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\win32_x86.)
2. Type the following command:
sslc req -config sslc.cnf -new -out cacert.req
This command creates two files, a Certificate Authority (CA) certificate
request (cacert.req) and a private key (privkey.pem).
3. To decrypt the private key, type the following command:
sslc rsa -in privkey.pem -out cakey.pem
This command creates the decrypted key, cakey.pem.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 137


4 Managing and Configuring Servers
Advanced server configuration options

4. To sign the CA certificate, type the following command:


sslc x509 -in cacert.req -out cacert.pem -req -signkey
cakey.pem -days 365
This command creates a self-signed certificate, cacert.pem, that
expires after 365 days. Choose the number of days that suits your
security needs.
5. Open the sslc.cnf file, stored in the same folder as the SSLC
command line tool. Perform the following steps based on settings in the
sslc.cnf file.
• Place the cakey.pem and cacert.pem files in the directories specified
by sslc.cnf file's certificate and private_key options.
By default, the settings in the sslc.cnf file are:
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
• Create a file with the name specified by the sslc.cnf file's
database setting.
Note: By default, this file is $dir/index.txt. The file can be empty.
• Create a file with the name specified by the sslc.cnf file's serial
setting.
Ensure that this file provides an octet-string serial number (in
hexadecimal format).
Note: To ensure that you can create and sign more certificates,
choose a large even hexadecimal number, such as
11111111111111111111111111111111.)’
• Create the directory specified by the sslc.cnf file's
new_certs_dir setting.
6. To create a certificate request and a private key, type the following
command:
sslc req -config sslc.cnf -new -out servercert.req
The certificate and key files generated are placed under the current
working folder.
7. Make a copy of the private key.
copy privkey.pem server.key
8. To sign the certificate with the CA certificate, type the following command:
sslc ca -config sslc.cnf -days 365 -out servercert.pem -
in servercert.req

138 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing and Configuring Servers
Advanced server configuration options 4
This command creates the servercert.pem file, which contains the
signed certificate.
9. Use the following commands to convert the certificates to DER encoded
certificates:
sslc x509 -in cacert.pem -out cacert.der -outform DER
sslc x509 -in servercert.pem -out servercert.der -outform
DER
Note: The CA certificate (cacert.der) and its corresponding private
key (cakey.pem) need to be generated only once per deployment. All
machines in the same deployment must share the same CA certificates.
All other certificates need to be signed by the private key of any of the CA
certificates.
10. Create a text file for storing the plain text passphrase used for
decrypting the generated private key.
11. Store the following key and certificate files in a secure location (under the
same directory) that can be accessed by the machines in your
BusinessObjects Enterprise deployment:
• the trusted certificate file (cacert.der)
• the generated server certificate file (servercert.der)
• the server key file (server.key)
• the passphrase file
This location will be used to configure SSL for the CCM and your web
application server.

Configuring the SSL protocol


After you create keys and certificates for each machine in your deployment,
and store them in a secure location, you need to provide the Central
Configuration Manager (CCM) and your web application server with the
secure location.
To configure the SSL protocol in the CCM
1. In the CCM, right-click a server and choose Properties.
2. In the Properties dialog box, click the Protocol tab.
3. Provide the file path for the directory where you stored the key and
certificate files.
Note: Make sure you provide the directory for the machine that the
server is running on.
4. Repeat steps 1 to 3 for all servers.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 139


4 Managing and Configuring Servers
Advanced server configuration options

To configure the SSL protocol for the web application server


1. If you have a J2EE web application server, run the Java SDK with the
following system properties set. For example:
-Dbusinessobjects.orb.oci.protocol=ssl
-DcertDir=d:\ssl
-DtrustedCert=cacert.der
-DsslCert=clientcert.der
-DsslKey=client.key
-Dpassphrase=passphrase.txt
The following table shows the descriptions that correspond to these
examples:

Example Description
DcertDir=d:\ssl The directory to store all the
certificates and keys.
DtrustedCert=cacert.der Trusted certificate file. If specifying
more than one, separate with
semicolons.
DsslCert=clientcert.der Certificate used by the SDK.
DsslKey=client.key Private key of the SDK certificate.
Dpassphrase=passphrase.txt The file that stores the passphrase for
the private key.
2. If you have an IIS web application server, run the sslconfig tool from
the command line and follow the configuration steps.

140 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Server Groups

chapter
5 Managing Server Groups
Server group overview

Server group overview


Server groups provide a way of organizing your BusinessObjects Enterprise
servers to make them easier to manage. That is, when you manage a group
of servers, you need only view a subset of all the servers on your system.
More importantly, server groups are a powerful way of customizing
BusinessObjects Enterprise to optimize your system for users in different
locations, or for objects of different types.
If you group your servers by region, you can easily set up default processing
settings, recurrent schedules, and schedule destinations that are appropriate
to users who work in a particular regional office. You can associate an object
with a single server group, so the object is always processed by the same
servers. And you can associate scheduled objects with a particular server
group to ensure that scheduled objects are sent to the correct printers, file
servers, and so on. Thus, server groups prove especially useful when
maintaining systems that span multiple locations and multiple time zones.
If you group your servers by type, you can configure objects to be processed
by servers that have been optimized for those objects. For example,
processing servers need to communicate frequently with the database
containing data for published reports. Placing processing servers close to the
database server that they need to access improves system performance and
minimizes network traffic. Therefore, if you had a number of reports that ran
against a DB2 database, you might want to create a group of Page Servers
that process reports only against the DB2 database server. If you then
configured the appropriate reports to always use this Page Server group for
viewing, you would optimize system performance for viewing these reports.
After creating server groups, configure objects to use specific server groups
for scheduling, or for viewing and modifying reports. For details, see
“Specifying default servers” on page 431. You can change the status, obtain
metrics, and configure your servers in the organize Server Groups area—just
as you would in the organize Servers area. The only difference is that you see
only the servers that you added to the server group.

Creating a server group


To create a server group, you need to specify the name and description of the
group, and then add servers to the group.
To create a server group
1. Go to the Server Groups management area of the CMC.
2. Click New Server Group.

142 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Server Groups
Creating a server group 5
The New Server Group Properties tab appears.

3. In the Server Group Name field, type a name for the new group of
servers.
4. Use the Description field to include additional information about the group.
5. Click OK.
6. On the Servers tab, click Add/Remove Servers.
7. Select the servers that you want to add to this group; then click the > arrow.
Tip: Use CTRL+click to select multiple servers.

8. Click OK.
This example adds the servers to a server group called Northern Office
Servers.
You are returned to the Servers tab, which now lists all the servers that
you added to the group. You can now change the status, view server
metrics, and change the properties of the servers in the group. For more
information, see “Server management overview” on page 70.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 143


5 Managing Server Groups
Working with server subgroups

Working with server subgroups


Subgroups of servers provide you with a way of further organizing your
servers. A subgroup is just a server group that is a member of another server
group.
For example, if you group servers by region and by country, then each
regional group becomes a subgroup of a country group. To organize servers
in this way, first create a group for each region, and add the appropriate
servers to each regional group. Then, create a group for each country, and
add each regional group to the corresponding country group.
There are two ways to set up subgroups: you can modify the subgroups of a
server group, or you can make one server group a member of another. The
results are the same, so use whichever method proves most convenient.
To add subgroups to a server group
1. Go to the Server Groups management area of the CMC.
2. Click the group that you want to add subgroups to.
This group is the parent group.
3. On the Subgroups tab, click Add/Remove Groups.
4. In the Available server groups list, select the server groups that you
want to add as subgroups; then click the > arrow.
5. Click OK.
You are returned to the Subgroups tab, which now lists all the server
groups that you added to the parent group.
To make one server group a member of another
1. Go to the Server Groups management area of the CMC.
2. Click the group that you want to add to another group.
3. On the Member of tab, click the Member of button.
4. In the Available server groups list, select the server groups that should
include your group as a member; then click the > arrow.
This example makes the Job Servers group a member subgroup of the
Northern Office Servers group.

144 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Server Groups
Modifying the group membership of a server 5

5. Click OK.
You are returned to the “Member of” tab, which now lists all the server
groups that the initial group is now a member of.

Modifying the group membership of a server


You can modify a server’s group membership to quickly add the server to (or
remove it from) any group or subgroup that you have already created on the
system.
For example, suppose that you created server groups for a number of
regions. You might want to use a single Central Management Server (CMS)
for multiple regions. Instead of having to add the CMS individually to each
regional server group, you can click the server’s “Member of” link to add it to
all three regions at once.
To modify a server’s group membership
1. Go to the Servers management area of the CMC.
2. Locate the server whose membership information you want to change.
3. In the Server Group column, click the server’s Member of link.
The “Member of” page lists any server groups that the server currently
belongs to.
4. Click the Member of button.
The “Modify Member Of” page appears.
5. Move server groups from one list to another to specify which groups the
server is a member of.
6. Click OK.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 145


5 Managing Server Groups
Modifying the group membership of a server

146 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scaling Your System

chapter
6 Scaling Your System
Scalability overview

Scalability overview
The BusinessObjects Enterprise architecture is scalable in that it allows for a
multitude of server configurations, ranging from stand-alone, single-machine
environments, to large-scale deployments supporting global organizations.
The flexibility offered by the product’s architecture allows you to set up a
system that suits your current reporting requirements, without limiting the
possibilities for future growth and expansion.
This chapter details common scalability scenarios for administrators who
want to expand beyond a stand-alone installation of BusinessObjects
Enterprise. These three scenarios have received the most testing, and are
recommended for the majority of deployments, however, they are not the only
supported configurations. For details, see “Common configurations” on
page 149.
It must be emphasized, however, that the optimal configuration for your
deployment will vary depending upon your hardware configuration, your
database software, and your reporting requirements. It is recommended that
you contact your Business Objects sales representative and request
information about the BusinessObjects Enterprise Sizing Guide. A Business
Objects Services consultant can then assess your reporting environment and
assist in determining the configuration that will best integrate with your current
environment.
Note: If you customize or expand your system beyond these common
configurations without first contacting Business Objects Services, your
deployment may not be officially supported.
This chapter also provides the related procedures for adding and deleting
servers from your BusinessObjects Enterprise installation. Follow these steps
when you need to add server components to a machine that is already
running BusinessObjects Enterprise.
Tip: If you are adding new hardware to BusinessObjects Enterprise by
installing server components on additional machines, run the
BusinessObjects Enterprise installation and setup program. The setup
program allows you to perform an Expand installation. During the Expand
installation, you specify the existing CMS whose system you want to expand,
and you select the components that want to install on the local machine. For
details, see the BusinessObjects Enterprise Installation Guide.

148 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scaling Your System
Common configurations 6
Common configurations
This section details the common ways in which you should begin to scale, or
expand, your BusinessObjects Enterprise system. The scenarios described
are those that have been most thoroughly tested by Business Objects. As a
baseline, this section assumes that you have not yet distributed the
BusinessObjects Enterprise servers across multiple machines; however, this
section does assume familiarity with the BusinessObjects Enterprise
architecture, installation, and server configuration. For preliminary installation
information, see the BusinessObjects Enterprise Installation Guide.
Tip: If you are deploying multi-processor machines, you may also want to run
one or more BusinessObjects Enterprise servers in multiple instances on that
machine. For details, see “Adding a server” on page 158.
This section describes the following common configurations:
• “One-machine setup” on page 149
• “Three-machine setup” on page 150
• “Six-machine setup” on page 151
Note: These are not the only supported configurations, rather some
examples of common configurations. You can customize or expand your
system in different ways besides these common configurations; You can add
many more machines than six, or use any number of machines between one
and six. However, we recommend you first contact Business Objects Services
to be sure your deployment configuration is officially supported.

One-machine setup
This basic configuration separates the BusinessObjects Enterprise servers
from the rest of your reporting environment and from your web server, and
installs all BusinessObjects Enterprise servers on a single machine. This
grants the BusinessObjects Enterprise servers their own set of processing
resources, which they do not have to share with database and web server
processes. These are the general steps to setting up this configuration for the
default Windows installation of BusinessObjects Enterprise:
• Install all of the BusinessObjects Enterprise servers on a single,
dedicated machine.
• Run the CMS database on your database server.
If you are still using the MySQL CMS database on Windows, migrate the
CMS database to a supported database server. See the Platforms.txt
file included with your product distribution for a list of supported database
servers.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 149


6 Scaling Your System
Common configurations

For a UNIX installation (or for a Windows installation that uses the
BusinessObjects Enterprise Java SDK), install your BusinessObjects
Enterprise servers on the same machine as your Java web application server
and the Web Component Adapter.

Three-machine setup
This second configuration divides the BusinessObjects Enterprise processing
load in a logical manner, based on the types of work performed by each server.
In this way, you prevent the server components from having to compete with
each other for the same hardware and processing resources. In addition, this
scenario prepares your system for further expansion to provide redundancy.
Note: It is recommended that you use three multi-processor machines (dual-
CPU or better), with at least 2 GB RAM installed on each machine.
These are the general steps to setting up this configuration for the default
Windows installation of BusinessObjects Enterprise:
• Install the CMS and the Event Server on one machine.
Tip: Here, the Event Server is installed on the same machine as the
CMS. In general, however, the Event Server should be installed on the
machine where your monitored, file-based events occur.
• Install the application server, the Web Component Adapter and the
Cache Server on the second machine.
• Install the Page Server, the Report Job Server, Program Job Server,
Destination Job Server, List of Values Job Server, Web Intelligence Job
Server, the Web Intelligence Report Server, the Report Application
Server (RAS), and the Input and Output File Repository Servers on the
third machine.
For a UNIX installation (or for a Windows installation that uses the
BusinessObjects Enterprise Java SDK), install the Java web application
server and the Web Component Adapter on the same machine as your
Cache Server.
Note: As with the one-machine setup, install your BusinessObjects
Enterprise servers on machines that are separate from your web server and
database servers. This grants the BusinessObjects Enterprise servers their
own set of processing resources, which they do not have to share with
database and web server processes.

150 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scaling Your System
Common configurations 6
Six-machine setup
This third configuration mirrors the three-machine setup. You maintain the
logical breakdown of processing based on the types of work performed by
each server, but you increase the number of available machines and servers
for redundancy and fault-tolerance. For instance, if a server stops responding,
or if you need to take one or two machines offline completely, you need not
interrupt BusinessObjects Enterprise requests in order to service the system.
This tested configuration is designed to meet the reporting requirements of
85% of all deployment scenarios. If you have further requirements or more
advanced configuration needs, contact your Business Objects sales
representative for additional assistance.
Note: It is recommended that you use six multi-processor machines (dual-
CPU or better), with at least 2 GB RAM installed on each machine.
These are the general steps to setting up this configuration for the default
Windows installation of BusinessObjects Enterprise:
• Install the three-machine setup first. Verify that BusinessObjects
Enterprise is functioning correctly. For details, see “Three-machine setup”
on page 150.
• Install a second CMS/Event Server pair on the fourth machine. This
machine must have a fast network connection (minimum 10 Mbps) to the
CMS that you have already installed.
Cluster the two CMS services, so they share the task of maintaining the
CMS database. Ensure that each CMS accesses the CMS database in
exactly the same manner (the same database client software, the same
database user name and password, and so on).
Tip: Here, the Event Server is installed on the same machine as the
CMS. In general, however, the Event Server should be installed on the
machine where your monitored, file-based events occur.
• Install a second Page Server, Report Job Server, Program Job Server,
Destination Job Server, List of Values Job Server, Web Intelligence Job
Server, Web Intelligence Report Server, and RAS on the remaining
machine, along with a pair of Input and Output File Repository Servers.
Ensure that all Page Servers and job servers, including the Web
Intelligence Report Server, can access your reporting database in exactly
the same manner. Install and configure any required database client
software similarly on each machine, along with any ODBC DSNs that are
required for your reports.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 151


6 Scaling Your System
General scalability considerations

Note: As with the one-machine setup, install your BusinessObjects


Enterprise servers on machines that are separate from your web server and
database servers. This grants the BusinessObjects Enterprise servers their
own set of processing resources, which they do not have to share with
database and web server processes.

General scalability considerations


This section provides information about system scalability and the
BusinessObjects Enterprise servers that are responsible for particular
aspects of your system. Each subsection focuses on one aspect of your
system’s capacity, discusses the relevant components, and provides a
number of ways in which you might modify your configuration accordingly.
Before modifying these aspects of your system, it is strongly recommended
that you contact your Business Objects sales representative and request
information about the BusinessObjects Enterprise Sizing Guide. A Business
Objects Services consultant can then assess your reporting environment and
assist in determining the configuration that will best integrate with your current
environment.
General scalability considerations include the following:
• “Increasing overall system capacity” on page 152
• “Increasing scheduled reporting capacity” on page 153
• “Increasing on-demand viewing capacity for Crystal reports” on page 154
• “Increasing prompting capacity” on page 155
• “Enhancing custom web applications” on page 155
• “Improving web response speeds” on page 156
• “Getting the most from existing resources” on page 157
Increasing overall system capacity
As the number of report objects and users on your system increases, you can
increase the overall system capacity by clustering two (or more) Central
Management Servers (CMS). You can install multiple CMS services/daemons
on the same machine. However, to provide server redundancy and fault-
tolerance, you should ideally install each cluster member on its own machine.
CMS clusters can improve overall system performance because every
BusinessObjects Enterprise request results, at some point, in a server
component querying the CMS for information that is stored in the CMS
database. When you cluster two CMS machines, you instruct the new CMS to
share in the task of maintaining and querying the CMS database.
For more information, see “Clustering Central Management Servers” on
page 86.

152 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scaling Your System
General scalability considerations 6
Increasing scheduled reporting capacity
Increasing Crystal reports processing capacity
All Crystal reports that are scheduled are eventually processed by a Job
Server. You can expand BusinessObjects Enterprise by running individual
Report Job Servers on multiple machines, or by running multiple Report Job
Servers on a single multi-processor machine.
If the majority of your reports are scheduled to run on a regular basis, there
are several strategies you can adopt to maximize your system’s processing
capacity:
• Install the Job Server in close proximity to (but not on the same machine
as) the database server against which the reports run. Ensure also that
the File Repository Servers are readily accessible to all Job Server (so
they can read report objects from the Input FRS and write report
instances to the Output FRS quickly). Depending upon your network
configuration, these strategies may improve the processing speed of the
Job Server, because there is less distance for data to travel over your
corporate network.
• Verify the efficiency of your reports. When designing reports in Crystal
Reports, there are a number of ways in which you can improve the
performance of the report itself, by modifying record selection formulas,
using the database server’s resources to group data, incorporating
parameter fields, and so on. For more information, see the “Designing
Optimized Web Reports” section in the Crystal Reports User’s Guide
(version 8.5 and later).
• Use event-based scheduling to create dependencies between large or
complex reports. For instance, if you run several very complex reports on
a regular, nightly basis, you can use Schedule events to ensure that the
reports are processed sequentially. This is a useful way of minimizing the
processing load that your database server is subject to at any given point
in time.
• If some reports are much larger or more complex than others, consider
distributing the processing load through the use of server groups. For
instance, you might create two server groups, each containing one or
more Job Servers. Then, when you schedule recurrent reports, you can
specify that it be processed by a particular server group to ensure that
especially large reports are distributed evenly across resources.
• Increase the hardware resources that are available to a Job Server. If the
Job Server is currently running on a machine along with other
BusinessObjects Enterprise components, consider moving the Job

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 153


6 Scaling Your System
General scalability considerations

Server to a dedicated machine. If the new machine has multiple CPUs,


you can install multiple Job Servers on the same machine (typically no
more than one service/daemon per CPU).
Increasing Web Intelligence document processing capacity
All Web Intelligence documents that are scheduled are eventually processed
by a Web Intelligence Job Server and Web Intelligence Report Server. You
can expand BusinessObjects Enterprise by running individual Web
Intelligence Report Servers on multiple machines, or by running multiple Web
Intelligence Report Servers on a single multi-processor machine.
When running multiple Web Intelligence Report Servers, you don’t need to
duplicate the Web Intelligence Job Server. One Web Intelligence Job Server
can be used to drive multiple Web Intelligence Report Servers. However, if
you are working with server groups, a Web Intelligence Job Server must exist
in the same group as the Web Intelligence Report Servers.
Note: When deciding whether to increase the number Web Intelligence
Report Servers, keep in mind that Web Intelligence Report Server processes
both scheduling and viewing requests, whereas requests for Crystal reports
are processed by three separate servers, the Report Job Server, the Cache
Server and Page Server.
Increasing on-demand viewing capacity for Crystal reports
When you provide many users with View On Demand access to reports, you
allow each user to view live report data by refreshing reports against your
database server. For most requests, the Page Server retrieves the data and
performs the report processing, and the Cache Server stores recently viewed
report pages for possible reuse. However, if users use the Advanced DHTML
viewer, the Report Application Server (RAS) processes the request.
If your reporting requirements demand that users have continual access to
the latest data, you can increase capacity in the following ways:
• Increase the maximum allowed size of the cache. For details, see
“Modifying Cache Server performance settings” on page 101.
• Verify the efficiency of your reports. When designing reports in Crystal
Reports, there are a number of ways in which you can improve the
performance of the report itself, by modifying record selection formulas,
using the database server’s resources to group data, incorporating
parameter fields, and so on. For more information, see the “Designing
Optimized Web Reports” section in the Crystal Reports User’s Guide
(version 8.5 and later).
• Increase the number of Page Servers that service requests on behalf of
Cache Servers. You can do this by installing additional Page Servers on
multiple machines. However, do not install more than one Page Server

154 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scaling Your System
General scalability considerations 6
per machine. The Page Server has been re-designed to optimize the
processing capability of a machine. It is therefore no longer
recommended that you install multiple Page Servers on one machine.
• Increase the number of Page Servers, Cache Servers, and Report
Application Servers on the system, and then distribute the processing
load through the use of server groups. For instance, you might create two
server groups, each containing one or more Cache Server/Page Server
pairs along with one or more Report Application Servers. You can then
specify individual reports that should always be processed by a particular
server group.
Increasing prompting capacity
When reports use a list of values, the RAS processes on-demand list-of-values
objects for the report when the report is being viewed. Scheduled list-of-values
objects are processed by the List of Values Job Server without using RAS.
To avoid contention with other applications that use the RAS, you can add a
RAS server that will be dedicated to processing list-of-value objects. In CMC
you can then create a RAS server group and assign the dedicated RAS to the
RAS server group. In Business View Manager, you then assign the list-of-
values objects to be processed by the RAS server group.
Delegating XSL transformation to Internet Explorer
If your users access InfoView via the Internet Explorer 6.0 browser, you can
instruct the Web Intelligence Report Server to delegate the transformation of
XML to XSL to the browser. This substantially decreases the load on the server,
primarily during document display, but also during display of the portal itself.
By default, the XSL transformation delegation is not activated.
To delegate XSL transformation to the browser for document display:
1. On the application server, set the CLIENT_XSLT variable in
webiviewer.properties, located in the WEB-INF\classes subfolder of the
application server as follows:
CLIENT_XSLT=Y
2. Restart the application server.

Enhancing custom web applications


If you are developing your own custom desktops or administrative tools with
the BusinessObjects Enterprise Software Development Kit (SDK), be sure to
review the libraries and APIs. You can now, for instance, incorporate
complete security and scheduling options into your own web applications.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 155


6 Scaling Your System
General scalability considerations

You can also modify server settings from within your own code in order to
further integrate BusinessObjects Enterprise with your existing intranet tools
and overall reporting environment.
To improve the scalability of your system, consider distributing administrative
efforts by developing web applications for delegated content administration.
You can grant select users the ability to manage particular BusinessObjects
Enterprise folders, content, users, and groups on behalf of their team,
department, or regional office.
In addition, be sure to check the developer documentation available on your
BusinessObjects Enterprise product CD for performance tips and other
scalability considerations. The query optimization section in particular
provides some preliminary steps to ensuring that custom applications make
efficient use of the query language.

Improving web response speeds


Because all user interaction with BusinessObjects Enterprise occurs over the
Web, you may need to investigate a number of areas to determine exactly
where you can improve web response speeds. These are some common
aspects of your deployment that you should consider before deciding how to
expand BusinessObjects Enterprise:
• Assess your web server’s ability to serve the number of users who
connect regularly to BusinessObjects Enterprise. Use the administrative
tools provided with your web server software (or with your operating
system) to determine how well your web server performs. If the web
server is indeed limiting web response speeds, consider increasing the
web server’s hardware.
• If web response speeds are slowed only by report viewing activities, see
“Increasing scheduled reporting capacity” on page 153 and “Increasing
on-demand viewing capacity for Crystal reports” on page 154.
• Take into account the number of users who regularly access your system.
If you are running a large deployment, ensure that you have set up a
CMS cluster. For details, see “Increasing overall system capacity” on
page 152.
If you find that a single application server inadequately services the number of
scripting requests made by users who access your system on a regular basis,
consider the following options:
Note: Increase the hardware resources that are available to the application
server. If the application server is currently running on the web server, or on a
single machine with other BusinessObjects Enterprise components, consider

156 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scaling Your System
General scalability considerations 6
moving the application server to a dedicated machine.BusinessObjects
Enterprise does not support the session-replication functionality provided by
some Java web application servers.

Getting the most from existing resources


One of the most effective ways to improve the performance and scalability of
your system is to ensure that you get the most from the resources that you
allocate to BusinessObjects Enterprise.

Optimizing network speed and database efficiency


When thinking about the overall performance and scalability of
BusinessObjects Enterprise, don’t forget that BusinessObjects Enterprise
depends upon your existing IT infrastructure. BusinessObjects Enterprise
uses your network for communication between servers and for communication
between BusinessObjects Enterprise and client machines on your network.
Make sure that your network has the bandwidth and speed necessary to
provide BusinessObjects Enterprise users with acceptable levels of
performance. Consult your network administrator for more information.
BusinessObjects Enterprise processes reports against your database
servers. If your databases are not optimized for the reports you need to run,
then the performance of BusinessObjects Enterprise may suffer. Consult your
database administrator for more information.

Using the appropriate processing server


When users view a report using the Advanced DHTML viewer, the report is
processed by the Report Application Server rather than the Page Server and
Cache Server. The Report Application Server is optimized for report
modification. For simple report viewing you can achieve better system
performance if users select the DHTML viewer, the Active X viewer, or the
Java viewer. These report viewers process reports against the Page Server.
If the ability to modify reports is not needed at your site, you can disable the
Advanced DHTML viewer for all users of BusinessObjects Enterprise.
Disabling the Advanced DHTML Viewer
1. In the Central Management Console, select Business Objects
Applications.
2. Select Web Desktop.
3. On the Properties tab, go to the Viewers area. Clear the option labeled
Allow users to use the Advanced DHTML Viewer.
4. Click Update.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 157


6 Scaling Your System
Adding and deleting servers

Optimizing BusinessObjects Enterprise for report viewing


BusinessObjects Enterprise allows you to enable data sharing, which permits
different users accessing the same report object to use the same data when
viewing a report on demand or when refreshing a report. Enabling data
sharing reduces the number of database calls, thereby reducing the time
needed to provide report pages to subsequent users of the same report while
greatly improving overall system performance under load. However, to get full
value from data sharing, you must permit data to be reused for some period of
time. This means that some users may see “old” data when they view a report
on demand, or refresh a report instance that they are viewing.
For details on data sharing options for reports, see “Setting report viewing
options” on page 430. For more information on configuring BusinessObjects
Enterprise to optimize report viewing in your system, see the planning chapter
in the BusinessObjects Enterprise Installation Guide.

Adding and deleting servers


This section shows how to add and delete servers from a machine that is
already running BusinessObjects Enterprise components. It includes the
following sections:
• “Adding a server” on page 158
• “Deleting a server” on page 160
Tip: If you are adding new hardware to BusinessObjects Enterprise by
installing server components on new, additional machines, run the
BusinessObjects Enterprise installation and setup program from your product
distribution. The setup program allows you to perform an Expand installation.
During the Expand installation, you specify the existing CMS whose system
you want to expand, and you select the components that you want to install
on the local machine. For details, see the BusinessObjects Enterprise
Installation Guide.

Adding a server
These steps add a new instance of a server to the local machine. You can run
multiple instances of the same BusinessObjects Enterprise server on the
same machine.
To add a Windows server
Note: To complete this procedure, you must log on as an Administrator of the
local machine.

158 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scaling Your System
Adding and deleting servers 6
1. Start the CCM on the BusinessObjects Enterprise machine upon which
you want to install a new server.
2. On the toolbar, click Add Server.
The Add Business Objects Server Wizard displays its Welcome dialog
box.
3. Click Next.
The “Server Type and Display Name Configuration” dialog box appears

4. Click the Server Type list and select the kind of server you want to add.
5. Change the default Display Name field if you want a different name to
appear in the list of servers in the CCM.
Note: The display name for each server on the local machine must be
unique.
6. Change the default Server Name field if required.
Each server on the system must have a unique name. The default
naming convention is HOSTNAME.servertype (a number is appended if
there is more than one server of the same type on the same host
machine). This Server Name is displayed when you manage servers over
the Web in the Central Management Console (CMC).
When you add Input or Output File Repository Servers, the wizard always
precedes the server name you type with an “Input.” or “Output.” prefix.
So, if you add an Input FRS with the name SERVER02, the CCM actually
names the server Input.SERVER02. This “Input.” prefix is required by
the system. If you subsequently modify the server’s name through its
command line, do not remove the prefix.
7. Click Next.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 159


6 Scaling Your System
Adding and deleting servers

The “Set Configuration for this server” dialog box appears. The contents
of this dialog vary slightly, depending upon the type of server that you are
installing.
8. Type the name of the CMS that you want the server to communicate with.
If your CMS is not listening on the default port (6400), include the
appropriate port number, as in CMSname:port#
9. Click Next to accept any other default values, or modify them to suit your
environment.
Note: If port number options are displayed in this dialog box, do not
modify them. Instead, change ports through each server’s command line.
For details, see “Changing the default server port numbers” on page 131.
10. Confirm the summary information is correct; then click Finish.
The new server appears in the list, but it is neither started nor enabled
automatically.
11. Use the CCM (or the CMC) to start and then to enable the new server
when you want it to begin responding to BusinessObjects Enterprise
requests. For details, see “Viewing and changing the status of servers”
on page 74.
Tip: Auditing in BusinessObjects Enterprise is enabled on a per server basis.
If you add a new server to your BusinessObjects Enterprise installation you
must enable auditing of actions on each new server. If you do not, the actions
performed on the new server will not be audited. See the BusinessObjects
Enterprise Auditor’s Guide for more information.
To add a UNIX server
Use the serverconfig.sh script. For reference, see the BusinessObjects
Enterprise Administrator’s Reference Guide.
Deleting a server
To delete a Windows server
1. Start the CCM on the BusinessObjects Enterprise machine that you want
to delete a server from.
2. Stop the server that you want to delete from the system.
3. With the server selected, click Delete Server on the toolbar.
4. When prompted for confirmation, click Yes.
To delete a UNIX server
Use the serverconfig.sh script. For reference, see the BusinessObjects
Enterprise Administrator’s Reference Guide.

160 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Working with Firewalls

chapter
7 Working with Firewalls
Firewalls overview

Firewalls overview
BusinessObjects Enterprise works with firewall systems to provide reporting
across intranets and the Internet without compromising network security. This
chapter provides general information about what a firewall is and types of
firewalls:
• “What is a firewall?” on page 162
• “Firewall types” on page 163
If you are already familiar with firewalls and the configuration used in your
network, proceed directly to “Understanding firewall integration” on page 166.

What is a firewall?
A firewall is a security system that protects one or more computers from
unauthorized network access. A firewall restricts people to entering and
leaving your network at a carefully controlled point. It also prevents attackers
from getting close to your other defenses. Typically, a firewall protects a
company’s intranet from being improperly accessed through the Internet.
A firewall can enforce a security policy, log Internet activity, and be a focus for
security decisions. A firewall can’t protect against malicious insiders or
connections that don’t go through it. A firewall also can’t set itself up correctly
or protect against completely new threats.
To help explain how firewalls work, some basic networking terms are
described here:
• “TCP/IP and packets” on page 162
• “Ports” on page 163
If you are already familiar with these topics see “Understanding firewall
integration” on page 166.

TCP/IP and packets


TCP/IP (Transmission Control Protocol/Internet Protocol) is the
communications protocol used on the Internet. The units of data transmitted
through a TCP/IP network are called packets. Packets are typically too small
to contain all the data that is sent at any one time, so multiple packets are
required, each containing a portion of the overall data. When data is sent by
TCP/IP, the packets are constructed such that a layer for each protocol is
wrapped around each packet.

162 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Working with Firewalls
Firewalls overview 7
Typically, TCP/IP packets have the following layers:
• Application layer (for example, FTP, telnet, and HTTP).
• Transport layer (TCP or UDP).
• Internet layer (IP).
• Network Access layer (for example, ethernet and ATM).
At the application layer, the packet consists simply of the data to be
transferred. As the packet moves through the layers, each layer adds a
header to the packet, preserving the data from the previous level. These
headers are used to determine the packet’s destination and to ensure that it
arrives intact. When the packet reaches its destination, the process is
reversed: the layers are sequentially removed until the transferred data is
available to the destination application.

Ports
Ports are logical connection points that a computer uses to send and receive
packets. With TCP/IP, ports allow a client program to specify a particular
server program on a computer in a network. High-level applications that use
TCP/IP have ports with pre-assigned numbers. For instance, when you visit a
typical HTTP site over the Web, you communicate with the web server on port
80, which is the pre-assigned port for HTTP communication.
Other application processes are given port numbers dynamically for each
connection. When a service or daemon initially is started, it binds to its
designated port number. When any client program wants to use that server, it
must also request to bind to the designated port number. Valid port numbers
range from 0 to 65536, but ports 0 to 1024 are reserved for use by certain
privileged services.

Firewall types
Firewalls primarily function using at least one of the following methods:
• “Packet filtering” on page 164
• “Network Address Translation” on page 164
• “SOCKS proxy servers” on page 165
BusinessObjects Enterprise works with these firewall types.
Note: Business Objects will be moving away from supporting SOCKS proxy
servers. As a result SOCKS proxy servers are still supported in
BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a
future release of BusinessObjects Enterprise. If you are using SOCKS proxy
servers now, we recommend you switch to a different firewall method.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 163


7 Working with Firewalls
Firewalls overview

Packet filtering
Packet filtering rejects TCP/IP packets from unauthorized hosts and rejects
connection attempts to unauthorized services. Packet filtering can reject
packets based on the following:
• The address the data is coming from.
• The address the data is going to.
• The session and application ports being used to transfer the data.
• The data contained within the packet.
Typically there are two types of packet filtering:
• Stateful packet filters remember the state of connections at the network
and session layers by recording the established session information that
passes through the filter gateway. The filter then uses that information to
discriminate valid return packets from invalid connection attempts.
• Stateless packet filters do not retain information about connections in
use; instead, they make determinations packet-by-packet based only on
the information contained within the packet. Firewalls that employ packet
filtering will work with BusinessObjects Enterprise.

Network Address Translation


Network Address Translation (NAT) converts private IP addresses in a private
network to globally unique, public IP addresses for use external to that
network. NAT is also called IP masquerading. The main purpose of NAT is to
hide internal hosts.
As outgoing packets are routed through the firewall, NAT hides internal hosts
by converting their IP addresses to an external address. Once the translation
is complete, the firewall sends the data payload on to its original destination;
thus, NAT makes it appear that all traffic from your site comes from one (or
more) external IP addresses.
The firewall maintains a translation table to keep track of the address
conversions that it has performed. When an incoming response arrives at the
firewall, the firewall uses this translation table to determine which internal host
should receive the response. Because this type of firewall essentially sends
and receives data on behalf of internal hosts, NAT can also be described as a
simple proxy.

164 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Working with Firewalls
Firewalls overview 7
There are two basic types of NAT:
• Static translation (port forwarding) grants a specific internal host a fixed
translation that never changes. For example, if you run an email server
inside a firewall, you can establish a static route through the firewall for
that service.
• Dynamic translation (automatic, hide mode, or IP masquerade) shares
a small group of external IP addresses amongst a large group of internal
clients for the purpose of expanding the internal network address space.
Because a translation entry does not exist until an internal client
establishes a connection out through the firewall, external computers
have no way to address an internal host that is protected using a
dynamically translated IP address.
Note: Some protocols do not function correctly when the port is changed.
These protocols will not work through a dynamically translated connection.
BusinessObjects Enterprise and static translation NAT can be configured so
that they work together.

SOCKS proxy servers


Note: Business Objects will be moving away from supporting SOCKS proxy
servers. As a result SOCKS proxy servers are still supported in
BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a
future release of BusinessObjects Enterprise. If you are using SOCKS proxy
servers now, we recommend you switch to a different firewall method.
SOCKS is a networking protocol that enables computers on one side of a
SOCKS server to access computers on the other side of a SOCKS server
without requiring a direct IP connection. A SOCKS server redirects
connection requests from computers on one side of it to computers on the
other side of it. A SOCKS server typically authenticates and authorizes
requests, establishes a proxy connection, and relays data between the
internal and external networks. BusinessObjects Enterprise supports and
works with SOCKS servers.
SOCKS servers work by listening for service requests from internal clients.
When an external request is made, the SOCKS server sends the requests to
the internal network as if the SOCKS server itself was the originating client.
When the SOCKS server receives a response from the internal server, it
returns that response to the original client as if it were the originating external
server. This effectively hides the identity and the number of clients on the
internal network from examination by anyone on the external network.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 165


7 Working with Firewalls
Understanding firewall integration

Understanding firewall integration


This section gives a conceptual overview of internal communications between
BusinessObjects Enterprise servers and the implications for firewall
configuration. It also reviews the most common firewall scenarios. It includes:
• “Communication between servers” on page 166
• “Typical firewall scenarios” on page 168
• “Firewall configuration overview” on page 168
For detailed step-by-step instructions on how to configure your system to
work in a firewalled environment, see “Configuring the system for firewalls” on
page 170.

Communication between servers


It is helpful to understand the basics of internal communications between
BusinessObjects Enterprise servers before configuring your BusinessObjects
Enterprise system to work with firewalls. BusinessObjects Enterprise
connections include:
• “Communication between servers and the CMS directory listing service”
on page 166
• “Communication between the application tier and CMS” on page 167
Some examples also apply to communications between a BusinessObjects
Enterprise server and the BusinessObjects Enterprise SDK (or other
BusinessObjects Enterprise SDKs, such as the Report Application Server
SDK or the Viewer SDK). Where applicable, these examples are indicated in
the descriptions.

Communication between servers and the CMS directory listing service


The Central Management Server (CMS) manages a directory listing service
for the application server and the servers in the Intelligence tier and the
Processing tier. See “Architecture overview and diagram” on page 44 for a
listing of these servers.
When a BusinessObjects Enterprise server first connects to the
BusinessObjects Enterprise framework, it registers its IP address and port
number with the CMS. By default this port number is dynamically chosen.
When one BusinessObjects Enterprise server needs to communicate with
another, it contacts the directory listing service on the CMS to obtain the
connection information. The first server then uses this information to
communicate directly with the second server.

166 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Working with Firewalls
Understanding firewall integration 7
For example, before running a scheduled report, the Job Server must
communicate with the Input File Repository Server (FRS) to obtain the report
object. To do so:
1. The Job Server contacts the CMS and requests connection information
for the Input FRS.
2. The CMS replies to the Job Server with the IP address and port number
of the Input FRS.
3. The Job Server uses this information to connect directly to the Input FRS.
All subsequent communications between the two servers continues using
the same address and port.
Note:
• This communication model is also used when a BusinessObjects
Enterprise SDK or the WCA communicates directly with a server in the
Intelligence tier or the Processing tier.
• Communications between the CMS and the BusinessObjects Enterprise
SDK and WCA follow another model. See “Communication between the
application tier and CMS” on page 167.
• Using the -requestport command, you can configure any
BusinessObjects Enterprise server to register a fixed port number with
the CMS, rather than using one that is dynamically selected.

Communication between the application tier and CMS


Not all BusinessObjects Enterprise components use the directory listing
service on the CMS to make their initial connections with other elements of
BusinessObjects Enterprise.
The WSA contacts the CMS using a pre-defined address and port number.
The CMS replies with its address and a second port number, which by default
is selected dynamically. Subsequent communications continue using this
address and second port number.
You can use the -requestport command to configure the CMS to reply with
a fixed port number for subsequent communications, rather than one that is
dynamically selected. Using the -port option, you can also customize the
CMS to listen on a specific port for initial communications, rather than using
the pre-defined default value (port 6400 for the CMS).
Note:
• Before changing the default port numbers, see “Changing the default
server port numbers” on page 131 for additional configuration information.
• You may also change the default port that the CMS uses to listen for
initial communications from the Configuration tab of the Properties dialog
in the Central Configuration Manager.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 167


7 Working with Firewalls
Understanding firewall integration

Firewall configuration overview


By default BusinessObjects Enterprise uses dynamically chosen port
numbers for communications between components. You must change this
default when you place a stateful firewall that uses packet filtering or Network
Address Translation (NAT) between BusinessObjects Enterprise components
because these firewalls provide protection by permitting communications from
outside the firewall with only specified addresses and ports inside the firewall.
To enable BusinessObjects Enterprise to communicate across such a firewall,
you must:
1. Configure its components to use fixed addresses and ports.
2. Configure your firewall to allow communications to the services behind
the firewall using these addresses and ports.
The process is similar when you configure your BusinessObjects Enterprise
system to communicate across SOCKS proxy filters. But BusinessObjects
Enterprise provides direct support for SOCKS proxy filters, so you need only
configure each component to be aware of the location and type of the proxies
that they communicate with.
Note: When this section mentions firewalling different BusinessObjects
Enterprise components, it assumes that the components reside on separate
computers. If the components reside on the same computer, their
communication is uninterrupted by firewalls, and no additional configuration is
required.

Typical firewall scenarios


If all users of your BusinessObjects Enterprise system are on your internal
network, there is no need to perform any special configuration of your
firewalls or of BusinessObjects Enterprise. Simply place all BusinessObjects
Enterprise components on computers inside your firewall.
However, if you need to provide access to BusinessObjects Enterprise to
external users, you must consider where to place each BusinessObjects
Enterprise component, and how to configure both BusinessObjects
Enterprise and your firewalls in order to provide this access.
This section outlines the following common firewall scenarios:
• “Application tier separated from the CMS by a firewall” on page 169
• “Thick client separated from the CMS by a firewall” on page 169
These scenarios are general cases: once you understand the firewalling
issues involved, you should be able to support BusinessObjects Enterprise in
wide variety of contexts.

168 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Working with Firewalls
Understanding firewall integration 7
Application tier separated from the CMS by a firewall
In most cases, clients access protected information through a web server
running in a Demilitarized Zone (DMZ). A DMZ is a network area that is
neither part of the internal network nor directly part of the Internet. Typically,
the DMZ is set up between two firewalls: an outer firewall and an inner
firewall.
You may chose to place your application server in the DMZ, while placing the
CMS and all other BusinessObjects Enterprise servers on the internal
network. BusinessObjects Enterprise requires that the CMS and the
remaining server components are not separated from one another by
firewalls.
Note: Placing your application server in the DMZ is less secure than placing
it on your internal network. For maximum security, you may prefer to place
your BusinessObjects Enterprise application server on your internal network.
For more information, see:
• “Configuring NAT when application tier is separated from the CMS” on
page 171
• “Configuring packet filtering when application tier is separated from CMS”
on page 177
• “Configuring for SOCKS servers” on page 179

Thick client separated from the CMS by a firewall


You can publish reports or analytic objects to BusinessObjects Enterprise by
saving these objects to BusinessObjects Enterprise from within Crystal
Reports or OLAP Intelligence, or by using the Import Wizard or Publishing
Wizard. However, the thick clients communicate directly with the CMS. This
means that if there is a firewall between the computer running one of these
thick clients and the CMS, this operation fails. You must configure your CMS,
your File Repository Servers, and your firewall if you want to support this
network configuration.
For more information, see:
• “Configuring NAT when thick client is separated from the CMS” on
page 176
• “Configuring packet filtering when thick client is separated from the CMS”
on page 179

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 169


7 Working with Firewalls
Configuring the system for firewalls

Configuring the system for firewalls


This section gives practical step-by-step instructions for configuring your
BusinessObjects Enterprise system to work in a firewalled environment. It
includes:
• “Configuring desktop products across a firewall” on page 170
• “Configuring for Network Address Translation” on page 171
• “Configuring for packet filtering” on page 176
• “Configuring for SOCKS servers” on page 179
For a conceptual overview of communications between BusinessObjects
Enterprise components and of supported firewall configurations, see
“Understanding firewall integration” on page 166.
Note: If you have multiple BusinessObjects Enterprise servers of a given type,
the overall procedure for configuring your system to work with firewalls will not
change. Configure each server as described in the section that describes your
firewall environment, and then specify a firewall rule for the server.

Configuring desktop products across a firewall


This section explains how to configure desktop products such as Desktop
Intelligence and Designer across a firewall.
To specify the request ports for BusinessObjects Enterprise
1. Go to the CCM and stop the CMS.
2. Right-click on the CMS, and then select Properties.
3. Add the following entry at the end of the command field:
-port <FQDN>:6400 -requestport 6401
4. Click OK, and then restart the CMS.
5. Repeat steps 1 through 4 for the Input FRS but add this entry to the
Command field:
-port <FQDN> -requestport 6402
6. Repeat steps 1 through 4 for the Output FRS but add this entry to the
Command field:
-port <FQDN> -requestport 6403
Note:
• Replace FQDN with the fully qualified domain name of the server running
your BusinessObjects Enterprise servers.

170 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Working with Firewalls
Configuring the system for firewalls 7
• You can use different ports than in the previous examples. However, it is
not recommended you use port 6400 except as is shown in the example
since port 6400 is the default port number for the CMS.
To make the required changes on the firewall
1. Go to the area where you specify ports in your firewall software.
Note: Consult your specific firewall documentation for details.
2. Open the following TCP BI-Directional ports between the server running
your BusinessObjects Enterprise servers and the desktop:
• 6400
• 6401
• 6402
• 6403
3. Save your changes.

Configuring for Network Address Translation


If you use Network Address Translation (NAT) only on the outer firewall of the
DMZ, then no special configuration is required for BusinessObjects
Enterprise to communicate properly. However, if you separate
BusinessObjects Enterprise components using NAT, you need to configure
these components to communicate properly through the firewall.
Note: You can configure BusinessObjects Enterprise to communicate
properly across NAT firewalls that use static IP translation; however,
BusinessObjects Enterprise cannot communicate across a firewall whose IP
translation is dynamic.
Depending on your system configuring, configuring for Network Address
Translation can include one or both of the following tasks:
• “Configuring NAT when application tier is separated from the CMS” on
page 171
• “Configuring NAT when thick client is separated from the CMS” on
page 176

Configuring NAT when application tier is separated from the CMS


If the application server is separated from the CMS and other BusinessObjects
Enterprise servers by NAT, you must ensure that whenever a BusinessObjects
Enterprise server passes an address across the firewall to the application
server, it passes a fully qualified domain name (FQDN) that is routable by the
firewall.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 171


7 Working with Firewalls
Configuring the system for firewalls

Ports
The application server must be able to communicate with every
BusinessObjects Enterprise server behind the firewall. Therefore, you must
open a port on the firewall for each server. The application server must be a
Tomcat or IIS server.
Configuring BusinessObjects Enterprise for Network Address Translation
when the application tier is separated from the CMS by a firewall includes:
• “Configuring the CMS on Windows” on page 172
• “Configuring the CMS on UNIX” on page 172
• “Configuring the BusinessObjects Enterprise servers” on page 173
• “Configuring the hosts files” on page 174
• “Specifying firewall rules for NAT” on page 175
Configuring the CMS on Windows
To configure the CMS on Windows
1. Start the CCM.
2. Stop the Central Management Server.
3. On the toolbar, click Properties.
4. In the Command box, add the following option:
-port FQDN:6400 -requestport portnum
For the -port command, replace FQDN with the fully qualified domain
name of the machine that is running the CMS. This machine must be
routable from the application server.
For the -requestport command, substitute any valid free port number
for portnum.
Tip: If you want to customize the CMS so that it listens on a port other than
the default, substitute your new port number for the default value of 6400.
If you change the default port number of the CMS you must perform
additional system configuration. Before changing the port number, see
“Changing the default server port numbers” on page 131.
5. Click OK to return to the CCM.
6. Start the Central Management Server.
Configuring the CMS on UNIX
To configure the CMS on UNIX
1. Run ccm.sh.
By default the script and the ccm.config file are installed in the Business
Objects install directory, for example /export/home/businessobjects.

172 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Working with Firewalls
Configuring the system for firewalls 7
2. Stop the Central Management Server.
3. Edit the ccm.config file to insert the following command line:
-port FQDN:6400 -requestport portnum

For the -port command, replace FQDN with the fully qualified domain
name of the machine that is running the CMS. This machine must be
routable from the application server.
For the -requestport command, substitute any valid free port number
for portnum.
4. Use ccm.sh to start the Central Management Server.
Configuring the BusinessObjects Enterprise servers
The procedure for configuring the BusinessObjects Enterprise servers varies
for Windows and UNIX.
• “To configure BusinessObjects Enterprise servers on Windows” on
page 173
• “To configure BusinessObjects Enterprise servers on UNIX” on page 173
To configure BusinessObjects Enterprise servers on Windows
1. Start the CCM.
2. Stop the server.
3. On the toolbar, click Properties.
4. In the Command box, add the following option:
-port FQDN -requestport portnum

For the -port command, replace FQDN with the fully qualified domain
name of the machine that is running the server. This machine must be
routable from the application server.
For the -requestport command, substitute any valid free port number
for portnum. If more than one server is installed on the same machine,
each server on that machine must use a unique port number.
5. Click OK to return to the CCM.
6. Start the server.
7. Repeat for each BusinessObjects Enterprise server.
To configure BusinessObjects Enterprise servers on UNIX
1. Run ccm.sh.
By default the script and the ccm.config file are installed in the
Business Objects install directory, for example /export/home/
businessobjects.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 173


7 Working with Firewalls
Configuring the system for firewalls

2. Stop the server.


3. Edit the ccm.config file to insert the following command line:
-port FQDN -requestport portnum

For the -port command, replace FQDN with the fully qualified domain
name of the machine that is running the server. This machine must be
routable from the application server.
For the -requestport command, substitute any valid free port number
for portnum. If more than one server is installed on the same machine,
each server on that machine must use a unique port number.
4. Use ccm.sh to start the server.
5. Repeat for each BusinessObjects Enterprise server.
Configuring the hosts files
On each machine running a BusinessObjects Enterprise server, you must
configure the hosts file so that the server can map the FQDN it receives from
the Central Management Server (CMS) to an internally routable IP address.
This is necessary to enable communication between servers inside the firewall.
The procedure for configuring the hosts file is different for Windows and
UNIX. See:
• “To configure the hosts files on Windows” on page 174
• “To configure the hosts files on UNIX” on page 174
To configure the hosts files on Windows
1. Open the hosts file using a text editor like Notepad. The hosts file is
located at \WINNT\system32\drivers\etc\hosts.
2. Follow the instructions in the hosts file to add an entry for each machine
behind the firewall that is running a BusinessObjects Enterprise server or
servers. Use the internally routable IP address of the machine and its
externally routable fully qualified domain name.
3. Save the hosts file.
To configure the hosts files on UNIX
Note: Your UNIX operating system must be configured to first consult the
hosts file to resolve domain names, before consulting DNS. Consult your
UNIX systems documentation for details.
1. Open the hosts file using an editor like vi. The hosts file is located at
\etc\hosts.
2. Add an entry for each machine behind the firewall that is running a
BusinessObjects Enterprise server. Use the translated IP address of the
machine and its fully qualified domain name.

174 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Working with Firewalls
Configuring the system for firewalls 7
3. Save the hosts file.
4. On the firewall machine, add a route from the translated IP address to the
actual internal IP address:
route add translatedIPaddress actualIPaddress
Where translatedIPDaddress is the actual translated IP address, and
actualIPaddress is the actual internal IP address for the a server.

Specifying firewall rules for NAT


When there is a firewall between the application server and the rest of the
BusinessObjects Enterprise servers you need to specify the inbound access
rules and one outbound rule. The outbound rule is needed because the
application server may register listeners with any of the BusinessObjects
Enterprise servers
For details of how to specify these rules, consult your firewall documentation.
For details about the rules see:
• “Inbound Rules” on page 175
• “Outbound Rules” on page 176
The fixed port numbers specified in the chart are the port numbers you
specify for servers using -requestport. See “Configuring the CMS on
Windows” on page 172, and “Configuring the BusinessObjects Enterprise
servers” on page 173 for details.
Inbound Rules

Source Computer Port Destination Computer Port Action


Application server Any CMS 6400 Allow
Application server Any CMS fixed Allow
Application server Any Other BusinessObjects fixed Allow
Enterprise server
Any Any CMS Any Reject
Any Any Other BusinessObjects Any Reject
Enterprise Server
Note: There must be one inbound firewall rule for each BusinessObjects
Enterprise server behind the firewall. Whenever more than one server is
installed on the same machine, each server on that machine must use a
unique port number.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 175


7 Working with Firewalls
Configuring the system for firewalls

Outbound Rules

Source Computer Port Destination Computer Port Action


Machines hosting Any Application server Any Allow
BusinessObjects
Enterprise server
This outbound rule is needed because the application server may register
listeners on servers behind the firewall. These listeners may initiate
communication with the application server.

Configuring NAT when thick client is separated from the CMS


You can publish reports or analytic objects to BusinessObjects Enterprise by
saving these objects to BusinessObjects Enterprise from within Crystal
Reports or OLAP Intelligence, or by using the Import or Publishing Wizards.
However, if there is a firewall between the computer running one of these
thick clients and the Central Management Server (CMS), this operation fails.
Configuring your BusinessObjects Enterprise system to support this
configuration when the firewall uses Network Address Translation (NAT) is
very similar to configuring your system to support a NAT firewall between the
application tier and the Central Management Server.
For full instructions, follow the detailed steps in “Configuring NAT when
application tier is separated from the CMS” on page 171 but:
• Configure only the Central Management Server and the Input File
Repository Server.
• Establish inbound firewall rules for communication between the Crystal
Reports or OLAP Intelligence machine and the CMS and Input File
Repository Server. You do not need to establish an outbound firewall rule.

Configuring for packet filtering


If you use packet filtering only on the outer firewall of the DMZ, then no special
configuration is required for BusinessObjects Enterprise to communicate
properly. However, if you separate BusinessObjects Enterprise components
using packet filtering, you need to configure them to communicate properly
through the firewall.
This section includes:
• “Configuring packet filtering when application tier is separated from CMS”
on page 177
• “Configuring packet filtering when thick client is separated from the CMS”
on page 179.

176 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Working with Firewalls
Configuring the system for firewalls 7
Configuring packet filtering when application tier is separated from CMS
If your firewall performs packet filtering, you must configure the CMS and
every BusinessObjects Enterprise server inside the inner firewall to respond
to communications from the application server on a fixed port. This includes:
• “Configuring the BusinessObjects Enterprise servers” on page 177
• “Specifying firewall rules for packet filtering” on page 178
Configuring the BusinessObjects Enterprise servers
The procedure for configuring the BusinessObjects Enterprise servers varies
for Windows and UNIX. See:
• “To configure BusinessObjects Enterprise servers on Windows” on
page 177
• “To configure BusinessObjects Enterprise servers on UNIX” on page 177
To configure BusinessObjects Enterprise servers on Windows
1. Start the CCM.
2. Stop the first server.
3. On the toolbar, click Properties.
4. In the Command box, add the following option:
-requestport portnum
For the -requestport command, substitute any valid free port number
for portnum. If more than one server is installed on the same machine,
each server on that machine must use a unique port number.
Tip: If you want to customize the CMS so that it listens on a port other
than the default, also add -port cmsport to the command line, where
cmsport is the new port number for the default value of 6400. For example:
-port cmsport -requestport portnum
If you change the default port number of the CMS you must perform
additional system configuration. Before changing the port number, see
“Changing the default server port numbers” on page 131.
5. Click OK to return to the CCM.
6. Start the server.
7. Repeat for each BusinessObjects Enterprise server behind the firewall.
To configure BusinessObjects Enterprise servers on UNIX
1. Run ccm.sh.
By default the script and the ccm.config file are installed in the
BusinessObjects install directory, for example /export/home/
businessobjects.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 177


7 Working with Firewalls
Configuring the system for firewalls

2. Stop the server.


3. Edit the ccm.config file to insert the following command line:
-requestport portnum
For the -requestport command, substitute any valid free port number
for portnum. If more than one server is installed on the same machine,
each server on that machine must use a unique port number.
Tip: If you want to customize the CMS so that it listens on a port other
than the default, also add -port 6400 to the command line, substituting
your new port number for the default value of 6400.
If you change the default port number of the CMS you must perform
additional system configuration. Before changing the port number, see
“Changing the default server port numbers” on page 131.
4. Use ccm.sh to start the server.
5. Repeat for each BusinessObjects Enterprise server.
Specifying firewall rules for packet filtering
When there is a firewall between the application server and the rest of the
BusinessObjects Enterprise servers you need to specify the inbound access
rules and one outbound rule. The outbound rule is needed because the
application server may register listeners with any of the BusinessObjects
Enterprise servers.
For details of how to specify these rules, consult your firewall documentation.
For details about the rules see:
• “Inbound Rules” on page 178
• “Outbound Rules” on page 179
The fixed port numbers specified in the chart are the port numbers you specify for
the CMS and other BusinessObjects Enterprise servers using -requestport.
Inbound Rules

Source Computer Port Destination Computer Port Action


Application server Any CMS 6400 Allow
Application server Any CMS fixed Allow
Application server Any Other BusinessObjects fixed Allow
Enterprise server
Any Any CMS Any Reject
Any Any Other BusinessObjects Any Reject
Enterprise servers

178 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Working with Firewalls
Configuring the system for firewalls 7
Note: There must be an inbound firewall rule for each BusinessObjects
Enterprise server behind the firewall. Whenever more than one server is
installed on the same machine, each server on that machine must use a
unique port number.
Outbound Rules

Source Computer Port Destination Computer Port Action


Machines hosting Any Application server Any Allow
BusinessObjects
Enterprise server
This outbound rule is needed because the application server may register
listeners on servers behind the firewall. These listeners may initiate
communication with the application server.

Configuring packet filtering when thick client is separated from the CMS
You can publish reports or analytic objects to BusinessObjects Enterprise by
saving these objects to BusinessObjects Enterprise from within Crystal
Reports or OLAP Intelligence, or by using the Import or Publishing Wizards.
However, if there is a firewall between the computer running one of these
thick clients and the CMS, this operation fails.
Configuring your BusinessObjects Enterprise system to support this
configuration when the firewall uses packet filtering is very similar to
configuring your system to support a packet filtering firewall between the
application tier and the Central Management Server (CMS).
For full instructions, follow the detailed steps in “Configuring packet filtering
when application tier is separated from CMS” on page 177 but:
• Configure only the Central Management Server and the Input File
Repository Server to use fixed port numbers for communication.
• Establish inbound firewall rules for communication between the Crystal
Reports or OLAP Intelligence machine and the CMS and Input File
Repository Server. You do not need to establish an outbound firewall rule.

Configuring for SOCKS servers


Note: Business Objects will be moving away from supporting SOCKS proxy
servers. As a result SOCKS proxy servers are still supported in
BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a
future release of BusinessObjects Enterprise. If you are using SOCKS proxy
servers now, we recommend you switch to a different firewall method.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 179


7 Working with Firewalls
Configuring the system for firewalls

BusinessObjects Enterprise provides direct support for SOCKS proxy server


firewalls on Windows installations that use the BusinessObjects Enterprise
.NET SDK.
There is limited support of SOCKS for the UNIX installation of
BusinessObjects Enterprise, or for a Windows installation that uses the
BusinessObjects Enterprise Java SDK. You can configure the Web
Component Adapter to communicate through a SOCKS server, but the Java
SDK has no support for SOCKS. Therefore you may be able to configure your
system to support a custom CSP application and SOCKS, but you cannot use
JSP pages through a SOCKS firewall.
Note: The EBUS layer of the Java SDK does not support communications
using the SOCKs protocol. The means that applications written using the
Java SDK cannot be on the outside of a firewall from any components that
must be accessed, if the only means of traversing the firewall is using the
SOCKs protocol. Therefore only perform the test cases that utilize socks
when using IIS on a windows deployment
This list describes when to use the procedures that are provided in the
remainder of this section:
• Configuring the CMS for SOCKS Servers
Complete these steps if one or more SOCKS servers separate the WCA
from the CMS.
• Configuring the WCA for SOCKS servers
When configuring your WCA for SOCKS, complete these steps
regardless of the location of your SOCKS server(s).
BusinessObjects Enterprise requires that the CMS and the remaining server
components are not separated from one another by firewalls. The remaining
server components automatically obtain their SOCKS configuration from the
CMS, as required, so you don’t need to configure them separately.

Configuring the CMS for SOCKS Servers


Complete these steps if one or more SOCKS servers separate the application
server from the CMS. The remaining BusinessObjects Enterprise servers
automatically obtain their SOCKS configuration from the CMS, as required,
so you don’t need to configure them separately.
To configure the CMS on Windows
1. Start the CCM.
2. Stop all of the Business Objects servers, including the Central
Management Server.
3. Select the CMS and, on the toolbar, click Properties.

180 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Working with Firewalls
Configuring the system for firewalls 7
4. On the Connection tab, click Add.
5. In the SOCKS Proxy dialog box, type the Server Name or IP Address of
your SOCKS server.
6. In the Server Port field, type the number of the port that the SOCKS
server is listening on.
7. Select the SOCKS version that you are running (Ver 4 or Ver 5).
If you are using version 5 and you would like to secure access to the
server, select the authentication check box, and then enter your user
name and password.
8. Click OK.
If you have more than one SOCKS server, repeat steps 4 to 8 for each
additional server. Then click Up and Down to order the SOCKS servers
from the outermost (closest to the application server or Web Component
Server) to the innermost (closest to the CMS).
9. Click OK in all three dialog boxes to return to the CCM.
10. Start the BusinessObjects Enterprise server components.

Configuring the WCA for SOCKS servers


Complete these steps if one or more SOCKS servers separates the Web
Component Adapter (WCA) from the Central Management Server (CMS).
These steps provide the WCA with the required information about each
SOCKS server, in order, from the outermost to the innermost.
The outermost SOCKS server is the one closest to the web server. The
innermost SOCKS server is the last SOCKS server that the WCA
communicates with before the CMS.
The procedure for configuring the WCA is different for Windows and Unix.
See:
• “To configure the WCA on UNIX” on page 181
• “To configure the WCA on Windows” on page 181
To configure the WCA on UNIX
1. Run the sockssetup.sh script to configure the BusinessObjects
Enterprise servers and WCA to work with the SOCKS servers.
To configure the WCA on Windows
1. Add the SOCKS information to the WCA. Edit the web.xml deployment
descriptor file associated with the webcompadapter.war to insert a
SOCKS URI (universal resource identifier). This URI tells your WCA how
to contact the CMS through your SOCKS server(s).

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 181


7 Working with Firewalls
Configuring the system for firewalls

See “Configuring the Web Component Adapter” on page 80 for details on


editing web.xml.
2. Edit the file C:\Inetpub\wwwroot\Web.config.
a. Go to the line: <add key=”connection.socksUri” value-“*”/>
b. Add the following SOCKS server information:
*Socks://Version;User:Password@SOCKSserver:Port/
CMSmachine:Port
c. Save the file.
3. Configure the BusinessObjects Enterprise server:
a. Start the CCM.
b. Stop the CMS.
c. Double-click the CMS. The Properties dialog box appears.
d. Click Configuration tab.
e. Enter the SOCKS information.
f. Start the server again.
g. Repeat step 3 for all the BusinessObjects Enterprise server.

182 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing BusinessObjects
Enterprise Repository

chapter
8 Managing BusinessObjects Enterprise Repository
BusinessObjects Enterprise Repository overview

BusinessObjects Enterprise Repository


overview
The BusinessObjects Enterprise Repository is a database in which you
manage shared report elements such as text objects, bitmaps, custom
functions, and custom SQL commands. When you save any Business View, it
is also saved to the BusinessObjects Enterprise Repository. You can refresh
a report’s repository objects with the latest version from your BusinessObjects
Enterprise Repository when you publish reports to BusinessObjects
Enterprise. Alternatively, you can refresh a report’s repository objects on
demand over the Web.
The BusinessObjects Enterprise Repository is now hosted by the Central
Management Server (CMS) system database. Before publishing reports that
reference repository objects, move your existing Crystal Repository to the
Central Management Server database. See the rest of this chapter for details.

Copying data from one repository database


to another
BusinessObjects Enterprise enables you to copy the contents of one
repository database into another database. This procedure is also referred to
as migrating a BusinessObjects Enterprise Repository database. You can
migrate repository data from a different repository database (from version 10
of Crystal Reports, or version 10 of Crystal Enterprise) into your current CMS
database. Or, you can migrate the repository data from your current CMS
database into a different data source.
Throughout this section, the source CMS database refers to the database that
holds the data you are copying; this data is copied into the destination
database.

Importing data from a Crystal Enterprise 10 or


BusinessObjects Enterprise XI CMS
You may want to import repository objects from a Crystal Enterprise 10
installation, or you may want to import repository objects from one
BusinessObjects Enterprise XI installation to another. For example, you may
have repository data on a test system that you want to move onto a
production server.
Use the Import Wizard to copy repository data from the source CMS. You
can choose to merge the contents of the source repository into the
destination repository, or you can update the destination with the contents of
the source CMS.

184 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing BusinessObjects Enterprise Repository
Copying data from one repository database to another 8
Merging repositories
When you merge the contents of the source repository with the destination
repository, you add all repository objects from the source CMS into the
destination CMS without overwriting objects in the destination.
This is the safest import option. All of the objects in the destination repository
are preserved. Also, at a minimum, all repository objects from the source
system with a unique title are copied to the destination repository.
If an object from the source has the same title as an object in the destination,
the object is imported to the destination repository if:
• The object is not a Business View.
• You have selected “Automatically rename top-level folders that match
top-level folders on the destination system.”
The end result is a destination repository that contains all objects from the
source repository that have unique titles, copies of all non-Business View
objects from the source repository that have titles that match titles of objects
in the destination, and all objects originally in the destination repository.
When an object is copied from the source CMS to the destination CMS, the
folder or folders that contain the object are also copied, replicating the folder
hierarchy of the source system on the destination. However, the names of
top-level folders must be unique. Selecting “Automatically rename top-level
folders that match top-level folders on the destination system” allows these
folders to be renamed on the destination repository, and the objects in such
folders to be copied to these renamed folders.
Note: Top-level folders containing Business Views are not renamed,
regardless of the options set. Renaming these folders would change the
unique identifier associated with the Business View, causing the Business
View functionality to fail.

Updating the destination repository


When you update the contents of the destination repository using the source
repository as a reference, you add all objects in the source CMS to the
destination CMS. If an object in the source repository has the same unique
identifier as an object in the destination, the object in the destination is
overwritten.
All object titles in a folder must be unique. By default, if copying an object
from the source CMS to the destination CMS would result in more than one
object in a folder with the same title, the copy fails.
If you want these objects to be copied, select the check box “Automatically
rename objects if an object with that title already exists in the destination
folder.”

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 185


8 Managing BusinessObjects Enterprise Repository
Copying data from one repository database to another

Note: System Objects (users, user groups, servers, server groups, events,
and calendars), are not renamed when you import them from one CMS to
another, regardless of the options set. Changing the names of these objects
would cause user management, server management, and event
management for these objects to fail.
See “Using the Import Wizard” on page 387 for full instructions on using the
Import Wizard to copy objects from one BusinessObjects Enterprise XI
repository to another.

Specifying the source and destination environments


This procedure shows how to specify a source environment and a destination
environment using the initial screens of the Import Wizard.
To specify the source and destination environments
1. From the BusinessObjects Enterprise program group, click Import
Wizard.
2. Click Next.
The “Specify source environment” dialog box appears.
3. In the Source list, select BusinessObjects Enterprise XI.
4. In the CMS Name field, type the name of the source environment’s CMS
(Central Management Server).
5. Type the User Name and Password that provide you with administrative
rights to the source environment.

6. Click Next.
The “Specify destination environment” dialog box appears.
7. In the CMS Name field, type the name of the destination environment’s
Central Management Server.

186 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing BusinessObjects Enterprise Repository
Copying data from one repository database to another 8
8. Type the User Name and Password of an Enterprise account that
provides you with administrative rights to the BusinessObjects Enterprise
system; then click Next.

The “Choose objects to import” dialog box appears. Proceed to


“Selecting information to import” on page 187.

Selecting information to import


This procedure shows how to select the users, groups, folders, and reports
that you want to import. If you have not already started the Import Wizard, see
“Specifying the source and destination environments” on page 186.
To choose which objects to import
1. In the “Choose objects to import” dialog box, select the check box (or
boxes) corresponding to the information you want to import:
• Import users and user groups
• Import inbox documents
• Import personal categories
• Import personal Web Intelligence documents
• Import favorite folders for selected users
• Import application rights
• Import corporate categories
• Import corporate Web Intelligence documents
• Import folders and objects
• Import discussions associated with the selected reports
• Import events
• Import server groups
• Import repository objects

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 187


8 Managing BusinessObjects Enterprise Repository
Copying data from one repository database to another

• Import calendars
• Import universes
2. Click Next.
3. In the “Please choose an import scenario” dialog box, click one of the two
options:
• “I want to merge the source system into the destination system.”
Select this option if you want to add objects from the source system
to the destination system without overwriting objects in the
destination. For more information on this option, see “Merging
repositories” on page 185.
• “I want to update the destination system by using the source system
as a reference.”
Select this option if you want to add objects from the source system
to the destination system, overwriting objects in the destination when
they have the same unique identifier as those in the source. for more
information on this option, see “Updating the destination repository”
on page 185.
Click Next.
4. If you chose “Import repository objects”, the Import Progress dialog box
now displays status information and creates an Import Summary while
the Import Wizard completes its tasks.
5. If the Import Summary shows that some information was not imported
successfully, click View Detail Log for a description of the problem.
Otherwise, click Done.
Note: The information that appears in the Detail Log is also written to a
text file called ImportWiz.log, which you will find in the directory from
which the Import Wizard was run. By default, this directory is:
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\win32_x86\
The log file included a system-generated ID number, a title that describes
the imported information, and a field that describes the action taken and
the reason why.

Copying data from a Crystal Enterprise 9 repository


database
In Crystal Enterprise 9, the Crystal Repository database was hosted on a
separate database server that you could connect to through ODBC.

188 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing BusinessObjects Enterprise Repository
Copying data from one repository database to another 8
In a BusinessObjects Enterprise environment, begin by making a backup
copy of the source repository database. Then replace the repository by
importing its contents into the CMS database using the Repository Migration
Wizard.
When you use the Repository Migration Wizard, neither the source nor the
destination database is overwritten. Objects from the source repository will be
added to the destination repository database. If the Wizard finds identical
objects (that is, objects with the same unique identifier) in the source and
destination repositories, the source objects will not be copied.
When you copy repository objects into BusinessObjects Enterprise XI, only
the most recent version of each object is copied.
Note: Reports configured to use the source repository will now refer to the
destination data source.
To copy repository data from Crystal Enterprise 9
1. From the BusinessObjects Enterprise program group, click Repository
Migration Wizard. You must run the wizard on the machine containing
your source repository.
2. From the Source list in the Select Source Repository dialog, click the
name of the repository that you want to import.
3. Type the UserID and Password of a user with administrative rights to the
repository database. Click Next.
4. The Select Destination Data Source dialog appears. In the CMS field,
type the name of the destination data source’s Central Management
Server.
5. Type the User Name and Password of an Enterprise account that
provides you with administrative rights to the CMS; then click Next.
6. From the “Source Repository Objects” list, select the items that you want
to copy to your BusinessObjects Enterprise repository database. Click
Next.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 189


8 Managing BusinessObjects Enterprise Repository
Copying data from one repository database to another

BusinessObjects Enterprise exports the selected repository objects from


your BusinessObjects Enterprise Repository, reporting success or failure
for each object.
7. Select the folder in your destination repository where objects from your
source directory will be placed.
To add objects to a new folder, select “Insert a new folder”, and then type
the name of the folder.

8. To delete an existing folder from your repository, select it, and then click
“Delete the item/folder”.
9. Click Next, and then Finish to complete the transfer and close the
Repository Migration Wizard.
When you use the Repository Migration Wizard, neither the source nor the
destination database is overwritten. Objects from the source repository will be
added to the destination repository database. If the Wizard finds identical
objects in the source and destination repositories, the source objects will not
be copied.
When you copy repository objects into BusinessObjects Enterprise XI, only
the most recent version of each object is copied.
Note: Reports configured to use the source repository will now refer to the
destination data source.

Copying data from a Crystal Reports 9 repository database


The Crystal Repository shipped with Crystal Reports 9 was an Access
database (Repository.mdb). By default, it was located in the following
directory of your Crystal Reports installation:
C:\Program Files\Common Files\Crystal Decisions\2.0\bin\
Begin by making a backup copy of this default database. Then replace the
default repository by importing its contents into the CMS database using the
Repository Migration Wizard.

190 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing BusinessObjects Enterprise Repository
Copying data from one repository database to another 8
When you use the Repository Migration Wizard, neither the source nor the
destination database is overwritten. Objects from the source repository will be
added to the destination repository database. If the Wizard finds identical
objects in the source and destination repositories, the source objects will not
be copied.
When you copy repository objects into BusinessObjects Enterprise XI, only
the most recent version of each object is copied.
Note: Reports configured to use the source repository will now refer to the
destination data source.
To copy repository data from Crystal Reports 9
1. From the BusinessObjects Enterprise program group, click Repository
Migration Wizard. You must run the wizard on the machine containing
your source repository.
2. From the Source list in the Select Source Repository dialog, click the
name of the repository that you want to import.
If you created security for your repository database, type a User id and
Password valid for the repository database.
3. Click Next.
4. Log on to the CMS using a user name with administrative rights to
BusinessObjects Enterprise.
5. From the “Source Repository Objects” list, select the items that you want
to copy to your BusinessObjects Enterprise repository database. Click
Next.
6. Select the folder in your destination repository where objects from your
source directory will be placed.
• To add objects to a new folder, select “Insert a new folder”, and then
type the name of the folder.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 191


8 Managing BusinessObjects Enterprise Repository
Copying data from one repository database to another

• To delete an existing folder from your repository, select it, and then
click “Delete the item/folder”.
7. Click Next.
BusinessObjects Enterprise exports the selected repository objects from
your Crystal Reports repository, reporting success or failure for each object.
8. Click Next, and then Finish to complete the transfer and close the
Repository Migration Wizard.

Refreshing repository objects in published reports


As you update objects stored in your BusinessObjects Enterprise Repository,
you will want to update the published Crystal reports that reference those
repository objects. When you refresh a report in this way, the old repository
objects stored in the report are replaced with the latest versions from the
BusinessObjects Enterprise Repository.
Note: Although refreshing with the repository is faster, you can also refresh
reports by setting options that compare reports to their original source .rpt
files. For more information, see “Setting report refresh options” on page 428.
Tip: If you use Crystal Reports to open reports directly from your
BusinessObjects Enterprise folders, you can update repository objects at that
time. You can also refresh repository objects when you publish reports. For
details, see “Publishing Objects to BusinessObjects Enterprise” on page 345.
To refresh a published report’s repository objects
1. Go to the Objects management area of the CMC.
2. Click the link to the report you want to refresh.
3. On the Properties tab, click the Refresh Options link.
4. Verify that the Use Object Repository when refreshing report check
box is selected.
Note: If the check box is cleared, select it now and click Update.
5. Click Refresh Report.
Tip: Once you have enabled repository refresh for each report, you can
refresh multiple reports simultaneously using the Report Repository Helper.
The Report Repository Helper is available from Administrative Tools area in
the BusinessObjects Enterprise Admin Launchpad.

192 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise
Security Concepts

chapter
9 BusinessObjects Enterprise Security Concepts
Security overview

Security overview
The BusinessObjects Enterprise architecture addresses the many security
concerns that affect today’s businesses and organizations. The current release
supports features such as distributed security, single sign-on, resource access
security, granular object rights, and third-party Windows NT, LDAP, and
Windows AD authentication in order to protect against unauthorized access.
To allow for further customization of security, BusinessObjects Enterprise
supports dynamically loaded processing extensions. And, for monitoring and
auditing purposes, BusinessObjects Enterprise allows you to log various web
statistics, thus enabling you to detect potential security concerns.
Because BusinessObjects Enterprise provides the framework for an
increasing number of components from the Enterprise family of Business
Objects products, this chapter details the security features and related
functionality to show how the framework itself enforces and maintains security.
As such, this chapter does not provide explicit procedural details; instead, it
focuses on conceptual information and provides links to key procedures.
Related topics:
• For key procedures that show how to modify the default accounts,
passwords, and other security settings, see “Making initial security
settings” on page 28.
• For procedures that show how to set up authentication, users, and
groups, see “Managing User Accounts and Groups” on page 215.
• For procedures that show how to set object rights for your BusinessObjects
Enterprise content, see “Controlling User Access” on page 291.

Authentication and authorization


Authentication is the process of verifying the identity of a user who attempts
to access the system, and authorization is the process of verifying that the
user has been granted sufficient rights to perform the requested action upon
the specified object.
This section describes the authentication and authorization processes in
order to provide a general idea of how system security works within
BusinessObjects Enterprise. Each of the components and key terms is
discussed in greater detail later in this chapter.
Because BusinessObjects Enterprise is fully customizable, the authentication
and authorization processes may vary from system to system. This section uses
InfoView as a model and describes its default behavior. If you are developing

194 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Security Concepts
Authentication and authorization 9
your own BusinessObjects Enterprise end-user or administrative applications
using the BusinessObjects Enterprise Software Development Kit (SDK), you
can customize the system’s behavior to meet your needs. For complete details,
see the developer documentation available on your product CD.
For procedures that show how to set up the different authentication types, see
“Available authentication types” on page 218.

Primary authentication
Primary authentication occurs when a user first attempts to access the
system. The user provides a user name and password and specifies an
authentication type. The authentication type may be Enterprise, Windows NT,
LDAP, or Windows AD authentication, depending upon which type(s) you
have enabled and set up in the Authorization management area of the Central
Management Console (CMC). The user’s web browser sends the information
by HTTP to your web server, which routes the information to the Web
Component Adapter (WCA).
The WCA passes the user’s information to logon.aspx and runs the script.
Internally, this script communicates with the SDK and, ultimately, the
appropriate security plug-in to authenticate the user against the user database.
For instance, if the user specifies Enterprise Authentication, the SDK ensures
that the BusinessObjects Enterprise security plug-in performs the
authentication. The Central Management Server (CMS) uses the
BusinessObjects Enterprise security plug-in to verify the user name and
password against the system database. Alternatively, if the user specifies
Windows NT, LDAP, or Windows AD Authentication, the SDK uses the
corresponding security plug-in to authenticate the user.
If the security plug-in reports a successful match of credentials (including a
match to an appropriate group membership for Windows NT, Windows AD, or
LDAP authentication), the CMS grants the user an active identity on the
system and the system performs several actions:
• The CMS stores the user’s information in memory in a CMS session
variable. While active, this session consumes one user license on the
system.
• The CMS generates and encodes a logon token and sends it to the WCA.
• The WCA stores the user’s information in memory in a WCA session
variable. While active, this session stores information that allows
BusinessObjects Enterprise to respond to the user’s requests.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 195


9 BusinessObjects Enterprise Security Concepts
Authentication and authorization

Note:
• If you are familiar with the SDK, you should note that the WCA here
instantiates the InfoStore object and stores it in the WCA session
variable.
• The session variable does not contain the user’s password.
• The WCA sends the logon token to the user’s web browser, and the web
browser caches the token in a cookie. Until the logon token expires, its
encoded information serves as the user’s valid ticket for the system.
Each of these steps contributes to the distributed security of BusinessObjects
Enterprise, because each step consists of storing information that is used for
secondary identification and authorization purposes. This is the model used in
InfoView. However, if you are developing your own client application and you
prefer not to store session state on the WCA, you can design your application
such that it avoids using WCA session variables.
Note:
• The third-party Windows NT, LDAP, and Windows AD security plug-ins
work only once you have mapped groups from the external user
database to BusinessObjects Enterprise. For details, see “Available
authentication types” on page 218.
• In a single sign-on situation, BusinessObjects Enterprise retrieves users’
credentials and group information directly from the Windows NT or
Windows AD system. Hence, users are not prompted for their credentials.

Secondary authentication and authorization


Secondary authentication is the process of double-checking the identity of
each user who attempts to view, run, schedule, or otherwise act upon an
object that is managed by BusinessObjects Enterprise. Authorization is the
process of verifying that the user has been granted sufficient rights to perform
the requested action upon the specified object.
When a user attempts to access an object on the system, the web browser
sends the request by HTTP to the WCA. Before fulfilling the user’s request,
the WCA performs a series of security-related steps.
1. First, the WCA ensures that the user has a valid logon token:
• If there is a valid logon token, the WCA proceeds to its next task.
• If there is no valid logon token, the primary authentication process is
repeated.
For more information about logon tokens, see “Logon tokens” on
page 209.

196 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Security Concepts
Authentication and authorization 9
2. Second, the WCA checks internally for an active WCA session that
matches the user’s logon token:
• If the corresponding WCA session variable remains in memory, the
WCA proceeds to its next task.
• If the WCA session variable has timed out, the user is logged back
on with the logon token. The SDK authenticates the user against the
appropriate user database, and the CMS and the WCA recreate the
required session variables. In this case, BusinessObjects Enterprise
does not have to prompt the user for credentials, because the
encoded logon token contains the required information.
3. Third, the WCA ensures that the appropriate server component actually
processes the user’s request:
• If the WCA can process the request itself, it queries the CMS
database for the rights associated with the object that the user
requested.
For instance, if the user requests a list of reports in a specific folder,
the WCA queries the CMS database for a list of the reports that the
user is authorized to see. The WCA then dynamically lists the reports
in an HTML page, and sends the page to the user’s browser.
• If a different server component must process the request, the WCA
sends the request and the user’s logon token to the appropriate
server component. That server component then queries the CMS
database for the rights associated with the object that the user
requested.
For instance, if the user attempts to refresh a report’s data, the WCA
passes the request along to the Page Server. The Page Server
passes the logon token to the CMS to ensure that the user is
authorized to refresh the report.
For details about how the CMS calculates a user’s effective rights to
an object, see “Calculating a user’s effective rights” on page 304.
This secondary authentication and authorization process begins similarly to
initial identification; here, however, the authentication algorithm followed by
the WCA maintains system security in the fewest number of steps, thereby
providing the most efficient response to the user’s initial request.
Note: If the user does not have the right to perform the requested action, the
WCA displays an appropriate message. For details about setting object
rights, see “Controlling User Access” on page 291.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 197


9 BusinessObjects Enterprise Security Concepts
Authentication and authorization

About single sign-on


The term single sign-on is used to describe different scenarios. At its most
basic level, it refers to a situation where a user can access two or more
applications or systems while providing their log-on credentials only once,
thus making it easier for users to interact with the system.
Single sign-on to BusinessObjects Enterprise can be provided by
BusinessObjects Enterprise, or by different authentication tools such as
Windows NT, Windows AD, or LDAP with SiteMinder.
Within the context of BusinessObjects Enterprise, we distinguish the following
levels of single sign-on:
• “Single sign-on to BusinessObjects Enterprise” on page 198
• “Single sign-on to database” on page 199
• “End-to-end single sign-on” on page 199
Single sign-on to BusinessObjects Enterprise
Single sign-on to BusinessObjects Enterprise means that once users have
logged on to the operating system they can access BusinessObjects
Enterprise without having to provide their logon credentials again. When they
log on to the operating system, a logon token is created. The system uses this
token to authenticate the users and grant them access to BusinessObjects
Enterprise and its components.
The term “anonymous single sign-on” also refers to single sign-on to
BusinessObjects Enterprise, but it specifically refers to the single sign-on
functionality for the Guest user account. When the Guest user account is
enabled, which it is by default, anyone can log on to BusinessObjects
Enterprise as Guest and will have single sign-on access to BusinessObjects
Enterprise. For more information, see “Disabling a user account” on page 29.
Single sign-on to BusinessObjects Enterprise was already supported in
previous versions of Crystal Enterprise and continues to exist in
BusinessObjects Enterprise XI. For information on configuring single sign-on
to BusinessObjects Enterprise, see:
• “Managing Enterprise and general accounts” on page 219
• “Setting up NT single sign-on” on page 259
• “Configuring LDAP authentication” on page 230
• “Setting up AD single sign-on” on page 249

198 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Security Concepts
Security management components 9
Single sign-on to database
Once users are logged on to BusinessObjects Enterprise, single sign-on to
the database enables them to perform actions that require database access,
in particular, viewing reports and Web Intelligence documents, without having
to provide their logon credentials again. Single sign-on to the database can
be combined with single sign-on to BusinessObjects Enterprise, to provide
users with even easier access to the resources they need. See “End-to-end
single sign-on” on page 199.
In BusinessObjects Enterprise XI single sign-on to the database is supported
through Windows AD using Kerberos. You may want to use single sign-on to
the database rather than end-to-end single sign-on, if you don’t want the
LocalSystem account for the IIS to be trusted for delegation.
For more information see “Configuring Kerberos single sign-on to the
database” on page 266, in particular “Configuring IIS for single sign-on to
databases only” on page 284, and “Configuring web applications for single
sign-on to the databases” on page 288.
End-to-end single sign-on
End-to-end single sign-on refers to a configuration where users have both
single sign-on access to BusinessObjects Enterprise at the front-end, and
single sign-on access to the databases at the back-end. Thus, users need to
provide their logon credentials only once, when they log on to the operating
system, to have access to BusinessObjects Enterprise and to be able to
perform actions that require database access, such as viewing reports.
In BusinessObjects Enterprise XI end-to-end single sign-on is supported
through Windows AD and Kerberos. For more information, see “Configuring
Kerberos single sign-on to the database” on page 266.

Security management components


System security within BusinessObjects Enterprise is distributed across most
components, but it is managed primarily by the WCA, the CMS, the security
plug-ins, and third-party authentication tools, such as SiteMinder and Kerberos.
These components work together to authenticate and to authorize users who
access BusinessObjects Enterprise, its folders, and its other objects.
This section discusses the key components as they relate to system security.
It includes:
• “Web Component Adapter” on page 200
• “Central Management Server” on page 200
• “Security plug-ins” on page 201

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 199


9 BusinessObjects Enterprise Security Concepts
Security management components

• “Processing extensions” on page 207


Note: Because these components are responsible for additional tasks,
several of the components discussed in this section are described in
additional detail in “BusinessObjects Enterprise Architecture” on page 43.

Web Component Adapter


The WCA is the gateway between the web server and the remaining
BusinessObjects Enterprise components. As such, the WCA receives all
HTTP requests that are sent to BusinessObjects Enterprise from users’ web
browsers.
The WCA ensures that each user has a valid logon token for the system. If
the logon token is missing, or if it has expired, the WCA initiates the primary
authentication process. For details, see “Primary authentication” on
page 195.
The WCA is also responsible for maintaining the user’s session state in the
WCA session variable. This session variable contains information that
BusinessObjects Enterprise uses when fulfilling user’s requests. For details,
see “Sessions and session tracking” on page 210.

Central Management Server


In relation to system security, the Central Management Server (CMS)
performs a number of important tasks. The majority of these tasks rely upon
the database that the CMS uses to keep track of BusinessObjects Enterprise
system data. This data includes security information, such as user accounts,
group memberships, and object rights that define user and group privileges.
When you first set up your system, the CMS allows you to create user
accounts and groups within BusinessObjects Enterprise. And, with its third-
party security plug-ins, the CMS allows you to reuse existing user accounts
and groups that are stored in a third-party system (a Windows NT user
database, an LDAP directory server, or a Windows AD server). The CMS
supports third-party authentication, so users can log on to BusinessObjects
Enterprise with their current Windows NT, LDAP, or Windows AD credentials.
When users log on, the CMS coordinates the authentication process with its
security plug-ins; the CMS then grants the user a logon token and an active
session on the system. The CMS also responds to authorization requests
made by the rest of the system. When a user requests a list of reports in a
particular folder, the CMS authorizes the request only when it has verified that
the user’s account or group membership provides sufficient privileges.

200 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Security Concepts
Security management components 9
For details about the CMS and how it calculates a user’s effective rights to an
object, see “Calculating a user’s effective rights” on page 304.
For more information about the CMS and the CMS database, see “Central
Management Server (CMS)” on page 52.

Security plug-ins
Security plug-ins expand and customize the ways in which BusinessObjects
Enterprise authenticates users. BusinessObjects Enterprise currently ships
with the system default BusinessObjects Enterprise security plug-in and with
the Windows NT, LDAP, and Windows AD security plug-ins. Each security
plug-in offers several key benefits.
Security plug-ins facilitate account creation and management by allowing you
to map user accounts and groups from third-party systems into
BusinessObjects Enterprise. You can map third-party user accounts or groups
to existing BusinessObjects Enterprise user accounts or groups, or you can
create new Enterprise user accounts or groups that corresponds to each
mapped entry in the external system.
The security plug-ins dynamically maintain third-party user and group listings.
So, once you map a Windows NT, LDAP, or Windows AD group into
BusinessObjects Enterprise, all users who belong to that group can log on to
BusinessObjects Enterprise. When you make subsequent changes to the
third-party group membership, you need not update or refresh the listing in
BusinessObjects Enterprise. For instance, if you map a Windows NT group to
BusinessObjects Enterprise, and then you add a new NT user to the NT
group, the security plug-in dynamically creates an alias for that new user when
he or she first logs on to BusinessObjects Enterprise with valid NT credentials.
Moreover, security plug-ins enable you to assign rights to users and groups in
a consistent manner, because the mapped users and groups are treated as if
they were Enterprise accounts. For example, you might map some user
accounts or groups from Windows NT, and some from an LDAP directory
server. Then, when you need to assign rights or create new, custom groups
within BusinessObjects Enterprise, you make all of your settings in the CMC.
Each security plug-in acts as an authentication provider that verifies user
credentials against the appropriate user database. When users log on to
BusinessObjects Enterprise, they choose from the available authentication
types that you have enabled and set up in the Authorization management
area of the CMC: Enterprise (the system default), Windows NT, LDAP, or
Windows AD.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 201


9 BusinessObjects Enterprise Security Concepts
Security management components

Note: The Windows NT and Windows AD security plug-ins cannot


authenticate users if the BusinessObjects Enterprise server components are
running on UNIX, or if your system uses the BusinessObjects Enterprise Java
SDK.
BusinessObjects Enterprise supports the following security plug-ins:
• “BusinessObjects Enterprise security plug-in” on page 202
• “Windows NT security plug-in” on page 202
• “LDAP security plug-in” on page 204
• “Windows AD security plug-in” on page 206

BusinessObjects Enterprise security plug-in


The BusinessObjects Enterprise security plug-in (secEnterprise.dll) is
installed and enabled by default when you install BusinessObjects Enterprise.
This plug-in allows you to create and maintain user accounts and groups
within BusinessObjects Enterprise; it also enables the system to verify all
logon requests that specify Enterprise Authentication. In this case, user
names and passwords are authenticated against the BusinessObjects
Enterprise user list, and users are allowed or disallowed access to the system
based solely on that information. For details on setting up Enterprise users
and groups, see “Managing Enterprise and general accounts” on page 219.
Default accounts
When you first install BusinessObjects Enterprise, this plug-in sets up two
default Enterprise accounts: Administrator and Guest. Neither account has a
default password. For details on setting these passwords, see “Making initial
security settings” on page 28.
Single sign-on
The BusinessObjects Enterprise authentication provider supports anonymous
single sign-on for the Guest account. Thus, when users connect to
BusinessObjects Enterprise without specifying a user name and password,
the system logs them on automatically under the Guest account. If you assign
a secure password to the Guest account, or if you disable the Guest account
entirely, you disable this default behavior. For details, see “Disabling a user
account” on page 29.

Windows NT security plug-in


The Windows NT security plug-in (secWindowsNT.dll) allows you to map
user accounts and groups from your Windows NT user database to
BusinessObjects Enterprise; it also enables BusinessObjects Enterprise to
verify all logon requests that specify Windows NT Authentication. Users are

202 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Security Concepts
Security management components 9
authenticated against the Windows NT user database, and have their
membership in a mapped NT group verified before the CMS grants them an
active BusinessObjects Enterprise session.
This plug-in is compatible with NT 4 and Windows 2000 Active Directory user
databases (when Windows 2000 Active Directory is configured in non-native
mode only). If a Windows 2000 Active Directory user database is configured
in native mode and contains universal groups that span several domains, you
must use the Windows AD security plug-in. For information on mapping
Windows NT users and groups to BusinessObjects Enterprise, see
“Managing NT accounts” on page 251. For information on the Windows AD
security plug-in, see “Windows AD security plug-in” on page 206.
Once you have mapped your NT users and groups, all of the
BusinessObjects Enterprise client tools support NT authentication, except for
the Import Wizard. You can also create your own applications that support NT
authentication. For more information, see the developer documentation
available on your product CD.
Note: The Windows NT and Windows AD security plug-ins cannot authenticate
users if the BusinessObjects Enterprise server components are running on
UNIX, or if your system uses the BusinessObjects Enterprise Java SDK.
Default account
If you install BusinessObjects Enterprise on Windows as an Administrator of
the local machine, then this plug-in is enabled by default. A new NT group
(called Business Objects NT Users) is created on the local machine, and your
NT user account is added to the group. The Business Objects NT Users
group is then mapped to BusinessObjects Enterprise. The result is that you
can log on to BusinessObjects Enterprise with your usual NT user
credentials.
Single sign-on
The Windows NT security plug-in supports single sign-on, thereby allowing
authenticated NT users to log on to BusinessObjects Enterprise without
explicitly entering their credentials. The single sign-on requirements depend
upon the way in which users access BusinessObjects Enterprise: either via a
thick client, or over the Web. In both scenarios, the security plug-in obtains
the security context for the user from the authentication provider, and grants
the user an active BusinessObjects Enterprise session if the user is a
member of a mapped NT group:
• To obtain NT single sign-on functionality from a thick-client application
(such as the Publishing Wizard), the user must be running a Windows
operating system, and the application must use the BusinessObjects
Enterprise SDK.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 203


9 BusinessObjects Enterprise Security Concepts
Security management components

In this scenario, the Windows NT security plug-in queries the operating


system for the current user’s credentials when the client is launched.
• To obtain single sign-on functionality over the Web, the system must use
Microsoft components only. Specifically, the user must be running
Internet Explorer on a Windows operating system, and the web server
must be running Internet Information Server (IIS).
In this scenario, Internet Explorer and IIS engage in Windows NT
Challenge/Response authentication before IIS forwards the user’s
credentials to BusinessObjects Enterprise.
Note: IIS performs the Challenge/Response authentication for every
web page viewed. This can result in severe performance degradation.
For details on configuring IIS for single sign-on, see “Setting up NT single
sign-on” on page 259.
Note: InfoView provides its own form of “anonymous single sign-on,” which
uses Enterprise authentication, as opposed to Windows NT authentication.
Design your own web applications accordingly (or modify InfoView) if you
want to use NT single sign-on. For information on NT single sign-on, see
“Setting up NT single sign-on” on page 259.

LDAP security plug-in


The LDAP security plug-in (secLDAP.dll) allows you to map user accounts
and groups from your LDAP directory server to BusinessObjects Enterprise; it
also enables the system to verify all logon requests that specify LDAP
Authentication. Users are authenticated against the LDAP directory server,
and have their membership in a mapped LDAP group verified before the CMS
grants them an active BusinessObjects Enterprise session. User lists and
group memberships are dynamically maintained by BusinessObjects
Enterprise. You can specify that BusinessObjects Enterprise use a Secure
Sockets Layer (SSL) connection to communicate to the LDAP directory
server for additional security.
LDAP authentication for BusinessObjects Enterprise is similar to NT and AD
authentication in that you can map groups and set up authentication,
authorization, and alias creation. Also as with NT or AD authentication, you
can create new Enterprise accounts for existing LDAP users, and can assign
LDAP aliases to existing users if the user names match the Enterprise user
names. In addition, you can do the following:
• Implement LDAP authentication when BusinessObjects Enterprise is
running on Windows or on UNIX.
• Map users and groups from the LDAP directory service.
• Specify multiple host names and their ports.

204 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Security Concepts
Security management components 9
For information on mapping your LDAP users and groups to BusinessObjects
Enterprise, see “Managing LDAP accounts” on page 229.
Once you have mapped your LDAP users and groups, all of the
BusinessObjects Enterprise client tools support LDAP authentication, except
for the Import Wizard. You can also create your own applications that support
LDAP authentication.
More about LDAP
Lightweight Directory Access Protocol (LDAP), a common, application-
independent directory, enables users to share information among various
applications. Based on an open standard, LDAP provides a means for
accessing and updating information in a directory.
LDAP is based on the X.500 standard, which uses a directory access protocol
(DAP) to communicate between a directory client and a directory server.
LDAP is an alternative to DAP because it uses fewer resources and simplifies
and omits some X.500 operations and features.
The directory structure within LDAP has entries arranged in a specific
schema. Each entry is identified by its corresponding distinguished name
(DN) or common name (CN). Other common attributes include the
organizational unit name (OU), and the organization name (O). For example,
a member group may be located in a directory tree as follows:
cn=BusinessObjects Enterprise Users, ou=Enterprise Users A, o=Research.
Refer to your LDAP documentation for more information.
Because LDAP is application-independent, any client with the proper
authorization can access its directories. LDAP offers you the ability to set up
users to log on to BusinessObjects Enterprise through LDAP authentication. It
also enables users to be authorized when attempting to access objects in
BusinessObjects Enterprise. As long as you have an LDAP server (or
servers) running, and use LDAP in your existing networked computer
systems, you can use LDAP authentication (along with Enterprise, NT, and
Windows AD authentication).
If desired, the LDAP security plug-in provided with BusinessObjects
Enterprise can communicate with your LDAP server using an SSL connection
established using either server authentication or mutual authentication. With
server authentication, the LDAP server has a security certificate which
BusinessObjects Enterprise uses to verify that it trusts the server, while the
LDAP server allows connections from anonymous clients. With mutual
authentication, both the LDAP server and BusinessObjects Enterprise have
security certificates, and the LDAP server must also verify the client certificate
before a connection can be established.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 205


9 BusinessObjects Enterprise Security Concepts
Security management components

Note: The LDAP security plug-in provided with BusinessObjects Enterprise


can be configured to communicate with your LDAP server via SSL, but
always performs basic authentication when verifying users’ credentials.
Before deploying LDAP authentication in conjunction with BusinessObjects
Enterprise, ensure that you are familiar with the differences between these
LDAP types. For details, see RFC2251, which is currently available at http://
www.faqs.org/rfcs/rfc2251.html

Windows AD security plug-in


Windows AD security plug-in enables you to map user accounts and groups
from your Windows 2000 Active Directory (AD) user database to
BusinessObjects Enterprise; it also enables BusinessObjects Enterprise to
verify all logon requests that specify Windows AD Authentication.
Users are authenticated against the Windows AD user database, and have
their membership in a mapped AD group verified before the Central
Management Server grants them an active BusinessObjects Enterprise
session.
This plug-in is compatible with Windows 2000 Active Directory domains
running in either native mode or mixed mode. Note that in order to use the
Windows AD security plug-in, the CMS needs to run under a user account
that has the “Act as Part of the Operating System” right. See your Windows
2000 documentation for more information. For information on mapping
Windows AD users and groups to BusinessObjects Enterprise, see
“Managing AD accounts” on page 243.
Once you have mapped your AD users and groups, all of the
BusinessObjects Enterprise client tools support AD authentication, except for
the Import Wizard. You can also create your own applications that support AD
authentication. For more information, see the developer documentation
available on your product CD. For information on mapping Windows AD users
and groups to BusinessObjects Enterprise, see “Managing AD accounts” on
page 243.
Note:
• AD authentication only works for servers running on Windows systems.
• AD authentication and aggregation is not functional without a network
connection.
• AD authentication and aggregation may not continue to function if the
administration credentials become invalid (for example, if the
administrator changes his or her password or if the account becomes
disabled).

206 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Security Concepts
Security management components 9
Single sign-on
The Windows AD security plug-in supports single sign-on, thereby allowing
authenticated AD users to log on to BusinessObjects Enterprise without
explicitly entering their credentials. The single sign-on requirements depend
upon the way in which users access BusinessObjects Enterprise: either via a
thick client, or over the Web. In both scenarios, the security plug-in obtains
the security context for the user from the authentication provider, and grants
the user an active BusinessObjects Enterprise session if the user is a
member of a mapped AD group:
• To obtain AD single sign-on functionality from a thick-client application
(such as the Publishing Wizard), the user must be running a Windows
operating system, and the application must use the BusinessObjects
Enterprise SDK.
In this scenario, the Windows AD security plug-in queries the operating
system for the current user’s credentials when the client is launched.
• To obtain single sign-on functionality over the Web, the system must use
Microsoft components only. Specifically, the user must be running
Internet Explorer on a Windows operating system, and the web server
must be running Internet Information Server (IIS).
Note: BusinessObjects Enterprise provides its own form of “anonymous
single sign-on,” which uses Enterprise authentication, as opposed to
Windows AD authentication. Design your own web applications accordingly
(or modify InfoView) if you want to use AD single sign-on. For information on
AD single sign-on, see “Setting up AD single sign-on” on page 249.

Processing extensions
BusinessObjects Enterprise offers you the ability to further secure your
reporting environment through the use of customized processing extensions.
A processing extension is a dynamically loaded library of code that applies
business logic to particular BusinessObjects Enterprise view or schedule
requests before they are processed by the system.
Note: On Windows systems, dynamically loaded libraries are referred to as
dynamic-link libraries (.dll file extension). On UNIX systems, dynamically
loaded libraries are often referred to as shared libraries (.so file extension). You
must include the file extension when you name your processing extensions.
Through its support for processing extensions, the BusinessObjects
Enterprise administration SDK essentially exposes a “handle” that allows
developers to intercept the request. Developers can then append selection
formulas to the request before the report is processed.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 207


9 BusinessObjects Enterprise Security Concepts
Active trust relationship

A typical example is a report-processing extension that enforces row-level


security. This type of security restricts data access by row within one or more
database tables. The developer writes a dynamically loaded library that
intercepts view or schedule requests for a report (before the requests are
processed by the Job Server, Page Server, or Report Application Server).
The developer’s code first determines the user who owns the processing job;
then it looks up the user’s data-access privileges in a third-party system. The
code then generates and appends a record selection formula to the report in
order to limit the data returned from the database. In this case, the processing
extension serves as a way to incorporate customized row-level security into
the BusinessObjects Enterprise environment.
Tip: In BusinessObjects Enterprise XI, you can also set and enforce row-
level security through the use of Business Views. For more information, see
the Business Views Administrator's Guide.
The CMC provides methods for registering your processing extensions with
BusinessObjects Enterprise and for applying processing extensions to
particular object. For details, see “Applying processing extensions to reports”
on page 442.
By enabling processing extensions, you configure the appropriate
BusinessObjects Enterprise server components to dynamically load your
processing extensions at runtime. Included in the SDK is a fully documented
API that developers can use to write processing extensions. For more
information, see the developer documentation available on your product CD.
Note: In the current release, processing extensions can be applied only to
Crystal report (.rpt) objects.

Active trust relationship


In a networked environment, a trust relationship between two domains is
generally a connection that allows one domain accurately to recognize users
who have been authenticated by the other domain. While maintaining
security, the trust relationship allows users to access resources in multiple
domains without repeatedly having to provide their credentials.
Within the BusinessObjects Enterprise environment, the active trust
relationship works similarly to provide each user with seamless access to
resources across the system. Once the user has been authenticated and
granted an active session, all other BusinessObjects Enterprise components
can process the user’s requests and actions without prompting for
credentials. As such, the active trust relationship provides the basis for
BusinessObjects Enterprise’s distributed security.

208 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Security Concepts
Active trust relationship 9
Tip: When combined with single sign-on functionality, the active trust
relationship allows users to access their BusinessObjects Enterprise
resources without ever having to explicitly provide credentials to
BusinessObjects Enterprise.
When single sign-on functionality is combined third party ticket mechanisms,
such as Kerberos or SiteMinder, the active trust relationship allows users to
access BusinessObjects Enterprise and other network resources without ever
having to explicitly provide credentials to the system.

Logon tokens
A logon token is an encoded string that defines its own usage attributes and
contains a user’s session information. The logon token’s usage attributes are
specified when the logon token is generated. These attributes allow
restrictions to be placed upon the logon token to reduce the chance of the
logon token being used by malicious users. The current logon token usage
attributes are:
• Number of minutes
This attribute restricts the lifetime of the logon token.
• Number of logons
This attribute restricts the number of times that the logon token can be
used to log on to BusinessObjects Enterprise.
Both attributes hinder malicious users from gaining unauthorized access to
BusinessObjects Enterprise with logon tokens retrieved from legitimate users.
Note: When using logon tokens, it is good practice to use Secure Sockets
Layer (SSL). For more information on SSL, see “Configuring servers for SSL”
on page 137.

Ticket mechanism for distributed security


Enterprise systems dedicated to serving a large number of users typically
require some form of distributed security. An enterprise system may require
distributed security, for instance, to support features such as load balancing,
stateless environments, or transfer of trust (the ability to allow another
component to act on behalf of the user).
BusinessObjects Enterprise addresses distributed security by implementing a
ticket mechanism (one that is similar to the Kerberos ticket mechanism). The
CMS grants tickets that authorize components to perform actions on behalf of
a particular user. In BusinessObjects Enterprise, the ticket is referred to as
the logon token.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 209


9 BusinessObjects Enterprise Security Concepts
Sessions and session tracking

This logon token is most commonly used over the Web. When a user is first
authenticated by BusinessObjects Enterprise, he or she receives a logon
token from the CMS. The user’s web browser caches this logon token. When
the user makes a new request, other BusinessObjects Enterprise
components can read the logon token from the user’s web browser.
This use of the logon token provides the distributed security that is required for
load balancing to be implemented in conjunction with effective fault-protection.
The user’s active identity is stored as a session variable on the WCA that
processed the request; consequently, the user’s active identity is not
immediately accessible by the other WCA. For this reason, the user’s logon
token is used to route all of the user’s requests to the WCA that is storing the
user’s session. By doing so, security is maintained while providing optimal
performance: the user’s identity is verified, but the system does not have to
repeatedly prompt the user for his or her credentials; in addition, the user is
prevented from unnecessarily consuming resources on both Web Component
Adapters.
If the WCA that is storing the user’s active session is taken offline, the logon
token again serves a critical purpose. If one WCA ceases to respond to a
user’s requests, InfoView and the CMC are designed such that the request is
redirected to the remaining WCA. The client application logs the user on with
the valid logon token, and the remaining WCA can authenticate the user and
create a new, active session without prompting the user for his or her
credentials. The remaining WCA can then authorize and carry out the user’s
request. In this way, the logon token enables the system’s load-balancing and
fault-tolerance mechanisms to maintain a secure environment without
affecting the user’s experience.
In this scenario, when the original WCA is brought back online, the system
automatically resumes its load balancing responsibilities by routing each
subsequent request to the least used WCA.

Sessions and session tracking


In general, a session is a client-server connection that enables the exchange
of information between the two computers. A session’s state is a set of data
that describes the session’s attributes, its configuration, or its content. When
you establish a client-server connection over the Web, the nature of HTTP
limits the duration of each session to a single page of information; thus, your
web browser retains the state of each session in memory only for as long as
any single Web page is displayed. As soon as you move from one web page
to another, the state of the first session is discarded and replaced with the

210 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Security Concepts
Sessions and session tracking 9
state of the next session. Consequently, Web sites and Web applications
must somehow store the state of one session if they need to reuse its
information in another.
BusinessObjects Enterprise uses two common methods to store session state:
• Cookies—A cookie is a small text file that stores session state on the
client side: the user’s web browser caches the cookie for later use. The
BusinessObjects Enterprise logon token is an example of this method.
• Session variables—A session variable is a portion of memory that stores
session state on the server side. When BusinessObjects Enterprise
grants a user an active identity on the system, information such as the
user’s authentication type is stored in a session variable. So long as the
session is maintained, the system neither has to prompt the user for the
information a second time nor has to repeat any task that is necessary for
the completion of the next request.
Ideally, the system should preserve the session variable while the user is
active on the system. And, to ensure security and to minimize resource
usage, the system should destroy the session variable as soon as the user
has finished working on the system. However, because the interaction
between a web browser and a web server can be stateless, it can be difficult
to know when users leave the system, if they do not log off explicitly. To
address this issue, BusinessObjects Enterprise implements session tracking.

WCA session tracking


The WCA implements session tracking similarly to most web servers. The
server-side script pages (Crystal Server Pages) programmatically save
variables to the WCA session. By default, the WCA retains the session until
the user explicitly logs off, or until 20 minutes after the user’s last request
(whichever occurs first).
Note:
• If you are familiar with the SDK, you should note that a WCA session is
an instance of an InfoStore object.
• The WCA session timeout can be programmatically configured in the
server-side .aspx pages to timeout earlier if the default of 20 minutes is
not desired.

CMS session tracking


The CMS implements a simple tracking algorithm. When a user logs on, he or
she is granted a CMS session, which the CMS preserves until the user logs
off, or until the WCA session variable is released.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 211


9 BusinessObjects Enterprise Security Concepts
Environment protection

The WCA session is designed to notify the CMS on a recurring basis that it is
still active, so the CMS session is retained so long as the WCA session
exists. If the WCA session fails to communicate with the CMS for a ten-minute
time period, the CMS destroys the CMS session. This handles scenarios
where client-side components shut down irregularly.
Note: If you are familiar with the SDK, you should note that a CMS session is
an instance of an EnterpriseSession object.

Environment protection
Environment protection refers to the security of the overall environment in
which client and server components communicate. Although the Internet and
web-based systems are increasingly popular due to their flexibility and range
of functionality, they operate in an environment that can be difficult to secure.
When you deploy BusinessObjects Enterprise, environment protection is
divided into two areas of communication:
• Web browser to web server
• Web server to BusinessObjects Enterprise

Web browser to web server


When sensitive data is transmitted between the web browser and the web
server, some degree of security is usually required. Relevant security
measures usually involve two general tasks:
• Ensuring that the communication of data is secure.
• Ensuring that only valid users retrieve information from the web server.
These tasks are typically handled by web servers through various security
mechanisms, including the Secure Sockets Layer (SSL) protocol, Windows
NT Challenge/Response authentication, and other such mechanisms.
You must secure communication between the web browser and the web
server independently of BusinessObjects Enterprise. For details on securing
client connections, refer to your web server documentation.

Web server to BusinessObjects Enterprise


Firewalls are commonly used to secure the area of communication between
the web server and the rest of the corporate intranet (including
BusinessObjects Enterprise). BusinessObjects Enterprise supports firewalls
that use IP filtering or static network address translation (NAT), or SOCKS

212 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise Security Concepts
Auditing web activity 9
proxy servers, and it supports a multitude of configurations. Supported
environments can involve multiple firewalls, web servers, or application
servers.
For complete details on BusinessObjects Enterprise and firewall interaction,
see “Working with Firewalls” on page 161.

Auditing web activity


BusinessObjects Enterprise provides insight into your system by recording
web activity and allowing you to inspect and to monitor the details. The WCA
allows you to select the web attributes—such as time, date, IP address, port
number, and so on—that you want to record. The auditing data is logged to
disk and stored in comma-delimited text files, so you can easily report off the
data or import it into other applications.

Protection against malicious logon attempts


No matter how secure a system is, there is often at least one location that is
vulnerable to attack: the location where users connect to the system. It is
nearly impossible to protect this location completely, because the process of
simply guessing a valid user name and password remains a viable way to
attempt to “crack” the system.
BusinessObjects Enterprise implements several techniques to reduce the
probability of a malicious user achieving access to the system. The various
restrictions listed below apply only to Enterprise accounts—that is, the
restrictions do not apply to accounts that you have mapped to an external
user database (Windows NT, LDAP, or Windows AD). Generally, however,
your external system will enable you to place similar restrictions on the
external accounts.

Password restrictions
Password restrictions ensure that Enterprise users create passwords that are
relatively complex. You can enable the following options:
• Enforce mixed-case passwords
This option ensures that passwords contain at least two of the following
character classes: upper case letters, lower case letters, numbers, or
punctuation.
• Must contain at least N characters
By enforcing a minimum complexity for passwords, you decrease a
malicious user’s chances of simply guessing a valid user’s password.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 213


9 BusinessObjects Enterprise Security Concepts
Protection against malicious logon attempts

Logon restrictions
Logon restrictions serve primarily to prevent dictionary attacks (a method
whereby a malicious user obtains a valid user name and attempts to learn the
corresponding password by trying every word in a dictionary). With the speed
of modern hardware, malicious programs can guess millions of passwords per
minute. To prevent dictionary attacks, BusinessObjects Enterprise has an
internal mechanism that enforces a time delay (0.5–1.0 second) between
logon attempts. In addition, BusinessObjects Enterprise provides several
customizable options that you can use to reduce the risk of a dictionary attack:
• Disable accounts after N failed attempts to log on
• Reset failed logon count after N minute(s)
• Re-enable account after N minute(s)

User restrictions
User restrictions ensure that Enterprise users create new passwords on a
regular basis. You can enable the following options:
• Must change password every N day(s)
• Cannot reuse the N most recent password(s)
• Must wait N minute(s) to change password
These options are useful in a number of ways. Firstly, any malicious user
attempting a dictionary attack will have to recommence every time passwords
change. And, because password changes are based on each user’s first logon
time, the malicious user cannot easily determine when any particular password
will change. Additionally, even if a malicious user does guess or otherwise
obtain another user’s credentials, they are valid only for a limited time.

Guest account restrictions


The BusinessObjects Enterprise authentication provider supports anonymous
single sign-on for the Guest account. Thus, when users connect to
BusinessObjects Enterprise without specifying a user name and password,
the system logs them on automatically under the Guest account. If you assign
a secure password to the Guest account, or if you disable the Guest account
entirely, you disable this default behavior. For details, see “Disabling a user
account” on page 29.

214 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts
and Groups

chapter
10 Managing User Accounts and Groups
What is account management?

What is account management?


Account management can be thought of as all of the tasks related to creating,
mapping, changing, and organizing user and group information. The Users
and Groups management areas of the Central Management Console (CMC)
provide you with a central place to perform all of these tasks.
In the Users area, you can specify everything required for a user to access
BusinessObjects Enterprise. To create user accounts, specify the following:
• Account name (required)
• Full name
• Email
• Description
• Password settings
• Connection type
• Group membership
In the Groups area, you can create groups that give a number of people
access to the report or folder. This enables you to make changes in one place
instead of modifying each user account individually. To create groups, specify
the following:
• Group name (required)
• Description
• Users who belong to the group
• Subgroups that belong to the group
• Group membership
After the user accounts and groups have been created, you can add report
objects and specify rights to them. When the users log on, they can view the
reports using InfoView or their custom web application. For more information
on objects and rights, see “Controlling users’ access to objects” on page 293.

Default users and groups


This section lists and describes the different types of default users and groups
that are found within BusinessObjects Enterprise.

216 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Default users and groups 10
Default users
For procedures on managing users, see “Managing Enterprise and general
accounts” on page 219.

Administrator
The Administrator user belongs to the Administrators and Everyone groups.
This user can perform all tasks in all BusinessObjects Enterprise applications
(for example, the Central Management Console, Central Configuration
Manager, Publishing Wizard, and InfoView).
By default, the Administrator is not assigned a password. For security
reasons, it is highly recommended that you create a password for the
Administrator user as soon as possible. See “Setting the Administrator
password” on page 29.
Note: To use the Central Configuration Manager, your operating system
account may require certain rights on the local machine. For more
information, see “Using the Central Configuration Manager” on page 26.

Guest
The Guest user is a member of the Everyone group. This user can view
reports that are found within the Report Samples folder. Generally, the Guest
user accesses reports through InfoView. This account is enabled by default.
To disable this default setting, see “Disabling the Guest account” on
page 229.
By default, the Guest user is not assigned a password. If you assign it a
password, the single sign-on to InfoView will be broken.
Note: If users in multiple time zones use the Guest account, see “Supporting
users in multiple time zones” on page 527.

Default groups
In addition to organizing users and simplifying administration, groups enable
you to determine the functionality a user has access to. In BusinessObjects
Enterprise, the following default groups are created. For procedures on
managing groups, see “Managing Enterprise and general accounts” on
page 219.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 217


10 Managing User Accounts and Groups
Available authentication types

Administrators
Users who belong to the Administrators group are able to perform all tasks in
all of the BusinessObjects Enterprise applications (Central Management
Console, Central Configuration Manager, Publishing Wizard, and InfoView).
By default, the Administrator group contains only the Administrator user.
Note: To use the Central Configuration Manager, your operating system
account may require certain rights on the local machine. For more
information, see “Using the Central Configuration Manager” on page 26.

BusinessObjects NT Users
When you install BusinessObjects Enterprise on Windows, BusinessObjects
Enterprise creates a BusinessObjects NT Users group. This group is also
added to Windows on the local machine and the user who installed
BusinessObjects Enterprise is automatically added to this group.
When NT authentication is enabled, BusinessObjects NT Users can use their
NT accounts to log on to BusinessObjects Enterprise. By default, members of
this group are able to view folders and reports.

Everyone
Each user is a member of the Everyone group. By default, the Everyone
group allows access to all the reports that are found in the Report Samples
folder.

Universe Designer Users


Users who belong to this group are granted access to the Universe Designer
folder and the Connections folder. They can control who has access rights to
the Designer application. You must add users to this group as needed. By
default, no user belongs to this group.

Available authentication types


Before setting up user accounts and groups within BusinessObjects
Enterprise, decide which type of authentication you want to use:
• Enterprise authentication
Use the system default Enterprise Authentication if you prefer to create
distinct accounts and groups for use with BusinessObjects Enterprise, or
if you have not already set up a hierarchy of users and groups in a
Windows NT user database, an LDAP directory server, or a Windows AD
server. See “Managing Enterprise and general accounts” on page 219.

218 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing Enterprise and general accounts 10
• Windows NT authentication
If you are working in a Windows NT environment, you can use existing
NT user accounts and groups in BusinessObjects Enterprise. When you
map NT accounts to BusinessObjects Enterprise, users are able to log on
to BusinessObjects Enterprise applications with their NT user name and
password. This can reduce the need to recreate individual user and
group accounts within BusinessObjects Enterprise. For more information,
see “Managing NT accounts” on page 251.
• LDAP authentication
If you set up an LDAP directory server, you can use existing LDAP user
accounts and groups in BusinessObjects Enterprise. When you map
LDAP accounts to BusinessObjects Enterprise, users are able to access
BusinessObjects Enterprise applications with their LDAP user name and
password. This eliminates the need to recreate individual user and group
accounts within BusinessObjects Enterprise. For more information, see
“Managing LDAP accounts” on page 229.
• Windows AD authentication
If you are working in a Windows 2000 environment, you can use existing
AD user accounts and groups in BusinessObjects Enterprise. When you
map AD accounts to BusinessObjects Enterprise, users are able to log
on to BusinessObjects Enterprise applications with their AD user name
and password. This eliminates the need to recreate individual user and
group accounts within BusinessObjects Enterprise. For more information,
see “Managing AD accounts” on page 243.
Note: You can use Enterprise Authentication in conjunction with either NT,
LDAP, or AD authentication, or with all of the three authentication plug-ins.

Managing Enterprise and general accounts


Since Enterprise authentication is the default authentication method for
BusinessObjects Enterprise, it is automatically enabled when you first install
the system. When you add and manage users and groups, BusinessObjects
Enterprise maintains the user and group information within its database.
This section focuses on the following account management tasks:
• “Creating an Enterprise user account” on page 220
• “Modifying a user account” on page 222
• “Deleting a user account” on page 222
• “Changing password settings” on page 223
• “Creating a group” on page 225

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 219


10 Managing User Accounts and Groups
Managing Enterprise and general accounts

• “Adding a user to groups” on page 221


• “Adding users to a group” on page 226
• “Modifying a group” on page 227
• “Viewing group members” on page 228
• “Deleting a group” on page 228
• “Disabling the Guest account” on page 229
• “Granting access to users and groups” on page 229
Note: In many cases, these procedures also apply to NT, LDAP, and AD
account management. For specific information on NT authentication, see
“Managing NT accounts” on page 251. For specific information on LDAP
authentication, see “Managing LDAP accounts” on page 229. For specific
information on AD authentication, see “Managing AD accounts” on page 243.

Creating an Enterprise user account


When you create a new user, you specify the user’s properties and select the
group or groups for the user. For information on setting rights for the user, see
“Granting access to users and groups” on page 229.
To create a user account
1. Go to the Users management area of the CMC.
2. Click New User.
3. Select the Enterprise authentication type.
4. Type the account name, full name, email, and description information.
Use the description area to include extra information about the user or
account.
5. Specify the password information and settings. Options include:
• Password
Enter the password and confirm. This is the initial password that you
assign to the user. The maximum password length is 64 characters.
• Password never expires
Select the check box.
• User must change password at next logon
This check box is selected by default. If you do not want to force
users to change the password the first time they log on, clear the
check box.

220 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing Enterprise and general accounts 10
• User cannot change password
Select the check box.
6. Select the connection type.
• Concurrent User
Choose Concurrent user if this user belongs to a license agreement
that states the number of users allowed to be connected at one time.
• Named User
Choose Named user if this user belongs to a license agreement that
associates a specific user with a license. Named user licenses are
useful for people who require access to BusinessObjects Enterprise
regardless of the number of other people who are currently
connected.
7. Click OK.
The user is added to the system and is automatically added to the Everyone
group. You can now add the user to a group or specify rights for the user.
See “Adding a user to groups” on page 221, Chapter 11: Controlling User
Access. An inbox is also automatically created for the user.
The user is also automatically assigned an Enterprise alias, for example,
secEnterprise:bsmith. For more information, see “Managing aliases”
on page 261.

Adding a user to groups


Use the following procedure to add a user to one or more groups directly from
the user page.
Note: You can also add users to a group from the group page. See “Adding
users to a group” on page 226.
To add a user to a group
1. Go to the Users management area of the CMC.
2. Under Account Name, click the link to the user whose properties you
want to change.
3. Click the Member of tab to specify the group or groups the user should
belong to.
Note: All BusinessObjects Enterprise users of the system are part of the
Everyone group.
4. Click the Member of button to view the available groups.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 221


10 Managing User Accounts and Groups
Managing Enterprise and general accounts

5. In the Available groups area, select the group(s) that the new user should
be a member of.
Use SHIFT+click or CTRL+click to select multiple groups.
6. Click the > arrow to add the group(s); click the < arrow to remove the
group(s).
7. Click OK.
The “Member of” tab appears and lists the groups in which the user is a
member.

Modifying a user account


Use this procedure to modify a user’s properties or group membership.
Note: The user will be affected if he or she is logged on when you are making
the change.
To modify a user account
1. Go to the Users management area of the CMC.
2. Under Account Name, click the link to the user whose properties you
want to change.
3. Make the required changes, as necessary, in the available fields.
In addition to all of the options that were available when you initially
created the account, you now can disable the account by selecting the
“Account is disabled” check box.
You can also assign aliases. For more information, see “Managing
aliases” on page 261.
4. Click Update.

Deleting a user account


Use this procedure to delete a user’s account. The user might receive an
error if they are logged on when their account is deleted. When you delete a
user account, the Favorites folder, personal categories, and inbox for that
user are deleted as well.
If you think the user might require access to the account again in the future,
select the “Account is disabled” check box in the Properties page of the
selected user, instead of deleting the account. See “Modifying a user account”
on page 222.

222 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing Enterprise and general accounts 10
Note: Deleting a user account won’t necessarily prevent the user from being
able to log on to BusinessObjects Enterprise again. If the user account also
exists in a third-party system, and if the account belongs to a third-party group
that is mapped to BusinessObjects Enterprise, the user may still be able to
log on. For details, see “Deleting an alias” on page 265 and “Disabling an
aliases” on page 265.
To delete a user account
1. Go to the Users management area of the CMC.
2. Select the check box associated with the user you want to delete.
3. Click Delete.
The delete confirmation dialog box appears.
4. Click OK.
The user account is deleted.

Changing password settings


Within the Central Management Console, you can change the password
settings for a specific user or for all users in the system. For information, see
“Protection against malicious logon attempts” on page 213.
The various restrictions listed below apply only to Enterprise accounts—that
is, the restrictions do not apply to accounts that you have mapped to an
external user database (Windows NT, LDAP, or Windows AD). Generally,
however, your external system will enable you to place similar restrictions on
the external accounts.
To change user password settings
1. Go to the Users management area of the CMC.
2. Click the user whose password settings you want to change.
The Properties tab appears.
3. Select or clear the check box associated with the password setting you
wish to change.
The available options are:
• Password never expires
• User must change password at next logon
• User cannot change password
4. Click Update.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 223


10 Managing User Accounts and Groups
Managing Enterprise and general accounts

To change password settings


1. Go to the Authentication management area of the CMC.
2. Click the Enterprise tab.
3. Select the check box for each password setting that you want to use, and
provide a value if necessary.
The table below identifies the minimum and maximum values for each of
the settings you can configure:

Password Setting Minimum Recommended


Maximum
Enforce mixed-case passwords N/A N/A
Must contain at least N characters 0 characters 64 characters
Must change password every N days 1 day 100 days
Cannot reuse the N most recent 1 password 100 passwords
passwords
Must wait N minutes to change 0 minutes 100 minutes
password
Disable account after N failed attempts 1 failed 100 failed
to log on
Reset failed logon count after N 1 minute 100 minutes
minutes
Re-enable account after N minutes 0 minutes 100 minutes
For information about setting Trusted Authentication, see “Enabling
Trusted Authentication” on page 224.
4. Click Update.

Enabling Trusted Authentication


Users prefer to log on to the system once, without needing to provide
passwords several times during a session. Trusted Authentication provides a
single sign-on solution for integrating your BusinessObjects Enterprise
authentication solution with third-party authentication solutions. Applications
that have established trust with the Central Management Server can use
Trusted Authentication to allow users to log on without providing their
passwords.
To enable Trusted Authentication, you must configure both the server and the
client.

224 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing Enterprise and general accounts 10
To configure the server to use Trusted Authentication
1. Log on to the Central Management Console with administrative rights.
2. Go to the Authentication management area of the CMC.
3. Click the Enterprise tab.
4. Enable Trusted Authentication.
5. Create a shared secret for your users.
Note: The shared secret is used by the client and the CMS to create a
trusted authentication password. This password is used to establish trust.
6. Enter a timeout value for your trusted authentication requests.
Note: The timeout value determines how long the CMS waits for the
IEnterpriseSession.logon() call from the client application.

To configure the client to use Trusted Authentication


1. Create a valid configuration file on the client machine.
The following conditions apply for the configuration file:
• The name of the file must be TrustedPrincipal.conf.
• The file must be located at businessobjects_root/win32_x86/
plugins/auth/secEnterprise.
• The file must contain SharedSecret=secretPassword, where
secretPassword is the trusted authentication password.
2. Use the session manager to create a trusted principal and log on to the
CMS:
ISessionMgr sessionMgr =
CrystalEnterprise.getSessionMgr();
ITrustedPrincipal trustedPrincipal =
sessionMgr.createTrustedPrincipal("userName",
"cmsName");
IEnterpriseSession enterpriseSession =
sessionMgr.logon(trustedPrincipal);

Creating a group
Groups are collections of users who share the same account privileges. For
instance, you may create groups that are based on department, role, or
location. Groups enable you to change the rights for users in one place (a
group) instead of modifying the rights for each user account individually. Also,
you can assign object rights to a group or groups.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 225


10 Managing User Accounts and Groups
Managing Enterprise and general accounts

For information on object rights, see “Managing objects overview” on


page 418. For information on granting users and groups administrative rights
to other groups, see “Granting access to users and groups” on page 229.
After creating a new group, you can add users, add subgroups, or specify
group membership so that the new group is actually a subgroup. Because
subgroups provide you with additional levels of organization, they are useful
when you set object rights to control users’ access to your BusinessObjects
Enterprise content.
To create a new group
1. Go to the Groups management area of the CMC.
2. Click New Group.
3. On the Properties tab, enter the group name and description.
4. Click OK.

Adding users to a group


Use the following procedure to add users to a group, directly from the group
page.
Note: You can also add a user to groups from the user page. See “Adding a
user to groups” on page 221.
To add users to a group
1. In the Groups management area of the CMC, click the link for the group.
2. Click the Users tab.
3. Click Add Users.
4. Select the users to add to the group; then click the > arrow.
Tip:
• To select multiple users, use the SHIFT+click or CTRL+click
combination.
• To search for a specific user, use the Look For field.
• If there are many users on your system, click the Previous and Next
buttons to navigate through the list of users.
5. Click OK.
The Users tab appears. It lists all of the users who belong to this group.

226 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing Enterprise and general accounts 10
Adding subgroups
You can add an existing group as a subgroup to another group. A subgroup
inherits the rights of the parent group.
Note: Adding a subgroup is similar to specifying group membership. See
“Specifying group membership” on page 227.
To add subgroups
1. In the Groups management area of the CMC, click the link for the group.
2. Click the Subgroups tab.
3. Click Add/Remove Subgroups.
4. Select the groups that should be members of this new group; then click
the > arrow.
5. Click OK.

Specifying group membership


You can make a group a member of another group. The group that becomes
a member is referred to as a subgroup. The group that you add the subgroup
to is the parent group. A subgroup inherits the rights of the parent group.
To make a group a member of another group
1. In the Groups management area of the CMC, click the link for the group.
2. Click the Member of tab.
3. Click the Member of button.
4. Select the parent groups that this new group will be a member of; then
click the > arrow.
Any rights associated with the parent group will be inherited by the new
group you have created.
5. Click OK.

Modifying a group
You can modify a group by making changes to any of the settings.
Note: The users who belong to the group will be affected by the modification
if they are logged on when you are making changes.
To modify a group
1. In the Groups management area of the CMC, click the link for the group.
2. Under the Group Name column, click the link to the group whose
configuration you want to change.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 227


10 Managing User Accounts and Groups
Managing Enterprise and general accounts

3. Make the necessary changes in one of the six tabs:


• Properties
• Users
• Subgroups
• Member of
• Profiles
• Rights
4. Depending on which tab you have selected, click OK or Update after you
have made your changes.

Viewing group members


You can use this procedure to view the users who belong to a specific group.
To view group members
1. In the Groups management area of the CMC, click the link for the group.
2. Click Users.
3. Click Refresh.
Note: It may take a few minutes for your list to refresh if you have a large
number of users in the group or if your group is mapped to an NT user
database, LDAP user directory, or AD user directory.

Deleting a group
You can delete a group when that group is no longer required. You cannot
delete the default groups Administrator and Everyone.
Note: The users who belong to the deleted group will be affected by the
change if they are logged on when the group is deleted.
To delete a third-party authentication groups, such as the BusinessObjects
NT Users group, use the Authentication management area in CMC. See
“Unmapping LDAP groups” on page 240, “Unmapping AD groups” on
page 247, and “Mapping NT accounts” on page 251.
To delete a group
1. Go to the Groups management area of the CMC.
2. Select the check box associated with the group you want to delete.
3. Click Delete.
The delete confirmation dialog box appears.
4. Click OK.

228 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing LDAP accounts 10
Disabling the Guest account
By disabling the Guest account, you ensure that no one can log on to
BusinessObjects Enterprise with this account. By disabling the Guest
account, you also disable the anonymous single sign-on functionality of
BusinessObjects Enterprise, so users will be unable to access InfoView
without providing a valid user name and password.
To disable the Guest account
1. Go to the Users management area of the CMC.
2. In the Account Name column, click Guest.
3. On the Properties tab, select the Account is disabled check box.
4. Click Update.
5. If you are prompted for confirmation, click OK.

Granting access to users and groups


You can grant users and groups administrative access to other users and
groups. Administrative rights include: viewing, editing, and deleting objects;
viewing and deleting object instances; and pausing object instances. For
example, for troubleshooting and system maintenance, you may want to grant
your IT department access to edit and delete objects.
For more information about granting rights to users and groups, see
“Controlling access to users and groups” on page 327.

Managing LDAP accounts


To use LDAP authentication, you need to first ensure that you have your
respective LDAP directory set up. For more information about LDAP, refer to
your LDAP documentation. For more information on the LDAP security plug-
in, see “LDAP security plug-in” on page 204.
Note: When you install BusinessObjects Enterprise, the LDAP authentication
plug-in is installed automatically, but not enabled by default.
This section describes tasks related to LDAP accounts in BusinessObjects
Enterprise. In particular, it includes information on:
• “Configuring LDAP authentication” on page 230
• “Mapping LDAP groups” on page 237
• “Unmapping LDAP groups” on page 240
• “Viewing mapped LDAP users and groups” on page 241

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 229


10 Managing User Accounts and Groups
Managing LDAP accounts

• “Changing LDAP connection parameters and member groups” on


page 241
• “Managing multiple LDAP hosts” on page 242
• “Troubleshooting LDAP accounts” on page 242

Configuring LDAP authentication


To simplify administration, BusinessObjects Enterprise supports LDAP
authentication for user and group accounts. Before users can use their LDAP
user name and password to log on to BusinessObjects Enterprise, you need
to map their LDAP account to BusinessObjects Enterprise. When you map an
LDAP account, you can choose to create a new BusinessObjects Enterprise
account or link to an existing BusinessObjects Enterprise account.
Before setting up and enabling LDAP authentication, ensure that you have
your LDAP directory set up. For more information, refer to your LDAP
documentation.
Configuring LDAP authentication includes the following main steps:
• “Configuring the LDAP host” on page 230.
• “Configuring the Secure Socket Layer authentication for LDAP” on
page 232.
• “Configuring LDAP single sign-on with SiteMinder” on page 234.
• “Configuring LDAP mapping options” on page 235.

Configuring the LDAP host


To configure the LDAP host
1. Go to the Authentication management area of the CMC.
2. Click the LDAP tab, and then click “Start LDAP Configuration Wizard”.
The LDAP Configuration Wizard will lead you through the setup of LDAP
authentication, step by step.
3. The first screen of the wizard asks for information about your LDAP host.
Type your LDAP host and port information in the Add LDAP host
(hostname:port) field (for example, “myserver:123”); then click Add.
Repeat this step to add more than one LDAP host of the same server
type if you want to add hosts that can act as failover servers. If you want
to remove a host, highlight the host name and click Delete. For more
information on multiple hosts, refer to “Managing multiple LDAP hosts” on
page 242.

230 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing LDAP accounts 10
4. Click Next.
5. Select your server type from the LDAP Server Type list. Click Show
Attribute Mappings if you want to view or change any of the LDAP
Server Attribute Mappings or the LDAP Default Search Attributes.
By default, each supported server type’s server attribute mappings and
search attributes are already set.
6. Click Next.
7. In the Base LDAP Distinguished Name field, type the distinguished
name (for example, o=SomeBase).
8. Click Next.
9. Enter the credentials required by the LDAP hosts.
• In the “LDAP Server Administration Credentials” area, type the
distinguished name and password for a user account that is
authorized to administer your LDAP server.
If your LDAP Server allows anonymous binding, leave this area
blank—BusinessObjects Enterprise servers and clients will bind to
the primary host via anonymous logon.
• Enter another distinguished name and password in the “LDAP
Referral Credentials” area if all of the following apply:
• The primary host has been configured to refer to another
directory server that handles queries for entries under a
specified base.
• The host being referred to has been configured to not allow
anonymous binding.
• A group from the host being referred to will be mapped to
BusinessObjects Enterprise.
Although groups can be mapped from multiple hosts, only one set of
referral credentials can be set. Therefore if you have multiple referral
hosts, you must create a user account on each host that uses the
same distinguished name and password.
10. Enter the number of referral hops in the Maximum Referral Hops field.
If this field is set to zero, no referrals will be followed.
11. Click Next.
12. Proceed with configuring the Secure Socket Layer.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 231


10 Managing User Accounts and Groups
Managing LDAP accounts

Configuring the Secure Socket Layer authentication for LDAP


Note: This section describes the CMC related information for configuring
SSL for LDAP only. For additional information or for information on
configuring the LDAP host server, refer to http://
www.techsupport.businessobjects.com or your LDAP vendor documentation.
To configure the Secure Socket Layer authentication
1. If necessary, go to the Authentication management area of the CMC
again. Click the LDAP tab, and then click Start LDAP Configuration
Wizard. Click Next until the screen of the wizard asks for the Secure
Socket Layer authentication information. Otherwise, skip to step 2.
2. Select the type of SSL authentication (Basic (no SSL), Server
Authentication, or Mutual Authentication) your LDAP hosts uses to
establish a connection with BusinessObjects Enterprise. Click Next.
3. If you selected Server Authentication or Mutual Authentication, choose
one of the following options:
• Always accept server certificate
This is the lowest security option. Before BusinessObjects Enterprise
can establish an SSL connection with the LDAP host (to authenticate
LDAP users and groups), it must receive a security certificate from
the LDAP host. BusinessObjects Enterprise does not verify the
certificate it receives.
• Accept server certificate if it comes from a trusted Certificate
Authority
This is a medium security option. Before BusinessObjects Enterprise
can establish an SSL connection with the LDAP host (to authenticate
LDAP users and groups), it must receive and verify a security
certificate sent to it by the LDAP host. To verify the certificate,
BusinessObjects Enterprise must find the Certificate Authority that
issued the certificate in its certificate database.
Tip: Java applications (such as the Java version of InfoView) always use
this option, regardless of the setting you choose.
• Accept server certificate if it comes from a trusted Certificate
Authority and the CN attribute of the certificate matches the
DNS hostname of the server
This is the highest security option. Before BusinessObjects
Enterprise can establish an SSL connection with the LDAP host (to
authenticate LDAP users and groups), it must receive and verify a
security certificate sent to it by the LDAP host. To verify the
certificate, BusinessObjects Enterprise must find the Certificate

232 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing LDAP accounts 10
Authority that issued the certificate in its certificate database. It must
also be able to confirm that the CN attribute on the server certificate
exactly matches the host name of the LDAP host as you typed it in
the “Add LDAP host” field in the first step of the wizard. That is, if you
entered the LDAP host name as ABALONE.rd.crystald.net:389,
using CN =ABALONE:389 in the certificate would not work.
Tip: The host name on the server security certificate is the name of the
primary LDAP host. Therefore if you select this option you cannot use a
failover LDAP host.
4. In the SSL host box, you must next add the host name of each machine
in your BusinessObjects Enterprise system that uses the
BusinessObjects Enterprise SDK. (This includes the machine running
your Central Management Server and the machine running your WCA.)
Type the host name of each machine in the SSL Host box, and then click
Add.

5. Now configure the SSL settings for each SSL host in the list, starting with
the default host.
• To select settings for the default host, first clear the Use default
value boxes. Then type your values for the path to the certificate and
key database files, the password for the key database. Type a
nickname for the client certificate in the cert7.db if you selected
mutual authentication.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 233


10 Managing User Accounts and Groups
Managing LDAP accounts

The settings for the default host are used:


• for any setting (for any host) where you leave the “Use default
value” box checked.
• for any machine whose name you do not explicitly add to the list
of SSL hosts.
• To select settings for another host, select its name in the list on the
left. Then type the appropriate values in the boxes on the right.
6. Click Next.
7. Proceed with configuring LDAP for single sign-on.

Configuring LDAP single sign-on with SiteMinder


SiteMinder is a third-party user access and authentication tool that you can
use with the LDAP security plug-in to create single sign-on to
BusinessObjects Enterprise. In order to use SiteMinder, you need to
configure the single sign-on authentication for the LDAP plug-in.
Note: Please ensure that the Siteminder administrator has enabled support
for 4.x agents before the shared secret is set up. This must be done
regardless of what supported version of SiteMinder you are using. For more
information about SiteMinder and how to install it, refer to the SiteMinder
documentation.
To configure LDAP for single sign-on with SiteMinder
1. If necessary, go to the Authentication management area of the CMC
again. Click the LDAP tab, and then click Start LDAP Configuration
Wizard. Click Next until the screen of the wizard asks for the LDAP
single sign-on authentication. Otherwise, skip to step 2.
2. Select the type of single sign-on authentication (Basic (no SSO) or
SiteMinder).
3. Click Next.
4. If you selected SiteMinder, configure the SiteMinder hosts:
• In the Policy Server Host box, type the name of each Policy Server,
and then click Add.
• For each Policy Server Host, specify the Accounting, Authentication
and Authorization port numbers.
• Enter the name of the Web Agent and the Shared Secret. Enter the
shared secret again.
5. Click Next.
6. Proceed with configuring the LDAP options.

234 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing LDAP accounts 10
Troubleshooting SiteMinder single sign-on
If you are using SiteMinder with IIS, you may receive an error message in the
Central Management Console regarding the failure of single sign-on. If you
encounter this message, you may need to manually create two registry keys
for SiteMinder:
1. Create the following key, set its type to REG_DWORD, and set its value to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\
Enterprise\Admin Plugins\CrystalEnterprise.CMSAdmin\
EnableSiteMinderSingleSignOn
2. Create a second key, set its type to REG_SZ, and set its value to the
authentication type that you want to use for Siteminder single sign-on
(secLDAP or secWinAD):
HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\
Enterprise\Admin Plugins\CrystalEnterprise.CMSAdmin\
SiteMinderAuthentication
Ensure that the Siteminder Administrator has enabled support for 4.x agents
prior to the shared secret is set. This must be done regardless of what
supported version of SiteMinder you are using.

Configuring LDAP mapping options


To configure LDAP mapping options
1. If necessary, go to the Authentication management area of the CMC
again. Click the LDAP tab, and then click Start LDAP Configuration
Wizard. Click Next until the screen of the wizard asks you to map the LDAP
users to BusinessObjects Enterprise users. Otherwise, skip to step 2.
2. The next screen of the wizard controls how BusinessObjects Enterprise
maps LDAP users to BusinessObjects Enterprise users.
New Alias Options allow you to specify how LDAP aliases are mapped to
Enterprise accounts. Select either:
• Assign each added LDAP alias to an account with the same
name
Use this option when you know users have an existing Enterprise
account with the same name; that is, LDAP aliases will be assigned
to existing users (auto alias creation is turned on). Users who do not
have an existing Enterprise account, or who do not have the same
name in their Enterprise and LDAP account, are added as new
LDAP users.
or

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 235


10 Managing User Accounts and Groups
Managing LDAP accounts

• Create a new account for every added LDAP alias


Use this option when you want to create a new account for each
user.
3. Update Options allow you to specify if LDAP aliases are automatically
created for all new users. Select either:
• New aliases will be added and new users will be created
Use this option to automatically create a new alias for every LDAP
user mapped to BusinessObjects Enterprise. New LDAP accounts
are added for users without BusinessObjects Enterprise accounts, or
for all users if you selected the “Create a new account for every
added LDAP alias” option.

or
• No new aliases will be added and new users will not be created
Use this option when the LDAP directory you are mapping contains
many users, but only a few of them will use BusinessObjects
Enterprise. BusinessObjects Enterprise does not automatically
create aliases and Enterprise accounts for all users. Instead, it
creates aliases (and accounts, if required) only for users who log on
to BusinessObjects Enterprise.

236 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing LDAP accounts 10
4. New User Options allow you to specify properties of the new Enterprise
accounts that are created to map to LDAP accounts. Select either:
• New users are created as named users
New user accounts are configured to use named user licenses.
Named user licenses are associated with specific users and allow
people to access the system based on their user name and
password. This provides named users with access to the system
regardless of how many other people are connected. You must have
a named user license available for each user account created using
this option.
or
• New users are created as concurrent users
New user accounts are configured to use concurrent user licenses.
Concurrent licenses specify the number of people who can connect
to BusinessObjects Enterprise at the same time. This type of
licensing is very flexible because a small concurrent license can
support a large user base. For example, depending on how often
and how long users access BusinessObjects Enterprise, a 100 user
concurrent license could support 250, 500, or 700 users.
5. Click Finish to save your LDAP settings.
The LDAP Server Summary page appears.

Mapping LDAP groups


Once you have configured LDAP authentication using the LDAP configuration
wizard, you can map LDAP groups to Enterprise groups. See “Configuring
LDAP authentication” on page 230.
To map LDAP groups using BusinessObjects Enterprise
1. Go to the Authentication management area of the CMC.
2. Click the LDAP tab.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 237


10 Managing User Accounts and Groups
Managing LDAP accounts

If LDAP authorization is configured, the LDAP summary page appears.

3. In the “Mapped LDAP Member Groups” area, specify your LDAP group
(either by common name or distinguished name) in the Add LDAP group
(by cn or dn) field; click Add.
You can add more than one LDAP group by repeating this step. To
remove a group, highlight the LDAP group and click Delete.

238 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing LDAP accounts 10
4. New Alias Options allow you to specify how LDAP aliases are mapped to
Enterprise accounts. Select either:
• Assign each added LDAP alias to an account with the same
name
Use this option when you know users have an existing Enterprise
account with the same name; that is, LDAP aliases will be assigned
to existing users (auto alias creation is turned on). Users who do not
have an existing Enterprise account, or who do not have the same
name in their Enterprise and LDAP account, are added as new
LDAP users.
or
• Create a new account for every added LDAP alias
Use this option when you want to create a new account for each
user.
5. Update Options allow you to specify if LDAP aliases are automatically
created for all new users. Select either:
• New aliases will be added and new users will be created
Use this option to automatically create a new alias for every LDAP
user mapped to BusinessObjects Enterprise. New LDAP accounts
are added for users without BusinessObjects Enterprise accounts, or
for all users if you selected the “Create a new account for every
added LDAP alias” option.
or
• No new aliases will be added and new users will not be created
Use this option when the LDAP directory you are mapping contains
many users, but only a few of them will use BusinessObjects
Enterprise. BusinessObjects Enterprise does not automatically
create aliases and Enterprise accounts for all users. Instead, it
creates aliases (and accounts, if required) only for users who log on
to BusinessObjects Enterprise.
6. New User Options allow you to specify properties of the new Enterprise
accounts that are created to map to LDAP accounts. Select either:
• New users are created as named users
New user accounts are configured to use named user licenses.
Named user licenses are associated with specific users and allow
people to access the system based on their user name and
password. This provides named users with access to the system

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 239


10 Managing User Accounts and Groups
Managing LDAP accounts

regardless of how many other people are connected. You must have
a named user license available for each user account created using
this option.
or
• New users are created as concurrent users
New user accounts are configured to use concurrent user licenses.
Concurrent licenses specify the number of people who can connect
to BusinessObjects Enterprise at the same time. This type of
licensing is very flexible because a small concurrent license can
support a large user base. For example, depending on how often
and how long users access BusinessObjects Enterprise, a 100 user
concurrent license could support 250, 500, or 700 users.
7. Click Update.

Unmapping LDAP groups


Similar to mapping, it is possible to unmap groups using BusinessObjects
Enterprise.
To unmap LDAP groups using BusinessObjects Enterprise
1. Go to the Authentication management area of the CMC.
2. Click the LDAP tab.
If LDAP authorization is configured, the LDAP summary page will appear.
3. In the “Mapped LDAP Member Groups” area, select the LDAP group you
would like to remove.
4. Click Delete.
5. Click Update.
The users in this group will not be able to access BusinessObjects
Enterprise.
Tip: To deny LDAP Authentication for all groups, clear the “LDAP
Authentication is enabled” check box and click Update.
Note: The only exceptions to this occur when a user has an alias to an
Enterprise account. To restrict access, disable or delete the user’s
Enterprise account. For more information, see “Managing Enterprise and
general accounts” on page 219.

240 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing LDAP accounts 10
Viewing mapped LDAP users and groups
You can view your LDAP mapped groups in BusinessObjects Enterprise by
clicking the LDAP tab (located in the Authentication management area). If
LDAP authorization is configured, the Mapped LDAP Member Groups area
displays the LDAP groups that have been mapped to BusinessObjects
Enterprise.

Changing LDAP connection parameters and member


groups
After you have configured LDAP authentication using the LDAP configuration
wizard, you can change LDAP connection parameters and member groups
using the LDAP Server Configuration Summary Page.
For information on configuring LDAP authentication using the LDAP
configuration wizard, see “Configuring LDAP authentication” on page 230.
To change connection settings
1. Go to the Authentication management area of the CMC.
2. Click the LDAP tab.
If LDAP authorization is configured, the LDAP Server Configuration
Summary page appears. On this page you can change any of the
connection parameter areas or fields. You can also modify the Mapped
LDAP Member Groups area.
3. Delete currently mapped groups that will no longer be accessible under
the new connection settings.
4. Click Update.
5. Change your connection settings.
6. Click Update.
7. Change your Alias and New User options.
8. Click Update.
9. Map your new LDAP member groups.
10. Click Update.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 241


10 Managing User Accounts and Groups
Managing LDAP accounts

Managing multiple LDAP hosts


Using LDAP and BusinessObjects Enterprise, you can add fault tolerance to
your system by adding multiple LDAP hosts. BusinessObjects Enterprise
uses the first host that you add as the primary LDAP host. Subsequent hosts
are treated as failover hosts.
The primary LDAP host and all failover hosts must be configured in exactly
the same way, and each LDAP host must refer to all additional hosts from
which you wish to map groups. For more information about LDAP hosts and
referrals, see your LDAP documentation.
To add multiple LDAP Hosts, enter all hosts when you configure LDAP using
the LDAP configuration wizard (see “Configuring LDAP authentication” on
page 230 for details.) Or if you have already configured LDAP, go to the
Authentication management area of the Central Management Console and
click the LDAP tab. In the LDAP Server Configuration Summary area, click
the name of the LDAP host to open the page that enables you to add or
delete hosts.
Note:
• The order in which the hosts are communicated with matters, so ensure
that you add the primary host first, followed by the remaining failover
hosts.
• If you use failover LDAP hosts, you cannot use the highest level of SSL
security (that is, you cannot select “Accept server certificate if it comes
from a trusted Certificate Authority and the CN attribute of the certificate
matches the DNS hostname of the server.”) For more information, see
“Configuring LDAP authentication” on page 230.

Troubleshooting LDAP accounts


Creating a new LDAP user account
• If you create a new LDAP user account, and the account does not belong
to a group account that is mapped to BusinessObjects Enterprise, either
map the group to BusinessObjects Enterprise, or add the new LDAP user
account to a group that is already mapped to BusinessObjects
Enterprise. For more information, see “Configuring LDAP authentication”
on page 230.
• If you create a new LDAP user account, and the account belongs to a
group account that is mapped to BusinessObjects Enterprise, refresh the
user list. For more information, see “Viewing mapped LDAP users and
groups” on page 241.

242 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing AD accounts 10
Creating a new LDAP group account
• If you create a new LDAP group account, and the group account does not
belong to a group account that is mapped to BusinessObjects Enterprise,
add it to BusinessObjects Enterprise. For more information, see
“Configuring LDAP authentication” on page 230.
• If you create a new LDAP group account, and the account belongs to a
group account that is mapped to BusinessObjects Enterprise, refresh the
group list. For more information, see “Viewing mapped LDAP users and
groups” on page 241.

Disabling an LDAP user account


If you disable an LDAP user account, and that LDAP user account is mapped
to BusinessObjects Enterprise, the user will not be able to log on to
BusinessObjects Enterprise. However, if the user also has an account that
uses Enterprise authentication, the user can still access BusinessObjects
Enterprise using that account.

Disabling an LDAP group account


If you disable an LDAP group account, and that LDAP group account is
mapped to BusinessObjects Enterprise, the users who belong to that group
will not be able to log on to BusinessObjects Enterprise. However, if the user
also has an account that uses Enterprise authentication, the user can still
access BusinessObjects Enterprise using that account.

Managing AD accounts
This section provides an overview of AD authentication and the tasks related
to managing it. For information on how AD authentication works in
conjunction with BusinessObjects Enterprise, see “Windows AD security
plug-in” on page 206.
Once you have mapped your AD users and groups, all of the BusinessObjects
Enterprise client tools support AD authentication, except for the Import
Wizard. You can also create your own applications that support AD
authentication. For more information, see the developer documentation
available on your product CD.
Note:
• AD authentication only works for servers running on Windows systems.
• AD authentication and aggregation is not functional without a network
connection.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 243


10 Managing User Accounts and Groups
Managing AD accounts

• AD authentication and aggregation may not continue to function if the


administration credentials become invalid (for example, if the administrator
changes his or her password or if the account becomes disabled).
Managing AD accounts includes the following tasks:
• “Mapping AD accounts” on page 244
• “Unmapping AD groups” on page 247
• “Viewing mapped AD users and groups” on page 247
• “Troubleshooting AD accounts” on page 248
• “Setting up AD single sign-on” on page 249

Mapping AD accounts
To simplify administration, BusinessObjects Enterprise supports AD
authentication for user and group accounts. However, before users can use
their AD user name and password to log on to BusinessObjects Enterprise,
their AD user account needs to be mapped to BusinessObjects Enterprise.
When you map an AD account, you can choose to create a new
BusinessObjects Enterprise account or link to an existing BusinessObjects
Enterprise account.
To map AD users and groups
Before starting this procedure, ensure that you have the appropriate AD
domain and group information. As well, you must have created a domain user
account on your AD server for BusinessObjects Enterprise to use when
authenticating AD users and groups.
1. Go to the Authentication management area of the CMC.
2. Click the Windows AD tab.
3. Ensure that the “Windows Active Directory Authentication is
enabled” check box is selected.
4. If you will be using single sign-on, select the Enable Single Sign On for
selected authentication mode check box.
Note: If you select this option, you must also configure the IIS for single
sign-on. For details, see “Setting up AD single sign-on” on page 249.
Failing to configure IIS could compromise your system security if the
account that IIS runs under belongs to a mapped group, because users
who use one of the web applications would automatically have the same
access privileges as the IIS machine account.

244 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing AD accounts 10
5. In the “AD Administration Credentials” area, enter the name and password
of the domain user account you’ve set up on your AD server for
BusinessObjects Enterprise to use when authenticating AD users and
groups.
Administration credentials can use one of the following formats:
• NT name (DomainName\UserName)
• UPN (user@DNS_domain_name)
Administration credentials must be entered to enable AD authentication,
map groups, check rights, and so on.
6. Complete the Default AD Domain field.
Note:
• Groups from the default domain can be mapped without specifying
the domain name prefix.
• By entering the Default AD Domain name, users from the default
domain do not have to specify the AD domain name when they log
on to BusinessObjects Enterprise via AD authentication.
7. In the “Mapped AD Member Groups” area, enter the AD domain\group in
the Add AD Group (Domain\Group) field.
Groups can be mapped using one of the following formats:
• NT name (DomainName\GroupName)
• DN (cn=GroupName, ......, dc=DomainName, dc=com)
Note: If you want to map a local group, you can use only the NT name
format (\\ServerName\GroupName). Windows AD does not support
local users. This means that local users who belong to a mapped local
group will not be mapped to BusinessObjects Enterprise. Therefore they
will not be able to access BusinessObjects Enterprise.
8. Click Add.
The group is added to the list.
9. New Alias Options allow you to specify how AD aliases are mapped to
Enterprise accounts. Select either:
• Assign each added AD alias to an account with the same name
Use this option when you know users have an existing Enterprise
account with the same name; that is, AD aliases will be assigned to
existing users (auto alias creation is turned on). Users who do not
have an existing Enterprise account, or who do not have the same
name in their Enterprise and AD account, are added as new AD users.
or

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 245


10 Managing User Accounts and Groups
Managing AD accounts

• Create a new account for every added AD alias


Use this option when you want to create a new account for each
user.
10. Update Options allow you to specify if AD aliases are automatically
created for all new users. Select either:
• New aliases will be added and new users will be created
Use this option to automatically create a new alias for every AD user
mapped to BusinessObjects Enterprise. New AD accounts are
added for users without BusinessObjects Enterprise accounts, or for
all users if you selected the “Create a new account for every added
AD alias” option.
or
• No new aliases will be added and new users will not be created
Use this option when the AD directory you are mapping contains
many users, but only a few of them will use BusinessObjects
Enterprise. BusinessObjects Enterprise does not automatically
create aliases and Enterprise accounts for all users. Instead, it
creates aliases (and accounts, if required) only for users who log on
to BusinessObjects Enterprise.
Note: You can also add AD users individually by adding them as a
new user in BusinessObjects Enterprise and selecting Windows AD
authentication. For details, see “Creating a user and a third-party
alias” on page 262.
11. New User Options allow you to specify properties of the new Enterprise
accounts that are created to map to AD accounts. Select either:
• New users are created as named users
New user accounts are configured to use named user licenses.
Named user licenses are associated with specific users and allow
people to access the system based on their user name and password.
This provides named users with access to the system regardless of
how many other people are connected. You must have a named user
license available for each user account created using this option.
• New users are created as concurrent users
New user accounts are configured to use concurrent user licenses.
Concurrent licenses specify the number of people who can connect
to BusinessObjects Enterprise at the same time. This type of
licensing is very flexible because a small concurrent license can

246 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing AD accounts 10
support a large user base. For example, depending on how often
and how long users access BusinessObjects Enterprise, a 100 user
concurrent license could support 250, 500, or 700 users.
12. Click Update.
A message appears stating that it will take several seconds to update the
member groups.
13. Click OK.

Unmapping AD groups
Similar to mapping, it is possible to unmap groups using BusinessObjects
Enterprise.
To unmap AD groups using BusinessObjects Enterprise
1. Go to the Authentication management area of the CMC.
2. Click the Windows AD tab.
3. In the “Mapped AD Member Groups” area, select the AD group you
would like to remove.
4. Click Delete.
5. Click Update.
The users in the deleted group will no longer be able to access
BusinessObjects Enterprise.
Tip: To deny AD authentication for all users, clear the “Windows Active
Directory Authentication is enabled” check box and click Update.
Note: The only exceptions to this occur when a user has an alias other
than the one assigned for AD authentication. To restrict access, disable
or delete the user’s Enterprise account. For more information, see
“Managing Enterprise and general accounts” on page 219.

Viewing mapped AD users and groups


1. Go to the Groups management area of the CMC.
2. Under Group Name, click the hyperlink to a Windows AD group.
3. Click the Users tab.
Note: You can view the groups by clicking the Windows AD tab from the
Authentication management area and then viewing the “Mapped AD
Member Groups” area; users cannot be viewed from the Windows AD tab.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 247


10 Managing User Accounts and Groups
Managing AD accounts

Troubleshooting AD accounts
Creating a new AD user account
• If you create a new AD user account, and the account belongs to a group
account that is mapped to BusinessObjects Enterprise, ensure that you
update the user list by clicking Update in the Windows AD tab found in
the Authentication management area. Note that you must click Update to
ensure that new users are imported properly. For information on viewing
AD users and groups, see “Viewing mapped AD users and groups” on
page 247.
• User accounts are automatically created for AD users who are added to
an AD group when these users successfully log on to BusinessObjects
Enterprise.

Adding an AD group account to a mapped AD group


• When you add an AD group account to an AD group that was previously
mapped to BusinessObjects Enterprise, and you would like the users of
this nested group to get imported into BusinessObjects Enterprise, you
need to click Update in the Windows AD tab (found in the Authentication
management area).
Note: The nested AD group will not get mapped to BusinessObjects
Enterprise by this operation.
• When you have added a new account in AD, and the AD group to which the
account belongs is already mapped to BusinessObjects Enterprise, there
are three ways you can get the new AD account into BusinessObjects
Enterprise. Choose the method that works best for your situation:
• When the new AD user logs on to BusinessObjects Enterprise and
selects AD authentication, the system will add the user to
BusinessObjects Enterprise. This is the simplest method and it doesn’t
require any extra steps, but the user won’t be added until he or she logs
on to BusinessObjects Enterprise.
• You can add the new user to BusinessObjects Enterprise and select
Windows AD authentication. The user is added and is automatically
assigned a Windows AD alias. See “Creating a user and a third-party
alias” on page 262.
• You can go to the Windows AD tab in the Authentication management
area and select the option to add all new aliases and create all new
users, and then click Update. In this case all AD users will be added to
BusinessObjects Enterprise. For details, see “Mapping AD accounts” on

248 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing AD accounts 10
page 244. However, if the AD group contains many users who don’t
require access to BusinessObjects Enterprise, you may want to add the
user individually instead.

Setting up AD single sign-on


Installation of the Active Directory plug-in for BusinessObjects Enterprise
enables you to use AD single sign-on. However, for AD single sign-on to
work, you have to configure the IIS Business Objects virtual directory.
Note:
• AD single sign-on is not supported on client machines running on
Windows 98.
• By default, AD single sign-on is not enabled.
Setting up AD single sign-on to BusinessObjects Enterprise includes the
following tasks:
• “Configuring IIS for AD single sign-on” on page 249
• “Enabling AD single sign-on in CMC” on page 250
• “Modifying the web.config file for AD single sign-on” on page 250
Note: For information on how to set up end-to-end single sign on with AD
and Kerberos, see “Configuring Kerberos single sign-on to the database” on
page 266.

Configuring IIS for AD single sign-on


To configure the IIS web server for AD single sign-on
1. Using the documentation included with your IIS server, change the access
and authentication settings for the Enterprise virtual directory as follows:
• Deselect the Anonymous access and Basic authentication check
boxes.
• Ensure that Integrated Windows authentication check box is
selected.
Note: You must also enable AD single sign-on in the CMC. For
details, see “Enabling AD single sign-on in CMC” on page 250.
2. Modify the web.config file. See “Modifying the web.config file for AD
single sign-on” on page 250.
3. Restart your IIS server.
Note: For AD single sign-on to function correctly, make sure you
complete all tasks listed in “Setting up AD single sign-on” on page 249.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 249


10 Managing User Accounts and Groups
Managing AD accounts

Enabling AD single sign-on in CMC


To enable the Windows AD plug-in for single sign-on in CMC
1. Go to the Authentication management area of the CMC.
2. Click the Windows AD tab.
3. Select the Enable Single Sign On for selected authentication mode
check box.
Note: If you select this option, you must also configure the IIS for single
sign-on. For details, see “Configuring IIS for AD single sign-on” on
page 249. Failing to configure IIS could compromise your system security
if the account that IIS runs under belongs to a mapped group, because
users who use one of the web applications would automatically have the
same access privileges as the IIS machine account.
4. Click Update.
Note: For AD single sign-on to function correctly, make sure you
complete all tasks listed in “Setting up AD single sign-on” on page 249.

Modifying the web.config file for AD single sign-on


Make the following modifications to the web.config file to make sure Windows
authentication is enabled.
To modify the web.config file for AD single sign-on
1. Modify either of the following web.conf file based on what you want to
configure for single sign-on. To configure both CMC and InfoView for
single sign-on, configure the web.config file in the Web Content directory;
To configure only InfoView for single sign-on, configure the web.config file
in the Infoview directory.
• Add the following lines to the <system.web> block in the
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\Web Content\Web.config file:
<identity impersonate="true" />
<Authentication mode="Windows" />
• Add the following lines to the <system.web> block in the
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\Web
Content\Enterprise115\InfoView\Web.config file:
<identity impersonate="true" />
<Authentication mode="Windows" />
2. Add the following lines in the <WebDesktopSettings> section, above
<!-- Default Authentication progID (secEnterprise,
secLDAP, secWindowsNT, secWinAD) -->:

250 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing NT accounts 10
<add key="cmsDefault" value="CMSMachineName" />
<add key="ssoEnabled" value="true" />
<add key="authenticationDefault" value="secWinAD" />
Note:
• Replace CMSMachineName with the name of your CMS. You may
also have to change the value in the authenticationDefault to
match the authentication type you will be using.
• For AD single sign-on to function correctly, make sure
you complete all tasks listed in “Setting up AD single sign-
on” on page 249.

Managing NT accounts
This section provides an overview of NT authentication and the tasks related
to managing it. For information on how NT authentication works in
conjunction with BusinessObjects Enterprise, see “Windows NT security plug-
in” on page 202.
Note:
• NT authentication only works for servers running on Windows systems. If
you install BusinessObjects Enterprise on a Windows NT, 2000, or 2003
machine, NT authentication is installed and enabled by default.
• NT accounts refer to Windows NT, 2000, or 2003 accounts.
Managing NT accounts includes the following tasks:
• “Mapping NT accounts” on page 251
• “Unmapping NT groups” on page 255
• “Viewing mapped NT users and groups” on page 257
• “Troubleshooting NT accounts” on page 257
• “Setting up NT single sign-on” on page 259

Mapping NT accounts
To simplify administration, BusinessObjects Enterprise supports user and
group accounts that are created using Windows NT. However, before users
can use their NT user name and password to log on to BusinessObjects
Enterprise, their NT user account needs to be mapped to BusinessObjects
Enterprise. When you map an NT account, you can choose to create a new
BusinessObjects Enterprise account or link to an existing BusinessObjects
Enterprise account.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 251


10 Managing User Accounts and Groups
Managing NT accounts

You can map NT accounts to BusinessObjects Enterprise through Windows,


by using the User Manager in Windows NT or Computer Management in
Windows 2000, or through the CMC.
Note: NT accounts refer to both Windows NT and 2000 accounts.
To map NT users and groups using Windows NT
1. From the Windows Administrative Tools program group, click User
Manager.
Note: Ensure that you have selected the domain that contains the
BusinessObjects NT Users group.
2. Select the BusinessObjects NT Users group.
Note: The BusinessObjects NT Users group is created automatically in
Windows NT when you install BusinessObjects Enterprise on Windows NT.
3. From the User menu, click Properties.
4. Click Add.
5. Select the group(s) and/or user(s); then click Add.
6. Click OK to add the group(s) and/or user(s).
7. Click OK to complete the process.
Tip: Users will now be able to log on to InfoView using their NT account
if they use the following format:
\\NTDomainName\NTusername or
NTMachineName\LocalUserName
Users do not have to specify the NT Domain Name if it is specified in the
“Default NT Domain” field on the Windows NT tab.
To map NT users and groups using Windows 2000
1. From the Windows Administrative Tools program group, click Computer
Management.
2. Under System Tools, select Local Users and Groups.
3. Click the Groups folder.
4. Select the BusinessObjects NT Users and from the Action menu,
select Properties.
5. Click Add.
6. Select the group(s) and/or user(s); then click Add.
7. Click OK to add the group(s) and/or user(s).
8. Click OK or Apply (and then Close) to complete the process.
Tip: Users will now be able to log on to InfoView using their NT account
if they use the following format:

252 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing NT accounts 10
\\NTDomainName\NTusername or
NTMachineName\LocalUserName
Users do not have to specify the NT Domain Name if it is specified in the
“Default NT Domain” field on the Windows NT tab.
To map NT users and groups using BusinessObjects Enterprise
Before starting this procedure, ensure you have the NT domain and group
information.
1. Go to the Authentication management area of the CMC.
2. Click the Windows NT tab.

3. Ensure that the NT Authentication is enabled check box is selected.


4. If you will be using single sign-on, select the Single Sign On is enabled
check box.
Note: If you select this option, you must also configure the IIS for single
sign-on. For details, see “Setting up NT single sign-on” on page 259.
Failing to configure IIS could compromise your system security if the
account that IIS runs under belongs to a mapped group, because users
who use one of the web applications would automatically have the same
access privileges as the IIS machine account.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 253


10 Managing User Accounts and Groups
Managing NT accounts

5. To change the Default NT domain, click the domain name. Complete the
Default NT Domain field.
Note: By typing the default NT Domain Name, users do not have to
specify the NT Domain Name when they log on to BusinessObjects
Enterprise via NT authentication. Also, you don’t have to specify the NT
domain name when you map groups.
6. In the Mapped NT Member Groups area, enter the NT domain\group in
the Add NT Group (NT Domain\Group) field.
Note: If you want to map a local NT group, you must type
\\NTmachinename\groupname.
7. Click Add.
The group is added to the list.
8. New Alias Options allow you to specify how NT aliases are mapped to
Enterprise accounts. Select either:
• Assign each added NT alias to an account with the same name
Use this option when you know users have an existing Enterprise
account with the same name; that is, NT aliases will be assigned to
existing users (auto alias creation is turned on). Users who do not
have an existing Enterprise account, or who do not have the same
name in their Enterprise and NT account, are added as new NT users.
or
• Create a new account for every added NT alias
Use this option when you want the system to create a new account
for each user. The system ensures that the users are created with
unique names. For example, if BusinessObjects Enterprise user
bsmith already exists and an NT user with the same is added, the
new user will be bsmith01.
9. Update Options allow you to specify if NT aliases are automatically
created for all new users. Select either:
• New aliases will be added and new users will be created
Use this option to automatically create a new alias for every NT user
mapped to BusinessObjects Enterprise. New NT accounts are added
for users without BusinessObjects Enterprise accounts, or for all
users if you selected the “Create a new account for every added NT
alias” option.
or

254 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing NT accounts 10
• No new aliases will be added and new users will not be created
Use this option when the NT directory you are mapping contains
many users, but only a few of them will use BusinessObjects
Enterprise. BusinessObjects Enterprise does not automatically
create aliases and Enterprise accounts for all users. Instead, it
creates aliases (and accounts, if required) only for users who log on
to BusinessObjects Enterprise.
10. New User Options allow you to specify properties of the new Enterprise
accounts that are created to map to NT accounts. Select either:
• New users are created as named users
New user accounts are configured to use named user licenses.
Named user licenses are associated with specific users and allow
people to access the system based on their user name and
password. This provides named users with access to the system
regardless of how many other people are connected. You must have
a named user license available for each user account created using
this option.
• New users are created as concurrent users
New user accounts are configured to use concurrent user licenses.
Concurrent licenses specify the number of people who can connect
to BusinessObjects Enterprise at the same time. This type of
licensing is very flexible because a small concurrent license can
support a large user base. For example, depending on how often
and how long users access BusinessObjects Enterprise, a 100 user
concurrent license could support 250, 500, or 700 users.
11. Click Update.
A message appears stating that it will take several seconds to update the
member groups.
12. Click OK.

Unmapping NT groups
Similar to mapping, it is possible to unmap groups using the administrative
tool in Windows NT/2000, or BusinessObjects Enterprise.
To unmap NT users and groups using Windows NT
1. From the Administrative Tools program group, click User Manager.
2. Select BusinessObjects NT Users.
3. From the User menu, click Properties.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 255


10 Managing User Accounts and Groups
Managing NT accounts

4. Select the user(s) or group(s); then click Remove.


5. Click OK.
The user or group will no longer be able to access BusinessObjects
Enterprise.
Note: The only exceptions to this occur when a user has an alias to an
Enterprise account. To restrict access, disable or delete the user’s
Enterprise account. For more information, see “Managing Enterprise and
general accounts” on page 219.
To unmap NT users and groups using Windows 2000
1. From the Administrative Tools program group, click Computer
Management.
2. Under System Tools, select Local Users and Groups.
3. Click the Groups folder.
4. Select BusinessObjects NT Users.
5. From the Action menu, click Properties.
6. Select the user(s) or group(s); then click Remove.
7. Click OK or Apply (and then Close) to complete the process.
The user or group will no longer be able to access BusinessObjects
Enterprise.
Note: The only exceptions to this occur when a user has an alias to an
Enterprise account. To restrict access, disable or delete the user’s
Enterprise account. For more information, see “Managing Enterprise and
general accounts” on page 219.
To unmap NT groups using BusinessObjects Enterprise
1. Go to the Authentication management area of the CMC.
2. Click the Windows NT tab.
3. In the Mapped NT Member Groups area, select the NT group you would
like to remove.
4. Click Delete.
5. Click Update.
The users in this group will not be able to access BusinessObjects
Enterprise.
Tip: To deny NT Authentication for all groups, clear the “NT
Authentication is enabled” check box and click Update.

256 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing NT accounts 10
Note: The only exceptions to this occur when a user has an alias to an
Enterprise account. To restrict access, disable or delete the user’s
Enterprise account. For more information, see “Managing Enterprise and
general accounts” on page 219.

Viewing mapped NT users and groups


There are two methods to view mapped users and groups in BusinessObjects
Enterprise. The method you use depends on the way the groups and users
have been mapped.
To view users and groups that have been added using Windows NT/
2000 or BusinessObjects Enterprise
1. Go to the Groups management area of the CMC.
2. If you added users and groups through Windows NT/2000, then click
BusinessObjects NT Users.
If you added users and groups through the CMC, then select the
appropriate group.
3. Click the Users tab.
4. Click OK to the message which states that accessing the user list may
take several seconds.
5. Click Refresh.
6. Click OK.
To view users and groups that have been added using BusinessObjects
Enterprise
1. Go to the Authentication management area of the CMC.
2. Click the Windows NT tab.
The “Mapped NT Member Groups” area displays the groups that have
been mapped to BusinessObjects Enterprise.
Note: You can view the groups and users by selecting the appropriate
group from the Groups management area and then clicking the Users tab.

Troubleshooting NT accounts
Creating a new NT user account
• If you create a new NT user account, and the account does not belong to
a group account that is mapped to BusinessObjects Enterprise, add it to
BusinessObjects Enterprise. For more information, see “Mapping NT
accounts” on page 251.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 257


10 Managing User Accounts and Groups
Managing NT accounts

• If you create a new NT user account, and the account belongs to a group
account that is mapped to BusinessObjects Enterprise, refresh the user
list. For more information, see “Viewing mapped NT users and groups” on
page 257.

Adding an NT account to a mapped NT group


When you have added a new account in NT, and the NT group to which the
account belongs is already mapped to BusinessObjects Enterprise, there are
three ways you can get the new NT account into BusinessObjects Enterprise.
Choose the method that works best for your situation:
• When the new NT user logs on to BusinessObjects Enterprise and
selects NT authentication, the system will add the user to
BusinessObjects Enterprise. This is the simplest method and it doesn’t
require any extra steps, but the user won’t be added until he or she logs
on to BusinessObjects Enterprise.
• You can add the new user to BusinessObjects Enterprise and select
Windows NT authentication. The user is added and is automatically
assigned a Windows NT alias. See “Creating a user and a third-party
alias” on page 262.
• You can go to the Windows NT tab in the Authentication management
area and select the option to add all new aliases and create all new
users, and then click Update. In this case all NT users will be added to
BusinessObjects Enterprise. For details, see “Mapping NT accounts” on
page 251. However, if the NT group contains many users who don’t
require access to BusinessObjects Enterprise, you may want to add the
user individually instead.

Creating a new NT group account


• If you create a new NT group account, and the group account does not
belong to a group account that is mapped to BusinessObjects Enterprise,
add it to BusinessObjects Enterprise. For more information, see
“Mapping NT accounts” on page 251.
• If you create a new NT group account, and the account belongs to a
group account that is mapped to BusinessObjects Enterprise, refresh the
group list. For more information, see “Viewing mapped NT users and
groups” on page 257.

258 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing NT accounts 10
Disabling an NT user account
• If you disable an NT user account (using Windows Administrative Tools),
the user will not be able to log on to BusinessObjects Enterprise using
the mapped NT account. However, if the user also has an account that
uses Enterprise authentication, the user can still access BusinessObjects
Enterprise using that account.

Setting up NT single sign-on


You can configure BusinessObjects Enterprise to allow users to use various
BusinessObjects Enterprise applications without being prompted to log on.
Users need only to enter their NT user name and password information once
at the beginning of the NT session. For instance, if you have set up NT single
sign-on, when you launch the CMC, NT authentication occurs in the
background. You are not required to enter any additional information.
Note: This feature is available if you are using a Microsoft Internet
Information Server (IIS) web server and users are using Internet Explorer as
their web browser. See the Platforms.txt file included with your product
distribution for a complete list of version requirements.
BusinessObjects Enterprise provides its own form of “anonymous single sign-
on,” which uses Enterprise authentication, as opposed to Windows NT
authentication. Design your own web applications accordingly (or modify
InfoView) if you want to use NT single sign-on.
When a user launches InfoView, he or she can log on using the Guest
account (Enterprise authentication). You can disable this feature—for more
information, see “Disabling the Guest account” on page 229. However, even
when you disable the Guest account, BusinessObjects Enterprise is designed
to display a logon page. With single sign-on enabled, the user can select
Windows NT from the Authentication list and click Log On without entering his
or her user name or password. In the developer documentation, refer to the
tutorial for an example on creating a web application that uses single sign-on.
Setting up NT single sign-on to BusinessObjects Enterprise includes the
following tasks:
• “Configuring IIS for NT single sign-on” on page 260
• “Enabling NT single sign-on in CMC” on page 260
• “Modifying the web.config file for NT single sign-on” on page 260
Note: BusinessObjects Enterprise does not support the Kerberos protocol for
Windows NT. For information on how to set up end-to-end single sign on with
AD and Kerberos, see “Configuring Kerberos single sign-on to the database”
on page 266.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 259


10 Managing User Accounts and Groups
Managing NT accounts

Configuring IIS for NT single sign-on


To configure the IIS web server for NT single sign-on
1. Using the documentation included with your IIS server, change the access
and authentication settings for the Enterprise virtual directory as follows:
• Deselect the Anonymous access and Basic authentication check
boxes.
• Ensure that the Integrated Windows authentication check box is
selected.
2. Modify the web.config file. See “Modifying the web.config file for NT
single sign-on” on page 260.
3. Restart your IIS server.
Note: For NT single sign-on to function correctly, make sure you
complete all tasks listed in “Setting up NT single sign-on” on page 259.

Enabling NT single sign-on in CMC


To enable the Windows NT plug-in for single sign-on in CMC
1. Go to the Authentication management area of the CMC.
2. Click the Windows NT tab.
3. Select the Single Sign On is enabled check box.
Note: If you select this option, you must also configure the IIS for single
sign-on. For details, see “Configuring IIS for NT single sign-on” on
page 260. Failing to configure IIS could compromise your system security
if the account that IIS runs under belongs to a mapped group, because
when users access one of the web applications they would automatically
have the same access privileges as the IIS machine account.
4. Click Update.
Note: For NT single sign-on to function correctly, make sure you
complete all tasks listed in “Setting up NT single sign-on” on page 259.

Modifying the web.config file for NT single sign-on


Make the following modifications to the web.config file to make sure Windows
authentication is enabled.
To modify the web.config file for NT single sign-on
1. Modify either of the following web.conf file based on what you want to
configure for single sign-on. To configure both CMC and InfoView for
single sign-on, configure the web.config file in the Web Content directory;
To configure only InfoView for single sign-on, configure the web.config file
in the Infoview directory.

260 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing aliases 10
• Add the following lines to the <system.web> block in the
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\Web Content\Web.config file:
<identity impersonate="true" />
<Authentication mode="Windows" />
• Add the following lines to the <system.web> block in the
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\Web
Content\Enterprise115\InfoView\Web.config file:
<identity impersonate="true" />
<Authentication mode="Windows" />
2. Add the following lines in the <WebDesktopSettings> section, above
<!-- Default Authentication progID (secEnterprise,
secLDAP, secWindowsNT, secWinAD) -->:
<add key="cmsDefault" value="CMSMachineName" />
<add key="ssoEnabled" value="true" />
<add key="authenticationDefault" value="secWindowsNT" />
Note:
• Replace CMSMachineName with the name of your CMS. You may
also have to change the value in the authenticationDefault to
match the authentication type you will be using.
• For NT single sign-on to function correctly, make sure you complete
all tasks listed in “Setting up NT single sign-on” on page 259.

Managing aliases
If a user has multiple accounts in BusinessObjects Enterprise, you can link
the accounts using the assign alias feature. This is useful when a user has a
third-party account that is mapped to Enterprise and an Enterprise account.
By assigning an alias to the user, the user can log on using either a third-party
user name and password or an Enterprise user name and password. Thus,
an alias enables a user to log on via more than one authentication type.
You can also reassign an alias in BusinessObjects Enterprise. For example,
after you map your third-party accounts to BusinessObjects Enterprise, you
can use the Reassign Alias feature to reassign an alias to a different a user.
In CMC, the alias information is displayed at the bottom of the properties
page for a user. A user can have any combination of BusinessObjects
Enterprise, LDAP, AD, or NT aliases.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 261


10 Managing User Accounts and Groups
Managing aliases

Managing aliases includes:


• “Creating a user and a third-party alias” on page 262
• “Creating an alias for an existing user” on page 263
• “Assigning an alias” on page 263
• “Reassigning an alias” on page 264
• “Deleting an alias” on page 265
• “Disabling an aliases” on page 265

Creating a user and a third-party alias


When you create a user and select an authentication type other than
Enterprise, the system creates the new user in BusinessObjects Enterprise
and creates a third-party alias for the user.
Note: For the system to create the third-party alias, the following criteria must
be met:
• The authentication tool needs to have been enabled in CMC.
• The format of the account name must agree with the format required for
the authentication type.
• The user account must exist in the third-party authentication tool, and it
must belong to a group that is already mapped to BusinessObjects
Enterprise.
To create a user and add a third-party alias
1. Go to the Users management area of the CMC.
2. Click New User.
The New User Properties page appears.
3. Select the authentication type for the user, for example, Windows NT.
The New User Properties page appears.

4. Type in the third-party account name for the user, for example, bsmith.

262 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing aliases 10
5. Select the connection type for the user.
6. Click OK.
The user is added to BusinessObjects Enterprise and is assigned an
alias for the authentication type you selected, for example,
secWindowsNT:ENTERPRISE:bsmith. If required, you can add, assign,
and reassign aliases to user.

Creating an alias for an existing user


You can create aliases for existing BusinessObjects Enterprise users. The
alias can be an Enterprise alias, or an alias for a third-party authentication
tool.
Note: For the system to create the third-party alias, the following criteria must
be met:
• The authentication tool needs to have been enabled in CMC.
• The format of the account name must agree with the format required for
the authentication type.
• The user account must exist in the third-party authentication tool, and it
must belong to a group that is mapped to BusinessObjects Enterprise.
To create a new alias for a user
1. Go to the Users management area of the CMC.
2. Click the link for the user that you want to add an alias to.
3. Click New Alias.
The New Alias page appears.
4. Select the authentication type for the user, for example, Windows NT.
5. Type in the account name for the user.
6. Click OK.
An alias is created for the user. When you view the user in CMC, at least
two aliases are shown, the one that was already assigned to the user and
the one you just created.

Assigning an alias
When you assign an alias to a user, you move a third-party alias from another
user to the user you are currently viewing. You cannot assign or reassign
Enterprise aliases.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 263


10 Managing User Accounts and Groups
Managing aliases

Note: If a user has only one alias and you assign that last alias to another
user, the system will delete the user account, and the Favorites folder,
personal categories, and inbox for that account.
To assign an alias from another user
1. Go to the Users management area of the CMC.
2. Click the link for the user you want to assign an alias to.
3. Click Assign Alias.
The Assign Alias page appears.
4. Select the alias you want in the list of available aliases.
5. Click the > arrow.
Tip:
• To select multiple aliases, use the SHIFT+click or CTRL+click
combination.
• To search for a specific alias, use the Look For field.
6. Click OK.

Reassigning an alias
When you reassign an alias, you move a third-party alias from the user that
you are currently viewing to another user. You cannot assign or reassign
Enterprise aliases.
Note: If a user has only one alias and you reassign that alias to another user,
the system will delete the user account, and the Favorites folder, personal
categories, and inbox for that account.
To reassign an alias to another user
1. Go to the Users management area of the CMC.
2. Click the link for the user whose alias you want to reassign, for example,
bsmith.
3. Click the Reassign Alias button for the alias.
The Reassign Alias page appears.
4. In the list, click the name of the user that you want to assign the alias to,
for example, jbrown.
5. Click OK.
The alias for bsmith has now been assigned to the user jbrown, and the
Properties page for user jbrown is displayed. The user jbrown can now
log on using the third-party user account and authentication method. The
user bsmith can no longer use this alias.

264 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Managing aliases 10
Deleting an alias
When you delete an alias, the alias is removed from the system. If a user has
only one alias and you delete that alias, the system automatically deletes the
user account and the Favorites folder, personal categories, and inbox for that
account.
To delete an alias
1. Go to the Users management area of the CMC.
2. Click the link for the user whose alias you want to delete.
3. Click the Delete Alias button for the alias.
The alias is deleted from the system.
Note: Deleting a user’s alias does not necessarily prevent the user from
being able to log on to BusinessObjects Enterprise again. If the user account
still exists in the third-party system, and if the account belongs to a group that
is mapped to BusinessObjects Enterprise, then BusinessObjects Enterprise
will still allow the user to log on. Whether the system creates a new user or
assigns the alias to an existing user, depends on which Update Options you
have selected for the authentication tool in the Authentication management
area of CMC.

Disabling an aliases
You can prevent a user from logging on to BusinessObjects Enterprise using
a particular authentication method by disabling the user’s alias associated
with that method. To prevent a user from accessing BusinessObjects
Enterprise altogether, disable all aliases for that user.
Note: Deleting a user from BusinessObjects Enterprise does not necessarily
prevent the user from being able to log on to BusinessObjects Enterprise
again. If the user account still exists in the third-party system, and if the
account belongs to a group that is mapped to BusinessObjects Enterprise,
then BusinessObjects Enterprise will still allow the user to log on. To ensure a
user can no longer use one of his or her aliases to log on to BusinessObjects
Enterprise, it is best to disable the alias. See also “Deleting an alias” on
page 265.
To disable an alias
1. Go to the Users management area of the CMC.
2. Click the name of the user whose alias you want to disable.
3. In the Alias area on the Properties page, clear the Enabled check box for
the alias you want disable.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 265


10 Managing User Accounts and Groups
Configuring Kerberos and Active Directory

Repeat this step for each alias you want to disable.


4. Click Update.
The user can no longer log on using the type of authentication that you
just disabled.

Configuring Kerberos and Active Directory


This section summarizes the workflow for when you configure Kerberos with
Active Directory.
Configuring Kerberos includes the following main steps:
1. “Setting up a service account” on page 267
Note: The order in which you complete these steps is not important.
However, before you can proceed you must have set up the service
account.
2. “Configuring the server machines” on page 268
3. “Configuring the servers to use the service account” on page 269
4. “Configuring the Windows AD plug-in for Kerberos authentication” on
page 269
5. “Configuring Kerberos for Windows Active Directory authentication” on
page 271
6. “Modifying your Java options for Kerberos” on page 274
In addition to the main steps outlined, the following information is also
available to help you when you are configuring Kerberos and Active Directory:
• “Sample multiple domain Krb5.ini file” on page 275
• “Sample single domain Krb5.ini file” on page 276
• “Troubleshooting Kerberos and enabling logging” on page 276

Configuring Kerberos single sign-on to the


database
This section tells you how to set up end-to-end single sign-on to your
BusinessObjects Enterprise system and its back-end databases by using
Kerberos and Windows AD authentication.
For general information about the levels of single sign-on that are supported
in BusinessObjects Enterprise, see “About single sign-on” on page 198.

266 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
BusinessObjects Enterprise currently supports single sign-on to the database
with Windows AD using Kerberos. See the Platforms.txt file included with
your product distribution for a complete list of version requirements.
Configuration process overview
Configuring end-to-end single sign-on using Kerberos includes the following
main steps:
1. “Setting up a service account” on page 267
Note: The order in which you complete these steps is not important.
However, before you can proceed you must have set up the service
account.
2. “Configuring the server machines” on page 268
3. “Configuring the servers to use the service account” on page 269
4. “Configuring the Windows AD plug-in for Kerberos authentication” on
page 269
5. “Configuring Kerberos for Windows Active Directory authentication” on
page 271
Note: If your using IIS, this step is not required.
6. “Modifying your Java options for Kerberos” on page 274
7. “Configuring the IIS and browsers” on page 278
8. “Configuring IIS for end-to-end single sign-on” on page 279
9. “Configuring BusinessObjects Enterprise web applications” on page 286
10. “Configuring the databases for single sign-on” on page 288
In addition to the main steps outlined, the following information is also
available to help you when you are configuring Kerberos and Active Directory:
• “Sample multiple domain Krb5.ini file” on page 275
• “Sample single domain Krb5.ini file” on page 276
• “Troubleshooting Kerberos and enabling logging” on page 276

Setting up a service account


To configure BusinessObjects Enterprise for Kerberos and Windows AD
authentication, you require a service account. This must be a domain account
that has been trusted for delegation. You can either create a new domain
account or use an existing domain account. The service account will be used
to run the BusinessObjects Enterprise servers.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 267


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

To set up the service account


On the domain controller, set up the domain service account. For detailed
instructions, refer to http://msdn.microsoft.com.
1. Create a user in your Active Directory.
2. Ensure these settings are used for the user.
• In a Windows 2000 domain, on the account tab, select Account is
the trusted for delegation and Use DES encryption types for this
account for this user.
• In Windows 2003 domain, from the Delegation tab, select Trust this
user for delegation to any service (Kerberos only); from the
account tab select, Use DES encryption types for this account.
Note: If you are using Windows 2003, you may have to first add a service
principal name (SPN) for the domain account so that the Delegation tab is
visible. This is done with the following command setspn -R servact, where
servact is the user name you created.

Configuring the servers


Configuring the BusinessObjects Enterprise servers includes:
• “Configuring the server machines” on page 268
• “Configuring the servers to use the service account” on page 269

Configuring the server machines


In order to support end-to-end single sign-on, you must grant the service
account the right to act as part of the operating system. This must be done on
each machine running the following servers:
• CMS
• Page Server
• Report Application Server
• Web Intelligence Report Server
To configure the server machines
Note: To complete this procedure, you require a service account that has
been trusted for delegation. See “Setting up a service account” on page 267.
1. Click Start > Administrative Tools > Local Security Policy.
2. Click Local Policies, then click User Rights Assignment.
3. Double-click Act as part of the operating system.
4. Click Add.

268 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
5. Double-click the service account, and then click OK.
6. Ensure that the Local Policy Setting check box is selected, and then
click OK.
7. Repeat the above steps on each machine running a BusinessObjects
Enterprise server.
For detailed instructions, see “Controlling users’ access to objects” on
page 293.

Configuring the servers to use the service account


In order to support Kerberos single sign-on, you must use CCM and configure
the following servers to log on as the service account:
• CMS server
• Page Server
• Report Application Server
• Web Intelligence Report Server
To configure a server
Note: To complete this procedure, you require a service account that has
been trusted for delegation. See “Setting up a service account” on page 267.
1. Start the CCM.
2. Stop the server you want to configure, for example, the CMS server.
3. Double-click the server you want to configure. The Properties dialog box
is displayed.
4. On the Properties tab:
a. In the Log On As area, deselect the System Account check box.
b. Enter the user name and password for the service account.
c. Click Apply, and then click OK.
5. Start the server again.
6. Repeat steps 2 through 5 for each BusinessObjects server that has to be
configured.

Configuring the Windows AD plug-in for Kerberos


authentication
In order to support Kerberos single sign-on, you have to configure the Windows
AD security plug-in in the CMC to use Kerberos authentication. This includes:
• Ensuring Windows AD authentication is enabled.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 269


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

• Setting up an AD Administrator account. This account requires read


access to Active Directory only; it does not require any other rights.
• Enabling Kerberos single sign-on and setting the service principal name
(SPN) to use a service account.
To configure the Windows AD security plug-in
1. Go to the Authentication management area of the CMC.
2. Click the Windows AD tab.
3. Ensure that the Windows Active Directory Authentication is enabled
check box is selected.
4. Select the Enable Single Sign On for selected authentication mode
check box.
Note: For related information about configuring the Windows AD plug-in,
see “Managing AD accounts” on page 243.
5. Specify the AD administrator account:
a. Click AD Administrator Name.
b. Enter the name and password for the account and the default AD
Domain.
Note:
• The format for the AD Administrator Name field is
Domain\User.
• Use FQDN format for the default AD Domain field.
• The AD Administrator account requires read access to Active
Directory only; it does not require any other rights.
c. Click Update.
6. In the “Mapped AD Member Group” area, map the AD group for the AD
users who require access to BusinessObjects Enterprise via AD
authentication and single sign-on. See “Mapping AD accounts” on
page 244.
7. Under Authentication Options select the following:
• Select the Use Kerberos authentication check box.
• If you want to configure single sign-on to a database, select the
Cache Security context (required for SSO to database) check
box.
• In the Service Principal Name box, enter the service principal name
of the service account.
Note:

270 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
• This must be the same account that you use to run the
BusinessObjects Enterprise servers. This is the AD account you
created in this step: “Setting up a service account” on page 267.
• The Service Principal Name is case sensitive. The case must
match exactly what you have set up on your AD domain. This
must be the same account that you use to run the
BusinessObjects Enterprise servers. See “Setting up a service
account” on page 267.
8. Click Update.

Configuring Kerberos for Windows Active Directory


authentication
You must modify your system configuration before you can use Kerberos with
Windows Active Directory authentication and a Java application server. If your
using IIS, this step is not required.
See the following section in that applies to your application server.
Note:
• The default Active Directory domain must be in uppercase DNS format.
• User names are case sensitive in Kerberos.
• You do not need to configure Kerberos for single sign-on; Kerberos single
sign-on is optional.
• You are no longer required to download and install MIT Kerberos for
Windows. You also no longer require a keytab for your service account.

Configuring Java Application servers to use AD with Kerberos


When you configure Kerberos with AD for Tomcat or WebLogic, WebSphere
or WebLogic, you must complete these steps:
• Complete all the steps, except this one, specified in “Configuring
Kerberos and Active Directory” on page 266.
• Create
To configure Kerberos to use with Tomcat or WebLogic
1. Configure Kerberos with Windows Active Directory authentication on your
BusinessObjects Enterprise system. For more information, see
“Configuring the Windows AD plug-in for Kerberos authentication” on
page 269.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 271


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

2. Create the file krb5.ini, if it does not exist, and store it under it the
following platform dependant location:

Platform Location
Windows c:\WINNT
Solaris /etc/krb5/krb5.conf
Linux /etc/krb5.conf
Note: You can store this file in a different location, however if you do, you
will need to specify its location in your java options. See “Modifying your
Java options for Kerberos” on page 274 for procedural details.
3. Add the required information in the Kerberos configuration file.
• If your using Tomcat, Oracle Application Server or Weblogic on
Windows, add the following to your Kerberos krb5.ini
configuration file, where DNS.COM is the DNS name of your domain
which must be entered in FQDN format and entered in uppercase:
[libdefaults]
default_realm = DNS.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
DNS.COM = {
default_domain = DNS.COM
kdc = hostname.DNS.COM

}
Note: You can add multiple domain entries to the [realms] section
if your users log in from multiple domains. kdc is the Host name of
the Domain Controller. To see a sample of this file with multiple
domain entries, see “Sample single domain Krb5.ini file” on
page 276 or “Sample multiple domain Krb5.ini file” on page 275. For
further information see http://java.sun.com/j2se/1.5.0/docs/guide/
security/jgss/tutorials/KerberosReq.html.
• If you are using WebSphere, add the following to your Kerberos
krb5.ini configuration file, where DNS.COM is the DNS name of
your domain which must be entered in FQDN format and entered in
uppercase:
[libdefaults]
default_realm = DNS.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

272 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
[realms]
DNS.COM = {
default_domain = DNS.COM
kdc = hostname.DNS.COM
}
Note: Consult the release notes should you experience difficulty
with WebSphere and Kerberos.
4. If you are using a Java web application server, create bscLogin.conf if
it does not exist.
5. Add the appropriate code to your JAAS Login Configuration file.
• If your using Tomcat or Weblogic on Windows, add the following
code to your JAAS bscLogin.conf configuration file:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule
required;
};
Note: For more information on how to configure JAAS
authentication, see the following:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/
LoginConfigFile.html
• If your using Oracle Application Server, add the following content
between the <jazn-loginconfig> tags in the jazn-data.xml file:
<application>
<name>com.businessobjects.security.jgss.initiate</
name>
<login-modules>
<login-module>
<class>com.sun.security.auth.module.Krb5LoginModule</
class>
<control-flag>required</control-flag>
</login-module>
</login-modules>
</application>
Note: This default location for this file is C:\OraHome_1\j2ee
\home\config. If you installed Oracle Application Server in a different
location, find the file specifc to your installation.
• If you are using WebSphere on Windows, add the following code to
your JAAS bscLogin.conf configuration file:
com.businessobjects.security.jgss.initiate {
com.ibm.security.auth.module.Krb5LoginModule
required;
6. };Go to the Authentication management area of the CMC.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 273


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

7. Click the Windows AD tab.


8. In the Service Principal Name box, enter the service principal name of the
service account.
Use the following format, where svcacct is the name of your service
account, and DNS.COM is your domain in uppercase:
Note: svcacct@DNS.COMThe service account is case sensitive. The
case of the account you enter here must match with what is set up in your
Active Directory Domain.

Modifying your Java options for Kerberos


There are two ways you can modify your java options as required for
Kerberos: either in the java.security file or on the Java tab for Tomcat.
To change the options in the java. security file
• In the following file, JAVA_HOME\jre\lib\security\java.security, add a line
which specifies the location of the file bscLogin.conf.
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config
login.config.url.1=file:C:/winnt/bscLogin.conf
To modify the Java options from the Java tab for Tomcat
1. From the Start menu, select Programs >Tomcat > Tomcat
Configuration.
2. Click the Java tab.
3. Add the following options:
-Djava.security.auth.login.config=C:\XXX\bscLogin.conf
-Djava.security.krb5.conf=C:\XXX\krb5.ini
Replace XXX with the location you stored the file.
4. Close the Tomcat configuration file.
5. Restart Tomcat.
To modify the Java options from the Java tab for WebLogic
1. Stop the domain of WebLogic that runs your BusinessObjects Enterprise
applications.

274 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
2. Open the script that starts the domain of WebLogic that runs your
BusinessObjects Enterprise applications.

Operating System Script name


Windows startWeblogic.cmd
Unix startWebLogic.sh
3. Add the following information to the Java_Options section of the file.
set JAVA_OPTIONS=-Djava.security.auth.login.config=C:/
XXX/bscLogin.conf -Djava.security.krb5.conf=C:/XXX/
krb5.ini
Replace XXX with the location you stored the file.
4. Restart the domain of WebLogic that runs your BusinessObjects
Enterprise applications.
To modify the Java options for Oracle Application Server
1. Logon to the administration console of your Oracle Application server.
2. Click on the name of the OC4J instance that runs your BusinessObjects
Enterprise applications.
3. Select Server Properties.
4. Scroll down to the Multiple VM Configuration section.
5. In the Command Line Options section, append the following at the end
of the Java Options text field:
-Djava.security.krb5.conf=C:/XXX/krb5.ini
Replace XXX with the location you stored the file.

Sample multiple domain Krb5.ini file


Following is a sample file with multiple domains.
[domain_realm]
.domain03.com = DOMAIN03.COM
domain03.com = DOMAIN03.com
.child1.domain03.com = CHILD1.DOMAIN03.COM
child1.domain03.com = CHILD1.DOMAIN03.com
.child2.domain03.com = CHILD2.DOMAIN03.COM
child2.domain03.com = CHILD2.DOMAIN03.com
.domain04.com = DOMAIN04.COM
domain04.com = DOMAIN04.com

[libdefaults]
default_realm = DOMAIN03.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[logging]

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 275


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

[realms]
DOMAIN03.COM = {
admin_server = testvmw2k07
kdc = testvmw2k07
default_domain = domain03.com
}
CHILD1.DOMAIN03.COM = {
admin_server = testvmw2k08
kdc = testvmw2k08
default_domain = child1.domain03.com
}
CHILD2.DOMAIN03.COM = {
admin_server = testvmw2k09
kdc = testvmw2k09
default_domain = child2.domain03.com
}
DOMAIN04.COM = {
admin_server = testvmw2k011
kdc = testvmw2k011
default_domain = domain04.com
}

Sample single domain Krb5.ini file


Following is a sample krb5.ini file with a single domain.
[libdefaults]
default_realm = MFAD.MFROOT.ORG
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
MFAD.MFROOT.ORG = {
kdc = MFADIR20.MFAD.MFROOT.ORG
kdc = MFADIR21.MFAD.MFROOT.ORG
kdc = MFADIR22.MFAD.MFROOT.ORG
kdc = MFADIR23.MFAD.MFROOT.ORG
default_domain = MFAD.MFROOT.ORG
}

Troubleshooting Kerberos and enabling logging


These two steps may help you if you encounter problems when configuring
kerberos:
• Enabling logging
• Testing your Java SDK Kerberos configuration
To enable logging
1. From the Start menu, select Programs >Tomcat > Tomcat
Configuration.
2. Click the Java tab.

276 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
3. Add the following options:
-Dcrystal.enterprise.trace.configuration=verbose
This will create a log file in the following location:
C:\Documents and Settings\<user
name>\.businessobjects\jce_verbose.log
To test your Java kerberos configuration
• Run the following command to test your Kerberos configuration, where
servact is the service account and domain under which the CMS is
running, and password is the password associated with the service
account.
C:\Program Files\Business
Objects\j2sdk1.4.2_04\bin\kinit.exe"
servact@TESTM03.COM Password
If you receive a message that the ticket is granted, the kerberos
configuration is correct. If you still have a problem, ensure that the case
you entered for your domain and service principal name match exactly
with what is set in Active Directory.

Configuring the cache expiry


When the system is using AD and Kerberos single sign-on, it uses the cache
expiry for certain BusinessObjects Enterprise servers to determine whether a
logon ticket is still valid. This applies to the CMS, Page Server, Report
Application Server, and Web Intelligence Report Server.
The CMS uses the cache expiry as follows:
• If the CMS cache expiry is greater than that of the ticket, the system
renews the ticket until the CMS cache expiry is reached.
• If the CMS cache expiry is less than that of the ticket, the ticket will expire
when the CMS cache expiry is reached.
• If the CMS cache expiry is zero, the system will use the globally set ticket
expiry.
The other servers use either their cache expiry or the ticket expiry, whichever
has the lowest value. Regardless of whether the cache expiry for the server is
greater or less than that of the ticket, the ticket will expire when the lowest
expiry value is reached.
The system comes configured with default values for the server cache expiry.
Use the following procedure to change these settings when needed.
Note: If you are running multiple instances of a server, you can control the
cache expiry for each instance individually.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 277


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

To configure the servers in CMC


1. Go to the Servers management area of the CMC.
2. Click the link for the server.
3. Click the Single Sign-On tab.
4. Type in a new cache expiry value.
5. Click Update.

Configuring the IIS and browsers


In order to support Kerberos end-to-end single sign-on, you have to configure
the BusinessObjects Enterprise clients. This includes:
• “Configuring the BusinessObjects Enterprise clients on the IIS” on
page 278
• “Configuring the Internet Explorer browser on a client machine” on
page 278

Configuring the BusinessObjects Enterprise clients on the IIS


To support Kerberos single sign-on, you have to configure the
BusinessObjects clients on the IIS to use integrated Windows authentication.
To configure the clients for Windows authentication
1. On the IIS, in the Internet Information Services window, expand the tree
on the left and go to businessobjects under Default Web Site.
2. Right-click businessobjects and select Properties.
3. On the Directory Security tab, click Edit.
4. Turn off Anonymous Access and Basic authentication.
5. Turn on Integrated Windows Authentication.
6. Click OK, and then click OK again.
7. Repeat the above for crystalreportviewers115 and Styles.

Configuring the Internet Explorer browser on a client machine


To support Kerberos end-to-end single sign-on, you have to configure the
Internet Explorer (IE) browser on the BusinessObjects Enterprise client
machines. This includes:
• Setting up the client machines for integrated Windows authentication.
• Adding the IIS to the trusted sites.
Note:

278 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
• If configuring the IIS for single sign-on to the database only, you do not
need to configure the browser for single sign-on. See also “Configuring
IIS for single sign-on to databases only” on page 284.
• You can automate the following steps through a registry key. For details,
refer to you Windows documentation.
To configure the IE browser on the client machines
1. On the client machine, open an Internet Explorer browser window.
2. Enable integrated windows authentication:
a. Click Tools > Internet Options. The Internet Options dialog box
appears.
b. Click the Advanced tab.
c. Navigate to the Security settings.
d. Click the Enable integrated windows authentication option, and
then click Apply.
3. Modify the trusted sites. You can enter the full domain name of the site:
a. Click Tools > Internet Options. The Internet Options dialog box
appears.
b. Click the Security tab.
c. Click Sites.
d. Click Advanced.
e. Ensure that the web server site has been removed from your
‘Trusted Sites’.
f. Ensure that the web server site has been added to your ‘Local
Intranet” sites.
g. Click OK, and then click OK twice more to close the Internet Options
dialog box.
4. Close the Internet Explorer browser windows and then open them again
for the changes to take effect.
5. Repeat the above steps on each BusinessObjects Enterprise client machine.

Configuring IIS for end-to-end single sign-on


To support Kerberos end-to-end single sign-on, the worker processes of the
IIS have to run under a domain account that is trusted for delegation. Refer to
either of the following procedures, depending on whether you are using IIS5
or IIS6:
• “Configuring IIS5 for Kerberos end-to-end single sign-on” on page 280

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 279


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

• “Configuring IIS6 for Kerberos end-to-end single sign-on” on page 282


Note: Instead of configuring the IIS worker processes for end-to-end single
sign-on you can configure them to use single sign-on to the database only.
You may want to do this, for example, if you don’t want to run the IIS worker
processes under an account that has been trusted for delegation. For more
information, see:
• “Configuring IIS for single sign-on to databases only” on page 284
• “Configuring web applications for single sign-on to the databases” on
page 288.

Configuring IIS5 for Kerberos end-to-end single sign-on


To support Kerberos end-to-end single sign-on, you have to set the IIS and
the Aspnet_wp.exe worker process to run as a domain account that has
been trusted for delegation.
You can run the IIS either under the machine domain account or under a user
domain account. Each approach has advantages and disadvantages:
• If you use a machine domain account, the password will be automatically
generated and won’t expire, nor can it be exposed or modified.
• If you use a user domain account you have more control over the rights
for the account, but the password could be exposed or modified, and it
may expire, which would result in an error condition.
Which approach you use, depends on how you want to manage your system
security.
For complete information about security risks associated with system or user
domain accounts, refer to the Microsoft web site: http://www.microsoft.com.
Refer to either of the following procedures, depending on whether you want to
use a machine or user domain account:
• “To run the IIS5 worker process under the machine domain account” on
page 280
• “To run the IIS5 worker process under a user domain account” on
page 281
To run the IIS5 worker process under the machine domain account
1. On the domain controller, set the domain account of the IIS machine to
be trusted for delegation.
Changing this property can take several minutes to propagate.

280 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
2. Set the Aspnet_wp.exe to run as a machine domain account. To do this,
change the following parameters in the <processModel> block in the
\WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.c
onfig file:
• userName="SYSTEM"
• Password="AutoGenerate"
In the above path name, version represents the software version.
Note: Configuring the Aspnet_wp.exe account to run as a machine
domain account will cause all ASP.NET web applications on the web
server to run as privileged system accounts.
Note: For security reasons, make sure that the account which the IIS
helper processes run under does not belong to a mapped group.
3. If the machine name for the web server is different from the name that is
used to access it, add an SPN for HTTP access on the web server
machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if access is via www.domainname.com but the machine name
is web.domainname.com.
To run the IIS5 worker process under a user domain account
1. Set the Aspnet_wp.exe to run as a user domain account that has been
trusted for delegation. To do this, change the following parameters in the
<processModel> block in the \WINDOWS\Microsoft.NET\Framework\
version\CONFIG\machine.config file:

• userName="domainaccount"
• Password="password"
Where domainaccount is a domain account that you have set to be trusted
for delegation, and password is the password for the domain account.
In the above path name, version represents the software version.
Note: For security reasons, make sure that the account which IIS helper
processes run under does not belong to a mapped group.
2. If the machine name for the web server is different from the name that is
used to access it, add an SPN for HTTP access on the web server
machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if access is via www.domainname.com but the machine name
is web.domainname.com.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 281


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

Configuring IIS6 for Kerberos end-to-end single sign-on


To support Kerberos for end-to-end single sign-on, you have to set the IIS and
w3wp.exe worker process to run as an account that has been trusted for
delegation.
You can run the IIS either under the machine domain account or under user
domain account. Each approach has advantages and disadvantages:
• If you use a machine domain account, the password will be automatically
generated and won’t expire, nor can it be exposed or modified.
• If you use a user domain account you have more control over the rights
for the account, but the password could be exposed or modified, and it
may expire, which would result in an error condition.
Which approach you use, depends on how you want to manage your system
security.
For complete information about security risks associated with system or user
domain accounts, refer to the Microsoft web site: http://www.microsoft.com.
Refer to either of the following procedures, depending on whether you want to
use a machine or user domain account:
• “To run the IIS6 worker process under the machine domain account” on
page 282
• “To run the IIS6 worker process under a user domain account” on
page 283
To run the IIS6 worker process under the machine domain account
1. On the domain controller, set account of the IIS machine to be trusted for
delegation.
Changing this property can take several minutes to propagate!
If you don’t want to use end-to-end single sign-on but want to provide
single sign-on to the database, skip step 1. See also “Configuring IIS for
single sign-on to databases only” on page 284.
2. Configure the account for the w3wp.exe worker process:
a. In the Internet Service Manager window, right-click the machine
name and select Application Pool > New.
b. Type in a name for the application pool.
c. In the tree panel on the left, expand to Default Web Site >
businessobjects > EnterpriseX (where X equals your version
number).
d. Right-click InfoView and select Properties.

282 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
e. On the Directory tab select the new application pool name from the
list, and then click Apply.
f. Right-click the application pool you created, and select Properties.
g. On the Identity tab select LocalSystem from the list, and then click
Apply.
Note: Configuring the w3wp.exe account to run as a LocalSystem
account will cause all ASP.NET web applications on the web server to
run as privileged system accounts.
Note: For security reasons, make sure that the account which the IIS
worked processes run under does not belong to a mapped group.
3. If the machine name for the web server is different from the name that is
used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if access is via www.domainname.com but the machine name
is web.domainname.com.
To run the IIS6 worker process under a user domain account
1. Set the w3wp.exe to run as a user domain account that has been trusted
for delegation. To do this, change the following parameters in the
<processModel> block in the \WINDOWS\Microsoft.NET\Framework\
version\CONFIG\machine.config file:

• userName="domainaccount"
• Password="password"
In the above path name, version represents the software version.
Where domainaccount is a domain account that you have set to be trusted
for delegation, and password is the password for the domain account.
Note: If you don’t want to use end-to-end single sign-on but want to
provide single sign-on to the database, skip step 1. See also “Configuring
IIS for single sign-on to databases only” on page 284. For security
reasons, make sure that the account which the IIS worker processes run
under does not belong to a mapped group.
2. Add the domain account to the IIS_WPG local group, and give it the
relevant rights to access the needed files. For more information, see
http://msdn.Microsoft.com.
3. If the machine name for the web server is different from the name that is
used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 283


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

For example, if access is via www.domainname.com but the machine name


is web.domainname.com.

Configuring IIS for single sign-on to databases only


When using Kerberos with Windows AD, you can choose whether you want to
provide end-to-end single sign-on, or whether you want users to provide their
logon credentials when they log in to BusinessObjects Enterprise. When
users log on to BusinessObjects Enterprise, the system generates a logon
token to provide single sign-on access to the databases.
To use single sign-on to the databases only
1. Configure the IIS worker processes to run as a domain account in order
for the network to recognize their accounts, but the account does not
have to be trusted for delegation. Refer to either of the following
procedures, depending on whether you are using IIS5 or IIS6:
• “Configuring IIS5 for single sign-on to database only” on page 284
• “Configuring IIS6 for single sign-on to database only” on page 285
2. Configure the web applications for single sign-on to the database instead
of end-to-end single sign-on. See “Configuring web applications for single
sign-on to the databases” on page 288.
Note: If configuring the IIS for single sign-on to the database only, you
do not need to configure the browser for single sign-on. See “Configuring
the Internet Explorer browser on a client machine” on page 278.
3. Clear the Enable Single Sign On for selected authentication mode
check box on the Windows AD page in the Authentication management
area in CMC.

Configuring IIS5 for single sign-on to database only


To support single sign-on to the database only, you have to set the
Aspnet_wp.exe worker process to run as a domain account, but the account
does not have to be trusted for delegation. You can run the IIS worker
process either under the machine domain account or under a user domain
account. Each approach has advantages and disadvantages:
• If you use a machine domain account, the password will be automatically
generated and won’t expire, nor can it be exposed or modified.
• If you use a user domain account you have more control over the rights
for the account, but the password could be exposed or modified, and it
may expire, which would result in an error condition.

284 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
Which approach you use, depends on how you want to manage your system
security.
For complete information about security risks associated with system or user
domain accounts, refer to the Microsoft web site: http://www.microsoft.com.
To configure the IIS5 for single sign-on to databases
1. Make sure IIS is running as a domain account
2. Set the Aspnet_wp.exe to run as a machine domain account. To do this,
change the following parameters to the <processModel> block in the
\WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.c
onfig file:
• userName="SYSTEM"
• Password:="AutoGenerate"
In the above path name, version represents the software version.
Note:
• Configuring the Aspnet_wp.exe account to run as a machine
domain account will cause all ASP.NET web applications on the web
server to run as privileged system accounts.
• For security reasons, make sure that the account which IIS runs
under does not belong to a mapped group.
3. If the machine name for the web server is different from the name that is
used to access it, add an SPN for HTTP access on the web server
machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if access is via www.domainname.com but the machine name
is web.domainname.com.

Configuring IIS6 for single sign-on to database only


To support single sign-on to the database only, you have to set the w3wp.exe
worker process to run as a machine or user domain account, but the account
does not have to be trusted for delegation. You can run the IIS worker
process either under the machine domain account or under a user domain
account. Each approach has advantages and disadvantages:
• If you use a machine domain account, the password will be automatically
generated and won’t expire, nor can it be exposed or modified.
• If you use a user domain account you have more control over the rights
for the account, but the password could be exposed or modified, and it
may expire, which would result in an error condition.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 285


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

Which approach you use, depends on how you want to manage your system
security.
For complete information about security risks associated with system or user
domain accounts, refer to the Microsoft web site: http://www.microsoft.com.
To configure the IIS6 for single sign-on to databases
1. Make sure IIS is running as a domain account.
2. Configure the account for the w3wp.exe worker process:
a. In the Internet Service Manager window, right-click the machine
name and select Application Pool > New.
b. Type in a name for the application pool.
c. In the tree panel on the left, expand to Default Web Site >
businessobjects > EnterpriseX (where X equals your version
number).
d. Right-click InfoView and select Properties.
e. On the Directory tab select the new application pool name from the
list, and then click Apply.
f. Right-click the application pool you created, and select Properties.
g. On the Identity tab select LocalSystem from the list, and then click
Apply.
Note:
• Configuring the w3wp.exe account to run as a machine domain
account will cause all ASP.NET web applications on the web server
to run as privileged system accounts.
• For security reasons, make sure that the account which IIS runs
under does not belong to a mapped group.
3. If the machine name for the web server is different from the name that is
used to access it, add an SPN for HTTP access on the web server
machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if access is via www.domainname.com but the machine name
is web.domainname.com.

Configuring BusinessObjects Enterprise web applications


In order for the end-to-end single sign on to work, you have to configure the
BusinessObjects Enterprise web applications to impersonate the user. See
“Configuring web applications for end-to-end single sign-on” on page 287.

286 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
Note: If you want to use single sign-on to the databases instead of end-to-
end single sign-on, you have to set the BusinessObjects Enterprise web
applications to not impersonate a user. See “Configuring web applications for
single sign-on to the databases” on page 288.

Configuring web applications for end-to-end single sign-on


In order to use up end-to-end single sign-on, you have to set both the CMC
and InfoView web applications to impersonate the user. To do this, edit the
respective Web.config files on the IIS as follows.
To configure the web applications for full single sign-on
1. Modify either of the following web.conf file based on what you want to
configure for single sign-on. To configure both CMC and InfoView for
single sign-on, configure the web.config file in the Web Content directory;
To configure only InfoView for single sign-on, configure the web.config file
in the Infoview directory.
• Add the following lines to the <system.web> block in the
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\Web Content\Web.config file:
<identity impersonate="true" />
<Authentication mode="Windows" />
• Add the following lines to the <system.web> block in the
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\Web
Content\Enterprise115\InfoView\Web.config file:
<identity impersonate="true" />
<Authentication mode="Windows" />
2. Add the following lines in the <WebDesktopSettings> section, above
<!-- Default Authentication progID (secEnterprise,
secLDAP, secWindowsNT, secWinAD) -->:
<add key="cmsDefault" value="CMSMachineName" />
<add key="ssoEnabled" value="true" />
<add key="authenticationDefault" value="secWinAD" />
Note: Replace CMSMachineName with the name of your CMS. You may
also have to change the value in the authenticationDefault to
match the authentication type you will be using.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 287


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

Configuring web applications for single sign-on to the databases


If you want to use single sign-on to the databases instead of end-to-end
single sign-on, you have to set BusinessObjects Enterprise web applications
to not impersonate the user. To do this, edit their Web.config files on the IIS
as follows.
Note: If you want to use single sign-on to the database only, see also
“Configuring IIS for single sign-on to databases only” on page 284.
To configure the web applications for single sign-on to the databases
1. Set the CMC to not impersonate the user.
Add the following lines to the <system.web> block in the C:\Program
Files\Business Objects\BusinessObjects Enterprise
11.5\Web Content\Web.config file:
<identity impersonate="false" />
<Authentication mode="Windows" />
2. Set InfoView to not impersonate the users, by adding the following lines
to the <system.web> block in the C:\Program Files\Business
Objects\BusinessObjects Enterprise 11.5\Web
Content\Enterprise115\InfoView\Web.config file:
<identity impersonate="false" />
<Authentication mode="Windows" />
Note: Make sure you set identity impersonate to false.
Users will now be able to log on to BusinessObjects Enterprise by providing
their logon credentials in the InfoView or CMC logon dialog box and selecting
Windows AD authentication. Once they are logged on, the users will have
single sign-on access to the databases associated with BusinessObjects
Enterprise.
Mapping AD accounts for Kerberos single sign-on
In order for the Kerberos single sign-on to work, you must map the groups
containing the AD users that are to have access to BusinessObjects
Enterprise to a BusinessObjects Enterprise group. See “Mapping AD
accounts” on page 244.
Note: For security reasons, ensure that the mapped groups do not contain
the domain account that the IIS is running under.

Configuring the databases for single sign-on


This section provides information that is specific to setting up single sign-on to
SQL Server databases.

288 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database 10
See the Platforms.txt file included with your product distribution for a
complete list of tested database software and version requirements. For
general information and for information about single sign-on to other
supported databases, refer to the database vendors support documentation.

Configuring SQL Server for single sign-on


In order for Kerberos single sign-on to work, the machines running SQL
Server database must be trusted for delegation. How to set up security
delegation varies, depending on whether SQL Server has been configured to
run under the LocalSystem account or under a service account:
• If SQL Server is running under the LocalSystem account, no additional
configuration is required. SQL Server registers itself when it starts and
the system registers the SPN. When SQL Server shuts down, the system
automatically un-registers the SPNs for the LocalSystem account.
• If SQL Server is running under a service account, you have to configure
to be trusted for delegation.
To run SQL Server under a service account
1. In Active Directory, set up the SQL Server service account for security
delegation:
a. Select Start > Programs > Administrative Tools > Active
Directory Users and Computers.
b. Right-click the domain account and select Properties.
c. On the Accounts tab, make sure the following options are selected:
• In Windows 2000, ensure that the Account is trusted for
delegation option has been selected for the account.
• In Windows 2003, ensure that the following two options have
been selected for the account: Trust this user for delegation to
specified service only and Use Kerberos only.
If you are using Windows 2003, you may have to first add a service
principal name (SPN) for the domain account.
2. Set the machine running SQL Server as follows:
• Computer is trusted for delegation
a. Click Apply, and then click OK.
3. Add an SPN for the service account of the SQL Server:
setspn -A MSSQLSvc/host:port serviceaccount
Where host:port is the name of the machine running SQL Server and the
port that, and serviceaccount is the name of the SQL Server service
account.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 289


10 Managing User Accounts and Groups
Configuring Kerberos single sign-on to the database

290 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access

chapter
11 Controlling User Access
Controlling user access overview

Controlling user access overview


Rights are the base units for controlling users’ access to objects, users,
applications, servers, and other features in BusinessObjects Enterprise.
When granted, each right provides a user or group with permission to perform
a particular action. Using rights, you can set security levels that affect
individual users and groups. Rights allow you to control access to your
BusinessObjects Enterprise content, to delegate user and group
management to different departments, and to provide your IT people with
administrative access to servers and server groups.
To set rights within the Central Management Console (CMC), you first locate
the object, user, or server and then you specify the rights for different users
and groups. Each right can be Explicitly Granted, Explicitly Denied, or
Inherited. The BusinessObjects Enterprise security model is designed such
that, if a right is left “not specified,” the right is denied by default. Additionally,
if contradictory settings result in a right being both granted and denied to a
user or group, the right is denied by default. This “denial based” design
assists in ensuring that users and groups do not automatically acquire rights
that are not explicitly granted.
To facilitate administration and maintenance, BusinessObjects Enterprise
includes a set of predefined access levels that allow you to set common
security levels quickly. Each access level grants a set of rights that combine
to allow users to accomplish common tasks (such as view reports, schedule
reports, and so on). It is recommended that you use the predefined access
levels whenever possible, because they can greatly reduce the complexity of
your object security model. For more information, see “Setting common
access levels” on page 296.
Whether or not you use access levels, you can also take advantage of the
inheritance patterns recognized by BusinessObjects Enterprise: users can
inherit rights as the result of group membership; subgroups can inherit rights
from parent groups; and both users and groups can inherit rights from parent
folders. When you need to disable inheritance or to customize security levels
for particular objects, users, or groups, the Advanced Rights pages allow you
to choose from the complete set of available object rights. Most importantly,
the advanced object rights allow you to explicitly deny any user or group the
right to perform a particular task.
Users require specific licensing and rights to create or modify reports through
the Report Application Server (RAS).

292 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
Controlling users’ access to objects
To secure the content that you publish to BusinessObjects Enterprise, you
can set rights for each object. By setting object rights, you can control users’
access to specific content. For each object, you can grant or deny access to
users and groups in your system. For example, you can use rights to make
sure that you are the only one who can access your reports. You can ensure
that confidential employee records can be accessed only by the human
resources department.
You can set rights for folders, report objects, program objects, and other
BusinessObjects Enterprise objects.
Tip: For detailed tutorials that walk you through sample implementations of
object rights, see “Customizing a ‘top-down’ inheritance model” on page 307.

Setting object rights for users and groups


Object rights enable you to set access levels for your users and groups. You
control which folders, reports, and other objects users and groups can access
using BusinessObjects Enterprise. You set security settings at the object
level. For objects that can be scheduled, the security settings are also
reflected in the object instances object.
To facilitate administration, BusinessObjects Enterprise includes a set of
predefined rights (“access modes”) that allow you to set common security
levels quickly. These include the following:
• Inherited Rights
• No Access
• View
• Schedule
• View On Demand
• Full Control
• Advanced
In addition to setting user and group rights for report objects from the Objects
management area, you can also set user and group rights at the folder level.
When you set rights at the folder level, these limits will be in effect for all
objects that inherit rights from the folder (including any objects found within
the subfolders).
For detailed information on the different “access modes” for object rights and
information on inherited rights, see “Controlling users’ access to objects” on
page 293.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 293


11 Controlling User Access
Controlling users’ access to objects

To add groups or users to an object’s rights settings


1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Rights tab.
The Rights tab appears.
3. Click Add/Remove.

4. Select an option in the Select Operation list.


5. Select the group(s) or user(s) you would like to add or remove.
6. Click the > arrow to add the group(s) or user(s); click the < arrow to
remove the group(s) or user(s).
7. Click OK.
To change a group or user’s report rights
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Rights tab.
The Rights tab appears.

294 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
3. Change the access level for a group or user by selecting a right from the
appropriate list in the Access Level column; then click Update.
If you select Advanced from the list, you grant or deny granular rights
from the Advanced Rights page. For more information, see “Setting
advanced object rights” on page 298.

Viewing object rights settings


Use the CMC to view the object rights that a user or group has to any folder,
report, or other BusinessObjects Enterprise object. This section shows how to
locate the rights for any object and briefly explains the information displayed
on the Rights tab.
You can locate any given object in several ways. Go to the Folders
management area in the CMC to browse your folder hierarchy for an object,
or go to the Objects management area in the CMC to view a list of all the
objects on the system.
Click the link that corresponds to the folder or other object whose rights you
want to see, then click the object’s Rights tab. A page similar to the following
appears:

This example shows the rights for the Report Samples folder. The Name
column lists all users and groups who have been given rights to the object.
The Object column shows whether the entry is a User or a Group. In this
case, users have not been specified individually; instead, users have been
divided into two groups—Everyone and Administrators—which have been
granted rights to the folder object. Click Add/Remove to add or remove a user
or group to this object.
The Access Level column shows how each user’s or group’s rights are
determined. In this example, both groups possess Inherited Rights. You can
change the rights for either group by selecting a predefined access level (or
by selecting Advanced) from the list in the Access Level column. When you
change an entry in the Access Level column, click Update to effect your
changes. For more information, see “Setting common access levels” on
page 296.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 295


11 Controlling User Access
Controlling users’ access to objects

The Net Access column displays the net effect of whatever is selected in the
Access Level column. That is, the Net Access column shows the effective
rights that each user or group has to the object. The Net Access column is
particularly useful when you are working with inheritance. In this example, the
Everyone group inherits rights from a parent folder—one that is not displayed
on this screen. The Net Access column shows that the rights inherited from
the parent folder are equivalent to the Schedule access level.
Tip: If you want to view the individual object rights that make up a user’s (or
group’s) Net Access, click the corresponding Access Level list and select
Advanced. The Advanced Rights page displays the user’s full array of object
rights that have been specified explicitly and/or inherited. Click Cancel to exit
without making changes. For more information, see “Setting advanced object
rights” on page 298.
For detailed tutorials that walk you through sample implementations of object
rights, see “Customizing a ‘top-down’ inheritance model” on page 307.

Setting common access levels


An access level is essentially a predefined set of object rights.
BusinessObjects Enterprise provides a set of access levels that allow you to
set common object security levels quickly. The available predefined access
levels are No Access, View, Schedule, View On Demand, and Full Control.
Access levels are based on a model of increasing rights: beginning with No
Access and ending with Full Control, each access level builds upon the rights
granted by the previous level. For example, the Schedule access level
includes and adds to the rights that are granted by the View access level. For
a complete listing of the object rights that make up each access level, see the
BusinessObjects Enterprise Administrator’s Reference Guide.
Tip: By default, users or groups who have rights to a folder will inherit the
same rights for any object that you subsequently publish to that folder.
Consequently, the best strategy is to set the appropriate rights for users and
groups at the folder level first. Then publish objects to that folder.
Although access levels grant predefined sets of object rights, they do not
explicitly deny any object rights. Instead, each access level grants some
rights and leaves the other rights “not specified.” The system then denies the
“not specified” rights by default. This is important, because it allows users to
inherit the greatest rights when they belong to multiple groups:
• When you assign an access level to a group, each user in the group will
have at least that level of access to the object. If the user is a member of
multiple groups, then he or she inherits the combination of each group’s
rights. Thus, when a user is a member of multiple groups, he or she
inherits the greatest possible rights.

296 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
• When you assign an access level directly to a user, you ensure that the
user has only that level of access to the object. In other words, you
prevent the user from inheriting rights that he or she may have otherwise
acquired by virtue of group membership.
This list provides a brief description of each access level:
• No Access
The user or group is not able to access the object or folder. InfoView, the
Publishing Wizard, and the CMC enforce this right by ensuring that the
object is not visible to the user.
• View
If this access level is set at the folder level, the user or group is able to
view the folder, the objects contained within the folder, and all generated
instances of each object. If this access level is set at the object level, the
user can view the object, the history of the object, and all generated
instances of the object. The user cannot, however, schedule the object or
refresh it against its data source.
• Schedule
The user or group is able to view the object or folder and its contents, and
to generate instances by scheduling the object to run against the
specified data source once or on a recurring basis. The user or group can
view, delete, and pause the scheduling of instances that they own. They
can also schedule to different formats and destinations, set parameters
and database logon information, pick servers to process jobs, add
contents to the folder, and copy the object or folder.
• View On Demand
In addition to the rights provided by the Schedule access level, the user
gains the right to refresh data “on demand” against the data source.
• Full Control
This access level grants all of the available advanced rights. It is the only
access level that allows users to delete objects (folders, objects, and
instances). This access level also allows users to modify all of the object’s
properties, including the object rights that are set on the folder or object.
Basically, this access level is designed to provide a user or group with
administrative control over one or more folders or objects. Users can then
log on to the CMC and add, edit, and remove content as required, without
being members of the actual Administrators group.
• Advanced
This access level does not include a predefined set of object rights.
Instead, it allows you to customize a user’s or group’s access to an object
by selecting from the complete range of available object rights. For more
information, see “Setting advanced object rights” on page 298.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 297


11 Controlling User Access
Controlling users’ access to objects

Note: There is no predefined access level to grant users the rights required
to create or modify reports through the Report Application Server (RAS). For
details, see the BusinessObjects Enterprise Administrator’s Reference Guide.
Note: In the developer documentation, access levels are referred to as roles.
To set an access level for a user or group
1. Go to the Objects or Folders management area of the CMC.
2. Locate the object whose rights you want to modify.
3. Click the link to the object, and then click its Rights tab.
4. In the Name column, locate the user or group whose rights you want to
specify.
If the user or group is not listed, click Add/Remove. Add the appropriate
user or group and click OK. You are returned to the object’s Rights tab.
5. In the Access Level column, select the access level (No Access, View,
Schedule, View On Demand, or Full Control) that is appropriate for the
user or group.
6. Click Update.
Tip: For detailed tutorials that walk you through sample implementations of
object rights, see “Customizing a ‘top-down’ inheritance model” on page 307.

Setting advanced object rights


To provide you with full control over object security, the CMC allows you to
make Advanced object rights settings for any user or group. These Advanced
settings enable you to choose from a complete set of granular object rights.
The result is an increased flexibility as you define security levels for objects
that you have published to BusinessObjects Enterprise.
Use advanced rights, for instance, if you need to customize a user’s or
group’s rights to a particular object or set of objects, or if you want to
customize the default inheritance patterns. Most importantly, use advanced
rights to explicitly deny a user or group any right that should not be permitted
to change when, in the future, you make changes to group memberships or
folder security levels.
Tip: By default, users or groups who have rights to a folder will inherit the
same rights for any object that you subsequently publish to that folder.
Consequently, the best strategy is to set the appropriate rights for users and
groups at the folder level first. Then publish objects to that folder.
Note: Because of the relative priorities assigned by BusinessObjects
Enterprise to granted and denied rights, you must disable inheritance entirely
when you need to explicitly grant a right that has been denied elsewhere to
the user or group. For complete details, see “Priorities affecting advanced
inheritance settings” on page 307.

298 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
To view or set advanced rights
1. Go to the Objects or Folders management area of the CMC.
2. Locate the object whose rights you want to modify.
3. Click the link to the object, and then click its Rights tab.
4. In the Name column, locate the user or group whose rights you want to
specify.
If the user or group is not listed, click Add/Remove. Add the appropriate
user or group and click OK. You are returned to the object’s Rights tab.
5. The next step depends upon the entry that already appears in the
Access Level list for this user or group:
• If the Access Level is not already set to Advanced, click the list and
select Advanced.
• If the Access Level is already set to Advanced, click the Advanced
link in the Net Access column.
The available object rights are displayed in the Advanced Rights page.
This example shows advanced rights being applied to the Guest user for
an Employee Profile report.

The first two options specify which types of inheritance affect the Guest user’s
rights to this object. In this example, the Guest user cannot inherit rights by
virtue of group membership. But, the Guest user may inherit any rights that he
or she has been granted to this report’s parent folder.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 299


11 Controlling User Access
Controlling users’ access to objects

The remainder of the Advanced Rights page lists all available object rights
and shows how each right applies to the Guest user. To customize the overall
security levels, you can explicitly grant or deny any given right, or you can
specify that you want certain rights to be inherited.
The Inherited column serves as an indicator to show how inherited rights
affect the Guest user’s effective rights to this report object. A user or group
can be granted or denied a right by virtue of inheritance. In addition, some
rights may remain “not specified”—that is, they are neither granted nor
denied. If an inherited right is labelled as “Not Specified”, BusinessObjects
Enterprise treats it as having been denied. (And if the right is later granted for
a parent group or object, the user or group will automatically inherit the right
at this level.)
In this example, the Guest user has two inherited rights (the right to “View
document instances that the user owns” and to “Pause and Resume
document instances that the user owns”). Currently, these rights are not
specified, so the rights are denied by default. However, if the Guest user’s
rights should change on the report’s parent folder, the rights will also change
for this report object. This demonstrates how inheritance can facilitate future
changes to the overall security model.
Tip: For scalability and manageability, it is recommended that you leave as
many rights as possible inherited, because the system automatically updates
those rights as you modify and update your security settings throughout the
folder and group hierarchies.
The Explicitly Granted column shows which actions the Guest user is allowed
to perform on this report. The Guest user is currently granted eleven rights to
this report (the right to “View objects,” “Schedule the document to run,” and so
on). Because group inheritance is disabled, the Guest user will retain these
rights, even if its group membership is modified or changed completely. This
demonstrates how you can use explicit rights to override a group’s rights for a
particular group member.
The Explicitly Denied column works similarly to the Explicitly Granted column.
Regardless of any future changes to the user’s group membership, an
explicitly denied right always prevents a user from performing the associated
action. In this example, the Guest user has been explicitly denied eleven
rights (the right to “Add objects to the folder,” “Edit objects,” and so on). Again,
this demonstrates how you can use explicit rights to override a group’s rights
for a particular group member.
When you have made your changes on the Advanced Rights page, click OK.
Tip: For detailed tutorials that walk you through sample implementations of
object rights, see “Customizing a ‘top-down’ inheritance model” on page 307.

300 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
Base rights and available rights
The BusinessObjects Enterprise system defines a set of base rights that
apply to all objects in the system. For example, the “View objects” right is a
base right: it applies equally well to folders, to reports, and to other
BusinessObjects Enterprise objects. In addition to these base rights,
however, each type of object provides an additional set of rights that apply
only to that object type. For example, the “Refresh the report’s data” right
applies only to report objects.
The Central Management Server (CMS) is the component that keeps track of
available rights. The list of available rights includes the base rights and all
other object-specific rights that have been provided by particular object types,
such as Crystal report objects.
On the Advanced Rights pages, you will find that all of the available rights are
displayed for every object on the system. These rights are grouped based on
what type of file they apply to. The four groups are General, Report, Text, and
Web Intelligence Document. When you are setting rights for folders, these
groups make it easier to see where the rights will be applied. For example,
the object-specific right “Refresh the report’s data” appears in the Report
folder because it only applies to report objects.
Available rights are displayed for every object on the system for purposes of
inheritance, so that you can set object security at the folder level (rather than
repeating the same settings for every object in the folder). Although certain
object-specific rights do not strictly apply to the folder object itself, these rights
may apply to objects that inherit rights from the folder. In other words, the
“Refresh the report’s data” right is displayed for the folder object so that you
can grant a user the right to refresh the data in all reports for which the user
inherits rights from this folder.
Note: This is only one type of object inheritance. For more information, see
“Group and folder inheritance” on page 302.

Using inheritance to your advantage


In regards to object rights, BusinessObjects Enterprise recognizes two types
of inheritance: group inheritance and folder inheritance. By taking advantage
of the ways in which object rights are inherited, you can reduce the amount of
time it takes to secure the content that you have published to BusinessObjects
Enterprise. Additionally, you can set up BusinessObjects Enterprise such that
you can integrate new users and new content quickly and easily.
To facilitate administration, it is recommended that you enable and disable
inheritance with access levels whenever possible (instead of with advanced
rights). Additionally, it is recommended that you make your initial settings at

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 301


11 Controlling User Access
Controlling users’ access to objects

the top-level BusinessObjects Enterprise folder and disable inheritance only


when necessary. For detailed tutorials that walk you through sample
implementations of object rights, see “Customizing a ‘top-down’ inheritance
model” on page 307.
Tip: By default, users or groups who have rights to a folder will inherit the
same rights for any object that you subsequently publish to that folder.
Consequently, the best strategy is to set the appropriate rights for users and
groups at the folder level first. Then publish objects to that folder.

Group and folder inheritance


Group inheritance allows users to inherit rights as the result of group
membership. Group inheritance proves especially powerful when you
organize all of your users into groups that coincide with your organization’s
current security conventions. For example, if you create a user called Sample
User, and add it to an existing group called Sales, then Sample User will
automatically inherit the appropriate rights for each of the reports and folders
that the Sales group has been added to.
When group inheritance is enabled for a user who belongs to more than one
group, the rights of both groups are considered when the system checks
credentials. The user is denied any right that is explicitly denied in any group,
and the user is denied any right that remains completely “not specified”; thus,
the user is granted only those rights that are granted in one or more groups
(explicitly or through access levels) and never explicitly denied.
Folder inheritance allows users to inherit any rights that they have been
granted on an object’s parent folder. Folder inheritance proves especially
powerful when you organize BusinessObjects Enterprise content into a folder
hierarchy that reflects your organization’s current security conventions. For
example, suppose that you create a folder called Sales Reports, and you
provide your Sales group with View On Demand access to this folder. By
default, every user that has rights to the Sales Reports folder will inherit the
same rights to the reports that you subsequently publish to this folder.
Consequently, the Sales group will have View On Demand access to all of the
reports, and you need only set the object rights once, at the folder level.
Note: If you need to disable or modify inheritance patterns for a particular
folder or object within your folder hierarchy, you can do so with access levels
or with advanced rights.

302 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
Enabling and disabling inheritance with access levels
With access levels, you can enable or disable group inheritance, folder
inheritance, or both. You can alternatively enable one or both types of
inheritance with Advanced rights settings. For details, see “Inheritance with
advanced rights” on page 304.
To enable inheritance with an access level
1. Go to the Objects or Folders management area of the CMC.
2. Locate the object whose rights you want to modify.
3. Click the link to the object, and then click its Rights tab.
4. In the Name column, locate the user or group whose rights you want to
specify.
If the user or group is not listed, click Add/Remove. Add the appropriate
user or group and click OK. You are returned to the object’s Rights tab.
5. In the Access Level column, select Inherited Rights for the user or
group.
6. Click Update.
The Net Access column now displays the effective rights that the user or
group has inherited for this object.
Note: If the entry displayed in the Net Access column is Advanced,
ensure that both types of inheritance are enabled in the parent folder’s
advanced rights settings. For details, see “Setting advanced object
rights” on page 298.
To disable inheritance with an access level
Note: This procedure disables group and folder inheritance for a user
account. When applied to a group, this procedure does not prevent group
members from inheriting rights by virtue of membership in other groups.
1. Go to the Objects or Folders management area of the CMC.
2. Locate the object whose rights you want to modify.
3. Click the link to the object, and then click its Rights tab.
4. In the Name column, locate the user whose rights you want to specify.
If the user is not listed, click Add/Remove. Add the appropriate user and
click OK. You are returned to the object’s Rights tab.
5. In the Access Level column, select the access level (No Access, View,
Schedule, View On Demand, or Full Control) that is appropriate for the user.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 303


11 Controlling User Access
Controlling users’ access to objects

6. Click Update.
The Net Access column now displays the effective rights that the user
has to the object. Because you have disabled all inheritance, the Net
Access entry equals the Access Level entry.

Inheritance with advanced rights


When you apply an Advanced set of object rights to a user or group for a
particular object, you can enable or disable group and folder inheritance
together or individually. On the Advanced Rights pages, the settings for
inheriting rights from parent folders or groups serve as powerful tools that
allow you to customize inheritance patterns in many ways.
Note: You see the “Username will inherit rights from its parent groups” option
if you are setting rights for a user; this option does not appear if you are
setting rights for a group.
Tip: When modifying inheritance patterns with Advanced rights settings,
keep in mind that you can always assign a user a specific set of rights, either
by explicitly applying a predefined access level, or by explicitly applying an
Advanced setting in which both types of inheritance are disabled.
To take full advantage of inheritance patterns and Advanced rights settings, it
is useful to understand not only the types of inheritance that are available, but
also the ways in which a user’s effective rights are calculated by the CMS.
For more information on the two types of inheritance, see “Group and folder
inheritance” on page 302.

Calculating a user’s effective rights


When a user attempts to perform an action on a BusinessObjects Enterprise
object, the CMS determines the user’s rights to that object. If the user
possesses sufficient rights, the CMS permits the user to perform the
requested action.
Although the calculations performed by the CMS can become quite complex,
there are several ways to keep your object security model clear, consistent,
and easy to maintain. For complete details on setting up a system that makes
sense for your BusinessObjects Enterprise system, see “Customizing a ‘top-
down’ inheritance model” on page 307.

304 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
To calculate the user’s effective rights, the CMS follows a complex algorithm.
This sequence of steps, and its various possible outcomes, is provided for
administrators and/or system architects who prefer to know exactly how the
CMS calculates the rights a user has to any object. The algorithm is
described here and then illustrated in a different way using pseudocode:
1. The CMS checks the rights that have been directly granted or denied to
the user’s account. The CMS immediately denies any right that is
explicitly denied.
Tip: If an individual user’s account has not been assigned any rights to
the object, then group inheritance is enabled by default. As the result, you
can make all your object rights settings at the group level to save
administrative effort.
2. If folder inheritance is enabled for the user, the CMS determines the
rights that the user has to the object’s parent folder. The CMS determines
these rights by ascending the inheritance tree to the level at which the
inherited rights begin to take effect. The CMS denies any right that is
explicitly denied (even if the right had already been explicitly granted).
3. If group inheritance is enabled for the user, the CMS determines the
rights specified on the object for each of the groups that the user belongs
to. The CMS denies any right that is explicitly denied in any group (even if
the right had already been explicitly granted).
4. If group inheritance is enabled for the user, and folder inheritance is
enabled for a group that the user belongs to, then the CMS determines
the rights that the group has to the parent folder. The CMS denies any
right that is explicitly denied in any group (even if the right had already
been explicitly granted).
5. The CMS completes the algorithm by denying any rights that remain “Not
Specified.”
As the result, when both types of inheritance are enabled, the CMS grants the
user only those rights that are explicitly granted in one or more locations and
never explicitly denied.
When you disable both types of inheritance for a user, you reduce this
algorithm to two steps (1 and 5). Thus, the CMS grants the user only those
rights that he or she has been explicitly granted. This provides you with the
least complicated way of ensuring that a user has only those rights that you
have explicitly granted to him or her for a particular object.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 305


11 Controlling User Access
Controlling users’ access to objects

When you disable folder inheritance for a user, you reduce this algorithm to
three steps (1, 3, and 5). When you disable group inheritance for a user, you
reduce this algorithm to three different steps (1, 2, and 5). In both cases, the
CMS grants the user only those rights that are explicitly granted in one or
more locations and never explicitly denied.
This pseudocode is provided as another way to illustrate and describe the
algorithm that the CMS follows in order to determine whether a user is
authorized to perform an action on a particular object:
IF {
(User granted right to object = True)
OR [
(Inherit Parent Folder Rights = True) AND (User
granted right to parent folder = True)
]
OR [
(Inherit Group Rights = True) AND (Group granted right
to object = True)
]
OR [
(Inherit Group Rights = True) AND (Group granted right
to parent folder = True)
]
}
AND {
(User denied right to object = False)
AND [
(Inherit Parent Folder Rights = False)
OR ((Inherit Parent Folder Rights = True) AND (User
denied right to parent folder = False))
]
AND [
(Inherit Group Rights = False)
OR ((Inherit Group Rights = True) AND (Group denied
right to object = False))
]
AND [
(Inherit Group Rights = False)
OR ((Inherit Group Rights = True) AND (Group denied
right to parent folder = False))
]
}
THEN {
User action authorized = True
}
ELSE {
User action authorized = False
}

306 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
Priorities affecting advanced inheritance settings
When you modify inheritance patterns with advanced rights, there are several
important considerations to keep in mind. Where relevant, these
considerations appear elsewhere in this chapter. They have been
summarized here for reference.
Denied rights take precedence over granted rights. This can cause seemingly
contradictory results when inheritance is enabled. Suppose that the “View
objects” right is explicitly denied to a Sales group for a particular folder of
reports. For the same folder, the “View objects” right has been explicitly granted
to a Manager user, and the “Respect current security by inheriting rights from
parent groups” check box is selected. The Manager user is a member of the
Sales group. In this scenario, the Manager user is both granted and denied the
“See object” right to the folder. Because denied rights take precedence, the
Manager user is effectively denied the ability to see the folder, so long as the
user account inherits rights from its parent group (Sales). To remedy this
situation, you could clear the “Respect current security by inheriting rights from
parent groups” check box on the Advanced Rights page for the Manager user,
or you could remove the Manager user from the Sales group.
Rights that are not specified are denied by default. On the Advanced Rights
page for any object, the Inherited Rights column may label certain rights as
“Not Specified.” This entry denotes rights that are neither granted nor denied
by inheritance. To prevent possible security breaches, BusinessObjects
Enterprise automatically denies rights that are not specified.

Customizing a ‘top-down’ inheritance model


With the flexibility offered by object rights, inheritance, and advanced rights,
you can customize your object-level security environment in many ways.
However, as the complexity of any security system increases, so too can that
system become more difficult and time-consuming to maintain. This section
recommends two general ways of setting up object security such that you
achieve the desired security levels without complicating future administrative
tasks. To this purpose, this section provides two tutorials that shows how to
set up object security from the top-level folder (the root folder) down:
• “Setting up an open system of decreasing rights” on page 311
This detailed tutorial creates an open security model. By default, all users
and groups are first granted rights to all objects on the system. As you
add folders and subfolders to the system, you decrease the rights of
users and groups, as required, in order to secure particular
BusinessObjects Enterprise content.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 307


11 Controlling User Access
Controlling users’ access to objects

• “Setting up a closed system of increasing rights” on page 322


This shorter tutorial creates the basis for closed security model. By
default, users and groups cannot access any objects on the system. As
you add folders and subfolders to the system, you increase the rights of
users and groups, as required, in order to grant access to particular
BusinessObjects Enterprise content.
You can use your own Enterprise, NT, or LDAP groups when following along
with these tutorials, or you can create new groups that correspond to those
used in the tutorial. For details on setting up these groups and subgroups, see
“Creating groups for the tutorials” on page 308.
In each tutorial, you will specify the object rights that particular groups have to
certain folders on the system. By making all of your security settings at the
group and folder levels, you reduce the administrative efforts now and later.
After finishing each tutorial, you may decide to add users to each group and
to publish objects to each folder. If you do so, each user will inherit the
appropriate rights for every folder and object on the system.

Creating groups for the tutorials


The object security tutorials make use of eight Enterprise groups. The four
primary groups are named Administrators, Everyone, Sales, and Marketing.
The Sales group has four additional subgroups: Sales USA, Sales Japan,
Sales Managers, and Sales Report Designers. The Administrators and
Everyone groups are created by default when you install BusinessObjects
Enterprise, so these two procedures show only how to create the remaining
groups for the tutorials.
Note: For the shorter tutorial entitled “Setting up a closed system of
increasing rights” on page 322, you need only create the Sales group and its
Sales USA, Sales Japan, and Sales Managers subgroups.
To create the Sales and Marketing groups
1. Go to the Groups management area of the CMC.
2. Click New Group.
The new group’s Properties tab appears.

308 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11

3. In the Group Name field, type Marketing.


4. In the Description field, type This group contains all users who
work in Marketing.
5. Click OK.
The Marketing group is added to the system and the page is refreshed.
Tip: Click the Users tab if you want to add your own users to this group.
6. Repeat steps 1 to 5 to create another group called Sales. Use this
description for the group: This group contains all users who
work in Sales (worldwide).

To create the Sales subgroups


1. Go to the Groups management area of the CMC.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 309


11 Controlling User Access
Controlling users’ access to objects

2. Click New Group.


3. In the Group Name field, type Sales USA
4. In the Description field, type This group contains all users who
work in Sales in the USA.
5. Click OK.
The Sales USA group is added to the system and the page is refreshed.
Tip: Click the Users tab if you want to add your own users to this group.
6. Click the Member of tab; then click the Member of button.
The Modify Member of page appears.
7. In the Available groups list, select Sales; then click the > arrow.
The Sales group is added to the “Sales USA is a member of” list, as
displayed here:

8. Click OK.
You are returned to the “Member of” tab. The Sales USA group is now a
member (or subgroup) of the Sales group.
9. Repeat steps 1 to 8 to create the remaining Sales subgroups for the tutorials.
Use the following values for the Group Name and Description fields:

Group Name Description


Sales Japan This group contains all users who work in Sales in
Japan.
Sales Managers This group contains all users who manage a Sales
team.
Sales Report This group contains all users who design and publish
Designers reports for the Sales teams.

310 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
If you now return to the Groups management area of the CMC, all of the new
groups are displayed as follows:

You are now ready to proceed to either of the object security tutorials:
• “Setting up an open system of decreasing rights” on page 311.
• “Setting up a closed system of increasing rights” on page 322.

Setting up an open system of decreasing rights


This tutorial shows how to create an open security model, wherein groups of
users are first granted rights to all objects on the system by default. As you
add folders and subfolders to the system, you decrease the rights of users
and groups, as required, in order to secure particular BusinessObjects
Enterprise content.
In this scenario, you are creating folders for several groups within your
organization. You have some reports that you want to add to the system
immediately. Because some groups plan to add their own reports later, you
also need to give some users the ability to add subfolders and to publish
reports. These are your security requirements for each folder:
• Everyone must be able to view the majority of your reports.
• Administrators require Full Control access to all folders and objects on
the system.
• Sales Managers are allowed to refresh most reports against the database
to view the most recent data.
• The Marketing group needs Full Control access to its own set of folders
that no other user can access (other than Administrators).
• The Sales groups need a hierarchy of folders containing worldwide
reports, regional reports, and management reports:
• All Sales staff can view worldwide reports.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 311


11 Controlling User Access
Controlling users’ access to objects

• Sales staff can also view reports for their own regions. If the staff
member is also a Manager, he or she can view and refresh reports
from all regions.
• Sales Managers require Full Control access to the management
reports.
• Sales Report Designers require custom administrative privileges to
all Sales folders.
For a shorter, less detailed tutorial, see “Setting up a closed system of
increasing rights” on page 322.
Changing default rights on the top-level folder
The first step is to set object rights on the top-level BusinessObjects
Enterprise folder. This folder serves as the root for all other folders and
objects that you add to the system. Each subfolder, report, or other object that
you add to this top-level folder will by default inherit rights from this folder. So,
by setting rights here first, you minimize the need to repeatedly customize
object rights throughout your folder hierarchy.
With this procedure, you set security on the top-level folder in order to meet
your first three security requirements:
• Everyone must be able to view the majority of your reports.
• Administrators require Full Control access to all folders and objects on
the system.
• Sales Managers are allowed to refresh most reports against the database
to view the most recent data.
To change the rights on the top-level folder
1. Go to the Settings management area of the CMC.
2. Click the Rights tab.
By default, the Everyone and the Administrators groups are granted
access to this folder. You now need to reduce the rights of the Everyone
group and to increase the rights of the Sales Managers.
3. Click the Access Level list that corresponds to the Everyone group, and
select View.
4. Click Update.
The rights for the Everyone group are reduced and the View access level
is now displayed in the Net Access column.
Now you will customize the top-level rights for the Sales Managers group.

312 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
5. Click Add/Remove.
The Add/Remove page appears.
6. In the Select Operation list, click Add/Remove Groups.
7. In the Available groups list, select Sales Managers.
8. Click the > arrow; then click OK.
You are returned to the Rights tab on the Settings page. Ensure that you
grant the Sales Managers group View On Demand access. If necessary,
change the Access Level list and click Update. This provides the Sales
Managers group with sufficient rights to refresh reports.
Now, your system meets your first three security requirements. The
Everyone, Administrators, and Sales Managers groups will initially inherit
these rights for any folders, subfolders, or reports that you subsequently
publish to BusinessObjects Enterprise. You might, for instance, create folders
for all of your generally accessible inventory reports, customer list reports,
purchasing order reports, and so on.
Now that you have created an open basis for your object security model, you
will proceed to restricting access to certain folders within the system.
Decreasing rights to a private folder
Another security requirement for this tutorial is that the Marketing group
needs Full Control access to their own set of folders that no other user can
access. To accomplish this, you will create a private folder called Marketing
Only and ensure that only the appropriate group of users has access to its
contents.
To decrease rights to a private folder
1. Go to the Folders management area of the CMC.
2. Click New Folder.
3. On the Properties tab, in the Folder Name field, type Marketing Only
4. In the Description field, type This folder is accessible only to
Marketing.
5. Click OK.
6. Click the Rights tab.
7. In the Access Level column, select the following rights for each group:
• Administrators: (Inherited Rights)
• Everyone: No Access
• Sales Managers: No Access

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 313


11 Controlling User Access
Controlling users’ access to objects

8. Click Update.
The Net Access column shows that you have secured this folder from all
users other than Administrators.
Next, you will grant the Marketing group Full Control access to this folder.
9. Click Add/Remove.
The Add/Remove page appears.
10. In the Select Operation list, click Add/Remove Groups.
11. In the Available groups list, select Marketing.
12. Click the > arrow; then click OK.
You are returned to the Rights tab. The Marketing group is granted
access to the folder. You need to change the default setting to grant them
Full Control access.
13. Click the Access Level list that corresponds to the Marketing group, and
select Full Control.
14. Click Update.
The Net Access column shows that you have granted the Marketing
group Full Control access to this folder.
Members of this group now have the ability to perform all tasks in this folder.
They can add and delete reports, folders, and subfolders, and they can view,
schedule, and export reports to all available destinations and formats.
To complete this tutorial, you need to customize the rights that various Sales
groups have to a hierarchical set of Sales folders. Before setting the rights for
each group, you will see how to create multiple folders quickly when you
publish a set of reports to BusinessObjects Enterprise.
Publishing a set of folders and reports
The final security requirements for this tutorial are related to the Sales group
and its subgroups. They require a hierarchy of folders containing worldwide
reports, regional reports, and management reports.
Because this tutorial sets up a system of decreasing rights, you will first
create a set of folders that places the most general content at the top of the
directory tree. In this case, all Sales staff can view the worldwide reports, so
the folder for those reports requires the lowest level of security. The regional
reports will go in subfolders that are accessible only to users who belong to
the appropriate regional Sales group. The management reports will be
located in subfolders of each of the regional folders.

314 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
You could create this set of folders using the CMC, as in the earlier sections
of this tutorial. However, if you already have a set of reports, the Publishing
Wizard provides the quickest way to add content and create folders at the
same time.
To create a set of folders while publishing reports
1. On your local hard drive, create a set of folders that correspond to the
folders you want to add to BusinessObjects Enterprise.
For this tutorial, the Sales folders are named and arranged hierarchically
as follows:

2. Arrange your reports (.rpt files) in the new folders on your local hard
drive.
If you do not have any of your own reports, use some of the sample
reports included with BusinessObjects Enterprise. The sample reports
are typically installed to C:\Program Files\Business
Objects\BusinessObjects Enterprise 11.5\Samples\language
\Reports (replace language with, for example, en, de, fr, or jp,
depending upon your version of BusinessObjects Enterprise).
Note: To complete this procedure, you must place at least one report file
in each of the folders that you have created on your local hard drive.
Otherwise, the Publishing Wizard will not create the appropriate
directories on the BusinessObjects Enterprise system.
3. From the BusinessObjects Enterprise XI Programs group, start the
Publishing Wizard and, when it appears, click Next.
4. In the System field, type the name of the CMS to which you want to add
objects.
5. In the User Name and Password fields, type your BusinessObjects
Enterprise credentials.
6. From the Authentication list, select the appropriate authentication type.
7. Click Next.
The Select A File dialog box appears.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 315


11 Controlling User Access
Controlling users’ access to objects

8. Click Add Folders.

9. Select the top level Worldwide Sales folder that you created on your
local hard drive.
10. Select the Include subfolders check box, and then click OK.
You are returned to the Select A File dialog box. All of the reports are
added to the list.

11. Click Next.


The Specify Location dialog box appears.
12. In the Specify Location dialog box, click New Folder.

316 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
13. Name the folder Worldwide Sales and ensure that it is located at the top
of the directory tree, as shown here:

14. Click Next.


The Specify Folder Hierarchy dialog box appears.
15. Select Duplicate the folder hierarchy to duplicate the local folder
hierarchy on the BusinessObjects Enterprise system; then click Next.
The Confirm Location dialog box appears. You can see here that the
Regional Sales folders will be created below the Worldwide Sales folder,
and the Managers Only folders will be created as additional subfolders.
The actual report files are arranged in the appropriate folders.

16. Click Next.


17. Proceed through the rest of the Publishing Wizard and make any desired
changes to your reports.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 317


11 Controlling User Access
Controlling users’ access to objects

Tip: If you are publishing sample reports for the purpose of this tutorial,
click Next to accept all the default values. For more information on the
rest of the Publishing Wizard, see “Publishing with the Publishing Wizard”
on page 346.
When the Publishing Wizard has added the reports and folders to the
system, it displays a summary:
18. Click Finish to close the Publishing Wizard.
You are now ready to set each Sales group’s object rights for the new set
of Sales folders.
Setting the base rights on the Sales folders
Now that you have used the Publishing Wizard to add reports and create the
appropriate folders and subfolders, you are ready to set the object rights for
each level of reporting content.
The security requirements are as follows:
• All Sales staff can view worldwide reports.
• Sales staff can also view reports for their own regions. If the staff member
is also a Manager, he or she can view and refresh reports from all
regions.
• Sales Managers require Full Control access to the management reports.
• Sales Report Designers require custom administrative privileges to all
Sales folders.
To set the base rights on the Worldwide Sales folder
1. Go to the Folders management area of the CMC.
2. Click the link to the Worldwide Sales folder.
3. On the folder’s Rights tab, click Add/Remove.
4. In the Select Operation list, click Add/Remove Groups.
5. In the Available groups list, select Sales and Sales Report Designers.
Tip: Use CTRL+click to select multiple groups.
6. Click the > arrow; then click OK.
You are returned to the Rights tab.
7. In the Access Level column, select the following rights for each group:
• Administrators: Inherited Rights
• Everyone: No Access
• Sales: View
• Sales Managers: Inherited Rights

318 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
• Sales Report Designers: This group requires additional rights to
publish content to this folder. You will use advanced rights to make
these changes in the next procedure. For now, leave the Access
Level list with the default settings.
8. Click Update.
The Net Access column is updated to show your new security settings.
You now need to grant the Sales Report Designers group a set of advanced
rights, so group members can administer all the Sales folders.
Creating a group of folder administrators
This section of the tutorial shows how to provide a particular group of users
with a customized level of administrative control over a set of folders. In
general, you can accomplish this with the Full Control access level. This
example, however, uses advanced rights to grant the Sales Report Designers
group a particular set of administrative privileges to all Sales folders.
To create a group of Sales folder administrators
1. If you are not already there, go to the Rights tab of the Worldwide Sales
folder.
2. In the Access Level list for the Sales Report Designers group, select
Advanced.
The Advanced Rights page appears. You will use this page to grant group
members a high level of control over the folder and its contents. However,
you will not let any group member delete objects that have been added to
a Sales folder.
3. To ensure that you completely break all inheritance patterns, clear the
“Worldwide Sales” will inherit rights from its parent folders check
box.
4. Click Apply.
Now that you have disabled all rights inheritance, the advanced rights that
you specify will be the only rights that group members have to the folder.
5. In the Explicitly Denied column, select the following rights:
• Modify the rights users have to objects
• Delete objects
Tip: You may choose to explicitly deny additional rights to suit your
needs. For instance, to prevent these folder administrators from copying
confidential reports to public folders, you could deny the “Copy objects to
another folder” right. Or, if you prefer to retain all administrative control
over report-processing servers, you could deny the “Define server groups
to process jobs” right.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 319


11 Controlling User Access
Controlling users’ access to objects

6. In the Explicitly Granted column, select all remaining rights.


7. Click OK.
You are returned to the Rights tab for the Worldwide Sales folder. The
Net Access column now shows that the Sales Report Designers group
has Advanced rights to this folder.
Tip: Click the Advanced link in the Net Access column when you need to
review or modify a set of advanced rights that have already been applied to a
user or group.
Now that you have set object rights on the uppermost Sales folder, you will
proceed to decrease rights as you descend the folder hierarchy.
Decreasing rights to the Sales subfolders
Recall that the security requirements for the regional sales reports are as
follows:
• Sales staff can view reports for their own region and can refresh these
reports against the database to view the most recent data.
• If the staff member is also a Manager, he or she can view and refresh
reports from all regions.
You will use the various Sales groups to decrease rights appropriately for
each Regional Sales folder.
To decrease rights to the regional Sales folders
1. Go to the Regional Sales - JP folder and click its Rights tab.
2. Click Add/Remove.
3. In the Select Operation list, click Add/Remove Groups.
4. In the Available groups list, select Sales Japan.
5. Click the > arrow; then click OK.
You are returned to the Rights tab of the Regional Sales - JP folder.
6. In the Access Level column, select the following rights for each group:
• Administrators: Inherited Rights
• Everyone: Inherited Rights
• Sales: No Access
• Sales Japan: View On Demand
• Sales Managers: Inherited Rights
• Sales Report Designers: Inherited Rights
7. Click Update.

320 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
The Net Access column shows your new security settings. As required,
the Sales Japan and the Sales Managers groups have View On Demand
access, which allows them to refresh reports against the database to
view the latest data. The Sales Report Designers retain their advanced
rights, and all other users are prevented from accessing the folder
(except for Administrators).
8. Repeat steps 1 to 6 for the Regional Sales - USA folder, but grant View
On Demand access to the Sales USA group (instead of to the Sales
Japan group).
You are now ready to complete the tutorial by customizing security for the
final level of Sales folders—the Managers Only folders.
To decrease rights to the Managers Only folders
1. Go to the Regional Sales - JP folder and click its Subfolders tab.
2. Click the link to the Managers Only folder and click its Rights tab.
3. In the Access Level column, select the following rights for each group:
• Administrators: Inherited Rights
• Everyone: Inherited Rights
• Sales: Inherited Rights
• Sales Japan: No Access
• Sales Managers: Full Control
• Sales Report Designers: Inherited Rights
4. Click Update.
The Rights tab of this Managers Only folder now shows that the
Administrators, Sales Managers, and Sales Report Designers groups all
have Full Control access to the folder. Members who do not belong to
one of these groups are completely restricted from the folder.
5. Go to the Regional Sales - USA folder and click its Subfolders tab.
6. Click the link to the Managers Only folder and click its Rights tab.
7. In the Access Level column, select the following rights for each group:
• Administrators: Inherited Rights
• Everyone: Inherited Rights
• Sales: Inherited Rights
• Sales Managers: Full Control
• Sales Report Designers: Inherited Rights
• Sales USA: No Access

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 321


11 Controlling User Access
Controlling users’ access to objects

8. Click Update. The Rights tab of this Managers Only folder shows again
that the Administrators, Sales Managers, and Sales Report Designers
groups all have Full Control access to the folder. Members who do not
belong to one of these groups are completely restricted from the folder.
You have now reached the end of this tutorial.

Setting up a closed system of increasing rights


This tutorial shows how to set up the basis for a closed security model,
wherein groups of users are first denied rights to all objects on the system by
default. As you add folders and subfolders to the system, you increase the
rights of users and groups, as required, so they can access their
BusinessObjects Enterprise content.
In this scenario, you are creating folders for several groups within your
organization. These are your security requirements for each folder:
• The majority of your reports should be inaccessible to most users.
• Administrators require Full Control access to all folders and objects on
the system.
• The Sales groups need a hierarchy of folders containing management
reports and regional reports:
• Only the Sales Managers can view the management reports and all
regional reports.
• Sales staff can only view reports for their own region.
Because this scenario first completely restricts access to the top-level folders,
and then gradually increases access to subfolders further down the folder
hierarchy, the results are essentially incompatible with the design of InfoView.
The closed security model works best when you deploy a web desktop or
other application that provides users with a list of all reports and/or folders to
which they have access. The sample Report Thumbnail Client and the In-
frame Client applications provide examples that are compatible with a closed
security model. You can access these applications from the Client Samples
area of the Crystal Enterprise Launchpad.
InfoView, by contrast, adheres to a hierarchical view of the system’s folder
structure. Thus, if users cannot access a top-level folder, they have no way of
browsing its subfolders (even if they have Full Control over those subfolders
and their contents). If you implement this closed security model in conjunction
with InfoView, users will need to search for specific reports by name or
description.
For a lengthier, more detailed tutorial, see “Setting up an open system of
decreasing rights” on page 311.

322 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling users’ access to objects 11
Restricting access from the top-level folder
The first step is to set object rights on the top-level BusinessObjects
Enterprise folder. This folder serves as the root for all other folders and
objects that you add to the system. Each subfolder, report, or other object that
you add to this top-level folder will inherit rights from this folder by default. So,
by setting rights here first, you minimize the need to repeatedly customize
object rights throughout your folder hierarchy.
With this procedure, you set security on the top-level folder in order to meet
your first two security requirements:
• The majority of your reports should be inaccessible to most users.
• Administrators require Full Control access to all folders and objects on
the system.
This procedure gives the Everyone group No Access to all published content.
This is how you set the basis for a closed security model. Do not use
advanced rights to explicitly deny rights to the Everyone group (or any other
group) at the top-level folder of your BusinessObjects Enterprise system,
because once a right has been explicitly denied, you have to break all
inheritance patterns in order to grant the same right further down the folder
hierarchy.
To change the rights on the top-level folder
1. Go to the Settings management area of the CMC.
2. Click the Rights tab.
You need only reduce the rights of the Everyone group.
3. Click the Access Level list that corresponds to the Everyone group, and
select No Access.
Note: If users access reports through BusinessObjects Enterprise, they
will be unable to browse subfolders once you make this initial security
setting. Users will, however, be able to search for reports by name or
description.
4. Click Update.
The rights for the Everyone group are reduced and No Access is
displayed in the Net Access column.
Now, your system meets your first two security requirements. The Everyone
group is prevented from seeing all subsequently published content, and the
Administrators group retains Full Control in order to maintain the system.
Now that you have created a closed basis for your object security model, you
will increase access to certain folders within the system.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 323


11 Controlling User Access
Controlling users’ access to objects

Increasing access by descending the folder hierarchy


The remaining security requirements for this tutorial are related to the Sales
group and its subgroups. They require a hierarchy of folders containing
management reports and regional reports. Because this tutorial sets up a
system of increasing rights, the most secure content will be stored at the top
of the directory tree.
With these procedures, you create the folder hierarchy and set access levels
in order to meet the remaining security requirements:
• Only the Sales Managers can view the management reports and all
regional reports.
• Sales staff can only view reports for their own region.
To provide minimal access to the management reports
1. Go to the Folders management area of the CMC.
2. Click New Folder.
3. On the Properties tab, in the Folder Name field, type Management
Reports
4. Click OK.
The new folder is created and the page is refreshed.
5. On the Rights tab, click Add/Remove.
6. In the Select Operation list, click Add/Remove Groups.
7. In the Available Groups list, select Sales Managers.
8. Click the > arrow; then click OK.
You are returned to the Rights tab of the Management Reports folder.
9. Click the Access Level list for the Sales Managers group, and select
View.
10. Click Update.
The Rights tab now shows that the Sales Managers group has View
access to this folder and to any objects that you subsequently publish to
it. As required, the Everyone and Administrators groups have inherited
the rights that you set on the top-level BusinessObjects Enterprise folder.
Now you need only create folders for the regional reports and grant access to
the appropriate regional Sales groups.
To provide selective access to the regional reports
1. If you are not already there, go to the Management Reports folder.
2. On the Subfolders tab, click New Folder.

324 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling access to applications 11
3. On the Properties tab, in the Folder Name field, type Regional
Reports - JP
4. Click OK.
The new folder is created and the page is refreshed.
5. On the Rights tab, click Add/Remove.
6. In the Select Operation list, click Add/Remove Groups.
7. In the Available Groups list, select Sales Japan.
8. Click the > arrow; then click OK.
You are returned to the Rights tab of the Management Reports folder.
9. In the Access Level list for the Sales Japan group, select View.
10. Click Update.
The Rights tab now shows that the Sales Japan group has View access
to this folder and to any objects that you subsequently publish to it. The
Administrators, Everyone, and Sales Managers groups automatically
inherit the appropriate rights for this folder.
11. Repeat this procedure to create a subfolder called Regional Reports -
USA and to provide the Sales USA group with View access to the folder.
When you finish, the Rights tab of the Regional Reports - USA folder
shows that you have set the rights as required for this tutorial.
You have now reached the end of this tutorial.

Controlling access to applications


You can use rights to control users’ access to certain features in
BusinessObjects Enterprise applications. You can grant or deny users access
to the Central Management Console. For InfoView, you can grant users or
groups the ability to:
• change their preferences
• organize folders
• search
• filter object listings by object type
• view the Favorites folder
For example, if you have already created your users’ folders using a standard
naming convention, you may want to deny your users the ability to organize
their own folders.
Note: By default, all users have access to these features.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 325


11 Controlling User Access
Controlling administrative access

To grant access to a Business Objects application’s features


1. Go to the BusinessObjects Enterprise Applications management area
of the CMC.
2. Click the link for the application whose access rights you want to change.
3. Click the Rights tab.
4. Click Add/Remove to add users or groups you want to give access to the
features.
5. On the Add/Remove page, in the Select Operation list, select Add/
Remove Groups, Add Users, or Remove Users.
6. Select the user or group you want to grant access to the features.
Tip: If you have many users on your system, select the Add Users
operation; then use the “Look for” field to search for a particular account.
7. Click OK.
8. On the Rights tab, click Advanced.
9. For each feature, choose Inherited, Explicitly Granted, or Explicitly
Denied for the user or group.
Note: For the Web Intelligence application, make sure you grant access
to the Allows interactive HTML viewing option in order for users to be
able use the Interactive view format and use the Query HTML panel. The
user can select this view format and report panel option in the Web
Intelligence Document Preferences tab in InfoView.
10. Click OK.

Controlling administrative access


In addition to controlling access to objects and settings, you can use rights to
divide administrative tasks between functional groups within your
organization. For example, you may want people from different departments
to manage their own BusinessObjects Enterprise users and groups. Or you
may have one administrator who handles high-level management of
BusinessObjects Enterprise, but you want all server management to be
handled by people in your IT department. With all of the tasks facing a
BusinessObjects Enterprise administrator, it can be very helpful to delegate
responsibility to other managers and groups.
This section describes how to grant rights for managing users, groups,
servers, and server groups.

326 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling administrative access 11
Controlling access to users and groups
You can delegate user and group administration to the appropriate people in
your organization by granting specific access rights.
To grant access to a user or group
1. Go to the Users or Groups management area of the CMC.
2. Select the user or group you want to grant access to.
3. Click the Rights tab.
4. Click Add/Remove to add users or groups that you want to give access
to the selected user or group.
The Add/Remove page appears.
5. In the Select Operation list, select Add/Remove Groups, Add Users,
or Remove Users.
6. Select the user or group you want to grant access to the specified user or
group.
Tip: If you have many users on your system, select the Add Users
operation; then use the “Look for” field to search for a particular account.
7. Click OK.
8. On the Rights tab, change the Access Level for each user or group, as
required.
9. To choose specific rights, choose Advanced.
Note: For more details on specific rights, see “Rights in the CMC” on
page 565.
10. Click Update.

Controlling access to user inboxes


When you add a user, the system automatically creates an inbox for that user.
The inbox has the same name as the user. By default, only the user and the
administrator have the right to access a user’s inbox. Use the following
procedure to change the access rights to a user’s inbox as needed.
User inboxes can serve as destinations for scheduled reports. When
scheduling a report, you can specify that you want the system to store the
report instances in the inbox of one or more users. You can also send existing
report objects or instances to a user’s inbox by using the “Send to” feature.
For more information, see “Selecting a destination” on page 480, and
“Sending an object or instance” on page 422.
To grant a user access to another user’s inbox
1. Go to the Inbox management area of the CMC.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 327


11 Controlling User Access
Controlling administrative access

2. Select the inbox you want to grant access to.


3. Click the Rights tab.
4. Click Add/Remove to add users or groups that you want to give access
to the selected user or group.
The Add/Remove page appears.
5. In the Select Operation list, select Add/Remove Groups, Add Users,
or Remove Users.
6. Select the user or group you want to grant access to the specified inbox.
7. Click OK.
8. On the Rights tab, change the Access Level for each user or group, as
required.
9. To choose specific rights, choose Advanced.
Note: For more details on specific rights, see “Rights in the CMC” on
page 565.
10. Click Update.
Controlling access to servers and server groups
You can use rights to grant people access to servers and server groups,
allowing them to perform tasks such as starting and stopping servers.
Depending on your system configuration and security concerns, you may
want to limit server management to the BusinessObjects Enterprise
administrator. However, you may need to provide access to other people
using those servers. Many organizations have a group of IT professionals
dedicated to server management. If your server team needs to perform
regular server maintenance tasks that require them to shut down and start up
servers, you need to grant them rights to the servers. You may also want to
delegate BusinessObjects Enterprise server administration tasks to other
people. Or you may want different groups within your organization to have
control over their own server management.
To grant access to a server or server group
1. Go to the Servers or Server Groups management area of the CMC.
2. Select the server or server group you want to grant access to.
3. Click the Rights tab.
4. Click Add/Remove to add users or groups that you want to give access
to the selected server or server group.
The Add/Remove page appears.

328 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Controlling User Access
Controlling administrative access 11
5. In the Select Operation list, select Add/Remove Groups, Add Users,
or Remove Users.
6. Select the user or group you want to grant access to the specified server
or server group.
Tip: If you have many users on your system, select the Add Users
operation; then use the “Look for” field to search for a particular account.
7. Click OK.
8. On the Rights tab, change the Access Level for each user or group, as
required.
9. To choose specific rights, choose Advanced.
Note: For more details on specific rights, see “Rights in the CMC” on
page 565.
Click Update.

Controlling access to universes


You can use rights to grant people access to universes, allowing them to
create and view Web Intelligence documents that use universes and
connections.
To control who has access to a universe
1. Go to the Universes management area of the CMC.
2. Click the link for the universe.
3. Click the Rights tab.
4. In the Name column, locate the user or group whose rights you want to
specify.
If the user or group is not listed, click Add/Remove. Add the appropriate
user or group and click OK. You are returned to the object’s Rights tab.
5. The next step depends upon the entry that already appears in the
Access Level list for this user or group:
• If the Access Level is not already set to Advanced, click the list and
select Advanced.
• If the Access Level is already set to Advanced, click the Advanced
link in the Net Access column.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 329


11 Controlling User Access
Controlling administrative access

Controlling access to universe connections


You can use rights to grant people access to universe connections, allowing
them to create and view Web Intelligence documents that use universes and
universe connections. You can either set the rights to all universes by using
the Rights button on the Universe Connections page, or you can set the rights
to individual universe connections.
To view or set the access levels for all universe connections
1. Go to the Universe Connections management area of the CMC.
2. Click the Rights button.
3. In the Name column, locate the user or group whose rights you want to
specify.
If the user or group is not listed, click Add/Remove. Add the appropriate
user or group and click OK. You are returned to the object’s Rights tab.
4. The next step depends upon the entry that already appears in the Access
Level list for this user or group:
• If the Access Level is not already set to Advanced, click the list and
select Advanced.
• If the Access Level is already set to Advanced, click the Advanced
link in the Net Access column.
To view or set who has access to a specific universe connection
1. Go to the Connections management area of the CMC.
2. Click the link for the connection.
3. Click the Rights tab.
4. In the Name column, locate the user or group whose rights you want to
specify.
If the user or group is not listed, click Add/Remove. Add the appropriate
user or group and click OK. You are returned to the object’s Rights tab.
5. The next step depends upon the entry that already appears in the Access
Level list for this user or group:
• If the Access Level is not already set to Advanced, click the list and
select Advanced.
• If the Access Level is already set to Advanced, click the Advanced
link in the Net Access column.

330 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Organizing Objects

chapter
12 Organizing Objects
Organizing objects overview

Organizing objects overview


Creating an intuitive and logical organizational structure is the key to ensuring
that your users can find the information they need quickly and easily.
BusinessObjects Enterprise provides two methods for organizing content:
folders and categories. By combining folders and categories, and setting
appropriate rights for them, you can organize data according to multiple
criteria and improve both security and navigation.

About folders and categories


Folders and categories provide you with the ability to organize and facilitate
content administration. They are useful when there are a number of reports
that a department or area requires frequent access to, because you can set
object rights and limits once at the folder or category level, rather than setting
them for each report or object.
By default, new objects that you add to a folder or category inherit the object
rights that are specified for the folder or category.
It’s good practice to set up folders that represent a structure that already
exists in your organization, such as departments, regions, or even your
database table structure. Then use categories to set up an alternate system
of organization.
For example, you could organize your content into departmental folders, and
then use categories to create an alternate filing system that divides content
according to different roles in your organization, such as managers or VPs.
This organizational model allows you set security on groups of documents
based on department or job role.

Working with folders


Folders are objects used to organize documents. You can use folders to
separate content into logical groups. Because you can set security at the
folder level, you can use folders as a tool for controlling access to information.

Creating and deleting folders


There are several ways to create new folders in BusinessObjects Enterprise.
In the Central Management Console (CMC), go to the Folders management
area to create new folders and to add subfolders to the existing hierarchy of
folder objects.

332 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Organizing Objects
Working with folders 12
Tip: When you publish local directories and subdirectories of reports with the
Publishing Wizard, you can duplicate your local directory structure on the
BusinessObjects Enterprise system. This method provides you with an
efficient way of creating multiple folders and subfolders at the same time. For
details, see “Publishing with the Publishing Wizard” on page 346.

Creating a new folder


This procedure shows how to create a new folder at the top of your folder
hierarchy. Folders created in this way are, in effect, subfolders of the top-level
(or root) BusinessObjects Enterprise folder.
1. Go to the Folders management area of the CMC.
2. Click New Folder.
3. On the Properties tab, type the name, description, and keywords of the
new folder.
This example creates a new Marketing folder:

4. Click OK.
The new folder is added to the system, and its Properties tab is
refreshed. You can now use the Objects, Subfolders, Limits, and Rights
tabs to add objects and to change settings for this folder.

Creating a new subfolder at any level


1. Go to the Folders management area of the CMC.
The initial level of folders is displayed.
2. In the Title column, click the link to the folder where you want to add a
subfolder.
3. Click the Subfolders tab.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 333


12 Organizing Objects
Working with folders

Tip: You can browse through existing subfolders to add a new folder
elsewhere in the folder hierarchy. When you have found the right parent
folder, go to its Subfolders tab.
The Subfolders tab appears.

4. Click New Folder.


5. On the Properties tab, type the name and description of the new folder.
6. Click OK.
The new folder is added to the system, and its Properties tab is
refreshed. You can now use the Objects, Subfolders, Limits, and Rights
tabs to add objects and to change settings for this folder.

Deleting folders
When you delete a folder, all subfolders, reports, and other objects contained
within it are removed entirely from the system.
To delete folders
1. Go to the Folders management area of the CMC.
2. Select the check box associated with the folder you want to delete.
If the folder you want to delete is not at the top level, locate its parent
folder. Then make your selection on the parent folder’s Subfolders tab.
Tip: Select multiple check boxes to delete several folders from their
parent folder.
3. Click Delete, and click OK to confirm.

Copying and moving folders


When you copy or move a folder, the objects contained within it are also
copied or moved. BusinessObjects Enterprise treats the folder’s object rights
differently, depending upon whether you copy or move the folder:

334 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Organizing Objects
Working with folders 12
• When you copy a folder, the newly created folder does not retain the
object rights of the original. Instead, the copy inherits the object rights
that are set on its new parent folder. For instance, if you copy a private
Sales folder into a Public folder, the contents of the new Sales folder will
be accessible to all users who have rights to the Public folder.
• When you move a folder, all of the folder’s object rights are retained. For
instance, if you move a private Sales folder into a publicly accessible
folder, the Sales folder will remain inaccessible to most users.
To copy or move a folder
1. Go to the Folders management area of the CMC.
2. Select the check box associated with the folder that you want to copy or
move.
If the folder you want to copy or move is not at the top level, locate its
parent folder. Then make your selection on the parent folder’s Subfolders
tab.
Tip: Select multiple check boxes to copy or move several folders from
their parent folder to a different folder.
3. Click Copy/Move.
The Copy/Move Folder page appears.

4. Select the action to perform:


• Copy to: Makes a copy of the folder.
• Move to: Moves the folder.
5. Select the Destination folder from the list.
Tip: If there are many folders on your system, use the “Look for” field to
search, or click Previous, Next, and Show Subfolders to browse the
folder hierarchy.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 335


12 Organizing Objects
Working with folders

6. Click OK.
The folder you selected is copied or moved, as requested, to the new
destination.

Adding an object to a new folder


You can add objects individually to any folder in a number of ways. Follow this
procedure to add an object to a new folder that you have just created. For
complete information on publishing objects, see “Overview” on page 346.
To add an object to a new folder
1. Once you’ve created the new folder, click its Objects tab.
2. Click New Object.
The New Object page appears.

3. On the left side of the New Object page, click the type of object you want
to add.
4. On the right side of the New Objects page, browse to select an existing
object.
5. If you are adding an object package or a publication, you need to provide
a title and description for the new object instead of selecting an existing
one.
6. Ensure that the correct folder name appears in the Destination field.

336 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Organizing Objects
Working with folders 12
Tip: If there are many folders on your system, use the “Look for” field to
search, or click Previous, Next, and Show Subfolders to browse the
folder hierarchy.
7. If necessary, provide information for other properties.
Some objects, such as program objects and report objects, require you to
provide additional information for the required fields. For example, if you
are adding a report, you can choose to display a thumbnail preview of the
report in BusinessObjects Enterprise.
Tip: To display thumbnails for a report, open the report in Crystal
Reports and click Summary Info on the File menu. Select the “Save
preview picture” check box and click OK. Preview the first page of the
report and save your changes.
If the report references objects in your BusinessObjects Enterprise
Repository, select the Use Object Repository when refreshing report
check box to update these objects now.
For details about setting up the BusinessObjects Enterprise Repository,
see “BusinessObjects Enterprise Repository overview” on page 184.
8. Click Submit.
The object is published to BusinessObjects Enterprise.

Specifying folder rights


Follow this procedure to change the object rights for a new folder that you
have just created. By default, new objects that you add to a folder inherit the
object rights that are specified for the folder. For complete information on
object rights, see “Controlling users’ access to objects” on page 293.
To specify rights for a new folder
1. Once you’ve created the new folder, click its Rights tab.
2. Click Add/Remove to select the groups or users that you want to have
explicit rights (as opposed to inherited rights) to access the folder.
The Add/Remove page appears.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 337


12 Organizing Objects
Working with folders

3. In the Select Operation list, select Add/Remove Groups, Add Users,


or Remove Users.
The page is refreshed and displays options that depend upon whether
you are working with users or with groups. The example above shows the
options that are available when you are working with groups.
4. Select the user or group whose rights you want to specify and click the
arrows to specify whether the user or group has explicit rights to the
folder.
Tip: If you have many users on your system, select the Add Users
operation; then use the “Look for” field to search for a particular account.
5. Click OK.
You are returned to the Rights tab.

6. Change the Access Level for each user or group, as required.


Note: For complete details on the predefined access levels and
advanced rights, see “Controlling users’ access to objects” on page 293.
7. Click Update.

338 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Organizing Objects
Working with folders 12
Setting limits for folders, users, and groups
Limits allow you to delete report instances on a regular basis. You set limits to
automate regular clean-ups of old BusinessObjects Enterprise content. Limits
that you set on a folder affect all objects that are contained within the folder.
At the folder level, you can limit the number of instances that remain on the
system for each object or for each user or group; you can also limit the
number of days that an instance remains on the system for a user or group.
Follow this procedure to enforce default limits on a folder that you have just
created. For more information on limits, see “Setting instance limits for an
object” on page 493.
To limit instances at the folder level
1. Once you’ve created the new folder, click its Limits tab.

2. Modify the available settings according to the types of instance limits that
you want to implement, and click Update after each change.
The available settings are:
• Delete excess instances when there are more than N instances of an
object
To limit the number of instances per object, select this check box.
Then type the maximum number of instances that you want to
remain on the system. (The default value is 100.)
• Delete excess instances for the following users/groups
To limit the number of instances per user or group, click Add/Remove
in this area. Select from the available users and groups and click OK.
Then type the maximum number of instances in the Instance Limit
column. (The default value is 100.)

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 339


12 Organizing Objects
Working with categories

• Delete instances after N days for the following users/groups


To limit the age of instances per user or group, click Add/Remove in
this area. Select from the available users and groups and click OK.
Then type the maximum age of instances in the Maximum Days
column. (The default value is 100.)

Managing User Folders


BusinessObjects Enterprise creates a folder for each user on the system.
These folders are organized within the CMC as User Folders. By default,
there are User Folders for the Administrator and Guest accounts. When you
log on to the CMC and view the list of User Folders, you will see only those
folders to which you have View access (or greater).
Within InfoView, these folders are referred to as the Favorites folders. When a
user logs on to BusinessObjects Enterprise, he or she is redirected
immediately to his or her Favorites folder. (Users can change this default
behavior by modifying their Preferences.)
To view the User Folders
1. Go to the Folders management area of the CMC.
2. Click the User Folders link.
3. If it is not already displayed, click the Subfolders tab.
A list of subfolders appears. Each subfolder corresponds to a user
account on the system. Unless you have View access (or greater) to a
subfolder, it will not appear in the list.

Working with categories


Like folders, categories are objects used to organize documents. You can
associate documents with multiple categories, and you can create
subcategories within categories.
BusinessObjects Enterprise provides two types of categories:
• Administrative (or corporate) categories are created by the administrator,
or other users who have been granted access to these categories. If you
have the appropriate rights, you can create administrative categories.
• Personal categories can be created by each user to organize their own
personal documents.
Note: For information about importing existing categories, see “Importing
information” on page 362.

340 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Organizing Objects
Working with categories 12
Creating and deleting categories
There are several ways to create new categories in BusinessObjects
Enterprise. In the Central Management Console (CMC), go to the Categories
management area to create new categories and to add subcategories to the
existing hierarchy of category objects.

Creating a new category


1. Go to the Categories management area of the CMC.
2. Click New Category.
3. On the Properties tab, type the name and description of the new
category.
4. Click Update.
The new category is added to the system, and its Properties tab is
refreshed. You can now use the Objects, Subcategories, and Rights tabs
to add objects and to change settings for this category.

Creating a new subcategory at any level


1. Go to the Categories management area of the CMC.
The initial level of categories is displayed.
2. In the Title column, click the link for the category where you want to add
a subcategory.
3. Click the Subcategories tab.
Tip: You can browse through existing subcategories to add a new
category elsewhere in the hierarchy. When you have found the right
parent category, go to its Subcategories tab.
4. Click New Category.
5. On the Properties tab, type the name and description of the new folder.
6. Click Update.
The new category is added to the system, and its Properties tab is
refreshed. You can now use the Objects, Subcategories, and Rights tabs
to add objects and to change settings for this category.

Deleting categories
When you delete a category, all subcategories within it are remove entirely
from the system. Unlike folder deletion, the reports and other objects
contained within the category are not deleted from the system.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 341


12 Organizing Objects
Working with categories

To delete categories
1. Go to the Categories management area of the CMC.
2. Select the check box associated with the category you want to delete.
If the category you want to delete is not at the top level, locate its parent
category. Then make your selection on the parent category’s
Subcategories tab.
Tip: Select multiple check boxes to delete several categories from their
parent category.
3. Click Delete, and click OK to confirm.

Moving categories
When you move a category, any object assigned to the category maintains its
association with it. All of the category’s object rights are retained.
For example, you may have a South American Sales category that is
accessible only by sales people in that region. You also have a World Sales
category that contains worldwide sales reports needed by all sales people.
For more intuitive organization, you want to move the region categories into
the World Sales category. When you move the South American Sales
category into the World Sales category, it retains its rights settings and
associated objects, even though it has become a subcategory of the World
Sales category.
To move a category
1. Go to the Categories management area of the CMC.
2. Select the check box associated with the category that you want move.
If the category you want to move is not at the top level, locate its parent
category. Then make your selection on the parent category’s
Subcategories tab.
Tip: Select multiple check boxes to copy or move several categories
from their parent category to a different category.
3. Click Move.
The Move page appears.
4. Select the Destination category from the list.
Tip: If there are many categories on your system, use the “Look for” field
to search, or click Previous, Next, and Show Subcategories to browse the
category hierarchy.
5. Click OK.
The category you selected is moved to the new destination.

342 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Organizing Objects
Working with categories 12
Adding an object to a new category
You can add objects individually to any category in a number of ways. Follow
this procedure to add a report to a new category that you have just created.
For complete information on publishing reports and other objects, see
“Overview” on page 346.
To add a report to a new category
1. Once you’ve created the category, click its Objects tab.
2. Click New Object.
The New Object page appears.

Removing or deleting objects from a category


You can either remove or delete objects from a category. When you remove
an object, you remove it from the category only. When you delete an object,
you remove it from the category and also delete it from the system.
To remove or delete objects from a category
1. Go to the Categories or Personal Categories management area of the
CMC.
2. Click the link for the category from which you want to remove or delete an
object.
3. Click the Objects tab.
4. Select the check box for the object or objects you want to remove or
delete.
5. Click either of the following buttons, depending on what you want to do:
• Click Remove to remove the object from the category only. In this
case, the object continues to exist in the system.
• Click Delete to remove the object from the category and at the same
time delete it from the system.

Specifying category rights


Follow this procedure to change the object rights for a new category that you
have just created. By default, new objects that you add to a category inherit
the object rights that are specified for the category. For complete information
on object rights, see “Controlling users’ access to objects” on page 293.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 343


12 Organizing Objects
Working with categories

To specify rights for a new category


1. Once you’ve created the category, click its Rights tab.
2. Click Add/Remove to select the groups or users that you want to have
explicit rights (as opposed to inherited rights) to access the category.
The Add/Remove page appears.
3. In the Select Operation list, select Add/Remove Groups, Add Users,
or Remove Users.
The page is refreshed and displays options that depend upon whether
you are working with users or with groups.
4. Select the user or group whose rights you want to specify and click the
arrows to specify whether the user or group has explicit rights to the
category.
Tip: If you have many users on your system, select the Add Users
operation; then use the “Look for” field to search for a particular account.
5. Click OK.
You are returned to the Rights tab.
6. For each added user or group, select the access level you want from the
Access Level list.
Note: For complete details on the predefined access levels and
advanced rights, see “Controlling users’ access to objects” on page 293.
7. Click Update.

Managing personal categories


If you are granted the appropriate rights, you can view, edit, and delete users’
personal categories. For more information, see “Managing User Accounts
and Groups” on page 215.
To view the Personal Categories
1. Go to the Personal Categories management area of the CMC.
2. Click the user account whose personal categories you want to view.
A list of the user’s personal categories appears.

344 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Publishing Objects to
BusinessObjects Enterprise

chapter
13 Publishing Objects to BusinessObjects Enterprise
Overview

Overview
Publishing is the process of adding objects to the BusinessObjects Enterprise
environment and making them available to authorized users. There are
several types of objects that you can publish to BusinessObjects Enterprise:
• reports (from Crystal Reports and OLAP Intelligence)
• documents (from Desktop Intelligence)
• programs
• Microsoft Excel/Word/PowerPoint files
• Adobe Acrobat PDFs
• text files
• rich text format files
• hyperlinks
• object packages (which consist of report and/or program objects)
You can publish objects to BusinessObjects Enterprise in three ways. For
more information, see the following sections:
• “Publishing with the Publishing Wizard” on page 346.
• “Publishing with the Central Management Console” on page 357.
• “Saving objects directly to the CMS” on page 359.
Note: You can also create and add new objects directly to BusinessObjects
Enterprise from within InfoView.

Publishing with the Publishing Wizard


The Publishing Wizard is a locally installed, Windows application that is made
up of a series of dialog boxes. When you use the wizard, only the dialog
boxes that are applicable to the objects/folders that you are publishing
appear. For example, the settings for parameters and schedule format do not
appear when you publish OLAP Intelligence reports.
Use the Publishing Wizard if you have access to the application and you want
to publish multiple objects or an entire directory of objects to BusinessObjects
Enterprise. Once an object is published, it appears in the folder that you
specified in InfoView (or your customized web desktop) and in the Objects
management area of the Central Management Console (CMC).
Note: Depending on the rights that are assigned by your BusinessObjects
Enterprise administrator, you may not be able to publish objects by using the
Publishing Wizard. Contact your BusinessObjects Enterprise administrator for
more information.

346 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Publishing Objects to BusinessObjects Enterprise
Publishing with the Publishing Wizard 13
Publishing options
During the publishing process, you specify how often an object is run. You
can choose to set a recurring schedule, or you can choose to let users set the
schedule themselves. For example, for Crystal reports, you can specify
whether the data in the report is automatically refreshed according to a set
schedule or if the data is refreshed only when users manually refresh the
report.
Each publishing option has several features:
• Specifying the data that users see
This option is recommended for objects that are accessed by a large
number of people and/or do not require separate database logon
credentials. When you publish an object, users can access the same
instance of the object and reduce the number of times that the system is
prompted for information.
• Allowing users to update the data in the report
This option is recommended for objects that require separate database
logon credentials. It is also recommended when you publish smaller
objects that have frequent data changes and/or make use of parameters
and record selection formulas. When you publish an object, users are
able to determine the frequency in which the object is updated. However,
users who access the object at the same time increase the load on the
system by increasing the number of times that it is prompted for
information.
Note:
• BusinessObjects Enterprise supports reports that are created in versions
6 through XI of Crystal Reports. However, once a report is published to
BusinessObjects Enterprise, it is saved, processed, and displayed in
version XI format.
• You can publish OLAP Intelligence reports to BusinessObjects
Enterprise; however, you cannot set them to run on a recurring schedule.

Logging on to BusinessObjects Enterprise


When you use the Publishing Wizard, you are prompted to log on to the
BusinessObjects Enterprise system where you want to publish your objects.
1. On Windows, click Start > Programs > BusinessObjects XI Release 2
> BusinessObjects Enterprise > Publishing Wizard.
The Welcome to the Publishing Wizard dialog box appears.
2. Click Next.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 347


13 Publishing Objects to BusinessObjects Enterprise
Publishing with the Publishing Wizard

The Log On to BusinessObjects Enterprise dialog box appears.

3. In the System field, type the name of the CMS where you want to publish
objects.
4. In the User Name and Password fields, type your BusinessObjects
Enterprise logon credentials.
5. From the Authentication list, select the appropriate authentication type.
6. Click Next.
The Select Files dialog box appears.

Adding objects
1. In the Select Files dialog box, click Add Files or Add Folders.

348 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Publishing Objects to BusinessObjects Enterprise
Publishing with the Publishing Wizard 13
2. Select the file/folder that you want to publish.
Tip:
• Ensure that the appropriate file type is listed in the Files of Type field;
by default this value is set to Report (*.rpt).
• If you are publishing a folder, you can also publish its subfolders by
selecting the Include Subfolders option.
3. Repeat steps 1 and 2 for each of the files/folders that you want to publish.
4. Click Next.
5. If the Specify Object Type dialog box appears, choose a file type for each
unrecognized object, and then click Next.
The Specify Location dialog box appears.

Creating and selecting a folder on the CMS


To publish the selected objects, you must create or select a folder on the host
CMS. Only the folders to which you have access appear in the Specify
Location dialog box.
1. In the Specify Location dialog box, select the folder where you want to
publish the objects.

Tip:
• To add a new folder to the CMS, select a folder and then click New
Folder.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 349


13 Publishing Objects to BusinessObjects Enterprise
Publishing with the Publishing Wizard

• To add a new object package to the CMS, select a folder, and then
click New Object Package.
• To delete a folder or an object package, select the object, and click
Delete.
Note: From the wizard, you can delete only new folders and object
packages. (New folders are green; existing folders are yellow.)
If you are publishing multiple objects, and you want to place them in
separate directories, see “Duplicating the folder structure” on page 351.
2. Click Next.
The Confirm Location dialog box appears.

Moving objects between folders


1. In the Confirm Location dialog box, you can move objects to folders by
selecting each object, and then clicking Move Up or Move Down.

You can also add folders and object packages by selecting a parent
folder and clicking the New Folder or New Object Package button. To
delete a folder or object packages, select it and click the Delete button.
You can drag-and-drop objects to place them where you want, and you
can right-click objects to rename them.
By default, the title of the objects are displayed. You can display the local
file names of the objects by clicking the Show file names button.
2. Click Next.
The Specify Categories dialog box appears.

350 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Publishing Objects to BusinessObjects Enterprise
Publishing with the Publishing Wizard 13
Duplicating the folder structure
If you are adding multiple objects from a directory and its subdirectories, you
are asked if you want to duplicate the existing folder hierarchy on the CMS.
1. In the Specify Folder Hierarchy dialog box, choose a folder hierarchy
option:
• To place all of the objects in a single folder, select Put the files in the
same location.
• To recreate all of the folders and subfolders on the CMS as they
appear on your hard drive, select Duplicate the folder hierarchy.
Choose the topmost folder that you want to include in the folder
hierarchy.
2. Click Next.
The Confirm Location dialog box appears.

Adding objects to a category


If you want to add the selected objects to a category, you can create or select
a category on the host CMS. You can add objects to more than one category.
1. In the Specify Categories dialog box, click the category to which you
want to assign the objects. Click + to the left of the category to view the
subcategories.
To add a new category to the CMS, select a category and then click New
Category. The new category appears and can be renamed.
2. If you are publishing more than one objects, choose the object you want
to add to the category from the File list.
Note: Each object must be added to the category individually.
3. Click Insert File.
4. To delete a category or to remove an object from a category, select the
item and click Delete.
Note: From the wizard, you can delete only new categories. (New
categories are green; existing categories are blue.)
5. Click Next.
The Specify Schedule dialog box appears.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 351


13 Publishing Objects to BusinessObjects Enterprise
Publishing with the Publishing Wizard

Changing scheduling options


The Specify Schedule dialog box allows you to schedule the objects you are
publishing to run at specific intervals.
Note: This dialog box appears only for objects that can be scheduled.
1. In the Specify Schedule dialog box, select the object that you want to
schedule.
2. Select one of three intervals:
• Run once only
Selecting the “Run once only” option provides two more sets of options:
• when finished this wizard
This option runs the object once when you finish publishing it. The
object is not run again until you reschedule it.
• at the specified date and time
This option runs the object once at a date and time you specify. The
object is not run again until you reschedule it.
• Let users update the object
This option does not schedule the object. Instead, it leaves the task
of scheduling up to the user.
• Run on a recurring schedule
Once you have selected this option, click the Set Recurrence button
to set the scheduling options.
The “Pick a recurrence schedule” dialog box appears.
The options in this dialog box allow you to choose when and how often
the object runs. Select the appropriate options and click OK.
3. Click Next after you have set the schedule for each object you are
publishing.

Refreshing repository fields


The BusinessObjects Enterprise Repository is a central location in which
shared elements such as text objects, bitmaps, custom functions, universes,
and custom SQL commands are stored. You can choose to refresh the
repository fields of an object if the object references the repository. To
complete this task, the Publishing Wizard needs to connect to your
BusinessObjects Enterprise Repository database from the local machine. For
more details, see the BusinessObjects Enterprise Administrator’s Guide.

352 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Publishing Objects to BusinessObjects Enterprise
Publishing with the Publishing Wizard 13
Note: The Specify Repository Refresh dialog box appears only when you
publish report objects.
1. In the Specify Repository Refresh dialog box, select a report, and then
select the Use Object Repository when refreshing report check box if
you want to refresh it against the repository.
Tip: Click the Enable All button if you want to refresh all of the objects
that reference the repository; click the Disable All button if you want to
refresh none of the objects.
2. Click Next.

Publishing with saved data


If you publish a report that include saved data, you are prompted by the
Specify Keep Saved Data dialog box.
Note: The Specify Keep Saved Data dialog box appears only when you
publish report objects.
1. In the Specify Keep Saved Data dialog box, select a report, and then
select the Keep saved data when publishing report check box if you
want to keep the report’s saved data.
Tip: Click the Enable All button if you want to keep the saved data for all
of the reports; click the Disable All button if you do not want to keep
saved data for any of the reports.
2. Click Next.

Selecting a program type


The Program Type dialog box appears only when you publish program
objects. For details about program objects and program object types, see the
BusinessObjects Enterprise Administrator’s Guide.
1. In the Program Type dialog box, select a program.
2. Choose one of the following program types:
• Binary/Batch
Binary/batch programs are executables, such as binary files, batch
files, or shell scripts. They generally have file extensions such as
.com, .exe, .bat, or .sh. You can publish any executable program that
can be run from the command line on the machine where the
Program Job Server is running.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 353


13 Publishing Objects to BusinessObjects Enterprise
Publishing with the Publishing Wizard

• Java
You can publish any Java program to BusinessObjects Enterprise as
a Java program object. They typically have a .jar file extension.
• Script
Script program objects are JScript and VBScript scripts.
3. After you specify the type of program that you are adding, click Next.
The Program Credentials dialog box appears.

Specifying program credentials


1. In the Program Credentials dialog box, select a program.
2. In the User Name and Password fields, specify the user credentials for
the account that you want to use for the program to run.
The rights of the program are limited to those of the account with which it
runs.
3. After you specify the user credentials for each program to use, click Next.
The Change Default Values dialog box appears.

Changing default values


You can publish objects without changing any of the default properties.
However, if you use the default values, your object may not schedule properly
if the database logon information is incorrect or if the parameter values are
invalid.
1. Select Publish without modifying properties.
2. Click Next through the wizard’s remaining dialog boxes.
Alternatively, you can go through the remaining screens in the Publishing
Wizard and make changes.
1. Select Review or modify properties.
2. Click Next.
The Review Object Properties dialog box appears.

Changing object properties


1. In the Review Object Properties dialog box, select the object that you
want to modify.
2. Enter a new title or description.

354 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Publishing Objects to BusinessObjects Enterprise
Publishing with the Publishing Wizard 13
3. If you are publishing a report object, select the Generate thumbnail
image check box if you want users to see a thumbnail of the object
before they open it.
Tip: The “Generate thumbnail image” check box is available only if the
object is a .rpt file and was saved appropriately. (To be able to display
thumbnails for a report, open the report in Crystal Reports and, on the
File menu, click Summary Info. Select the Save preview picture option,
and click OK. Preview the first page of the report and save your
changes.)
4. Click Next.
The Specify Database Credentials dialog box appears if it is needed.

Entering database logon information


Some objects use data sources that require logon information. If the objects
that you are publishing are of this type, do the following steps:
1. In the Specify Database Credentials dialog box, double-click the object,
or click + to the left of the object to expose the database.

2. Select the database and change the logon information in the appropriate
fields. If the database does not require a user name or password, leave
the fields blank.
Note: Enter user name and password information carefully. If it is
entered incorrectly, the object cannot retrieve data from the database.
3. After you finish typing the logon information for each object, click Next.
The Set Report Parameters dialog box appears if it is needed.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 355


13 Publishing Objects to BusinessObjects Enterprise
Publishing with the Publishing Wizard

Setting parameters
Some objects contain parameters for data selection. Before these objects can
be scheduled, you must set the parameters to determine the objects’ default
prompts.
1. In the Set Report Parameters dialog box, select the object that includes
the prompts that you want to change.
The object’s prompts and default values appear in a list on the right-hand
side of the screen.
2. Click Edit Prompt to change the value of a prompt.
Depending on the type of parameter that you have chosen, different
dialog boxes appear.
3. If you want to set the prompts to contain a null value (where possible),
then click Set Prompts to NULL.
4. Click Next after you have finished editing the prompts for each object.
The Specify Format dialog box appears.

Setting the schedule output format


You can choose an output format for each scheduled report that you publish.
For some of the formats, you can customize the schedule format options.
1. In the Specify Format dialog box, select the object that you want to set
up to produce a different schedule output format.
2. Select a format from the list (Crystal Report, Microsoft Excel, Microsoft
Word, Adobe Acrobat, and so on).
Where applicable, customize the schedule format options. For example,
if you select Paginated Text, enter the number of lines per page.
3. Click Next.

Adding extra files for programs


Some programs require access to other files in order to run.
1. Select a program.
2. Click Add to select the necessary file.
3. After you add all the necessary extra files for each program, click Next.
The Command line for Program dialog box appears.

356 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Publishing Objects to BusinessObjects Enterprise
Publishing with the Central Management Console 13
Specifying command line arguments
For each program, you can specify any command-line arguments that are
supported by your program’s command-line interface. They are passed
directly to the command-line interface without parsing.
1. Select a program.
2. In the Command line area, type the command-line arguments for your
program.
Note: Use the same format you normally use at the command line.
3. After you specify all necessary command-line arguments for each
program, click Next.

Finalizing the objects to be added


After you provide the required information for the objects, the Publishing
Wizard displays a list of all the objects that you chose to publish.
1. Ensure that all of the objects that you want to publish are on the list, and
click Next.
The objects are published to the CMS, scheduled, and/or run as
specified. Afterwards, you return to the final screen of the Publishing
Wizard.
2. To view the details of an object, select it from the list.
3. Click Finish to close the wizard.

Publishing with the Central Management


Console
If you have administrative rights to BusinessObjects Enterprise, you can
publish objects over the Web from within the Central Management Console
(CMC). Use the CMC to publish single objects or to perform administrative
tasks remotely.
To publish an object with the CMC
1. Go to the Objects management area of the CMC.
2. Click New Object.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 357


13 Publishing Objects to BusinessObjects Enterprise
Publishing with the Central Management Console

The New Object page appears.

3. On the left side of the page, select the type of object that you want to
publish.
4. Specify the properties of the object:
Note: The properties that appear vary according to the type of object
that you chose to publish.
• File name
Type the full path to the object, or click Browse to perform a search.
• Title
Type the name of the object.
• Description
Type a description for the object.
• Generate thumbnail for the report
If you are publishing a Crystal report, select this option if you want
users to see a thumbnail preview of the report in BusinessObjects
Enterprise.

358 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Publishing Objects to BusinessObjects Enterprise
Saving objects directly to the CMS 13
Note: To be able to display thumbnails for a report, open the report
in Crystal Reports and, on the File menu, click Summary Info. Select
the Save preview picture option, and click OK. Preview the first page
of the report and save your changes.
• Use Object Repository when refreshing report
Select this option if you want to refresh the repository fields of a
Crystal report against the repository every time the report runs.
• Program type
Select Executable, Java, or Script.
Note: Select Java for Java programs, Script for JScript and VBScript
programs, and Executable for all other program objects.
• URL
Type the URL of the page to which you want a hyperlink object to
link.
5. If you want to assign the object to a category, select the category from the
list.
6. Ensure that the correct folder name appears in the Destination field.
Tip: To expand a folder, select the folder, and click Show Subfolders.
7. Click OK.
When the object is published to BusinessObjects Enterprise, the CMC
displays the Properties screen. If necessary, you can modify properties such
as title, description, database logon information, scheduling information, user
rights, and so on for the object.

Saving objects directly to the CMS


If you have installed one of the Business Objects designer components, such
as Crystal Reports, Designer, or OLAP Intelligence, you can use the Save As
command to publish objects directly to BusinessObjects Enterprise from
within the designer.
For example, after you design a report in OLAP Intelligence, on the File
menu, click Save As. In the Save As dialog box, click Enterprise Folders;
then, when prompted, log on to the Central Management Server (CMS).
Specify the folder where you want to save the report, and click Save.
Desktop Intelligence documents can be published directly to the Central
Management Server using the File>Export to Repository command in the
Desktop Intelligence Designer.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 359


13 Publishing Objects to BusinessObjects Enterprise
Saving objects directly to the CMS

360 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to
BusinessObjects Enterprise

chapter
14 Importing Objects to BusinessObjects Enterprise
Importing information

Importing information
The Import Wizard is a locally installed Windows application that allows you to
import existing user accounts, groups, folders, and reports to your new
BusinessObjects Enterprise system. The Import Wizard runs only on
Windows, but you can use it to import information from a source environment
that is running on Windows or UNIX to a new BusinessObjects Enterprise
system that is running on Windows or on UNIX.
You can import information from any of these products:
• BusinessObjects Enterprise XI or XI R2
• Crystal Enterprise 8.5, 9, or 10
• Business Intelligence Archive Resource (BIAR) files
Note: A BIAR file is a packaged BI Application Resource. It is a portable,
deployable package of the contents of a BI Application that can be used
to easily deploy the entire set of interrelated content in a single simple
action. From a technical perspective, it is a ZIP file containing the
following:
• A Deployment Manifest (BusinessObjects.xml).
• A series of other compressed files for all of the reports, universes,
and other FRS objects contained in the BI Application.
• BusinessObjects 5.x or 6.x
Note: The Import Wizard migrates Application Foundation objects from
your 6.x deployment to performance management XI R2.
For information on migration from BusinessObjects 5.x/6.x, see the
BusinessObjects 5.x to XI Release 2 Migration Guide or the
BusinessObjects 6.x to XI Release 2 Migration Guide.
• Text files
Text files can be used to import users, groups and profiles or data source
credentials. See “Using text files with the Import Wizard” on page 411 for
further information.
The functionality provided by the Import Wizard varies, depending upon the
product from which you are importing information. In general, the Import
Wizard imports settings that are specific to each object, rather than global
system settings. For instance, a global “minimum number of characters”
password restriction is not imported. But a user-level “must change password
at next log on” restriction is imported with the user account.

362 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from Crystal Enterprise 14
The Import Wizard also has an option that allows you to control what happens
when you import an object that already exists in the destination environment.
This feature, know as incremental import allows you to decide whether or not
to overwrite object contents and object rights. You may want to use this
feature if the objects have changed or if passwords, profiles or group
memberships have changed since you imported them the first time. See
“Choosing an import scenario” on page 401.
For details, see the section for the product from which you are importing
information:
• “Importing information from Crystal Enterprise” on page 363
• “Importing Application Foundation objects” on page 367
• “Importing information from BusinessObjects 5.x or 6.x” on page 367
For procedural details, see “Using the Import Wizard” on page 387.
BusinessObjects documents
Desktop Intelligence (.rep,.rea,.ret) documents, previously known as
BusinessObjects “full-client” documents, are now supported in
BusinessObjects Enterprise XI R2. To migrate .rep documents you can use
the Import Wizard.

Importing information from Crystal Enterprise


If you have upgraded from Crystal Enterprise, use the Import Wizard to import
existing user accounts, groups, folders, report objects, and report instances to
BusinessObjects Enterprise XI.
You can also use the Import Wizard to import information from an existing
version XI installation to a new version XI R2. When doing so, you have the
additional option of importing calendars, events, repository objects, and
server groups. Events and server groups can also be imported from a version
8.5 or 9 installation.
When using the Import Wizard, if any of an object’s dependencies are not
imported, the wizard makes appropriate modifications to the object (in most
cases, the dependency is removed). For example, if a user has Full Control
rights on an object, but the user is not imported, the Full Control right for that user
is discarded when the object is imported. In the case of objects brought across
without their owners, the Administrator becomes the new owner of the objects.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 363


14 Importing Objects to BusinessObjects Enterprise
Importing information from Crystal Enterprise

As another, more involved example, User A owns an object and has Full
Control rights while User C has View rights on the same object. If User D runs
the Import Wizard and brings the object across along with User C, but not
User A, the object becomes owned by the Administrator: User A loses Full
Control rights, but User C still has View rights on the object.
Note: Always import users if you want to bring across the associated rights
for an object, even if the user already exists in the destination system. If the
user already exists, the Import Wizard maps all rights for the user on the
source system to the existing user on the destination system. If the user is not
brought across, all rights information for that user is discarded.

Importing objects from Crystal Enterprise


The following sections describe what happens to the objects that are
imported to XI R2. Generally, if the object will not overwrite an object that is
already in the BusinessObjects Enterprise system, then the Import Wizard
imports the object.

Users and groups


The Import Wizard imports users and groups and their hierarchical relationships.
A user or group is imported only if it does not exist already by name.
If you import a group that already exists in the destination environment, the
list of group members is updated with any additional users who were
members of the group in the source environment. These additional users are
added to BusinessObjects Enterprise if their accounts do not exist already.
User licensing can affect the behavior of the Import Wizard. If the source
environment uses Concurrent licensing, the wizard imports all users as
Concurrent Users. However, if the source environment uses Named User
licensing, the wizard first checks the number of Named User license keys in
the destination environment. If there are enough Named User licenses in the
destination environment, the wizard imports all users as Named Users. If
there are not enough Named User licenses in the destination environment,
the wizard imports all users as Concurrent Users. For more information about
licensing, see the BusinessObjects Enterprise Administrator’s Guide.
Note: BusinessObjects Enterprise XI does not include a New Sign-Up
feature. However, if your Crystal Enterprise source environment includes
users that belong to the New Sign-Up group, the group is migrated to the
destination BusinessObjects Enterprise XI environment.

364 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from Crystal Enterprise 14
Aliases
If a user in the destination system has an alias that is identical to a user who
is being imported, the destination user keeps all aliases, and the imported
user loses that particular alias.
Windows AD
When importing users that employ Windows Active Directory authentication,
ensure that the administrative credentials are the same on both the source
and destination systems. Active Directory authentication must also be
enabled on the destination system.
LDAP
When importing users that employ LDAP authentication, the Host list and Base
LDAP name need to be the same on both the source and destination systems.
LDAP authentication must also be enabled on the destination system.

Folders
Folders are imported, whether or not they exist already in the destination
environment. To ensure that existing folders are not overwritten, make sure
you choose the “Automatically rename top-level folders that match top-level
folders on the destination system.” option in the “Please choose an import
scenario” dialog box. When this option is selected, the Import Wizard
appends a number to the end of any duplicated folder names to indicate the
number of copies. For example, if you import a folder called Sales Reports
when a folder called Sales Reports already exists, then the imported folder is
added to BusinessObjects Enterprise with the name Sales Reports(2).

Report objects
The Import Wizard can import Crystal report objects only if they are based on
native drivers, ODBC data sources, OLAP data sources, Crystal Info Views,
or Business Views. You can import the report instances for each report object,
and the scheduling patterns that you have set up in the source environment
are imported automatically.
Supported reports are always imported with their parent folders, whether or
not they exist already in the destination environment. However, so as not to
overwrite existing folders, the Import Wizard appends a number to the end of
any duplicated folder names to indicate the number of copies.
When you import content from one deployment to another, you can ensure
that a particular user account retains ownership of its objects and scheduled
instances by importing the user along with the content. If you don’t import the
user account, the ownership properties of its objects and instances are reset

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 365


14 Importing Objects to BusinessObjects Enterprise
Importing information from Crystal Enterprise

to your current administrative account. In the SDK, ownership is reflected by


an object’s SI_OWNERID property and by a scheduled instances’s
SI_SUBMITTERID properties.

Rights
When you import folders and reports from one BusinessObjects Enterprise
system to another, the associated object rights are imported for every user or
group who is imported at the same time. If the user or group is not imported at
the same time, the object rights are discarded. For instance, suppose that you
import a report that explicitly grants View On Demand rights to the Everyone
group in the source environment—but you do not import the Everyone group.
In this case, the newly imported report in the destination environment will not
grant the same explicit rights to the Everyone group. Instead, the report
inherits any rights that have been set on its parent folder.
If you do import the appropriate user or group, and it already exists by name
in the destination environment, then the corresponding object rights are
imported and applied to the existing user or group. For instance, modifying
the example above, suppose that you import the report and the Everyone
group. In this case, the Import Wizard imports the object rights along with the
report. So the newly imported report in the destination environment will
explicitly grant the View On Demand right to the Everyone group.

Events and server groups


When you use the Import Wizard to import information from a Crystal
Enterprise 8.5 or later system, you have the additional option to import events
and server groups from the source environment.
When importing server groups, the wizard does not bring across the servers
that belong to that group. You need to manually add servers to the imported
group in the Central Management Console (CMC). For more information about
how to do this, see the BusinessObjects Enterprise Administrator’s Guide.
Note:
• When importing report objects associated with a server group, if the server
group exists on the destination system, the report objects are added to the
existing group and the source system’s server group is not imported.
• If you have jobs scheduled or pending on a server or server group that
you are importing, you might notice odd behavior on the destination
system with the individual jobs involved until they run or time out.
Objects that have server group restrictions lose the restrictions if the objects
are imported and the server group is not. For example, if a report is scheduled
to run only under server group A and that server group is not imported, the

366 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x 14
report loses that restriction and will run under any server group. You need to
import the server group at the same time as the objects that use it to keep the
relationship between them.
The same logic applies for events: if an object is set up to wait for an event or
to trigger an event, you need to import the event at the same time as the
object. Otherwise, the object is imported without the dependency and no
longer waits for, or triggers, the event.
Note:
• If Event A is being imported from the source system but there is already
an Event A on the destination system, and it is a different type (for
example, a File event instead of a Custom event), the wizard removes
the dependency on Event A from the object when it is imported.
• Events are based on Event Servers and, since servers are not imported,
you need to manually reset the event server and file name information on
the event in the destination system. Once this is set, the event should
work as expected.

Importing information from


BusinessObjects 5.x or 6.x
For information on importing information from BusinessObjects 5.x/6.x, see
the BusinessObjects 5.x to XI Release 2 Migration Guide or the
BusinessObjects 6.x to XI Release 2 Migration Guide.
If you have upgraded from BusinessObjects 5.x/ 6.x, you can use the Import
Wizard to import existing user accounts, groups, categories, Desktop
Intelligence, Web Intelligence documents, universes, connection objects,
universe restriction sets, and third-party documents to BusinessObjects
Enterprise XI Release 2.

Importing Application Foundation objects


The Import Wizard migrates Application Foundation objects from your 6.x
deployment to performance management XI R2. One of two things happen to
objects stored in the Application Foundation repository and locally on the
Application Foundation server:

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 367


14 Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x

• The objects are migrated to the performance management XI R2


repository.
The Import Wizard writes new tables and columns to the Application
Foundation repository during the upgrade. Business Objects strongly
recommends that you copy the source repository before migrating, and
that you run the Import Wizard on the copy of the source. This enables
you to keep your source environment intact during and after migration.
See the BusinessObjects 5.x to XI Release 2 Migration Guide or the
BusinessObjects 6.x to XI Release 2 Migration Guide for more
information on migrating the application foundation repository.
• The objects are imported and published by the Import Wizard to the XI
R2 Central Management Server (CMS).
As in previous versions, performance management relies on its own
dedicated repository as well as the Business Objects repository previously,
now the CMS. When you migrate Application Foundation 6.1 or 6.5 to
BusinessObjects Enterprise XI, you must run the Import Wizard to import
certain objects to the CMS. You must also upgrade the performance
management repository in the Import Wizard if you are migrating from version
6.x, or after completion of the Import Wizard in t
The Import Wizard publishes the following objects from Application
Foundation 6.1 and 6.5 as InfoObjects to the BusinessObjects Enterprise XI
CMS:
• Applications, menus and submenus.
• Corporate and personal dashboards.
• Corporate and personal analytics.
• Certain agnostic documents, including *.gif, *.bmp, *.png, *.jpg files used
in dashboards, Strategy Maps or Metric Trees, as well as SVG, *.xml and
*.swf, and *.csv used in custom calendar definitions.
• Schedules and events.
• Links in dashboards to analytics or corporate documents.
• Universes used in metric definitions or referenced by migrated
documents (and the corresponding connections).
For details on migrating Application Foundation, refer to the section called
“Understanding Application Foundation object migration” in the
BusinessObjects 5.x to XI Release 2 Migration Guide or the BusinessObjects
6.x to XI Release 2 Migration Guide.

368 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x 14
Limitations on importing objects
Legacy Web Connect documents can be opened in XI R2, but not edited or
refreshed.
When VBA macros from BusinessObjects 5.x/6.x are updated in XI R2, they
can no longer be used in previous versions.
XI R2 can open and use LOV (list of values), UDO (user-defined objects), and
.rea files from BusinessObjects 5.x/6.x. The Import Wizard does not import
UDOs because UDOs are not usually stored in a repository.

Before importing from Application Foundation


Before running the Import Wizard, check the integrity of the source
environment. Business Objects recommends that you do the following:
• Copy the source Application Foundation repository before migrating, and
run the Import Wizard on the copy of the source.
• Run the Scan and Repair utility on the BusinessObjects repository.
• Check the integrity of universes referenced by Application Foundation
objects (in Setup > System Setup > Tools).
• Check the version and integrity of the source Application Foundation
repository.
• Check the location of the Application Foundation storage folder.
• Check the location of the inbox and personal folders.
• Ensure that your database connections are valid.
• Ensure that the appropriate middleware is installed.
The Import Wizard assumes that the source environment is clean. The Import
Wizard cannot resolve problems present in the source environment during
migration.
For example, if there are inconsistencies between universe IDs in the
Application Foundation repository (in the ci_source table) and the
BusinessObjects repository, the source ID will not be correctly mapped to the
CUID (the cluster unique ID that is assigned to the universe) assigned by the
Import Wizard during import. Double-check that universes referenced in the
ci_source table have the same id in the BusinessObjects repository before
running the Import Wizard. For information on checking the integrity of the
source environment, see Best Practices for Migrating to BusinessObjects
Performance Management XI R2.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 369


14 Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x

For details on migrating Application Foundation, refer to the section called


“Understanding Application Foundation object migration” in the
BusinessObjects 5.x to XI Release 2 Migration Guide or the BusinessObjects
6.x to XI Release 2 Migration Guide.

Before importing from BusinessObjects 5.x/6.x


Before you use the Import Wizard to import data into the new XI R2 system,
you need to check that certain prerequisites are met.
• “Appropriate rights” on page 370
• “Data sources” on page 370
• “Folder mapping” on page 370
• “UNIX servers” on page 371
• “Locally stored objects” on page 371
• “Updating platforms and versions if required” on page 372

Appropriate rights
To use the Import Wizard, you must have the following rights:
• In BusinessObjects 5.x/6.x, you must have a General Supervisor profile
in the repository.
• In XI R2, you must belong to the Administrator group in the CMS.
• To import any resource into the CMS, you must have the rights needed to
add objects to the destination folder to which the resource is assigned.

Data sources
Create data sources on each destination server machine for every repository
domain in the source deployment. The name and configuration details for the
data sources must match the data sources in the source deployment.
Certain databases that can host a version 6.x repository are not supported for
an XI R2 repository. For the latest information, see the list of supported
platforms at:
http://support.businessobjects.com/supported_platforms_xi_release2/

Folder mapping
On the Import Wizard machine, map the drives to the source environment
directories containing the deployment’s .key files, personal documents and
categories, and users’ Inboxes:
• $INSTALLDIR\locData for access to 5.1.x .key files

370 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x 14
• $WISTORAGEDIR\user if you are importing personal documents and
categories
• $WISTORAGEDIR\mail if you are importing the read content of users’
Inbox folders
• $INSTALLDIR\nodes\<nodename>\<clustername>\locdata for access to
6.x .key files
• $INSTALLDIR\nodes\<nodename>\<clustername>\storage\user if you
are importing 6.x personal documents and categories
• $INSTALLDIR\nodes\<nodename>\<clustername>\storage\mail if you
are importing the read content of 6.x users’ Inbox folders

UNIX servers
If your XI R2 server runs on UNIX, you need to install the Import Wizard on a
separate Windows machine. You will also need to use a third-party utility to
map Windows drives to UNIX.
For example, see the Microsoft documentation on “Interoperability with UNIX/
Planning and Installing Services for UNIX on Windows 2000 Professional.” As
of this writing, the URL is:
http://www.microsoft.com/resources/documentation/Windows/2000/server/
reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/
server/reskit/en-us/prork/prci_unx_houn.asp
Import ing Inbox and personal files from one UNIX environment to
another
To import Inbox and personal files from one UNIX environment to another,
you must tar the source files from each cluster node, then unzip them into
folders on the Import Wizard Windows machine before running the import.
On the Import Wizard machine, map drives to the local folders containing the
unzipped source environment directories.

Locally stored objects


Objects that you are planning to import to the destination environment using
the Import Wizard must reside in the BusinessObjects 5.x/6.x repository.
If objects are stored locally on users’ computers, you must make sure the
users export the objects to the repository before you begin the import.
Tip: Create a specific category to store local content.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 371


14 Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x

Updating platforms and versions if required


For performance or support reasons, you may be required to update various
components (operating system, web server, application server, web
browsers, databases, etc.) in your Business Intelligence environment either to
more recent versions, or to different platforms altogether.
Business Objects recommends reading the official list of supported platforms
carefully for the most up-to-date support information. You can find it at:
http://support.businessobjects.com/supported_platforms_xi_release2/

Migrating to a different repository database


The databases supported as repository databases in BusinessObjects 5.x/6.x
may not be supported as CMS databases in version XI R2.
Nonetheless, the Import Wizard can import objects from any supported type
of source repository database seamlessly into any supported CMS repository
database.

Migrating query databases


All data access is kept from BusinessObjects 5.x/6.x. Connection Server is an
integral part of BusinessObjects Enterprise XI R2, and all the databases it
supported in BusinessObjects 5.x/6.x continue to be supported in the new
environment. Check the list of supported platforms at http://
support.businessobjects.com/supported_platforms_xi_release2/, however,
for the specifically supported driver versions.
All connectivities supported for BusinessObjects 5.x/6.x are not necessarily
supported for version XI R2. Check the list of supported platforms at http://
support.businessobjects.com/supported_platforms_xi_release2/ for detailed
information.
If you do not migrate data in unsupported database platforms to a supported
platform, universes based on them will not work in the destination
environment.

Stopping and starting servers


• Stop all servers in the source deployment.
• Start the following servers in the XI R2 deployment:
• Central Management Server
• Input File Repository Server and Output File Repository Server

372 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x 14
What kinds of objects can be imported?
The table below summarizes the types of objects the Import Wizard can
migrate, as well as those it cannot.

Import Wizard can migrate: Import Wizard cannot migrate:


Users and user groups Individual LDAP users (inbox and
personal)
Inbox, personal, and corporate BusinessQuery
documents
Third party documents (such as .pdf, Web Intelligence OLAP
.ppt, .doc)
Universes Custom applications and interfaces
created using the SDK
Connections InfoView personal settings
Stored procedures BusinessObjects Auditor
Broadcast Agent Scheduler tasks Broadcast Agent Scheduler tasks
that are supported in XI R2 that are not supported in XI R2
Personal and corporate categories Broadcast Agent Publisher tasks
Application Foundation 6.x objects BusinessObjects Services
Administrator settings
Third party documents used by Administration Console settings and
Application Foundation objects (such some user settings (such as
as .svg, .xml, .gif) timestamps

Note: The Import Wizard can import objects only if they are located in the
repository or in personal and inbox folders.

Importing objects from BusinessObjects 5.x/6.x


The following sections describe what happens to objects that are imported
from BusinessObjects 5.x/6.x into XI R2.
By default, the Import Wizard does not overwrite objects with the same name
that are already stored in the XI R2 database.
In general, the Wizard imports settings that are specific to each object, rather
than global system settings.
The Import Wizard can migrate most document types from BusinessObjects
5.x and 6.x to XI R2. This section provides information on the following
document-migration related topics:

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 373


14 Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x

• “Inbox, personal and corporate documents” on page 374


• “BusinessObjects documents” on page 375
• “Web Intelligence documents” on page 377
• “Third-party documents” on page 378
• “When documents contain no locale” on page 378
For details, see the BusinessObjects 5.x to XI Release 2 Migration Guide or
the BusinessObjects 6.x to XI Release 2 Migration Guide.
Inbox, personal and corporate documents
You can import these types of documents:
• “Inbox documents” on page 374
• “Personal documents” on page 374
• “Corporate documents” on page 375

Inbox documents
In BusinessObjects 5.x/6.x, Inbox documents are stored in the repository until
recipients have read them. When a document has been read by a given user,
it is copied to the user’s Inbox folder . See “Folder mapping” on page 370 for
information on the location of these documents in each version. After all
recipients have read them, the documents are removed from the repository.
The Import Wizard will import both read and unread Inbox documents to XI
R2; therefore, you will have to specify the location of the mail folder.
The documents are migrated to XI R2 users’ Inbox folders in the CMS.
Documents inherit the rights of the 5.x/6.x Inbox folder.
The above two paragraphs seem contradictory to me...
If the Inbox contains duplicate documents, they are also migrated to the FRS.
To import 5.x/6.x Inbox documents that reside on a UNIX machine, you need
to map a drive from the Windows server running the Import Wizard to the
directories on the UNIX machine containing the documents.

Personal documents
In BusinessObjects5.x/6.x personal documents are imported to the user’s
Favorites folder in the destination CMS. Documents inherit the rights of this
folder. See “Folder mapping” on page 370 for information on the location of
these documents in each version. The document owner and the Business
Objects Administrator have access to these documents. Personal or
Corporate categories that referred to these documents in 5.x/6.x continue to
refer to them in XI R2.

374 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x 14
To import 5.x/6.x personal documents that reside on a UNIX machine, you
need to map a drive from the Windows server running the Import Wizard to
the directories on the UNIX machine containing the documents.

Corporate documents
In BusinessObjects 5.x/6.x corporate storage is mapped to the Public Folders
folder in the XI R2 CMS repository. Corporate documents are saved in this
folder after the import.
Each domain is migrated as a folder in the Public folder of the CMS
repository.
If your 5.x/6.x repository was a distributed one, all the domains are imported
into a single place.

BusinessObjects documents
When you import a 5.x/6.x BusinessObjects (.rep) document to XI R2, the
following occur:
• The universe ID pointer is updated so that it references a universe in the
CMS.
• An InfoObject is created in the CMS for this document and for the saving
of this document.
• Properties are updated and displayed in the CMC.
BusinessObjects template (.ret) documents do not contain cubes or a
connection to a universe; therefore, all that occurs is:
• The locale of the document is updated.
• An InfoObject is created in the CMS.

Converting BusinessObjects documents


To convert 5.x/6.x .rep documents to .wid format, you can use the Report
Conversion Tool, delivered with the XI R2 suite. Alternatively, you can use the
Report Conversion Tool to convert .rep documents to .wqy (Web Intelligence
2.x) format. Then, the Import Wizard converts them from .wqy to .wid. See the
Report Conversion Tool Guide for more information.
Note: .wid documents for which there is no universe (so-called orphan
documents) can be imported into XI R2.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 375


14 Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x

BusinessObjects document rights


If you migrate security during the import of BusinessObjects documents,
BusinessObjects 5.x/6.x security commands are converted to XI R2
application-level and document-level rights. Some commands have been
eliminated and others renamed.
Note: In XI R2, the Administrators group has Full-Control access to
documents and the Everyone group has View access.
For a detailed summary of how BusinessObjects security commands are
migrated, see the BusinessObjects 5.x to XI Release 2 Migration Guide or the
BusinessObjects 6.x to XI Release 2 Migration Guide.

Limitations
Keep in mind the following limitations when you import BusinessObjects
documents:
• XI R2 can read BusinessObjects 5.x/6.x .rep documents, but after you
save these documents in XI R2, they can’t be read by BusinessObjects
5.x/6.x of the software.
• BusinessObjects 5.x/6.x cannot open XI R2 Desktop Intelligence
documents.
• OLAP data providers are not supported in XI R2.
BusinessObjects 5.x/6.x documents based on an OLAP data provider are
view-only in XI R2.
• In XI R2, there is no document password protection on the server side.
• XI R2 Desktop Intelligence cannot access a BusinessObjects 5.x/6.x
repository.
BusinessObjects SDK
The platform-related portion of the BusinessObjects SDK has evolved, which
means that code developed for 5.1/6.x will require updates for platform
interactions (authentication, send document, receive document).
Send to Users and Send to Broadcast Agent Server are not available in XI
R2. Instead, you need to use the Platform COM SDK.
The server-side report engine is not multi-document. This means that add-ins
will not be loaded on the server. For example, for a document based on a
custom data provider (DPVBAInterface) implemented in an add-in, refresh will
fail.

376 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x 14
Calculator changes
XI R2 uses a different report engine than BusinessObjects 5.x/6.x; therefore,
there are differences in the way the calculator is handled and there may be
issues with BusinessObjects documents after they are imported to XI R2.
See the BusinessObjects 5.x to XI Release 2 Migration Guide or the
BusinessObjects 6.x to XI Release 2 Migration Guide for more information.

Web Intelligence documents


The Import Wizard can import Web Intelligence documents in .wid format
only. It can, however, convert .wqy (Web Intelligence 2.x) documents to .wid
format before importing them. The .wid documents can then be used in XI R2.
When you import a Web Intelligence document, the following occur:
• Universe ID is updated so that it references a universe in the CMS.
• IDs in the Web Intelligence documents, universes, and connections are
converted to cluster unique identifiers (CUIDs), which will distinguish
these objects from objects subsequently imported from the source
environment.
• An InfoObject is created in the CMS for this document and for the saving
of this document.
• Properties are updated.
• If a .wqy and .wid document have the same name, they are both
imported, but the .wqy document is renamed to <name of
document>_WQY.wid.

Web Intelligence rights


If you choose to migrate security, all security commands in BusinessObjects
5.x/6.x Web Intelligence documents are migrated to XI R2.
A number of rights are new in Web Intelligence XI R2. For example:
• Edit SQL
• Allow user to merge dimension for synchronization
• Interactive Editing rights
The BusinessObjects 5.x/6.x security command Allow use of the
WebIntelligence HTML Report Panel has been renamed to Enable Query -
HTML. After it is migrated, set it to Denied.

Limitations
There may be an issue with the migration of the following .wqy features to
.wid:

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 377


14 Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x

• Autofit/Column width/Wrap text


There may be a difference in the column widths.
• Locale
In some Web Intelligence 2.x versions, locale was not stored in the .wqy file. If
no locale is found in the .wqy file, the Import Wizard prompts you for a locale.

Third-party documents
BusinessObjects 6.x supports third-party (also known as “agnostic”)
documents. The Import Wizard imports these documents into XI R2 if the
format is supported. Formats supported in XI R2 include Adobe Acrobat PDF;
Microsoft Power Point, Word, RTF, and Excel; and *.txt documents.
For the most up-to-date list of supported formats for third-party documents,
see the list of supported platforms.

When documents contain no locale


In the 5.x/6.x repository, it is possible that some .wqy and .rep (as well as
associated .rea and .ret files) documents do not store their locale. To set the
locales in these documents when they are saved in the CMS after their
conversion into XI R2 format, the Import Wizard asks for the following default
locales:
• The document’s locale
• The locale of the machine used to create the document
Once you select these locales, they are stored in the document itself when it
is imported to the CMS. The default locales apply to all documents in the
current import without locales. Applying wrong locales to a document may
cause difficulties; for example, the date or currency may be incorrectly
displayed.
If the repository contains documents with different locales, it is best practice to
run the import step by step (one step for each document language) in order to
avoid, for example, setting a default English locale for a Japanese document.

Importing Broadcast Agent jobs


This section provides information on migrating Broadcast Agent jobs. It
covers the following topics:
• “About migrating Broadcast Agent jobs” on page 379
• “Task scheduling options” on page 379
• “Associated universes” on page 380

378 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x 14
About migrating Broadcast Agent jobs
A Broadcast Agent job can be migrated from BusinessObjects 5.x/6.x to XI
R2 only if the job is supported in XI R2. If a job contains non-supported
elements or features, you must drop the feature or recreate it in the 5.x/6.x
system so that it is consistent with the XI R2 platform. You can also recreate
non-migrated jobs in XI R2 using the CMC’s scheduling features.
In XI R2, the first action for scheduled documents is always a refresh.
Therefore, a job can be imported from 5.x/6.x only if its first action is a refresh.
A job cannot be imported if it has any of the following attributes:
• Multiple outputs
• Conditional processing
• Custom macros
Note: You can have embedded VBA macros (those that include calls to
the platform, such as Login or Logout, will need to be updated).
• Report bursting (“refresh with the profile of each recipient”)
• Saved in XML, RTF, HTML, or TXT format

Task scheduling options


The following 5.x/6.x task scheduling options (in either BusinessObjects or
Web Intelligence) are not supported in XI R2:
Daily
• Week periodicity
Weekly
• Week periodicity
Monthly interval
• Business day
• Weekend day
• Month periodicity
User-defined
• Weekday
• Business day
• Weekend day
Note: The migrated document may be assigned a different periodicity in XI
R2.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 379


14 Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x

File Watcher
Although the Import Wizard will transfer File Watcher details to the Event
Server, deletes set in Broadcast Agent 6.x may not function in XI R2. You can
set these deletes in Broadcast Agent 6.x:
• Delete the file each time the task starts.
• Delete the file only if the task succeeded.
• Delete the file after execution of the task.

Associated universes
When you import scheduled documents from 5.x/6.x, you must also import
the universes used by these documents. As the universes are not selected
automatically during the import, you must manually select the ones you need
for Broadcast Agent jobs if you are not importing all your universes.

How scheduled documents are migrated


The way scheduled documents are migrated varies, based on whether the job
schedules a document in Corporate or Inbox.

Corporate
If the document is not already imported in the domain or is not imported at the
same time to the CMS, then the job is not migrated. Verification is performed
by comparing the CUIDs.
Otherwise, the Import Wizard creates an instance of this document using the
schedule parameters of the original job.
• No ACL is set at this instance level. The instance inherits the ACL set at
the document level.
• If the document has been scheduled several times in Corporate, then the
same number of instances are created

Inbox
If the sender of the original schedule already exists in the CMS or if the
sender is migrated at the same time, then the following occurs:
• The Import Wizard imports the scheduled document into the Favorites
folder of this user in the CMS. A folder named Scheduled migrated
documents/<BCA Name> is created under Favorites.
• The document is renamed to <doc_name>_<docID>.<ext> .
• An instance is created for the document using the schedule parameters
of the original job.

380 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x 14
• No ACL is set at this instance level. The instance inherits the ACL set at
the folder level.
• The recipients (user or group) of the schedules are the recipients of the
original schedule, if they already exist in the CMS or if they are migrated
at the same time (name is verified).
If the sender of the original schedule does not exist in the CMS, the following
occurs:
• The Import Wizard imports the scheduled document into Public Folders/
Scheduled migrated documents/<BCA name>.
• The document is renamed to <doc_name>_<docID>.<ext> .
• An instance is created for this document using the schedule parameters
of the original job.
• No ACL is set at this instance level. The instance inherits the ACL set at
the folder level.
• The recipients (user or group) of the schedules are the recipients of the
original schedule, if they already exist in the CMS or if they are migrated
at the same time (name is verified).

Migrating documents with identical names


Sometimes, when a document with an associated job is migrated, a
document with the same name already exists in the destination folder. The
system manages these documents differently, depending on whether you are
migrating in Merge mode or Update mode.
Merge mode
If a document with the same name as the 6.x document exists in the
destination folder, a new folder is created. For example, for the 5.x/6.x
document Annual.rep being migrated into the folder named Agent, a new
folder named Agent(2) is created, and Annual.rep is reposted within Agent(2).
The document name and instance name do not change.
Update mode
The document ID is checked in the CMS. If an older document exists, it is
updated with the properties of the newly migrated document. The instances
are also replaced by the newly migrated schedules. The schedules and the
instances are identified by the ID received in the Scheduled Jobs table of the
repository.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 381


14 Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x

Universes and universe connections


This section contains information on using the Import Wizard to import
universes and universe connections. It covers the following topics:
• “Importing universes and connections” on page 382
• “Options for importing universes and connections” on page 382
• “Configuring connections” on page 383

Importing universes and connections


The Import Wizard will import universes from a 5.x/6.x deployment into a XI
R2 deployment. During this process, the relationship between universes,
connections, and Web Intelligence documents is maintained. The IDs in the
web intelligence documents, universes, and connections will be converted to
cluster unique identifier (CUIDS) and the relationship preserved.
When you import BusinessObjects Enterprise 5.x/6.x universes, the
associated connections are imported automatically. They are converted into
connection objects.
• The Import Wizard imports any associated connection objects.
• The connection is saved in the FRS and an InfoObject is created in the
CMS.
• The universe and its linked documents are copied into the FRS.
• Universe overloads defined in 5.1/6.x, if migrated, are mapped to access
restrictions in XI R2.
• ACEs are created to migrate universe-related security commands.
• The locale is preserved.This is the process when a universe is imported.

Options for importing universes and connections


The information below was formerly presented in a table.
The Import Wizard has three modes for importing universes:
• Import all universes and all connection objects
Note: This option does not permit you to select individual universes or
connections.
• Import all universes and only connection objects used by these universes
• Import the universes and connections that the selected Web Intelligence
and BusinessObjects documents use directly
Note: This option enables you to select additional universes to import,
even if they are not used by any document.

382 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x 14
When you select a Web Intelligence or BusinessObjects document to import,
the Import Wizard automatically selects the associated universes for import. It
does not do this, however, for universes used by scheduled documents
(Broadcast Agent jobs). This means that if you are not importing all your
universes, you must manually select the ones you need for Broadcast Agent
jobs.
Note: The Import Wizard also imports any universes with the same name
that exist in other domains.
BusinessObjects documents may have been created outside the repository,
using a “short name”; that is, a reference to a universe stored on a local
machine. If the universe has a short name, its linked documents may not be
imported if more than one universe is found in the CMS with the same short
name.
Universe domains are converted into subfolders under the Universe folder.
Each universe folder is named after the corresponding BusinessObjects 5.x/
6.x universe domain. When you import a universe from a domain, it is placed
in the corresponding domain folder.
If the universe is a derived universe, then all relevant core universes and their
connections are also imported.
Note: Designer 5.x/6.x cannot open universes created with Designer XI R2,
due to a file format change.

Configuring connections
When you import BusinessObjects 5.x/6.x universes, the associated
connections are imported automatically. They are converted into connection
objects.
Make sure that the Import Wizard can access the 5.x/6.x database the same
way that BusinessObjects 5.x/6.x accesses it. You may need to install
database drivers or configure connection settings on the machine.
For example, if you import SQL Server connection objects from a 5.x/6.x
source environment, you must configure the connections on the destination
machine via the Control Panel before you import the connection objects. You
must use the same name and settings as the connection used on the source
machine when you created the domain key.

BOUSER/BOPASS
In BusinessObjects 5.x/6.x, users could use @Variable('BOUSER') and
@Variable('BOPASS') in the connection information for the universe. The
variables were replaced at runtime with the user’s enterprise username and
password, and used to log on to the database.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 383


14 Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x

For security reasons, XI R2 does not permit the retrieval of users’ passwords.
Therefore, universe connections that previously used the BOUSER and
BOPASS variables associated with the BusinessObjects user name and
password must now use database credentials (DBUSER and DBPASS).
Those database credentials can be populated by the Import Wizard and later
edited in the CMC, on the Properties tab for each user account.
When migrating, Import Wizard automatically does the following:
• Replaces BOUSER and BOPASS with DBUSER and DBPASS in
universes.
• Proposes automatically populating these variables for users to migrate.
You can, however, re-synchronize if users change their passwords.
Synchronizing enterprise and database credentials
There are three ways to synchronize enterprise and database credentials in
the XI R2 system:
• Choose the Import Wizard option that batch imports user names and
passwords from BusinessObjects 5.x/6.x to auto-populate database
credentials in XI R2.
• Run a batch upload of a user’s file.
User names and passwords are loaded from a file, stored and used as
database credentials.
• Create a custom application using Enterprise SDK to set DBUSER and
DBPASS information.

Importing access restrictions


In a BusinessObjects5.x/6.x system, access restrictions (that is, object
restrictions, table mapping, and row restrictions) are defined with the
Supervisor application and associated with users and groups. A user who
belongs to multiple groups is said to have multiple user instances (one
instance per group).
Note: Universe overloads in BusinessObjects 5.x/6.x are called access
restrictions in XI R2. They are managed in Designer.
The Import Wizard enables you to import all access restrictions that are
associated with the imported universes for any of the selected users and
groups being imported. If no principal users or groups are selected for import,
no access restrictions are imported and none are created.

384 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x 14
The imported access restrictions are converted into objects. They remain
connected to the universes to which they were connected in the source
environment. The Import Wizard may create additional access restrictions in
the destination environment in order to preserve the restrictions for all
imported users.
Connections for access restrictions are not migrated automatically. You must
manually migrate these connections.
Access restrictions are migrated using both object names and object IDs to
identify universe components.

Access restriction aggregation


In both BusinessObjects 5.x/6.x and XI R2, there are two types of access
restrictions: exclusive and non-exclusive. Row restrictions are combined
using the AND operator, while object restrictions and compatible table
mappings are aggregated.
Exclusive access restrictions require a different mechanism. The Import
Wizard deduces a global ordering of groups for each universe, based on the
access restrictions prior to migration. For a given user, the Wizard considers
the set of parent groups of that user and, in that set, the group with the
highest priority determines which restriction set gets applied to that particular
user.

Access restriction collapsing


Sometimes the global group ordering that is deduced during migration cannot
account for all of the individual user priority settings in BusinessObjects 5.x/
6.x. In this case, access restrictions will be collapsed, meaning that the
effective BusinessObjects 5.x/6.x access restriction will be copied onto the
user, which always has highest priority. This means that there might be more
access restrictions in the destination than in the source environment

Importing stored procedures


In BusinessObjects 5.x/6.x, you can allocate stored procedures to users; in XI
R2, Use Connection for Stored Procedures is introduced as a new right for
the connection object. During the import, for all stored procedures accessible
to a user, an ACE (Access Control Entry) is created for the user, with a
corresponding connection. Stored Procedures Access is enabled and the
ACE is set to Granted.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 385


14 Importing Objects to BusinessObjects Enterprise
Importing information from BusinessObjects 5.x or 6.x

Importing folders, domains, and categories


You select the domains and documents you want to import into XI R2. When
you select a document, the document's domain is also imported. Documents
and universes cannot be imported without importing the domain.
BusinessObjects 5.x/6.x document and universe domains are saved as sub-
folders in the Public Folder of the CMS of XI R2. Objects corresponding to the
universes and documents contained in the domains are imported to these
folders.
If you have chosen to import security, access rights are preserved. User and
group access to the folders are equivalent to the rights they had on the
BusinessObjects 5.x/6.x domains.
XI R2 preserves the hierarchy of subcategories. Corporate (or administrative)
categories are imported as categories under the Categories folder. For each
imported user, selected personal categories are imported to a new subfolder
(named after the user) under the Personal Categories folder.
You can select individual Corporate categories and import Web Intelligence
documents grouped by Corporate category. Personal categories, however,
can be imported only as part of the batch import.

Users and groups


All existing BusinessObjects 5.x/6.x users and groups can be migrated to
BusinessObjects Enterprise XI. Users are imported into the BusinessObjects
Enterprise repository. For each BusinessObjects 5.x/6.x user,
BusinessObjects Enterprise XI creates a user folder, a personal category, and
an Inbox folder.
User profiles from BusinessObjects 6.x are mapped to default groups in
BusinessObjects Enterprise XI as follows:

BusinessObjects 5.x/6.x user BusinessObjects Enterprise XI


profile default group
• All user profiles Added to the Everyone group.
• General Supervisor Added to the Administrators group.
• Supervisor Granted appropriate rights on all
imported objects, but not added to
the Administrators group.
• User/Versatile Added to the Everyone group.

386 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14
Whenever possible, BusinessObjects 6.x security settings are preserved in
BusinessObjects Enterprise XI. If a BusinessObjects 6.x right does not map
exactly to a BusinessObjects Enterprise XI right, the right will not be granted
to the user.
Note:
• The Import Wizard migrates external user groups (LDAP or Windows AD
user groups, for example).

Using the Import Wizard


The Import Wizard provides a series of screens that guide you through the
process of importing user accounts, groups, folders, and reports. The screens
that appear depend on the source environment and the types of information
that you choose to import.
When you import information, you first connect to the Central Management Server
(CMS) of your existing installation (the source environment) and specify the CMS
of your new BusinessObjects Enterprise system (the destination environment).
You then select the information that you want to import, and the Import Wizard
copies the requested information from the source to the destination.
You can choose to merge the contents of the source repository into the
destination repository, or you can update the destination with the contents of
the source CMS.
Before starting this procedure, ensure that you have the Administrator
account credentials for both the source and the destination environment.
The overall process is divided into the following procedures:
• “Specifying the source environment” on page 388
• “Specifying the destination environment” on page 394
• “Selecting the type of objects to import” on page 395
• “Selecting specific objects to import” on page 402
• “Finalizing the import” on page 410
Note:
• If you are migrating from BusinessObjects 5.x or 6.x, see the
BusinessObjects 5.x to XI Release 2 Migration Guide or the
BusinessObjects 6.x to XI Release 2 Migration Guide for detailed Import
Wizard instructions.
• The process of importing users, groups and profiles from a text files is a
less complex task. Both the format for the text file and the procedure are
outlined in “Using text files with the Import Wizard” on page 411.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 387


14 Importing Objects to BusinessObjects Enterprise
Using the Import Wizard

Specifying the source environment


These procedures show how to specify a source environment on the initial
screen of the Import Wizard.
• “Specifying a BusinessObjects 5.x source environment” on page 388
• “Specifying a BusinessObjects 6.x source environment” on page 389
Note: This includes Application Foundation.
• “Specifying a Crystal Enterprise 8.5 source environment” on page 391
• “Specifying a Crystal Enterprise 9 source environment” on page 392
• “Specifying a Crystal Enterprise 10 source environment” on page 392
• “Specifying a BusinessObjects Enterprise XI or XI R2 source
environment” on page 393
• “Specifying a BIAR file or Text file as your source environment” on
page 393

Specifying a BusinessObjects 5.x source environment


To specify a BusinessObjects 6.x source environment
1. Start the Import Wizard. From the Start menu, select Programs >
BusinessObjects > BusinessObjects Enterprise > Import Wizard.
The Import Wizard dialog box appears.
2. Click Next.
The Source Environment dialog box appears.
3. Choose BusinessObjects 5.x from the Source list.
Note: If your source environment is on UNIX server, you should map the
UNIX server to your local machine before you start the Import Wizard.
4. Type the User Name and Password that provides you with
administrative rights to the source environment.
Note: You must have a General Supervisor profile in the repository.

5. In the Domain Key File field, type or browse for the path to the .key file
you created for the repository in your source environment.
6. Click Next.
The Destination Environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.

388 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14
Specifying a BusinessObjects 6.x source environment
To specify a BusinessObjects 6.x source environment
1. Start the Import Wizard. From the Start menu, select Programs >
BusinessObjects > BusinessObjects Enterprise > Import Wizard.
The Import Wizard dialog box appears.
2. Click Next.
The Source Environment dialog box appears.
3. Choose BusinessObjects 6.x from the Source list.

4. Type the User Name and Password that provides you with
administrative rights to the source environment.
Note: You must have a General Supervisor profile in the repository.
5. If you want to import Application Foundation objects proceed to
“Specifying the Application Foundation source information” on page 389.
6. If you do not want to import Application Foundation objects, make sure
the Import Application Foundation Contents check box is not
selected, and then click Next.
7. The Destination Environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.
Specifying the Application Foundation source information
This procedure assumes you have completed the step “Specifying a
BusinessObjects 6.x source environment” on page 389.
To specify the Application Foundation source information
1. Select the Import Application Foundation contents check box on the
Source Environment dialog box, and then click Next.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 389


14 Importing Objects to BusinessObjects Enterprise
Using the Import Wizard

Note: You can import Application Foundation objects only if you selected
BusinessObjects 6.x (or XI) in the Source list. If you import Application
Foundation objects, the Import Wizard displays additional screens and
options.
The Import Wizard verifies the following:
• The connection to the repository.
• The credential.
• The validity of the General Supervisor login.
• The repository version.
2. In the Dashboard files section of the Application Foundation source
screen, browse to the location of the Application Foundation storage
folder.
By default, it is $INSTALLDIR/Application Foundation/server/conf.
3. In the Application Foundation source repository section, indicate the
repository’s details using one of the following methods:
• Check the Use conf file option.
This option allows you to specify the location of the AF config file that
contains the repository database information rather than entering it
manually.
Note: If you check this option, the option to upgrade the AF
repository in this Import Wizard session will be grayed out. You can
only use this option to point to the source repository connection if you
are not planning to upgrade the repository using this connection. It is
highly recommended that you upgrade a copy of the source
repository, and that you point to the connection to the copy when you
upgrade the repository.
• Manually enter the following information:
• The name of the source repository.
• The database engine.
• The network layer of the source repository.
• The user name and password to access the database.
Note: The user name and password you type must belong to an
Administrator profile. It is highly recommended that you upgrade a
copy of the source repository, and that you point to the connection to
the copy when you upgrade the repository.
4. Click Next.
The Application Foundation Repository Update dialog box appears.

390 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14
5. Select one of the following options:
• Yes to update the repository in the Import Wizard
• No to skip the repository update and migrate the repository later
Note: If you want to perform the migration in several steps, the
Application Foundation repository must be updated at the end of the
migration process. You can only update the repository once. If you
are migrating rules and schedules, you must migrate them in the
same Import Wizard session as the repository update. If you choose
not to upgrade the repository, you cannot import rules and
schedules. In addition, if you choose not to upgrade the repository,
your repository connections will not be active on the migrated
environment.
6. Click Next.
• If you chose not to upgrade the repository, a dialog box listing the
objects you can import appears. Click Next to continue.
• If you chose to upgrade the repository, a warning screen appears.
You must acknowledge that you have read the warning by checking
the “I understand. I want to continue.” box to proceed with the
repository upgrade.
The Destination Environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.

Specifying a Crystal Enterprise 8.5 source environment


To specify a Crystal Enterprise 8.5 source environment
1. Start the Import Wizard. From the Start menu, select Programs >
BusinessObjects > BusinessObjects Enterprise > Import Wizard.
The Import Wizard dialog box appears.
2. Click Next.
The Source Environment dialog box appears.
3. Choose Crystal Enterprise 8.5 from the Source list.
4. Enter either the name of the source CMS in the CMS Name field or the
name of the source APS in the APS Name field.

5. Type the User Name and Password that provide you with administrative
rights to the source environment.
6. Click Next.
The Destination Environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 391


14 Importing Objects to BusinessObjects Enterprise
Using the Import Wizard

Specifying a Crystal Enterprise 9 source environment


To specify a Crystal Enterprise 9 source environment
1. Start the Import Wizard. From the Start menu, select Programs >
BusinessObjects > BusinessObjects Enterprise > Import Wizard.
The Import Wizard dialog box appears.
2. Click Next.
The Source environment dialog box appears.
3. Choose Crystal Enterprise 9 from the Source list.
4. Enter either the name of the source CMS in the CMS Name field or the
name of the source APS in the APS Name field.

5. Type the User Name and Password that provide you with administrative
rights to the source environment.
6. Click Next.
The Destination environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.

Specifying a Crystal Enterprise 10 source environment


To specify a Crystal Enterprise 10 source environment
1. Start the Import Wizard. From the Start menu, select Programs >
BusinessObjects > BusinessObjects Enterprise > Import Wizard.
The Import Wizard dialog box appears.
2. Click Next.
The Source environment dialog box appears.
3. Choose Crystal Enterprise 10 from the Source list.
4. Enter either the name of the source CMS in the CMS Name field or the
name of the source APS in the APS Name field.

5. Type the User Name and Password that provide you with administrative
rights to the source environment.
6. Click Next.
The Destination Environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.

392 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14
Specifying a BusinessObjects Enterprise XI or XI R2 source environment
To set the source environment
1. Start the Import Wizard. From the Start menu, select Programs >
BusinessObjects > BusinessObjects Enterprise > Import Wizard.
The Import Wizard dialog box appears.
2. Click Next.
The Source environment dialog box appears.
3. Choose BusinessObjects Enterprise XI or BusinessObjects Enterprise XI
R2 from the Source list.
4. Enter either the name of the source CMS in the CMS Name field or the
name of the source APS in the APS Name field.

5. Type the User Name and Password that provide you with administrative
rights to the source environment.
6. Click Next.
The Destination Environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.

Specifying a BIAR file or Text file as your source environment


This section explains how to import from a Text or BIAR file. For details, on
how to structure your text files so the Import Wizard can import them, see
“Using text files with the Import Wizard” on page 411.
To specifying a BIAR file or Text file as your source
1. Start the Import Wizard. From the Start menu, select Programs >
BusinessObjects > BusinessObjects Enterprise > Import Wizard.
The Import Wizard dialog box appears.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 393


14 Importing Objects to BusinessObjects Enterprise
Using the Import Wizard

2. Click Next.
The Source environment dialog box appears.
3. Choose either Business Intellignece Archive Resource (BIAR) File or
Text file from the Source list.
4. Enter the location of the file in the BIAR file or Import file field, and then
click Next.

The Destination Environment dialog box appears. Proceed to “Specifying


the destination environment” on page 394.

Specifying the destination environment


This procedure shows how to specify a destination environment.
To set the destination environment
1. Choose the destination environment in which to export.
• If you want to export to a CMS
a. Type the name of the destination environment’s Central
Management Server in the CMS Name field.
b. Type the User Name and Password of an Enterprise account
that provides you with administrative rights to the
BusinessObjects Enterprise system.
c. Click Next.

394 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14

• If you want to export to a BIAR file, specify the name and location
where you want the BIAR file to be stored.
Note: This option only applies if your source environment is XI R2.

2. Click Next.
The Select Objects to import dialog box appears.

Selecting the type of objects to import


In this stage of the import process, you select the types of objects you want to
import and select options related to their import. At a later stage, you will
select the objects themselves. You may select BusinessObjects Enterprise XI
InfoObjects, including the following performance management InfoObjects:
• universes and documents referenced by analytics you are importing
• analytics (*.afd)
• rules and schedules (rules remain in the performance management
repository. Only schedules and named events that trigger rules are
imported here)
• named events

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 395


14 Importing Objects to BusinessObjects Enterprise
Using the Import Wizard

• dashboards (corporate and personal)


The options available on the Choose object to import dialog box depend on
the version of the source environment. By default, all available objects are
checked for import.Events and server groups can be imported from Crystal
Enterprise 8.5 or later. Repository objects and calendars can be imported
from Crystal Enterprise 10. Universes, categories, Desktop Intelligence and
Web Intelligence documents can be imported from BusinessObjects 6.x. All
objects except Desktop Intelligence documents can be imported from
BusinessObjects Enterprise XI and XI R2.
If you have not already started the Import Wizard, see “Specifying the source
environment” on page 388 and “Specifying the destination environment” on
page 394.
To select the types of objects to import
1. Choose the types of object to import.
Note: The options that appear depend on the source environment and
its version, and on whether you selected the “Import Application
Foundation contents” check box.
By default, all object types are selected, so you must do one of the
following:
• Clear the check boxes for the items you don’t want to import, and
then click Next.

• Accept the defaults, which is to import all documents, and then click
Next.

396 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14
2. In the Import Scenario dialog box, select the type of import you want.

• To merge the source and destination environments, select I want to


merge the source system into the destination system.
• If you want to automatically rename top-level folders that match
top-level folders on the destination system, select the check box
beneath the merge option.
• To update the destination environment without merging, select I want
to update the destination system by using the source system as
a reference.
• If you want to automatically rename objects when an object with
the same title already exists in the destination folder, select the
check box beneath the update option.
For more details on the different scenarios, see “Choosing an import
scenario” on page 401.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 397


14 Importing Objects to BusinessObjects Enterprise
Using the Import Wizard

3. If you see the Incremental Import dialog box, select the type of objects
whose content you want to overwrite.

These are your choices:


• Documents (including dashboards and analytics)
• Universes
• Connections
Note: The Incremental Import dialog box appears if you selected the
Update option a previous step.
4. If you want to overwrite object rights, select the Overwrite object rights
check box, and then click Next; If you don’t want to overwrite objects
rights, click Next.
5. If you are prompted to select specific objects for import, see “Selecting
specific objects to import” on page 402 for details on your specific object
type.
Note: The specific dialog box that appears will vary based on what you
are importing. However, the reason you will see one is because you
selected the Merge option a previous step.

398 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14
6. If you opted to import users or groups, select one of the security
migration options, and then click Next.

These are three security migration options:


• Yes, migrate security on imported objects and secure the destination
system.
This is the most secure option.
• Yes, migrate security on imported objects
Users in the destination system may end up with more rights than in
the source system.
• No, don’t migrate security
Note:
• The Security Migration Options dialog box appear if you selected
Import users and user groups.
• Universe overloads are not included in the Security migration.
You select overload migration on the Import Options for
Universes and Connections dialog box . For more information,
see “Universe and connection objects” on page 409.
For a full discussion of these options, see the BusinessObjects 5.x to
XI Release 2 Migration Guide.
7. If you selected the import of objects stored either in inbox or personal
folders, type or browse for the path of your Personal and/or Inbox
documents in the source environment, and then click Next.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 399


14 Importing Objects to BusinessObjects Enterprise
Using the Import Wizard

Note:
• If the files are located on a remote server, you must have mapped
the remote server to your local machine.
• If the files are located on a UNIX server, you must have mapped the
UNIX server to a local drive.
• You do not need to provide a path for corporate documents because
they are stored in the repository.
.

8. If you chose to import universes in the Select Objects to Import dialog


box, select one of these import options:
• Import all universes and all connection objects
This imports all universes from the source environment in one batch.
You cannot select individual universes or connections.
• Import all universes, and only connection objects used by those
universes
• Import universes and connections that the selected Web Intelligence
and BusinessObjects documents use directly
In a later dialog box, you will be able to select additional universes to
import.
9. If you want to migrate universe overloads, select the Keep universe
overloads for imported users and groups check box.

If you do not select this, then no universe overloads will be migrated.

400 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14
10. Click Next.
11. If the Ready to Import dialog box appears, go to “Finalizing the import” on
page 410.
Proceed to “Selecting specific objects to import” on page 402.
For more information about merging and updating systems, see Crystal
Repository chapter in the BusinessObjects Enterprise Administration guide.

Choosing an import scenario


When you choose an import scenario, you can merge the source and
destination environments, or you can update the destination environment
without merging.
• When you merge the environments, the Import Wizard adds all objects
from the source to the destination CMS without overwriting objects in the
destination environment. This is the safest import option. All of the
objects in the destination environment are preserved.
• When you update the destination environment, all objects in the source
are added to the destination CMS, but if a source object has the same
unique identifier as an object in the destination environment, the
destination object is overwritten.
Note: When CUIDs are changed, links between documents, rules, and
other objects that refer to each other using CUIDs may be impacted. If
you import objects with links to other objects, the safest option for
migration is the second option (Updating the destination environment).
This procedure assumes you have already specified the source and
destination environment and selected the type of objects to import. If you
have not already started the Import Wizard, see “Specifying the source
environment” on page 388, “Specifying the destination environment” on
page 394 and “Selecting the type of objects to import” on page 395.

Updating previously imported objects


You may need to import some objects more than once from the source
repository to the destination repository.
In this situation, you have the following update options:
• Overwrite object contents
You must select the types of objects for which the content overwrite
applies:

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 401


14 Importing Objects to BusinessObjects Enterprise
Using the Import Wizard

• Documents (including dashboards and analytics)


• Universes
• Connections
When you reimport an object, it will completely overwrite and replace the
object (and its associated files) that you imported earlier.
• Overwrite object rights
When you reimport an object, its associated security rights will overwrite
the rights of the object you imported earlier.
If you decided not to import security in the Security Migration Options
dialog box, then the Overwrite object rights option is not relevant, and is
therefore not available.
Note: If you don’t select any overwrite options, the object in the destination
repository will not change when you try to import it again.

Selecting specific objects to import


This procedure assumes you have already specified the source and
destination environment and selected the type of objects to import. It also
assumes you have chosen an import scenario. If you have not already started
the Import Wizard, see “Specifying the source environment” on page 388,
“Specifying the destination environment” on page 394 and “Selecting the type
of objects to import” on page 395. For further information about import
scenarios, see “Choosing an import scenario” on page 401.
After you choose an import scenario, you are prompted to choose the specific
objects you want to import. You can import all of the objects or select
individual objects.
You may be prompted to select any of the following to import:
• “Users and groups” on page 403
• “Populating database credentials” on page 404
• “Dashboards” on page 404
• “Broadcast Agent” on page 404
• “Categories” on page 405
• “Document domains and documents” on page 406
• “Universes” on page 407
• “Universe and connection objects” on page 409

402 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14
Users and groups
If you chose to import users and groups, the “Users and Groups” dialog box
appears. It may take some time before the users and groups are displayed,
because the Import Wizard is retrieving them from the repository.
Note: For detailed information on the import of users and groups, see the
BusinessObjects 5.x to XI Release 2 Migration Guide or the BusinessObjects
6.x to XI Release 2 Migration Guide.
To select users and groups
1. In the Groups list, select the groups that you want to import.

2. In the Users list, select specific members of any group.


3. Click Next.
Note: Only the General Supervisor type is added to the Administrators
Users group:
4. If the Import Groups Option dialog box appears, select if you want group
mappings from LDAP and Active Directory to be migrated to XI R2.
Note:
• If the Import Groups Option dialog box appears, the 6.x source and
the XI R2 destination environments are configured for LDAP or
Active Directory. You need to have the same LDAP or Active
Directory configuration on the source and destination.
• For information about setting alias creation and assignment for LDAP
and Active Directory users, see the BusinessObjects Enterprise
Administrator’s Guide.
5. Choose the third-party group mapping you want to migrate and then click
Next.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 403


14 Importing Objects to BusinessObjects Enterprise
Using the Import Wizard

Populating database credentials


After users and groups are imported, the Populate Database Credentials
dialog box appears.
This dialog box enables you to automatically set the DBUSER and DBPASS
attributes, for all imported users, with their login and password. These can be
used as default database credentials for connections.
1. Decide if you want the Import wizard to import database credentials for
users.
• If you want to populate the database credentials of imported users
with their BusinessObjects user name and password, select Yes.
• If you do not want to do this, select No.
2. Click Next.

Broadcast Agent
If you are importing Broadcast Agents, the Broadcast Agent dialog box
appears.This dialog box enables you to select the Broadcast Agents you want
to import.
Note: A Broadcast Agent job can be migrated from BusinessObjects 6.x to XI
R2 only if the job is supported in XI R2. (For details, see the BusinessObjects
5.x to XI Release 2 Migration Guide or the BusinessObjects 6.x to XI Release
2 Migration Guide.)
To select Broadcast Agents for import
1. In the Broadcast Agent dialog box, select the Broadcast Agents whose
jobs you want to import.
Note that all the jobs, for each Broadcast Agent, are selected by default.
2. Click Next.

Dashboards
If you are importing dashboards, the Dashboards dialog box appears.
To select dashboards
1. Select the dashboards you want to import.
When you select an application, its submenus are also selected.
2. Click Next.
The Import Wizard checks whether any dashboards in the source
repository include security. If the Import Wizard detects security on any
dashboards, the Import Dashboard Option dialog box appears. If none of
the dashboards selected for import includes security, skip to step 4.

404 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14
3. If dashboards selected for import include security, select one of the
following options:
• Import and apply page security on all page elements
The Import Wizard migrates the dashboard and any sub-menus and
applies standard page-level security, which is translated as an ACL
in the CMS. With this option, the least restrictive set of rights is
applied.
• Don’t import such dashboards
The Import Wizard imports all dashboards, including dashboards
with analytic-level security restrictions, but empties all content from
pages containing secured elements. Dashboard menu structures are
preserved.
• Import but move to administrator’s Favorites folder for revision
The Import Wizard imports all dashboards, including secured
dashboards, but empties the content of all secured dashboards.
When you choose this option, dashboard menu structures are
preserved and a copy of each secured dashboard, including its
contents, is moved to the administrator’s favorite folder. A prefix is
added to the secured dashboard’s name so that the administrator
can easily identify it after migration, then modify it manually before
publishing it to a wider audience.

Categories
If you are importing categories, the Categories dialog box appears.
To select categories
1. Select the check boxes for the categories that you want to import.

For large document domains, you can import incrementally, and import
documents one category at a time.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 405


14 Importing Objects to BusinessObjects Enterprise
Using the Import Wizard

2. If you want to import all the objects associated with the category, select
the Import all objects that belong to the selected categories check box.
3. Click Next.

Document domains and documents


The Domains and Documents dialog box appears if you choose to import any
of the following document types:
• Web Intelligence
• Desktop Intelligence (BusinessObjects)
• performance management (Application Foundation)
• Analytics (Performance Management) (6.x only)
• Third-party
The list contains a separate branch for each domain. Domains that cannot be
opened are greyed out. If you previously chose to import all the documents of
a given category, they are preselected and cannot be cleared.
To select domains and documents
1. Select the check boxes for domains or individual documents that you
want to import.

2. Click Next.

406 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14
The Locales and Platform Options dialog box appears.

In a BusinessObjects 5.x/6.x repository, some Web Intelligence 2.x (.wqy)


documents and BusinessObjects documents may not store their locales.
In order to set locales in these documents when they are saved in the
CMS (after conversion to .wid), the default locales provided by the user
are added to the documents.
3. Select the locale of the source from the top list.
4. Select the local of the destination from the bottom list.
5. Click Next.

Universes
To select universes or universe folders
1. Select the check boxes for the universes that you want to import.
The universes that are linked to specific documents cannot be cleared
from the list.You can select additional universes that are not used by any
imported document.
2. Click Next.
If no universe is found, the associated documents will not be imported
and a warning message appears. If this occurs, link the documents to a
universe, republish them to the repository, and retry the import.
Note: When you import a universe, its connection objects are imported
automatically. Before you can import connection objects from
BusinessObjects 5.x/6.x, ensure that the Import Wizard can access the
database the same way that the source environment accesses it. This
may involve installing database drivers or configuring connection settings
on the machine. For example, if you import SQL Server connection

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 407


14 Importing Objects to BusinessObjects Enterprise
Using the Import Wizard

objects from a BusinessObjects 6.x source environment, you must


configure the connections on the destination machine via the Control
Panel before you import the connection objects. You must use the exact
same name and settings as the connection used on the source machine
when you created the domain key.
To select folders and objects
• If you chose to import folders and objects, the “Select Folders and
Objects” dialog box appears. Select the check boxes for the folders and
reports that you want to import. Then click Next.
Tip: You can also choose to “Import all instances of each selected report
and object package.”
This example imports the Report Samples folder and a subset of its
contents.

To select repository objects


• If you chose to import repository objects, the “Import repository objects
options” dialog box appears. Choose an importing option for repository
objects, then click Next.

408 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using the Import Wizard 14
Universe and connection objects
If you chose to import universes in the Select Objects to Import dialog box,
the Import Options for Universes and Connections dialog box appears.
To import universe and connection objects
1. Select an import option:
• Import all universes and all connection objects
This imports all universes from the source environment in one batch.
You cannot select individual universes or connections.
• Import all universes, and only connection objects used by those
universes
• Import universes and connections that the selected Web Intelligence
and BusinessObjects documents use directly
In a later dialog box, you will be able to select additional universes to
import.
2. If you want to migrate universe overloads, select the Keep universe
overloads for imported users and groups check box.
If you do not select this, then no universe overloads will be migrated.
3. Click Next. If you chose to import a subset of the universes from the
source environment, the “Select Universe Folder and Universes” dialog
box appears.

Finalizing the import


To finalize the import
1. When the Ready to Import dialog box appears, click Import to begin
importing the information.
The Import Progress dialog box appears. It shows the progress of the
import and a summary of the events taking place.

2. If the import summary shows that some information was not imported
successfully, click View Detail Log for a description of the problem. If the
import summary shows no failures, click Done.
Note: The information that appears in the Detail Log is also written to a
text file called ImportWiz.log, which you will find in the directory from
which the Import Wizard was run. By default, this directory is:
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11\win32_x86\

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 409


14 Importing Objects to BusinessObjects Enterprise
Using text files with the Import Wizard

The log file includes a system-generated ID number, a title that describes


the imported information, and a field that describes the action and the
reason why it was taken.

Using text files with the Import Wizard


The Import Wizard can import any of the following from text files:
• Users
• Groups
• Profiles
• Data source credentials
A combination of users, groups and profiles can be in one file, but data source
credential must be in a separate text file.

Text file format


All text import file data must be in the comma-separated value (CSV) file
format. For specific details on what each field represents, see “Importing
users, groups and profiles” on page 411 and “Importing data source
credentials” on page 413. The CSV format stipulates the following:
• The comma (,) is the default separator.
• The default delimiter is double quotes (").
• The fields that contain a separator must begin and end with a delimiter.

410 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using text files with the Import Wizard 14
For example, if you wanted the value Smith, John in a field, you would
enter “Smith, John”.
• The fields that contain a delimiter, must begin and end with a delimiter
and use two delimiters where one is required.
For example, if you wanted the value “quotes”, you would enter
"""quotes""", if your delimiter was double quotes. If your delimiter was a
single quote ('), and you wanted the value dog’s, you would enter 'dog''s'.
Note: The default delimiter and the default separator can be changed on the
“Select options for file import” dialog box.

Importing users, groups and profiles


The Import Wizard can import users, groups and profiles from text files. Files
used to import users, groups or profiles must be structured as follows:
• Each row in the text file defines 1 record.
• Each record consists of 6 fields.
• Each field must have separator between it and the next field.
• Each field, can potentially be blank except for field 1.
One single record can define either a group or a user or a group, a user and a
profile. Text files must be saved in UTF-8 format.
Note:
• The default separator is a comma but this can be changed on the
Select options for file import dialog box.
• If a character in the any field of the record is the same as the
character used for a separator it must be delimit. The default
delimiter character is a double quote.
User record Format
e

Field Number Contents of field


Field 1 Group name
Field 2 User Name
Field 3 Full name of user
Field 4 Email address of user
Field 5 Profile name for user.
Field 6 Profile value for user.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 411


14 Importing Objects to BusinessObjects Enterprise
Using text files with the Import Wizard

Note: Profile values must be enclosed in quotes. See “Text file format” on
page 411 for information on using delimiter.
Example user record
Sales,Psanders,Paula Sanderson,psanders@Acme.com,
Manager,West Region
The previous record would create an account name or username of
“psanders” in BusinessObjects Enterprise. The name Paula Sanderson, and
the e-mail address of psanders@Acme.com would be associated with this
account name. The username “psanders” would be member of the group
“Sales”. The username psanders and would be assigned the profile
“Manager” with the profile value of “West Region”.
Group Record Format

Field Number Contents of field


Field 1 Group name
Field 2 Null
Field 3 Description of group.
Field 4 Field is ignored.
Field 5 Profile name for group.
Field 6 Profile value for group.
Note: Profile values must be enclosed in quotes. See “Text file format” on
page 411 for information on using delimiter.
Example Group record
Best,,Group for sales people,,Sales,General
The previous record would create the “Best” group, with description of “Group
for sales”. The profile Sales would be assigned the profile value “General”.

Importing data source credentials


The Import Wizard can import data source credentials from text files. These
are the database credentials used for Business Object Universes. Files used
to import secondary database credentials must be structured as follows:
• Each row in the text file defines 1 record.
• Each record consists of 3 fields.
• Each field must have separator between it and the next field.

412 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using text files with the Import Wizard 14
• Each database username must be associated with a Enterprise
username that already exists.

Field Number Contents of field


Field 1 Existing username
Field 2 Database Username
Field 3 Database password

Example database credential


Psanders,dbuser,Dbpasw0rd
The previous example create the account name “dbuser” and the password
“Dbpasw0rd” associated with Enterprise user Psanders. The option “Enable
Data Source Credentials for Business Object Universes” would also be
selected for username Psanders.
Importing from text files
This section explains how to import any of the following from text file:
• Users
• Groups
• Profiles
• Data source credentials
For details about the format of these files, see “Text file format” on page 411.
To import from text files
1. Start the Import Wizard. From the Start menu, select Programs >
BusinessObjects XI R2 > BusinessObjects Enterprise > Import
Wizard.
The Import Wizard dialog box appears.
2. Click Next.
The Source Environment dialog box appears.
3. Select Text file from the Source list.
4. Click the browse icon.
5. Locate the file to import, and then click Next.
6. Enter the name and credentials for the CMS, and then click Next.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 413


14 Importing Objects to BusinessObjects Enterprise
Using text files with the Import Wizard

The Select options for file import appears.

7. Decide what you want to import.


• To import profiles, users and groups
a. Make sure the select type of file to import list is set to Profiles,
Users and Groups.
b. If you want your text file to only create profiles, users or groups,
but not update the data already entered, clear the update
options.
c. If you want your text file to only update profiles, users or groups,
but not create new profiles, users or groups, clear the create
options.
d. To remove all existing users from a group specified in the import
file, whose membership in the group is not specified in the file,
select Remove users from a group if not included and clear
Add users to a group if not a member.
e. To add existing users or users in the import file to a group if they
are not a member, make sure Add users to a group if not a
member is selected.
f. Click Next.
• To import data source credentials
a. Select Data Source Credentials from the list.
b. Click Next.

414 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Importing Objects to BusinessObjects Enterprise
Using text files with the Import Wizard 14
c. Click Finish.
The file will be imported.
Note: If you are importing data source credentials, none of the
remaining steps in this procedure apply.
The select application folders and objects dialog box appears.
8. Click Next.
9. The Preview results from file import dialog box appear.

10. Review that the results are what you expect, and then click Next.
The results on this screen show the how the first user or group will be
created, after all the records in the import file have been parsed.
If your record includes both a user and a group, the user preview will be
displayed by default. To see how the what group may be created, click
Group.
11. Click Finish to begin the import.
12. Click Import to exit the Import Wizard.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 415


14 Importing Objects to BusinessObjects Enterprise
Using text files with the Import Wizard

416 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects

chapter
15 Managing Objects
Managing objects overview

Managing objects overview


There are several types of objects that can exist in BusinessObjects
Enterprise: reports, Web Intelligence documents, programs, Microsoft Excel
files, Microsoft Word files, Microsoft PowerPoint files, Adobe Acrobat PDFs,
rich text format files, text files, and hyperlinks, as well as object packages,
which consist of report and/or program objects. After publishing objects to
BusinessObjects Enterprise, you manage them through the Central
Management Console (CMC) by going to the Objects management area.
Tip:
• Go to the Object management area by clicking the Objects link on the
CMC Home page.
• Use folders to organize and facilitate object administration for you and
your users. For more information, see “Managing User Folders” on
page 340.
This chapter is broken up into four sections:
• “General object management” on page 419
This section describes general object management concepts that apply
to all objects, such as moving, copying, and deleting objects. It also
describes how to search for objects, how to modify object properties, and
how to set object rights for users and groups.
• “Report object management” on page 427
This section explains report objects and instances, and how to manage
them through the Central Management Console (CMC). Managing report
objects includes applying processing extensions, specifying alert
notification, changing database information, updating parameters, using
filters, and working with hyperlinked reports.
• “Program object management” on page 449
This section explains program objects and instances, and how to manage
them through the Central Management Console (CMC). Additionally, this
section covers type-specific program object configuration, and security
considerations for program objects.
• “Object package management” on page 457
This section explains object packages and instances, and how to
manage them through the Central Management Console (CMC).
Additionally, this section explains how to create an object package and
how to add objects to an object package.

418 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
General object management 15
General object management
This section describes general tasks related to managing objects and their
instances. It includes the following sections:
• “Copying, moving, or creating a shortcut for an object” on page 419
• “Deleting an object” on page 421
• “Searching for an object” on page 421
• “Sending an object or instance” on page 422
• “Changing properties of an object” on page 424
• “Assigning an object to categories” on page 426
Tip: You can also manage an object by going to the Folders management
area in the CMC, selecting a folder (and any subfolders) by clicking the
appropriate link(s), and selecting the object that is located under the Object
Title column. See Chapter 12: Organizing Objects.
Note: For information setting the rights for an object, see “Setting object
rights for users and groups” on page 293.

Copying, moving, or creating a shortcut for an object


Use this procedure to copy or move an object, or to create a shortcut to an
object within BusinessObjects Enterprise:
• “Copy” creates another copy of the object in a different location. The new
copy of the object inherits all object rights from its new parent folder.
You use copy, for example, when scheduling objects by using an object
package, to copy the objects to the package. See “Scheduling objects
using object packages” on page 469.
• “Move” changes the location of the object from one folder to another. The
object retains its original set of object rights.
• “Create shortcut” enables you to create an alternate, more convenient,
access route for an object. You can also create a shortcut to give users
access to the object when you don’t want them to access the folder that
the actual object is located in. The shortcut inherits object rights from its
parent folder. However, the shortcut object rights do not override the
rights of the original object. For example, if a user does not have rights to
schedule a report, they are not able to schedule that report even through
a shortcut that allows them full rights.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 419


15 Managing Objects
General object management

To copy, move, or create a shortcut for an object


1. Go to the Objects management area of the CMC.
2. Select the check boxes associated with the object(s) you want to copy,
move, or create a shortcut for.
3. Click Copy/Move/Shortcut.
The Copy/Move/Create Shortcut page appears.

4. Select one of the following options:


• Copy to
• Move to
• Create shortcut in
Tip: You may want to create a shortcut if you want to give someone
access to an object without giving that user access to the entire folder
that the object is located in. After you create the shortcut, users who have
access to the folder where the shortcut is located can access this object
and its instances. For more information on folder rights, see “Specifying
folder rights” on page 337.
5. Select the appropriate destination folder; then click OK.
Tip:
• To expand a folder, select it and click Show Subfolders.
• To search for a specific folder or object package, use the Look For
field.

420 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
General object management 15
Deleting an object
This procedure explains how to delete either a single object or multiple
objects. You can also delete a folder (by selecting a folder and clicking Delete
in the Folders management area), which deletes all of the objects and
instances that are stored in that folder. As well, you have the option of
deleting object instances, rather than the object itself. For more information,
see “Managing and viewing the history of instances” on page 491.
Note: When you delete an object, all of its existing instances and scheduled
instances will be deleted.
To delete an object
1. Go to the Objects management area of the CMC.
2. Select the check boxes associated with the object(s).
3. Click Delete.
4. Click OK.

Searching for an object


The search feature enables you to search for specific text within object titles
or descriptions.
To search for an object or objects
1. Go to the Objects management area of the CMC.
2. Specify the search criteria.
In the “Search for” fields, specify the object field to search (title or
description) and the matching method to use (is, is not, contains, does
not contain). In the Text field, type the text to search for.

3. Click Search.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 421


15 Managing Objects
General object management

Sending an object or instance


You can use the “Send to” feature to send existing objects or instances of an
object to different destinations. You can send an object, for example, a Word
or Excel file, or you can send instances of an object, for example, a report
instance.
The “Send to” function handles existing objects or instances only. It does not
cause the system to run the object and create new instances, nor does it
refresh the data for a report instance.
You can send either a copy of an object or instance, or a shortcut to the object
or instance. You can also select the destination, for example, FTP or Inbox.
Not all types of objects can be sent to all destinations. For details about which
types of objects can be sent to which destinations, see “Available destinations
by object type” on page 423.
To send an object or an instance to a destination
1. Go to the Objects management area of the CMC.
2. Select the check boxes for the objects that you want to send.
To send an instance of the object, click the link for the object. Click the
History tab, and then select the check boxes for the instances you want
to send.
Select only instances with a status of Success or Failed. Instances with a
status or Recurring or Pending are scheduled and do not contain any
data yet.
3. Click Send to.
The Send to page appears.

422 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
General object management 15
4. If you want, you can keep the temporary instances that are created when
you send an object or instance, deselect Clean up temporary objects
created after objects have been sent.
By default, this option is selected and the system deletes any temporary
objects or instances after they have been sent.
5. Select the destination option you want:
• Each selected object’s scheduling destination
Sends the objects or instances to the destination specified on the
Destination pages for the objects.
• A new destination for all selected objects
Allows you to specify a destination.
If you select this option, you must specify additional parameters for
the destination information. See “Available destinations by object
type” on page 423 and “Selecting a destination” on page 480.
If you want the destination to become the default destination for the
object, select the Set this destination as the selected object’s
scheduling destination option. The system will update the
destination information for the object when you click Send.
Note: Send Web Intelligence documents to the “Inbox” destination
only, or to an Email destination configured within BusinessObjects
Enterprise.
6. Click Send.
The system sends the selected objects or instances to the specified
destinations.
Available destinations by object type
Most destinations can be used for most types of objects, but there are some
exceptions. In some cases recipients must have access to the
BusinessObjects Enterprise system to be able to open the object. The
following table summarizes which objects cannot use certain destinations. For
example, for a Web Intelligence document you cannot specify an unmanaged
disk destination.

Object type Unm. Email (SMTP) Inbox


DIsk
FTP File Link File Link
Report Yes Yes Yes Yes Yes Yes
Object Package - - - - Yes Yes
Program Yes Yes Yes Yes Yes Yes

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 423


15 Managing Objects
General object management

Object type Unm. Email (SMTP) Inbox


DIsk
FTP File Link File Link
Web Intelligence - - - Yes Yes Yes
document
Desktop Yes Yes Yes Yes Yes Yes
Intelligence
document
OLAP Intelligence Yes Yes Yes Yes Yes Yes
documents
Excel file Yes Yes Yes Yes Yes Yes
Word file Yes Yes Yes Yes Yes Yes
PDF file Yes Yes Yes Yes Yes Yes
Text file Yes Yes Yes Yes Yes Yes
RTF file Yes Yes Yes Yes Yes Yes
PowerPoint file Yes Yes Yes Yes Yes Yes
Hyperlink - - - Yes Yes Yes

Changing properties of an object


In the Properties page of an object, you can modify an object’s title and
description. As well, you can view its file name, its location, and the date it
was created. For objects that can be scheduled (reports, programs, and
object packages), you can see the last times the object was modified and/or
run.
To change the properties of an object
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. On the Properties page, change any of the properties as required.
3. Click Update.
Note that once you have clicked Update, you cannot click Reset to undo
changes.
View button
For Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Adobe Acrobat,
Text, and Rich Text objects, a View button appears on the Properties page.
Provided that you have the appropriate software installed on your browser
machine, you can click the View button to open and view the object.

424 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
General object management 15

Preview button
Similarly, for report objects, Desktop Intelligence documents, and Web
Intelligence documents, a Preview button appears. The Preview button
enables you to view a report on demand with all of your current report
settings. BusinessObjects Enterprise connects to the report’s data source(s) if
no cached pages are available. To use the Preview function, the user will
need to have rights at the Schedule level or higher. (To preview a report with
saved data, the user will need to have rights at the View level or higher.) By
default, administrators have rights at the Full Control level (the highest rights
setting) for all report objects. For details about object rights, see “Report
object management” on page 427.
Show report thumbnail option
For Crystal reports, the “Show report thumbnail” check box is selected by
default. If you do not want a thumbnail preview of this report to be available in
InfoView or another web application, clear the Show report thumbnail check box.
Note: A thumbnail is a graphical representation of the first page of a report. If
the original report does not contain a thumbnail, then a thumbnail will not be
stored on BusinessObjects Enterprise. The Show report thumbnail checkbox
does not apply to Web Intelligence document objects.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 425


15 Managing Objects
General object management

Scheduled package fails upon individual component failure option


For object packages, the “Scheduled package fails upon individual
component failure” check box is selected by default. (A component is an
object in an object package.) This means that if one of objects in a package
fails, the object package instance in the History will appear as Failed. If you
do not want the object package instance to fail if one of the objects fails, clear
the “Scheduled package fails upon individual component failure” check box.

Assigning an object to categories


Like folders, categories are objects used to organize documents. You can
associate objects with multiple categories, or subcategories within categories.
A category can be a corporate or a personal category. For complete
information, see Chapter 12: Organizing Objects.
Use the following procedure to assign an object to a category by using the
objects page. You can also assign objects to a category by using the
categories page. See “Adding an object to a new category” on page 343.
To assign an object to a category
1. In the Object management area of the CMC, select an object by clicking
its link.
2. Click the Categories tab.
3. To assign an object to a personal category, click the Personal link.
Otherwise, skip this step.
4. Click Assign Categories.
The Assign Corporate Categories page appears.
5. In the Available Categories list, select the category that you want the
object to belong to and use the arrow buttons to move to the Assigned
Categories list.
The Available Categories list includes all corporate or personal
categories and their subcategories.
Repeat this step for each category that you want the object to be
assigned to.
6. Click OK.
Note: To remove an object from a category, see “Removing or deleting
objects from a category” on page 343.

426 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Report object management 15
Report object management
This section explains report objects and instances, and how to manage them
through the Central Management Console (CMC). It includes the following
sections:
• “What are report objects and instances?” on page 427
• “Setting report refresh options” on page 428
• “Setting report processing options” on page 429
• “Applying processing extensions to reports” on page 442
• “Working with hyperlinked reports” on page 446
• “Viewing the universes for a Web Intelligence document” on page 429
Note: Most information in this section also applies to Web Intelligence
document objects. Any exceptions have been identified.

What are report objects and instances?


A report object is an object that is created using a Business Objects designer
component (such as Crystal Reports or OLAP Intelligence). A Web
Intelligence document object is created using the Report panel and HTML
Query panel in InfoView. Both types of objects contain report information
(such as database fields). Both types of objects can also contain saved data.
A report object or Web Intelligence document object can be made available to
everyone or to individuals in selected user groups.
Scheduled instances
When you schedule an object, the system creates a scheduled instance for
the object. A scheduled instance contains object and schedule information. It
does not contain any data yet. Scheduled instances appear on the History
page of the respective object and have a status of Recurring or Pending.
You can schedule objects either from CMC or by using a BusinessObjects
Enterprise application, such as InfoView or a custom web application.
Typically, report objects are designed such that you can create several
instances with varying characteristics. For example, if you run a report object
with parameters, you can schedule one instance that contains report data that
is specific to one department and schedule another instance that contains
information that is specific to another department, even though both instances
originate from the same report object. For more information about scheduling,
see Chapter 16: Scheduling Objects.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 427


15 Managing Objects
Report object management

Object instances
At the specified time, the system runs the object and creates an object
instance. The instance contains actual data from the database. It appears on
the History page of the object and has a status of Success or Failed.
Making changes to an object
Any changes you make to the an object (by making the changes and then
clicking Update) affect the default settings for the object only. Those changes
do not affect any existing scheduled instances or object instances. The next
time you schedule the object, whether you use CMC or an application such as
InfoView, the new default settings are displayed. You can then change these
settings as needed for the scheduled instance you want to create.
Note: BusinessObjects Enterprise supports reports created in versions 6
through XI of Crystal Reports. Once published to BusinessObjects Enterprise,
reports are saved, processed, and displayed in version XI format.

Setting report refresh options


Note: This feature does not apply to Web Intelligence document objects.
You can set report refresh options that determine which settings of a report
object are updated when you refresh it in BusinessObjects Enterprise.
When you refresh a report object, BusinessObjects Enterprise compares the
report object stored in BusinessObjects Enterprise with the original .rpt file
stored in the Input File Repository Server. BusinessObjects Enterprise
deletes or adds report elements in the report object to make it match the .rpt
file, overwriting any changes you’ve made in BusinessObjects Enterprise.
Where report elements are the same in the source report and the report
object, the report refresh settings allow you to control which settings in the
report object are updated with values from the source .rpt file.
For example, if a prompt appears only in the source .rpt file, then refreshing
the report adds the prompt to the report object. This holds true no matter
which report refresh options you select.
If a prompt appears in both the source .rpt and the report object and you have
selected the “Prompt Values” option, then BusinessObjects Enterprise
updates the default value of the prompt in the report object. Any changes that
you have made to the default value of the parameter in BusinessObjects
Enterprise are overwritten.
To preserve your changes to the values of report elements when you refresh
a report, clear the appropriate report refresh option.

428 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Report object management 15
Note:
• If you select Prompt Values, BusinessObjects Enterprise ensures that
changes to either the default value of a prompt or to the current value of a
prompt are updated in the report object when the report is refreshed.
• If you select Prompt Options, BusinessObjects Enterprise ensures that
changes to the metadata describing a prompt is updated in the report
object. For example, “Can be null” is a prompt option.
• If you select “Use Object Repository when refreshing report”, repository
objects in the report object will be refreshed against the repository. For
more information, see “Copying data from a Crystal Reports 9 repository
database” on page 190.
To set a report object’s refresh options
1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. On the Properties page, click the Refresh Options link.
3. Choose the report elements that you want to refresh from the source
report file.
4. Click Refresh Report.

Viewing the universes for a Web Intelligence document


You build queries for Web Intelligence documents using objects in a universe.
A universe is a representation of the information available in the database. In
the CMC, you can view which universes are used by a Web Intelligence
document.
To view the universes for a Web Intelligence document
1. In the Objects management area of the CMC, select a Web Intelligence
document object by clicking its link.
2. On the Properties page, click the Universes link.
The Universes page appears, listing the universes that are used by the
document.

Setting report processing options


For each object you can set several processing options. These options
appear on the Process page for the object. Setting the report processing
options includes the following tasks:
• “Setting report viewing options” on page 430

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 429


15 Managing Objects
Report object management

• “Specifying default servers” on page 431


• “Changing database information” on page 434
• “Updating parameters” on page 436
• “Using filters” on page 438
• “Setting printer and page layout options” on page 440
• “Applying processing extensions to reports” on page 442

Setting report viewing options


Note: This feature does not apply to Web Intelligence document objects.
The report viewing options available in BusinessObjects Enterprise allow you
to balance users’ need for up-to-date information with the need to optimize
data retrieval times and overall system performance.
BusinessObjects Enterprise allows you to enable data sharing, which permits
different users accessing the same report object to use the same data when
viewing or refreshing a report. Enabling data sharing reduces the number of
database calls, thereby reducing the time needed to generate a report
instance for subsequent users of the same report, while greatly improving
overall system performance under load.
You can control data sharing settings on either a per-report or a per-server
basis:
• If you specify which servers a report uses for viewing, you can use per-
server settings to standardize data sharing settings for groups of reports,
and centrally administer these settings. (See “Specifying default servers”
on page 431.)
• Per-report settings permit you to specify that particular reports will not
share data. They also allow you to tailor the data sharing interval for each
report to meet the needs of that report’s users. In addition, per-report
settings enable you to decide on a report-by-report basis whether it is
appropriate to allow users to access the database whenever they refresh
reports.
Data sharing may not be ideal for all organizations, or for all reports. To get
full value from data sharing, you must permit data to be reused for some
period of time. This means that some users may see “old” data when they
view a report on demand, or refresh a report instance that they are viewing.
The default report viewing options for BusinessObjects Enterprise emphasize
data freshness and integrity. By default, when you add a report to
BusinessObjects Enterprise it is configured to use per-server settings for
report sharing. The default server settings ensure that users always receive
up-to-date information when they refresh a report, and guarantee that the

430 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Report object management 15
oldest data given to any user is 0 minutes old. If you choose to enable per-
report settings, the default settings allow data sharing, allow a viewer refresh
to retrieve fresh data from the database, and ensure that the oldest data given
to a client is 5 minutes old.
Tip: Disabling the sharing of report data between clients is not the same as
setting the “Oldest on-demand data given to a client” to 0 minutes. Under high
load, your system may receive more than one request for the same report
instance at the same time. In this case, if the data sharing interval is set to 0
but the “Share report data between clients” option is enabled,
BusinessObjects Enterprise shares data between the client requests. If it is
important that data not be shared between different clients (for example,
because the report uses a User Function Library (UFL) that is personalized
for each user), disable data sharing for that report.
For details on setting report viewing options on a per-server basis, see:
• “Modifying Cache Server performance settings” on page 101
• “Modifying Page Server performance settings” on page 105
• “Modifying performance settings for the RAS” on page 111
• “Configuring the Web Intelligence Report Server” on page 113
For more information on configuring BusinessObjects Enterprise to optimize
report viewing in your system, see the planning chapter in the
BusinessObjects Enterprise Installation Guide.
Note: This feature does not apply to Web Intelligence document objects.
To set report viewing options for a report
1. In the Objects management area of the CMC, select a report by clicking
its link.
2. Click the Process tab.
3. In the “Data Refresh for Viewing” area, click “Use report specific viewing
settings.” Then select the options that you want to set for this report.
4. Click Update.

Specifying default servers


You can specify the default servers that BusinessObjects Enterprise will use
to run an object, and to schedule and process instances. For report objects
and Web Intelligence documents, you can specify the default servers that
BusinessObjects Enterprise will use when a user views or modifies a report or
Web Intelligence document. For Desktop Intelligence documents, you can
specify the default servers that BusinessObjects Enterprise will use when
processing and caching documents.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 431


15 Managing Objects
Report object management

When specifying your servers, you have three options:


• Use the first available server
BusinessObjects Enterprise will use the server that currently has the
most available resources.
• Give preference to servers belonging to the selected group (and, if
the servers from that group are not available, use any available server).
Select a server group from the list. This option will attempt to process the
object on the servers that are found within your server group. If the
specified servers are not available, then the object will be processed on
the next available server.
• Only use servers belonging to the selected group
This option ensures that BusinessObjects Enterprise will use only the
specified servers that are found within the selected server group. If all of
the servers in the server group are unavailable, then the object will not be
processed.
Depending on the type of object, BusinessObjects Enterprise uses the
following servers:
• Crystal reports run on the Report Job Server.
• Desktop Intelligence documents run on the Desktop Intelligence Report,
Job and Cache Servers.
• Web Intelligence documents run on the Web Intelligence Report Server.
By selecting a particular server or server group, you can balance the load on
your system by processing specific objects on specific job servers. You must
first create server groups by using the Server Groups management area in
the CMC, before you can select servers that belong to a selected group.
Note:
• If you choose the “Use the first available server” option, the Central
Management Server (CMS) will check the job servers to see which one
has the lowest load. The CMS does this by checking the percentage of
the maximum load on each job server. If all of the job servers have the
same load percentage, then the CMS will randomly pick a job server.
• You can also set the maximum number of jobs that a server will accept.
For more information, see the following sections of Chapter 4: Managing
and Configuring Servers:
• “Modifying Cache Server performance settings” on page 101
• “Modifying Page Server performance settings” on page 105
• “Modifying performance settings for the RAS” on page 111
• “Modifying performance settings for job servers” on page 112

432 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Report object management 15
• If you are scheduling a program object that requires access to files stored
locally on a Program Job Server, but you have multiple Program Job
Servers, you must specify which server to use to run the program.
To specify default servers for processing an object
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Process tab.

3. In the “Default Servers To Use For Scheduling” area, choose one of the
server options.
4. If the object is a report object or a Web Intelligence document, choose
one of the server options in the “Default Servers To Use For Viewing and
Modification” area.
If the object is a Desktop Intelligence document, choose one of the server
options in the “Default Servers to Use For Processing” area and in the
“Default Servers to Use For Caching” area.
5. Click Update.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 433


15 Managing Objects
Report object management

Changing database information


Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
You can select your database type and set the default database logon
information on the Database page for a report object. The Database page
displays the data source or data sources for your report object and its
instances. You can choose to prompt the user for a logon name and
password when he or she views a report instance.
To change database settings
1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. Click the Process tab, and then click the database link.
The Database page appears.

434 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Report object management 15
3. In the Data Source(s) list, select the data source.
4. Select Use original database logon information from the report or
Use custom database logon information specified here.
If you select the first option, you can specify a user name and password
to be used with the original report database.
If you select the second option, you can specify a server name (or a DSN
in the case of an ODBC data source), a database name, a user name,
and a password for a number of predefined database drivers, or for a
custom database driver that you’ve specified. If you’ve changed the
default table prefix in your database, specify a custom table prefix here.
For a complete list of supported databases and drivers, refer to the
platform.txt file included with your installation.
5. Select the database logon option you want.
• Prompt the user for database logon
The system will prompt users for a password when they refresh a
report.
Note: This option has no effect on a scheduled instance. Also,
BusinessObjects Enterprise only prompts users when they first
refresh a report; that is, if they refresh the report a second time, they
will not be prompted.
• Use SSO context for database logon
The system will use the user’s security context, that is, the user’s
logon and password, to log on to the database.
Note: For this option to work, you must have your system configured
for end-to-end single sign-on, or for single sign-on to the database.
For more information, see “Configuring Kerberos single sign-on to
the database” on page 266.
• Use same database logon as when report is run
The system will use the same database logon information as was
used when the report was run on the job server.
6. Click Update.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 435


15 Managing Objects
Report object management

Updating parameters
Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
Parameter fields (with preset values) enable users to view and to specify the
data that they want to see. If a report contains parameters, you can set the
default parameter value for each field or fields (which is used whenever a
report instance is generated). Through a BusinessObjects Enterprise
application such as InfoView, your users are either able to use the report with
the preset default value(s) or choose another value or values. If you do not
specify a default value, users will have to choose a value when they schedule
the report.
Note: The Parameters link is available only if the report object contains
parameters.
To view parameter settings
1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. Click the Process tab, and then click the Parameters link.

3. Under the Value column, select the value associated with the parameter
you want to change.
A page opens that allows you to change the parameter value. Depending
on the parameter value type, you either type a value in the field or choose
a value from a list. If there is a list, you can also click Edit to type a new
value.

436 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Report object management 15

4. Select the Clear the current parameter value(s) check box if you want
to clear the current value that is set for the specified parameter.
5. Select the Prompt the user for new value(s) when viewing check box
if you want your users to be prompted when they view a report instance
through a BusinessObjects Enterprise application such as InfoView.
6. Click Update.

Updating prompts for Web Intelligence document objects


Note: This feature does not apply to Crystal reports objects. See “Updating
parameters” on page 436 instead.
Prompt fields (with preset values) enable users to view and to specify the
data that they want to see. If a report contains parameters, you can set the
default prompt value for each field or fields (which is used whenever a report
instance is generated). Through a BusinessObjects Enterprise application
such as InfoView, your users can either use the report with the preset default
value(s) or choose another value or values. If you do not specify a default
value, users will have to choose a value when they schedule the report.
Note: The Prompts link is available only if the Web Intelligence document
object contains prompts.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 437


15 Managing Objects
Report object management

To update the prompts for a Web Intelligence document object


1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. Click the Process tab, and then click the Prompts link.
The Prompts page appears, showing a dialog box with prompts.
3. Select the prompt and enter a value for the prompt. Repeat this step for
every prompt whose you want to change.
4. Click Update.

Using filters
Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects. Alternatively, you can use profiles to
personalize views of the data. For more information, see Chapter 19:
Managing Profiles.
In the Filters page, you set the default selection formulas for the report.
Selection formulas are similar to parameter fields in that they are used to filter
results so that only the required information is displayed. Unlike parameters,
end users will not be prompted for selection formula values when they view or
refresh the report. When users schedule reports through a web-based client
such as InfoView, they can choose to modify the selection formulas for the
reports. By default, if any formulas are set in the CMC, they will be used by
the web-based client. For more information on selection formulas, see the
Crystal Reports User’s Guide.
In addition to changing selection formulas, if you have developed your own
processing extensions, you can select the processing extensions that you
want to apply to your report.
For more information, see “Applying processing extensions to reports” on
page 442. When you use filters in conjunction with processing extensions, a
subset of the processed data is returned. Selection formulas and processing
extensions act as filters for the report.
To use filters
1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. Click the Process tab, and then click the Filters link.

438 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Report object management 15
The Filters page appears.

3. Update or add new selection formulas.


• Record Selection Formula
Use the Record Selection Formula to create or edit a record
selection formula or formulas that limit the records used when you or
a user schedules a report.
• Group Selection Formula
Use the Group Selection Formulas to create or edit a group selection
formula or formulas that limit the groups used when you or a user
schedules a report.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 439


15 Managing Objects
Report object management

4. In the processing extensions area, select a processing extension you


want from the Available Processing Extensions list, and move it to the
Use these Processing Extensions list.
Repeat this step until you have selected the processing extensions you
want.
5. Click Update.

Setting printer and page layout options


Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
You can choose to print a report instance when scheduling it; report instances
are always printed in Crystal Reports format. When printing a report, you can
set the number of copies and the page range.
The Print Setup page contains two areas: the first area specifies whether or
not a report instance is printed, and if printed, the printer to use, the number
of copies, and the page range; the second area specifies custom layout
settings for changing the page size and orientation (regardless of whether the
report instance is printed or not).
Specifying a printer
Note: This feature does not apply to Web Intelligence document objects.
You can choose to print a report (each time it runs) using the Job Server’s
default printer or a different printer. By selecting the Printer destination,
BusinessObjects Enterprise prints your report after it is processed.
Note: The Job Server must run under an account that has sufficient
privileges to access the printer you specify. See “Changing the server user
account” on page 136 for information on changing the user account.
To assign a printer
1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. On the Process tab, click the Print Setup link.
The Print Setup page appears.
3. Select Print in Crystal Reports format using the selected printer
when scheduling if you want report instances to be sent directly to a
printer.
The report instances are automatically sent to the printer in Crystal
Reports format. This does not interfere with the format selected when
scheduling the report.

440 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Report object management 15
4. Leave Default printer selected if you want to print to the Job Server’s
default printer, otherwise, select Specify a printer.
5. Enter a printer’s path and name, select the number of copies, and choose
the print page range.
If your job server is using Windows, in the “Specify a printer” field, type:
\\printserver\printername
Where printserver is the name of your printer server, and
printername is the name of your printer.
If your job server is running on UNIX, in the “Specify a printer” field, type
the print command that you normally use. For instance, type:
lp -d printername
Note: Ensure that the printer you are using (on UNIX) is “shown” and not
“hidden.”
6. Click Update.
Specifying page layout
Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
When viewing or scheduling a report instance to any format, you can first
specify page layout criteria such as page orientation, page size, and so on.
The settings you choose in this section of the Print Setup page affect how
you’ll see a report instance when displaying it.
Note: Page layout settings are not specifically related only to scheduling a
report to a printer, but also to the overall look of the report. The overall look is
affected by the properties of the device for which the report is displayed in (that
is, the font metrics and other layout settings of the display and/or the printer).
To set a report’s page layout
1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. On the Process tab, click the Print Setup link.
The Print Setup page appears.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 441


15 Managing Objects
Report object management

3. Make your settings according to the type of layout you want. The options
are as follows:
• Report file default
Choose this option if you want the page layout to conform to the
settings that were chosen for the report in Crystal Reports.
• Specified printer settings
Choose this option if you want the page layout to conform to the
settings of a specified printer. You can choose the Job Server’s
default printer or another printer. For information about specifying
another printer, see “Specifying a printer” on page 440.
When you choose this option, you can print scheduled report
instances only to the printer you specify in the “Specified printer
settings” area. In other words, you cannot set your report to display
with one printer’s setting and then print to a different printer.
• Custom settings
Choose this option if you want to customize all page layout settings.
You can choose page orientation, page size, measurement units
(inches or millimeters), page width, and page height.
4. Click Update.

Applying processing extensions to reports


Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
BusinessObjects Enterprise supports the use of customized processing
extensions. A processing extension is a dynamically loaded library of code
that applies your business logic to particular BusinessObjects Enterprise view
or schedule requests before they are processed by the system. This section
shows how to register your processing extension with BusinessObjects
Enterprise, and how to apply an available processing extension to a particular
report object.
For general information about processing extensions and how you can use
them to customize report processing and security, see “Processing
extensions” on page 207. For information on writing your own processing
extensions with the Processing Extension API, see the developer
documentation available on your product CD.
Note: On Windows systems, dynamically loaded libraries are referred to as
dynamic-link libraries (.dll file extension). On UNIX systems, dynamically
loaded libraries are often referred to as shared libraries (.so file extension).
You must include the file extension when you name your processing
extensions. Also, file names cannot include the \ or / characters.

442 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Report object management 15
Registering processing extensions with the system
Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
Before you can apply your processing extensions to particular objects, you
must make your library of code available to each machine that will process
the relevant schedule or view requests. The BusinessObjects Enterprise
installation creates a default directory for your processing extensions on each
Job Server, Page Server, and Report Application Server (RAS). It is
recommended that you copy your processing extensions to the default
directory on each server. On Windows, the default directory is C:\Program
Files\Business Objects\BusinessObjects Enterprise
11.5\win32_x86\ProcessExt. On UNIX, it is the bobje/processext
directory.
Tip: It is possible to share a processing extension file. For details, see
“Sharing processing extensions between multiple servers” on page 446.
Depending upon the functionality that you have written into the extension,
copy the library onto the following machines:
• If your processing extension intercepts schedule requests only, copy your
library onto each machine that is running as a Job Server.
• If your processing extension intercepts view requests only, copy your
library onto each machine that is running as a Page Server or RAS.
• If your processing extension intercepts schedule and view requests, copy
your library onto each machine that is running as a Job Server, Page
Server, or RAS.
Note: If the processing extension is required only for schedule/view requests
made to a particular Server Group, you need only copy the library onto each
processing server in the group.
To register a processing extension with the system
1. Go to the Objects management area of the CMC.
2. Click Object Settings.

3. In the Name field, type a display name for your processing extension.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 443


15 Managing Objects
Report object management

4. In the Location field, type the file name of your processing extension
along with any additional path information:
• If you copied your processing extension into the default directory on
each of the appropriate machines, just type the file name (but not the
file extension).
• If you copied your processing extension to a subfolder below the
default directory, type the location as: subfolder/filename
Note: Although the actual file name must include the .dll or .so extension
(as appropriate to the server’s operating system), you must not include
the file extension in the Location field.
5. Use the Description field to add information about your processing
extension.
6. Click Add.
You can now select this processing extension to apply its logic to
particular objects. For details, see “Selecting a processing extension for a
report” on page 444.
Tip: To delete a processing extension, select its check box and click
Delete. (Make sure that no recurring jobs are based on this processing
extension because any future jobs based on this processing extension
will fail.)

Selecting a processing extension for a report


Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
To select a processing extension for a report
1. Go to the Objects management area of the CMC.
2. Click the link to the report object that you want to apply your processing
extension to.
3. Click the Process tab, and then click the Filters link.

444 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Report object management 15

4. Select your processing extension in the Available Processing


Extensions list.
Note: Your processing extensions appear in this list only after you have
registered them with the system. For details, see “Registering processing
extensions with the system” on page 443.
Tip: You may apply more than one processing extension to a report
object. Repeat steps 4 and 5 for each processing extension; then use the
up and down arrows to specify the order in which the processing
extensions should be used.
5. Click Update.
Your processing extension is now enabled for this report object.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 445


15 Managing Objects
Report object management

Sharing processing extensions between multiple servers


Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
If you want to put all processing extensions in a single location, you can
override the default processing extensions directory for each Job Server,
Page Server, and RAS. First, copy your processing extensions to a shared
directory on a network drive that is accessible to all of the servers. Map (or
mount) the network drive from each server’s machine.
Note: Mapped drives on Windows are valid only until you reboot the
machine. For details, see “Ensuring that server resources are available on
local drives” on page 526.
If you are running servers on both Windows and on UNIX, you must copy a
.dll and an .so version of every processing extension into the shared directory.
In addition, the shared network drive must be visible to Windows and to UNIX
machines (through Samba or some other file-sharing system).
Finally, change each server’s command line to modify the default processing
extensions directory. Do this by adding “-report_ProcessExtPath
<absolute path>” to the command line. Replace <absolute path> with the path
to the new folder, using whichever path convention is appropriate for the
operating system that the server is running on (for example,
M:\code\extensions, /home/shared/code/extensions, and so on).
The procedure for making this modification depends upon your operating
system:
• On Windows, use the CCM to stop the server. Then open the server’s
Properties to modify the command line. Start the server again when you
have finished.
• On UNIX, run ccm.sh to stop the Job Server/Page Server. Then edit
ccm.config to modify the server’s command line. Start the server again
when you have finished. For reference, see the BusinessObjects
Enterprise Administrator’s Reference Guide.

Working with hyperlinked reports


Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
Crystal Reports lets you use hyperlinks to navigate from one report object to
another. You can move to a Report Part within the report itself, to other report
objects or their parts, or to specific instances of reports or Report Parts. This
navigation is available only in the new script-based DHTML viewers (zero-

446 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Report object management 15
client, server-side viewers) included in BusinessObjects Enterprise XI. By
linking directly from one object to another, the required data context is passed
automatically so that you navigate to the object and data that is relevant.
Initially, when you add hyperlinks between reports in Crystal Reports, you
create a link from one file directly to another. However, when you publish
linked report files simultaneously to the same object package, the links are
modified to point to managed report objects. (Each link is changed, so that it
references the appropriate destination report by Enterprise ID, rather than by
file path.) Also, the modified links become relative inside the object package.
When you schedule the object package, BusinessObjects Enterprise
processes its reports, and again modifies hyperlinks within each report
instance: hyperlinks between report objects in an object package are
converted to hyperlinks between report instances in a specific instance of the
object package. For more information on object packages, see “Scheduling
objects using object packages” on page 469.
To view hyperlinked reports, you must publish both the home and destination
reports to the same BusinessObjects Enterprise system. (A home report is
one that contains a hyperlink to another report: the destination report.)
Note: For information about how to create hyperlinks between report objects,
see the Crystal Reports Online Help.

Publishing and hyperlinking reports


Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
To avoid breaking hyperlinks between reports, it is best to publish the reports
first and then to create the hyperlinks.
To publish and then hyperlink reports
1. Create the reports, without hyperlinks, in Crystal Reports.
2. Publish them to BusinessObjects Enterprise.
3. Use Crystal Reports to log on to your BusinessObjects Enterprise system.
4. Create the hyperlinks between the home and destination reports. See the
Crystal Reports Online Help.
Crystal Reports automatically determines what type of link—relative or
absolute—to establish between the reports. In BusinessObjects Enterprise,
relative links are those between reports in the same object package, and
absolute links are links to specific report objects or instances.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 447


15 Managing Objects
Report object management

Publishing reports with existing hyperlinks


Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
The recommended method for creating hyperlinked reports is first to publish
the individual reports, then create hyperlinks between them. See “Publishing
and hyperlinking reports” on page 447.) However, because this is not always
possible, use the following procedure to publish reports after they have been
hyperlinked. When you publish reports this way, the hyperlinks are converted
to relative links.
To publish reports with existing hyperlinks
Using the Publishing Wizard, publish the reports (that are linked to each
other) to the same object package.
Note: If you publish hyperlinked reports independently of each other, rather
than publishing them simultaneously to the same object package, all
hyperlinks between the reports will break. You must re-establish the links
using Crystal Reports and save the report back to BusinessObjects
Enterprise. (For more information, see the Crystal Reports Online Help.)

Viewing hyperlinks in a report


Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
You can view a list of the links in a report by clicking the Links link on the
report’s Properties page. The links are listed as either relative or absolute. In
BusinessObjects Enterprise, relative links are those between reports in the
same object package, and absolute links are links to specific report objects or
instances.
To view a list of links in a report object
1. In the Objects management area of the CMC, select the report object by
clicking its link.
2. Click the Properties tab, and then click the Links link.
The Links page appears.

Viewing hyperlinked reports


Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
BusinessObjects Enterprise supports navigation between hyperlinked reports
only with script-based viewers, specifically the DHTML and Advanced
DHTML viewers in InfoView. To change your preferred viewer in the CMC,

448 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Program object management 15
click the Preferences button in the upper-right corner of the CMC, and select
the appropriate viewer from the Viewer list. For information on how to change
your preferred viewer, see the BusinessObjects Enterprise User’s Guide.
Parameter information is not carried over between the home and destination
reports. That is, when you view a destination report by clicking a hyperlink in a
home report, you are prompted to enter any parameters that the destination
report requires.
Security considerations
To view hyperlinked reports through BusinessObjects Enterprise, you must
have the appropriate rights both in BusinessObjects Enterprise and at the
database level.
In BusinessObjects Enterprise, to view a destination report through a
hyperlink in a home report, you must have View rights to the destination
report. When the hyperlink points to a report object, you must have View On
Demand rights to be able to refresh the data against the data source. For
information about setting the levels of access to objects, see “Setting
common access levels” on page 296.
Database logon information is carried over between hyperlinked reports. If the
credentials you specified to view the home report are not valid for the
destination report, you are prompted for a valid set of database logon
credentials for the destination report.

Program object management


This section explains program objects and instances, and how to manage
them through the Central Management Console (CMC). It includes the
following sections:
• “What are program objects and instances?” on page 449
• “Setting program processing options” on page 451

What are program objects and instances?


A program object is an object in BusinessObjects Enterprise that represents an
application. Publishing a program object to BusinessObjects Enterprise allows
you to use BusinessObjects Enterprise to schedule and run the program object
and to manage user rights in relation to the program object. For information
about publishing program objects, see “Overview” on page 346.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 449


15 Managing Objects
Program object management

When you publish a program object or its associated files to BusinessObjects


Enterprise, they are stored in the Input File Repository Server (FRS). Each
time a BusinessObjects Enterprise program runs, the program and files are
passed to the Program Job Server, and BusinessObjects Enterprise creates a
program instance. Unlike report instances, which you can view in their
completed format, program instances exist as records in the object history.
BusinessObjects Enterprise stores the program’s standard out and standard
error in a text output file. This file appears when you click a program instance
in the object History.
Program types
Three types of applications can be published to BusinessObjects Enterprise
as program objects:
• Executable
Executable programs are binary files, batch files, or shell scripts. They
generally have file extensions such as: .com, .exe, .bat, .sh. You can
publish any executable program that can be run from the command line
on the machine that runs the Program Job Server.
• Java
You can publish any Java program to BusinessObjects Enterprise as a
Java program object. For Java program objects to have access to Java
SDK objects, your class must implement the IProgramBase interface
from the BusinessObjects Enterprise Java SDK
(com.businessobjects.sdk.plugin.desktop.program.IProgramBase). For
details, see the BusinessObjects Enterprise Java SDK Guide.
• Script
Script program objects are JScript and VBScript scripts. They are run on
Windows using an embedded COM object and can—once published—
reference the BusinessObjects Enterprise SDK objects. For details, see
the BusinessObjects Enterprise COM SDK Guide.
Note: Script program objects are not supported on UNIX.
Note: As the administrator, you can choose to enable or disable any of the
types of program objects. For details, see “Authentication and program
objects” on page 456.
Once you have published a program object to BusinessObjects Enterprise,
you can configure it in the Objects management area of the CMC. For each
type of program object (Executable, Java, or Script) you can choose to
specify command-line arguments and a working directory. For executable and
Java programs, there are additional ways, both required and optional, to
configure the program objects and provide them with access to other files.

450 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Program object management 15
Tip: Program objects allow you to write, publish, and schedule scripts or
Java programs that run against BusinessObjects Enterprise, and perform
maintenance tasks, such as deleting instances from the history. Furthermore,
you can design these scripts and Java programs to access BusinessObjects
Enterprise session information. This ensures that the scheduled program
objects retain the security rights or restrictions of the user who scheduled the
job. (Your scripts or java programs require access to the BusinessObjects
Enterprise SDK. For details, see the BusinessObjects Enterprise COM SDK
Guide or the BusinessObjects Enterprise Java SDK Guide.)

Setting program processing options


For each object you can set several processing options. These options
appear on the Process page for the object. Setting the program processing
options includes the following tasks:
• “Specifying command-line arguments” on page 451
• “Setting a working directory for a program object” on page 452
• “Configuring executable programs” on page 453
• “Configuring Java programs” on page 455
• “Authentication and program objects” on page 456

Specifying command-line arguments


For each program object you can specify command-line arguments on the
Parameters page for the object. You can specify any argument that is
supported by the command-line interface for your program. Arguments are
passed directly to the command-line interface, without parsing.
To specify command-line arguments
1. In the Objects management area of the CMC, select the program object
by clicking its link.
2. Click the Process tab, then click the Parameters link.
The Parameters page appears.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 451


15 Managing Objects
Program object management

3. In the Arguments field, type the command-line arguments for your


program, using the same format you would use at the command line
itself.
For example, if your program has a loops option, to set the loops value to
100, you might type -loops 100
4. Click Update.

Setting a working directory for a program object


By default, when a program object runs, BusinessObjects Enterprise creates
a temporary subdirectory in the Program Job Server’s working directory, and
uses this subdirectory as the working directory for the program. The
subdirectory is automatically deleted when the program finishes running.
You can specify an alternative working directory for the program object by
modifying the Working Directory field on the Parameters page of the object.
Or, you can modify the default setting for the working directory for the
Program Job Server.
Note: The account under which the program runs must have appropriate
rights to the folder that you set as the working directory. The level of file
permissions required depend on what the program does; however, the
program’s account generally needs read, write, and execute permissions to
the working directory. For information about setting credentials for an account
under which a program object will run, see “Authentication and program
objects” on page 456.
To set a working directory for a program object
1. In the Objects management area of the CMC, select the program object
by clicking its link.
2. Click the Process tab, then click the Parameters link.
The Parameters page appears.
3. In the Working Directory field, type the full path to the directory that you
want to set as the program object’s working directory.
For example, on Widows, if you created a working directory named
working_directory, type C:\working_directory
On UNIX, type /working_directory
4. Click Update.

452 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Program object management 15
To modify the default working directory for the Program Job Server
1. Go to the Servers management area of the CMC.
2. Click the link for Program Job Server.
The Properties page appears.
3. In the Temp Directory field, type the full path to the directory you want to
set as the working directory for the Program Job Server.
4. Click Update.

Configuring executable programs


When you publish an executable program object to the CMC, you can:
• Configure the object to have access to external or auxiliary files. See
“Providing Java programs with access to other files” on page 455.
• Customize environment variables for the shell in which BusinessObjects
Enterprise runs the program. See “Specifying environment variables” on
page 454.
Providing executable programs with access to other files
Some binary files, batch files, and shell scripts require access to external or
auxiliary files to run. Aside from setting a working directory for the program
object, there are two ways to provide access to these files:
• If a required file is on the same machine as the Program Job Server, you
can specify the full path to the file.
• Alternatively, if the file is not located on the Program Job Server, you can
upload the file to the File Repository Server, which will pass the files to
the Program Job Server as necessary.
To specify paths to required files
1. In the Objects management area of the CMC, select the executable
program object by clicking its link.
2. Click the Process tab, then click the Parameters link.
The Parameters page appears.
3. In the External Dependencies field, type the full path to the required file
and click Add.
4. Repeat step 3 for each file required.
5. Click Update.
Tip: To edit or remove external dependencies that you have specified, select
the file path (in the list of external dependencies on the Parameters page) and
click the appropriate button, either Edit or Remove.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 453


15 Managing Objects
Program object management

To upload required files


1. In the Objects management area of the CMC, select the executable
program object by clicking its link.
2. Click the Process tab, then click the Auxiliary Files link.
The Auxiliary Files page appears.
3. Click Browse to navigate to the required file, then click Add File.
4. Repeat step 3 for each required file.
5. Click Update.
Tip: To remove auxiliary files that you have specified, select the file(s) (in the list
of external dependencies on the Parameters page) and click Remove File(s).
Specifying environment variables
In the CMC, you can configure your program by adding or modifying
environment variables. Modifications to an existing environment variable
override this variable, rather than append to it. Any changes you make to
environment variables exist only in the temporary shell in which
BusinessObjects Enterprise runs the program. Thus, when the program exits,
the environment variables are destroyed.
To add an environment variable
1. In the Objects management area of the CMC, click the link for the
program object.
2. Click the Process tab, then click the Parameters link.
The Parameters page appears.
3. In the Environment Variables field, type the environment variables you
want to set.
Use the form name=value, where name is the environment variable name
and value is the value for the environment variable. For example, you can
set the path variable to append a user’s bin directory to the existing path:
• On Windows, you might type: path=%path%;c:\usr\bin
• On UNIX, you might type:PATH=$PATH:/usr/bin
Note: BusinessObjects Enterprise sets your environment variables using
the syntax that is appropriate for your operating system. However, on
UNIX you must follow convention, and use the appropriate case. For
example, all name values on UNIX must be typed in upper-case.
4. Click Update.
Tip: To edit or remove environment variables that you have specified, select
the variable (in the list of environment variables on the Parameters page), and
click the appropriate button, either Edit or Remove.

454 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Program object management 15
Configuring Java programs
To successfully schedule and run Java programs in BusinessObjects
Enterprise, you must specify the required parameters for the program object.
See “Setting required parameters for Java programs” on page 455.
Additionally, you can provide the Java program with access to other files
located on the Program Job Servers, and you can specify Java Virtual
Machine options. See “Providing Java programs with access to other files” on
page 455.
Setting required parameters for Java programs
To successfully schedule and run a Java program, you must provide
BusinessObjects Enterprise with the base name of the .class file that
implements the IProgramBase interface from the BusinessObjects Enterprise
Java SDK.
Note: The Java Runtime Environment must be installed on each machine
that is running a Program Job Server.
To specify required parameters for Java programs
1. In the Objects management area of the CMC, click the link for the Java
program object.
2. Click the Parameters tab.
The Parameters page appears.
3. In the Class to run field, type the base name of the .class file that
implements the IProgramBase from the BusinessObjects Enterprise Java
SDK (com.businessobjects.sdk.plugin.desktop.program.IProgramBase).
For example, if the file name is Arius.class, type Arius
4. Click Update.
Providing Java programs with access to other files
You can provide Java programs with access to files, such as Java libraries,
located on the Program Job Server.
To provide Java programs with access to other files
1. In the Objects management area of the CMC, click the link for the Java
program object.
2. Click the Process tab, then click the Parameters link.
The Parameters page appears.
3. In the Classpath field, type the full paths to the locations of any Java
library files that are required by the Java program, and stored on the
Program Job Server.
You must separate multiple paths with the classpath separator that is
appropriate to your operating system: a semi-colon for Windows, a colon
for UNIX.
4. Click Update.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 455


15 Managing Objects
Program object management

Authentication and program objects


Be aware of the potential security risks associated with the publication of
program objects. As the administrator, you must protect the system against
abuse. The level of file permissions for the account under which a program object
runs will determine what modifications, if any, the program can make to files.
You can control the types of program objects users can run, and you can
configure the credentials required to run program objects.
Enabling or disabling a type of program object
As a first level of security, you can configure the types of program objects
available for use.
To enable or disable a type of program object
1. In the Objects management area of the CMC, click Object Settings.
2. Click the Program Objects tab.
3. Select the type or types of program objects you want users to run.
4. Click Update.
Authentication on all platforms
In the Objects management area of the CMC, you must specify credentials for
the account under which the program runs. This feature allows you, the
administrator, to set up a specific user account for the program, and assign it
appropriate rights, to have the program object run as that account. For
details, see “Controlling users’ access to objects” on page 293.
Alternatively, users who publish program objects to BusinessObjects
Enterprise can assign their own credentials to a program object, to give the
program access to the system. Thus, the program will run under that user
account, and the rights of the program will be limited to those of the user. If
you choose not to specify a user account for a program object, it runs under
the default system account, which generally has rights locally but not across
the network.
Note: By default, when you schedule a program object, the job fails if
credentials are not specified. To provide default credentials, click Object
Settings in the Objects management area, then click the Program Objects
tab. Click “Schedule with the following operating system credentials” and
provide a default user name and password.
To specify a user account for a program object
1. In the Objects management area of the CMC, click the link for the
program object.
2. Click the Process tab, then click the Logon link.

456 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Object package management 15
The Logon page appears.
3. In the User Name and Password fields, type the credentials for the user
account under which the program should run.
4. Click Update.
Authentication for Java programs
BusinessObjects Enterprise allows you to set security for all program objects.
For Java programs, BusinessObjects Enterprise forces the use of a Java
Policy File, which has a default setting that is consistent with the Java default
for unsecure code. Use the Java Policy Tool (available with the Java
Development Kit) to modify the Java Policy File, to suit your specific needs.
The Java Policy Tool has two code base entries. The first entry points to the
BusinessObjects Enterprise Java SDK and allows program objects full rights
to all BusinessObjects Enterprise JAR files. The second code base entry
applies to all local files. It uses the same security settings for unsecure code
as the Java default for unsecure code.
Note:
• The settings for the Java Policy are universal for all Program Job Servers
running on the same machine.
• By default, the Java Policy File is installed to the Java SDK directory in
the BusinessObjects Enterprise install root directory. For example, a
typical location on Windows is:
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\conf\crystal-program.policy
On UNIX, a typical location is
.../solaris_install/bobje/enterprise11/JavaSDK/crystal-
program.policy

Object package management


This section explains object packages and instances, and how to manage
them through the Central Management Console (CMC). It includes:
• “What are object packages, components, and instances?” on page 458
• “Creating an object package” on page 458
• “Adding objects to an object package” on page 459
• “Configuring object packages and their objects” on page 460
• “Authentication and object packages” on page 461

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 457


15 Managing Objects
Object package management

What are object packages, components, and instances?


Object packages function as distinct objects in BusinessObjects Enterprise.
Think of them as folders you can schedule, along with all of their contents.
Object packages can be composed of any combination of report and program
objects that are published to the BusinessObjects Enterprise system. (Non-
BusinessObjects Enterprise objects, such as Excel, Word, Acrobat, Text, Rich
Text, PowerPoint, and Hyperlink objects, cannot be added to object packages.)
Placing multiple objects in a single object package allows you to schedule them
simultaneously. For reports, object packages allow users to view synchronized
data across reports. Component objects are not autonomous. They have more
limited configuration options than other objects, and they do not appear in the
list of all objects on the first page of the Objects management area of the CMC.
Rather, you can only view them by opening their object package.
BusinessObjects Enterprise creates an object package instance each time it runs
an object package. The object package instance contains individual instances of
each of its component objects. Component instances are tied to object package
instances, rather than to component objects. For example, if you run an object
package, and thereby create an instance, then remove a report object from the
object package, the existing object package instance does not change; it still
contains the report instance from the report object that you removed. Future
instances of the object package, however, will reflect the change.
For hyperlinked report instances in object package instances, the hyperlinks
point to the other report instances in the same object package instance. For
details about hyperlinked reports, see “Working with hyperlinked reports” on
page 446.
Creating an object package
1. Go to the Objects management area of the CMC.
2. Click New Object, then click the Object Package tab.
The Object Package tab appears.
3. In the Title field, type the name of the object package you want to create.
4. In the Description field, type a description of the object package.
This field is optional.
5. Ensure the correct folder name appears in the Destination field.
Note: You cannot place object packages in the top level folder or inside
other object packages.
Tip:
• To expand a folder, select it and click Show Subfolders.
• To search for a specific folder, use the Look For field.

458 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Object package management 15
6. Click OK.
Note: When the object package has been added to the system, the CMC
displays the Properties page. You can now modify the properties,
contents, scheduling information, destination, user rights, object settings,
and notification for the object package.

Adding objects to an object package


In the CMC, after you have created an object package, you can add report
and/or program component objects to it. You can add previously unpublished
objects directly to the object package, or you can copy existing objects into
the object package. You can only move copies of existing objects into the
object package, or between object packages; you cannot move the existing
objects themselves. For details on copying objects, see “Copying, moving, or
creating a shortcut for an object” on page 419.
When you copy an object into an object package, the component object
retains the same settings as the original object. However, once you create the
copy of the original object inside the object package, the component and the
original are separate entities. Changes in one object are not reflected in the
other.
Note: You publish objects to new or existing object package using the
Publishing Wizard. For details, see “Publishing with the Publishing Wizard” on
page 346.
To publish a new object directly to an object package
1. In the Objects management area of the CMC, view an object package by
clicking its link.
2. Click the Objects tab, then click the New Object button.
3. A list of object tabs appears. Note that you can add only report objects or
program objects to an object.
4. Click the appropriate tab, Report or Program.
5. Specify the file name or, or click browse to navigate to the object you
want to publish.
6. Set the appropriate properties.
• For reports, set whether to generate a thumbnail for the report, and
whether to use the Object Repository when refreshing the report.
• For programs, set the program type: Executable, Java, or Script.
7. Click OK.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 459


15 Managing Objects
Object package management

Configuring object packages and their objects


Object packages are intended to save you time scheduling objects that have
similar scheduling requirements. As a result, you configure some parameters
at the object package level, and some at the object level, that is, for the
individual objects in the object package.
For example, you have to specify the destination for an object package, but
you cannot specify destinations for the individual objects in the package.
When the system runs the object package, it will save the output instances to
the destination you specified for the object package.
Note: Because the objects in an object package are copies of objects that
exist outside the package, the changes you make will not affect the objects
outside the object package.
The following table indicates which configuration parameters you can modify
for an object package or for individual objects in a package. The parameters
are identified by tab or link. For information on how to set or modify these
parameters, see:
• “General object management” on page 419
• “Report object management” on page 427
• “Program object management” on page 449
• Chapter 16: Scheduling Objects

Configuration Configure for an Configure for


tabs and links object package individual objects in
a package
Properties tab yes yes
Refresh Options -- yes
Links -- yes
History tab yes --
Process tab Scheduling server View & Modify server
Database -- yes
Parameters -- yes
Filters -- yes
Print Setup -- yes
Schedule tab yes --
Notification -- yes
Alert Notification -- yes

460 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Objects
Object package management 15
Configuration Configure for an Configure for
tabs and links object package individual objects in
a package
Format -- yes
Destination yes --
Schedule For yes --
Categories tab n/a n/a
Corporate yes yes
Personal yes yes
Rights tab yes --

Authentication and object packages


Object packages simplifies both Enterprise and database authentication. You
enter your Enterprise authentication only once to schedule the object
package, including all of its component objects. Consequently, you must have
scheduling rights for each of the objects inside the object package. If you
attempt to schedule a package that contains one or more component objects
to which you do not have schedule rights, the component instance(s) fail(s).
For database authentication, you specify database logon information for each
report component object in the object package. (If you copied the report into
the object package, it initially inherits the database logon information of the
original report.)

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 461


15 Managing Objects
Object package management

462 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects

chapter
16 Scheduling Objects
Scheduling objects overview

Scheduling objects overview


Scheduling an object lets you run it automatically at specified times. You can
schedule report objects, Web Intelligence documents, Desktop Intelligence
documents, publications, program objects, and object packages. For details
about object types and object management, see Chapter 15: Managing
Objects.
When you schedule an object, the system creates a scheduled instance for
the object. A scheduled instance contains object and schedule information. It
does not contain any data yet. Scheduled instances appear on the History
page of the respective object and have a status of Recurring or Pending.
When the system runs the object, it creates an output instance for the object
(for example, a report or program instance). A report instance contains actual
data from the database. A program instance is a text file that contains the
standard output and standard error produced when the program object was
run. Output instances also appear on the History page of an object and have
a status of Success or Failed.
This chapter contains the following sections:
• “Scheduling objects” on page 464
This section provides information on how to schedule objects.
• “Managing instances” on page 490
This section describes how to manage instances for an object.
• “Setting the scheduling options” on page 474
This section describes the options on the different Schedule pages for an
object, such as Notification, or Destination.

Scheduling objects
When you schedule an object, the system creates a scheduled instance for
the object. A scheduled instance contains object and schedule information. It
does not contain any data yet. Scheduled instances appear on the History
page of the respective object and have a status of Recurring or Pending.
Scheduled instances use the settings that are presently configured for the
object in CMC.
In order for a program object to be successfully scheduled and run, you must
provide logon information for the account that the program object will run as.
For details, see “Authentication and program objects” on page 456.

464 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Scheduling objects 16
For end users to schedule and run objects, they must use a web-based client
such as InfoView or a custom web application. InfoView is designed primarily
to schedule objects and view reports, whereas CMC enables you to manage
and administer objects in addition to scheduling objects and viewing reports.
Many scheduling options allow you to schedule an instance with events. For
details, see “Scheduling an object with events” on page 471.
Note: If a Web Intelligence document has been set to “refresh on open” then
the system will access the database to obtain the latest information each time
a user views the document. Therefore, it may not be advantageous to
schedule Web Intelligence documents that are set to “refresh on open”,
because running the document at scheduled times will not reduce the number
of database hits.
To schedule an object
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Schedule tab.
The Schedule page appears, showing the default settings for the object.
3. Select the recurrence pattern you want. For example, select Weekly.
For a list and descriptions of the recurrence patterns, see “Recurrence
patterns” on page 467.
4. Specify the Run option and parameters that you want. For example,
select “Every week on” and then specify Monday, Wednesday, and
Friday.
For a list and descriptions of the Run options and parameters, see “Run
options and parameters” on page 467.
5. Set any of the other schedule options and parameters as required. For
details, see “Setting the scheduling options” on page 474.
6. Click Schedule.
The system creates a scheduled instance and it will run the instance
according to the schedule information you just specified. You can view
the scheduled instance on the History page for the object. See also
“Managing and viewing the history of instances” on page 491.
Note: To save the schedule settings as the new default setting for the
object, click Update. The new settings on the Schedule tab for the object
are saved.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 465


16 Scheduling Objects
Scheduling objects

About the scheduling options and parameters


When you schedule an object, you choose the recurrence pattern that you
want. For example, you select Daily or Weekly, and then the run option (for
example, “Every week on”). You then specify additional parameters to control
exactly when and how often the object will be run.
The recurrence patterns appear on the left of the Schedule page. The Run
options list and related parameters appear to the right of the recurrence
patterns.

466 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Scheduling objects 16
Which run options and parameters are available depends on the recurrence
pattern you selected. In many cases the same parameters appear, such as
start and end dates. The names of the recurrence patterns, options, and fields
are generally self explanatory, but for a complete description, see:
• “Recurrence patterns” on page 467
• “Run options and parameters” on page 467

Recurrence patterns
When scheduling an object, you can choose from the following recurrence
patterns:
• On demand—The object will be run only when a user request it to be
run.
• Once—The object will be run only once. It can be run now or in the
future, or when a specified event has occurred.
• Daily—The object will be run every day. It can be run once or several
times a day. You can specify what time as well as a start and end date.
• Weekly—The object will be run every week. It can be run once a week or
several times a week. You can specify which days, what time, and a start
and end date.
• Monthly—The object will be run every month or every several months.
You can specify on which days of the month, what time, and a start and
end date you want it to run.
• Calendar—The object will be run on the dates specified in a calendar.
You can specify which calendar. The calendar must have been previously
created. See Chapter 17: Managing Calendars.

Run options and parameters


This section describes the Run parameters for scheduling an object. Not all
parameters apply in all cases, but when they apply, their function is the same.
Run
This list always appears, but the options vary depending on which recurrence
pattern you select.
For example, if you select Daily, you can select to run the object “Once each
day” or “Every X day(s).” If you select Monthly, you can select to run the
object “On the Nth day of the month” or “On the first Monday of the month.” To
see all the Run options for a recurrence pattern, refer to the software.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 467


16 Scheduling Objects
Scheduling objects

X and N variables
Applies to certain Daily and Monthly recurrence patterns only. When you
select a Run option that contains these variables, the system displays their
default values. You can then changes these values as needed.
For example, if you select the “Daily” recurrence pattern and the “Every X
hour(s), N minute(s)” Run option, you could specify to run the report every 4
(X) hours and 30 (N) minutes. If you don’t change the X or N value, the
system will run the report every hour.
Start Date
Applies to most, but not all recurrence patterns and Run options. The default
is the current date and time. The system will run the object according to the
schedule that you specified, as soon as it can, after the Start Date has
passed.
For example, if you specify a start date that is three months into the future,
the system won’t run the object until the start date has passed, even if all the
other criteria are met. After that, the system will run the report at the specified
time.
End Date
Applies to most, but not all, recurrence patterns and Run options. The default
is the current time and a date in the distant future, to ensure an object will be
run indefinitely. Specify a different End Date if required. Once the End Date
has passed, the system no longer runs the object.
Available Events
Applies to all Run options that include “with events.” Select an event and click
the Add button to move it to the “Events to wait for” box. You can select one or
several events. The system will run the object only when those events have
been successfully completed. See also “Scheduling an object with events” on
page 471.
Available Schedule Events
Applies to all Run options that include “with events.” Select an event and click
the Add button to move it to the “Events to trigger on completion” box. You
can select one or several events. A successful run of the object will trigger the
events that you specified. This list of events contains schedule events only.
You cannot trigger file or custom events. See also “Scheduling an object with
events” on page 471, and Chapter 18: Managing Events.
Number of retries allowed
Always applies. The number of times the system attempts to process an
object if the first attempt is not successful. By default, the number is zero.

468 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Scheduling objects 16
Retry interval in seconds
Always applies. The period, in seconds, that the system will wait before it
attempts to process the object again if the first attempt is unsuccessful.

Scheduling objects using object packages


You can schedule objects in batches using the object packages feature.
Object packages function as distinct objects in BusinessObjects Enterprise.
They can contain any combination of objects that can be scheduled, such as
report and program objects, and Web Intelligence documents. Using object
packages simplifies authentication. In terms of reports and Web Intelligence
document, it allows users to view synchronized data across instances.
This procedure describes how to use the CMC to schedule objects by using
object packages.
First you publish an object package. Then, you copy existing objects into the
object package. Finally, you schedule the object package as you would any
object. Alternatively, you can publish objects directly to an object package,
and then you can schedule that object packages as you would any object. For
details on publishing directly to an object package, see “Overview” on
page 346. For details on configuring object packages, see “Object package
management” on page 457.
Note:
• You must configure the processing information of each of the
components of an object package individually. For example, if you want a
report object in an object package to print when scheduled, you must
configure it through the Print Setup link available on the report object’s
Process tab. For more information about configuring objects, see
“Managing Objects” on page 417.
• For information about publishing hyperlinked report objects, see “Working
with hyperlinked reports” on page 446.
To schedule objects using object packages
1. Go to the Objects management area of the CMC.
2. If the object package already exist, skip this step. Otherwise:
a. Click New Object, and then click the Object Package tab.
b. Type the package name and a description.
c. Select a destination for the object package.
d. If you want, assign the object package to a category.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 469


16 Scheduling Objects
Scheduling objects

e. Click Submit.
f. Go to the Objects management area of the CMC again.
See also “Publishing with the Central Management Console” on
page 357.
3. Select the check boxes associated with each object you want to place in
the object package.
4. Click Copy/Move/Shortcut.
The Copy/Move/Create Shortcut page appears.

5. Select Copy to.


Note: Existing objects cannot be moved into an object packages; they
must be copied to the object package.
6. Select the object package you created as the Destination for the objects,
and then click OK.
Tip:
• Object packages are indicated by [square brackets].
• To expand a folder, select it and click Show Subfolders.
• To search for a specific folder or object package, use the Look For
field.
7. Schedule the object package.
See “Scheduling objects” on page 464.

470 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Scheduling objects 16
Scheduling an object with events
When you schedule an object with events, the object will be run only when the
additional condition (that is, the event) occurs. You can tell an object to wait
for any, or all of the three event types: file-based, custom-based, and
schedule-based. If you want a scheduled object to trigger an event, you must
choose a schedule-based event.
Note: A file-based event is triggered upon the existence of a specified file. A
custom-based event is triggered manually. A schedule-based event is
triggered by another object being run.
Scheduling objects based on an event
When you schedule an object that waits for a specified event, the object will
run only when the event is triggered, and only when the rest of the schedule
conditions are met. If the event is triggered before the start date of the object,
the object will not run. If you have specified an end date for this object, and if
the event is not triggered before the end date occurs, the object will not run
because not all of the conditions will have been met. Also, if you choose a
weekly, monthly, or calendar schedule, the object will have a specified time
frame in which it can be processed. The event must be triggered within this
specified time for the object to run. For example, if you schedule a weekly
report object that runs every Monday, the event must be triggered within the
24-hour period on Monday; if the event is triggered outside of the 24-hour
period, then the report will not run.
Scheduling objects to trigger an event
You can also schedule an object which triggers a schedule-based event upon
completion of the object being run. When the object is run, BusinessObjects
Enterprise will trigger the specified event. For a schedule-based event, if the
event is based on the instance being run successfully, for example, the event
won’t be triggered if the instance fails. For a sample scenario on when you would
use a schedule-based event, see “Schedule-based events” on page 506.
Note: To schedule an object with events, first ensure that you have created
the event. See “Managing events overview” on page 504.
To schedule an object to run based on events
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Schedule tab.
3. Select the recurrence pattern you want. For example, select Weekly.
For a list and descriptions of the recurrence patterns, see “Recurrence
patterns” on page 467.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 471


16 Scheduling Objects
Scheduling objects

4. In the Run list, select a run option that contains the words, “with events.”

5. Select and complete the schedule parameters for your object (scheduling
option, Start Date, End Date, and so on).
For a list and descriptions of the Run options and parameters, see “Run
options and parameters” on page 467.
6. In the Available Events area, select from the list of events, and click Add.
For example, the report object above is set to wait for a Custom-based
event to occur before the report is processed.
7. To update the default scheduling information, click Update.
If you don’t click Update, any changes you made to the scheduling
information are not saved.
8. Click the Schedule button to schedule the object.

472 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Scheduling objects 16
To schedule an object to trigger an event
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Schedule tab.
3. From the list on the left of the page, select a recurrence pattern: Once,
Daily, Weekly, Monthly, or by Calendar.
For a list and descriptions of the recurrence patterns, see “Recurrence
patterns” on page 467.
4. In the Run list, select a run option that contains the words, “with events.”
5. Select and complete the schedule parameters for your object (scheduling
option, Start Date, End Date, and so on).

6. In the Available Schedule Events area, select from the list of events and
click Add.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 473


16 Scheduling Objects
Setting the scheduling options

For example, the report object above is set to trigger a Schedule-based


event only if the report is successfully processed.
Note: You can only select schedule-based events in this list.
7. To update the default scheduling information, click Update.
If you don’t click Update, any changes you made to the scheduling
information are not saved.
8. Click the Schedule button to schedule the object.

Setting the scheduling options


BusinessObjects Enterprise allows you to control the process and schedule
settings for an object. Setting the scheduling options includes the following
tasks:
• “Scheduling objects” on page 464
• “Setting notification for an object’s success or failure” on page 474
• “Specifying alert notification” on page 477
• “Selecting a destination” on page 480
• “Choosing a format” on page 487
• “Scheduling an object for a user or group” on page 489
• “Selecting cache options for Web Intelligence documents” on page 489

Setting notification for an object’s success or failure


You can set scheduling options that automatically send notification when an
object instance succeeds or fails. You can send notification using audit or
email notification. You can also combine multiple notification methods, and
provide different notification settings for successful and failed instances.
For example, you may have a large number of reports that run every day. You
need to check each instance to make sure it ran properly, and then send out
emails to the users who need to know that the new report is available. With
thousands of reports, it would take too much time to manually check the
reports and contact the users who need the information. Using notification
settings in BusinessObjects Enterprise, you can set each object to notify you
automatically when the report fails to run properly, and you can automatically
inform users when new report instances run successfully.

474 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Setting the scheduling options 16
Determining an object’s success or failure
When you schedule an object, the scheduled instance either succeeds or
fails. The conditions required for an instance’s success or failure depend on
the type of object you schedule:
• Report objects, Desktop Intelligence document objects, and Web
Intelligence document objects
A report instance or document object instance runs successfully if it
doesn’t encounter any errors while processing the object or accessing
the database. An instance may fail if the user does not provide the
correct parameters or logon information.
• Program objects
For program objects, the program must run in order to succeed. If the
program does not run, the instance is considered a failure. If the program
runs, but does not perform the tasks it is supposed to, it is still considered
a successful instance because the program object ran. BusinessObjects
Enterprise does not monitor problems with the program object’s code.
• Object packages
An object package may fail if one of its components fails. To change this
setting, click the object package’s Properties tab and clear the
“Scheduled package fails upon individual component failure” option.
You can also set scheduling options for individual objects within an object
package.
Note: You cannot set audit or email notification for object packages, but
you can set any type of notification for the individual objects in the object
package. You can also schedule object packages with events on the
Schedule tab. For more information about events, see “Schedule-based
events” on page 506.

About notification
You can set notification at the object level. You can select unique notification
options for each object, sending different types of notification for different
conditions. For object packages, you can set only event notification, which will
trigger an event based on success or failure of the object package. To monitor
object successes and failures from a more general perspective, use the
auditing functionality within BusinessObjects Enterprise.
If notification fails, then the object instance fails. For example, if an email
notification sends a message to an invalid email address, then the notification
fails and the object instance is recorded as a failure in the object’s history.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 475


16 Scheduling Objects
Setting the scheduling options

You can choose to notify using:


• Audit notification
To use audit notification, you must configure the auditing database and
enable auditing for the servers. If you use auditing to monitor your
BusinessObjects Enterprise system, you can use audit notification. For
more information about configuring the auditing database and enabling
auditing, see the BusinessObjects Enterprise Auditor’s Guide.
When you select audit notification, information about the scheduled
object is written to the auditing database. You can choose to have a
notification sent to the auditing database when the job runs successfully,
when it fails to run, or both.
Note: For the job servers you can also set audit notification on the
Auditing tab.
• Email notification
You can send an email as a notification of an object instance’s success or
failure. You can choose the sender and recipients of the email message.
You can send an email when the instance fails and when it succeeds. For
example, you could send your administrator an email if the report fails,
but when the report succeeds you can automatically send a notification to
everyone who needs the report to let them know it is now available.
Note: To enable email notification, you must have the Email SMTP
destination enabled and configured on the job servers. See “Configuring
the destinations for job servers” on page 116.
Note: Notification of a scheduled object’s success or failure is not the same
as alert notification. Alert notification must be built into the design of the
report. For example, alert notification can send an email to you whenever a
specific value in the report exceeds $1,000,000. In this case, the notification
has nothing to do with the contents of the report — it’s just about whether or
not the report object instance has failed or succeeded.
To set notification for an instance’s success or failure
1. Select an object in the Objects management area of the CMC.
2. Click the Schedule tab, then click the Notification link.
3. Click the notification type (or types) you want to use.
Note: If the notification type is already being used, it will be labelled
“Enabled”. If not, it will be labelled “Not in use”.
4. Choose the specific settings for the notification.

476 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Setting the scheduling options 16
Audit notification
To send a record to the auditing database when the job succeeds, select
“A job has been run successfully.”
To send a record when the job fails, select “A job has failed to run.”
Email notification
Choose whether you want to send a notification when the job fails or
when it succeeds.
To specify the contents and recipients of the email notification, select “Set
the vales to be used here” and provide the From and To email addresses,
the email subject line, and the message.
Note: By default, the notification is sent to the server’s default email
destination. For details on how to change the default email settings, see
“Email (SMTP) destination properties” on page 119.
5. Click Update.

Specifying alert notification


Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
Alerts are custom messages, created in Crystal Reports, that appear when
certain conditions are met by data in a report. Alerts may indicate actions to
be taken by the user or information about report data. If the alert condition (as
defined in Crystal Reports) is true, the alert is triggered and its message is
displayed.
In BusinessObjects Enterprise, you can choose to send alert notification
when scheduling a report. If you enable alert notification, messages are sent
through an SMTP server. You can configure email delivery options, specify
the “To,” “Cc,” and “From” fields for the email, add subject and message
information, set a URL for the viewer you want the email recipient to use, and
set the maximum number of alert records to send.
Note:
• The Alert Notification link is available only if the report object contains
alerts.
• Alerts are triggered in the report object even if you disable alert
notification.
• To enable alert notification, you must have the Email SMTP destination
enabled and configured on the job servers. See “Configuring the
destinations for job servers” on page 116.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 477


16 Scheduling Objects
Setting the scheduling options

To set alert notification


1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. Click the Schedule tab, and then click the Alert Notification link.
The Alert Notification page appears.

3. Select the Enable alert notification check box if you want to send an
alert notification.
4. Select either Use the Job Server’s defaults or Set the values to be
used at schedule time here.
If you select the first option, BusinessObjects Enterprise will deliver the
alert notification using the Job Server’s default settings. You can change
these settings in the Servers management area. For more information,
see “Configuring the destinations for job servers” on page 116.

478 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Setting the scheduling options 16
If you select the second option, you can specify the email settings:
• From
Type a return address or distribution list.
• To
Type the addresses or distribution list that you wish to send the
report to.
• Cc
Type the addresses or distribution list that you wish to send a copy of
the alert notification to.
• Subject
Complete the subject field.
• Message
Type a short message, if required.
Note: Separate multiple addresses or distribution lists using semicolons.
5. Type the URL for the viewer in which you want the email recipient to view
the report. Alternatively, you can select the default viewer by clicking Use
default.
The viewer URL appears in the hyperlink that is sent in the alert
notification email. You can set the default URL by clicking Object Settings
on the main page of the objects management area of the CMC. For more
information, see the developer documentation available on your product
CD.
Note: You must use World Wide Web Consortium (W3C) URL encoding
when typing the viewer URL. For example, replace spaces in the path
with %20. For more information, see http://www.w3.org/
6. Type the maximum number of alert records to be included in the alert
notification.
The hyperlink in the alert notification displays a report page that contains
the records that triggered the alert. Use this field to limit the number of
records displayed.
Tip: The Alert Name and Status fields are set in Crystal Reports.
7. Click Update.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 479


16 Scheduling Objects
Setting the scheduling options

Selecting a destination
Using BusinessObjects Enterprise, you can configure an object or instance
for output to a destination other than the default Output File Repository Server
(FRS). When the system runs an object, it always stores the output instance
on the Output FRS. Being able to choose an additional destination gives you
the flexibility to deliver instances across your enterprise system or to
destinations outside your enterprise system.
For example, you can set an object to have its output automatically delivered
by email to other users.
Note: You can also configure object instances to be printed after they have
been run. See “Setting printer and page layout options” on page 440.
When you specify a destination other than “Default”, BusinessObjects
Enterprise generates a unique name for the output file or files. To generate a
file name, you can use a combination of ID, name or title of the object, owner
information, or the date and time information.
The following destinations are available:
• “Default destination support” on page 481
• “Unmanaged Disk destination support” on page 481
• “FTP support” on page 483
• “Email (SMTP) support” on page 484
• “Inbox support” on page 486
Note: You can change the destination setting for an object or instance either
in the Central Management Console (CMC) or in InfoView. When you specify
the destination settings through the CMC, these settings are also reflected in
the default scheduling settings for InfoView.
For most objects you can specify any of the available destinations. However,
for object packages and Web Intelligence documents you cannot do this,
because the recipients must have access to the BusinessObjects Enterprise
system to be able to open these types of objects. For example, you cannot
specify Unmanaged Disk as a destination for a Web Intelligence document.
The following table summarizes which destinations you can configure for
which types of objects.

Object type Unm. Email (SMTP) Inbox


DIsk
FTP File Link File Link
Report - - - - - -
Object Package No No No No - -

480 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Setting the scheduling options 16
Object type Unm. Email (SMTP) Inbox
DIsk
FTP File Link File Link
Program - - - - - -
Web Intelligence No No No - - -
document
Desktop - - - - - -
Intelligence
document

Default destination support


By default, object instances are saved to the Output File Repository Server
(FRS). If you want to save instances to the FRS only and not to any other
destinations, select that option.
To set your destination to default
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Schedule tab, then click the Destination link.
The Destination page appears.
3. Select Default from the Destination list.
4. Click Update.

Unmanaged Disk destination support


When scheduling objects, you can configure the objects for output to an
unmanaged disk. In that case, the system will save an output instance to both
the Output File Repository Server and the specified destination.
If the object is a Web Intelligence document or an object package, you cannot
specify Unmanaged Disk as a destination. However, for an object package
you can configure the individual objects in the object package for output to
Unmanaged Disk.
Note:
• To use a destination, you must have the destination enabled and
configured on the job servers. See “Configuring the destinations for job
servers” on page 116.
• The location must be a local or mapped directory on the processing
server. For servers using Windows, the location can also be a Universal
Naming Convention (UNC) path.
• The processing server must have sufficient rights to the specified
location.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 481


16 Scheduling Objects
Setting the scheduling options

To set your destination to unmanaged disk


1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Schedule tab, then click the Destination link.
The Destination page appears.
Select Unmanaged Disk from the Destination list.
3. If you want, select the Clean up instance after scheduling option.
When that option is selected, the system automatically deletes the report
or program instance from the Output File Repository Server to keep the
number of instances on the server to a minimum.
4. Select either Use the Job Server’s defaults or Set the values to be
used at schedule time here.
If you select the first option, BusinessObjects Enterprise will schedule an
object using the Job Server’s default settings. You can change these
settings in the Servers management area. For more information, see
“Configuring the destinations for job servers” on page 116.
If you select the second option, you can set the file name properties and
enter user information:
• Destination Directory
Enter a local location, mapped location, or a UNC path.
• Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to
generate a random file name.
• Specified File Name
Select this option if you want to specify a file name—you can also
add a variable to the file name. To add a variable, choose a
placeholder for a variable property from the list and click Add. When
the instance is run, the variable will be replaced with the specified
information from the instance. For example, if you add the variable
“Owner,” when you schedule an object, its file name will include the
object owner’s name.
• User Name
Specify a user who has permission to write files to the destination
directory.
• Password
Type the password for the user.
Note: You can specify a user name and password only for servers using
Windows.
5. Click Update.

482 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Setting the scheduling options 16
FTP support
When scheduling objects, you can configure the objects for output to a File
Transfer Protocol (FTP) server. To connect to the FTP server, you must
specify a user who has the necessary rights to upload files to the server. If
you specify an FTP destination, the system will save an output instance to
both the Output File Repository Server and the specified destination.
If the object is a Web Intelligence document or an object package, you cannot
specify FTP as a destination. However, for an object package you can
configure the individual objects in the object package for output to FTP.
Note: To use a destination, you must have the destination enabled and
configured on the job servers. See “Configuring the destinations for job
servers” on page 116.
To set an FTP server as the destination
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Schedule tab, then click the Destination link.
The Destination tab appears.
3. Select FTP from the Destination list.
4. If you want, select the Clean up instance after scheduling option.
When that option is selected, the system automatically deletes the report
or program instance from the Output File Repository Server to keep the
number of instances on the server to a minimum.
5. Select either Use the Job Server’s defaults or Set the values to be
used at schedule time here.
If you select the first option, BusinessObjects Enterprise will schedule an
object using the Job Server’s default settings. You can change these
settings in the Servers management area. For more information see
“Configuring the destinations for job servers” on page 116.
If you select the second option, you can set the FTP and file name
properties:
• Host
Enter the FTP host information.
• Port
Enter the FTP port number (the default is 21).
• FTP User Name
Specify a user who has the necessary rights to upload an object to
the FTP server.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 483


16 Scheduling Objects
Setting the scheduling options

• FTP Password
Enter the user’s password.
• Account
Enter the FTP account information, if required.
Account is part of the standard FTP protocol, but it is rarely
implemented. Provide the appropriate account only if your FTP
server requires it.
• Destination Directory
Enter the FTP directory that you want the object to be saved to.
• Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to
generate a random file name.
• Specified File Name
Select this option if you want to enter a file name—you can also add
a variable to the file name. To add a variable, choose a placeholder
for a variable property from the list and click Add.
6. Click Update.

Email (SMTP) support


With Simple Mail Transfer Protocol (SMTP) mail support, you can choose to
send the instances of an object, for example, a report instance, to one or more
email destinations. After it has run the object, the system will send a copy of
the output instance as an attachment to the email addresses you specified.
When you select the Email (SMTP) destination, the system will save the
instance to the Output File Repository Server as well as email it to the
specified destinations. BusinessObjects Enterprise supports Multipurpose
Internet Mail Extensions (MIME) encoding.
Note:
• To use a destination, you must have the destination enabled and
configured on the job servers. See “Configuring the destinations for job
servers” on page 116.
• If the object is a Web Intelligence document, you cannot specify Email
(SMTP) as a destination.
To send an object by email
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Schedule tab, then click the Destination link.

484 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Setting the scheduling options 16
The Destination page appears.
3. Select Email (SMTP) from the Destination list.
4. If you want, select the Clean up instance after scheduling option.
When that option is selected, the system automatically deletes the report
or program instance from the Output File Repository Server to keep the
number of instances on the server to a minimum.
5. Select either Use the Job Server’s defaults or Set the values to be
used at schedule time here.
If you select the first option, BusinessObjects Enterprise will schedule an
object using the Job Server’s default settings. You can change these
settings in the Servers management area. For more information, see
“Configuring the destinations for job servers” on page 116.
If you select the second option, you can specify the email settings and
the file name properties:
• From
Enter a return address.
• To
Enter an address or addresses that you wish to send the object to.
Separate multiple addresses with semicolons.
• Cc
Enter an address or addresses that you wish to send a carbon copy
of the object to.
• Subject
Complete the subject field.
• Add placeholder for a variable property
Select Title, ID, Owner, or DateTime, and click Add, to create a
placeholder in the subject for the property that you selected.
• Message
Type a short message, if required.
• Add placeholder for a variable property
Select Title, ID, Owner, DateTime, or Viewer Hyperlink, and click Add
to create a placeholder in the message body for the property that you
selected.
Note: Select Viewer Hyperlink to add the URL for the viewer in
which you want the email recipient to view the object. You can set the
default URL by clicking Object Settings on the main page of the
Objects management area of the CMC.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 485


16 Scheduling Objects
Setting the scheduling options

• Attach object instance to email message


Clear this check box if you do not want a copy of the instance
attached to the email.
• Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to
generate a random file name.
• Specified File Name
Select this option if you want to enter a file name—you can also add
a variable to the file name. To add a variable, choose a placeholder
for a variable property from the list and click Add.
6. Click Update.

Inbox support
When scheduling objects, you can configure objects for output to the inboxes
of users. In this case, the system will save the instance to both the Output File
Repository Server and the inboxes you specified. Instead of sending the
actual file to the inboxes, you can choose to send a shortcut.
Note: To use a destination, you must have the destination enabled and
configured on the job servers. See “Configuring the destinations for job
servers” on page 116.
To send an object to inboxes
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Schedule tab, then click the Destination link.
The Destination tab appears.
3. Select Inbox from the Destination list.
4. If you want, select the Clean up instance after scheduling option.
When that option is selected, the system automatically deletes the report
or program instance from the Output File Repository Server to keep the
number of instances on the server to a minimum.
5. Select the processing option that you want:
• Use the Job Server’s defaults
BusinessObjects Enterprise will schedule the object with the job
server’s default settings. For more information, see “Configuring the
destinations for job servers” on page 116.

486 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Setting the scheduling options 16
• Set the values to be used at schedule time here
BusinessObjects Enterprise will schedule the object with the
parameters you specify.
6. If you selected “Set the values to be used at schedule time here,” set the
parameters for that option, otherwise skip this step:
Send Document as
• Shortcut: The system will send a shortcut to the instance, rather
than send a copy of the instance itself.
• Copy: The system will send a copy of the instance.
Send List
Click Add/Remove, and specify the groups to receive the instance.
Tip:
• Select Add Users to add users to the list.
• Select Remove Users to remove users from the list.
7. Click OK.
8. Click Update.
Choosing a format
You can select the format that the document or report instance will be saved
in when it is generated. This format will be saved to the destination you have
selected. For more information on destinations, see “Selecting a destination”
on page 480. You can select from the following formats:
Web Intelligence document formats
For Web Intelligence documents, you can choose from the following formats:
• Web Intelligence
• Microsoft Excel
• Adobe Acrobat
Desktop Intelligence document formats
For Desktop Intelligence documents, you can choose from the following
formats:
• Desktop Intelligence
• Microsoft Excel
• Adobe Acrobat
Crystal report formats
For Crystal report instances, you can choose from the following formats:
• Crystal Report

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 487


16 Scheduling Objects
Setting the scheduling options

• Microsoft Excel
• Microsoft Excel (Data Only)
• Microsoft Word (RTF)
• Adobe Acrobat
• Rich Text
• Editable Rich Text
• Plain Text
• Paginated Text
• Tab-Separated Text
• Tab-Separated Values
• Character-separated Values
For Excel, Paginated Text, Tab-separated Values, and Character-separated
Values, you specify certain formatting properties for the report. For example, if
you select Character-separated Values, you can enter characters for the
separator and delimiter; you can also select the two check boxes: “Same
number formats as in report” and “Same date formats as in report.”
Note:
• If you choose to print the report when it is scheduled (by checking the
“Print in Crystal Reports format using the selected printer when
scheduling” check box on the Print Setup page), the report instance is
automatically sent to the printer in Crystal Reports format. This does not
conflict with the format you select when scheduling the report.
• The difference between Excel and Excel (Data only) is that Excel
attempts to preserve the look and feel of your original report, while Excel
(Data only) saves only the data, with each cell representing a field.
• The Tab-separated Values format places a tab character between values;
the Character-separated Values format places a specified character
between values. Each of these two formats produce data lists. In
contrast, the Tab-separated Text format attempts to preserve the
formatting of the report.
To select a format for the report
1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. On the Schedule tab, click the Format link.
The Format page appears.
3. Select a format from the Format list.
4. Complete any fields that appear below the list and select (where
appropriate) the check boxes that appear.
5. Click Update.

488 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Setting the scheduling options 16
Selecting cache options for Web Intelligence documents
When the system runs a scheduled Web Intelligence document it stores the the
instance it generates on the Output File Repository Server. In addition, you can
choose to have the system cache the report on the Web Intelligence Report
Server by selecting a cache format for the document. If you don’t select a cache
format, then the system won’t cache the document when it runs the document.
Note: To select a cache option, the format you specified on the Schedule tab
for the object must be Web Intelligence. If you select a different format, the
Cache Options link is disabled for the object.
To select a cache format for Web Intelligence documents
1. In the Objects management area of the CMC, select Web Intelligence
object by clicking its link.
2. On the Schedule tab, click the Caching Options link.
The Caching Options page appears.
3. Select the format you want.
4. Select the locale(s) with which to pre-load the cache.
When you schedule the document, BusinessObjects Enterprise
generates cached versions of the document in the locale(s) that you
specify.
5. Click Update.
Scheduling an object for a user or group
The Schedule For feature allows you to generate reports that contain data for
specific users only. It is intended to be used for either of the following types of
objects:
• Crystal reports that are based on Business Views
• Web Intelligence documents that use Universes
Using the Schedule For feature you can schedule an object and specify for
which users you want the system to run the object. The system will run the
object and generate multiple instances of the report or document. Each
instance will contain data that is relevant to the individual user only.
For example, you can schedule a sales report and on the Schedule For page
you can specify the users names for all your sales representatives. At the
specified time, the system runs the report object and generates the individual
report instances. Each instance would contain sales information for the
individual sales representative only.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 489


16 Scheduling Objects
Managing instances

To change the Schedule For settings for an object


1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. On the Schedule tab, click the Schedule For link.
The Schedule For page appears.

3. Select who you want to schedule the object for.


• Schedule only for myself
• Schedule for specified users and user groups
4. If you selected Schedule for specified users and user groups, click
Add/Remove.
5. Select one or more users or groups and add them to the “Groups to be
added to the scheduling list” by using the arrow buttons.
Tip:
• Select Add Users to add users to the list.
• Select Remove Users to remove users from the list.
6. Click Update.

Managing instances
To view or manage instances, go to the History page for the object. That page
lists the scheduled instances and the output instances for an object:
• Scheduled instances will have a status of Recurring or Pending. The
system has not yet run these instances, and the instances do not contain
any data yet.
• Output instances, that is, actual report or program instances, will have a
status of Success or Failed, which indicate whether they were run
successfully:

490 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Managing instances 16
• A report instance contains actual report data.
• A program instance stores the program’s standard out and standard
error in a text output file.
From the History page, you can also choose to delete, run, pause, and refresh
instances. See “Managing and viewing the history of instances” on page 491.
To manage storage space, it is good practice to limit the number of possible
instances for an object, or to provide a time limit for the instances. See
“Setting instance limits for an object” on page 493.

Managing and viewing the history of instances


The History page displays all of the instances for a selected object. The
Instance Time column displays the title of the instances and the date of the
last update for each instance. The Status column displays the status of each
instance. The Run By column indicates which user scheduled the instance.
For report objects, the Format column displays which format the report is, or
will be stored in and the Parameters column indicates what parameters were
or will be used for each instance. For program objects, the Arguments column
lists the command-line options that were or will be passed to the command
line interface for each instance.
BusinessObjects Enterprise creates instances from objects. That is, a report
instance is created when a report object is scheduled and run by the Job
Server. Essentially, a report instance is a report object that contains report
data that is retrieved from one or more databases. Each instance contains
data that is current at the time the report is processed. You can view specific
report instances on the History page of the report object.
BusinessObjects Enterprise creates a program instance each time that a
program object is scheduled and run by the Program Job Server. Unlike
report instances, which can be viewed in their completed format, program
instances exist as records in the object history. BusinessObjects Enterprise
stores the program’s standard output and standard error in a text output file.
This file appears when you click a program instance in the object History.
Managing instances includes the following tasks:
• “Viewing an instance” on page 492
• “Pausing or resuming an instance” on page 492
• “Deleting an instance” on page 493
• “Sending an object or instance” on page 422
To manage instances
1. In the Objects management area of the CMC, select an object by clicking
its link.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 491


16 Scheduling Objects
Managing instances

2. Click the History tab.


The History tab appears.
3. Select an instance or instances by selecting the appropriate check boxes.
To select all instances, click the check box in the column heading.
Note: To refresh the list, click Refresh. In this case you don’t need to
select an instance first.
4. Click either Run Now, Pause, Resume, Send to, or Delete.
If you click Run Now, the system schedules the object to be run
immediately. The scheduled job will have a status of Pending.
For information about the Send to button, see “Sending an object or
instance” on page 422.

Viewing an instance
To view an instance
1. Select a object in the Objects management area of the CMC.
2. Click the History tab.
The History page appears.

3. In the Instance Time column, click the instance you want to view.
You can also use the Instance Manager tool to view a list of instances by
status or by user. Access the Instance Manager by clicking its link in the
Administrative Tools area of the BusinessObjects Enterprise
Administration Launchpad.

Pausing or resuming an instance


You can pause and then resume an instance as needed. Pause and resume
can be applied to scheduled instances only (that is, instances that have a
status of Recurring or Pending).

492 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Scheduling Objects
Managing instances 16
For example, if a job server is down for maintenance reasons, you may want
to pause a scheduled instance. This prevents the system from running the
object, and the object from failing because the job server is not running.
When the job server is running again, you can resume the scheduled object.
To pause an instance
1. Go to the History page for an object.
2. Select the check box for the scheduled instance you want to pause.
3. Click Pause.
To resume a paused instance
1. Go to the History page for an object.
2. Select the check box for the scheduled instance you want to resume.
3. Click Resume.

Deleting an instance
You can delete instances from an object as needed. You can delete both
scheduled instances, which have a status of recurring or pending, and report
or program instances, which have a status of success of failed.
To delete an instance
1. Go to the History page for an object.
2. Select the check box for the instance or instances you want to delete.
3. Click Delete.

Setting instance limits for an object


In the Limits page, you can set the limits for the selected object and its
instances. You set limits to automate regular clean-ups of old
BusinessObjects Enterprise content. At the object level, you can limit the
number of instances that remain on the system for the object or for each user
or group; you can also limit the number of days that an instance remains on
the system for a user or group.
In addition to setting the limits for the objects from the Objects management
area, you can also set limits at the folder level. When you set limits at the
folder level, these limits will be in effect for all objects that reside within the
folder (including any objects found within the subfolders). For information on
setting folder limits, see “Setting limits for folders, users, and groups” on
page 339.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 493


16 Scheduling Objects
Managing instances

Note: When you set the limits at the object level, the object limits will override
the limits set for the folder; that is, the object will not inherit the limits of the
folder.
To set limits for instances
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. On the History tab, click the Limits link.
The Limits page appears.

3. Make your settings according to the types of limits you want to set for
your instances. The options are as follows:
• Delete excess instances when there are more than N instances
of an object
To limit the number of instances per object, select this check box.
Then, type the maximum number of instances that you want to
remain on the system. (The default value is 100.)
• Delete excess instances for the following users/groups
To limit the number of instances for users or groups, click Add/
Remove in this area. Select from the available users and groups and
click OK. Then, type the maximum number of instances in the
Instance Limit column. (The default value is 100.)
• Delete instances after N days for the following users/groups
To limit the number of days that instances are saved for users or
groups, click Add/Remove in this area. Select from the available
users and groups and click OK. Then, type the maximum age of
instances in the Maximum Days column. (The default value is 100.)
4. Click Update.

494 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Calendars

chapter
17 Managing Calendars
Overview

Overview
Calendars make it easy for you to schedule complex recurring jobs efficiently.
A calendar is a customized list of run dates for scheduled jobs. When users
schedule objects, they can use a calendar to run the job on a predefined set
of dates. By providing calendars for your users, you can create more complex
processing schedules than you can with the standard scheduling options.
Calendars are particularly useful when you want to run a recurring job on an
irregular schedule, or if you want to provide users with sets of regular
scheduling dates to choose from. Calendars also allow you to create more
complex processing schedules, combining unique scheduling dates with
recurring ones.
For example, if you want a report object to run every business day except for
your country’s statutory holidays, you can create a calendar with the holidays
marked as “non-run” days, on which the report object cannot be run.
BusinessObjects Enterprise will run the job every day you have specified as a
“run” day in your calendar.
You can set up as many calendars as you want in BusinessObjects
Enterprise. Calendars you create appear in the Calendar selection list
available when you choose to schedule an object using a calendar. When you
apply the calendar to a job, BusinessObjects Enterprise runs the job on the
run dates as scheduled.
You can apply calendars to any object that can be scheduled, including report
objects, program objects, and object packages.
Managing calendars includes:
• “Creating calendars” on page 496
• “Adding dates to a calendar” on page 497
• “Deleting calendars” on page 501
• “Specifying calendar rights” on page 502

Creating calendars
In the Central Management Console (CMC), go to the Calendars
management area to create new calendars and to modify existing calendars.
To create a calendar, you need to provide a name and description. When the
calendar is created, you can add run dates to it using the Dates tab.

496 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Calendars
Adding dates to a calendar 17
Tip: It is good practice to create a calendar for users to use as a template for
creating new calendars. They can copy this template calendar and modify it
as necessary. For example, you can create a default Weekdays calendar that
includes all days as run dates except weekends and company holidays.
To create a calendar
1. Go to the Calendars management area of the CMC.
2. Click New Calendar.
3. On the Properties tab, type a name and description for the new calendar.
This example creates a calendar for Canadian employees that schedules
an object on all weekdays except statutory Canadian holidays.

4. Click OK.
The new calendar is added to the system, and its Properties tab is
refreshed. You can now use the Dates tab to add run dates to this
calendar. For details, see “Adding dates to a calendar” on page 497.

Adding dates to a calendar


You can add dates to a calendar using a number of different formats. You can
choose specific dates using a yearly, quarterly, or monthly view of the
calendar, or you can choose recurring dates using general formats based on
the day of the month or week. See “Recurring dates” on page 500.
To add dates to a calendar
1. Go to the Calendars management area of the CMC.
2. Click the link for the calendar you want to change.
3. Click the Dates tab.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 497


17 Managing Calendars
Adding dates to a calendar

4. In the “Select a calendar displaying format” list, choose from one of the
five calendar format options:
• Yearly
Yearly displays the calendar’s run dates for the year. To change the
year displayed, you can click the Previous Year and Next Year
buttons. To add a date from the Yearly format, click a month to open
it in Monthly format, where you can add run dates to specific days.
• Quarterly
Quarterly displays the calendar’s run dates for the current calendar
quarter. You can change the displayed quarter using the Previous
Quarter and Next Quarter buttons. To add a date from the Quarterly
format, click a month to open it in Monthly format, where you can add
run dates to specific days.
• Monthly
Monthly displays the calendar’s run dates for the current month. You
can change the displayed month using the Previous Month and Next
Month buttons.
• Generic Monthly, by Day of Week
Generic Monthly, by Day of Week allows you to add general
recurring dates based on the day of the week. The dates are applied
to the months specified between the Start and End Dates. Week 1
starts on the Sunday of the week of the Start Date you specify. Note
that this format does not display the currently selected dates from the
calendar; it only allows you to add new dates and update the
schedule.
• Generic Monthly, by Day of Month
Generic Monthly, by Day of Month allows you to add general
recurring dates based on the day of the month. The dates are
applied to the months specified between the Start and End Dates.
This format allows you to add new dates and update the schedule; it
does not display currently selected dates from the calendar.
See also “Specific dates” on page 499 and “Recurring dates” on
page 500.
5. Click the days of the month that you want to include as run days for the
calendar.
To remove a run day, click the day again.
Tip: For the Monthly and Generic Monthly, by Day of Week formats, you
can select multiple dates at once by clicking the row or column headings.
6. To add the new dates to the calendar, click Update.

498 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Calendars
Adding dates to a calendar 17
If you added dates using a generic format, the Yearly format will
automatically appear, displaying the new dates.
Note: When you change an existing calendar, BusinessObjects
Enterprise checks all currently scheduled instances in your system.
Objects that use the edited calendar are automatically updated to run on
the revised date schedule.
Specific dates
To add a specific date to a calendar, use the Yearly, Quarterly, and Monthly
formats to add dates to the calendars.
The Yearly format displays the run schedule for the entire year. The Quarterly
format displays the run dates for the current quarter. You can also view the
Monthly format for the calendar, which displays the run dates for the current
month. In all three formats, you can change the displayed time range by
clicking the previous and next buttons.
You can add specific dates in the Monthly calendar format. To add dates for
the Yearly and Quarterly calendar formats, click a month to open it in the
Monthly format, where you can select specific days as run dates.

For example, if your company ships products according to an irregular


schedule that cannot be defined using the daily or weekly settings, you can
create a list of these dates in a “Shipping dates” calendar. The Shipping
department can now check the inventory after each shipment by scheduling a
report that uses the calendar to run at the end of each shipping day.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 499


17 Managing Calendars
Adding dates to a calendar

Recurring dates
To create a recurring pattern of monthly run dates, use the generic Monthly
formats. You can add the generic dates based on the day of the week or the
day of the month. To view existing run dates, you must use the Yearly,
Quarterly, or Monthly format; the generic formats are used to add dates to the
calendar.
Although you can set a recurring schedule using the standard scheduling
options, calendars allow you to specify several different recurring run patterns
at once. You can also run instances on dates that do not follow the pattern by
adding individual days to a calendar.
For example, to schedule a report object to run on the first four days of every
month, and on the second and fourth Friday of every month, first create a new
calendar object and name it. Then, use the Generic Monthly, by Day of Month
format to add the first four days of the month to this calendar. When you
update the calendar, the Yearly format appears with the new run dates.

To add every second and fourth Friday to the calendar, use the Generic
Monthly, by Day of Week format.

500 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Calendars
Deleting calendars 17

Deleting calendars
When you delete a calendar, any objects that are scheduled according to the
deleted calendar will be run one more time by the system. After that, the
system won’t be able to schedule the objects again, because the calendar no
longer exists. To ensure the objects continue to be run, change the
scheduling information for the objects either by selecting a different calendar
or a different recurrence pattern. See “Scheduling objects” on page 464.
To delete a calendar
1. Go to the Calendars management area of the CMC.
2. Select the check box associated with the calendar you want to delete.
Tip: Select multiple check boxes to delete several calendars.
3. Click Delete, and click OK to confirm.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 501


17 Managing Calendars
Specifying calendar rights

Specifying calendar rights


You can grant or deny users and groups access to calendars. Depending how
you organize your calendars, you may have specific sets of dates that you
want to be available only for certain employees or departments. For example,
your finance team may use a series of financial tracking dates that aren’t
useful for other departments. Users will be able to see only the calendars they
have the rights to see, so you can use rights to hide calendars that aren’t
applicable to a particular group.
Follow this procedure to change the rights for a calendar. By default,
calendars are based on current security settings, inheriting rights from the
users’ parent folders.
To grant access to a calendar
1. Go to the Calendars management area of the CMC.
2. Select the calendar you want to grant access to.
3. Click the Rights tab.
4. Click Add/Remove to add users or groups that you want to give access
to the selected calendar.
The Add/Remove page appears.
5. In the Select Operation list, select Add/Remove Groups, Add Users,
or Remove Users.
6. Select the user or group you want to grant access to the specified
calendar.
If you have many users on your system, select the Add Users operation;
then use the “Look for” field to search for a particular account.
7. Click OK.
8. On the Rights tab, change the Access Level for each user or group, as
required.
9. To choose specific rights, choose Advanced.
For complete details on the predefined access levels and advanced
rights, see the BusinessObjects Enterprise Administrator’s Reference
Guide.
10. Click Update.

502 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Events

chapter
18 Managing Events
Managing events overview

Managing events overview


Event-based scheduling provides you with additional control over scheduling
objects: you can set up events so that objects are processed only after a
specified event occurs. Working with events consists of two steps: creating an
event and scheduling an object with events. That is, once you create an
event, you can select it as a dependency when you schedule an object. The
scheduled job is then processed only when the event occurs. This chapter
shows how to create events in the Events management area of the Central
Management Console (CMC).
You can create three kinds of events:
• File events
When you define a file-based event, you specify a filename that the
Event Server should monitor for a particular file. When the file appears,
the Event Server triggers the event. For instance, you might want to
make some reports dependent upon the regular file output of other
programs or scripts.
For details, see “File-based events” on page 505.
• Schedule events
When you define a schedule-based event, you select an object whose
existing recurrence schedule will serve as the trigger for your event. In
this way, schedule-based events allow you to set up contingencies or
conditions between scheduled objects. For instance, you might want
certain large reports to run sequentially, or you might want a particular
sales summary report to run only when a detailed sales report runs
successfully.
For details, see “Schedule-based events” on page 506.
• Custom events
When you create a custom event, you create a shortcut for triggering an
event manually. Basically, your custom event occurs only when you or
another administrator clicks the corresponding “Trigger this event” button
in the CMC.
For details, see “Custom events” on page 508.

504 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Events
File-based events 18
When working with events, keep in mind that an object’s recurrence schedule
still determines how frequently the object runs. For instance, a daily report
that is dependent upon a file-based event will run, at most, once a day (so
long as the file that you specify appears every day). In addition, the event
must occur within the time frame established when you actually schedule the
event-based report.
Note: For information on scheduling an event-based object in the Objects
management area of the CMC, see “Scheduling an object with events” on
page 471.

File-based events
File-based events wait for a particular file (the trigger) to appear before the
event occurs. Before scheduling an object that waits for a file-based event to
occur, you must first create the file-based event in the Events management
area of the CMC. Then, you can schedule the object and select this event.
For more information on scheduling an object with events, see “Scheduling
an object with events” on page 471.
File-based events are monitored by the Event Server. When the file that you
specify appears, the Event Server triggers the event. The Central
Management Server (CMS) then releases any schedule requests that are
dependent on the event.
For instance, suppose that you want your daily reports to run after your
database analysis program has finished and written its automatic log file. To
do this, you specify the log file in your file-based event, and then schedule
your daily reports with this event as a dependency. When the log file appears,
the event is triggered and the reports are processed.
Note: If the file already exists prior to the creation of the event, the event is
not triggered. In this case, the event is triggered only when the file is removed
and then recreated. If you want an event to be triggered multiple times, you
must remove and recreate the file each time.
To create a file-based event
1. Go to the Events management area of the CMC.
2. Click New Event.
The New Event page appears.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 505


18 Managing Events
Schedule-based events

3. In the Type list, select File.


4. Type a name for the event in the Event Name field.
5. Complete the Description field.
6. In the Server list, select the Event Server that will monitor the specified
file.
7. Type a filename in the Filename field.
Note: Type the absolute path to the file that the Event Server should look
for (for example, C:\folder\filename, or /home/folder/filename).
The drive and directory that you specify must be visible to the Event
Server. Ideally, the directory should be on a local drive.
8. Click OK.

Schedule-based events
Schedule-based events are dependent upon scheduled objects. That is, a
schedule-based event is triggered when a particular object has been
processed. When you create this type of event, it can be based on the
success or failure of a scheduled object, or it can be based simply on the
completion of the job.
Most importantly, you must associate your schedule-based event with at least
two scheduled objects. The first object serves as the trigger for the event:
when the object is processed, the event occurs. The second object is

506 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Events
Schedule-based events 18
dependent upon the event: when the event occurs, this second object runs.
For more information on scheduling objects with events, see “Scheduling an
object with events” on page 471.
For instance, suppose that you want report objects R1 and R2 to run after
program object P1 runs. To do this, you create a schedule-based event in the
Events management area. You specify the “Success” option for the event,
which means that the event is triggered only when program P1 runs
successfully. Then, you schedule reports R1 and R2 with events, and select
your new schedule-based event as the dependency. Schedule program P1
with events, and set program P1 to trigger the schedule-based event upon
successful completion. Now, when program P1 runs successfully, the
schedule-based event is triggered, and reports R1 and R2 are subsequently
processed.
To create a schedule-based event
1. Go to the Events management area of the CMC.
2. Click New Event.
The New Event page appears.

3. In the Type list, select Schedule.


4. Type a name for the event in the Event Name field.
5. Complete the Description field.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 507


18 Managing Events
Custom events

6. In the “Event based on” area, select from three options:


• Success
The event is triggered only upon successful completion of a specified
object.
• Failure
The event is triggered only upon non-successful completion of a
specified object.
• Success or Failure
The event is triggered upon completion of a specified object,
regardless of whether that object was processed successfully or not.
7. Click OK.

Custom events
A custom event occurs only when you explicitly click its “Trigger this event”
button. As with all other events, an object based on a custom event runs only
when the event is triggered within the time frame established by the object’s
schedule parameters. Custom events are useful because they allow you to
set up a shortcut that, when clicked, triggers any dependent schedule
requests.
Tip: When developing your own web applications, you can trigger Custom
events from within your own code, as required. For more information, see the
developer documentation available on your product CD.
For instance, you may have a scenario where you want to schedule a number
of reports, but you want to run them after you have updated information in
your database. To do this, create a new custom event, and schedule the
reports with that event. When you update the data in the database and you
need to run the reports, return to the event in the CMC and trigger it manually.
BusinessObjects Enterprise then runs the reports. For more information on
event-based scheduling, see “Scheduling an object with events” on page 471.
Note: You can trigger a custom event multiple times. For example, you might
schedule two sets of event-based program objects to run daily—one set runs
in the morning, and one set runs in the afternoon. When you first trigger the
related custom event in the morning, one set of programs is run; when you
trigger the event again in the afternoon, the remaining set of programs is run.
If you neglect to trigger the event in the morning and trigger it only in the
afternoon, both sets of programs run at that time.

508 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Events
Specifying event rights 18
To create a custom event
1. Go to the Events management area of the CMC.
2. Click New Event.
3. In the Type list, select Custom.
4. Type a name for the event in the Event Name field.
5. Complete the Description field.
6. Click OK.
Note: Before you trigger this custom event, schedule an object that is
dependent upon this event.
To trigger a custom event
1. Go to the Events management area of the CMC.
2. In the Event Name column, select a custom event by clicking its link.
3. Click Trigger this event.
A message appears: “This event has been triggered.”

Specifying event rights


You can grant or deny users and groups access to events. Depending how
you organize your events, you may have specific events that you want to be
available only for certain employees or departments. For example, you may
want certain events to be triggered only by management or IT.
Users will only be able to see events they have the rights to see, so you can
use rights to hide events that aren’t applicable to a particular group. For
example, by granting only the ITadmin group access to IT-related events,
those events won’t appear for a user from the HRadmin group; this makes the
event list easier for the HRadmin group to navigate.
Follow this procedure to change the rights for an event. By default, events are
based on current security settings, inheriting rights from the users’ parent
folders.
To grant access to an event
1. Go to the Events management area of the CMC.
2. Select the event you want to grant access to.
3. Click Rights.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 509


18 Managing Events
Specifying event rights

4. Click Add/Remove to add users or groups that you want to give access
to the event.
The Add/Remove page appears.
5. In the Select Operation list, select Add/Remove Groups, Add Users,
or Remove Users.
6. Select the user or group you want to grant access to the specified event.
7. If you have many users on your system, select the Add Users operation;
then use the “Look For” field to search for a particular account.
8. Click OK.
9. Change the Access Level for each user or group, as required.
Tip: To choose specific rights, select Advanced in the Access Level
column, and click Advanced in the Net Access column.
For complete details on the predefined access levels and advanced
rights, see the “Rights and Access Levels” chapter of the
BusinessObjects Enterprise Administrator’s Reference Guide.
10. Click Update.

510 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Profiles

chapter
19 Managing Profiles
What are profiles?

What are profiles?


Profiles are used in conjunction with publications to personalize the content
that users see when Desktop Intelligence documents are published using
single-pass report bursting. Profiles link users and groups to profile values,
which are values used to personalize data within a Desktop Intelligence
document. Profiles also include profile targets, which describe how a profile is
applied to a report. By assigning different profile values, the data within a
report can be tailored to specific users or groups.
Using profiles, you can schedule a publication (based on a Desktop
Intelligence document) once, and deliver many different personalized
versions of the report to your users (known as single-pass report bursting in
earlier versions of BusinessObjects).
For example, you could use a profile to associate regional class information
with users and groups, or you could combine the regional information with a
profile that provides details about the user’s status within the company.
To use a profile in the Publisher, you need to decide what level of
personalization you need and then create the profile in the Central
Management Console and assign it to users and groups. When you schedule
and distribute personalized documents through publications, the profile will
control what information your users see. For more information about the
Publisher, see the BusinessObjects Publisher guide.
Note: Profiles do not control users’ access to data. Profiles are used to refine
a document’s content, or filter it. When you use profiles to display a subset of
the data to a user, it is not the same as restricting the user from seeing that
data. If users have the appropriate rights, they can still see the complete data
for the document by viewing the instance in the InfoView. Profiles filter the
view of the data; they do not change or secure the data being queried from
the data source. For information about controlling user access, see
“Controlling User Access” on page 291.

Creating profiles
You create profiles in the Central Management Console.
To create a profile
1. Go to the Profiles management area of the CMC.
2. Click New Profile.
The New Profile page appears.
3. Type a name for the profile in the Profile Name field.

512 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Profiles
Personalizing data with profile targets 19
4. Complete the Description field.
5. Click OK.
You can now use the profile to perform the following tasks:
• Use profile targets to personalize the data on the universe and class
level. For more information, see “Personalizing data with profile
targets” on page 513.
• Use profile values to personalize the data on the user and group
level. For more information, see “Personalizing data for users and
groups” on page 514.
• Set rights on profiles. For more information, see “Specifying profile
rights” on page 515.

Personalizing data with profile targets


Profile targets describe how a profile will be applied to a publication by linking
the profile to an object within a universe that can be filtered to provide
personalization. You can also link a profile to a variable within a report when
creating a publication. For more information, see the BusinessObjects
Enterprise Publisher guide.
In the Central Management Console, you can choose profile targets for a
profile from the Profiles management area. You can then choose the
appropriate universe and specify the class and object that you want to use to
provide a personal view of the document.
Profile targets are especially useful when you want to personalize the data for
all users. Profile targets specify a subset of the data on the object level. If you
want to personalize content for each individual, you need to specify values for
each user or group on the Profile Values tab. For more information, see
“Personalizing data for users and groups” on page 514.
Note: You can also assign profile targets in the Publisher. For more
information, see the BusinessObjects Enterprise Publisher guide.
To specify a profile target for the profile
1. Go to the Profiles management area of the CMC, and click the profile
you want.
2. Click the Profile Targets tab.
3. Click New.
4. Choose the universe that you want the profile to be associated with.
Tip: If there are many folders on your system, you can use the drop-
down list and the Show Subfolders button to browse the folder hierarchy.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 513


19 Managing Profiles
Personalizing data for users and groups

5. To display only data from a specific object value, provide its class name in
the Class Name text box.
Note: The field is case-sensitive.
6. In the Object Name text box, type the value that you want.
Note: The value is case-sensitive.
7. Click OK.

Personalizing data for users and groups


By assigning a profile to a user or group, you associate a data restriction
detailed as a profile value to a user or group. The profile’s targets determine
which object will be filtered in order to generate the required personalization.
For example, you could assign a profile to Tony, the manager of the Mexico
City office, that uses profile values to personalize his documents to display
only data for Mexico. If you set this value as a profile value, all users would
see a personalized view that displayed only data for Mexico. Using profile
values, you can specify a unique value for each user and group.
Note: If you assign profile values to both users and groups, note that
inheritance works the same way for profiles as it does for security settings.
For more information, see the “Controlling User Access” on page 291.
To specify a profile value for a user or group
1. Go to the Profiles management area of the CMC.
2. Click the profile that you want to assign to a user or group.
3. Click the Profile Values tab.
4. Click New Value.
The New Profile Value page appears.
5. Select the users or groups that you want.
6. In the Profile Value text box, provide the value that you want to assign to
the selected users.
Note: The value must be specified as a valid Business Objects formula
that can be applied to an object within a report. For example, =”Mexico”
or InList(“North”,”South”).
7. Click OK.
The user or group and the associated values appear in the Profile Value
list.

514 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Profiles
Resolving conflicts between profiles 19
Resolving conflicts between profiles
You may encounter conflicts between profiles when users and groups have
been assigned multiple profiles either directly or through inheritance. If a
document is delivered to a user that has two profiles that conflict, the
difference must be resolved.
For example, Tony is a manager in the Mexico office. He is assigned a profile
called North America that personalizes his documents to show only data from
Canada, Mexico, and the United States. The Managers group is assigned a
different Management profile that personalizes the data to display data from
all countries where you have sales offices.
If a document uses both of these profiles, which data will Tony see? According
to one profile, he’ll see data for all countries with sales offices. According to
the other profile, he should see only data for North American countries.
BusinessObjects Enterprise can resolves these conflict two ways:
• Tree Walk - BusinessObjects Enterprise determines the different
possible views of a publication that could be delivered and produces a
unique view for each case. Determining these possible views is called
walking the tree, a metaphor for following the many possible branches of
the data. In the example, Tony would receive one publication
personalized to show countries with sales offices, and another
publication that displays North American data.
• Walk and Merge - With this setting, BusinessObjects Enterprise again
determines the different possible branches of the data, but this time the
non-conflicting profiles are merged into other branches of the tree. This
type of profile resolution is designed for role-based security.
You can set the Profile Resolution settings when you define your publications.
After you assign a profile to a document, you can set Advanced Options that
choose between a Tree Walk and a Walk and Merge. For more information,
see the BusinessObjects Enterprise Publisher guide.

Specifying profile rights


You can grant or deny users and groups access to profiles. Depending how
you organize your profiles, you may have specific profiles that you want to be
available only for certain employees or departments.
Users with access to the Central Management Console will only be able to
see profiles they have the rights to see, so you can use rights to hide profiles
that aren’t applicable to a particular group. For example, by granting only the

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 515


19 Managing Profiles
Specifying profile rights

ITadmin group access to IT-related profiles, those profiles won’t appear for a
user from the HRadmin group; this makes the profile list easier for the
HRadmin group to navigate.
Follow this procedure to change the rights for a profile. By default, rights to
profiles are based on current security settings, inheriting rights from the users’
parent folders.
To grant access to a profile
1. Go to the Profiles management area of the CMC.
2. Select the profile you want to grant access to.
3. Click the Rights tab.
4. Click Add/Remove to add the groups or users that you want to have
access to this profile.
The Add/Remove page appears.
5. In the Select Operation list, select Add/Remove Groups, Add Users,
or Remove Users.
The page is refreshed and displays options that depend upon whether
you are working with users or with groups.
6. Select the user/group whose rights you want to specify and click the
arrows to specify whether the user/group does or does not have access
to the profile.
7. Click OK.
8. On the Rights tab, change the Access Level for each user or group, as
required.
9. To choose specific rights, choose Advanced.
Note: For complete details on the predefined access levels and
advanced rights, see the “Rights and Access Levels” chapter of the
BusinessObjects Enterprise Administrator’s Reference Guide.
10. Click Update.

516 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


General Troubleshooting

chapter
20 General Troubleshooting
Troubleshooting overview

Troubleshooting overview
BusinessObjects Enterprise is designed to integrate with a multitude of
different operating systems, web servers, network and firewall configurations,
database servers, and reporting environments. Thus, any troubleshooting
that you may need to undertake will likely reflect the particularities of your
deployment environment. This chapter includes general troubleshooting
steps along with solutions to some specific configuration issues.
In general, consider the following key points when troubleshooting:
• Ensure that client and server machines are running supported operating
systems, database servers, database clients, and appropriate server
software. For details, consult the Platforms.txt file, included with your
product distribution.
• Verify that the problem is reproducible, and take note of the exact steps
that cause the problem to recur.
On Windows, use the sample reports and sample data included with the
product to confirm whether or not the same problem exists.
• Determine whether the problem is isolated to one machine or is occurring
on multiple machines. For instance, if a report fails to run on one
processing server, see if it runs on another.
If the problem is isolated to one machine, pay close attention to any
configuration differences in the two machines, including operating system
versions, patch levels, and general network integration.
• If the problem relates to connectivity or functionality over the Web, check
that BusinessObjects Enterprise is integrated properly with your web
environment. For details, see BusinessObjects Enterprise Installation
Guide and “Web accessibility issues” on page 519.
• If the problem relates to report viewing or report processing, verify your
database connectivity and functionality from each of the affected
machines. Use Crystal Reports to verify that the report can be viewed
properly. If the Job or Page Servers are running on Windows, open the
report in Crystal Reports on the server machine and check that you can
refresh the report against the database. For details, see “Report viewing
and processing issues” on page 521.
• Look for solutions in the documentation included with your product. For
details, see “Documentation resources” on page 519.
• Check out the Business Objects Customer Support technical support
web site for white papers, files and updates, user forums, and Knowledge
Base articles:
http://support.businessobjects.com/

518 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


General Troubleshooting
Documentation resources 20
Documentation resources
The BusinessObjects Enterprise Release Notes are provided in the root
directory of your product distribution, as is the Platforms.txt file. These
documents list supported third-party software along with any known issues or
implementation-specific configuration details.
BusinessObjects Enterprise also includes a number of manuals.
CHM and PDF files are located in the doc directory of your product
distribution. Access the HTML versions from the BusinessObjects Enterprise
Administrator Launchpad, or from within the CMC or InfoView.
Additional Compiled HTML Help (CHM) files are provided with the following
client tools:
• Central Configuration Manager
• Publishing Wizard
• Repository Migration Wizard
• Import Wizard
• Crystal Report Offline Viewer
Press F1 or click Help to launch the online help from within these
applications.

Web accessibility issues


Using an IIS web site other than the default
On Windows, the BusinessObjects Enterprise installation creates virtual
directories on the Internet Information Server (IIS) “Default Web Site.” If you
are using a web site other than the default, you must copy the virtual directory
configuration from the default web site to the web site you are using.
BusinessObjects Enterprise also sets up several application mappings on the
default site. These can be viewed and copied from the default web site to the
web site you are using. Restart the web server once you have made these
changes. For more information, see BusinessObjects Enterprise Installation
Guide.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 519


20 General Troubleshooting
Web accessibility issues

Unable to connect to CMS when logging on to the CMC


If you attempt to log on to the CMC while the Central Management Server
(CMS) is not running, the following error message appears:
Unable to connect to CMS (<servername>) to retrieve cluster
members. Logon can not continue.
Use the CCM to start the CMS. (If the CMS was already started, use the CCM
to restart it.)

Windows NT authentication cannot log you on


When you attempt to log on to the Central Management Console (CMC) or to
InfoView, the following error occurs:
NT Authentication could not log you on. Please make sure your
logon information is correct. If your account is in any
domain other than "DOMAIN NAME" you must enter your user
name as DomainName\UserName.
This error may occur for various reasons. Investigate these common
solutions:
• Ensure that the specified authentication type corresponds to the user
name and password provided on the log on page. To log on with a
Windows NT user name, verify that the authentication type is set to
Windows NT Authentication and not Enterprise.
• Netscape users must provide a valid Windows NT user name in the form
of Domain\User.
• Microsoft Internet Explorer users must provide a valid Windows NT user
name. It must be in the form of Domain\User if the user account does
not reside in the default domain of the CMS.
• If Windows NT Integrated security (NT Challenge/Response) is enabled
in Internet Information Services (IIS) and in the Web Component Adapter
(WCA), then users must use Microsoft Internet Explorer. In addition,
users must log on to the client machine with a valid NT domain user
account before logging on to BusinessObjects Enterprise. Users must log
on to BusinessObjects Enterprise with a valid Windows NT user name. It
must be in the form of Domain\User if the user account does not reside
in the default domain of the CMS.
• The web server and all BusinessObjects Enterprise components must be
running on Windows NT/2000 for Windows NT authentication to work.

520 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


General Troubleshooting
Report viewing and processing issues 20
Report viewing and processing issues
When troubleshooting reports, it is especially useful to determine whether the
problem is isolated to one machine or is occurring on multiple machines. For
instance, if a report fails to run on one processing server, see if it runs on
another.
If the problem is isolated to one machine, pay close attention to any
configuration differences in the two machines, including operating system
versions, patch levels, and general network integration.
In particular, check the database client configurations, the drivers and
versions, and the accounts under which the processing servers are running. If
the reports are based off ODBC data sources, compare the ODBC driver
versions, the DSN configurations, and the versions of the MDAC layer. Check
to see if the Page Server or Job Server is running under an account that has
the appropriate access rights to the report database server. If the report
database server is on a remote machine, change the Page Server or Job
Server to use a valid domain account with enough rights to view or process
the report.
If you follow these steps and the problem persists, contact Business Objects
technical support. Before you call, take note of the database client and
version you are running, the database server version that you are connecting
to, and the driver name and version that you are using to connect.

Troubleshooting reports with Crystal Reports


On Windows, you can install Crystal Reports on all Job Server, Page Server,
and RAS machines in order to speed up the troubleshooting of reports and
database connectivity. In this way, you use Crystal Reports to simulate the
steps that are performed by the BusinessObjects Enterprise processing
servers when a scheduled report is processed, or when a report is viewed on
demand over the Web. By locating the step where Crystal Reports is unable
to open, refresh, or save the report, you may be able to locate the source of
the problem.
Note: The exact steps and menu options may differ, depending on your
version of Crystal Reports.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 521


20 General Troubleshooting
Report viewing and processing issues

To troubleshoot a report
1. Start Crystal Reports on the appropriate machine:
• If the report runs successfully on demand, but fails when scheduled,
start Crystal Reports on the Job Server.
• If the report fails when viewed on demand, but runs successfully
when scheduled, start Crystal Reports on the Page Server.
• If the report fails when viewed on demand with the Advanced
DHTML viewer, start Crystal Reports on the RAS.
• If the report fails in all cases, first complete these troubleshooting
steps on one processing server; then verify whether or not the
problem is resolved on all processing servers. If not, repeat the steps
on a different processing server.
2. Open the report from the CMS.
On the File menu, click Open. Click Enterprise Folders and log on to your
CMS. If you cannot open the report, verify network connectivity between
the server you are working on, the CMS, and the Input File Repository
Server.
3. Test your database connection and authentication.
On the Database menu, click Log On/Off Server. If you cannot log on to
the database server, check the configuration of the database client
software and ensure that the report contains a valid database user name
and password.
4. If the report’s parameters or record selection need to be modified by
BusinessObjects Enterprise users when they schedule or view the report,
change the parameter values or record selection formula accordingly. If
the values are invalid, Crystal Reports will report an error.
5. Verify that the tables used in the report match the tables in the database.
On the File menu, clear the “Save Data with Report” check box. On the
Database menu, click Verify Database. Correct any issues reported by
Crystal Reports, and then save the report.
6. Refresh the report and, if current data is not returned from the database,
check these possible causes:
• If the report fails, ensure that the database credentials provide READ
rights to all tables in the report.
• If the database credentials are valid, the report’s SQL statement is
evaluated at this time. Check the join information. Note any ODBC
errors that are produced.

522 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


General Troubleshooting
Report viewing and processing issues 20
• If the SQL statement is valid, data begins to return to Crystal
Reports. As this happens, the temporary files increase in size. Verify
resource allocation in case the machine is running out of memory or
disk space.
7. Go to the last page of the report.
Crystal Reports will report any errors that it encounters within the report
(such as formulas, subreports, and other objects).
8. Export the report to Crystal Reports format (or any other desired format).
This step ensures that Crystal Reports is able to create temporary files
that are required in order to complete the processing of a report.
9. If the report now refreshes successfully, save it back to the CMS.
10. Close the report.
11. Close Crystal Reports.
12. Repeat the activity that caused the original report to fail: view the report
on demand over the Web, or schedule the report for processing.

Troubleshooting reports and looping database logon prompts


A common issue when viewing reports over the Web is a persistent database
logon prompt that is displayed repeatedly by the user’s browser. Regardless
of the credentials provided by the user, the report will not display. This
problem is typically caused by the configuration of the Page Server or the
Report Application Server (RAS). This section provides a series of
troubleshooting steps that should resolve this problem and others that are
specific to reports and database connectivity.
To troubleshoot reports and looping database logon prompts
1. Verify the report with Crystal Reports.
Use Crystal Reports to verify the report. If you have the Crystal Reports
Designer installed on the Page Server, Job Server, or RAS machine, test
database connectivity by opening the report in Crystal Reports on the
server. For details, see “Troubleshooting reports with Crystal Reports” on
page 521.
2. Change the server’s logon account.
BusinessObjects Enterprise servers require access to various local and/
or remote resources and to the database server. Experience shows that
running the Page Server, Job Server, RAS, and Web Component Adapter
(WCA) under a Domain Administrator account allows them to access the

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 523


20 General Troubleshooting
Report viewing and processing issues

components necessary to connect successfully to data sources. To


change a server’s logon account, see “Configuring Windows processing
servers for your data source” on page 123.
Tip: Running a background application under an Administrator account
does not inadvertently grant administrative privileges to another user,
because users cannot impersonate services.
3. Verify the server’s access to ODBC Data Source Names (DSNs).
Base reports off System DSNs (and not File or User DSNs), and set up
each System DSN identically on every Job Server, Page Server, and
RAS machine that will process the report.
If the report is based off an ODBC data source, the processing server
must have permission to access the corresponding DSN configuration.
This information is stored in the Windows registry. The Job Server, Page
Server, and RAS require Full Control or Special Access to the ODBC
registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI
Consult your Windows documentation for information about working with
the registry. Additional configuration may be required, depending upon
the database that you are reporting off of. For details, see “Configuring
Windows processing servers for your data source” on page 123.
4. Determine the configuration of the database client software.
If you are not using ODBC, the database client software must be installed
on each machine that will process reports. On Windows, many database
clients store their configuration in the registry below
HKEY_LOCAL_MACHINE.
If your database client stores its configuration below
HKEY_CURRENT_USER, the BusinessObjects Enterprise services cannot
use the database client software to communicate with the database.
5. Verify the NTFS permissions granted to the Job Server, Page Server, and
RAS.
Insufficient NTFS rights on the server may cause a number of problems
to arise when you view reports over the Web. As in step 2, changing each
server’s logon account to that of a Domain Administrator account should
resolve such problems. For the minimum set of NTFS permissions
required by BusinessObjects Enterprise, see the BusinessObjects
Enterprise Administrator’s Reference Guide.
6. Check whether or not NT authentication is performed by the database.
If you report against a database that uses NT authentication for access
control (Microsoft SQL Server, Sybase, and so on), the Job Server, Page
Server, and RAS must run under a Windows NT/2000 domain user

524 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


General Troubleshooting
Report viewing and processing issues 20
account that has access to the appropriate database tables. (In this
scenario, each server’s logon account determines the level of access it is
granted by the database. BusinessObjects Enterprise does not pass end-
users’ NT tokens through to the database server.)
To retain the access control levels that are set up within the database,
you can instead change each ODBC DSN so that it implements SQL
Server Login instead of NT authentication.
7. Check the available environment variables.
Environment variables are used by the operating system to govern and
manage system files for particular users. On Windows, BusinessObjects
Enterprise servers are generally most affected by the TMP and TEMP
environment variables. Because the servers are run as services, they
cannot access the User Environment variables that are created by
default. Therefore, it is recommended that you create System
Environment variables if they do not already exist. Consult your Windows
documentation for details.
8. Reference remote data sources with UNC paths.
Ensure that servers have access to remote databases through UNC
paths, instead of through mapped drives. For example, if you design a
report off a PC database that resides on a network drive, ensure that the
report references its data source with the appropriate UNC path. For
details, see “Ensuring that server resources are available on local drives”
on page 526.
9. Ensure that you have enough database client licenses.
If all database client licenses are in use, the BusinessObjects Enterprise
servers are unable to retrieve data from the database.
10. Check that database connections are closed in a timely fashion.
If a database connection is not closed quickly, the database may not
service another request until the connection has been closed. To
decrease the “Minutes Before an Idle Job is Closed” setting, see
“Modifying Page Server performance settings” on page 105.
11. Use multi-threaded database drivers.
Multi-threaded database drivers allow the processing servers to connect
to the database without having to wait for the database to fulfill initial
requests. ODBC connections are typically recommended because they
provide multithreaded connections to the database. However, Crystal
Reports now includes a number of thread-safe native and OLEDB
drivers. A list of these thread-safe drivers is available in the Crystal
Reports Release Notes.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 525


20 General Troubleshooting
Report viewing and processing issues

12. Check for problems with particular data sources.


If your report is based on a Lotus Notes database, you may need to
perform additional configuration. Download the latest instructions from
the Business Objects Customer Support Knowledge Base.
IBM offers several client applications for connecting to DB2. The
recommended client is IBM DB2 Direct Connect, whose ODBC drivers
were written for actual programmatic interaction with products like
BusinessObjects Enterprise. See the Business Objects Customer
Support Knowledge Base for discussions of this and other DB2 clients.
If you encounter problems with any other specific data sources, check the
Knowledge Base for the latest information.

Ensuring that server resources are available on local drives


When the BusinessObjects Enterprise servers are running on Windows,
many can be configured to use specific directories to store files. For example,
you can specify the root directory for each File Repository Server, the
temporary directories for the Cache and Page Servers, or the directory from
which the Job Servers load processing extensions. In all cases, the directory
that you specify must be on a local drive (such as C:\InputFRS or
C:\Cache). Do not use Universal Naming Convention (UNC) paths or
mapped drives.
Although some BusinessObjects Enterprise servers can recognize and use
UNC paths, do not configure the servers to access network resources in this
manner. Use local drives instead, because UNC paths can limit performance
due to limitations in the underlying protocol.
Tip: If your report runs against a PC database that resides on a network
drive, then the report itself must reference its data source through a UNC
path. In this case, the service must run under a domain user account with
network permissions. For details, see “Configuring Windows processing
servers for your data source” on page 123.
Similarly, if you configure a server to use a mapped drive, the server may
appear to function correctly. However, servers cannot access mapped
resources when the machine is restarted. Drives are mapped according to
your user profile when you log on to Windows NT/2000, but, once a drive is
mapped, it is available to the entire operating system. So, when you log on
and map a local or network drive, the mapped drive is accessible to the
LocalSystem account, and hence to the BusinessObjects Enterprise servers
running on the local machine. When you log off the local machine, the servers
may retain access to the mapped drive for some time (Windows will release

526 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


General Troubleshooting
InfoView considerations 20
the drive mapping if no application maintains a persistent connection to the
mapped resource). However, when you restart the local machine, the mapped
drive is not restored until you log back on.
Note: Changing a server’s log on account from the LocalSystem account to a
Windows NT/2000 user account with network privileges will not resolve the
problem, because the servers do not actually log on to the network with that
account. Instead, the servers perform “account impersonation.” This provides
access to some profile-specific resources (such as printers and email
profiles), but not others (such as ODBC User Data Source Names and
mapped drives).

Page Server error when viewing a report


When you attempt to run or preview a report, the following error message
appears:
There are no Page Servers connected to the Cache Server or
all the connected Page Servers are disabled. Please try
to reconnect later. [On Page Server :
<servername>.Cacheserver]
This error indicates that the Page Server is not started and enabled. Use the
CCM to start the Page Server and then enable it. (If the Page Server was
already started and enabled, use the CCM to restart it.)

InfoView considerations
Supporting users in multiple time zones
Avoid granting Schedule access to the default Guest account if you deploy
InfoView for users in different time zones. Instead, ensure that each user who
is allowed to schedule reports has a dedicated account on the system, and
that each user's InfoView preferences include the appropriate time-zone
setting. Dedicated accounts are recommended because the default Guest
account does not allow users to modify account preferences that would affect
other users. For more information about using specific time-zone properties in
your custom web applications, see the BusinessObjects Enterprise SDK
documentation.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 527


20 General Troubleshooting
InfoView considerations

Setting default report destinations


By default, a report's destination that is set in the CMC will be the selected
destination when a report is scheduled in InfoView. A user can also select
alternate destinations in InfoView by updating the Destination option. Note
that the destination set in InfoView applies only to the scheduled instance.
Thus, when a user schedules another instance in InfoView, the destination
that is set in the CMC will be selected, unless the user changes the
Destination option. If the user selects the Default destination setting in
InfoView, reports are processed on the Job Server and sent to the File
Repository Server. The Default destination setting in InfoView is equivalent to
the Default destination setting in the CMC.

528 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Auditing

chapter
21 Managing Auditing
How does auditing work?

How does auditing work?


The Central Management Server (CMS) acts as the system auditor, while
each BusinessObjects Enterprise server that controls actions that you can
monitor is an auditee.
To audit an action in BusinessObjects Enterprise, there are a few steps you
must complete:
• You must configure the auditing database. If you installed Auditor, and
provided the authentication details for your auditing database when you
installed BusinessObjects Enterprise, you have already configured the
auditing database. If you did not install Auditor, you must configure the
auditing database before you can use Auditor. For step by step
instructions, see “Configuring the auditing database” on page 531.
Note: Auditor is installed by default when you install and use a keycode
that authorizes you to Auditor, unless you cleared the “Auditing
Database” check box during the install, or did a custom install and
specifically excluded Auditor.
• You must first determine which server controls that action. To determine
which server controls an action, see “Reference list of auditable actions”
on page 533.
• You must enable auditing of that action in the Servers management area
of the Central Management Console (CMC). For step by step
instructions, see “Enabling auditing of user and system actions” on
page 537.
• You must configure the universe connection. The auditing reports are
written against the Activity universe, this universe connection must be
configured so it can connect to the auditing database. For step by step
instructions, see “Configuring the universe connection” on page 539.
As the auditee, the BusinessObjects Enterprise server will then begin to
record these audit actions in a local log file.
As the auditor, the CMS controls the overall audit process. Each server writes
audit records to a log file local to the server. At regular intervals the CMS
communicates with the auditee servers to request copies of records from the
auditee’s local log files. When the CMS receives these records it writes data
from the log files to the central auditing database.

530 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Auditing
Configuring the auditing database 21
The CMS also controls the synchronization of audit actions that occur on
different machines. Each auditee provides a time stamp for the audit actions
that it records in its log file. To ensure that the time stamps of actions on
different servers are consistent, the CMS periodically broadcasts its system
time to the auditees. The auditees then compare this time to their internal
clocks. If differences exist, they make a correction to the time stamp they
record in their log files for subsequent audit actions.
Once the data is in the auditing database, you can run the sample reports
against the database or design custom reports to suit your own needs.

Configuring the auditing database


If you entered the authentication details for your auditing database when you
installed Auditor, your auditing database is already configured and connected
to your Central Management Server (CMS). If you did not enter the
authentication details for your auditing database when you installed, you must
configure your CMS to connect to an auditing database.
You can use any database server supported for the CMS system database for
your auditing database. See the Platforms.txt file included with your
product distribution for a complete list of tested database software and
version requirements.
If you plan to use MySQL for your auditing database, you will require version
3.51 of the MySQL Connector/ODBC (MyODBC) driver. If you do not already
have this installed, you can download it from the following location:
http://dev.mysql.com/downloads/connector/odbc/3.51.html
It is recommended that you develop a back up strategy for your auditing
database. If necessary, contact your database administrator for more information.
Note:
• The CMS system database and the auditing database are independent. If
you choose, you can use different database software for the CMS system
database and the auditing database, or you can install these databases
on separate servers.
• If you have a CMS cluster, every CMS in the cluster must be connected
to the same auditing database, using the same connection method and
the same connection name. Note that connection names are case
sensitive. (See “Clustering Central Management Servers” on page 86 for
more information on setting up CMS clusters.)

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 531


21 Managing Auditing
Configuring the auditing database

To configure the auditing database on Windows


1. Start the Central Configuration Manager (CCM).
2. Stop the CMS.
3. Click Specify Auditing Data Source.
4. In the Select Database Driver dialog box, specify whether you want to
connect to the new database through SQL Server (ODBC), or through
one of the native drivers.
5. Click OK.
6. The remaining steps depend upon the connection type you selected:
• If you selected ODBC, the Windows “Select Data Source” dialog box
appears. Select the ODBC data source that you want to use as the
auditing database; then click OK. (Click New to configure a new Data
Source Name (DSN).) Use a System DSN, and not a User DSN or
File DSN. By default, server services are configured to run under the
System account, which only recognizes System DSNs.
When prompted, provide your database credentials and click OK.
• If you selected a native driver, you are prompted for your database
Server Name, your Login ID, and your Password. Provide this
information and then click OK.
The SvcMgr dialog box notifies you when the auditing database setup is
complete.
7. Click OK.
8. Start the CMS. When the CMS starts, it will create the auditing database.
Note: You can also configure the auditing database using the Properties
option for the CMS. Stop the CMS, select Properties, and then go to the
Configuration tab. Select “Write server audit information to specified data
source”, and then click Specify.
To configure the auditing database on UNIX
For more information on UNIX scripts, see “UNIX Tools” on page 591.
1. Use ccm.sh to stop the CMS.
2. Run cmsdbsetup.sh.

532 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Auditing
Configuring the auditing database 21
3. Choose the selectaudit option, and then supply the requested
information about your database server.
4. Run serverconfig.sh.
5. Choose the “Modify a server” option.
6. Select the CMS, and enable auditing. Enter the port number of the CMS
when prompted (the default value is 6400).
Use ccm.sh to start the CMS. When the CMS starts, it will create the
auditing database.
Note:
• The CMS acts as both an auditor and as an auditee when you configure it
to audit an action that the CMS itself controls.
• In a CMS cluster, the cluster will nominate one CMS to act as system
auditor. If the machine that is running this CMS fails, another CMS from
the cluster will take over and begin acting as auditor.

Which actions can I audit?


You can audit the actions of individual users of BusinessObjects Enterprise as
they log in and out of the system, access data, or create file-based events.
You can also monitor system actions like the success or failure of scheduled
objects. For each action, BusinessObjects Enterprise records the time of the
action, the name and user group of the user who initiated the action, the
server where it was performed, and a variety of other parameters more fully
documented in “Reference list of auditable actions” on page 533.

Reference list of auditable actions


This section contains the list of the audit actions you can enable in
BusinessObjects Enterprise. It is organized according to the types of actions
that you can audit, to help you find the server where you enable auditing of
these actions.
Note: The list of auditable actions for Desktop Intelligence only apply when
the documents are created and modified from within BusinessObjects
Enterprise.
For more information about the actions that are audited, and the data that is
recorded for each audit action, see the “Auditing database schema reference”
on page 554.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 533


21 Managing Auditing
Configuring the auditing database

User Actions
Actions BusinessObjects
Enterprise Server
Objects An object is created. CMS
An object is deleted.
An object is modified.
Crystal A report has been viewed successfully. Cache Server
reports A report could not be viewed.
A report is opened successfully using: RAS
• the Advanced DHTML viewer.
• a custom application that uses RAS SDK.
A report fails to open.
A report has been created successfully using:
• a custom application that uses the RAS
SDK.
A report fails to be created.
A report is saved successfully (using a custom
application based on the RAS SDK).
A report fails to save using a custom
application based on the RAS API.
Web Get list of universes. Web Intelligence
Intelligence • A user has begun creating a new Web Report Server
documents Intelligence document, which triggers a
request to the server for the list of
available universes.
Save document to repository.
• A user has saved a Web Intelligence
document within BusinessObjects
Enterprise.
Read Document.
• User opens an existing Web Intelligence
document.
Selection of universe.
• A user has selected a universe as they
create a new Web Intelligence document,
or as they edit an existing Web
Intelligence document.

534 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Auditing
Configuring the auditing database 21
Actions BusinessObjects
Enterprise Server
Web Refresh document. Web Intelligence
Intelligence • User manually refreshes a Web Report Server
documents Intelligence document, or the user opens
a Web Intelligence document that is set to
“refresh on open”.
Edit document.
• User enters “Edit document” mode for an
existing Web Intelligence document.
Apply format.
• User applies a formatting change to an
existing Web Intelligence document in a
query panel.
Get page.
• Server renders the pages of a Web
Intelligence document in response to a
user request to display all or part of a
document.
Generate SQL.
• Server generates an SQL query in
response to a user action that requires
data to be retrieved from a database.
Drill out of scope.
• User drills past the scope of the data
currently in memory, and triggers a call to
the database for more data.
List of values.
• A list of values is retrieved from the
database to populate a picklist associated
with a prompt used to filter the data in a
document.
Select prompt.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 535


21 Managing Auditing
Configuring the auditing database

Actions BusinessObjects
Enterprise Server
Desktop A job has been run successfully. Desktop Intelligence
Intelligence • Either a Desktop Intelligence document Job Server
documents has been scheduled or a publication
based of that document has been
scheduled.
A job has failed to run.
A job failed but will try to run again.
Users A concurrent user logon succeeds. CMS
A named user logon succeeds.
A user logon fails.
A user’s password is changed.
User logs off.
Send an A job has been run successfully. Destination Job
object to a (A user has successfully sent an object to a Server
destination destination.)
A job has failed to run.
(An object has failed to be sent to a
destination.)
A job failed but will try to run again.
File-based An event is registered. Event Server
events (Event is created, and registered with system)
An event is updated.
(The name, description, or filename of an event
is modified.)
An event is unregistered.
(Event is removed from system.)

536 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Auditing
Enabling auditing of user and system actions 21
System Actions
Actions BusinessObjects
Enterprise Server
Scheduled A job has been run successfully. Job Servers
objects For example, a scheduled Crystal report or
publication has run successfully.
A job has failed to run.
For example, a scheduled Crystal report or
publication has failed to run.
Tip: To audit every failure of a scheduled Crystal
report, a scheduled program, or a scheduled List of
Values, enable auditing of “A job has failed to run” on
the Job Server, and “Communication with a running
instance is lost.” on the Central Management Server.
A job failed but will try to run again.
Communication with a running instance is lost. CMS
For example, a scheduled Crystal report has failed
to run because communication with the instance
was lost, and the scheduled time for running the
report expired.
Note: You do not need to enable this option to
audit every failure of a scheduled Web Intelligence
document.
File-based An event is triggered. Event Server
events

Enabling auditing of user and system actions


After you determine which BusinessObjects Enterprise server controls the
action, you must enable auditing on the server from the Servers management
area of the Central Management Console (CMC).
If you have multiple BusinessObjects Enterprise servers of a given type, be
sure to enable identical audit actions on every server. This makes sure that
you collect information on all user or system actions in your BusinessObjects
Enterprise system. For example, if you are interested in the total number of
concurrent user logons, enable auditing of concurrent user logons on each of
your Central Management Servers. If you enable auditing on only one Central
Management Server, you will only collect audit information about actions that
occur on that server.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 537


21 Managing Auditing
Enabling auditing of user and system actions

In some special cases you may wish to enable auditing on only one server of
a given type. For example, if you are interested in the success or failure of
only one kind of scheduled report and you have configured your system so
that these reports are processed on one particular Job Server, it is not
necessary to enable auditing on every Job Server in your system. You only
need to enable auditing on the Job Server where the reports are processed.
Note: You must configure the auditing database before you can collect data
on audit actions. See “Configuring the auditing database” on page 531 for
information on how to configure the auditing database.
To enable audit actions
1. Go to the organize Servers area of the CMC.
2. Click the server that controls the action that you wish to audit.
(See the “Reference list of auditable actions” on page 533 to find the
correct server.)
3. Click the Auditing tab.

4. Select the Auditing is enabled check box.


5. Select the audit actions that you wish to record.
6. Ensure that your audit log file is located on a hard drive that has sufficient
space to store the log files. (See “Optimizing system performance while
auditing” on page 542 for information on adjusting the size of log files.)

538 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Auditing
Configuring the universe connection 21
7. Click Update.
Tip:
• To audit every failure of a scheduled Crystal report, a scheduled program,
or a scheduled List of Values, enable auditing of “A job has failed to run”
on the Job Server, and “Communication with a running instance is lost.”
on the Central Management Server.
• Auditing is enabled independently on each server. If you want to audit all
actions of a given type, enable identical audit actions on every server that
supports those actions. Otherwise your audit record will be incomplete.
For example, if you want to track the total number of concurrent logons to
your BusinessObjects Enterprise system, you must enable logging of
concurrent logons on every Central Management Server in your system.

Configuring the universe connection


The auditing reports use the Activity universe. Before you can view these
reports, you must configure the universe connection. This involves two steps:
first you must create a data source for your auditing database, next you must
specify this data source for your universe connection.
To create a data source
1. Go to the Start menu and select Settings >Control Panel.
2. Double-click on Administrative tools.
3. Double-click Data sources.
4. Click the System DSN tab, and then click Add.
5. Select the driver for your auditing database from the list, and then click
Finish.
6. Enter the authentication parameters, the database server name, and your
auditing database name, and then click OK.
7. Click OK.
Tip: You may want to write down the name of your data source as it will be
required when you create or edit the universe connection.
To configure the Activity universe connection
1. Start Designer from the BusinessObjects Enterprise program group.
2. Click on the connections icon in the toolbar.
The Connection List dialog box appears.
3. Click Add, and then click Next.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 539


21 Managing Auditing
Using sample audit reports

4. Expand the database type and the version that corresponds with the your
auditing database.
5. Select the driver or client to use.
6. Enter a name for your connection.
7. Enter the User Name and Password for your connection.
8. Select the Data source name from the list, and then click Next.
9. Click Next on the Perform a Test dialog box.
10. Click Next on the Advanced Parameters dialog box.
11. Click Finish on the Custom Parameters dialog box.
12. Click Finish to exit and finalize your connection.

Using sample audit reports


BusinessObjects Enterprise includes two sets of sample audit reports:
• One set was created using Crystal Reports.
• One set was created using Web Intelligence.
Both sets of reports are available in the collateral folder on your product
distribution in the file auditing.biar.
These sample reports are published to the Auditor folder when you install
BusinessObjects Enterprise with a product keycode which authorizes you to
use Auditor. The Crystal Reports audit reports are available as object
packages with the report sections as individual documents. The Web
Intelligence audit reports are available as Web Intelligence documents with
the report sections as tabs within the documents. Both sets of reports are
based on the Activity universe.
Note: You can also deploy the auditing samples to another node. To do this,
use the Import Wizard to deploy the auditing.biar to the CMS on the node
where you want the reports. For further details, see the Import Wizard help.
If you configured the auditing database when you installed BusinessObjects
Enterprise, you must do these things before using the sample audit reports:
• Enable the auditing of the user and server actions needed to provide data
for the sample reports.
For information on how to enable auditing on servers, see “Enabling
auditing of user and system actions” on page 537.
• Configure the universe connection used for the sample reports.
For procedural details, see “Configuring the universe connection” on
page 539.

540 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Auditing
Controlling synchronization of audit actions 21
If you did not configure the database when you installed BusinessObjects
Enterprise, before you use the reports, you must do these things:
• Configure the auditing database before you use the sample reports.
For information on how to configure the auditing database, see
“Configuring the auditing database” on page 531
• Enable the auditing of the user and server actions needed to provide data
for the sample reports.
For information on how to enable auditing on servers, see “Enabling
auditing of user and system actions” on page 537
• Configure the universe connection used for the sample reports.
For procedural details, see “Configuring the universe connection” on
page 539.
After you enable auditing of the user and server actions, the auditing
database will then begin to be populated with the audit data you specified.
Note: If you have recently enabled auditing, the sample audit reports may
contain little or no data the first time you view them.

Controlling synchronization of audit actions


The CMS controls the synchronization of audit actions that occur on different
machines. The CMS periodically broadcasts its system time to the auditees in
UTC (Coordinated Universal Time). The auditees compare this time to their
internal clocks, and then make the appropriate correction to the time stamp
(in UTC) they record for subsequent audit actions. This correction affects only
the time stamp that the auditee records in its audit log file. The auditee does
not adjust the system time of the machine on which it is running.
By default, the CMS broadcasts its system time every 60 minutes. You can
change the interval using the command-line option
-AuditeeTimeSyncInterval minutes
You can turn off this option by setting minutes to zero. For more information
on the CMS, see the Server Command Lines chapter in the BusinessObjects
Enterprise Administrator’s Reference Guide.
This built-in method of time synchronization will be accurate enough for most
applications. For more accurate and robust time synchronization, configure
the auditee and auditor machines to use an Network Time Protocol (NTP)
client, and then turn off internal synchronization by setting
-AuditeeTimeSyncInterval 0

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 541


21 Managing Auditing
Optimizing system performance while auditing

Tip: If you have a CMS cluster, apply the same command-line options to
each server. Only one CMS in the cluster acts as the auditor. However, if this
CMS fails, another CMS takes over auditing. This CMS will apply its own
command-line options. If these options are different than those of the original
auditor, audit behavior may not be what you expect.

Optimizing system performance while


auditing
Enabling auditing should have minimal effect on the performance of
BusinessObjects Enterprise. However, you can optimize system performance
by fine-tuning these command-line options:
• -AuditInterval minutes, where minutes is between 1 and 15. (The
default value is 5.) The CMS requests audit records from each audited
server every audit interval.
• -AuditBatchSize number, where number is between 50 and 500. (The
default value is 200.) The CMS requests this fixed number of records
from each audited server, every time interval.
• -auditMaxEventsPerFile number (number has a default value of 500
and must be greater than 0). The maximum number of records that an
audited server will store in a single audit log file. When this maximum
value is exceeded, the server opens a new log file.
Note: Log files remain on the audited server until all records have been
requested by the CMS.
Changing each of these options has a different impact on system performance.
For example, increasing the audit interval reduces frequency with which the CMS
writes events to the auditing database. Decreasing the audit batch size decreases
the rate at which records are moved from the audit log files on the audited servers
to the auditing database, thereby increasing the length of time that it takes these
records to get transferred to the central auditing database. Increasing the
maximum number of audit events stored in each audit log file reduces the number
of file open and close operations performed by audited servers.
You can use these options to optimize audit performance to meet your needs.
For example, if you frequently need up-to-date information about audited
actions, you can choose a short audit interval and a large audit batch size. In
this case, all audit records are quickly transferred to the auditing database,
and you can always report accurately on the latest audit actions. However,
choosing these options may have an impact on the performance of
BusinessObjects Enterprise.

542 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Managing Auditing
Optimizing system performance while auditing 21
Alternatively, you may only need to review audit results periodically (weekly,
for example). In this case you can choose to increase the audit interval, and
to decrease the number of audit records in each batch. Choosing these
options minimizes the impact that auditing has on the performance of
BusinessObjects Enterprise. However, depending upon activity levels in your
system, these options can create a backlog of records stored in audit log files.
This backlog is cleared at times of low system activity (such as overnight, or
over a weekend), but means that at times your audit reports may not contain
records of the most recent audit actions.
For more information on changing command-line options, see the “Server
Command Lines” appendix of the BusinessObjects Enterprise Administrator’s
Reference Guide.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 543


21 Managing Auditing
Optimizing system performance while auditing

544 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Auditing Reports

chapter
22 Auditing Reports
Using auditing reports

Using auditing reports


If you are an administrator who wants to view reports from the auditing
database, you have these choices:
• You can use the auditing reports that are included with BusinessObjects
Enterprise.
• You can modify the auditing reports that are included with
BusinessObjects Enterprise.
• You can create your own auditing reports.

Why are reports important?


Auditor includes reports that can answer questions you may have about your
BusinessObjects Enterprise deployment. Each report contains one or more
report sections that focus on a very specific area.

Auditor report names


This section contains the following:
• the list of the report names
• the report sections included with the reports
• the report prompts

Average Number of Users Logged In

Report sections Report prompts


Average Number of Logged In select reporting year
Sessions
Users Logged In select reporting month
Average Number of Users
Logged In

546 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Auditing Reports
Using auditing reports 22
Average Refresh Time

Report sections Report prompts


Average Refresh Time by Name of document
Document
Average Refresh Time by User
Average Refresh Time by
Server

Average Session Duration

Report sections Report prompts


Year choose user
Quarter
Month
Week
Day
Hour

Average Session Duration per Cluster

Report sections Report prompts


Average Session Duration in select reporting timeframe
Minutes over the Period
Average Session Duration in
Minutes per Week
Average Session Duration in
Minutes per Day

Average Session Duration per User

Report sections Report prompts


Average Session Duration in select reporting year
Minutes over the Year

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 547


22 Auditing Reports
Using auditing reports

Report sections Report prompts


Average Session Duration in
Minutes per Month per User
Average Session Duration in
Minutes per Week per User

Cluster Nodes

Report sections Report prompts


Servers in the Cluster None

Document Information Detail

Report sections Report prompts


None select document

Document Scheduling and Viewing Status

Report sections Report prompts


None select start date
select end date

Job Summary

Report sections Report prompts


Jobs per Status
Successful Jobs
Failed Jobs

548 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Auditing Reports
Using auditing reports 22
Jobs per Job Server

Report sections Report prompts


Jobs per Job Server Kind- None
Summary
Jobs per Job Server Kind
Jobs per Job Server

Jobs per User

Report sections Report prompts


Jobs per User - Summary None
Jobs per User
Job Duration per User

Job Servers on the System

Report sections Report prompts


Jobs per User - Summary None
Jobs per User
Job duration per User
Job Failure per User

Last Login for User

Report sections Report prompts


None select user

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 549


22 Auditing Reports
Using auditing reports

Least Accessed Documents

Report sections Report prompts


Least Accessed Documents - None
By times Read
Least Accessed Documents -
By Edits
Least Accessed Documents -
By Refreshes

Most Accessed Documents

Report sections Report prompts


Most Accessed Documents - None
By times Read
Most Accessed Documents -
By Edits
Most Accessed Documents -
By Refreshes

Most Active Users

Report sections Report prompts


Most Active Users by Logins None
Most Active Users by
Refreshes

Most Popular Actions

Report Sections Report Prompts


Most Popular Actions - By Year select year
Most Popular Actions - By select year
Quarter
Most Popular Actions - By select year
Month

550 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Auditing Reports
Using auditing reports 22
Report Sections Report Prompts
Most Popular Actions - By select year
Week
Most Popular Actions - By Day select year

Most Popular Actions per Document

Report sections Report prompts


Most Popular Actions per select document (s)
Document- By User
Most Popular Actions per
Document- By Session
Most Popular Actions per
Document- By Action
Most Popular Actions per
Document- By Month

Number of User Sessions

Report sections Report prompts


None select year(s)

Number of Users in the System


T

Report sections Report prompts


None None

Password Modifications

Report sections Report prompts


Password Modifications - By select start date
Month
Password Modifications - By select end date
Week
Password Modifications - By
Details

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 551


22 Auditing Reports
Using auditing reports

Peak Usage

Report sections Report prompts


Users Login Peaks select year
Session Login Peaks
Number of Action Peaks

Refresh and Edit Activity

Report sections Report prompts


None select user

Rights Modification

Report sections Report prompts


Rights Modification - By User select start date
Rights Modification - By Object select end date

Total Users Logged In by Day

Report sections Report prompts


Total Users Logged In by Day - enter a date
Total Number of Logged In
Users
Total Users Logged In by Day -
Total Number of Logged in
Sessions

User Activity

Report sections Report prompts


User Activity by Month select start date
User Activity by Week select end data
User Activity by Day

552 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Auditing Reports
Viewing sample auditing reports 22
User Activity per Session

Report sections Report prompts


User Activity per Session Per choose user(s)
Cluster
User Activity per Session Per
Session
User Activity per Session Per
Action Name
User Activity per Session Per
Date

Users Who Logged Off Incorrectly

Report sections Report prompts


Statistics
Users Who Logged Off
Incorrectly

Viewing sample auditing reports


To view sample audit reports
1. Log on to InfoView.
2. Expand Public Folders.
3. Select Auditing Reports to display the list of sample audit reports.
4. Open the report you want to view.
• To open a Web Intelligence audit report, click on the report you want
to view.
• To open a Crystal Reports audit report, open the object package, and
then open the report you want to view.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 553


22 Auditing Reports
Creating custom audit reports

Creating custom audit reports


This section contains information to help you understand the auditing
database, the Activity universe and the information it records about audit
actions. With this information, you can use Crystal Reports, Web Intelligence
or Desktop Intelligence to create custom audit reports of user and system
actions.

Auditing database schema reference


The auditing database contains six tables:
• “Audit_Event” on page 554
• “Audit_Detail” on page 555
• “Server_Process” on page 556
• “Detail_Type table” on page 558
• “Event_Type” on page 557
• “Application_Type” on page 557
The following diagram shows the Activity universe which is based on the
auditing database.

Audit_Event
The Auditt_Event table stores one record per action that is audited and
contains general information about each audit event.

554 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Auditing Reports
Creating custom audit reports 22
Field Description
Server_CUID Server process ID.
Combined with the Event_ID to form the primary
key for the Audit_Event table.
Event_ID A unique ID generated by the server to identify the
audit event.
Combined with Server_CUID to form the primary
key for the Audit_Event table.
User_Name Name of user who performed the action.
Start_Timestamp Time for start of action in UTC (Coordinated
Universal Time) to the nearest millisecond. The
time stamp is created by the server recording the
action in its log file, and includes any correction
necessary to synchronize with CMS time.
You may want to correct this time to your local
time zone when creating audit reports.
Duration Duration, in seconds, of the action that is audited.
Event_Type_ID Number that uniquely identifies the type of action
the entry represents.
Foreign key for the Event_Type table.
Object_CUID Info Object ID of object associated with the action.
This number uniquely identifies an object.
Error_Code Field reserved for error codes generated by the
Web Intelligence Report Server.

Audit_Detail
The Audit_Detail table records more details about each audit action
recorded in the Audit_Event table. For example, when a user logon fails,
the reasons for that failure are recorded as audit details.
There may be more than one record in this table for each audit action
recorded in the Audit_Event table.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 555


22 Auditing Reports
Creating custom audit reports

Field Description
Server_CUID Server process ID.
Combined with the Event_ID and the Detail_ID
to form the primary key for the Audit_Detail
table.
Event_ID A unique ID generated by the server to identify the
audit event.
Combined with Server_CUID and the Detail_ID
to form the primary key for the Audit_Detail
table.
Detail_ID The Detail_ID field is used to number the
individual details associated with each audit
action. That is, if there are two details associated
with a particular audit action, the first will have a
Detail_ID of 1, and the second will have a
Detail_ID of 2.
Detail_Type_ID Number that uniquely identifies the type of detail
about the audit action that the entry represents.
Foreign key for the Detail_Type table.
Detail_Text Information about the audit detail being recorded.
For example, if the Detail_Type_Description
were “universe name”, the detail text would
contain the name of that universe.

Server_Process
The Server_Process table contains information about the servers running
within your BusinessObjects Enterprise system which can generate audit
events.

Field Description
Server_CUID Server process ID.
Primary key for the Server_Process table.
Server_Name Machine name of the server that produced the
action. That is, the host name.
Application_Type_ID A unique ID that identifies the type of application
that generated the audit action.
Foreign key to the Application_Type table.

556 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Auditing Reports
Creating custom audit reports 22
Field Description
Server_FullName Friendly name of the server that produced the
action. The server’s friendly name is the name
displayed in the CMC. The default friendly name is
hostname.servertype.
Server_Version Version of BusinessObjects Enterprise on server
that produced the action.

Event_Type
The Event_Type table contains a static list of the kinds of events that can be
audited in your BusinessObjects Enterprise system. This table provides
information roughly equivalent to that provided by AuditIDs and AuditStrings
in Crystal Enterprise

Field Description
Event_Type_ID Number that uniquely identifies the type of
audit event that the entry represents.
Event_Type_Description Description of the type of audit event.

Application_Type
The Application_Type table contains a static list of the applications that
can produce audit events. In BusinessObjects Enterprise XI, the applications
that can be audited are servers.

Field Name Description


Application_Type_ID A unique ID that identifies the type of
application that generated the audit
action.
Application_Type_Description The description of the application
generating the audit event.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 557


22 Auditing Reports
Creating custom audit reports

Detail_Type table
The Detail_Type table contains a static list of the standard details that can
be recorded about audited events. For example, a user logon can fail for a
number of different reasons. These reasons are listed as entries in the
Detail_Type table.
The information in the Detail_Type table is equivalent to the information that
was recorded in variable AuditStrings in Crystal Enterprise 10.

Field Description
Detail_Type_ID Number that uniquely identifies the type of
audit detail that the entry represents.
Detail_Type_Description The description of the type of audit detail
generated by the audit event.

Event_Type table reference


The following tables list the Event_Type_ID and
Event_Type_Description of all events that can be audited in your system.
For your convenience, these events are ordered according to the server that
generates each type of event.
CMS audit events

Event_Type_ ID Event_Type_Description Description


65537 Concurrent user logon The user logged on
succeeded. successfully, using a
concurrent user license.
65538 Named user logon The user logged on
succeeded. successfully, using a named
user license.
65540 User logged off.
65541 User password has been
changed.
65539 User logon failed. Logon failed because there
was no valid license key
available.

558 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Auditing Reports
Creating custom audit reports 22
Event_Type_ ID Event_Type_Description Description
65542 New folder created. A new folder is created, or
an existing folder is copied.
Note that this audit string will
not be recorded when a new
user account is created,
even though creating a user
creates a user folder.
65543 Folder deleted. A folder is deleted.
Note that this audit string will
be recorded when a user
account (and therefore the
user’s folder) is deleted.
65544 Folder modified. The name, location, or
description of the folder was
changed.
65545 Job failed. Reason: A scheduled report or
Unresponsive Job Server scheduled program failed to
Child process. run because communication
with the running instance
was lost, and the scheduled
time for running the job
expired.
Note: This action must be
audited by the CMS as Job
Servers are not aware of
losing communications with a
job.

Cache Server audit events

Event_Type_ ID Event_Type_Description Description


196609 Crystal report viewed User successfully viewed a
successfully. Crystal report that has
saved or live data.
196610 A report could not be User attempted to view a
viewed. Crystal report, but was not
successful.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 559


22 Auditing Reports
Creating custom audit reports

Job Server audit events


For scheduled objects, the audit messages give you information about the
status of scheduled actions. For example, the audit messages can tell you if a
scheduled report ran successfully.
For the Destination Job Server, the audit messages give you information on
whether an object was sent to a destination, as requested by a user.

Event_Type Event_Type_Description Description


_ ID
327681 Job successful. The object ran as scheduled
(or requested) and the job
completed successfully.
327682 Job failed. The scheduled job did not
complete successfully.
327683 Job failed. Job will be The scheduled job did not
retried by the CMS. complete successfully. The job
will be retried by the CMS at a
later time.
For more information on
scheduling jobs, see
“Scheduling Objects” on
page 463.

Event Server audit events

Event_Type_ ID Event_Type_Description Description


262145 Event registered User creates a file-based
event that can be used to
schedule objects.
262146 Event unregistered User deletes a file-based
event.
262147 Event updated Event object was modified
by a user, or by the system.
Events are updated when a
user modifies the name or
description of the file-based
event.
262148 Event triggered File-based event was
initiated.

560 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Auditing Reports
Creating custom audit reports 22
Application_Type table reference

Application_Type_ID Application_Type_Description
1 Unknown Application
8 Web Intelligence Report Server
11 Central Management Server
(CMS)
12 Cache Server
13 Report Job Server
14 Report Application Server (RAS)
15 Event Server
16 Program Job Server
18 Destination Job Server
19 Web Intelligence Job Server

Report Application Server audit events


The Report Application Server (RAS) is used to view reports opened with the
Advanced DHTML viewer, and to create reports using custom applications
developed with the RAS SDK.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 561


22 Auditing Reports
Creating custom audit reports

Event_Type_ ID Event_Type_Description Description


458753 Report was opened for User opened a report for
viewing and/or modification viewing or modification.
Note: In a few cases, this
Event_Type_ID may be
generated when the report
opens but cannot be
viewed. This may occur
when:
• There are problems
with the database setup
for the report. For
example, you may see
this message when the
database driver for the
report is not present on
the client machine
• A processing extension
associated with the
report aborts viewing, or
fails.
• The report used
Business Views and the
user did not have
permissions to refresh
the underlying data
connections.
• The machine running
the RAS ran out of
space in its temporary
directory.
458754 Report was saved to the An existing report was
CMS. saved.
Note: This
Event_Type_ID is
generated when a custom
application created using
the RAS SDK saves a report
(using the Save method).
Consult your RAS SDK
documentation for details.

562 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Auditing Reports
Creating custom audit reports 22
Event_Type_ ID Event_Type_Description Description
458755 Report was created and A new report was created
saved to the CMS and saved.
This Event_Type_ID is
generated when a custom
application created using
the RAS SDK saves a new
report (using the Save As
method). Consult your RAS
SDK documentation for
details.
458756 Report could not be The report could not be
opened. opened by the RAS.
458757 Report could not be saved An existing report could not
to the CMS. be saved by RAS.
This Event_Type_ID is
generated when a custom
application created using
the RAS SDK cannot save
a new report (using the
Save As method). Consult
your RAS SDK
documentation for details.
458758 Report could not be A newly created report
created in the CMS. could not be saved by RAS.

Web Intelligence Report Server audit events

Event_Type_ ID Event_Type_Description Description


6 Get list of universes User accesses a list of
universes as part of a
document creation workflow.
9 Save document to User saves a Web
repository Intelligence document to
BusinessObjects Enterprise.
11 Read document User opens an existing Web
Intelligence document.
13 Selection of universe User selects a universe as
part of a document creation
workflow. This event occurs
when a user opens the query
panel.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 563


22 Auditing Reports
Creating custom audit reports

Event_Type_ ID Event_Type_Description Description


19 Document refresh User manually refreshes a
Web Intelligence document,
or user opens a Web
Intelligence document that
has the “refresh on open”
document property assigned.
21 List of values A list of values is retrieved
from the database to
populate a picklist associated
with a prompt used to filter
the data in a document.
22 Edit document User has moved into Edit
document mode.
28 Apply format User applies a formatting
change to a document, in a
query panel.
40 Get page User action results in a request
to server to generate the
necessary data and layout to
display all or part of a Web
Intelligence document.
41 Generate SQL Appears when a user
refreshes a document.
42 Drill out of scope User drills past the scope of
the data currently in memory,
and triggers a call to the
database for more data.

564 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


BusinessObjects Enterprise XI Release 2 Administrator’s Guide

Rights in the CMC

appendix
A Rights in the CMC
Overview

Overview
This appendix describes rights you can set on objects via the CMC:
• Folder rights
• Object rights
• User rights
• Category rights
• Group rights
• Universe rights
• Connection rights
• Server rights
• Desktop Intelligence document rights
• Web Intelligence document rights

Folder rights
The following rights can be set at the folder level.

The right to... Inherited Explicit Final Description


status
General
Add objects to the folder - - Denied Allows users to add folders
View objects - Granted Granted Allows users to view
folders
Edit objects - - Denied Allows users to edit folder
properties
Modify the rights users have to - - Denied Allows users to modify any
objects right, for any user on the
folder(s)
Schedule the document to run - Granted Granted Allows users to schedule
documents in the folder
Delete objects - - Denied Allows users to delete
folders
Define server groups to - Granted Granted Allows users to define
process jobs server groups
Delete instances - - Denied Allows users to delete
historical instances

566 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Folder rights A
The right to... Inherited Explicit Final Description
status
Copy objects to another folder - Granted Granted Allows users to copy
objects from another folder
into a chosen folder they
have access to
Schedule to destinations - Granted Granted Allows users to schedule
to external destinations (for
example, disk, printer…)
View document instances - Granted Granted Allows users to retrieve
and view historical
instances
Pause and Resume document - - Denied Allows users to pause and/
instances or resume a scheduled
object.
Securely modify rights users - - Denied Allows users to grant or
have to objects deny for other users only
the rights that they
themselves have been
granted on the folder
object
Reschedule instances - - Denied Allows users to reschedule
instances that have
already run
Schedule on behalf of other - - Denied Allows users to schedule
users on behalf of other users -
used for report bursting
View objects that the user - - Denied Allows users to view
owns folders they own
Edit objects that the user owns - Granted Granted Allows users to edit folders
they own
Modify the rights users have to - - Denied Allows users to modify the
objects that the user owns rights other users have on
the objects they own
Delete objects that the user - - Denied Allows users to delete
owns objects they own
Delete instances that the user - Granted Granted Allows users to delete any
owns historical instances they
own

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 567


A Rights in the CMC
Folder rights

The right to... Inherited Explicit Final Description


status
View document instances that - - Denied Allows users to view
the user owns historical instances they
own
Pause and Resume document - Granted Granted Allows users to pause and/
instances that the user owns or resume a scheduled
object they own
Securely modify rights users - - Denied Allows users to grant or
have to objects that the user deny rights on the folder
owns. object. Applies only to the
rights that they themselves
have been granted on the
folder object.
Reschedule instances that the - Granted Granted Allows users to reschedule
user owns instances that have
already run that they own

Desktop Intelligence
Refresh the report’s data - Granted Granted Allows users to refresh
Desktop Intelligence report
content
Refresh List of Values - Granted Granted Allows users to refresh the
list of values associated
with a Desktop Intelligence
document
Use Lists of Values - Granted Granted Allows users to use list of
values associated with a
Desktop Intelligence
document
View SQL - - Denied Allows users to see the
SQL used to generate the
Desktop Intelligence
document content
Export the report’s data - Granted Granted Allows users to export the
Desktop Intelligence
document with data
Download files associated with - - Denied Allows users to download
the object the template document
(.rep, for example)

568 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Folder rights A
The right to... Inherited Explicit Final Description
status
Desktop Intelligence add in
Download files associated with - - Denied Allows users to download
the object the object template
document
Desktop Intelligence template
Download files associated with - - Denied Allows users to download
the object the object template
document
Report
Print the report’s data - Granted Granted Allows users to print report
content
Refresh the report’s data - Granted Granted Allows users to refresh
report content
Export the report’s data - Granted Granted Allows users to export
report content
Download files associated with - - Denied Allows users to download
the report the object source
document (.rpt, for
example)
Text
Allow discussion threads - Granted Granted Allows discussion threads
to be added to text
object(s)
Web Intelligence document
Refresh the report’s data - Granted Granted Allows users to refresh the
Web Intelligence report
content
Edit Query - - Denied Allows users to edit the
query used to generate the
Web Intelligence report
content
Refresh List of Values - Granted Granted Allows users to refresh the
list of values associated
with a Web Intelligence
report

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 569


A Rights in the CMC
Object rights

The right to... Inherited Explicit Final Description


status
Use Lists of Values - Granted Granted Allows users to use the list
of values associated with a
Web Intelligence report
View SQL - - Denied Allows users to see the
SQL used to generate the
Web Intelligence report
content
Export the report’s data - Granted Granted Allows users to export the
Web Intelligence report
with data
Download files associated with - - Denied Allows users to download
the object the object template
document (.wid file, for
example)

Object rights
The following rights can be set at the object level.

The right to... Inherit- Explicit- Final Description


edly ly status
General
Add objects to the folder - - Denied Allows users to add objects
View objects - - Denied Allows users to view any
object
Edit objects - - Denied Allows users to edit any
object
Modify the rights users have to - - Denied Allows a users to modify any
objects right, for any user on the
object
Schedule the document to run - - Denied Allows users to schedule
objects
Delete objects - - Denied Allows users to delete any
object
Define server groups to - - Denied Allows users to define/
process jobs create server groups

570 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Object rights A
The right to... Inherit- Explicit- Final Description
edly ly status
Delete instances - - Denied Allows users to delete any
instances
Copy objects to another folder - - Denied Allows users to copy objects
if they can be copied (i.e.
reports, text, application)
Schedule to destinations - - Denied Allows users to schedule
objects to available
destinations
View document instances - - Denied Allows users to view any
instances
Pause and Resume document - - Denied Allows users to pause and
instances resume (scheduling) any
instances
Securely modify rights users - - Denied Allows users to grant or
have to objects deny for other users on the
object only those rights that
they themselves have been
granted
Reschedule instances - - Denied Allows users to reschedule
any instances
Schedule on behalf of other - - Denied Allows users to be able to
users schedule on behalf of other
users - used for report
bursting
View objects that the user - - Denied Allows users to view only
owns those objects they own
Edit objects that the user owns - - Denied Allows users to edit only
those objects they own
Modify the rights users have to - - Denied Allows users to modify the
objects that the user owns rights other users have on
the objects they own
Delete objects that the user - - Denied Allows users to delete only
owns those objects they own
Delete instances that the user - - Denied Allows users to delete only
owns those instances they own
View document instances that - - Denied Allows users to view only
the user owns those document (i.e. report)
instances they own

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 571


A Rights in the CMC
Object rights

The right to... Inherit- Explicit- Final Description


edly ly status
Pause and Resume document - - Denied Allows users to pause and
instances that the user owns resume (scheduling) only
those report instances that
they own
Securely modify rights users - - Denied Allows users to grant or
have to objects that the user deny for other users on the
owns object only the rights that
they themselves have been
granted for objects they own
Reschedule instances that the - - Denied Allows users to reschedule
user owns only those report instances
that they own
Desktop Intelligence
Refresh the report’s data - - Denied Allows users to refresh
report data
Refresh List of Values - - Denied Allows users to refresh the
list of values associated with
a Desktop Intelligence
report
Use Lists of Values - - Denied Allows users to use an
associated list of values
View SQL - - Denied Allows users to see the SQL
used to generate the
Desktop Intelligence report
content
Export the report’s data - - Denied Allows users to export the
Desktop Intelligence report
with data
Download files associated with - - Denied Allows users to download
the object the object template
document (.rep file, for
example)
Desktop Intelligence add in
Download files associated with - - Denied Allows users to download
the object the object template
document (.rep file, for
example)
Desktop Intelligence template

572 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Object rights A
The right to... Inherit- Explicit- Final Description
edly ly status
Download files associated with - - Denied Allows users to download
the object the object template
document (.rep file, for
example)
Report
Print the report’s data - - Denied Allows users to print report
content
Refresh the report’s data - - Denied Allows users to refresh
report content
Export the report’s data - - Denied Allows users to export report
content
Download files associated with - - Denied Allows users to download
the report the object source document
(.rep file, for example)
Text
Allow discussion threads - - Denied Allows discussion threads to
be added to text object
Web Intelligence document
Refresh the report’s data - - Denied Allows users to refresh the
Web Intelligence report
content
Edit Query - - Denied Allows users to edit query
used to generate the Web
Intelligence report content
Refresh List of Values - - Denied Allows users to refresh list of
values associated with a
Web Intelligence report
Use Lists of Values - - Denied Allows users to use list of
values associated with a
Web Intelligence report
View SQL - - Denied Allows users to see the SQL
used to generate the Web
Intelligence report content

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 573


A Rights in the CMC
User rights

The right to... Inherit- Explicit- Final Description


edly ly status
Export the report’s data - - Denied Allows users to export the
Web Intelligence report with
data
Download files associated with - - Denied Allows users to download
the object the object template
document (.wid file, for
example)

User rights
The following rights can be set at the user level.

The right to... Inherit- Explicit- Final Description


edly ly status
General
Add objects to the folder - - Denied Allows users to add users to
the system
View objects - - Denied Allows users to view any
user
Edit objects - - Denied Allows users to edit any user
Modify the rights users have to - - Denied Allows users to modify any
objects right, for any user on the
user object
Delete objects - - Denied Allows users to delete any
user
Change user password - - Denied Allows users to change their
own password
Copy objects to another folder - - Denied Allows users to copy objects
if they can be copied (i.e.
reports, text, application)
Schedule to destinations - - Denied NA
Securely modify rights users - - Denied Allows users to grant or
have to objects deny for other users only the
rights that they themselves
have been granted on the
user object

574 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Category rights A
The right to... Inherit- Explicit- Final Description
edly ly status
Reschedule instances - - Denied Allows users to reschedule
any instances
Schedule on behalf of other - - Denied NA
users
View objects that the user - - Denied NA
owns
Edit objects that the user owns - - Denied NA
Modify the rights users have to - - Denied NA
objects that the user owns
Delete objects that the user - - Denied NA
owns
Change password for users - - Denied NA
that the object owns
Copy objects that the user - - Denied NA
owns to another folder
Subscribe to publications that - - Denied Allows users to subscribe to
the user owns publications if the
publication is owned by the
user
Securely modify rights users - - Denied NA
have to objects that the user
owns
Schedule on behalf of other - - Denied NA
users that the user owns

Category rights
The following rights can be set at the category level.

The right to... Inherit- Explicit- Final Description


edly ly status
Add objects to the folder - - Denied Allows users to add
categories
View objects - - Denied Allows users to view any
category
Edit objects - - Denied Allows users to edit any
category

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 575


A Rights in the CMC
Category rights

The right to... Inherit- Explicit- Final Description


edly ly status
Modify the rights users have to - - Denied Allows users to modify any
objects right, for any user on the
category object
Delete objects - - Denied Allows users to delete any
category
Copy objects to another folder - - Denied NA
Securely modify rights users - - Denied Allows users to grant or
have to objects deny for other users only
those rights they themselves
have been granted on the
category
View objects that the user - - Denied Allows users to view only
owns the categories they own
Edit objects that the user owns - - Denied Allows users to edit only the
categories they own
Modify the rights users have to - - Denied Allows users to modify any
objects that the user owns right for any user, only on
the category objects they
own
Delete objects that the user - - Denied Allows users to delete only
owns the categories they own
Securely modify rights users - - Denied Allows users to grant or
have to objects that the user deny for other users on the
owns category object only those
rights that they themselves
have been granted for
categories they own

576 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Group rights A
Group rights
The following rights can be set at the group level.

The right to... Inherit- Explicit- Final Description


edly ly status
General
Add objects to the folder - - Denied Allows users to add groups
View objects - - Denied Allows users to view any
group
Edit objects - - Denied Allows users to edit any
group
Modify the rights users have to - - Denied Allows users to modify any
objects right, for any user on the
group object
Delete objects - - Denied Allows users to delete any
group
Change user password - - Denied NA
Copy objects to another folder - - Denied NA
Schedule to destinations - - Denied NA
Securely modify rights users - - Denied Allows users to grant or
have to objects deny for other users only
those rights that they
themselves have been
granted on the group object
Schedule on behalf of other - - Denied NA
users
View objects that the user - - Denied Allows users to view only
owns groups they own
Edit objects that the user owns - - Denied Allows users to edit only
groups they own
Modify the rights users have to - - Denied Allows users to modify any
objects that the user owns right, for any user in groups
they own
Delete objects that the user - - Denied Allows users to delete only
owns groups they own
Change password for users - - Denied NA
that the object owns

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 577


A Rights in the CMC
Universe rights

The right to... Inherit- Explicit- Final Description


edly ly status
Copy objects that the user - - Denied NA
owns to another folder
Subscribe to publications that - - Denied Allows users to subscribe to
the user owns publications if the
publication is owned by the
user
Securely modify rights users - - Denied Allows users to grant or
have to objects that the user deny for other users in the
owns group object only those
rights that they themselves
have been granted for
groups they own
Schedule on behalf of other - - Denied NA
users that the user owns

Universe rights
The following rights can be set at the universe level.

The right to... Inherit- Explicit- Final Description


edly ly status
General
Add objects to the folder - - Denied NA
View objects - - Denied Allows users to view
universe
Edit objects - - Denied Allows users to edit universe
Modify the rights users have to - - Denied Allows users to modify any
objects right for any user on the
universe object
Schedule the document to run - - Denied NA
Delete objects - - Denied Allows users to delete
universe
Copy objects to another folder - - Denied NA

578 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Universe rights A
The right to... Inherit- Explicit- Final Description
edly ly status
Securely modify rights users - - Denied Allows users to grant or
have to objects deny for other users on the
universe object only those
rights that they themselves
have been granted on that
object
View objects that the user - - Denied NA
owns
Edit objects that the user owns - - Denied NA
Modify the rights users have to - - Denied NA
objects that the user owns
Delete objects that the user - - Denied NA
owns
Securely modify rights users - - Denied NA
have to objects that the user
owns.
Universe
New List of Values - - Denied Allows users to create new
list of values associated with
universe
Print Universe - - Denied Allows users to print
universe
Show Table or Object Values - - Denied Allows users to view the
tables or object values
associated with a universe
Edit Access Restrictions - - Denied Allows users to edit access
restrictions for universe
Unlock Universe - - Denied Allows users to unlock
universe
Data Access - - Denied Allows users to modify data
access elements of universe

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 579


A Rights in the CMC
Connection rights

Connection rights
The following rights can be set at the connection level.

The right to... Inherit- Explicit- Final Description


edly ly status
General
Add objects to the folder - - Denied Allows users to add
connections
View objects - - Denied Allows users to view
connection
Edit objects - - Denied Allows users to edit
connection
Modify the rights users have to - - Denied Allows users to modify any
objects right, for any user on the
connection object
Schedule the document to run - - Denied NA
Delete objects - - Denied Allows users to delete
connection
Copy objects to another folder - - Denied NA
Securely modify rights users - - Denied NA
have to objects
View objects that the user - - Denied NA
owns
Edit objects that the user owns - - Denied NA
Modify the rights users have to - - Denied NA
objects that the user owns
Delete objects that the user - - Denied NA
owns
Securely modify rights users - - Denied NA
have to objects that the user
owns
Connections

580 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Server rights A
The right to... Inherit- Explicit- Final Description
edly ly status
Data Access - - Denied Allows users to modify data
access element of
connection
Use connection for Stored - - Denied Allows users to use
Procedures specified connection for
stored procedures

Server rights
The following rights can be set at the server level.

The right to... Inherit- Explicit- Final Description


edly ly status
General
Add objects to the folder - - Denied NA
View objects - - Denied Allows users to view server
objects
Edit objects - - Denied Allows users to edit server
objects
Modify the rights users have to - - Denied Allows users to modify any
objects right, for any user on the
server object
Delete objects - - Denied Allows users to delete
server objects
Copy objects to another folder - - Denied NA
Securely modify rights users - - Denied Allows users to grant or
have to objects deny for other users only
those rights on the server
object that they themselves
have been granted
View objects that the user - - Denied NA
owns
Edit objects that the user owns - - Denied NA
Modify the rights users have to - - Denied NA
objects that the user owns
Delete objects that the user - - Denied NA
owns

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 581


A Rights in the CMC
Desktop Intelligence document rights

The right to... Inherit- Explicit- Final Description


edly ly status
Copy objects that the user - - Denied NA
owns to another folder
Securely modify rights users - - Denied NA
have to objects that the user
owns

Desktop Intelligence document rights


The following rights can be set at the Desktop Intelligence document level.

The right to... Inherit- Explicit- Final Description


edly ly status
General
Log on to Desktop Intelligence - - Denied Allows users to view
and view this object in the Desktop Intelligence
CMC documents when they log in
to the CMC
Edit this object - - Denied Allows users to edit the
properties of the Desktop
Intelligence document
Modify the rights users have to - - Denied Allows users to modify any
this object right, for any user on the
Desktop Intelligence object
Securely modify rights users - - Denied Allows users to grant or
have to objects deny for other users only
those rights that they
themselves have been
granted on the Desktop
Intelligence document
Desktop Intelligence
Create Desktop Intelligence - - Denied Allows users to create new
Documents Desktop Intelligence
documents (.rep)
Create Templates - - Denied Allows users to create
Desktop Intelligence
templates

582 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Desktop Intelligence document rights A
The right to... Inherit- Explicit- Final Description
edly ly status
Use Templates - - Denied Allows users to use existing
Desktop Intelligence
templates for creating new
documents
Save Desktop Intelligence - - Denied Allows users to save
Documents Desktop Intelligence
document
Save documents for all users - - Denied Allows users to save
Desktop Intelligence
documents that are
available to all users
Desktop Intelligence - - Denied Allows users to interact with
Document Interaction Desktop Intelligence
document
Desktop Intelligence Report - - Denied Allows users to interact with
Interaction Desktop Intelligence report
Refresh Desktop Intelligence - - Denied Allows users to refresh
Document Desktop Intelligence
document
Print Documents - - Denied Allows users to print
document
Copy to Clipboard - - Denied Allows users to copy
selected information to
clipboard
Euro Converter - - Denied Allows users to access the
Euro Converter
Edit Euro Converter Rate - - Denied Allows users to edit the
exchange rate in the Euro
Converter
Drill Through - - Denied Allows users to drill through
on Desktop Intelligence
documents
Edit Scope of Analysis - - Denied Allows users to edit the
scope of analysis
Work in Drill Mode - - Denied Allows users to interact and
work while in drill mode

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 583


A Rights in the CMC
Desktop Intelligence document rights

The right to... Inherit- Explicit- Final Description


edly ly status
Work in Slice-and-Dice Mode - - Denied Allows users to interact and
work while in slice and dice
mode
Edit VBA Code - - Denied Allows users to edit VBA
code associated with a
Desktop Intelligence
document
Run VBA Code - - Denied Allows users to run VBA
code
Install Add-Ins - - Denied Allows users to install
Desktop Intelligence add-ins
Manage All Corporate - - Denied Allows users to manage all
Categories corporate categories
Manage My Corporate - - Denied Allows users to manage all
Categories corporate categories
Refresh Document List and - - Denied Allows users to refresh
Categories document list and
categories
Send Documents to Repository - - Denied Allows users to send
Desktop Intelligence
documents to repository -
Input FRS
Send Documents to Mail - - Denied Allows users to send
Desktop Intelligence
documents to inbox
Retrieve Documents - - Denied Allows users to retrieve
Desktop Intelligence
documents from the
managed system
Create and Edit Connections - - Denied Allows users to create new
and edit existing connection
objects
Data Provider Manipulation - - Denied Allows users to edit data
provider information
Edit Free-Hand SQL - - Denied Allows users to edit free-
hand SQL if free-hand SQL
has been granted

584 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Desktop Intelligence document rights A
The right to... Inherit- Explicit- Final Description
edly ly status
Use Free-Hand SQL - - Denied Allows users access to free-
hand SQL
Edit Personal Data Files - - Denied Allows users to edit any
personal data files if use of
personal data files has been
granted
Use Personal Data Files - - Denied Allows users to use
personal data files
Edit Stored Procedures - - Denied Allows users to edit any
stored procedures if use of
stored procedures has been
granted
Use Stored Procedures - - Denied Allows users to use stored
procedures
Always Regenerate SQL - - Denied Directs Desktop Intelligence
document always to
regenerate the associated
SQL
Edit Query SQL - - Denied Allows users to edit the SQL
used in the query
Use other SQL requests than - - Denied Allows users to use
Select commands other than
SELECT in the query SQL
View SQL - - Denied Allows users to view the
associated SQL
Edit Queries - - Denied Allows users to edit Desktop
Intelligence document
queries if granted use of
queries
Use Queries - - Denied Allows users to use queries
with Desktop Intelligence
documents
Edit List of Values - - Denied Allows users to edit the list
of values associated if
granted access to use list of
values

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 585


A Rights in the CMC
Web Intelligence document rights

The right to... Inherit- Explicit- Final Description


edly ly status
Use List of Values - - Denied Allows users to use list of
values when processing
Desktop Intelligence
documents
Refresh List of Values - - Denied Allows users to refresh the
list of values if granted
access to use list of values
Use User Objects - - Denied Allows users to use user-
defined objects

Web Intelligence document rights


The following rights can be set at the Web Intelligence document level.

The right to... Inherit- Explicit- Final Description


edly ly status
General
Log on to Web Intelligence and - - Denied Allows users to view Web
view this object in the CMC Intelligence documents
when they log in to the CMC
Edit this object - - Denied Allows users to edit the
properties of the Web
Intelligence document
Modify the rights users have to - - Denied Allows users to modify any
this object right, for any user on the
Web Intelligence object
Securely modify rights users - - Denied Allows users to grant or
have to objects deny for other users only
those rights that they
themselves have been
granted on the Web
Intelligence document
Web Intelligence
Enable interactive HTML - - Denied Allows interactive viewing if
viewing (if license permits) there is a license present
that permits this functionality

586 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Web Intelligence document rights A
The right to... Inherit- Explicit- Final Description
edly ly status
Enable Query - HTML - - Denied Allows use of Web
Intelligence HTML Report
Panel
Enable Java Report Panel - - Denied Allows use of Web
Intelligence Java Report
Panel
Extend scope of analysis - - Denied Extends the reports scope
of analysis
Enable drill mode - - Denied Allows drill through in the
report
Create document - - Denied Allows a users to create a
new Web Intelligence
document
Java Report Panel: Enable - - Denied Allows use of and show the
formula toolbar formula toolbar in Java
Report Panel
Interactive: Formatting - - - Denied Enables the toolbar and
Enable toolbar and menus associated menu items for
formatting when in
interactive mode
Interactive: Formula - Enable - - Denied Enables the toolbar and
toolbar and variable creation associated menu items for
formula when in interactive
mode
Interactive: General - Enable - - Denied Enables the contextual
right click menu (right-click) menu when in
interactive mode
Interactive: Left pane - Enable - - Denied Enables the display of
document structure and filters document structure and
filters in the left pane when
in interactive mode
Interactive: Left pane - Enable - - Denied Enables list of available
available objects, tables and objects, tables and filters in
charts the left pane when in
interactive mode
Java Report Panel: Edit SQL - - Denied Allows users to edit the
report SQL in the Java
Report Panel

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 587


A Rights in the CMC
Web Intelligence document rights

The right to... Inherit- Explicit- Final Description


edly ly status
Merge dimensions for - - Denied Enables the merging of
synchronization dimensions to allow for
synchronization of
dimensions
Enable HTML Report Panel - - Denied Enables the HTML Report
Panel
Interactive: General - Edit 'My - - Denied Allows users to access and
Preferences' edit their preferences - My
Preferences, when in
interactive mode
Interactive: Left pane - Enable - - Denied Displays the document
document summary summary in the left pane
when in interactive mode
Interactive: Left pane - Enable - - Denied Enables the document data
data summary summary in the left pane
when in interactive mode
Interactive: Reporting - Create - - Denied Allows users to create and/
and edit report filter or edit the report filter when
in interactive mode
Interactive: Reporting - Create - - Denied Allows users to create and/
and edit sort or edit report sort when in
interactive mode
Interactive: Reporting - Create - - Denied Allows users to create and/
and edit break or edit break points when in
interactive mode
Interactive: Reporting - Create - - Denied Allows users to create and/
and edit predefined calculation or edit predefined
calculations when in
interactive mode
Interactive: Reporting - Apply - - Denied Allows users to create and/
and remove existing alerters or edit existing report
alerters when in interactive
mode

588 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Rights in the CMC
Web Intelligence document rights A
The right to... Inherit- Explicit- Final Description
edly ly status
Interactive: Reporting - Insert - - Denied Allows users to insert
report, table, chart and cell reports, tables charts and/or
cells into a report when in
interactive mode
Interactive: General - Ability to - - Denied Allows users to hide and/or
hide / show toolbars show toolbars when in
interactive mode

Troubleshooting
There are a few common problems and misconceptions that you may
encounter when assigning rights.

About objects
Note that BusinessObjects Enterprise treats all managed items as objects (or
InfoObjects). For example, a folder is a folder object, a Crystal Report is a
report object, a connection is a connection object, and so on.

Modify Rights and Securely Modify Rights


Both Modify Rights and Securely Modify Rights apply to one object at a time,
and are not intrinsically related to object ownership.
The Modify Rights right is very powerful, because a user who is granted the
Modify Rights right on an object can modify any right for any user on that
object. For example, if a user has only View and Modify Rights rights on an
object, she can grant herself or any other user full control over the object by
granting all missing rights.
The Securely Modify Rights right is more restrictive. It allows a user to grant
or deny only those rights that a user already has. For example, if a user has
only View and Securely Modify Rights rights on an object, he can grant or
deny only these rights for other users. He cannot grant himself more rights,
nor can he grant rights to users for whom he does not have the Securely
Modify Rights right.

Subscribing users to publications


To subscribe a user to a publication, you must be granted the Send to
destination for the user object.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 589


A Rights in the CMC
Web Intelligence document rights

590 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


UNIX Tools

appendix
B UNIX Tools
UNIX tools overview

UNIX tools overview


The UNIX distribution of BusinessObjects Enterprise includes a number of
scripts that, together, provide you with all the configuration options that are
available in the Windows version of the Central Configuration Manager
(CCM). There are a number of other scripts that provide you with UNIX-
specific options or serve as templates for your own scripts. Also, there are
several secondary scripts that are used by BusinessObjects Enterprise. Each
script is described here and the command-line options are provided where
applicable.

Script utilities
This section describes the administrative scripts that assist you in working
with BusinessObjects Enterprise on UNIX. The remainder of this guide
discusses the concepts behind each of the tasks that you can perform with
these scripts. This reference section provides you the main command-line
options and their arguments.

ccm.sh
The ccm.sh script is installed to the bobje directory of your installation. This
script provides you with a command-line version of the CCM. This section
lists the command-line options and provides some examples.
Note:
• Arguments in square brackets [ ] are optional.
• By default, servers are named with a hostname.servertype convention. If
the option requires the server name, use servertype as the server name.
If the option requires the fully qualified server name, use
hostname.servertype. If you are unsure of a server’s fully qualified name,
look in the ccm.config file, locate the server’s launch string, and use the
value that appears after the -name option.

592 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


UNIX Tools
Script utilities B
• Arguments denoted by other authentication information are provided in
the second table.

CCM Option Valid Arguments Description


-help n/a Display command-line help.
-start all or servername Start each server as a process. Use the
short form of the server name.
-stop all or servername Stop each server by terminating its
Process ID. Use the short form of the
server name.
-restart all or servername Stop each server by terminating its
Process ID; then each server is started.
Use the short form of the server name.
-enable all or hostname.servertype Enable a started server so that it
[other authentication information] registers with the system and starts
listening on the appropriate port. Use
the fully qualified form of the server
name.
-disable all or hostname.servertype Disable a server so that it stops
[other authentication information] responding to BusinessObjects
Enterprise requests but remains started
as a process. Use the fully qualified
form of the server name.
-display server [other authentication Reports the server’s current status
information] (enabled or disabled). The CMS must
be running before you can use this
option.
-updateobjects [other authentication information] Update objects migrated from a
previous version of BusinessObjects
Enterprise into your current CMS
system database. Use this option after
running cmsdbsetup.sh.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 593


B UNIX Tools
Script utilities

This table describes the options that make up the argument denoted by other
authentication information.

Authentication Valid arguments Description


Option
-cms cmsname:port# Specify the CMS that you want to log on
to. If not specified, the CCM defaults to the
local machine and the default port (6400).
-username username Specify an account that provides
administrative rights to BusinessObjects
Enterprise. If not specified, the default
Administrator account is attempted.
-password password Specify the corresponding password. If not
specified, a blank password is attempted.
Note: To specify the -password
argument, you must also specify the -
username argument.
-authentication secEnterprise, secLDAP Specify the appropriate authentication
type for the administrative account. If not
specified, secEnterprise is attempted.
The CCM reads the server launch strings and other configuration values from
the ccm.config file. For details, see “ccm.config” on page 595.

Examples
These two commands start and enable all the servers. The Central Management
Server (CMS) is started on the local machine and the default port (6400):
ccm.sh -start all
ccm.sh -enable all
These two commands start and enable all the servers. The CMS is started on
port 6701, rather than on the default port:
ccm.sh -start all
ccm.sh -enable all -cms MACHINE01:6701
These two commands start and enable all the servers with a specified
administrative account named SysAdmin:
ccm.sh -start all
ccm.sh -enable all -cms MACHINE01:6701 -username SysAdmin -
password 35%bC5@5 -authentication LDAP
This single command logs on with a specified administrative account to
disable a Job Server that is running on a second machine:
ccm.sh -disable MACHINE02.businessobjects.com.reportserver -
cms MACHINE01:6701 -username SysAdmin -password 35%bC5@5
-authentication secLDAP

594 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


UNIX Tools
Script utilities B
ccm.config
This configuration file defines the server launch strings and other values that
are used by the CCM when you run its commands. This file is maintained by
the CCM itself, and by the other BusinessObjects Enterprise script utilities.
You typically edit this file only when you need to modify a server’s command
line. For details, see the Command Lines appendix of the BusinessObjects
Enterprise Administrator’s Reference Guide.

cmsdbsetup.sh
The cmsdbsetup.sh script is installed to the bobje directory of your
installation. The script provides a text-based program that enables you to
configure the CMS database, CMS clusters, and to set up the audit database.
You can add a CMS to a cluster by selecting a new data source for its CMS
database. You can also delete and recreate (re-initialize) a CMS database,
copy data from another data source, or change the existing cluster name.
Note: Before running this script, back up your current CMS database. Also
be sure to see “Clustering Central Management Servers” on page 86 for
additional information about CMS clusters and configuring the CMS
database.
The script will prompt you for the name of your CMS. By default, the CMS
name is hostname.cms. That is, the default name of a CMS installed on a
machine called MACHINE01 is MACHINE01.cms. To check the name of your
CMS (or any other server), view the contents of ccm.config and look for the
server’s launch string. The server’s current name appears after the -name
option.
For more information about configuring the CMS database or setting up the
auditing database, see “Managing Auditing” on page 529.

configpatch.sh
The configpatch.sh script is installed to the bobje/enterprise/
generic directory of your installation. Use the configpatch.sh script when
installing patches that require updates to system configuration values. After
installing the patch, run configpatch.sh with the appropriate .cf file name
as an argument. The readme.txt file that accompanies BusinessObjects
Enterprise patches tells you when to run configpatch.sh, and the name of
the .cf file to use.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 595


B UNIX Tools
Script utilities

serverconfig.sh
The serverconfig.sh script is installed to the bobje directory of your
installation. This script provides a text-based program that enables you to view
server information and to add and delete servers from your installation. This
script adds, deletes, modifies, and lists information from the ccm.config file.
When you modify a server using serverconfig.sh, you can change the
location of its temporary files. For the Central Management Server, you can
change its port number or enable auditing. For the Input File Repository
Server or the Output File Repository Server, you can enter the root directory.
To add/delete/modify/list UNIX servers
1. Go to the bobje directory of your installation.
2. Issue the following command:
./serverconfig.sh
The script prompts you with a list of options:
• 1 - Add a server
• 2 - Delete a server
• 3 - Modify a server
• 4 - List all servers in the config file
3. Type the number that corresponds to the action you want to perform.
4. If you are adding, deleting, or modifying a server, provide the script with
any additional information that it requests.
Tip: The script will prompt you for the name of your CMS. By default, the
CMS name is hostname.cms. That is, the default name of a CMS
installed on a machine called MACHINE01 is MACHINE01.cms. However,
in this script you can enter hostname to check the name of your CMS (or
any other server), view the contents of ccm.config, and look for the
server’s launch string. The server’s current name appears after the -
name option.
5. Once you have added or modified a server, use the CCM to ensure that
the server is both started and enabled.
For more information about working with servers, see “Managing and
Configuring Servers” on page 69.

596 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


UNIX Tools
Script utilities B
sockssetup.sh
The sockssetup.sh script is installed to the bobje directory of your
installation. The script provides a text-based program that enables you to
configure the Web Component Adapter (WCA) and the Central Management
Server (CMS) when they must communicate across one or more SOCKS proxy
server firewalls. For technical information about BusinessObjects Enterprise
and firewalls, see “Working with Firewalls” on page 161.
To modify SOCKS configuration
1. Go to the bobje directory of your installation.
2. Issue the following command:
./sockssetup.sh
3. Type wca to configure the communication between the WCA and the
CMS. Or, type servers to configure SOCKS information between the
remaining servers.
The script may prompt you for the name or “friendly name” of the server. By
default, each server’s name is hostname.servertype. To check the name
of a server, view the contents of ccm.config and look for the server’s
launch string. The server’s current name appears after the -name option.
The “friendly name” of the WCA by default is hostname.wca. To check the
name of the WCA, look for the <display-name> of the WCA as listed in
the web.xml file in the WEB-INF directory of the webcompadapter.war
archive. (This archive is found in the businessobjects_root/
enterprise/JavaSDK/applications directory, where
businessobjects_root is the root directory of your BusinessObjects
Enterprise installation.)
4. Specify one of the available actions:
• Type show to display any SOCKS servers that have already been
entered with this script. A blank list is displayed if no servers have
been added.
• Type create to add a new SOCKS server to the list.
• Type modify to change one of the SOCKS servers in the list.
• Type delete to remove a SOCKS server from the list.
• Type moveup or movedown to modify the sequence of SOCKS servers.
5. Proceed through the script and provide any additional information that it
requests:
• If you are creating a new entry in the list, you will typically need to
provide the name or IP address of the SOCKS server, the port
number it is listening on, the version number of the SOCKS server (4

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 597


B UNIX Tools
Script templates

or 5), and any authentication information that the BusinessObjects


Enterprise servers will require in order to establish a connection with
your SOCKS server.
• If you choose to delete, modify, or move an existing entry, you will be
asked to specify the server “by index.” Type the number that
corresponds to the SOCKS server you want to modify.
For details about SOCKS and the importance of the sequence of servers, see
“Configuring for SOCKS servers” on page 179.

uninstallBOBJE.sh
The uninstallBOBJE.sh script is installed to the bobje directory of your
installation. This script deletes all of the files installed during your original
installation of BusinessObjects Enterprise by running the scripts in the
bobje/uninstall directory. Do not run the scripts in the uninstall
directory yourself: each of these scripts removes only the files associated with
a single BusinessObjects Enterprise component, which may leave your
BusinessObjects Enterprise system in an indeterminate state.
Before running this script, you must disable and stop all of the
BusinessObjects Enterprise servers.
Note:
• The uninstallBOBJE.sh script will not remove files created during the
installation process, or files created by the system or by users after
installation. To remove these files, after running installBOBJE.sh,
perform an rm -rf command on the bobje directory.
• If you performed the “system” installation type, you will also need to
delete the run control scripts from the appropriate /etc/rc# directories.

Script templates
These scripts are provided primarily as templates upon which you can base
your own automation scripts.

startservers
The startservers script is installed to the bobje directory of your
installation. This script can be used as a template for your own scripts: it is
provided as an example to show how you could set up your own script that
starts the BusinessObjects Enterprise servers by running a series of CCM
commands. For details on writing CCM commands for your servers, see
“ccm.sh” on page 592.

598 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


UNIX Tools
Script templates B
stopservers
The stopservers script is installed to the bobje directory of your
installation. This script can be used as a template for your own scripts: it is
provided as an example to show how you could set up your own script that
stops the BusinessObjects Enterprise servers by running a series of CCM
commands. For details on writing CCM commands for your servers, see
“ccm.sh” on page 592.

silentinstall.sh
The silentinstall.sh script is installed to the bobje directory of your
installation. Once you have set up BusinessObjects Enterprise on one
machine, you can use this template to create your own scripts that install
BusinessObjects Enterprise automatically on other machines. Essentially,
once you have edited the silentinstall.sh template accordingly, it
defines the required environment variables, runs the installation and setup
scripts, and sets up BusinessObjects Enterprise according to your
specifications, without requiring any further input.
The silent installation is particularly useful when you need to perform multiple
installations and do not want to interrupt people who are currently working on
machines in your system. You can also use the silent installation script in your
own scripts. For example, if your organization uses scripts to install software
on machines, you can add the silent BusinessObjects Enterprise installation
command to your scripts.
For information about script parameters, see the comments in the
silentinstall.sh script.
Note:
• Because the silentinstall.sh file is installed with BusinessObjects
Enterprise, you cannot install silently the first time you install
BusinessObjects Enterprise.
• The silent installation is not recommended if you need to perform custom
installations. The installation options are simplified and do not allow for
the same level of customization provided in the BusinessObjects
Enterprise install script.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 599


B UNIX Tools
Scripts used by BusinessObjects Enterprise

Scripts used by BusinessObjects Enterprise


These secondary scripts are often run in the background when you run the
main BusinessObjects Enterprise script utilities. You need not run these
scripts yourself.

bobjerestart.sh
This script is run internally by the CCM when it starts the BusinessObjects
Enterprise server components. If a server process ends abruptly without
returning its normal exit code, this script automatically restarts a new server
process in its place. Do not run this script yourself.

env.sh
The env.sh script is installed to the bobje directory of your installation. This
script sets up the BusinessObjects Enterprise environment variables that are
required by some of the other scripts. BusinessObjects Enterprise scripts run
env.sh as required. When you install BusinessObjects Enterprise on UNIX, you
must configure your Java application server to source this script on startup.
See the BusinessObjects Enterprise Installation Guide for more details.

env-locale.sh
The env-locale.sh script is used for converting the script language strings
between different types of encoding (for example, UTF8 or EUC or Shift-JIS).
This script is run by env.sh as needed.

initlaunch.sh
The initlaunch.sh script runs env.sh to set up the BusinessObjects
Enterprise environment variables, and then runs any command that you have
added as a command-line argument for the script. This script is intended
primarily for use as a debugging tool by Business Objects SA.

600 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


UNIX Tools
Scripts used by BusinessObjects Enterprise B
patchlevel.sh
The patchlevel.sh is installed to the bobje/enterprise/generic
directory of your installation. This script reports on the patch level of your
UNIX distribution. This script is intended primarily for use by Business Objects
SA support staff.

Option Valid Arguments Description


list n/a List all the installed patches.
query patch # Query the operating system for the presence
of a particular patch by numeric ID.
check textfile Check that all the patches listed in textfile are
installed on your operating system.

postinstall.sh
The postinstall.sh script is installed to the bobje directory of your
installation. This script runs automatically at the end of the installation script
and launches the setup.sh script. You need not run this script yourself.

setup.sh
The setup.sh script is installed to the bobje directory of your installation.
This script provides a text-based program that allows you to set up your
BusinessObjects Enterprise installation. This script is run automatically when
you install BusinessObjects Enterprise. It prompts you for the information that
is required in order to set up BusinessObjects Enterprise for the first time.
For complete details on responding to the setup script when you install
BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation
Guide.

setupinit.sh
The setupinit.sh script is installed to the bobje directory of your
installation when you perform a system installation. This script copies the run
control scripts to your rc# directories for automated startup. When you run a
system installation you are directed to run this script after the setup.sh script
completes.
Note: You must have root privileges to run this script.

BusinessObjects Enterprise XI Release 2 Administrator’s Guide 601


B UNIX Tools
Scripts used by BusinessObjects Enterprise

602 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Business Objects
Information Resources

appendix
A Business Objects Information Resources
Documentation and information services

Documentation and information services


Business Objects offers a full documentation set covering its products and
their deployment. Additional support and services are also available to help
maximize the return on your business intelligence investment. The following
sections detail where to get Business Objects documentation and how to use
the resources at Business Objects to meet your needs for technical support,
education, and consulting.

Documentation
You can find answers to your questions on how to install, configure, deploy,
and use Business Objects products from the documentation.

What’s in the documentation set?


View or download the Business Objects Documentation Roadmap, available
with the product documentation at http://www.businessobjects.com/support/.
The Documentation Roadmap references all Business Objects guides and
lets you see at a glance what information is available, from where, and in
what format.

Where is the documentation?


You can access electronic documentation at any time from the product
interface, the web, or from your product CD.

Documentation from the products


Online help and guides in Adobe PDF format are available from the product
Help menus. Where only online help is provided, the online help file contains
the entire contents of the PDF version of the guide.

Documentation on the web


The full electronic documentation set is available to customers on the web
from support web site at: http://www.businessobjects.com/support/.

Documentation on the product CD


Look in the docs directory of your product CD for versions of guides in Adobe
PDF format.

604 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Business Objects Information Resources
Customer support, consulting and training A
Send us your feedback
Do you have a suggestion on how we can improve our documentation? Is
there something you particularly like or have found useful? Drop us a line,
and we will do our best to ensure that your suggestion is included in the next
release of our documentation: documentation@businessobjects.com.
Note: If your issue concerns a Business Objects product and not the
documentation, please contact our Customer Support experts. For
information about Customer Support visit: http://www.businessobjects.com/
support/.

Customer support, consulting and training


A global network of Business Objects technology experts provides customer
support, education, and consulting to ensure maximum business intelligence
benefit to your business.

How can we support you?


Business Objects offers customer support plans to best suit the size and
requirements of your deployment. We operate customer support centers in
the following countries:
• USA
• Australia
• Canada
• United Kingdom
• Japan

Online Customer Support


The Business Objects Customer Support web site contains information about
Customer Support programs and services. It also has links to a wide range of
technical information including knowledgebase articles, downloads, and
support forums.
http://www.businessobjects.com/support/

BusinessObjects Enterprise XI Release 2 Administrator’s Guide605


A Business Objects Information Resources
Useful addresses at a glance

Looking for the best deployment solution for your


company?
Business Objects consultants can accompany you from the initial analysis
stage to the delivery of your deployment project. Expertise is available in
relational and multidimensional databases, in connectivities, database design
tools, customized embedding technology, and more.
For more information, contact your local sales office, or contact us at:
http://www.businessobjects.com/services/consulting/

Looking for training options?


From traditional classroom learning to targeted e-learning seminars, we can
offer a training package to suit your learning needs and preferred learning
style. Find more information on the Business Objects Education web site:
http://www.businessobjects.com/services/training

Useful addresses at a glance

Address Content
Business Objects product Information about the full range of
information Business Objects products.
http://www.businessobjects.com
Product documentation Business Objects product
http://www.businessobjects.com/ documentation, including the
support Business Objects Documentation
Roadmap.
Business Objects Documentation Send us feedback or questions
mailbox about documentation.
documentation@businessobjects.com
Online Customer Support Information on Customer Support
http://www.businessobjects.com/ programs, as well as links to
support/ technical articles, downloads, and
online forums.

606 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Business Objects Information Resources
Useful addresses at a glance A
Address Content
Business Objects Consulting Information on how Business
Services Objects can help maximize your
http://www.businessobjects.com/ business intelligence investment.
services/consulting/
Business Objects Education Information on Business Objects
Services training options and modules.
http://www.businessobjects.com/
services/training

BusinessObjects Enterprise XI Release 2 Administrator’s Guide607


A Business Objects Information Resources
Useful addresses at a glance

608 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Index

Symbols on import of stored procedures 385


@Variable('BOPASS') 383 on import of universe-related security
@Variable('BOUSER') 383 commands 382
Active Directory 243
active sessions, viewing 73, 73, 73, 73
A active trust relationship 208
access AD authentication plug-in 206
to applications 325 adding
to universe connections 330 CMS cluster members 86
to universes 329 servers 158
Access Level column 295 add-ins
access levels migration 376
administration 326 administration 22
Advanced 297, 298 configuration tools 70
calendars 502 delegating 319, 326
enabling and disabling inheritance 303 events 509
events 509 folders 337, 343
folders 337, 343 over the Web 23
Full Control 297 profiles 515
groups 327 remote UNIX machines 28
InfoView 325 remote Windows machines 27
inheritance 301 rights 326
No Access 297 servers and server groups 328
profiles 515 tools 22
restricting from the top-level folder 323 users and groups 327
Schedule 297 Administrator account 217
server groups 328 setting password 29
servers 328 Administrator group 218
setting 296 Advanced access level 297
specifying on folders 337, 343 advanced rights 298
tutorials 307 and inheritance 301
types of 296 priorities affecting 307
users 327 denied by default 307
View 297 enabling and disabling inheritance 304
View On Demand 297 precedence 307
when copying/moving folders 334, 342 setting 298
access rights to Query HTML panel 39 viewing 298
accounts, managing 216 Advanced Rights page 299
ACEs affinity, and SSL 209

BusinessObjects Enterprise XI Release 2 Administrator’s Guide609


Index

agnostic documents Event Server 536


importing 378 Job Server 537
alerts, setting notification 477 auditee 530
aliases 365 auditing
assigning to a user 263 configuring database 531
creating database schema 554
for existing user 263 enabling 537
for new user 262 information flow 530
deleting 265 notification 475
disabling 265 optimizing performance 542
managing 261 reporting results 540, 554
reassigning for a user 264 synchronizing records 541
Allow user to merge dimension for synchronization user and system actions 533
right 377 web activity 213
anonymous single sign-on 198 auditing database
Application Foundation configuring 531
checking universe integrity 369 database schema 554
migration 362, 367 Application_Type table 557
Application Foundation repository Audit_Detail table 555
modification during import 368 Audit_Event table 554
application servers 49 Detail_Type table 558
application tier 48 Event_Type table 557
applications 46 Server_Process table 556
CCM 47 auditor 530
CMC 47 Auditor report names 546
Import Wizard 48 Average Number of Users Logged In 546
InfoView 46 Average Refresh Time 547
Publishing Wizard 47 Average Session Duration 547
APS. See CMS Average Session Duration per Cluster 547
apsdbsetup.sh 595 Average Session Duration per User 547
architecture 44 Cluster Nodes 548
diagram 44 Document Information Detail 548
areas, management 24 Document Scheduling and Viewing Status 548
assigning an alias 263 Job Servers on the System 549
associated documents 407 Job Summary 548
attributes, logon tokens 209 Jobs per Job Server 549
audience, intended 20 Jobs per User 549
audit actions Last Login for User 549
enabling auditing of 537 Least Accessed Documents 550
reference list 533 Modifications 551
synchronizing records 541 Most Accessed Documents 550
audit enablement 537 Most Active Users 550
auditable actions Most Popular Actions 550
CMS 537 Most Popular Actions per Document 551
Destination Job Server 536 Number of User Sessions 551

610 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Index

Number of Users in the System 551 Publishing Wizard 47


Peak Usage 552 BusinessObjects documents
Refresh and Edit Activity 552 import limitations 376
Rights Modification 552 importing 375
Total Users Logged in by Day 552 migrating OLAP data providers 376
User Activity 552 migration of rights 376
User Activity per Session 553 BusinessObjects Enterprise 346
Users Who Logged Off Incorrectly 553 communication between servers 166
authentication disabling Guest account 29
BusinessObjects Enterprise security plug-in firewall integration 166
202 primary authentication process 195
Kerberos configuration 271 publishing rights 346
LDAP 365 single sign-on 202
LDAP security plug-in 204 single sign-on with NT 203
object packages 461 system architecture 44
primary 195 BusinessObjects Enterprise 5.x/6.x 367
program objects 456 BusinessObjects Enterprise Central Management
secondary 196 Console. See CMC
security plug-ins 201 BusinessObjects Enterprise Repository 184
troubleshooting log on 520 refreshing objects in reports 192
Trusted Authentication 224 BusinessObjects Enterprise SDK 196, 207
Windows AD 365 Java SDK 49
Windows AD security plug-in 206 .NET SDK 49
Windows NT Challenge/Response 203, 207 BusinessObjects Enterprise security plug-in 202
Windows NT security plug-in 202 BusinessObjects Enterprise servers 51, 55
authentication, types of 218 Cache Server 54
authorization. See object rights configuring hosts file for firewall 174
Automated Process Scheduler. See CMS description 44
available rights 301 Event Server 53
File Repository Servers 54
B Job Server 56
Page Server 58
base rights 301
Program Job Server 56
business calendars. See calendars
Report Application Server 58
Business Objects
BusinessObjects Enterprise Sizing Guide 148
consulting services 606, 607
BusinessObjects NT Users group 218
support services 605
BusinessObjects SDK
training services 606, 607
Send to BCA 376
BusinessObjects
Send to Inbox 376
migration of document rights 376
BusinessObjects applications
CCM 47 C
CMC 47 cacert.der 137
CMS 52 cache format for Web Intelligence documents 489
Import Wizard 48 Cache Server 54
InfoView 46 configuring 101

BusinessObjects Enterprise XI Release 2 Administrator’s Guide611


Index

metrics 72 clusters 86, 88, 88


performance settings 101 changing names 92
viewing with 63 requirements 86
Cache Server auditable actions 534 viewing details 74
Cache Server for viewing reports 431 CMC 47
caching Web Intelligence documents, when access to 325
scheduling 489 changing password 26
cakey.pem 137 enabling and disabling servers 77
calendars logging off 26
adding dates to 497 logging on 23
creating 496 management areas 24
deleting 501 navigating 24
specifying rights 502 setting CMC Access URL 32
categories 340 setting preferences 24
assigning an object to 426 setting Query size threshold 32
creating 341 starting, stopping, and restarting servers 75
selecting for import 405 unable to connect 520
Categories folder 386 working with 23
CCM 47 CMC timeout setting 82
accessing 26 CMS 52, 200
adding a server 158 adding to a cluster 88
changing and Application Foundation objects 368
server startup type 136 and authentication 195, 196
server user account 136 and authorization 196
Windows server dependencies 135 and distributed security 209
copying server status 79 and security 200, 200
deleting a server 160 and security plug-ins 200
enabling and disabling servers 77 as nameserver 131
for UNIX 28 base rights and available rights 301
for Windows 27 calculating effective rights 304
printing server status 79 changing cluster name 92
refreshing the list of servers 79 clustering 86
starting, stopping, and restarting servers 75 installing new cluster member 88
working with 26 requirements 86
CCM, for UNIX 592 configuring 97, 98, 131
ccm.sh 28, 592 NAT 171
Help option 28 SOCKS 180
running 28 database 52
Central Configuration Manager. See CCM default port 131
Central Management Console. See CMC metrics 73, 74
Central Management Server. See CMS session variables 210
certificate files 137 and authentication 195, 196
characters, setting CMC preferences 24 tracking 211
client side viewers 59 stopping 77
client tier 46 unable to connect 520

612 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Index

when enabling and disabling other servers 77 connections. See universe connections
CMS auditable actions 537 connectivities
CMS database recreating in XI R2 372
changing password 98 consultants, Business Objects 606
configuring 93 content, folders 332
copying 93 converting
deleting 97 .rep files to .wid 375
migrating 93 .rep files to .wqy 375
recreating 97 cookies
selecting 98 and session tracking 210
command line arguments 357 logon tokens 209
specifying for program objects 451 copying/moving folders 334, 342
command-line options, SSL 137 corporate documents
communication storage after import 375
between browser and WCA 195 creating
between BusinessObjects Enterprise servers categories 341
166 folder administrators 319
components, security management 199 folders 332
configuration, common scenarios 149 server groups 142
configuring server subgroups 144
auditing database 531 subfolders 333, 341
auditing database on UNIX 532 creating custom audit reports 554
auditing database on windows 532 Crystal reports
Cache Server 101 choosing a format 487
CMS clusters 86, 92 job server for scheduling 432
CMS database 93, 97, 98 troubleshooting reports 521
Event Server 104 Crystal Reports Cache Server. See Cache Server
executable programs 453 Crystal Reports Page Server. See Page Server
File Repository Servers 100 Crystal Reports sample audit reports 540
firewalls 170 Crystal Repository. See BusinessObjects
intelligence tier 85 Enterprise Repository
Job Server 112, 112, 116, 123 CSV format 411
object packages 460 CUIDs 377
Page Server 105, 108, 123 custom audit report creation 554
processing tier 104 custom events 504, 508
server settings 70 custom web applications, enhancing 155
servers 70 customer support 605
universe connection 539 customizing
connecting to remote Windows machines 27 inheritance model 307
Connection folder, access to 218 object rights 298
Connection Server your configuration 148
metrics 73
connections D
BOUSER/BOPASS variables 383
data
stored procedures 385
choosing live/saved 66

BusinessObjects Enterprise XI Release 2 Administrator’s Guide613


Index

live 66 denied rights 307


saved 67 dependencies of servers on Windows 135
data sharing 70 derived universe 383
on Cache Server 101 Designer
on Page Server 105, 108 5/6 and XI R2 compatibility 383
on RAS 109 and access restrictions in XI R2 384
data sources firewall settings 170
creating on destination server machines 370 Desktop Intelligence 58
on UNIX 124 firewall settings 170
on Windows 123 metrics 73
data tier 59 destination environment, and importing 186, 394
databases destination environments 388
changing settings 434 Destination Job Server
configuring servers for 123 destinations
copying CMS data 93 configuring 117
initializing the CMS 97 enabling or disabling 116
modifying RAS interactions 109 enabling Inbox destination 116
selecting for the CMS 98 metrics 73
single sign-on access 199 performance settings 112
supported in XI R2 372 Destination Job Server auditable actions 536
synchronizing enterprise and database destinations 480
credentials 384 available, by object type 423
troubleshooting logon 523 default settings 481
using the DBUSER/DBPASS variables 384 email 484
default groups 217 for job servers
default settings configuring 117
authentication 202 enabling or disabling 116
Enterprise accounts 202 FTP 483
groups 216 sending to 422
modifying security 30 troubleshooting 528
NT account 203 unmanaged disk 481
ports 131 directories, publishing 346
security plug-in 202 directory servers
users 216 about LDAP 205
default timeout 82 security plug-in 204
default users 217 disabling
delegated administration. See administration aliases 265
deleting destinations for job servers 116
aliases 265 Guest account 29
CMS database 97 inheritance 303
folders 334, 341 program objects 456
report objects 421 servers 77
servers 160 discussion thread
universe connections 31 cancelling search 36
universes 30 searching 36

614 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Index

sorting search results 37 troubleshooting 518


Discussions Event Log 130, 135
access rights to objects 38 Event Server 53
accessing 35 auditable actions 537
DLL. See dynamic-link libraries configuring 104
document passwords 376 metrics 72
documentation polling time 104
additional 519 Event Server auditable actions 536
feedback on 605 events 366, 504
on product CD 604 access to 509
on the web 604 custom 508
roadmap 604 file-based 505
documents notification 475
importing without locales 378 polling time 104
Domain Key file 388 schedule-based 506
domains scheduling 471
importing 386 Everyone group 218
importing universe domains 383 executable programs 449
DSNs on UNIX 126 configuring 453
dynamic-link libraries as processing extensions expanding the system 148
207 Explicitly Denied column 299
Explicitly Granted column 299
E exporting objects 371
extensions, processing 207
Edit SQL right 377
education. See training
effective rights, calculating 304 F
email destination 484 failure, notification 474
setting defaults 119 Favorites folder 374
email notification 475 Favorites folders 340
enabling feedback, on documentation 605
destinations for a job server 116 file events 504, 505
inheritance 303 File Repository Servers 54
program objects 456 maximum idle times 100
servers 77 metrics 72
enabling auditing 537 Properties page 100
encoding logon tokens 209 root directories 100
end-to-end single sign-on 199 filters for report objects 438
Enterprise authentication 218 firewall rules
environment variables specifying for NAT 175
ODBC 126 specifying for packet filtering 178
specifying for program objects 454 firewall types 163
env.sh 600 NAT 164
ePortfolio. See InfoView packet filtering 164
errors SOCKS 165
Page Server 527 firewall, desktop product 170

BusinessObjects Enterprise XI Release 2 Administrator’s Guide615


Index

firewalls 162, 212 Full Control access level 297


configuration scenarios 168
configuring 170 G
NAT 171
General Supervisor login 390
packet filtering 176
granted rights 307
SOCKS 179
group inheritance 302
thick client 176
group rights 293
with application tier 171
grouping servers 142
with WCA 181
groups
forcing servers to register by name 133
access to 327
integration with BusinessObjects Enterprise
creating 225
166
for tutorials 308
server communications, and 166
default 217
folder administrators, creating 319
deleting 228
folders 332
importing 403
access to 337, 343
modifying 227
adding a report 336, 343
object rights
changing top-level rights 312
access levels 296
copying/moving 334, 342
advanced rights 298
creating 332
inheritance 302
default user folders 340, 344
of servers 142
delegated administration 319
setting
deleting 334, 341
instance limits on folders 339
Favorites folder 340, 344
object rights 293
inheritance 302
viewing members 228
moving 334, 342
Guest account 217
object rights 293
disabling 29, 229
access levels 296
advanced settings 298
inheritance 302 H
setting access levels 296 help, documentation resources 519
viewing 295 hosts file, configuring for NAT firewall 174
when copying/moving 334, 342 HTTP 195, 210
rights 337, 343 hyperlinks between reports 446
setting instance limits 339
specifying rights 337, 343 I
Universe 383
idle times
format
Cache Server 101
choosing for Crystal reports 487
File Repository Servers 100
choosing for Web Intelligence documents 487,
Page Server 105, 108
487
Import Groups Option dialog box 403, 403
FRS
Import Progress dialog box 410
connection storage 382
Import Universe and Connection Objects Options
FTP destination 483
dialog box 399, 409
setting defaults 120
Import Wizard 48, 362

616 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Index

and third-party documents 378 mapping Import Wizard to 370


how it imports Application Foundation 362, storage after import 374
367 index, setting CMC preferences 24
how it imports domains 386 information flow, between servers 60
how it imports universe connections 383 information resources 604
mapping to Inbox and personal files 370 InfoView 46
migrating Application Foundation 368 accessing 23
selecting information 187, 395 categories 344
specifying source 388 considerations 527
specifying source and destination 186, 388, controlling access to 325
394 folders 340
importing Java version 38, 80
categories 395, 405 managing 38
database credentials 411 scheduling 464
domains 386 troubleshooting 527
folders from Crystal Enterprise 365 inheritance 301
from BusinessObjects Enterprise 6.x 367 and advanced rights 299, 304
from Crystal Enterprise 363 base rights and available rights 301
groups 411 enabling and disabling 303
Import Wizard 362 priorities affecting 307
instances from Crystal Enterprise 365 tutorials 307
mapping Import Wizard to Inbox and personal Inherited column 299
documents 370 initializing CMS database 97
named events 395 initlaunch.sh 601
profiles 411 Input File Repository Server 54
rights 366 maximum idle time 100
selecting information 187, 395 metrics 72
specifying source and destination 186, 388, root directory 100
388, 394 instances
text files 411 deleting 493
users and groups 403 managing 490, 491
users with aliases 365 notification 475
users with LDAP authentication 365 object packages 458
importing groups from Crystal Enterprise 364 pausing 492
importing object rights from Crystal Enterprise 366 program objects 449
importing users 386 report objects 427
importing users, from BusinessObjects Enterprise resuming 492
6.x 386 sending 422
importing, Application Foundation 389 setting limits at the folder level 339
importing, BusinessObjects 5.x source intelligence tier 51
environment 388 configuring 85
importing, BusinessObjects 6.x source Interactive Editing right 377
environment 389 Internet Information Services (IIS), default web
Inbox documents site 519
importing 399

BusinessObjects Enterprise XI Release 2 Administrator’s Guide617


Index

J mapping 237
Java CMC timeout 82 troubleshooting 243, 243
Java InfoView timeout 83 unmapping 240
Java platform 50 viewing mapped groups 241
Java programs 449 LDAP hosts
authentication 457 configuring 230
configuring 455 managing multiple 242
providing access to other files 455 LDAP security plug-in 204
setting parameters 455 LDAP single sign-on, configuring 234
Java SDK 50 Least Accessed Documents 550
Job Server license keys
configuring 123 adding 41
on UNIX 124 and CMS database migration 90
destinations reinitializing the CMS database 97
configuring 117 viewing account activity 41
enabling or disabling 116 licensing, accessing information 40
metrics 73 Lightweight Directory Access Protocol. See LDAP
performance settings 113 limits, setting at the folder level 339
Job Servers 56, 56 List of Values Job Server
job servers auditable actions 537
configuring destinations 117 description 57
performance settings 112 destinations
Job Servers auditable actions 537 configuring 117
enabling or disabling 116
metrics 73
K performance settings 112
Kerberos configuration 271 live data 66
Kerberos single sign-on 199, 266, 266 load balancing
key files 137 and distributed security 209
CMS clustering 86
L Local System account 123
LDAP 205 locale
about 205 and .wqy files 378
and SSL 205 importing documents without locales 378
LDAP accounts 205 migration of universe 382
managing 229 log on
modifying processing server accounts 123
connection parameters 241 protection against malicious attempts 213
member groups 241 to the CMC 23
troubleshooting 242, 242 with token 196
LDAP authentication 219 logging
configuring 230 server activity 130
configuring mapping options 235 web activity 213
LDAP authentication plug-in 204 logon tokens 209
LDAP groups and authentication 195

618 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Index

and authorization 196 multihomed machines 134


and distributed security 209 My Password, setting CMC preferences 24
and secondary authentication 196
and session tracking 210 N
logon.csp 195
named events 395
LOVs
nameserver, role of CMS 131
access from XI R2 369
NAT. See Network Address Translation
native drivers 123
M on UNIX 124
malicious logon attempts, protection against 213 navigation between reports 446
management areas, defined 24 Net Access column 295
mapped drives 526 Network Address Translation
mapped groups application tier, and 171
aliases, managing 261 configuring 171
viewing CMS (Unix) 172
Windows AD 247 CMS (Windows) 172
Windows NT 257 server hosts file 174
mapped users, managing aliases 261 servers behind firewall 173
mapped Windows AD groups, viewing 247 definition 164
mapped Windows AD users, viewing 247 specifying firewall rules 175
mapping thick client, and 176
Windows AD accounts and groups 244 No Access level 297
Windows NT accounts 251 Not Specified rights, and access levels 296
menu styles, setting CMC preferences 24 notification 475
metrics alerts 477
viewing 71 audit 475
account activity 41 email 475
migrating event 475
Application Foundation 362, 367 for a scheduled object 474
BusinessObjects documents 375 NT authentication and UNIX 202
CMS database 93 NT authentication plug-in 202
connections 383 NT LM Security Support Provider 135
domains 386 NT single sign-on and Windows NT security plug-
from Crystal Enterprise 363 in 203
selecting information 187, 395 number of logons, logon tokens 209
specifying source and destination 186, 388, number of minutes, logon tokens 209
388, 394 Number of User Sessions 551
third-party documents 378 Number of Users in the System 551
migration
handling locales 378 O
modify InfoView timeout 83
object IDs 385
Most Accessed Documents 550
object packages
Most Active Users 550
adding objects to 459
Most Popular Actions 550
authentication 461
Most Popular Actions per Document 551

BusinessObjects Enterprise XI Release 2 Administrator’s Guide619


Index

configuring 460 objects displayed, setting maximum 32


creating 349, 458 objects per page, setting maximum 24
managing 457 objects, importing
moving 350 from Crystal Enterprise 365
publishing objects to 357 ODBC
scheduling 469 CMS database 88
object rights 293 connectivity 91
access levels 296 drivers 123
advanced setting 298 environment variables 126
base and available 301 processing server accounts 123
calculating effective 304 reporting on UNIX 125
inheritance 301, 302, 304 system information file 126
setting 296 .odbc.ini 126
specifying for a folder 337, 343 one-machine setup 149
tutorials 307 Online Customer Support 605
decreasing rights 311 optimizing system 542
increasing rights 322 Optimizing system performance 542
viewing 295 options 347
when copying/moving folders 334, 342 publishing 347
object scheduling, recurrence pattern 467 orphan documents
objects 346 defined 375
adding to an object package 459 Output File Repository Server 54
Advanced Rights page 298 maximum idle time 100
and access levels 296 metrics 72
assigning to a category 426 root directory 100
copying 419
creating a shortcut 419 P
enabling and disabling inheritance 303
packet filtering 164
exporting 371
configuring for 176
managing 418, 419
packets, firewalls and 162
moving 419
page index, setting CMC preferences 24
properties, changing 424
page layout, specifying 441
publishing 346
Page Server 58
multiple 346
configuring for data source 123
options 347
configuring on UNIX 124
with CMC 357
for viewing and modifying 431
refreshing from BusinessObjects Enterprise
metrics 73
Repository 192
performance settings 105, 108
restrictions 384
Properties page 105, 108
Rights tab 295
viewing with 63
saving to CMS 359
pages, setting CMC preferences 24
scheduling 464
parameters for Java programs 455
searching for 421
Password Modifications 551
sending 422
passwords
viewing rights 295

620 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Index

changing 223 postinstall.sh 601


for CMS database 98 predefined access levels 296
restrictions 213 preferences, setting in the CMC 24
setting primary authentication 195
for Administrator account 29 printer, specifying 440
for current CMC user 24 printing
using the DBUSER/DBPASS variables 384 setting printer options 440
patchlevel.sh 601 setting the default printer 440
pausing an instance 492 processing extensions 207
Peak Usage 552 applying to reports 442
performance 148, 542 registering 443
Cache Server settings 101 selecting 444
CMS clusters 86 sharing 446
common scenarios 149 processing servers, configuring 124
general considerations 152, 152 processing threads
load balancing 209 Cache Server 101
of jobs per server 112 Page Server 105, 108
Page Server settings 105, 108 processing tier 55
RAS settings 111 configuring 104
Windows NT Challenge/Response profiles 512
authentication 203, 207 access to 515
performance improvement, delegating XSL and security 512
transformation 155 conflicts 515
performance while auditing 542 creating 512
permissions 293 program credentials specifying 354
personal categories 344 Program Job Server 537
Personal Categories folder 386 destinations
personal documents configuring 117
importing 399 enabling or disabling 116
mapping Import Wizard to 370 metrics 73
storage after import 374 Program Job Server auditable actions 537
Platform COM SDK 376 program objects 449
platforms accessing other files 356
Java 50 authentication 456
updating 372 batch 353
Windows .NET 50 binary 353
plug-ins, security 201 command line arguments 357
polling time, setting for Event Server 104 configuring 453
Populate Database Credentials for Users dialog disabling 456
box 404 enabling 456
port numbers, changing 131 environment variables, specifying 454
ports Java 353
definition 163 configuring 455
firewalls, and 163 providing access to other files 455
opening on firewall 172 setting parameters 455

BusinessObjects Enterprise XI Release 2 Administrator’s Guide621


Index

processing options, setting 451 for viewing and modifying 431


properties, changing 424 metrics 73
providing executables with access to other performance settings 111
files 453 Properties page 111
script 353 .rea files
working directory, specifying 452 access from XI R2 369
programs. See program objects reassigning an alias 264
Properties tab for job servers 112 recurrence patterns, object scheduling 467
Public folder 375 recurring dates 497
publishing Refresh and Edit Activity 552
and object rights 314 refreshing
folders 332 cache files 101
object packages 357 reports 428
options 347 repository objects 192
reports and objects 346 registry keys 235
with CMC 357 Remote Procedure Call 135
with Publishing Wizard 346, 346 remote resources, troubleshooting 526
Publishing Wizard remote servers
adding CCM for UNIX 28
folders 348 CCM for Windows 27
objects 348 CMC 23
creating 351 .rep files
category on CMS 351 migrating 375
folder on CMS 349 Report Application Server 58
database logon 355 auditable actions 534
duplicating folder structure 351 viewing with 64
modifying 354 report instances
default values 354 description 428
object properties 354 managing 427, 491
moving reports between folders 350 history 491
repository refresh 352 setting limits 493
scheduling objects 352 viewing 492
selecting Report Job Server 537
category on CMS 351 auditable actions 537
folder on CMS 349 Report Job Server, performance settings 112
setting parameters 356 report objects
applying processing extensions 442
Q assigning to a category 426
database settings, specifying 434
.qry files 526
deleting 421
Query HTML panel, access rights 39
destination 480
filters, specifying 438
R managing 427
RAS page layout, specifying 441
database settings 109 parameters, specifying 436

622 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Index

properties, changing 424 password 213


refreshing against BusinessObjects Enterprise user 214
Repository 192 resuming instance 492
searching for 421 .ret files
setting and migration 375
instance limits 493 rights 293
rights 293 administration 326
specifying Job Servers for 431 Advanced 297
specifying servers for viewing and modifying available 301
431 base 301
report thumbnails, adding with reports 336, 343 calendars 502
Report Viewers 59 CMC 325
report_view_advanced.aspx 62 events 509
report_view_dhtml.aspx 62 folders 337, 343
reports Full Control 297
adding to a folder individually 336, 343 groups 327
audit 540, 554 importing from BusinessObject 5.x or 6.x 370
custom 554 InfoView 325
sample 540 migration of BusinessObjects document
configuring servers for data sources 123 rights 376
hyperlinking 446 No Access 297
managing 427 profiles 515
modifying RAS SQL options 109 Schedule 297
refresh options 428 server groups 328
scheduling 61 servers 328
scheduling with events 471, 471 setting object rights 293
troubleshooting 521, 523 specifying for a folder 337, 343
viewing 62 tutorials 307
viewing options 430 users 327
reports, importing View 297
from Crystal Enterprise 365 View On Demand 297
repositories 370 Rights Modification 552
exporting locally-stored objects 371 rights. See also object rights
Repository Migration Wizard 188, 190 Rights tab 295
repository. See BusinessObjects Enterprise rights, importing
Repository from Crystal Enterprise 366
required steps to audit actions 530 rights, importing from Crystal Enterprise 366
requirements, clustering 86 root directories, File Repository Servers 100
resources 604 root folders, modifying security 30
restarting servers 75 row restrictions 384
restart.sh 600 row-level security, processing extensions 207
restrictions run dates 497
access from the top level 323 run options, object scheduling 467
guest account 214
logon 214

BusinessObjects Enterprise XI Release 2 Administrator’s Guide623


Index

S environment protection 212


sample audit reports 540 firewalls 212
saved data 67 Guest account restrictions 214
scalability 148 initial settings 28
common scenarios 149 logon restrictions 214, 214
general considerations 152 modifying default levels 30
scaling the system 147 object rights 293
Schedule access level 297 inheritance 301
schedule events 504, 506 tutorials 307
Schedule page 466 open model 311
setting for an object 474 password restrictions 213, 213
scheduled documents, migration 380 plug-ins 201
scheduled instance, description 427 predefined access levels 296
scheduling processing extensions 207
an object 474 protection against malicious logon attempts
events 471 213
increasing capacity 153 restrictions 214
information flow 61 session tracking 210
notification 474 synchronizing enterprise and database
object packages 469 credentials 384
objects 464 user restrictions 214
in batches 469 web browser to web server 212
recurrence patterns 467 web servers 212
run options 467 security commands
specifying server for 431 and WebIntelligence document migration 377
scheduling, importing from Crystal Enterprise 365 migration of universe-related 382
script programs 449 security plug-ins 201
searches, setting CMC preferences 32 Enterprise authentication 202
searching LDAP authentication 204
discussion threads 36 Windows AD authentication 206
for objects 421 Windows NT authentication 202
secEnterprise.dll 202 secWindows.dll 202
secLDAP.dll 204 selecting CMS database 98
secondary authentication 196 selecting for import
Secure Sockets Layer 137 categories 405
Secure Sockets Layer (SSL) 205, 212 sending
and LDAP 205 objects or instances 422
and load balancing 209 to inboxes, default configuration 116
configuring for LDAP 232 server dependencies, changing 135
security 194 server groups 142
active trust relationship 208 access to 328
auditing web activity 213 creating 142
closed model 322 subgroups 144
components 199 server groups, importing from Crystal Enterprise
distributed 209 366

624 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Index

serverconfig.sh 596 viewing active 73, 73


servers 44, 51, 55, 70 settings
access to 328 access levels 296
accessing the CCM 26 advanced object rights 298
activity, logging 130 CMC Access URL 32
adding 158 InfoView 38
application tier 48 initial security levels 28
changing Query size threshold 32
status 74 report refresh 428
user account on Windows 136 report viewing 430
changing startup type 136 viewing account activity 41
communication 166 setup.sh 601
application tier and CMS 167 shared libraries, as processing extensions 207
CMS directory listing 166 silentinstall.sh 599
configuring 70 single sign-on
default 431 anonymous 198
default settings 70 disabling Guest account 29
deleting 160 authentication
dependencies, adding or removing 135 Enterprise 202
disabling 77 LDAP 205
enabling 77 NT 203
for viewing and modifying reports 431 Windows AD 207
grouping 142 end-to-end 199
information flow 60, 60 with Kerberos 266, 266
intelligence tier 51 setting up
logging activity 130 Kerberos 266, 266
managing 69 LDAP 234
metrics, viewing 71 SiteMinder 234
modifying group membership 145 Windows AD 249
processing tier 55 Windows NT 259
refreshing list using the CCM 79 to BusinessObjects Enterprise 198
registering by name 133 to database 199
restarting 75 troubleshooting 235
starting 75 single-pass report bursting 512
status SiteMinder
changing 74 error 235
copying 79 setting up single sign-on with LDAP 234
printing 79 troubleshooting 235
stopping 75 six-machine setup 151
troubleshooting 526 SMTP destinations, setting defaults 119
user account, changing 136 SOCKS 165
session variables 210 configuring 179
and authentication 195, 196 CMS 180
sessions WCA 181
tracking 210 sockssetup.sh 597

BusinessObjects Enterprise XI Release 2 Administrator’s Guide625


Index

source environment, specifying 186, 388, 388, 394 T


SQL Server table mapping 384
importing connection objects from 5/6 383 TCP/IP, firewalls and 162
SSL 137 technical support 605
certificates 137 temporary files, configuring Page Server 105, 108
configuring servers 137, 137 text file delimiter 411
keys 137 text file format 411
SSL. See Secure Sockets Layer (SSL) text file separator 411
sslc.cnf 137 thick client, firewall configuration 169
sslc.exe 137 NAT 176
starting third-party documents
CCM for UNIX 28 importing 378
CCM for Windows 27 third-party security plug-ins 201
servers 75 three-machine setup 150
startservers 598 thumbnails, adding with reports 336, 343
startup types tickets
changing for servers 136 for distributed security 209
configuring servers 136 logon tokens 209
statistics, auditing web activity 213 tiers 44
status, viewing and changing for servers 74 application 48
steps to audit actions 530 client 46
stopping data 59
CMS 77 intelligence 51
servers 75 processing 55
stopservers 599 time zones
Stored Procedures Access right 385 setting CMC preferences 24
styles, setting CMC preferences 24 supporting multiple 527
subfolders, creating 333, 341 timeout
subgroups of servers 142 CMC modify 82
success, notification 474 Infoview modify 83
Supervisor tools
universe access restrictions 384 administration 22
synchronizing Central Configuration Manager (CCM) 26, 26
enterprise and database credentials 384 Central Management Console (CMC) 23
synchronizing audit actions 541 tools, UNIX 592
syslog 130 top-level
system actions, list of auditable 537 creating new categories 341
system architecture 44 creating new folders 333
system data, copying 93 top-level folder, modifying security 30
system database, migrating 93 Total Users Logged in by Day 552
system information file (ODBC) 126 tracking, sessions 210
system metrics, viewing 74 training, on Business Objects products 606
system security 194 transfer of trust 209
tree walk 515
troubleshooting 518

626 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Index

InfoView deployments 527 UNIX tools, overview 592


LDAP accounts 242 unmanaged disk destination 481
report viewing and processing 521 setting defaults 122
single sign-on 235 unmapping
web accessibility 519 LDAP groups 240
Windows AD accounts 248 Windows AD accounts 247
Windows NT accounts 257 Windows NT accounts 255
trust, active trust relationship 208 updating
Trusted Authentication 224 platforms and versions 372
tutorials 307 upgrading
from BusinessObjects Enterprise 6.x 367
U from Crystal Enterprise 363
Import Wizard 362
UNC paths 526
user accounts 216
uninstall 598
configuring servers 136
uninstallCE.sh 598
creating 220
universe connection configuration 539
default 217
universe connections
deleting 222
deleting 31
managing 216
managing 31
modifying 222
universe connections see connections
user actions, list of auditable 534
Universe Designer Users group 218
User Activity 552
Universe Designer, access to 218
User Activity per Session 553
universes
user aliases
access to 329
assigning to 263
checking integrity of those used by Application
creating
Foundation objects 369
for existing user 263
deleting 30
for new user 262
exclusive overloads 385
deleting 265
importing associated universes 383
disabling 265
managing 30
reassigning 264
modes of import 382
user databases, NT4 and Windows 2000 Active
overload aggregation 385
Directory 202
overload collapsing 385
user folders 340
short name 383
user groups, default 217
the BOUSER/BOPASS variables 384
user rights 38, 293
using the DBUSER/DBPASS variables 384
users
UNIX
access to 327
and NT authentication 202
delegated administrators 319
application server 49
importing 403
Central Configuration Manager 28
object rights
importing Inbox and personal documents 371,
access levels 296
371
advanced rights 298
installation 50
effective rights 304
syslog 130
inheritance 303
WCA 50

BusinessObjects Enterprise XI Release 2 Administrator’s Guide627


Index

setting WCA 49
instance limits on folders 339 and authentication 195
object rights 293 and authorization 196
viewing active sessions 73 and logon tokens 200
Users Who Logged Off Incorrectly 553 and security 200
users with AD authentication, importing from auditing web activity 213
Crystal Enterprise 365 configuring for SOCKS 181
users, importing description 49
from Crystal Enterprise 364 WCA session variables 210
primary authentication 195
V secondary authentication 196
tracking 211
VBA macros
web
migration 369
customer support 605
version 5/6
getting documentation via 604
Inbox and personal storage 370
useful addresses 606
version XI R2
Web application environments 51
access restrictions 384
Web Component Adapter. See WCA
supported connectivities 372
web desktop. See InfoView
View access level 297
Web Intelligence
View On Demand access level 297
Allow user to merge dimension for
viewers
synchronization right 377
and InfoView 62
application rights 39
client-side 59
Edit SQL right 377
setting CMC preferences 24
Interactive Editing right 377
zero client 59
Query HTML access rights 39
viewing
Web Intelligence documents
active users 73
See also report objects
advanced object rights 299
assigning to a category 426
BusinessObjects Enterprise architecture 62
choosing a format 487, 487
CMS cluster details 74
delegating XSL transformation 155
current account activity 41
properties, changing 424
current metrics 71
scheduling 464
information flow 62
searching for 421
licensing information 40
selecting cache format 489
object rights 295
server for scheduling 432
server metrics 71
Web Intelligence Job Server
system metrics 74
auditable actions 537
with the Cache Server 63
destinations
with the Page Server 63
enabling or disabling 116
with the Report Application Server 64
metrics 73
viewrpt.aspx 63
performance settings 112
Web Intelligence Report Server
W auditable actions 534, 535
walk and merge 515 metrics 73

628 BusinessObjects Enterprise XI Release 2 Administrator’s Guide


Index

performance settings 113 Windows AD, viewing mapped groups and users
Web Intelligence sample audit reports 540 247
web response speeds, improving 156 Windows .NET platform 50
web servers 51 Windows NT accounts
improving response speeds 156 adding to mapped groups 258
securing 212 creating 257
web sites disabling 259
support 605 managing 251
training 606 mapping 251
WebConnect documents in CMC 253
access from XI R2 369 in Windows 2000 252
WebIntelligence in Windows NT 252
migrating orphan documents 375 troubleshooting 257
WebIntelligence documents unmapping 255
migration limitations 377 Windows NT authentication 219
rights migration 377 Windows NT Challenge/Response authentication
.wid files 203, 207, 212
migrating orphan documents 375 Windows NT groups
Windows creating 258
Central Configuration Manager 27 mapping 251
Event Log 130 unmapping 255, 255
Local System account 123 viewing 257
server dependencies 135 Windows NT security plug-in 202
Windows 2000 Active Directory 202 and UNIX 202
Windows 2000, unmapping accounts in 256 Windows NT single sign-on, setting up 259
Windows AD accounts Windows NT users, viewing 257
See also Windows AD users .wqy files
adding to mapped groups 248 and locale 378
creating 248
mapping 244 X
troubleshooting 248
XSL transformation for Web Intelligence
unmapping 247
documents 155
Windows AD authentication 219
Windows AD groups
mapped, viewing 247 Z
mapping 244 zero client viewers 59
unmapping 247
Windows AD security plug-in 206
Windows AD single sign-on 249
end-to-end 266, 266
to BusinessObjects Enterprise 249
Windows AD users
See also Windows AD accounts
viewing 247

BusinessObjects Enterprise XI Release 2 Administrator’s Guide629


Index

630 BusinessObjects Enterprise XI Release 2 Administrator’s Guide

Você também pode gostar