Escolar Documentos
Profissional Documentos
Cultura Documentos
2 Administrator’s Guide
Trademarks Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are
trademarks or registered trademarks of Business Objects SA or its affiliated companies in the
United States and other countries. All other names mentioned herein may be trademarks of
their respective owners.
Third-party Business Objects products in this release may contain redistributions of software licensed
contributors from third-party contributors. Some of these individual components may also be available
under alternative licenses. A partial listing of third-party contributors that have requested or
permitted acknowledgments, as well as required notices, can be found at:
http://www.businessobjects.com/thirdparty
Contents
Chapter 1 Introduction to the BusinessObjects Enterprise XI Release 2
Administrator’s Guide 19
About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Who should use this guide? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Business Objects information resources . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Managing InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Managing Web Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Managing license information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Adding a license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Viewing current account activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
postinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
setup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
setupinit.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Index 609
chapter
1 Introduction to the BusinessObjects Enterprise XI Release 2 Administrator’s Guide
About this guide
chapter
2 Administering BusinessObjects Enterprise
Administration overview
Administration overview
The regular administrative tasks associated with BusinessObjects Enterprise
can be roughly divided into three major categories: user management,
content management, and server management. The remainder of this guide
provides technical and procedural information corresponding to each of these
management categories. This chapter briefly introduces new
BusinessObjects Enterprise administrators to some of the available
management tools. It also shows you how to make initial security settings,
such as setting the password for the system’s default Administrator account.
You will typically use the following applications to manage BusinessObjects
Enterprise:
• Central Management Console (CMC)
This web application is the most powerful administrative tool provided for
managing a BusinessObjects Enterprise system. It offers you a single
interface through which you can perform almost every task related to
user management, content management, and server management.
For an introduction to the CMC, see “Central Management Console” on
page 23.
• Central Configuration Manager (CCM)
This server administration tool is provided in two forms. In a Windows
environment, the CCM allows you to manage local and remote servers
through its Graphical User Interface (GUI) or from a command line. In a
UNIX environment, the CCM shell script (ccm.sh) allows you to manage
servers from a command line.
For an introduction to the CCM, see “Using the Central Configuration
Manager” on page 26.
• Publishing Wizard
This application allows you to publish your reporting content to
BusinessObjects Enterprise quickly. It also allows you to specify a
number of options on each report that you publish. Although this
application runs only on Windows, you can use it to publish reports to
BusinessObjects Enterprise servers that are running on Windows or on
UNIX.
For more information on publishing content to BusinessObjects
Enterprise, see “Overview” on page 346.
Managing universes
Web Intelligence users connect to a universe, and run queries against a
database. They can perform data analysis and create reports using the
objects in a universe, without seeing, or having to know anything about, the
underlying data structures in the database. You create a universe by using the
Designer. For complete information, see the Designer’s Guide.
Using CMC, you can view and delete universes. You can also control who has
access rights to a universe. See “Controlling access to universes” on
page 329.
To view a universe
1. Go to the Universes management area of the CMC.
The Universes page appears.
3. In the Prompt for search if the return size exceeds field, type the
maximum number of objects you want to be returned in searches and on
the initial pages of the Objects, Folders, Groups, and Users management
areas.
4. In the CMC Access URL field, type the URL for the CMC.
Specifying the URL here allows Crystal Reports to get this URL from the
CMS in order to call pages in the CMC. It needs to call these pages in
order to support the previewing of reports and to enable administration
tasks to be performed from Crystal Reports.
5. Click Update.
Note: To modify the number of objects displayed on a page (rather than the
total number of objects displayed), see “Setting console preferences” on
page 24.
Managing Designer
You can grant access to the Designer application by setting the rights through
the Central Management Console.
To manage settings for Designer
1. Go to the BusinessObjects Enterprise Applications management area
of the CMC.
2. Click Designer.
3. Click the Rights tab, then assign the appropriate rights to each group or
user.
4. Click Apply.
Managing Discussions
BusinessObjects Enterprise administrators are responsible for maintaining
the discussion threads and for granting the appropriate access rights to
BusinessObjects Enterprise users.
Managing Discussions includes the following tasks:
• “Accessing the Discussions page” on page 35
• “Searching for discussion threads” on page 36
• “Sorting search results” on page 37
• “Deleting discussion threads” on page 38
• “Setting user rights” on page 38
Managing InfoView
In the BusinessObjects Enterprise Applications area of the Central
Management Console, the Properties tab for the InfoView allows you to
change several display options.
You can also control user and administrator access by changing the rights
associated with each user and group on the Rights tab.
To change display settings for InfoView
1. Go to the BusinessObjects Enterprise Applications management area
of the CMC.
2. Click InfoView.
3. On the Properties tab, select the options that you want.
• Header and style: You can change the colors of the header and the
logo displayed in the header. If you have a cascading style sheet for
your intranet, you can specify it here to format InfoView with the
same styles.
chapter
3 BusinessObjects Enterprise Architecture
Architecture overview and diagram
The remainder of this chapter describes each tier, the key BusinessObjects
Enterprise components, and their primary responsibilities:
• “Client tier” on page 46
• “Application tier” on page 48
• “Processing tier” on page 55
• “Data tier” on page 59
Tip: When you are familiar with the architecture and want to customize your
system configuration, see Chapter 4: Managing and Configuring Servers and
Chapter 6: Scaling Your Systemthe BusinessObjects Enterprise
Administrator’s Guide.
Note: BusinessObjects Enterprise supports reports created in versions 6
through XI of Crystal Reports. Once published to BusinessObjects Enterprise,
reports are saved, processed, and displayed in version XI format.
Client tier
The client tier is the only part of the BusinessObjects Enterprise system that
administrators and end users interact with directly. This tier is made up of the
applications that enable people to administer, publish, and view reports and
other objects.
InfoView
BusinessObjects Enterprise comes with InfoView, a web-based interface that
end users access to view, schedule, and keep track of published reports.
Each BusinessObjects Enterprise request that a user makes is directed to the
BusinessObjects Enterprise application tier. The web server forwards the
user request directly to an application server where the request is processed
by the WCA.
InfoView also serves as a demonstration of the ways in which you can use the
BusinessObjects Enterprise Software Development Kit (SDK) to create a
custom web application for end users. In the case of .NET, InfoView also
Publishing Wizard
The Publishing Wizard is a locally installed Windows application that enables
both administrators and end users to add reports to BusinessObjects
Enterprise. By assigning object rights to BusinessObjects Enterprise folders,
you control who can publish reports and where they can publish them to. For
more information, see “Overview” on page 346 and “Controlling users’ access
to objects” on page 293the BusinessObjects Enterprise Administrator’s
Guide.
The Publishing Wizard publishes reports from a Windows machine to
BusinessObjects Enterprise servers running on Windows or on UNIX.
Import Wizard
The Import Wizard is a locally installed Windows application that guides
administrators through the process of importing users, groups, reports, and
folders from an existing BusinessObjects Enterprise, Crystal Enterprise, or
Crystal Info implementation to BusinessObjects Enterprise. For more
information, see “Using the Import Wizard” on page 387the BusinessObjects
Enterprise Administrator’s Guide.
The Import Wizard runs on Windows, but you can use it to import information
into a new BusinessObjects Enterprise system running on Windows or on
UNIX.
Application tier
The application tier hosts the server-side components that process requests
from the client tier as well as the components that communicate these requests
to the appropriate server in the intelligence tier. The application tier includes
support for report viewing and logic to understand and direct web requests to
the appropriate BusinessObjects Enterprise server in the intelligence tier.
The application tier includes:
• “Application tier components” on page 48
• “Web development platforms” on page 50
• “Web application environments” on page 51
Java platform
All UNIX installations of BusinessObjects Enterprise include a Web
Component Adapter (WCA). In this configuration, a Java application server is
required to host the WCA and the BusinessObjects Enterprise Java SDK. The
use of a web server is optional as you may choose to have static content
hosted by the application server.
Intelligence tier
The intelligence tier manages the BusinessObjects Enterprise system. It
maintains all of the security information, sends requests to the appropriate
servers, manages audit information, and stores report instances.
Event Server
The Event Server manages file-based events. When you set up a file-based
event within BusinessObjects Enterprise, the Event Server monitors the
directory that you specified. When the appropriate file appears in the
monitored directory, the Event Server triggers your file-based event: that is,
the Event Server notifies the CMS that the file-based event has occurred. The
CMS then starts any jobs that are dependent upon your file-based event.
After notifying the CMS of the event, the Event Server resets itself and again
monitors the directory for the appropriate file. When the file is newly created in
the monitored directory, the Event Server again triggers your file-based event.
Note: Schedule-based events, and custom events are managed by the
Central Management Server.
Cache Server
The Cache Server is responsible for handling all report viewing requests. The
Cache Server checks whether or not it can fulfill the request with a cached
report page. If the Cache Server finds a cached page that displays exactly the
required data, with data that has been refreshed from the database within the
interval that you have specified as the default, the Cache Server returns that
cached report page.
If the Cache Server cannot fulfil the request with a cached report page, it
passes the request along to the Page Server. The Page Server runs the
report and returns the results to the Cache Server. The Cache Server then
Processing tier
The processing tier accesses the data and generates the reports. It is the only
tier that interacts directly with the databases that contain the report data.
Job servers
A Job Server processes scheduled actions on objects at the request of the
CMS. When you add a Job Server to the BusinessObjects Enterprise system,
you can configure the Job Server to:
• Process report objects
• Process program objects
Page Server
The Page Server is primarily responsible for responding to page requests by
processing reports and generating Encapsulated Page Format (EPF) pages.
The EPF pages contain formatting information that defines the layout of the
report. The Page Server retrieves data for the report from an instance or
directly from the database (depending on the user’s request and the rights he
or she has to the report object). When retrieving data from the database, the
Page Server automatically disconnects from the database after it fulfills its
initial request and reconnects if necessary to retrieve additional data. (This
behavior conserves database licenses.)
Data tier
The data tier is made up of the databases that contain the data used in the
reports. BusinessObjects Enterprise supports a wide range of corporate
databases.
See the Platforms.txt file included with your product distribution for a
complete list of tested database software and version requirements.
Report viewers
BusinessObjects Enterprise includes report viewers that support different
platforms and different browsers in the client tier, and which have different
report viewing functionality. (For more information on the specific functionality
or platform support provided by each report viewer, see the BusinessObjects
Enterprise User’s Guide or the Crystal Reports Developer’s Guide.)
All of the viewers fall into two categories:
• client-side viewers
Client-side viewers are downloaded and installed in the users’ web
browser.
• zero client viewers
The code to support zero client viewers resides in the application tier.
Information flow
This section describes the interaction of the server components in order to
demonstrate how report-processing is performed. This section covers two
different scenarios:
• “What happens when you schedule an object?” on page 61
• “What happens when you view a report?” on page 62
Note:
• The Cache Server and the Page Server do not participate in scheduling
reports or in creating instances of scheduled reports. This can be an
important consideration when deciding how to configure BusinessObjects
Enterprise, especially in large installations. See “Scaling Your System” on
page 147the section on scaling your system in the BusinessObjects
Enterprise Administrator’s Guide.
• When you schedule program objects or object packages, the interaction
between servers follows the same pattern as it does for reports.
Users without schedule rights on an object will not see the schedule option in
BusinessObjects Enterprise.
g. The Cache Server sends the pages (.epf files) to the application
server.
4. The application server sends the report to the user’s Web browser in one
of two ways, depending on how the initial request was made:
• If the initial request was made through a DHTML viewer
(report_view_dhtml.aspx), the viewer SDK (residing on the
application server) is used to generate HTML that represents both
the DHTML viewer and the report itself. The HTML pages are then
returned through the web server to the user’s web browser.
• If the initial request was made through an Active X or Java viewer
(viewrpt.aspx), the application server forwards the cached pages
(.epf files) through the web server to the report viewer software in the
user’s web browser.
c. If the document is set to “refresh on open” and the user has the View
On Demand rights, the Web Intelligence Report Server refreshes the
data in the document with data from the database.
Note: If the document is set to “refresh on open” but the user does
not have View On Demand rights, an error message is displayed.
d. The Web Intelligence Report Server stores the document file and the
new document information in cache.
e. The Web Intelligence Report Server sends the document information
to the SDK.
8. The viewer script calls the SDK to get the requested page of the
document. The request is passed to the Web Intelligence Report Server.
9. If the Web Intelligence Report Server has cached content for the page, it
returns the cached XML to the SDK.
If the Web Intelligence Report Server does not have the cached content
for the page, it renders the page to XML using the current data for the
document. It then returns the XML to the SDK.
10. The SDK applies an XSLT style sheet to the XML to transform it to HTML.
11. The viewer script returns the HTML to the browser.
Live data
On-demand reporting gives users real-time access to live data, straight from
the database server. Use live data to keep users up-to-date on constantly
changing data, so they can access information that’s accurate to the second.
For instance, if the managers of a large distribution center need to keep track
of inventory shipped on a continual basis, then live reporting is the way to give
them the information they need.
Before providing live data for all your reports, however, consider whether or
not you want all of your users hitting the database server on a continual basis.
If the data isn’t rapidly or constantly changing, then all those requests to the
database do little more than increase network traffic and consume server
Saved data
To reduce the amount of network traffic and the number of hits on your
database servers, you can schedule reports to be run at specified times.
When the report has been run, users can view that report instance as
needed, without triggering additional hits on the database.
Report instances are useful for dealing with data that isn’t continually
updated. When users navigate through report instances, and drill down for
details on columns or charts, they don’t access the database server directly;
instead, they access the saved data. Consequently, reports with saved data
not only minimize data transfer over the network, but also lighten the
database server’s workload.
For example, if your sales database is updated once a day, you can run the
report on a similar schedule. Sales representatives then always have access
to current sales data, but they are not hitting the database every time they
open a report.
Tip: Users require only View access to display report instances.
chapter
4 Managing and Configuring Servers
Server management overview
This example shows the metrics for an Input File Repository Server that is
running on a machine called Crystal-E501888.crystald.net.
The Metrics tabs for the following servers include additional, server-specific
information:
Input and Output File Repository Servers
The Metrics tab of each File Repository Server lists the root directory of the
files that the server maintains, indicates the maximum idle time, and displays
the number of active files and active client connections. It also lists the total
available hard disk space, as well as the number of bytes sent and received.
Each File Repository Server also has an Active Files tab, which lists the
filename, the number of readers, and the number of writers for each active
file.
Cache Server
The Metrics tab of the Cache Server displays the maximum number of
processing threads, the maximum cache size, the minutes before an idle job
is closed, the minutes between refreshes from the database, whether or not
the database is accessed whenever a viewer’s file (object) is refreshed, the
location of the cache files, the total threads running, the number of requests
served, the number of bytes transferred, the cache hit rate, the number of
current connections, and the number of requests that are queued.
The Metrics tab also provides a table that lists the Page Servers that the
Cache server has connections to, along with the number of connections
made to each Page Server.
Event Server
The Metrics tab of the Event Server contains statistics on the files that the
server is monitoring. This tab includes a table showing the file name and the
last time the event occurred.
Action Description
Stopping a server You must stop BusinessObjects Enterprise servers
before you can modify certain properties and settings.
Starting a server If you have stopped a server to configure it, you need
to start it to effect your changes and to have the server
resume processing requests.
Restarting a server Restarting a server is a shortcut to stopping a server
completely and then starting it again. You can change
certain settings without stopping the server; however,
the changes typically do not take effect until your
restart the server.
For example, if you want to change the name of a CMS, then you must first
stop the server. Once you have made your changes, you start the server
again to effect your changes.
Tip: When you stop (or restart) a server, you terminate the server’s process,
thereby stopping the server completely. If you want to prevent a server from
receiving requests without actually stopping the server process, you can also
enable and disable servers. We recommend that you disable Job Servers and
Program Job Servers before stopping them so that they can finish processing
any jobs they have in progress before stopping. For details, see “Enabling
and disabling servers” on page 77.
To start, stop, or restart servers with CMC
Note: You cannot use CMC to stop the CMS. You must use the CCM instead.
See “Stopping a Central Management Server” on page 77 for more
information.
1. Go to the Servers management area of the CMC.
A list of servers appears. The icon associated with each server identifies
its status:
• Running is indicated by a server with a green arrow.
• Stopped is indicated by a server with a red arrow.
2. Select the check box for the server whose status you want to change.
3. Depending upon the action you need to perform, click Start, Stop, or
Restart.
You may be prompted for network credentials that allow you to start and
stop services running on the remote machine.
4. Click Refresh to update the page.
To start, stop, or restart a Windows server with the CCM
1. Start the CCM.
2. Select the server that you want to start, stop, or restart.
3. On the toolbar, click the appropriate button.
Toolbar Action
Icon
Start the selected server.
You may be prompted for network credentials that allow you to start and
stop services.
Note: When you provide your network credentials, they are first checked
against the machine hosting the CMS. If the server that you want to start,
stop, or restart is located on another machine, the same credentials are
Note: The CMS must be running in order for you to enable and/or disable
other servers.
To enable and disable servers with CMC
1. Go to the Servers management area of the CMC.
The icon associated with each server identifies its status. In this example,
the Event Server is disabled (but not stopped), and the remaining servers
are running and enabled.
1. Select the check box for the server whose status you want to change.
2. Depending upon the action you need to perform, click Enable or Disable.
To enable or disable a Windows server with the CCM
1. Start the CCM.
2. On the toolbar, click Enable/Disable.
3. When prompted, log on to your CMS with the credentials that provide you
with administrative privileges to BusinessObjects Enterprise.
4. Click Connect.
The Enable/Disable Servers dialog box appears.
To configure web.xml
Note: Your Java Web Application Server may provide tools to allow you to
edit web.xml directly from an administrative console.Otherwise use the
following procedure to configure web.xml.
1. Stop your application server.
2. Extract the web.xml file from the webcompadapter.war archive.
3. Edit the file by using a text editor such as Notepad or vi.
4. Reinsert the file into the WEB-INF directory in webcompadapter.war.
Tip: To reinsert web.xml into WEB-INF using WinZip, right-click on the
WEB-INF directory that contains your edited web.xml file and select “Add
to Zip File...”. Adding the file in this way ensures that it is placed in the
correct directory inside the archive.
5. Restart your application server.
When you install more than one WCA, each webcomponentadapter.war file
contains its own web.xml file containing configuration parameters for that
WCA. However, you can only set the parameters listed in the following table
individually for each WCA. The remaining parameters must be the same for
all WCA in your system.
Changing the default session timeout value for the Java CMC
The default session timeout value is 20 minutes in the CMC. Use this
procedure if you want to modify the default session timeout value.
To change the sesion timeout value
1. Verify that the Java SDK is installed and its location is in your PATH
environement variable.
If you are able to execucute the jar command, and receive usage
information on the command, proceed to the next step. If you receive a
error message, install the JAVA SDK and add is location to your PATH.
2. Stop the Web application server on the machine where
webcompadapter.war is deployed.
Changing the default session timeout value for the Java InfoView
The default session timeout value is 20 minutes in the InfoView. Use this
procedure if you want to modify the default session timeout value.
To change the sesion timeout value for InfoView
1. Verify that the Java SDK is installed and its location is in your PATH
environement variable.
If you are able to execucute the jar command, and receive usage
information on the command, proceed to the next step. If you receive a
error message, install the JAVA SDK and add is location to your PATH.
2. Stop the Web application server on the machine where desktop.war is
deployed.
3. Extract the web.xml file from the directory where desktop.war is deployed
or edit the deployed web.xml file.
• To extract web.xml, issue the following command.
jar -xvf desktop.war WEB-INF/web.xml
Note: Instead of extracting the web.xml from the specified location, you
can edit web.xml from the deployed location. If you installed Tomcat with
your installation, you can find this file in this location:
C:\Program Files\Business Objects\Tomcat\webapps
\businessobjects\enterprise115\desktoplaunch\WEB-INF
4. Open web.xml in a text editor like Notepad and search for the following
section:
<session-config>
<session-timeout>20</session-timeout>
</session-config>
5. Change the value between <session-timeout> to the number of minutes
you require for the session to timeout.
6. Save web.xml.
7. Update the desktop.war with the modified web.xml file. Use the following
command:
jar -uvf desktop.war WEB-INF/web.xml
Note: This step is not required if you did not extract the web.xml file.
8. Restart you web application server and reploy desktop.war.
Note: You don’t need to redploy desktop.war if you edited the web.xml
file from the deployed location; Restarting your web application server
will suffice.
Parameter Description
display-name Equivalent to WCA name.
cspApplication.defaultPage The default page that will be loaded if no
filename is specified in a particular request.
connection.cms This is the name (or name and port
number) of the CMS that you would like
your application(s) to connect to.
Tip: If you want to import users, groups, folders, and reports from one system
to another, without deleting the contents of the current CMS database, see
“Using the Import Wizard” on page 387.
Depending on the platform of your system and the version of your CMS
database, migrating a CMS database will include several of the following tasks:
• “Preparing to migrate a CMS database” on page 90
• “Changing the name of a CMS cluster” on page 92
When you finish copying data from the source database to the destination
database, complete these steps before allowing users to access the system.
When migrating from an older version of Crystal Enterprise, servers that
existed in the source installation do not appear in the migrated install. This
occurs because there cannot be a mix of old and new servers in a
BusinessObjects Enterprise installation.
Server groups from the old installation appear in the new system, but they will
be empty. New servers are automatically detected and added to the servers
list (outside of any group) in a disabled state. You must enable these servers
before they can be used. You may add the new servers to the imported
groups as appropriate.
Reports that depend on a particular server group for scheduled processing
will not execute until a job server is added to that group. Reports that depend
on a particular server group for processing are not available until servers are
added to that group.
To complete a CMS database migration on Windows
1. If errors occurred during migration, a db_migration log file was created
in the logging directory on the machine where you ran the CCM to carry
out the migration. The CCM will notify you if you need to check the log file.
The default logging directory is:
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\Logging\
2. If you migrated CMS data from a different CMS database into your
current CMS database, you need to make your old input and output
directories available to the new Input and Output File Repository Servers.
You can do this in several ways:
• Copy the contents of the original input root directory into the root
directory that the new Input File Repository Server is already
configured to use. Then copy the contents of the original output
directory into the root directory that the new Output File Repository is
already configured to use.
13. If there are objects that require updating, click Update, otherwise click
Cancel.
14. Start and enable the remaining BusinessObjects Enterprise servers.
Verify that BusinessObjects Enterprise requests are handled correctly, and
check that you can view and schedule reports successfully.
To complete a CMS database migration on UNIX
1. If errors occurred during migration, a db_migration log file was created
in the logging directory on the machine where you ran cmsdbsetup.sh
to carry out the migration. The script will notify you if you need to check
the log file.
The default logging directory is:
BusinessObjects_root/logging
where BusinessObjects_root is the absolute path to the root Business
Objects directory of your BusinessObjects Enterprise installation.
2. If you migrated CMS data from a different CMS database into your
current CMS database, you need to make your old input and output
directories available to the new Input and Output File Repository Servers.
You can do this in several ways:
• Copy the contents of the original input root directory into the root
directory that the new Input File Repository Server is already
configured to use. Then copy the contents of the original output
directory into the root directory that the new Output File Repository is
already configured to use.
• Reconfigure the new Input and Output File Repository Servers to use
the old input and output root directories.
• If the old Input and Output File Repository Servers are running on a
dedicated machine, you can run the BusinessObjects Enterprise
setup program to upgrade the servers directly. Then you need not
move the input and output directories. Instead, modify the -ns option
in both servers’ command lines to have them register with your new
CMS. For more information, see “Setting root directories and idle
times of the File Repository Servers” on page 100.
3. Use the ccm.sh script to start the CMS on the local machine. See the
BusinessObjects Enterprise Administrator’s Reference Guide for more
information.
4. Ensure that the Java web application server that hosts your Web
Component Adapter is running.
5. Log on to the Central Management Console with the default
Administrator account, using Enterprise authentication.
When you recreate the CMS database with the CCM, your existing license
keys should be retained in the database. However, if you need to enter
license keys again, log on to the CMC with the default Administrator account
(which will have been reset to have no password). Go to the Authorization
management area and enter your information on the License Keys tab.
Note: Remember that all data in your current CMS database will be
destroyed if you follow this procedure. Consider backing up your current CMS
database before beginning. If necessary, contact your database administrator.
To recreate the CMS database on Windows
1. Use the CCM to stop the Central Management Server.
2. With the CMS selected, click Specify CMS Data Source on the toolbar.
3. In the CMS Database Setup dialog box, click Recreate the current Data
Source.
4. Click OK and, when prompted to confirm, click Yes.
The SvcMgr dialog box notifies you when the CMS database setup is
complete.
5. Click OK.
You are returned to the CCM.
6. Start the Central Management Server.
While it is starting, the CMS writes required system data to the newly
emptied data source. You may need to click the Refresh button in the
CCM to see that the CMS has successfully started.
To recreate the CMS database on UNIX
Use the cmsdbsetup.sh script. For reference, see the BusinessObjects
Enterprise Administrator’s Reference Guide.
• If you selected ODBC, the Windows “Select Data Source” dialog box
appears. Select the ODBC data source that you want to use as the
CMS database; then click OK. (Click New to configure a new DSN.)
When prompted, provide your database credentials and click OK.
• If you selected a native driver, you are prompted for your database
Server Name, your Login ID, and your Password. Provide this
information and then click OK.
The SvcMgr dialog box notifies you when the CMS database setup is
complete.
7. Click OK.
8. Start the Central Management Server.
To select a new or existing database for a CMS on UNIX
Use the cmsdbsetup.sh script. For reference, see the BusinessObjects
Enterprise Administrator’s Reference Guide
2. Click the link to the Cache Server whose settings you want to change.
3. Make your changes on the Properties tab.
In this example, the Cache Server retains its default settings.
data. If it is very important that all users receive fresh data (perhaps because
important data changes very frequently) you may need to disallow this kind of
data reuse by setting the value to 0.
Viewer Refresh Always Yields Current Data
When enabled, the “Viewer Refresh Always Yields Current Data” setting
ensures that, when users explicitly refresh a report, all previously processed
data is ignored, and new data is retrieved directly from the database. When
disabled, the setting ensures that the Page Server will treat requests
generated by a viewer refresh in exactly the same way as it treats as new
requests.
Report Job Database Connection
The “Report Job Database Connection” settings can be used to make a trade-
off between the number of database licenses you use and the performance
you can expect for certain types of reports.
If you select “Disconnect when all records have been retrieved or the job is
closed”, the Page Server will automatically disconnect from the report
database as soon as it has retrieved the data it needs to fulfill a request.
Selecting this option limits the amount of time that Page Server stays
connected to your database server, and therefore limits the number of
database licenses consumed by the Page Server.
However, if the Page Server needs to reconnect to the database to generate
an on-demand sub-report or to process a group-by-on-server command for
that report, performance for these reports will be significantly slower than if
you had selected “Disconnect when the job is closed”. (The latter option
ensures that Page Server stays connected to the database server until the
report job is closed. Note that you can set the “Minutes before a Report Job is
Closed” above.)
Tip: On Windows, you can also change these settings in the CCM. Stop the
RAS and view its Properties. Click the Parameters tab. From the Option Type
list, select Server.
Minutes Before an Idle Connection is Closed
The “Minutes Before an Idle Connection is Closed” setting alters the length of
time that the RAS waits for further requests from an idle connection. Before
you change this setting, it is important to understand that setting a value too
low can cause a user’s request to be closed prematurely, and setting a value
that is too high can affect the server’s scalability (for instance, if the
ReportClientDocument object is not closed explicitly, the server will be waiting
unnecessarily for an idle job to close).
Maximum Simultaneous Report Jobs
The “Maximum Simultaneous Report Jobs” setting limits the number of
concurrent reporting requests that a RAS processes. The default value is
acceptable for most, if not all, reporting scenarios. The ideal setting for your
reporting environment, however, is highly dependent upon your hardware
configuration, your database software, and your reporting requirements.
Thus, it is difficult to discuss the recommended or optimum settings in a
general way.
It is recommended that you contact your Business Objects sales
representative and request information about the BusinessObjects Enterprise
Sizing Guide. A Business Objects services consultant can then assess your
reporting environment and assist you in customizing these advanced
configuration and performance settings.
Note: To improve system performance, set this value to zero when Enable
Real Time Caching is selected, but enter a value when Enable Real Time
Caching is deselected.
Send document as
Select the option you want:
• Shortcut—The systems sends a shortcut to the specified destination.
• Copy—The system sends a copy of the instance, for example, the .rpt
file, to the destination.
Send List
Specify which users or user groups you want to receive instances that have
been generated or processed by the job server.
See also “Configuring the destination properties for job servers” on page 117.
Domain Name
Enter the fully qualified domain of the SMTP server.
Server Name
Enter the name of the SMTP server.
Port
Enter the port that the SMTP server is listening on. (This standard SMTP port
is 25.)
Authentication
Select Plain or Login if the job server must be authenticated using one of
these methods in order to send email.
SMTP User Name
Provide the Job Server with a user name that has permission to send email
and attachments through the SMTP server.
SMTP Password
Provide the Job Server with the password for the SMTP server.
From
Provide the return email address. Users can override this default when they
schedule an object.
To, Cc, Subject, and Message
Set the default values for users who schedule reports to this SMTP
destination. Users can override these defaults when they schedule an object.
Add viewer hyperlink to message body
Click Add if you want to add the URL for the viewer in which you want the
email recipient to view the report. You can set the default URL by clicking
Object Settings on the main page of the Objects management area of the
CMC. If you send a hyperlink, the email recipient must log on to
BusinessObjects Enterprise to see the report.)
Users can override this default when they schedule an object.
Attach report instance to email message
Clear this check box if you do not want to attach a copy of the report or
program instance attached to the email. Users can override these defaults
when they schedule an object.
Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to generate a
random file name.
Specified File Name
Select this option if you want to enter a file name. You can also add a variable
to the file name. To add a variable, choose a placeholder for a variable
property from the list and click Add.
Add file extension
Adds the .%EXT% extension to the specified filename. This is similar to
selecting File Extension from the list and clicking Add. By adding an extension
to the file name, Windows will know which program to use to open the file
when users want to view the file.
See also “Configuring the destination properties for job servers” on page 117.
Host
Enter your FTP host information.
Port
Enter the FTP port number (the standard FTP port is 21).
FTP User Name
Specify a user who has the necessary rights to upload a report to the FTP server.
FTP Password
Enter the user’s password.
Account
Enter the FTP account information, if required. Account is part of the standard
FTP protocol, but it is rarely implemented. Provide the appropriate account
only if your FTP server requires it.
Destination Directory
Enter the FTP directory that you want the object to be saved to. A relative
path is interpreted relative to the root directory on the FTP server.
Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to generate a
random file name.
Destination Directory
Type the absolute path to the directory. The directory can be on a local drive
of the Job Server machine, or on any other machine that you can specify with
a UNC path.
Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to generate a
random file name.
Specified File Name
Select this option if you want to specify a file name—you can also add a
variable to the file name. To add a variable, choose a placeholder for a
variable property from the list and click Add. When each instance runs, the
Native drivers
If you design reports using native drivers, you must install the appropriate
database client software on each Job Server and/or Page Server machine
that will process the reports. The server loads the client software at runtime in
order to access the database that is specified in the report. The server locates
the client software by searching the library path environment variable that
corresponds to your operating system (LD_LIBRARY_PATH on Sun Solaris,
LIBPATH on IBM AIX, and so on), so this variable must be defined for the
login environment of each Job Server and Page Server.
Depending on your database, additional environment variables may be
required for the Job Server and Page Server to use the client software. These
include:
• Oracle
The ORACLE_HOME environment variable must define the top-level
directory of the Oracle client installation.
• Sybase
The SYBASE environment variable must define the top-level directory of
the Sybase client installation. The SYBPLATFORM environment variable
must define the platform architecture.
• DB2
The DB2INSTANCE environment variable must define the DB2 instance
that is used for database access. Use the DB2 instance initialization
script to ensure that the DB2 environment is correct.
Note: For complete details regarding these and other required environment
variables, see the documentation included with your database client software.
ODBC drivers
If you design reports off ODBC data sources (on Windows), you must set up
the corresponding data sources on the Job Server and Page Server
machines. In addition, you must ensure that each server is set up properly for
ODBC. During the installation, BusinessObjects Enterprise installs ODBC
drivers for UNIX, creates configuration files and templates related to ODBC
reporting, and sets up the required ODBC environment variables. This section
discusses the installed environment, along with the information that you need
to edit.
Note:
• Detailed documentation covering the various ODBC drivers is included in
the Merant Connect ODBC Reference (odbcref.pdf). This is installed
below the crystal/enterprise/platform/odbc directory; it is also
located in the doc directory of your product distribution.
• If you report off DB2 using ODBC, your database administrator must first
bind the UNIX version of the driver to every database that you report
against (and not just each database server). The bind packages are
installed below the crystal/enterprise/platform/odbc/lib
directory; their filenames are iscsso.bnd, iscswhso.bnd,
isrrso.bnd, isrrwhso.bnd, isurso.bnd, and isurwhso.bnd.
Because Crystal Reports runs on Windows, ensure also that the
Windows version of the driver has been bound to each database.
[ODBC]
Trace=0
TraceFile=odbctrace.out
TraceDll=/opt/bobje/enterprise115/platform/odbc/lib/
odbctrac.so
InstallDir=/opt/bobje/enterprise115/platform/odbc
As shown in the example above, the system information file is structured in
three major sections:
• The first section, denoted by [ODBC Data Sources], lists all the DSNs
that are defined later in the file. Each entry in this section is provided as
dsn=driver, and there must be one entry for every DSN that is defined in Kalu002fthis
driver are included in the file (Database=, LogonID=, and so on). Edit the file
and provide the corresponding values that are specific to your reporting
environment.
This example shows the entire contents of a system information file created
when BusinessObjects Enterprise was installed to the /usr/local directory.
[ODBC Data Sources]
CRDB2=MERANT 3.70 DB2 ODBC Driver
CRINF_CL=MERANT 3.70 Informix Dynamic Server ODBC Driver
CROR8=MERANT 3.70 Oracle8 ODBC Driver
CRSS=MERANT 3.70 SQL Server ODBC Driver
CRSYB=MERANT 3.70 Sybase ASE ODBC Driver
CRTXT=MERANT 3.70 Text ODBC Driver
[CRDB2]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
crdb216.so
Description=MERANT 3.70 DB2 ODBC Driver
Database=
LogonID=
[CRINF_CL]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
crifcl16.so
Description=MERANT 3.70 Informix Dynamic Server ODBC Driver
ServerName=
HostName=
PortNumber=
Database=
LogonID=
[CROR8]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
cror816.so
Description=MERANT 3.70 Oracle8 ODBC Driver
ServerName=
ProcedureRetResults=1
LogonID=
[CRSS]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
crmsss16.so
Description=MERANT 3.70 SQL Server ODBC Driver
Address=
Database=
QuotedId=Yes
LogonID=
[CRTXT]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
crtxt16.so
Description=MERANT 3.70 Text ODBC Driver
Database=
[ODBC]
Trace=0
TraceFile=odbctrace.out
TraceDll=/usr/local/bobje/enterprise115/platform/odbc/lib/
odbctrac.so
InstallDir=/usr/local/bobje/enterprise115/platform/odbc
Adding a DSN to the default ODBC system information file
When you need to add a new DSN to the installed system information file
(.odbc.ini) file, first add the new DSN to the bottom of the [ODBC Data
Sources] list. Then add the corresponding [dsn] definition just before the
[ODBC] section.
For example, suppose that you have a Crystal report that uses ODBC drivers
to report off your Oracle8 database. The report is based off a System DSN
(on Windows) called SalesDB. To create the corresponding DSN, first append
this line to the [ODBC Data Sources] section of the system information file:
SalesDB=MERANT 3.70 Oracle8 ODBC Driver
Then define the new DSN by adding the following lines just before the system
information file’s [ODBC] section:
[SalesDB]
Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/
cror816.so
Description=MERANT 3.70 Oracle8 ODBC Driver
ServerName=MyServer
ProcedureRetResults=1
LogonID=MyUserName
Once you have added this information, the new DSN is available to the Job
Server and Page Server, so they can process reports that are based off the
SalesDB System DSN (on Windows).
Each server also logs assert messages to the logging directory of your
product installation. The programmatic information logged to these files is
typically useful only to Business Objects support staff for advanced
debugging purposes. The location of these log files depends upon your
operating system:
• On Windows, the default logging directory is C:\Program
Files\Business Objects\BusinessObjects Enterprise
11.5\Logging
• On UNIX, the default logging directory INSTALL_ROOT/bobje/logging
directory of your installation.
The important point to note is that these log files are cleaned up automatically,
so there will never be more than approximately 1 MB of logged data per
server.
This table summarizes the command-line options as they relate to port usage
for specific server types. For more information, see the BusinessObjects
Enterprise Administrator’s Reference Guide.
Example Description
DcertDir=d:\ssl The directory to store all the
certificates and keys.
DtrustedCert=cacert.der Trusted certificate file. If specifying
more than one, separate with
semicolons.
DsslCert=clientcert.der Certificate used by the SDK.
DsslKey=client.key Private key of the SDK certificate.
Dpassphrase=passphrase.txt The file that stores the passphrase for
the private key.
2. If you have an IIS web application server, run the sslconfig tool from
the command line and follow the configuration steps.
chapter
5 Managing Server Groups
Server group overview
3. In the Server Group Name field, type a name for the new group of
servers.
4. Use the Description field to include additional information about the group.
5. Click OK.
6. On the Servers tab, click Add/Remove Servers.
7. Select the servers that you want to add to this group; then click the > arrow.
Tip: Use CTRL+click to select multiple servers.
8. Click OK.
This example adds the servers to a server group called Northern Office
Servers.
You are returned to the Servers tab, which now lists all the servers that
you added to the group. You can now change the status, view server
metrics, and change the properties of the servers in the group. For more
information, see “Server management overview” on page 70.
5. Click OK.
You are returned to the “Member of” tab, which now lists all the server
groups that the initial group is now a member of.
chapter
6 Scaling Your System
Scalability overview
Scalability overview
The BusinessObjects Enterprise architecture is scalable in that it allows for a
multitude of server configurations, ranging from stand-alone, single-machine
environments, to large-scale deployments supporting global organizations.
The flexibility offered by the product’s architecture allows you to set up a
system that suits your current reporting requirements, without limiting the
possibilities for future growth and expansion.
This chapter details common scalability scenarios for administrators who
want to expand beyond a stand-alone installation of BusinessObjects
Enterprise. These three scenarios have received the most testing, and are
recommended for the majority of deployments, however, they are not the only
supported configurations. For details, see “Common configurations” on
page 149.
It must be emphasized, however, that the optimal configuration for your
deployment will vary depending upon your hardware configuration, your
database software, and your reporting requirements. It is recommended that
you contact your Business Objects sales representative and request
information about the BusinessObjects Enterprise Sizing Guide. A Business
Objects Services consultant can then assess your reporting environment and
assist in determining the configuration that will best integrate with your current
environment.
Note: If you customize or expand your system beyond these common
configurations without first contacting Business Objects Services, your
deployment may not be officially supported.
This chapter also provides the related procedures for adding and deleting
servers from your BusinessObjects Enterprise installation. Follow these steps
when you need to add server components to a machine that is already
running BusinessObjects Enterprise.
Tip: If you are adding new hardware to BusinessObjects Enterprise by
installing server components on additional machines, run the
BusinessObjects Enterprise installation and setup program. The setup
program allows you to perform an Expand installation. During the Expand
installation, you specify the existing CMS whose system you want to expand,
and you select the components that want to install on the local machine. For
details, see the BusinessObjects Enterprise Installation Guide.
One-machine setup
This basic configuration separates the BusinessObjects Enterprise servers
from the rest of your reporting environment and from your web server, and
installs all BusinessObjects Enterprise servers on a single machine. This
grants the BusinessObjects Enterprise servers their own set of processing
resources, which they do not have to share with database and web server
processes. These are the general steps to setting up this configuration for the
default Windows installation of BusinessObjects Enterprise:
• Install all of the BusinessObjects Enterprise servers on a single,
dedicated machine.
• Run the CMS database on your database server.
If you are still using the MySQL CMS database on Windows, migrate the
CMS database to a supported database server. See the Platforms.txt
file included with your product distribution for a list of supported database
servers.
For a UNIX installation (or for a Windows installation that uses the
BusinessObjects Enterprise Java SDK), install your BusinessObjects
Enterprise servers on the same machine as your Java web application server
and the Web Component Adapter.
Three-machine setup
This second configuration divides the BusinessObjects Enterprise processing
load in a logical manner, based on the types of work performed by each server.
In this way, you prevent the server components from having to compete with
each other for the same hardware and processing resources. In addition, this
scenario prepares your system for further expansion to provide redundancy.
Note: It is recommended that you use three multi-processor machines (dual-
CPU or better), with at least 2 GB RAM installed on each machine.
These are the general steps to setting up this configuration for the default
Windows installation of BusinessObjects Enterprise:
• Install the CMS and the Event Server on one machine.
Tip: Here, the Event Server is installed on the same machine as the
CMS. In general, however, the Event Server should be installed on the
machine where your monitored, file-based events occur.
• Install the application server, the Web Component Adapter and the
Cache Server on the second machine.
• Install the Page Server, the Report Job Server, Program Job Server,
Destination Job Server, List of Values Job Server, Web Intelligence Job
Server, the Web Intelligence Report Server, the Report Application
Server (RAS), and the Input and Output File Repository Servers on the
third machine.
For a UNIX installation (or for a Windows installation that uses the
BusinessObjects Enterprise Java SDK), install the Java web application
server and the Web Component Adapter on the same machine as your
Cache Server.
Note: As with the one-machine setup, install your BusinessObjects
Enterprise servers on machines that are separate from your web server and
database servers. This grants the BusinessObjects Enterprise servers their
own set of processing resources, which they do not have to share with
database and web server processes.
You can also modify server settings from within your own code in order to
further integrate BusinessObjects Enterprise with your existing intranet tools
and overall reporting environment.
To improve the scalability of your system, consider distributing administrative
efforts by developing web applications for delegated content administration.
You can grant select users the ability to manage particular BusinessObjects
Enterprise folders, content, users, and groups on behalf of their team,
department, or regional office.
In addition, be sure to check the developer documentation available on your
BusinessObjects Enterprise product CD for performance tips and other
scalability considerations. The query optimization section in particular
provides some preliminary steps to ensuring that custom applications make
efficient use of the query language.
Adding a server
These steps add a new instance of a server to the local machine. You can run
multiple instances of the same BusinessObjects Enterprise server on the
same machine.
To add a Windows server
Note: To complete this procedure, you must log on as an Administrator of the
local machine.
4. Click the Server Type list and select the kind of server you want to add.
5. Change the default Display Name field if you want a different name to
appear in the list of servers in the CCM.
Note: The display name for each server on the local machine must be
unique.
6. Change the default Server Name field if required.
Each server on the system must have a unique name. The default
naming convention is HOSTNAME.servertype (a number is appended if
there is more than one server of the same type on the same host
machine). This Server Name is displayed when you manage servers over
the Web in the Central Management Console (CMC).
When you add Input or Output File Repository Servers, the wizard always
precedes the server name you type with an “Input.” or “Output.” prefix.
So, if you add an Input FRS with the name SERVER02, the CCM actually
names the server Input.SERVER02. This “Input.” prefix is required by
the system. If you subsequently modify the server’s name through its
command line, do not remove the prefix.
7. Click Next.
The “Set Configuration for this server” dialog box appears. The contents
of this dialog vary slightly, depending upon the type of server that you are
installing.
8. Type the name of the CMS that you want the server to communicate with.
If your CMS is not listening on the default port (6400), include the
appropriate port number, as in CMSname:port#
9. Click Next to accept any other default values, or modify them to suit your
environment.
Note: If port number options are displayed in this dialog box, do not
modify them. Instead, change ports through each server’s command line.
For details, see “Changing the default server port numbers” on page 131.
10. Confirm the summary information is correct; then click Finish.
The new server appears in the list, but it is neither started nor enabled
automatically.
11. Use the CCM (or the CMC) to start and then to enable the new server
when you want it to begin responding to BusinessObjects Enterprise
requests. For details, see “Viewing and changing the status of servers”
on page 74.
Tip: Auditing in BusinessObjects Enterprise is enabled on a per server basis.
If you add a new server to your BusinessObjects Enterprise installation you
must enable auditing of actions on each new server. If you do not, the actions
performed on the new server will not be audited. See the BusinessObjects
Enterprise Auditor’s Guide for more information.
To add a UNIX server
Use the serverconfig.sh script. For reference, see the BusinessObjects
Enterprise Administrator’s Reference Guide.
Deleting a server
To delete a Windows server
1. Start the CCM on the BusinessObjects Enterprise machine that you want
to delete a server from.
2. Stop the server that you want to delete from the system.
3. With the server selected, click Delete Server on the toolbar.
4. When prompted for confirmation, click Yes.
To delete a UNIX server
Use the serverconfig.sh script. For reference, see the BusinessObjects
Enterprise Administrator’s Reference Guide.
chapter
7 Working with Firewalls
Firewalls overview
Firewalls overview
BusinessObjects Enterprise works with firewall systems to provide reporting
across intranets and the Internet without compromising network security. This
chapter provides general information about what a firewall is and types of
firewalls:
• “What is a firewall?” on page 162
• “Firewall types” on page 163
If you are already familiar with firewalls and the configuration used in your
network, proceed directly to “Understanding firewall integration” on page 166.
What is a firewall?
A firewall is a security system that protects one or more computers from
unauthorized network access. A firewall restricts people to entering and
leaving your network at a carefully controlled point. It also prevents attackers
from getting close to your other defenses. Typically, a firewall protects a
company’s intranet from being improperly accessed through the Internet.
A firewall can enforce a security policy, log Internet activity, and be a focus for
security decisions. A firewall can’t protect against malicious insiders or
connections that don’t go through it. A firewall also can’t set itself up correctly
or protect against completely new threats.
To help explain how firewalls work, some basic networking terms are
described here:
• “TCP/IP and packets” on page 162
• “Ports” on page 163
If you are already familiar with these topics see “Understanding firewall
integration” on page 166.
Ports
Ports are logical connection points that a computer uses to send and receive
packets. With TCP/IP, ports allow a client program to specify a particular
server program on a computer in a network. High-level applications that use
TCP/IP have ports with pre-assigned numbers. For instance, when you visit a
typical HTTP site over the Web, you communicate with the web server on port
80, which is the pre-assigned port for HTTP communication.
Other application processes are given port numbers dynamically for each
connection. When a service or daemon initially is started, it binds to its
designated port number. When any client program wants to use that server, it
must also request to bind to the designated port number. Valid port numbers
range from 0 to 65536, but ports 0 to 1024 are reserved for use by certain
privileged services.
Firewall types
Firewalls primarily function using at least one of the following methods:
• “Packet filtering” on page 164
• “Network Address Translation” on page 164
• “SOCKS proxy servers” on page 165
BusinessObjects Enterprise works with these firewall types.
Note: Business Objects will be moving away from supporting SOCKS proxy
servers. As a result SOCKS proxy servers are still supported in
BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a
future release of BusinessObjects Enterprise. If you are using SOCKS proxy
servers now, we recommend you switch to a different firewall method.
Packet filtering
Packet filtering rejects TCP/IP packets from unauthorized hosts and rejects
connection attempts to unauthorized services. Packet filtering can reject
packets based on the following:
• The address the data is coming from.
• The address the data is going to.
• The session and application ports being used to transfer the data.
• The data contained within the packet.
Typically there are two types of packet filtering:
• Stateful packet filters remember the state of connections at the network
and session layers by recording the established session information that
passes through the filter gateway. The filter then uses that information to
discriminate valid return packets from invalid connection attempts.
• Stateless packet filters do not retain information about connections in
use; instead, they make determinations packet-by-packet based only on
the information contained within the packet. Firewalls that employ packet
filtering will work with BusinessObjects Enterprise.
Ports
The application server must be able to communicate with every
BusinessObjects Enterprise server behind the firewall. Therefore, you must
open a port on the firewall for each server. The application server must be a
Tomcat or IIS server.
Configuring BusinessObjects Enterprise for Network Address Translation
when the application tier is separated from the CMS by a firewall includes:
• “Configuring the CMS on Windows” on page 172
• “Configuring the CMS on UNIX” on page 172
• “Configuring the BusinessObjects Enterprise servers” on page 173
• “Configuring the hosts files” on page 174
• “Specifying firewall rules for NAT” on page 175
Configuring the CMS on Windows
To configure the CMS on Windows
1. Start the CCM.
2. Stop the Central Management Server.
3. On the toolbar, click Properties.
4. In the Command box, add the following option:
-port FQDN:6400 -requestport portnum
For the -port command, replace FQDN with the fully qualified domain
name of the machine that is running the CMS. This machine must be
routable from the application server.
For the -requestport command, substitute any valid free port number
for portnum.
Tip: If you want to customize the CMS so that it listens on a port other than
the default, substitute your new port number for the default value of 6400.
If you change the default port number of the CMS you must perform
additional system configuration. Before changing the port number, see
“Changing the default server port numbers” on page 131.
5. Click OK to return to the CCM.
6. Start the Central Management Server.
Configuring the CMS on UNIX
To configure the CMS on UNIX
1. Run ccm.sh.
By default the script and the ccm.config file are installed in the Business
Objects install directory, for example /export/home/businessobjects.
For the -port command, replace FQDN with the fully qualified domain
name of the machine that is running the CMS. This machine must be
routable from the application server.
For the -requestport command, substitute any valid free port number
for portnum.
4. Use ccm.sh to start the Central Management Server.
Configuring the BusinessObjects Enterprise servers
The procedure for configuring the BusinessObjects Enterprise servers varies
for Windows and UNIX.
• “To configure BusinessObjects Enterprise servers on Windows” on
page 173
• “To configure BusinessObjects Enterprise servers on UNIX” on page 173
To configure BusinessObjects Enterprise servers on Windows
1. Start the CCM.
2. Stop the server.
3. On the toolbar, click Properties.
4. In the Command box, add the following option:
-port FQDN -requestport portnum
For the -port command, replace FQDN with the fully qualified domain
name of the machine that is running the server. This machine must be
routable from the application server.
For the -requestport command, substitute any valid free port number
for portnum. If more than one server is installed on the same machine,
each server on that machine must use a unique port number.
5. Click OK to return to the CCM.
6. Start the server.
7. Repeat for each BusinessObjects Enterprise server.
To configure BusinessObjects Enterprise servers on UNIX
1. Run ccm.sh.
By default the script and the ccm.config file are installed in the
Business Objects install directory, for example /export/home/
businessobjects.
For the -port command, replace FQDN with the fully qualified domain
name of the machine that is running the server. This machine must be
routable from the application server.
For the -requestport command, substitute any valid free port number
for portnum. If more than one server is installed on the same machine,
each server on that machine must use a unique port number.
4. Use ccm.sh to start the server.
5. Repeat for each BusinessObjects Enterprise server.
Configuring the hosts files
On each machine running a BusinessObjects Enterprise server, you must
configure the hosts file so that the server can map the FQDN it receives from
the Central Management Server (CMS) to an internally routable IP address.
This is necessary to enable communication between servers inside the firewall.
The procedure for configuring the hosts file is different for Windows and
UNIX. See:
• “To configure the hosts files on Windows” on page 174
• “To configure the hosts files on UNIX” on page 174
To configure the hosts files on Windows
1. Open the hosts file using a text editor like Notepad. The hosts file is
located at \WINNT\system32\drivers\etc\hosts.
2. Follow the instructions in the hosts file to add an entry for each machine
behind the firewall that is running a BusinessObjects Enterprise server or
servers. Use the internally routable IP address of the machine and its
externally routable fully qualified domain name.
3. Save the hosts file.
To configure the hosts files on UNIX
Note: Your UNIX operating system must be configured to first consult the
hosts file to resolve domain names, before consulting DNS. Consult your
UNIX systems documentation for details.
1. Open the hosts file using an editor like vi. The hosts file is located at
\etc\hosts.
2. Add an entry for each machine behind the firewall that is running a
BusinessObjects Enterprise server. Use the translated IP address of the
machine and its fully qualified domain name.
Outbound Rules
Configuring packet filtering when thick client is separated from the CMS
You can publish reports or analytic objects to BusinessObjects Enterprise by
saving these objects to BusinessObjects Enterprise from within Crystal
Reports or OLAP Intelligence, or by using the Import or Publishing Wizards.
However, if there is a firewall between the computer running one of these
thick clients and the CMS, this operation fails.
Configuring your BusinessObjects Enterprise system to support this
configuration when the firewall uses packet filtering is very similar to
configuring your system to support a packet filtering firewall between the
application tier and the Central Management Server (CMS).
For full instructions, follow the detailed steps in “Configuring packet filtering
when application tier is separated from CMS” on page 177 but:
• Configure only the Central Management Server and the Input File
Repository Server to use fixed port numbers for communication.
• Establish inbound firewall rules for communication between the Crystal
Reports or OLAP Intelligence machine and the CMS and Input File
Repository Server. You do not need to establish an outbound firewall rule.
chapter
8 Managing BusinessObjects Enterprise Repository
BusinessObjects Enterprise Repository overview
Note: System Objects (users, user groups, servers, server groups, events,
and calendars), are not renamed when you import them from one CMS to
another, regardless of the options set. Changing the names of these objects
would cause user management, server management, and event
management for these objects to fail.
See “Using the Import Wizard” on page 387 for full instructions on using the
Import Wizard to copy objects from one BusinessObjects Enterprise XI
repository to another.
6. Click Next.
The “Specify destination environment” dialog box appears.
7. In the CMS Name field, type the name of the destination environment’s
Central Management Server.
• Import calendars
• Import universes
2. Click Next.
3. In the “Please choose an import scenario” dialog box, click one of the two
options:
• “I want to merge the source system into the destination system.”
Select this option if you want to add objects from the source system
to the destination system without overwriting objects in the
destination. For more information on this option, see “Merging
repositories” on page 185.
• “I want to update the destination system by using the source system
as a reference.”
Select this option if you want to add objects from the source system
to the destination system, overwriting objects in the destination when
they have the same unique identifier as those in the source. for more
information on this option, see “Updating the destination repository”
on page 185.
Click Next.
4. If you chose “Import repository objects”, the Import Progress dialog box
now displays status information and creates an Import Summary while
the Import Wizard completes its tasks.
5. If the Import Summary shows that some information was not imported
successfully, click View Detail Log for a description of the problem.
Otherwise, click Done.
Note: The information that appears in the Detail Log is also written to a
text file called ImportWiz.log, which you will find in the directory from
which the Import Wizard was run. By default, this directory is:
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\win32_x86\
The log file included a system-generated ID number, a title that describes
the imported information, and a field that describes the action taken and
the reason why.
8. To delete an existing folder from your repository, select it, and then click
“Delete the item/folder”.
9. Click Next, and then Finish to complete the transfer and close the
Repository Migration Wizard.
When you use the Repository Migration Wizard, neither the source nor the
destination database is overwritten. Objects from the source repository will be
added to the destination repository database. If the Wizard finds identical
objects in the source and destination repositories, the source objects will not
be copied.
When you copy repository objects into BusinessObjects Enterprise XI, only
the most recent version of each object is copied.
Note: Reports configured to use the source repository will now refer to the
destination data source.
• To delete an existing folder from your repository, select it, and then
click “Delete the item/folder”.
7. Click Next.
BusinessObjects Enterprise exports the selected repository objects from
your Crystal Reports repository, reporting success or failure for each object.
8. Click Next, and then Finish to complete the transfer and close the
Repository Migration Wizard.
chapter
9 BusinessObjects Enterprise Security Concepts
Security overview
Security overview
The BusinessObjects Enterprise architecture addresses the many security
concerns that affect today’s businesses and organizations. The current release
supports features such as distributed security, single sign-on, resource access
security, granular object rights, and third-party Windows NT, LDAP, and
Windows AD authentication in order to protect against unauthorized access.
To allow for further customization of security, BusinessObjects Enterprise
supports dynamically loaded processing extensions. And, for monitoring and
auditing purposes, BusinessObjects Enterprise allows you to log various web
statistics, thus enabling you to detect potential security concerns.
Because BusinessObjects Enterprise provides the framework for an
increasing number of components from the Enterprise family of Business
Objects products, this chapter details the security features and related
functionality to show how the framework itself enforces and maintains security.
As such, this chapter does not provide explicit procedural details; instead, it
focuses on conceptual information and provides links to key procedures.
Related topics:
• For key procedures that show how to modify the default accounts,
passwords, and other security settings, see “Making initial security
settings” on page 28.
• For procedures that show how to set up authentication, users, and
groups, see “Managing User Accounts and Groups” on page 215.
• For procedures that show how to set object rights for your BusinessObjects
Enterprise content, see “Controlling User Access” on page 291.
Primary authentication
Primary authentication occurs when a user first attempts to access the
system. The user provides a user name and password and specifies an
authentication type. The authentication type may be Enterprise, Windows NT,
LDAP, or Windows AD authentication, depending upon which type(s) you
have enabled and set up in the Authorization management area of the Central
Management Console (CMC). The user’s web browser sends the information
by HTTP to your web server, which routes the information to the Web
Component Adapter (WCA).
The WCA passes the user’s information to logon.aspx and runs the script.
Internally, this script communicates with the SDK and, ultimately, the
appropriate security plug-in to authenticate the user against the user database.
For instance, if the user specifies Enterprise Authentication, the SDK ensures
that the BusinessObjects Enterprise security plug-in performs the
authentication. The Central Management Server (CMS) uses the
BusinessObjects Enterprise security plug-in to verify the user name and
password against the system database. Alternatively, if the user specifies
Windows NT, LDAP, or Windows AD Authentication, the SDK uses the
corresponding security plug-in to authenticate the user.
If the security plug-in reports a successful match of credentials (including a
match to an appropriate group membership for Windows NT, Windows AD, or
LDAP authentication), the CMS grants the user an active identity on the
system and the system performs several actions:
• The CMS stores the user’s information in memory in a CMS session
variable. While active, this session consumes one user license on the
system.
• The CMS generates and encodes a logon token and sends it to the WCA.
• The WCA stores the user’s information in memory in a WCA session
variable. While active, this session stores information that allows
BusinessObjects Enterprise to respond to the user’s requests.
Note:
• If you are familiar with the SDK, you should note that the WCA here
instantiates the InfoStore object and stores it in the WCA session
variable.
• The session variable does not contain the user’s password.
• The WCA sends the logon token to the user’s web browser, and the web
browser caches the token in a cookie. Until the logon token expires, its
encoded information serves as the user’s valid ticket for the system.
Each of these steps contributes to the distributed security of BusinessObjects
Enterprise, because each step consists of storing information that is used for
secondary identification and authorization purposes. This is the model used in
InfoView. However, if you are developing your own client application and you
prefer not to store session state on the WCA, you can design your application
such that it avoids using WCA session variables.
Note:
• The third-party Windows NT, LDAP, and Windows AD security plug-ins
work only once you have mapped groups from the external user
database to BusinessObjects Enterprise. For details, see “Available
authentication types” on page 218.
• In a single sign-on situation, BusinessObjects Enterprise retrieves users’
credentials and group information directly from the Windows NT or
Windows AD system. Hence, users are not prompted for their credentials.
Security plug-ins
Security plug-ins expand and customize the ways in which BusinessObjects
Enterprise authenticates users. BusinessObjects Enterprise currently ships
with the system default BusinessObjects Enterprise security plug-in and with
the Windows NT, LDAP, and Windows AD security plug-ins. Each security
plug-in offers several key benefits.
Security plug-ins facilitate account creation and management by allowing you
to map user accounts and groups from third-party systems into
BusinessObjects Enterprise. You can map third-party user accounts or groups
to existing BusinessObjects Enterprise user accounts or groups, or you can
create new Enterprise user accounts or groups that corresponds to each
mapped entry in the external system.
The security plug-ins dynamically maintain third-party user and group listings.
So, once you map a Windows NT, LDAP, or Windows AD group into
BusinessObjects Enterprise, all users who belong to that group can log on to
BusinessObjects Enterprise. When you make subsequent changes to the
third-party group membership, you need not update or refresh the listing in
BusinessObjects Enterprise. For instance, if you map a Windows NT group to
BusinessObjects Enterprise, and then you add a new NT user to the NT
group, the security plug-in dynamically creates an alias for that new user when
he or she first logs on to BusinessObjects Enterprise with valid NT credentials.
Moreover, security plug-ins enable you to assign rights to users and groups in
a consistent manner, because the mapped users and groups are treated as if
they were Enterprise accounts. For example, you might map some user
accounts or groups from Windows NT, and some from an LDAP directory
server. Then, when you need to assign rights or create new, custom groups
within BusinessObjects Enterprise, you make all of your settings in the CMC.
Each security plug-in acts as an authentication provider that verifies user
credentials against the appropriate user database. When users log on to
BusinessObjects Enterprise, they choose from the available authentication
types that you have enabled and set up in the Authorization management
area of the CMC: Enterprise (the system default), Windows NT, LDAP, or
Windows AD.
Processing extensions
BusinessObjects Enterprise offers you the ability to further secure your
reporting environment through the use of customized processing extensions.
A processing extension is a dynamically loaded library of code that applies
business logic to particular BusinessObjects Enterprise view or schedule
requests before they are processed by the system.
Note: On Windows systems, dynamically loaded libraries are referred to as
dynamic-link libraries (.dll file extension). On UNIX systems, dynamically
loaded libraries are often referred to as shared libraries (.so file extension). You
must include the file extension when you name your processing extensions.
Through its support for processing extensions, the BusinessObjects
Enterprise administration SDK essentially exposes a “handle” that allows
developers to intercept the request. Developers can then append selection
formulas to the request before the report is processed.
Logon tokens
A logon token is an encoded string that defines its own usage attributes and
contains a user’s session information. The logon token’s usage attributes are
specified when the logon token is generated. These attributes allow
restrictions to be placed upon the logon token to reduce the chance of the
logon token being used by malicious users. The current logon token usage
attributes are:
• Number of minutes
This attribute restricts the lifetime of the logon token.
• Number of logons
This attribute restricts the number of times that the logon token can be
used to log on to BusinessObjects Enterprise.
Both attributes hinder malicious users from gaining unauthorized access to
BusinessObjects Enterprise with logon tokens retrieved from legitimate users.
Note: When using logon tokens, it is good practice to use Secure Sockets
Layer (SSL). For more information on SSL, see “Configuring servers for SSL”
on page 137.
This logon token is most commonly used over the Web. When a user is first
authenticated by BusinessObjects Enterprise, he or she receives a logon
token from the CMS. The user’s web browser caches this logon token. When
the user makes a new request, other BusinessObjects Enterprise
components can read the logon token from the user’s web browser.
This use of the logon token provides the distributed security that is required for
load balancing to be implemented in conjunction with effective fault-protection.
The user’s active identity is stored as a session variable on the WCA that
processed the request; consequently, the user’s active identity is not
immediately accessible by the other WCA. For this reason, the user’s logon
token is used to route all of the user’s requests to the WCA that is storing the
user’s session. By doing so, security is maintained while providing optimal
performance: the user’s identity is verified, but the system does not have to
repeatedly prompt the user for his or her credentials; in addition, the user is
prevented from unnecessarily consuming resources on both Web Component
Adapters.
If the WCA that is storing the user’s active session is taken offline, the logon
token again serves a critical purpose. If one WCA ceases to respond to a
user’s requests, InfoView and the CMC are designed such that the request is
redirected to the remaining WCA. The client application logs the user on with
the valid logon token, and the remaining WCA can authenticate the user and
create a new, active session without prompting the user for his or her
credentials. The remaining WCA can then authorize and carry out the user’s
request. In this way, the logon token enables the system’s load-balancing and
fault-tolerance mechanisms to maintain a secure environment without
affecting the user’s experience.
In this scenario, when the original WCA is brought back online, the system
automatically resumes its load balancing responsibilities by routing each
subsequent request to the least used WCA.
The WCA session is designed to notify the CMS on a recurring basis that it is
still active, so the CMS session is retained so long as the WCA session
exists. If the WCA session fails to communicate with the CMS for a ten-minute
time period, the CMS destroys the CMS session. This handles scenarios
where client-side components shut down irregularly.
Note: If you are familiar with the SDK, you should note that a CMS session is
an instance of an EnterpriseSession object.
Environment protection
Environment protection refers to the security of the overall environment in
which client and server components communicate. Although the Internet and
web-based systems are increasingly popular due to their flexibility and range
of functionality, they operate in an environment that can be difficult to secure.
When you deploy BusinessObjects Enterprise, environment protection is
divided into two areas of communication:
• Web browser to web server
• Web server to BusinessObjects Enterprise
Password restrictions
Password restrictions ensure that Enterprise users create passwords that are
relatively complex. You can enable the following options:
• Enforce mixed-case passwords
This option ensures that passwords contain at least two of the following
character classes: upper case letters, lower case letters, numbers, or
punctuation.
• Must contain at least N characters
By enforcing a minimum complexity for passwords, you decrease a
malicious user’s chances of simply guessing a valid user’s password.
Logon restrictions
Logon restrictions serve primarily to prevent dictionary attacks (a method
whereby a malicious user obtains a valid user name and attempts to learn the
corresponding password by trying every word in a dictionary). With the speed
of modern hardware, malicious programs can guess millions of passwords per
minute. To prevent dictionary attacks, BusinessObjects Enterprise has an
internal mechanism that enforces a time delay (0.5–1.0 second) between
logon attempts. In addition, BusinessObjects Enterprise provides several
customizable options that you can use to reduce the risk of a dictionary attack:
• Disable accounts after N failed attempts to log on
• Reset failed logon count after N minute(s)
• Re-enable account after N minute(s)
User restrictions
User restrictions ensure that Enterprise users create new passwords on a
regular basis. You can enable the following options:
• Must change password every N day(s)
• Cannot reuse the N most recent password(s)
• Must wait N minute(s) to change password
These options are useful in a number of ways. Firstly, any malicious user
attempting a dictionary attack will have to recommence every time passwords
change. And, because password changes are based on each user’s first logon
time, the malicious user cannot easily determine when any particular password
will change. Additionally, even if a malicious user does guess or otherwise
obtain another user’s credentials, they are valid only for a limited time.
chapter
10 Managing User Accounts and Groups
What is account management?
Administrator
The Administrator user belongs to the Administrators and Everyone groups.
This user can perform all tasks in all BusinessObjects Enterprise applications
(for example, the Central Management Console, Central Configuration
Manager, Publishing Wizard, and InfoView).
By default, the Administrator is not assigned a password. For security
reasons, it is highly recommended that you create a password for the
Administrator user as soon as possible. See “Setting the Administrator
password” on page 29.
Note: To use the Central Configuration Manager, your operating system
account may require certain rights on the local machine. For more
information, see “Using the Central Configuration Manager” on page 26.
Guest
The Guest user is a member of the Everyone group. This user can view
reports that are found within the Report Samples folder. Generally, the Guest
user accesses reports through InfoView. This account is enabled by default.
To disable this default setting, see “Disabling the Guest account” on
page 229.
By default, the Guest user is not assigned a password. If you assign it a
password, the single sign-on to InfoView will be broken.
Note: If users in multiple time zones use the Guest account, see “Supporting
users in multiple time zones” on page 527.
Default groups
In addition to organizing users and simplifying administration, groups enable
you to determine the functionality a user has access to. In BusinessObjects
Enterprise, the following default groups are created. For procedures on
managing groups, see “Managing Enterprise and general accounts” on
page 219.
Administrators
Users who belong to the Administrators group are able to perform all tasks in
all of the BusinessObjects Enterprise applications (Central Management
Console, Central Configuration Manager, Publishing Wizard, and InfoView).
By default, the Administrator group contains only the Administrator user.
Note: To use the Central Configuration Manager, your operating system
account may require certain rights on the local machine. For more
information, see “Using the Central Configuration Manager” on page 26.
BusinessObjects NT Users
When you install BusinessObjects Enterprise on Windows, BusinessObjects
Enterprise creates a BusinessObjects NT Users group. This group is also
added to Windows on the local machine and the user who installed
BusinessObjects Enterprise is automatically added to this group.
When NT authentication is enabled, BusinessObjects NT Users can use their
NT accounts to log on to BusinessObjects Enterprise. By default, members of
this group are able to view folders and reports.
Everyone
Each user is a member of the Everyone group. By default, the Everyone
group allows access to all the reports that are found in the Report Samples
folder.
5. In the Available groups area, select the group(s) that the new user should
be a member of.
Use SHIFT+click or CTRL+click to select multiple groups.
6. Click the > arrow to add the group(s); click the < arrow to remove the
group(s).
7. Click OK.
The “Member of” tab appears and lists the groups in which the user is a
member.
Creating a group
Groups are collections of users who share the same account privileges. For
instance, you may create groups that are based on department, role, or
location. Groups enable you to change the rights for users in one place (a
group) instead of modifying the rights for each user account individually. Also,
you can assign object rights to a group or groups.
Modifying a group
You can modify a group by making changes to any of the settings.
Note: The users who belong to the group will be affected by the modification
if they are logged on when you are making changes.
To modify a group
1. In the Groups management area of the CMC, click the link for the group.
2. Under the Group Name column, click the link to the group whose
configuration you want to change.
Deleting a group
You can delete a group when that group is no longer required. You cannot
delete the default groups Administrator and Everyone.
Note: The users who belong to the deleted group will be affected by the
change if they are logged on when the group is deleted.
To delete a third-party authentication groups, such as the BusinessObjects
NT Users group, use the Authentication management area in CMC. See
“Unmapping LDAP groups” on page 240, “Unmapping AD groups” on
page 247, and “Mapping NT accounts” on page 251.
To delete a group
1. Go to the Groups management area of the CMC.
2. Select the check box associated with the group you want to delete.
3. Click Delete.
The delete confirmation dialog box appears.
4. Click OK.
5. Now configure the SSL settings for each SSL host in the list, starting with
the default host.
• To select settings for the default host, first clear the Use default
value boxes. Then type your values for the path to the certificate and
key database files, the password for the key database. Type a
nickname for the client certificate in the cert7.db if you selected
mutual authentication.
or
• No new aliases will be added and new users will not be created
Use this option when the LDAP directory you are mapping contains
many users, but only a few of them will use BusinessObjects
Enterprise. BusinessObjects Enterprise does not automatically
create aliases and Enterprise accounts for all users. Instead, it
creates aliases (and accounts, if required) only for users who log on
to BusinessObjects Enterprise.
3. In the “Mapped LDAP Member Groups” area, specify your LDAP group
(either by common name or distinguished name) in the Add LDAP group
(by cn or dn) field; click Add.
You can add more than one LDAP group by repeating this step. To
remove a group, highlight the LDAP group and click Delete.
regardless of how many other people are connected. You must have
a named user license available for each user account created using
this option.
or
• New users are created as concurrent users
New user accounts are configured to use concurrent user licenses.
Concurrent licenses specify the number of people who can connect
to BusinessObjects Enterprise at the same time. This type of
licensing is very flexible because a small concurrent license can
support a large user base. For example, depending on how often
and how long users access BusinessObjects Enterprise, a 100 user
concurrent license could support 250, 500, or 700 users.
7. Click Update.
Managing AD accounts
This section provides an overview of AD authentication and the tasks related
to managing it. For information on how AD authentication works in
conjunction with BusinessObjects Enterprise, see “Windows AD security
plug-in” on page 206.
Once you have mapped your AD users and groups, all of the BusinessObjects
Enterprise client tools support AD authentication, except for the Import
Wizard. You can also create your own applications that support AD
authentication. For more information, see the developer documentation
available on your product CD.
Note:
• AD authentication only works for servers running on Windows systems.
• AD authentication and aggregation is not functional without a network
connection.
Mapping AD accounts
To simplify administration, BusinessObjects Enterprise supports AD
authentication for user and group accounts. However, before users can use
their AD user name and password to log on to BusinessObjects Enterprise,
their AD user account needs to be mapped to BusinessObjects Enterprise.
When you map an AD account, you can choose to create a new
BusinessObjects Enterprise account or link to an existing BusinessObjects
Enterprise account.
To map AD users and groups
Before starting this procedure, ensure that you have the appropriate AD
domain and group information. As well, you must have created a domain user
account on your AD server for BusinessObjects Enterprise to use when
authenticating AD users and groups.
1. Go to the Authentication management area of the CMC.
2. Click the Windows AD tab.
3. Ensure that the “Windows Active Directory Authentication is
enabled” check box is selected.
4. If you will be using single sign-on, select the Enable Single Sign On for
selected authentication mode check box.
Note: If you select this option, you must also configure the IIS for single
sign-on. For details, see “Setting up AD single sign-on” on page 249.
Failing to configure IIS could compromise your system security if the
account that IIS runs under belongs to a mapped group, because users
who use one of the web applications would automatically have the same
access privileges as the IIS machine account.
Unmapping AD groups
Similar to mapping, it is possible to unmap groups using BusinessObjects
Enterprise.
To unmap AD groups using BusinessObjects Enterprise
1. Go to the Authentication management area of the CMC.
2. Click the Windows AD tab.
3. In the “Mapped AD Member Groups” area, select the AD group you
would like to remove.
4. Click Delete.
5. Click Update.
The users in the deleted group will no longer be able to access
BusinessObjects Enterprise.
Tip: To deny AD authentication for all users, clear the “Windows Active
Directory Authentication is enabled” check box and click Update.
Note: The only exceptions to this occur when a user has an alias other
than the one assigned for AD authentication. To restrict access, disable
or delete the user’s Enterprise account. For more information, see
“Managing Enterprise and general accounts” on page 219.
Troubleshooting AD accounts
Creating a new AD user account
• If you create a new AD user account, and the account belongs to a group
account that is mapped to BusinessObjects Enterprise, ensure that you
update the user list by clicking Update in the Windows AD tab found in
the Authentication management area. Note that you must click Update to
ensure that new users are imported properly. For information on viewing
AD users and groups, see “Viewing mapped AD users and groups” on
page 247.
• User accounts are automatically created for AD users who are added to
an AD group when these users successfully log on to BusinessObjects
Enterprise.
Managing NT accounts
This section provides an overview of NT authentication and the tasks related
to managing it. For information on how NT authentication works in
conjunction with BusinessObjects Enterprise, see “Windows NT security plug-
in” on page 202.
Note:
• NT authentication only works for servers running on Windows systems. If
you install BusinessObjects Enterprise on a Windows NT, 2000, or 2003
machine, NT authentication is installed and enabled by default.
• NT accounts refer to Windows NT, 2000, or 2003 accounts.
Managing NT accounts includes the following tasks:
• “Mapping NT accounts” on page 251
• “Unmapping NT groups” on page 255
• “Viewing mapped NT users and groups” on page 257
• “Troubleshooting NT accounts” on page 257
• “Setting up NT single sign-on” on page 259
Mapping NT accounts
To simplify administration, BusinessObjects Enterprise supports user and
group accounts that are created using Windows NT. However, before users
can use their NT user name and password to log on to BusinessObjects
Enterprise, their NT user account needs to be mapped to BusinessObjects
Enterprise. When you map an NT account, you can choose to create a new
BusinessObjects Enterprise account or link to an existing BusinessObjects
Enterprise account.
5. To change the Default NT domain, click the domain name. Complete the
Default NT Domain field.
Note: By typing the default NT Domain Name, users do not have to
specify the NT Domain Name when they log on to BusinessObjects
Enterprise via NT authentication. Also, you don’t have to specify the NT
domain name when you map groups.
6. In the Mapped NT Member Groups area, enter the NT domain\group in
the Add NT Group (NT Domain\Group) field.
Note: If you want to map a local NT group, you must type
\\NTmachinename\groupname.
7. Click Add.
The group is added to the list.
8. New Alias Options allow you to specify how NT aliases are mapped to
Enterprise accounts. Select either:
• Assign each added NT alias to an account with the same name
Use this option when you know users have an existing Enterprise
account with the same name; that is, NT aliases will be assigned to
existing users (auto alias creation is turned on). Users who do not
have an existing Enterprise account, or who do not have the same
name in their Enterprise and NT account, are added as new NT users.
or
• Create a new account for every added NT alias
Use this option when you want the system to create a new account
for each user. The system ensures that the users are created with
unique names. For example, if BusinessObjects Enterprise user
bsmith already exists and an NT user with the same is added, the
new user will be bsmith01.
9. Update Options allow you to specify if NT aliases are automatically
created for all new users. Select either:
• New aliases will be added and new users will be created
Use this option to automatically create a new alias for every NT user
mapped to BusinessObjects Enterprise. New NT accounts are added
for users without BusinessObjects Enterprise accounts, or for all
users if you selected the “Create a new account for every added NT
alias” option.
or
Unmapping NT groups
Similar to mapping, it is possible to unmap groups using the administrative
tool in Windows NT/2000, or BusinessObjects Enterprise.
To unmap NT users and groups using Windows NT
1. From the Administrative Tools program group, click User Manager.
2. Select BusinessObjects NT Users.
3. From the User menu, click Properties.
Troubleshooting NT accounts
Creating a new NT user account
• If you create a new NT user account, and the account does not belong to
a group account that is mapped to BusinessObjects Enterprise, add it to
BusinessObjects Enterprise. For more information, see “Mapping NT
accounts” on page 251.
• If you create a new NT user account, and the account belongs to a group
account that is mapped to BusinessObjects Enterprise, refresh the user
list. For more information, see “Viewing mapped NT users and groups” on
page 257.
Managing aliases
If a user has multiple accounts in BusinessObjects Enterprise, you can link
the accounts using the assign alias feature. This is useful when a user has a
third-party account that is mapped to Enterprise and an Enterprise account.
By assigning an alias to the user, the user can log on using either a third-party
user name and password or an Enterprise user name and password. Thus,
an alias enables a user to log on via more than one authentication type.
You can also reassign an alias in BusinessObjects Enterprise. For example,
after you map your third-party accounts to BusinessObjects Enterprise, you
can use the Reassign Alias feature to reassign an alias to a different a user.
In CMC, the alias information is displayed at the bottom of the properties
page for a user. A user can have any combination of BusinessObjects
Enterprise, LDAP, AD, or NT aliases.
4. Type in the third-party account name for the user, for example, bsmith.
Assigning an alias
When you assign an alias to a user, you move a third-party alias from another
user to the user you are currently viewing. You cannot assign or reassign
Enterprise aliases.
Note: If a user has only one alias and you assign that last alias to another
user, the system will delete the user account, and the Favorites folder,
personal categories, and inbox for that account.
To assign an alias from another user
1. Go to the Users management area of the CMC.
2. Click the link for the user you want to assign an alias to.
3. Click Assign Alias.
The Assign Alias page appears.
4. Select the alias you want in the list of available aliases.
5. Click the > arrow.
Tip:
• To select multiple aliases, use the SHIFT+click or CTRL+click
combination.
• To search for a specific alias, use the Look For field.
6. Click OK.
Reassigning an alias
When you reassign an alias, you move a third-party alias from the user that
you are currently viewing to another user. You cannot assign or reassign
Enterprise aliases.
Note: If a user has only one alias and you reassign that alias to another user,
the system will delete the user account, and the Favorites folder, personal
categories, and inbox for that account.
To reassign an alias to another user
1. Go to the Users management area of the CMC.
2. Click the link for the user whose alias you want to reassign, for example,
bsmith.
3. Click the Reassign Alias button for the alias.
The Reassign Alias page appears.
4. In the list, click the name of the user that you want to assign the alias to,
for example, jbrown.
5. Click OK.
The alias for bsmith has now been assigned to the user jbrown, and the
Properties page for user jbrown is displayed. The user jbrown can now
log on using the third-party user account and authentication method. The
user bsmith can no longer use this alias.
Disabling an aliases
You can prevent a user from logging on to BusinessObjects Enterprise using
a particular authentication method by disabling the user’s alias associated
with that method. To prevent a user from accessing BusinessObjects
Enterprise altogether, disable all aliases for that user.
Note: Deleting a user from BusinessObjects Enterprise does not necessarily
prevent the user from being able to log on to BusinessObjects Enterprise
again. If the user account still exists in the third-party system, and if the
account belongs to a group that is mapped to BusinessObjects Enterprise,
then BusinessObjects Enterprise will still allow the user to log on. To ensure a
user can no longer use one of his or her aliases to log on to BusinessObjects
Enterprise, it is best to disable the alias. See also “Deleting an alias” on
page 265.
To disable an alias
1. Go to the Users management area of the CMC.
2. Click the name of the user whose alias you want to disable.
3. In the Alias area on the Properties page, clear the Enabled check box for
the alias you want disable.
2. Create the file krb5.ini, if it does not exist, and store it under it the
following platform dependant location:
Platform Location
Windows c:\WINNT
Solaris /etc/krb5/krb5.conf
Linux /etc/krb5.conf
Note: You can store this file in a different location, however if you do, you
will need to specify its location in your java options. See “Modifying your
Java options for Kerberos” on page 274 for procedural details.
3. Add the required information in the Kerberos configuration file.
• If your using Tomcat, Oracle Application Server or Weblogic on
Windows, add the following to your Kerberos krb5.ini
configuration file, where DNS.COM is the DNS name of your domain
which must be entered in FQDN format and entered in uppercase:
[libdefaults]
default_realm = DNS.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
DNS.COM = {
default_domain = DNS.COM
kdc = hostname.DNS.COM
}
Note: You can add multiple domain entries to the [realms] section
if your users log in from multiple domains. kdc is the Host name of
the Domain Controller. To see a sample of this file with multiple
domain entries, see “Sample single domain Krb5.ini file” on
page 276 or “Sample multiple domain Krb5.ini file” on page 275. For
further information see http://java.sun.com/j2se/1.5.0/docs/guide/
security/jgss/tutorials/KerberosReq.html.
• If you are using WebSphere, add the following to your Kerberos
krb5.ini configuration file, where DNS.COM is the DNS name of
your domain which must be entered in FQDN format and entered in
uppercase:
[libdefaults]
default_realm = DNS.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[libdefaults]
default_realm = DOMAIN03.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[logging]
[realms]
DOMAIN03.COM = {
admin_server = testvmw2k07
kdc = testvmw2k07
default_domain = domain03.com
}
CHILD1.DOMAIN03.COM = {
admin_server = testvmw2k08
kdc = testvmw2k08
default_domain = child1.domain03.com
}
CHILD2.DOMAIN03.COM = {
admin_server = testvmw2k09
kdc = testvmw2k09
default_domain = child2.domain03.com
}
DOMAIN04.COM = {
admin_server = testvmw2k011
kdc = testvmw2k011
default_domain = domain04.com
}
• userName="domainaccount"
• Password="password"
Where domainaccount is a domain account that you have set to be trusted
for delegation, and password is the password for the domain account.
In the above path name, version represents the software version.
Note: For security reasons, make sure that the account which IIS helper
processes run under does not belong to a mapped group.
2. If the machine name for the web server is different from the name that is
used to access it, add an SPN for HTTP access on the web server
machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if access is via www.domainname.com but the machine name
is web.domainname.com.
• userName="domainaccount"
• Password="password"
In the above path name, version represents the software version.
Where domainaccount is a domain account that you have set to be trusted
for delegation, and password is the password for the domain account.
Note: If you don’t want to use end-to-end single sign-on but want to
provide single sign-on to the database, skip step 1. See also “Configuring
IIS for single sign-on to databases only” on page 284. For security
reasons, make sure that the account which the IIS worker processes run
under does not belong to a mapped group.
2. Add the domain account to the IIS_WPG local group, and give it the
relevant rights to access the needed files. For more information, see
http://msdn.Microsoft.com.
3. If the machine name for the web server is different from the name that is
used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost
Which approach you use, depends on how you want to manage your system
security.
For complete information about security risks associated with system or user
domain accounts, refer to the Microsoft web site: http://www.microsoft.com.
To configure the IIS6 for single sign-on to databases
1. Make sure IIS is running as a domain account.
2. Configure the account for the w3wp.exe worker process:
a. In the Internet Service Manager window, right-click the machine
name and select Application Pool > New.
b. Type in a name for the application pool.
c. In the tree panel on the left, expand to Default Web Site >
businessobjects > EnterpriseX (where X equals your version
number).
d. Right-click InfoView and select Properties.
e. On the Directory tab select the new application pool name from the
list, and then click Apply.
f. Right-click the application pool you created, and select Properties.
g. On the Identity tab select LocalSystem from the list, and then click
Apply.
Note:
• Configuring the w3wp.exe account to run as a machine domain
account will cause all ASP.NET web applications on the web server
to run as privileged system accounts.
• For security reasons, make sure that the account which IIS runs
under does not belong to a mapped group.
3. If the machine name for the web server is different from the name that is
used to access it, add an SPN for HTTP access on the web server
machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if access is via www.domainname.com but the machine name
is web.domainname.com.
chapter
11 Controlling User Access
Controlling user access overview
This example shows the rights for the Report Samples folder. The Name
column lists all users and groups who have been given rights to the object.
The Object column shows whether the entry is a User or a Group. In this
case, users have not been specified individually; instead, users have been
divided into two groups—Everyone and Administrators—which have been
granted rights to the folder object. Click Add/Remove to add or remove a user
or group to this object.
The Access Level column shows how each user’s or group’s rights are
determined. In this example, both groups possess Inherited Rights. You can
change the rights for either group by selecting a predefined access level (or
by selecting Advanced) from the list in the Access Level column. When you
change an entry in the Access Level column, click Update to effect your
changes. For more information, see “Setting common access levels” on
page 296.
The Net Access column displays the net effect of whatever is selected in the
Access Level column. That is, the Net Access column shows the effective
rights that each user or group has to the object. The Net Access column is
particularly useful when you are working with inheritance. In this example, the
Everyone group inherits rights from a parent folder—one that is not displayed
on this screen. The Net Access column shows that the rights inherited from
the parent folder are equivalent to the Schedule access level.
Tip: If you want to view the individual object rights that make up a user’s (or
group’s) Net Access, click the corresponding Access Level list and select
Advanced. The Advanced Rights page displays the user’s full array of object
rights that have been specified explicitly and/or inherited. Click Cancel to exit
without making changes. For more information, see “Setting advanced object
rights” on page 298.
For detailed tutorials that walk you through sample implementations of object
rights, see “Customizing a ‘top-down’ inheritance model” on page 307.
Note: There is no predefined access level to grant users the rights required
to create or modify reports through the Report Application Server (RAS). For
details, see the BusinessObjects Enterprise Administrator’s Reference Guide.
Note: In the developer documentation, access levels are referred to as roles.
To set an access level for a user or group
1. Go to the Objects or Folders management area of the CMC.
2. Locate the object whose rights you want to modify.
3. Click the link to the object, and then click its Rights tab.
4. In the Name column, locate the user or group whose rights you want to
specify.
If the user or group is not listed, click Add/Remove. Add the appropriate
user or group and click OK. You are returned to the object’s Rights tab.
5. In the Access Level column, select the access level (No Access, View,
Schedule, View On Demand, or Full Control) that is appropriate for the
user or group.
6. Click Update.
Tip: For detailed tutorials that walk you through sample implementations of
object rights, see “Customizing a ‘top-down’ inheritance model” on page 307.
The first two options specify which types of inheritance affect the Guest user’s
rights to this object. In this example, the Guest user cannot inherit rights by
virtue of group membership. But, the Guest user may inherit any rights that he
or she has been granted to this report’s parent folder.
The remainder of the Advanced Rights page lists all available object rights
and shows how each right applies to the Guest user. To customize the overall
security levels, you can explicitly grant or deny any given right, or you can
specify that you want certain rights to be inherited.
The Inherited column serves as an indicator to show how inherited rights
affect the Guest user’s effective rights to this report object. A user or group
can be granted or denied a right by virtue of inheritance. In addition, some
rights may remain “not specified”—that is, they are neither granted nor
denied. If an inherited right is labelled as “Not Specified”, BusinessObjects
Enterprise treats it as having been denied. (And if the right is later granted for
a parent group or object, the user or group will automatically inherit the right
at this level.)
In this example, the Guest user has two inherited rights (the right to “View
document instances that the user owns” and to “Pause and Resume
document instances that the user owns”). Currently, these rights are not
specified, so the rights are denied by default. However, if the Guest user’s
rights should change on the report’s parent folder, the rights will also change
for this report object. This demonstrates how inheritance can facilitate future
changes to the overall security model.
Tip: For scalability and manageability, it is recommended that you leave as
many rights as possible inherited, because the system automatically updates
those rights as you modify and update your security settings throughout the
folder and group hierarchies.
The Explicitly Granted column shows which actions the Guest user is allowed
to perform on this report. The Guest user is currently granted eleven rights to
this report (the right to “View objects,” “Schedule the document to run,” and so
on). Because group inheritance is disabled, the Guest user will retain these
rights, even if its group membership is modified or changed completely. This
demonstrates how you can use explicit rights to override a group’s rights for a
particular group member.
The Explicitly Denied column works similarly to the Explicitly Granted column.
Regardless of any future changes to the user’s group membership, an
explicitly denied right always prevents a user from performing the associated
action. In this example, the Guest user has been explicitly denied eleven
rights (the right to “Add objects to the folder,” “Edit objects,” and so on). Again,
this demonstrates how you can use explicit rights to override a group’s rights
for a particular group member.
When you have made your changes on the Advanced Rights page, click OK.
Tip: For detailed tutorials that walk you through sample implementations of
object rights, see “Customizing a ‘top-down’ inheritance model” on page 307.
6. Click Update.
The Net Access column now displays the effective rights that the user
has to the object. Because you have disabled all inheritance, the Net
Access entry equals the Access Level entry.
When you disable folder inheritance for a user, you reduce this algorithm to
three steps (1, 3, and 5). When you disable group inheritance for a user, you
reduce this algorithm to three different steps (1, 2, and 5). In both cases, the
CMS grants the user only those rights that are explicitly granted in one or
more locations and never explicitly denied.
This pseudocode is provided as another way to illustrate and describe the
algorithm that the CMS follows in order to determine whether a user is
authorized to perform an action on a particular object:
IF {
(User granted right to object = True)
OR [
(Inherit Parent Folder Rights = True) AND (User
granted right to parent folder = True)
]
OR [
(Inherit Group Rights = True) AND (Group granted right
to object = True)
]
OR [
(Inherit Group Rights = True) AND (Group granted right
to parent folder = True)
]
}
AND {
(User denied right to object = False)
AND [
(Inherit Parent Folder Rights = False)
OR ((Inherit Parent Folder Rights = True) AND (User
denied right to parent folder = False))
]
AND [
(Inherit Group Rights = False)
OR ((Inherit Group Rights = True) AND (Group denied
right to object = False))
]
AND [
(Inherit Group Rights = False)
OR ((Inherit Group Rights = True) AND (Group denied
right to parent folder = False))
]
}
THEN {
User action authorized = True
}
ELSE {
User action authorized = False
}
8. Click OK.
You are returned to the “Member of” tab. The Sales USA group is now a
member (or subgroup) of the Sales group.
9. Repeat steps 1 to 8 to create the remaining Sales subgroups for the tutorials.
Use the following values for the Group Name and Description fields:
You are now ready to proceed to either of the object security tutorials:
• “Setting up an open system of decreasing rights” on page 311.
• “Setting up a closed system of increasing rights” on page 322.
• Sales staff can also view reports for their own regions. If the staff
member is also a Manager, he or she can view and refresh reports
from all regions.
• Sales Managers require Full Control access to the management
reports.
• Sales Report Designers require custom administrative privileges to
all Sales folders.
For a shorter, less detailed tutorial, see “Setting up a closed system of
increasing rights” on page 322.
Changing default rights on the top-level folder
The first step is to set object rights on the top-level BusinessObjects
Enterprise folder. This folder serves as the root for all other folders and
objects that you add to the system. Each subfolder, report, or other object that
you add to this top-level folder will by default inherit rights from this folder. So,
by setting rights here first, you minimize the need to repeatedly customize
object rights throughout your folder hierarchy.
With this procedure, you set security on the top-level folder in order to meet
your first three security requirements:
• Everyone must be able to view the majority of your reports.
• Administrators require Full Control access to all folders and objects on
the system.
• Sales Managers are allowed to refresh most reports against the database
to view the most recent data.
To change the rights on the top-level folder
1. Go to the Settings management area of the CMC.
2. Click the Rights tab.
By default, the Everyone and the Administrators groups are granted
access to this folder. You now need to reduce the rights of the Everyone
group and to increase the rights of the Sales Managers.
3. Click the Access Level list that corresponds to the Everyone group, and
select View.
4. Click Update.
The rights for the Everyone group are reduced and the View access level
is now displayed in the Net Access column.
Now you will customize the top-level rights for the Sales Managers group.
8. Click Update.
The Net Access column shows that you have secured this folder from all
users other than Administrators.
Next, you will grant the Marketing group Full Control access to this folder.
9. Click Add/Remove.
The Add/Remove page appears.
10. In the Select Operation list, click Add/Remove Groups.
11. In the Available groups list, select Marketing.
12. Click the > arrow; then click OK.
You are returned to the Rights tab. The Marketing group is granted
access to the folder. You need to change the default setting to grant them
Full Control access.
13. Click the Access Level list that corresponds to the Marketing group, and
select Full Control.
14. Click Update.
The Net Access column shows that you have granted the Marketing
group Full Control access to this folder.
Members of this group now have the ability to perform all tasks in this folder.
They can add and delete reports, folders, and subfolders, and they can view,
schedule, and export reports to all available destinations and formats.
To complete this tutorial, you need to customize the rights that various Sales
groups have to a hierarchical set of Sales folders. Before setting the rights for
each group, you will see how to create multiple folders quickly when you
publish a set of reports to BusinessObjects Enterprise.
Publishing a set of folders and reports
The final security requirements for this tutorial are related to the Sales group
and its subgroups. They require a hierarchy of folders containing worldwide
reports, regional reports, and management reports.
Because this tutorial sets up a system of decreasing rights, you will first
create a set of folders that places the most general content at the top of the
directory tree. In this case, all Sales staff can view the worldwide reports, so
the folder for those reports requires the lowest level of security. The regional
reports will go in subfolders that are accessible only to users who belong to
the appropriate regional Sales group. The management reports will be
located in subfolders of each of the regional folders.
2. Arrange your reports (.rpt files) in the new folders on your local hard
drive.
If you do not have any of your own reports, use some of the sample
reports included with BusinessObjects Enterprise. The sample reports
are typically installed to C:\Program Files\Business
Objects\BusinessObjects Enterprise 11.5\Samples\language
\Reports (replace language with, for example, en, de, fr, or jp,
depending upon your version of BusinessObjects Enterprise).
Note: To complete this procedure, you must place at least one report file
in each of the folders that you have created on your local hard drive.
Otherwise, the Publishing Wizard will not create the appropriate
directories on the BusinessObjects Enterprise system.
3. From the BusinessObjects Enterprise XI Programs group, start the
Publishing Wizard and, when it appears, click Next.
4. In the System field, type the name of the CMS to which you want to add
objects.
5. In the User Name and Password fields, type your BusinessObjects
Enterprise credentials.
6. From the Authentication list, select the appropriate authentication type.
7. Click Next.
The Select A File dialog box appears.
9. Select the top level Worldwide Sales folder that you created on your
local hard drive.
10. Select the Include subfolders check box, and then click OK.
You are returned to the Select A File dialog box. All of the reports are
added to the list.
Tip: If you are publishing sample reports for the purpose of this tutorial,
click Next to accept all the default values. For more information on the
rest of the Publishing Wizard, see “Publishing with the Publishing Wizard”
on page 346.
When the Publishing Wizard has added the reports and folders to the
system, it displays a summary:
18. Click Finish to close the Publishing Wizard.
You are now ready to set each Sales group’s object rights for the new set
of Sales folders.
Setting the base rights on the Sales folders
Now that you have used the Publishing Wizard to add reports and create the
appropriate folders and subfolders, you are ready to set the object rights for
each level of reporting content.
The security requirements are as follows:
• All Sales staff can view worldwide reports.
• Sales staff can also view reports for their own regions. If the staff member
is also a Manager, he or she can view and refresh reports from all
regions.
• Sales Managers require Full Control access to the management reports.
• Sales Report Designers require custom administrative privileges to all
Sales folders.
To set the base rights on the Worldwide Sales folder
1. Go to the Folders management area of the CMC.
2. Click the link to the Worldwide Sales folder.
3. On the folder’s Rights tab, click Add/Remove.
4. In the Select Operation list, click Add/Remove Groups.
5. In the Available groups list, select Sales and Sales Report Designers.
Tip: Use CTRL+click to select multiple groups.
6. Click the > arrow; then click OK.
You are returned to the Rights tab.
7. In the Access Level column, select the following rights for each group:
• Administrators: Inherited Rights
• Everyone: No Access
• Sales: View
• Sales Managers: Inherited Rights
8. Click Update. The Rights tab of this Managers Only folder shows again
that the Administrators, Sales Managers, and Sales Report Designers
groups all have Full Control access to the folder. Members who do not
belong to one of these groups are completely restricted from the folder.
You have now reached the end of this tutorial.
chapter
12 Organizing Objects
Organizing objects overview
4. Click OK.
The new folder is added to the system, and its Properties tab is
refreshed. You can now use the Objects, Subfolders, Limits, and Rights
tabs to add objects and to change settings for this folder.
Tip: You can browse through existing subfolders to add a new folder
elsewhere in the folder hierarchy. When you have found the right parent
folder, go to its Subfolders tab.
The Subfolders tab appears.
Deleting folders
When you delete a folder, all subfolders, reports, and other objects contained
within it are removed entirely from the system.
To delete folders
1. Go to the Folders management area of the CMC.
2. Select the check box associated with the folder you want to delete.
If the folder you want to delete is not at the top level, locate its parent
folder. Then make your selection on the parent folder’s Subfolders tab.
Tip: Select multiple check boxes to delete several folders from their
parent folder.
3. Click Delete, and click OK to confirm.
6. Click OK.
The folder you selected is copied or moved, as requested, to the new
destination.
3. On the left side of the New Object page, click the type of object you want
to add.
4. On the right side of the New Objects page, browse to select an existing
object.
5. If you are adding an object package or a publication, you need to provide
a title and description for the new object instead of selecting an existing
one.
6. Ensure that the correct folder name appears in the Destination field.
2. Modify the available settings according to the types of instance limits that
you want to implement, and click Update after each change.
The available settings are:
• Delete excess instances when there are more than N instances of an
object
To limit the number of instances per object, select this check box.
Then type the maximum number of instances that you want to
remain on the system. (The default value is 100.)
• Delete excess instances for the following users/groups
To limit the number of instances per user or group, click Add/Remove
in this area. Select from the available users and groups and click OK.
Then type the maximum number of instances in the Instance Limit
column. (The default value is 100.)
Deleting categories
When you delete a category, all subcategories within it are remove entirely
from the system. Unlike folder deletion, the reports and other objects
contained within the category are not deleted from the system.
To delete categories
1. Go to the Categories management area of the CMC.
2. Select the check box associated with the category you want to delete.
If the category you want to delete is not at the top level, locate its parent
category. Then make your selection on the parent category’s
Subcategories tab.
Tip: Select multiple check boxes to delete several categories from their
parent category.
3. Click Delete, and click OK to confirm.
Moving categories
When you move a category, any object assigned to the category maintains its
association with it. All of the category’s object rights are retained.
For example, you may have a South American Sales category that is
accessible only by sales people in that region. You also have a World Sales
category that contains worldwide sales reports needed by all sales people.
For more intuitive organization, you want to move the region categories into
the World Sales category. When you move the South American Sales
category into the World Sales category, it retains its rights settings and
associated objects, even though it has become a subcategory of the World
Sales category.
To move a category
1. Go to the Categories management area of the CMC.
2. Select the check box associated with the category that you want move.
If the category you want to move is not at the top level, locate its parent
category. Then make your selection on the parent category’s
Subcategories tab.
Tip: Select multiple check boxes to copy or move several categories
from their parent category to a different category.
3. Click Move.
The Move page appears.
4. Select the Destination category from the list.
Tip: If there are many categories on your system, use the “Look for” field
to search, or click Previous, Next, and Show Subcategories to browse the
category hierarchy.
5. Click OK.
The category you selected is moved to the new destination.
chapter
13 Publishing Objects to BusinessObjects Enterprise
Overview
Overview
Publishing is the process of adding objects to the BusinessObjects Enterprise
environment and making them available to authorized users. There are
several types of objects that you can publish to BusinessObjects Enterprise:
• reports (from Crystal Reports and OLAP Intelligence)
• documents (from Desktop Intelligence)
• programs
• Microsoft Excel/Word/PowerPoint files
• Adobe Acrobat PDFs
• text files
• rich text format files
• hyperlinks
• object packages (which consist of report and/or program objects)
You can publish objects to BusinessObjects Enterprise in three ways. For
more information, see the following sections:
• “Publishing with the Publishing Wizard” on page 346.
• “Publishing with the Central Management Console” on page 357.
• “Saving objects directly to the CMS” on page 359.
Note: You can also create and add new objects directly to BusinessObjects
Enterprise from within InfoView.
3. In the System field, type the name of the CMS where you want to publish
objects.
4. In the User Name and Password fields, type your BusinessObjects
Enterprise logon credentials.
5. From the Authentication list, select the appropriate authentication type.
6. Click Next.
The Select Files dialog box appears.
Adding objects
1. In the Select Files dialog box, click Add Files or Add Folders.
Tip:
• To add a new folder to the CMS, select a folder and then click New
Folder.
• To add a new object package to the CMS, select a folder, and then
click New Object Package.
• To delete a folder or an object package, select the object, and click
Delete.
Note: From the wizard, you can delete only new folders and object
packages. (New folders are green; existing folders are yellow.)
If you are publishing multiple objects, and you want to place them in
separate directories, see “Duplicating the folder structure” on page 351.
2. Click Next.
The Confirm Location dialog box appears.
You can also add folders and object packages by selecting a parent
folder and clicking the New Folder or New Object Package button. To
delete a folder or object packages, select it and click the Delete button.
You can drag-and-drop objects to place them where you want, and you
can right-click objects to rename them.
By default, the title of the objects are displayed. You can display the local
file names of the objects by clicking the Show file names button.
2. Click Next.
The Specify Categories dialog box appears.
• Java
You can publish any Java program to BusinessObjects Enterprise as
a Java program object. They typically have a .jar file extension.
• Script
Script program objects are JScript and VBScript scripts.
3. After you specify the type of program that you are adding, click Next.
The Program Credentials dialog box appears.
2. Select the database and change the logon information in the appropriate
fields. If the database does not require a user name or password, leave
the fields blank.
Note: Enter user name and password information carefully. If it is
entered incorrectly, the object cannot retrieve data from the database.
3. After you finish typing the logon information for each object, click Next.
The Set Report Parameters dialog box appears if it is needed.
Setting parameters
Some objects contain parameters for data selection. Before these objects can
be scheduled, you must set the parameters to determine the objects’ default
prompts.
1. In the Set Report Parameters dialog box, select the object that includes
the prompts that you want to change.
The object’s prompts and default values appear in a list on the right-hand
side of the screen.
2. Click Edit Prompt to change the value of a prompt.
Depending on the type of parameter that you have chosen, different
dialog boxes appear.
3. If you want to set the prompts to contain a null value (where possible),
then click Set Prompts to NULL.
4. Click Next after you have finished editing the prompts for each object.
The Specify Format dialog box appears.
3. On the left side of the page, select the type of object that you want to
publish.
4. Specify the properties of the object:
Note: The properties that appear vary according to the type of object
that you chose to publish.
• File name
Type the full path to the object, or click Browse to perform a search.
• Title
Type the name of the object.
• Description
Type a description for the object.
• Generate thumbnail for the report
If you are publishing a Crystal report, select this option if you want
users to see a thumbnail preview of the report in BusinessObjects
Enterprise.
chapter
14 Importing Objects to BusinessObjects Enterprise
Importing information
Importing information
The Import Wizard is a locally installed Windows application that allows you to
import existing user accounts, groups, folders, and reports to your new
BusinessObjects Enterprise system. The Import Wizard runs only on
Windows, but you can use it to import information from a source environment
that is running on Windows or UNIX to a new BusinessObjects Enterprise
system that is running on Windows or on UNIX.
You can import information from any of these products:
• BusinessObjects Enterprise XI or XI R2
• Crystal Enterprise 8.5, 9, or 10
• Business Intelligence Archive Resource (BIAR) files
Note: A BIAR file is a packaged BI Application Resource. It is a portable,
deployable package of the contents of a BI Application that can be used
to easily deploy the entire set of interrelated content in a single simple
action. From a technical perspective, it is a ZIP file containing the
following:
• A Deployment Manifest (BusinessObjects.xml).
• A series of other compressed files for all of the reports, universes,
and other FRS objects contained in the BI Application.
• BusinessObjects 5.x or 6.x
Note: The Import Wizard migrates Application Foundation objects from
your 6.x deployment to performance management XI R2.
For information on migration from BusinessObjects 5.x/6.x, see the
BusinessObjects 5.x to XI Release 2 Migration Guide or the
BusinessObjects 6.x to XI Release 2 Migration Guide.
• Text files
Text files can be used to import users, groups and profiles or data source
credentials. See “Using text files with the Import Wizard” on page 411 for
further information.
The functionality provided by the Import Wizard varies, depending upon the
product from which you are importing information. In general, the Import
Wizard imports settings that are specific to each object, rather than global
system settings. For instance, a global “minimum number of characters”
password restriction is not imported. But a user-level “must change password
at next log on” restriction is imported with the user account.
As another, more involved example, User A owns an object and has Full
Control rights while User C has View rights on the same object. If User D runs
the Import Wizard and brings the object across along with User C, but not
User A, the object becomes owned by the Administrator: User A loses Full
Control rights, but User C still has View rights on the object.
Note: Always import users if you want to bring across the associated rights
for an object, even if the user already exists in the destination system. If the
user already exists, the Import Wizard maps all rights for the user on the
source system to the existing user on the destination system. If the user is not
brought across, all rights information for that user is discarded.
Folders
Folders are imported, whether or not they exist already in the destination
environment. To ensure that existing folders are not overwritten, make sure
you choose the “Automatically rename top-level folders that match top-level
folders on the destination system.” option in the “Please choose an import
scenario” dialog box. When this option is selected, the Import Wizard
appends a number to the end of any duplicated folder names to indicate the
number of copies. For example, if you import a folder called Sales Reports
when a folder called Sales Reports already exists, then the imported folder is
added to BusinessObjects Enterprise with the name Sales Reports(2).
Report objects
The Import Wizard can import Crystal report objects only if they are based on
native drivers, ODBC data sources, OLAP data sources, Crystal Info Views,
or Business Views. You can import the report instances for each report object,
and the scheduling patterns that you have set up in the source environment
are imported automatically.
Supported reports are always imported with their parent folders, whether or
not they exist already in the destination environment. However, so as not to
overwrite existing folders, the Import Wizard appends a number to the end of
any duplicated folder names to indicate the number of copies.
When you import content from one deployment to another, you can ensure
that a particular user account retains ownership of its objects and scheduled
instances by importing the user along with the content. If you don’t import the
user account, the ownership properties of its objects and instances are reset
Rights
When you import folders and reports from one BusinessObjects Enterprise
system to another, the associated object rights are imported for every user or
group who is imported at the same time. If the user or group is not imported at
the same time, the object rights are discarded. For instance, suppose that you
import a report that explicitly grants View On Demand rights to the Everyone
group in the source environment—but you do not import the Everyone group.
In this case, the newly imported report in the destination environment will not
grant the same explicit rights to the Everyone group. Instead, the report
inherits any rights that have been set on its parent folder.
If you do import the appropriate user or group, and it already exists by name
in the destination environment, then the corresponding object rights are
imported and applied to the existing user or group. For instance, modifying
the example above, suppose that you import the report and the Everyone
group. In this case, the Import Wizard imports the object rights along with the
report. So the newly imported report in the destination environment will
explicitly grant the View On Demand right to the Everyone group.
Appropriate rights
To use the Import Wizard, you must have the following rights:
• In BusinessObjects 5.x/6.x, you must have a General Supervisor profile
in the repository.
• In XI R2, you must belong to the Administrator group in the CMS.
• To import any resource into the CMS, you must have the rights needed to
add objects to the destination folder to which the resource is assigned.
Data sources
Create data sources on each destination server machine for every repository
domain in the source deployment. The name and configuration details for the
data sources must match the data sources in the source deployment.
Certain databases that can host a version 6.x repository are not supported for
an XI R2 repository. For the latest information, see the list of supported
platforms at:
http://support.businessobjects.com/supported_platforms_xi_release2/
Folder mapping
On the Import Wizard machine, map the drives to the source environment
directories containing the deployment’s .key files, personal documents and
categories, and users’ Inboxes:
• $INSTALLDIR\locData for access to 5.1.x .key files
UNIX servers
If your XI R2 server runs on UNIX, you need to install the Import Wizard on a
separate Windows machine. You will also need to use a third-party utility to
map Windows drives to UNIX.
For example, see the Microsoft documentation on “Interoperability with UNIX/
Planning and Installing Services for UNIX on Windows 2000 Professional.” As
of this writing, the URL is:
http://www.microsoft.com/resources/documentation/Windows/2000/server/
reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/
server/reskit/en-us/prork/prci_unx_houn.asp
Import ing Inbox and personal files from one UNIX environment to
another
To import Inbox and personal files from one UNIX environment to another,
you must tar the source files from each cluster node, then unzip them into
folders on the Import Wizard Windows machine before running the import.
On the Import Wizard machine, map drives to the local folders containing the
unzipped source environment directories.
Note: The Import Wizard can import objects only if they are located in the
repository or in personal and inbox folders.
Inbox documents
In BusinessObjects 5.x/6.x, Inbox documents are stored in the repository until
recipients have read them. When a document has been read by a given user,
it is copied to the user’s Inbox folder . See “Folder mapping” on page 370 for
information on the location of these documents in each version. After all
recipients have read them, the documents are removed from the repository.
The Import Wizard will import both read and unread Inbox documents to XI
R2; therefore, you will have to specify the location of the mail folder.
The documents are migrated to XI R2 users’ Inbox folders in the CMS.
Documents inherit the rights of the 5.x/6.x Inbox folder.
The above two paragraphs seem contradictory to me...
If the Inbox contains duplicate documents, they are also migrated to the FRS.
To import 5.x/6.x Inbox documents that reside on a UNIX machine, you need
to map a drive from the Windows server running the Import Wizard to the
directories on the UNIX machine containing the documents.
Personal documents
In BusinessObjects5.x/6.x personal documents are imported to the user’s
Favorites folder in the destination CMS. Documents inherit the rights of this
folder. See “Folder mapping” on page 370 for information on the location of
these documents in each version. The document owner and the Business
Objects Administrator have access to these documents. Personal or
Corporate categories that referred to these documents in 5.x/6.x continue to
refer to them in XI R2.
Corporate documents
In BusinessObjects 5.x/6.x corporate storage is mapped to the Public Folders
folder in the XI R2 CMS repository. Corporate documents are saved in this
folder after the import.
Each domain is migrated as a folder in the Public folder of the CMS
repository.
If your 5.x/6.x repository was a distributed one, all the domains are imported
into a single place.
BusinessObjects documents
When you import a 5.x/6.x BusinessObjects (.rep) document to XI R2, the
following occur:
• The universe ID pointer is updated so that it references a universe in the
CMS.
• An InfoObject is created in the CMS for this document and for the saving
of this document.
• Properties are updated and displayed in the CMC.
BusinessObjects template (.ret) documents do not contain cubes or a
connection to a universe; therefore, all that occurs is:
• The locale of the document is updated.
• An InfoObject is created in the CMS.
Limitations
Keep in mind the following limitations when you import BusinessObjects
documents:
• XI R2 can read BusinessObjects 5.x/6.x .rep documents, but after you
save these documents in XI R2, they can’t be read by BusinessObjects
5.x/6.x of the software.
• BusinessObjects 5.x/6.x cannot open XI R2 Desktop Intelligence
documents.
• OLAP data providers are not supported in XI R2.
BusinessObjects 5.x/6.x documents based on an OLAP data provider are
view-only in XI R2.
• In XI R2, there is no document password protection on the server side.
• XI R2 Desktop Intelligence cannot access a BusinessObjects 5.x/6.x
repository.
BusinessObjects SDK
The platform-related portion of the BusinessObjects SDK has evolved, which
means that code developed for 5.1/6.x will require updates for platform
interactions (authentication, send document, receive document).
Send to Users and Send to Broadcast Agent Server are not available in XI
R2. Instead, you need to use the Platform COM SDK.
The server-side report engine is not multi-document. This means that add-ins
will not be loaded on the server. For example, for a document based on a
custom data provider (DPVBAInterface) implemented in an add-in, refresh will
fail.
Limitations
There may be an issue with the migration of the following .wqy features to
.wid:
Third-party documents
BusinessObjects 6.x supports third-party (also known as “agnostic”)
documents. The Import Wizard imports these documents into XI R2 if the
format is supported. Formats supported in XI R2 include Adobe Acrobat PDF;
Microsoft Power Point, Word, RTF, and Excel; and *.txt documents.
For the most up-to-date list of supported formats for third-party documents,
see the list of supported platforms.
File Watcher
Although the Import Wizard will transfer File Watcher details to the Event
Server, deletes set in Broadcast Agent 6.x may not function in XI R2. You can
set these deletes in Broadcast Agent 6.x:
• Delete the file each time the task starts.
• Delete the file only if the task succeeded.
• Delete the file after execution of the task.
Associated universes
When you import scheduled documents from 5.x/6.x, you must also import
the universes used by these documents. As the universes are not selected
automatically during the import, you must manually select the ones you need
for Broadcast Agent jobs if you are not importing all your universes.
Corporate
If the document is not already imported in the domain or is not imported at the
same time to the CMS, then the job is not migrated. Verification is performed
by comparing the CUIDs.
Otherwise, the Import Wizard creates an instance of this document using the
schedule parameters of the original job.
• No ACL is set at this instance level. The instance inherits the ACL set at
the document level.
• If the document has been scheduled several times in Corporate, then the
same number of instances are created
Inbox
If the sender of the original schedule already exists in the CMS or if the
sender is migrated at the same time, then the following occurs:
• The Import Wizard imports the scheduled document into the Favorites
folder of this user in the CMS. A folder named Scheduled migrated
documents/<BCA Name> is created under Favorites.
• The document is renamed to <doc_name>_<docID>.<ext> .
• An instance is created for the document using the schedule parameters
of the original job.
Configuring connections
When you import BusinessObjects 5.x/6.x universes, the associated
connections are imported automatically. They are converted into connection
objects.
Make sure that the Import Wizard can access the 5.x/6.x database the same
way that BusinessObjects 5.x/6.x accesses it. You may need to install
database drivers or configure connection settings on the machine.
For example, if you import SQL Server connection objects from a 5.x/6.x
source environment, you must configure the connections on the destination
machine via the Control Panel before you import the connection objects. You
must use the same name and settings as the connection used on the source
machine when you created the domain key.
BOUSER/BOPASS
In BusinessObjects 5.x/6.x, users could use @Variable('BOUSER') and
@Variable('BOPASS') in the connection information for the universe. The
variables were replaced at runtime with the user’s enterprise username and
password, and used to log on to the database.
For security reasons, XI R2 does not permit the retrieval of users’ passwords.
Therefore, universe connections that previously used the BOUSER and
BOPASS variables associated with the BusinessObjects user name and
password must now use database credentials (DBUSER and DBPASS).
Those database credentials can be populated by the Import Wizard and later
edited in the CMC, on the Properties tab for each user account.
When migrating, Import Wizard automatically does the following:
• Replaces BOUSER and BOPASS with DBUSER and DBPASS in
universes.
• Proposes automatically populating these variables for users to migrate.
You can, however, re-synchronize if users change their passwords.
Synchronizing enterprise and database credentials
There are three ways to synchronize enterprise and database credentials in
the XI R2 system:
• Choose the Import Wizard option that batch imports user names and
passwords from BusinessObjects 5.x/6.x to auto-populate database
credentials in XI R2.
• Run a batch upload of a user’s file.
User names and passwords are loaded from a file, stored and used as
database credentials.
• Create a custom application using Enterprise SDK to set DBUSER and
DBPASS information.
5. In the Domain Key File field, type or browse for the path to the .key file
you created for the repository in your source environment.
6. Click Next.
The Destination Environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.
4. Type the User Name and Password that provides you with
administrative rights to the source environment.
Note: You must have a General Supervisor profile in the repository.
5. If you want to import Application Foundation objects proceed to
“Specifying the Application Foundation source information” on page 389.
6. If you do not want to import Application Foundation objects, make sure
the Import Application Foundation Contents check box is not
selected, and then click Next.
7. The Destination Environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.
Specifying the Application Foundation source information
This procedure assumes you have completed the step “Specifying a
BusinessObjects 6.x source environment” on page 389.
To specify the Application Foundation source information
1. Select the Import Application Foundation contents check box on the
Source Environment dialog box, and then click Next.
Note: You can import Application Foundation objects only if you selected
BusinessObjects 6.x (or XI) in the Source list. If you import Application
Foundation objects, the Import Wizard displays additional screens and
options.
The Import Wizard verifies the following:
• The connection to the repository.
• The credential.
• The validity of the General Supervisor login.
• The repository version.
2. In the Dashboard files section of the Application Foundation source
screen, browse to the location of the Application Foundation storage
folder.
By default, it is $INSTALLDIR/Application Foundation/server/conf.
3. In the Application Foundation source repository section, indicate the
repository’s details using one of the following methods:
• Check the Use conf file option.
This option allows you to specify the location of the AF config file that
contains the repository database information rather than entering it
manually.
Note: If you check this option, the option to upgrade the AF
repository in this Import Wizard session will be grayed out. You can
only use this option to point to the source repository connection if you
are not planning to upgrade the repository using this connection. It is
highly recommended that you upgrade a copy of the source
repository, and that you point to the connection to the copy when you
upgrade the repository.
• Manually enter the following information:
• The name of the source repository.
• The database engine.
• The network layer of the source repository.
• The user name and password to access the database.
Note: The user name and password you type must belong to an
Administrator profile. It is highly recommended that you upgrade a
copy of the source repository, and that you point to the connection to
the copy when you upgrade the repository.
4. Click Next.
The Application Foundation Repository Update dialog box appears.
5. Type the User Name and Password that provide you with administrative
rights to the source environment.
6. Click Next.
The Destination Environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.
5. Type the User Name and Password that provide you with administrative
rights to the source environment.
6. Click Next.
The Destination environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.
5. Type the User Name and Password that provide you with administrative
rights to the source environment.
6. Click Next.
The Destination Environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.
5. Type the User Name and Password that provide you with administrative
rights to the source environment.
6. Click Next.
The Destination Environment dialog box appears. Proceed to “Specifying
the destination environment” on page 394.
2. Click Next.
The Source environment dialog box appears.
3. Choose either Business Intellignece Archive Resource (BIAR) File or
Text file from the Source list.
4. Enter the location of the file in the BIAR file or Import file field, and then
click Next.
• If you want to export to a BIAR file, specify the name and location
where you want the BIAR file to be stored.
Note: This option only applies if your source environment is XI R2.
2. Click Next.
The Select Objects to import dialog box appears.
• Accept the defaults, which is to import all documents, and then click
Next.
3. If you see the Incremental Import dialog box, select the type of objects
whose content you want to overwrite.
Note:
• If the files are located on a remote server, you must have mapped
the remote server to your local machine.
• If the files are located on a UNIX server, you must have mapped the
UNIX server to a local drive.
• You do not need to provide a path for corporate documents because
they are stored in the repository.
.
Broadcast Agent
If you are importing Broadcast Agents, the Broadcast Agent dialog box
appears.This dialog box enables you to select the Broadcast Agents you want
to import.
Note: A Broadcast Agent job can be migrated from BusinessObjects 6.x to XI
R2 only if the job is supported in XI R2. (For details, see the BusinessObjects
5.x to XI Release 2 Migration Guide or the BusinessObjects 6.x to XI Release
2 Migration Guide.)
To select Broadcast Agents for import
1. In the Broadcast Agent dialog box, select the Broadcast Agents whose
jobs you want to import.
Note that all the jobs, for each Broadcast Agent, are selected by default.
2. Click Next.
Dashboards
If you are importing dashboards, the Dashboards dialog box appears.
To select dashboards
1. Select the dashboards you want to import.
When you select an application, its submenus are also selected.
2. Click Next.
The Import Wizard checks whether any dashboards in the source
repository include security. If the Import Wizard detects security on any
dashboards, the Import Dashboard Option dialog box appears. If none of
the dashboards selected for import includes security, skip to step 4.
Categories
If you are importing categories, the Categories dialog box appears.
To select categories
1. Select the check boxes for the categories that you want to import.
For large document domains, you can import incrementally, and import
documents one category at a time.
2. If you want to import all the objects associated with the category, select
the Import all objects that belong to the selected categories check box.
3. Click Next.
2. Click Next.
Universes
To select universes or universe folders
1. Select the check boxes for the universes that you want to import.
The universes that are linked to specific documents cannot be cleared
from the list.You can select additional universes that are not used by any
imported document.
2. Click Next.
If no universe is found, the associated documents will not be imported
and a warning message appears. If this occurs, link the documents to a
universe, republish them to the repository, and retry the import.
Note: When you import a universe, its connection objects are imported
automatically. Before you can import connection objects from
BusinessObjects 5.x/6.x, ensure that the Import Wizard can access the
database the same way that the source environment accesses it. This
may involve installing database drivers or configuring connection settings
on the machine. For example, if you import SQL Server connection
2. If the import summary shows that some information was not imported
successfully, click View Detail Log for a description of the problem. If the
import summary shows no failures, click Done.
Note: The information that appears in the Detail Log is also written to a
text file called ImportWiz.log, which you will find in the directory from
which the Import Wizard was run. By default, this directory is:
C:\Program Files\Business Objects\BusinessObjects
Enterprise 11\win32_x86\
Note: Profile values must be enclosed in quotes. See “Text file format” on
page 411 for information on using delimiter.
Example user record
Sales,Psanders,Paula Sanderson,psanders@Acme.com,
Manager,West Region
The previous record would create an account name or username of
“psanders” in BusinessObjects Enterprise. The name Paula Sanderson, and
the e-mail address of psanders@Acme.com would be associated with this
account name. The username “psanders” would be member of the group
“Sales”. The username psanders and would be assigned the profile
“Manager” with the profile value of “West Region”.
Group Record Format
10. Review that the results are what you expect, and then click Next.
The results on this screen show the how the first user or group will be
created, after all the records in the import file have been parsed.
If your record includes both a user and a group, the user preview will be
displayed by default. To see how the what group may be created, click
Group.
11. Click Finish to begin the import.
12. Click Import to exit the Import Wizard.
chapter
15 Managing Objects
Managing objects overview
3. Click Search.
Preview button
Similarly, for report objects, Desktop Intelligence documents, and Web
Intelligence documents, a Preview button appears. The Preview button
enables you to view a report on demand with all of your current report
settings. BusinessObjects Enterprise connects to the report’s data source(s) if
no cached pages are available. To use the Preview function, the user will
need to have rights at the Schedule level or higher. (To preview a report with
saved data, the user will need to have rights at the View level or higher.) By
default, administrators have rights at the Full Control level (the highest rights
setting) for all report objects. For details about object rights, see “Report
object management” on page 427.
Show report thumbnail option
For Crystal reports, the “Show report thumbnail” check box is selected by
default. If you do not want a thumbnail preview of this report to be available in
InfoView or another web application, clear the Show report thumbnail check box.
Note: A thumbnail is a graphical representation of the first page of a report. If
the original report does not contain a thumbnail, then a thumbnail will not be
stored on BusinessObjects Enterprise. The Show report thumbnail checkbox
does not apply to Web Intelligence document objects.
Object instances
At the specified time, the system runs the object and creates an object
instance. The instance contains actual data from the database. It appears on
the History page of the object and has a status of Success or Failed.
Making changes to an object
Any changes you make to the an object (by making the changes and then
clicking Update) affect the default settings for the object only. Those changes
do not affect any existing scheduled instances or object instances. The next
time you schedule the object, whether you use CMC or an application such as
InfoView, the new default settings are displayed. You can then change these
settings as needed for the scheduled instance you want to create.
Note: BusinessObjects Enterprise supports reports created in versions 6
through XI of Crystal Reports. Once published to BusinessObjects Enterprise,
reports are saved, processed, and displayed in version XI format.
3. In the “Default Servers To Use For Scheduling” area, choose one of the
server options.
4. If the object is a report object or a Web Intelligence document, choose
one of the server options in the “Default Servers To Use For Viewing and
Modification” area.
If the object is a Desktop Intelligence document, choose one of the server
options in the “Default Servers to Use For Processing” area and in the
“Default Servers to Use For Caching” area.
5. Click Update.
Updating parameters
Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects.
Parameter fields (with preset values) enable users to view and to specify the
data that they want to see. If a report contains parameters, you can set the
default parameter value for each field or fields (which is used whenever a
report instance is generated). Through a BusinessObjects Enterprise
application such as InfoView, your users are either able to use the report with
the preset default value(s) or choose another value or values. If you do not
specify a default value, users will have to choose a value when they schedule
the report.
Note: The Parameters link is available only if the report object contains
parameters.
To view parameter settings
1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. Click the Process tab, and then click the Parameters link.
3. Under the Value column, select the value associated with the parameter
you want to change.
A page opens that allows you to change the parameter value. Depending
on the parameter value type, you either type a value in the field or choose
a value from a list. If there is a list, you can also click Edit to type a new
value.
4. Select the Clear the current parameter value(s) check box if you want
to clear the current value that is set for the specified parameter.
5. Select the Prompt the user for new value(s) when viewing check box
if you want your users to be prompted when they view a report instance
through a BusinessObjects Enterprise application such as InfoView.
6. Click Update.
Using filters
Note: This feature does not apply to Desktop Intelligence and Web
Intelligence document objects. Alternatively, you can use profiles to
personalize views of the data. For more information, see Chapter 19:
Managing Profiles.
In the Filters page, you set the default selection formulas for the report.
Selection formulas are similar to parameter fields in that they are used to filter
results so that only the required information is displayed. Unlike parameters,
end users will not be prompted for selection formula values when they view or
refresh the report. When users schedule reports through a web-based client
such as InfoView, they can choose to modify the selection formulas for the
reports. By default, if any formulas are set in the CMC, they will be used by
the web-based client. For more information on selection formulas, see the
Crystal Reports User’s Guide.
In addition to changing selection formulas, if you have developed your own
processing extensions, you can select the processing extensions that you
want to apply to your report.
For more information, see “Applying processing extensions to reports” on
page 442. When you use filters in conjunction with processing extensions, a
subset of the processed data is returned. Selection formulas and processing
extensions act as filters for the report.
To use filters
1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. Click the Process tab, and then click the Filters link.
3. Make your settings according to the type of layout you want. The options
are as follows:
• Report file default
Choose this option if you want the page layout to conform to the
settings that were chosen for the report in Crystal Reports.
• Specified printer settings
Choose this option if you want the page layout to conform to the
settings of a specified printer. You can choose the Job Server’s
default printer or another printer. For information about specifying
another printer, see “Specifying a printer” on page 440.
When you choose this option, you can print scheduled report
instances only to the printer you specify in the “Specified printer
settings” area. In other words, you cannot set your report to display
with one printer’s setting and then print to a different printer.
• Custom settings
Choose this option if you want to customize all page layout settings.
You can choose page orientation, page size, measurement units
(inches or millimeters), page width, and page height.
4. Click Update.
3. In the Name field, type a display name for your processing extension.
4. In the Location field, type the file name of your processing extension
along with any additional path information:
• If you copied your processing extension into the default directory on
each of the appropriate machines, just type the file name (but not the
file extension).
• If you copied your processing extension to a subfolder below the
default directory, type the location as: subfolder/filename
Note: Although the actual file name must include the .dll or .so extension
(as appropriate to the server’s operating system), you must not include
the file extension in the Location field.
5. Use the Description field to add information about your processing
extension.
6. Click Add.
You can now select this processing extension to apply its logic to
particular objects. For details, see “Selecting a processing extension for a
report” on page 444.
Tip: To delete a processing extension, select its check box and click
Delete. (Make sure that no recurring jobs are based on this processing
extension because any future jobs based on this processing extension
will fail.)
chapter
16 Scheduling Objects
Scheduling objects overview
Scheduling objects
When you schedule an object, the system creates a scheduled instance for
the object. A scheduled instance contains object and schedule information. It
does not contain any data yet. Scheduled instances appear on the History
page of the respective object and have a status of Recurring or Pending.
Scheduled instances use the settings that are presently configured for the
object in CMC.
In order for a program object to be successfully scheduled and run, you must
provide logon information for the account that the program object will run as.
For details, see “Authentication and program objects” on page 456.
Recurrence patterns
When scheduling an object, you can choose from the following recurrence
patterns:
• On demand—The object will be run only when a user request it to be
run.
• Once—The object will be run only once. It can be run now or in the
future, or when a specified event has occurred.
• Daily—The object will be run every day. It can be run once or several
times a day. You can specify what time as well as a start and end date.
• Weekly—The object will be run every week. It can be run once a week or
several times a week. You can specify which days, what time, and a start
and end date.
• Monthly—The object will be run every month or every several months.
You can specify on which days of the month, what time, and a start and
end date you want it to run.
• Calendar—The object will be run on the dates specified in a calendar.
You can specify which calendar. The calendar must have been previously
created. See Chapter 17: Managing Calendars.
X and N variables
Applies to certain Daily and Monthly recurrence patterns only. When you
select a Run option that contains these variables, the system displays their
default values. You can then changes these values as needed.
For example, if you select the “Daily” recurrence pattern and the “Every X
hour(s), N minute(s)” Run option, you could specify to run the report every 4
(X) hours and 30 (N) minutes. If you don’t change the X or N value, the
system will run the report every hour.
Start Date
Applies to most, but not all recurrence patterns and Run options. The default
is the current date and time. The system will run the object according to the
schedule that you specified, as soon as it can, after the Start Date has
passed.
For example, if you specify a start date that is three months into the future,
the system won’t run the object until the start date has passed, even if all the
other criteria are met. After that, the system will run the report at the specified
time.
End Date
Applies to most, but not all, recurrence patterns and Run options. The default
is the current time and a date in the distant future, to ensure an object will be
run indefinitely. Specify a different End Date if required. Once the End Date
has passed, the system no longer runs the object.
Available Events
Applies to all Run options that include “with events.” Select an event and click
the Add button to move it to the “Events to wait for” box. You can select one or
several events. The system will run the object only when those events have
been successfully completed. See also “Scheduling an object with events” on
page 471.
Available Schedule Events
Applies to all Run options that include “with events.” Select an event and click
the Add button to move it to the “Events to trigger on completion” box. You
can select one or several events. A successful run of the object will trigger the
events that you specified. This list of events contains schedule events only.
You cannot trigger file or custom events. See also “Scheduling an object with
events” on page 471, and Chapter 18: Managing Events.
Number of retries allowed
Always applies. The number of times the system attempts to process an
object if the first attempt is not successful. By default, the number is zero.
e. Click Submit.
f. Go to the Objects management area of the CMC again.
See also “Publishing with the Central Management Console” on
page 357.
3. Select the check boxes associated with each object you want to place in
the object package.
4. Click Copy/Move/Shortcut.
The Copy/Move/Create Shortcut page appears.
4. In the Run list, select a run option that contains the words, “with events.”
5. Select and complete the schedule parameters for your object (scheduling
option, Start Date, End Date, and so on).
For a list and descriptions of the Run options and parameters, see “Run
options and parameters” on page 467.
6. In the Available Events area, select from the list of events, and click Add.
For example, the report object above is set to wait for a Custom-based
event to occur before the report is processed.
7. To update the default scheduling information, click Update.
If you don’t click Update, any changes you made to the scheduling
information are not saved.
8. Click the Schedule button to schedule the object.
6. In the Available Schedule Events area, select from the list of events and
click Add.
About notification
You can set notification at the object level. You can select unique notification
options for each object, sending different types of notification for different
conditions. For object packages, you can set only event notification, which will
trigger an event based on success or failure of the object package. To monitor
object successes and failures from a more general perspective, use the
auditing functionality within BusinessObjects Enterprise.
If notification fails, then the object instance fails. For example, if an email
notification sends a message to an invalid email address, then the notification
fails and the object instance is recorded as a failure in the object’s history.
3. Select the Enable alert notification check box if you want to send an
alert notification.
4. Select either Use the Job Server’s defaults or Set the values to be
used at schedule time here.
If you select the first option, BusinessObjects Enterprise will deliver the
alert notification using the Job Server’s default settings. You can change
these settings in the Servers management area. For more information,
see “Configuring the destinations for job servers” on page 116.
Selecting a destination
Using BusinessObjects Enterprise, you can configure an object or instance
for output to a destination other than the default Output File Repository Server
(FRS). When the system runs an object, it always stores the output instance
on the Output FRS. Being able to choose an additional destination gives you
the flexibility to deliver instances across your enterprise system or to
destinations outside your enterprise system.
For example, you can set an object to have its output automatically delivered
by email to other users.
Note: You can also configure object instances to be printed after they have
been run. See “Setting printer and page layout options” on page 440.
When you specify a destination other than “Default”, BusinessObjects
Enterprise generates a unique name for the output file or files. To generate a
file name, you can use a combination of ID, name or title of the object, owner
information, or the date and time information.
The following destinations are available:
• “Default destination support” on page 481
• “Unmanaged Disk destination support” on page 481
• “FTP support” on page 483
• “Email (SMTP) support” on page 484
• “Inbox support” on page 486
Note: You can change the destination setting for an object or instance either
in the Central Management Console (CMC) or in InfoView. When you specify
the destination settings through the CMC, these settings are also reflected in
the default scheduling settings for InfoView.
For most objects you can specify any of the available destinations. However,
for object packages and Web Intelligence documents you cannot do this,
because the recipients must have access to the BusinessObjects Enterprise
system to be able to open these types of objects. For example, you cannot
specify Unmanaged Disk as a destination for a Web Intelligence document.
The following table summarizes which destinations you can configure for
which types of objects.
• FTP Password
Enter the user’s password.
• Account
Enter the FTP account information, if required.
Account is part of the standard FTP protocol, but it is rarely
implemented. Provide the appropriate account only if your FTP
server requires it.
• Destination Directory
Enter the FTP directory that you want the object to be saved to.
• Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to
generate a random file name.
• Specified File Name
Select this option if you want to enter a file name—you can also add
a variable to the file name. To add a variable, choose a placeholder
for a variable property from the list and click Add.
6. Click Update.
Inbox support
When scheduling objects, you can configure objects for output to the inboxes
of users. In this case, the system will save the instance to both the Output File
Repository Server and the inboxes you specified. Instead of sending the
actual file to the inboxes, you can choose to send a shortcut.
Note: To use a destination, you must have the destination enabled and
configured on the job servers. See “Configuring the destinations for job
servers” on page 116.
To send an object to inboxes
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. Click the Schedule tab, then click the Destination link.
The Destination tab appears.
3. Select Inbox from the Destination list.
4. If you want, select the Clean up instance after scheduling option.
When that option is selected, the system automatically deletes the report
or program instance from the Output File Repository Server to keep the
number of instances on the server to a minimum.
5. Select the processing option that you want:
• Use the Job Server’s defaults
BusinessObjects Enterprise will schedule the object with the job
server’s default settings. For more information, see “Configuring the
destinations for job servers” on page 116.
• Microsoft Excel
• Microsoft Excel (Data Only)
• Microsoft Word (RTF)
• Adobe Acrobat
• Rich Text
• Editable Rich Text
• Plain Text
• Paginated Text
• Tab-Separated Text
• Tab-Separated Values
• Character-separated Values
For Excel, Paginated Text, Tab-separated Values, and Character-separated
Values, you specify certain formatting properties for the report. For example, if
you select Character-separated Values, you can enter characters for the
separator and delimiter; you can also select the two check boxes: “Same
number formats as in report” and “Same date formats as in report.”
Note:
• If you choose to print the report when it is scheduled (by checking the
“Print in Crystal Reports format using the selected printer when
scheduling” check box on the Print Setup page), the report instance is
automatically sent to the printer in Crystal Reports format. This does not
conflict with the format you select when scheduling the report.
• The difference between Excel and Excel (Data only) is that Excel
attempts to preserve the look and feel of your original report, while Excel
(Data only) saves only the data, with each cell representing a field.
• The Tab-separated Values format places a tab character between values;
the Character-separated Values format places a specified character
between values. Each of these two formats produce data lists. In
contrast, the Tab-separated Text format attempts to preserve the
formatting of the report.
To select a format for the report
1. In the Objects management area of the CMC, select a report object by
clicking its link.
2. On the Schedule tab, click the Format link.
The Format page appears.
3. Select a format from the Format list.
4. Complete any fields that appear below the list and select (where
appropriate) the check boxes that appear.
5. Click Update.
Managing instances
To view or manage instances, go to the History page for the object. That page
lists the scheduled instances and the output instances for an object:
• Scheduled instances will have a status of Recurring or Pending. The
system has not yet run these instances, and the instances do not contain
any data yet.
• Output instances, that is, actual report or program instances, will have a
status of Success or Failed, which indicate whether they were run
successfully:
Viewing an instance
To view an instance
1. Select a object in the Objects management area of the CMC.
2. Click the History tab.
The History page appears.
3. In the Instance Time column, click the instance you want to view.
You can also use the Instance Manager tool to view a list of instances by
status or by user. Access the Instance Manager by clicking its link in the
Administrative Tools area of the BusinessObjects Enterprise
Administration Launchpad.
Deleting an instance
You can delete instances from an object as needed. You can delete both
scheduled instances, which have a status of recurring or pending, and report
or program instances, which have a status of success of failed.
To delete an instance
1. Go to the History page for an object.
2. Select the check box for the instance or instances you want to delete.
3. Click Delete.
Note: When you set the limits at the object level, the object limits will override
the limits set for the folder; that is, the object will not inherit the limits of the
folder.
To set limits for instances
1. In the Objects management area of the CMC, select an object by clicking
its link.
2. On the History tab, click the Limits link.
The Limits page appears.
3. Make your settings according to the types of limits you want to set for
your instances. The options are as follows:
• Delete excess instances when there are more than N instances
of an object
To limit the number of instances per object, select this check box.
Then, type the maximum number of instances that you want to
remain on the system. (The default value is 100.)
• Delete excess instances for the following users/groups
To limit the number of instances for users or groups, click Add/
Remove in this area. Select from the available users and groups and
click OK. Then, type the maximum number of instances in the
Instance Limit column. (The default value is 100.)
• Delete instances after N days for the following users/groups
To limit the number of days that instances are saved for users or
groups, click Add/Remove in this area. Select from the available
users and groups and click OK. Then, type the maximum age of
instances in the Maximum Days column. (The default value is 100.)
4. Click Update.
chapter
17 Managing Calendars
Overview
Overview
Calendars make it easy for you to schedule complex recurring jobs efficiently.
A calendar is a customized list of run dates for scheduled jobs. When users
schedule objects, they can use a calendar to run the job on a predefined set
of dates. By providing calendars for your users, you can create more complex
processing schedules than you can with the standard scheduling options.
Calendars are particularly useful when you want to run a recurring job on an
irregular schedule, or if you want to provide users with sets of regular
scheduling dates to choose from. Calendars also allow you to create more
complex processing schedules, combining unique scheduling dates with
recurring ones.
For example, if you want a report object to run every business day except for
your country’s statutory holidays, you can create a calendar with the holidays
marked as “non-run” days, on which the report object cannot be run.
BusinessObjects Enterprise will run the job every day you have specified as a
“run” day in your calendar.
You can set up as many calendars as you want in BusinessObjects
Enterprise. Calendars you create appear in the Calendar selection list
available when you choose to schedule an object using a calendar. When you
apply the calendar to a job, BusinessObjects Enterprise runs the job on the
run dates as scheduled.
You can apply calendars to any object that can be scheduled, including report
objects, program objects, and object packages.
Managing calendars includes:
• “Creating calendars” on page 496
• “Adding dates to a calendar” on page 497
• “Deleting calendars” on page 501
• “Specifying calendar rights” on page 502
Creating calendars
In the Central Management Console (CMC), go to the Calendars
management area to create new calendars and to modify existing calendars.
To create a calendar, you need to provide a name and description. When the
calendar is created, you can add run dates to it using the Dates tab.
4. Click OK.
The new calendar is added to the system, and its Properties tab is
refreshed. You can now use the Dates tab to add run dates to this
calendar. For details, see “Adding dates to a calendar” on page 497.
4. In the “Select a calendar displaying format” list, choose from one of the
five calendar format options:
• Yearly
Yearly displays the calendar’s run dates for the year. To change the
year displayed, you can click the Previous Year and Next Year
buttons. To add a date from the Yearly format, click a month to open
it in Monthly format, where you can add run dates to specific days.
• Quarterly
Quarterly displays the calendar’s run dates for the current calendar
quarter. You can change the displayed quarter using the Previous
Quarter and Next Quarter buttons. To add a date from the Quarterly
format, click a month to open it in Monthly format, where you can add
run dates to specific days.
• Monthly
Monthly displays the calendar’s run dates for the current month. You
can change the displayed month using the Previous Month and Next
Month buttons.
• Generic Monthly, by Day of Week
Generic Monthly, by Day of Week allows you to add general
recurring dates based on the day of the week. The dates are applied
to the months specified between the Start and End Dates. Week 1
starts on the Sunday of the week of the Start Date you specify. Note
that this format does not display the currently selected dates from the
calendar; it only allows you to add new dates and update the
schedule.
• Generic Monthly, by Day of Month
Generic Monthly, by Day of Month allows you to add general
recurring dates based on the day of the month. The dates are
applied to the months specified between the Start and End Dates.
This format allows you to add new dates and update the schedule; it
does not display currently selected dates from the calendar.
See also “Specific dates” on page 499 and “Recurring dates” on
page 500.
5. Click the days of the month that you want to include as run days for the
calendar.
To remove a run day, click the day again.
Tip: For the Monthly and Generic Monthly, by Day of Week formats, you
can select multiple dates at once by clicking the row or column headings.
6. To add the new dates to the calendar, click Update.
Recurring dates
To create a recurring pattern of monthly run dates, use the generic Monthly
formats. You can add the generic dates based on the day of the week or the
day of the month. To view existing run dates, you must use the Yearly,
Quarterly, or Monthly format; the generic formats are used to add dates to the
calendar.
Although you can set a recurring schedule using the standard scheduling
options, calendars allow you to specify several different recurring run patterns
at once. You can also run instances on dates that do not follow the pattern by
adding individual days to a calendar.
For example, to schedule a report object to run on the first four days of every
month, and on the second and fourth Friday of every month, first create a new
calendar object and name it. Then, use the Generic Monthly, by Day of Month
format to add the first four days of the month to this calendar. When you
update the calendar, the Yearly format appears with the new run dates.
To add every second and fourth Friday to the calendar, use the Generic
Monthly, by Day of Week format.
Deleting calendars
When you delete a calendar, any objects that are scheduled according to the
deleted calendar will be run one more time by the system. After that, the
system won’t be able to schedule the objects again, because the calendar no
longer exists. To ensure the objects continue to be run, change the
scheduling information for the objects either by selecting a different calendar
or a different recurrence pattern. See “Scheduling objects” on page 464.
To delete a calendar
1. Go to the Calendars management area of the CMC.
2. Select the check box associated with the calendar you want to delete.
Tip: Select multiple check boxes to delete several calendars.
3. Click Delete, and click OK to confirm.
chapter
18 Managing Events
Managing events overview
File-based events
File-based events wait for a particular file (the trigger) to appear before the
event occurs. Before scheduling an object that waits for a file-based event to
occur, you must first create the file-based event in the Events management
area of the CMC. Then, you can schedule the object and select this event.
For more information on scheduling an object with events, see “Scheduling
an object with events” on page 471.
File-based events are monitored by the Event Server. When the file that you
specify appears, the Event Server triggers the event. The Central
Management Server (CMS) then releases any schedule requests that are
dependent on the event.
For instance, suppose that you want your daily reports to run after your
database analysis program has finished and written its automatic log file. To
do this, you specify the log file in your file-based event, and then schedule
your daily reports with this event as a dependency. When the log file appears,
the event is triggered and the reports are processed.
Note: If the file already exists prior to the creation of the event, the event is
not triggered. In this case, the event is triggered only when the file is removed
and then recreated. If you want an event to be triggered multiple times, you
must remove and recreate the file each time.
To create a file-based event
1. Go to the Events management area of the CMC.
2. Click New Event.
The New Event page appears.
Schedule-based events
Schedule-based events are dependent upon scheduled objects. That is, a
schedule-based event is triggered when a particular object has been
processed. When you create this type of event, it can be based on the
success or failure of a scheduled object, or it can be based simply on the
completion of the job.
Most importantly, you must associate your schedule-based event with at least
two scheduled objects. The first object serves as the trigger for the event:
when the object is processed, the event occurs. The second object is
Custom events
A custom event occurs only when you explicitly click its “Trigger this event”
button. As with all other events, an object based on a custom event runs only
when the event is triggered within the time frame established by the object’s
schedule parameters. Custom events are useful because they allow you to
set up a shortcut that, when clicked, triggers any dependent schedule
requests.
Tip: When developing your own web applications, you can trigger Custom
events from within your own code, as required. For more information, see the
developer documentation available on your product CD.
For instance, you may have a scenario where you want to schedule a number
of reports, but you want to run them after you have updated information in
your database. To do this, create a new custom event, and schedule the
reports with that event. When you update the data in the database and you
need to run the reports, return to the event in the CMC and trigger it manually.
BusinessObjects Enterprise then runs the reports. For more information on
event-based scheduling, see “Scheduling an object with events” on page 471.
Note: You can trigger a custom event multiple times. For example, you might
schedule two sets of event-based program objects to run daily—one set runs
in the morning, and one set runs in the afternoon. When you first trigger the
related custom event in the morning, one set of programs is run; when you
trigger the event again in the afternoon, the remaining set of programs is run.
If you neglect to trigger the event in the morning and trigger it only in the
afternoon, both sets of programs run at that time.
4. Click Add/Remove to add users or groups that you want to give access
to the event.
The Add/Remove page appears.
5. In the Select Operation list, select Add/Remove Groups, Add Users,
or Remove Users.
6. Select the user or group you want to grant access to the specified event.
7. If you have many users on your system, select the Add Users operation;
then use the “Look For” field to search for a particular account.
8. Click OK.
9. Change the Access Level for each user or group, as required.
Tip: To choose specific rights, select Advanced in the Access Level
column, and click Advanced in the Net Access column.
For complete details on the predefined access levels and advanced
rights, see the “Rights and Access Levels” chapter of the
BusinessObjects Enterprise Administrator’s Reference Guide.
10. Click Update.
chapter
19 Managing Profiles
What are profiles?
Creating profiles
You create profiles in the Central Management Console.
To create a profile
1. Go to the Profiles management area of the CMC.
2. Click New Profile.
The New Profile page appears.
3. Type a name for the profile in the Profile Name field.
5. To display only data from a specific object value, provide its class name in
the Class Name text box.
Note: The field is case-sensitive.
6. In the Object Name text box, type the value that you want.
Note: The value is case-sensitive.
7. Click OK.
ITadmin group access to IT-related profiles, those profiles won’t appear for a
user from the HRadmin group; this makes the profile list easier for the
HRadmin group to navigate.
Follow this procedure to change the rights for a profile. By default, rights to
profiles are based on current security settings, inheriting rights from the users’
parent folders.
To grant access to a profile
1. Go to the Profiles management area of the CMC.
2. Select the profile you want to grant access to.
3. Click the Rights tab.
4. Click Add/Remove to add the groups or users that you want to have
access to this profile.
The Add/Remove page appears.
5. In the Select Operation list, select Add/Remove Groups, Add Users,
or Remove Users.
The page is refreshed and displays options that depend upon whether
you are working with users or with groups.
6. Select the user/group whose rights you want to specify and click the
arrows to specify whether the user/group does or does not have access
to the profile.
7. Click OK.
8. On the Rights tab, change the Access Level for each user or group, as
required.
9. To choose specific rights, choose Advanced.
Note: For complete details on the predefined access levels and
advanced rights, see the “Rights and Access Levels” chapter of the
BusinessObjects Enterprise Administrator’s Reference Guide.
10. Click Update.
chapter
20 General Troubleshooting
Troubleshooting overview
Troubleshooting overview
BusinessObjects Enterprise is designed to integrate with a multitude of
different operating systems, web servers, network and firewall configurations,
database servers, and reporting environments. Thus, any troubleshooting
that you may need to undertake will likely reflect the particularities of your
deployment environment. This chapter includes general troubleshooting
steps along with solutions to some specific configuration issues.
In general, consider the following key points when troubleshooting:
• Ensure that client and server machines are running supported operating
systems, database servers, database clients, and appropriate server
software. For details, consult the Platforms.txt file, included with your
product distribution.
• Verify that the problem is reproducible, and take note of the exact steps
that cause the problem to recur.
On Windows, use the sample reports and sample data included with the
product to confirm whether or not the same problem exists.
• Determine whether the problem is isolated to one machine or is occurring
on multiple machines. For instance, if a report fails to run on one
processing server, see if it runs on another.
If the problem is isolated to one machine, pay close attention to any
configuration differences in the two machines, including operating system
versions, patch levels, and general network integration.
• If the problem relates to connectivity or functionality over the Web, check
that BusinessObjects Enterprise is integrated properly with your web
environment. For details, see BusinessObjects Enterprise Installation
Guide and “Web accessibility issues” on page 519.
• If the problem relates to report viewing or report processing, verify your
database connectivity and functionality from each of the affected
machines. Use Crystal Reports to verify that the report can be viewed
properly. If the Job or Page Servers are running on Windows, open the
report in Crystal Reports on the server machine and check that you can
refresh the report against the database. For details, see “Report viewing
and processing issues” on page 521.
• Look for solutions in the documentation included with your product. For
details, see “Documentation resources” on page 519.
• Check out the Business Objects Customer Support technical support
web site for white papers, files and updates, user forums, and Knowledge
Base articles:
http://support.businessobjects.com/
To troubleshoot a report
1. Start Crystal Reports on the appropriate machine:
• If the report runs successfully on demand, but fails when scheduled,
start Crystal Reports on the Job Server.
• If the report fails when viewed on demand, but runs successfully
when scheduled, start Crystal Reports on the Page Server.
• If the report fails when viewed on demand with the Advanced
DHTML viewer, start Crystal Reports on the RAS.
• If the report fails in all cases, first complete these troubleshooting
steps on one processing server; then verify whether or not the
problem is resolved on all processing servers. If not, repeat the steps
on a different processing server.
2. Open the report from the CMS.
On the File menu, click Open. Click Enterprise Folders and log on to your
CMS. If you cannot open the report, verify network connectivity between
the server you are working on, the CMS, and the Input File Repository
Server.
3. Test your database connection and authentication.
On the Database menu, click Log On/Off Server. If you cannot log on to
the database server, check the configuration of the database client
software and ensure that the report contains a valid database user name
and password.
4. If the report’s parameters or record selection need to be modified by
BusinessObjects Enterprise users when they schedule or view the report,
change the parameter values or record selection formula accordingly. If
the values are invalid, Crystal Reports will report an error.
5. Verify that the tables used in the report match the tables in the database.
On the File menu, clear the “Save Data with Report” check box. On the
Database menu, click Verify Database. Correct any issues reported by
Crystal Reports, and then save the report.
6. Refresh the report and, if current data is not returned from the database,
check these possible causes:
• If the report fails, ensure that the database credentials provide READ
rights to all tables in the report.
• If the database credentials are valid, the report’s SQL statement is
evaluated at this time. Check the join information. Note any ODBC
errors that are produced.
InfoView considerations
Supporting users in multiple time zones
Avoid granting Schedule access to the default Guest account if you deploy
InfoView for users in different time zones. Instead, ensure that each user who
is allowed to schedule reports has a dedicated account on the system, and
that each user's InfoView preferences include the appropriate time-zone
setting. Dedicated accounts are recommended because the default Guest
account does not allow users to modify account preferences that would affect
other users. For more information about using specific time-zone properties in
your custom web applications, see the BusinessObjects Enterprise SDK
documentation.
chapter
21 Managing Auditing
How does auditing work?
User Actions
Actions BusinessObjects
Enterprise Server
Objects An object is created. CMS
An object is deleted.
An object is modified.
Crystal A report has been viewed successfully. Cache Server
reports A report could not be viewed.
A report is opened successfully using: RAS
• the Advanced DHTML viewer.
• a custom application that uses RAS SDK.
A report fails to open.
A report has been created successfully using:
• a custom application that uses the RAS
SDK.
A report fails to be created.
A report is saved successfully (using a custom
application based on the RAS SDK).
A report fails to save using a custom
application based on the RAS API.
Web Get list of universes. Web Intelligence
Intelligence • A user has begun creating a new Web Report Server
documents Intelligence document, which triggers a
request to the server for the list of
available universes.
Save document to repository.
• A user has saved a Web Intelligence
document within BusinessObjects
Enterprise.
Read Document.
• User opens an existing Web Intelligence
document.
Selection of universe.
• A user has selected a universe as they
create a new Web Intelligence document,
or as they edit an existing Web
Intelligence document.
Actions BusinessObjects
Enterprise Server
Desktop A job has been run successfully. Desktop Intelligence
Intelligence • Either a Desktop Intelligence document Job Server
documents has been scheduled or a publication
based of that document has been
scheduled.
A job has failed to run.
A job failed but will try to run again.
Users A concurrent user logon succeeds. CMS
A named user logon succeeds.
A user logon fails.
A user’s password is changed.
User logs off.
Send an A job has been run successfully. Destination Job
object to a (A user has successfully sent an object to a Server
destination destination.)
A job has failed to run.
(An object has failed to be sent to a
destination.)
A job failed but will try to run again.
File-based An event is registered. Event Server
events (Event is created, and registered with system)
An event is updated.
(The name, description, or filename of an event
is modified.)
An event is unregistered.
(Event is removed from system.)
In some special cases you may wish to enable auditing on only one server of
a given type. For example, if you are interested in the success or failure of
only one kind of scheduled report and you have configured your system so
that these reports are processed on one particular Job Server, it is not
necessary to enable auditing on every Job Server in your system. You only
need to enable auditing on the Job Server where the reports are processed.
Note: You must configure the auditing database before you can collect data
on audit actions. See “Configuring the auditing database” on page 531 for
information on how to configure the auditing database.
To enable audit actions
1. Go to the organize Servers area of the CMC.
2. Click the server that controls the action that you wish to audit.
(See the “Reference list of auditable actions” on page 533 to find the
correct server.)
3. Click the Auditing tab.
4. Expand the database type and the version that corresponds with the your
auditing database.
5. Select the driver or client to use.
6. Enter a name for your connection.
7. Enter the User Name and Password for your connection.
8. Select the Data source name from the list, and then click Next.
9. Click Next on the Perform a Test dialog box.
10. Click Next on the Advanced Parameters dialog box.
11. Click Finish on the Custom Parameters dialog box.
12. Click Finish to exit and finalize your connection.
Tip: If you have a CMS cluster, apply the same command-line options to
each server. Only one CMS in the cluster acts as the auditor. However, if this
CMS fails, another CMS takes over auditing. This CMS will apply its own
command-line options. If these options are different than those of the original
auditor, audit behavior may not be what you expect.
chapter
22 Auditing Reports
Using auditing reports
Cluster Nodes
Job Summary
Password Modifications
Peak Usage
Rights Modification
User Activity
Audit_Event
The Auditt_Event table stores one record per action that is audited and
contains general information about each audit event.
Audit_Detail
The Audit_Detail table records more details about each audit action
recorded in the Audit_Event table. For example, when a user logon fails,
the reasons for that failure are recorded as audit details.
There may be more than one record in this table for each audit action
recorded in the Audit_Event table.
Field Description
Server_CUID Server process ID.
Combined with the Event_ID and the Detail_ID
to form the primary key for the Audit_Detail
table.
Event_ID A unique ID generated by the server to identify the
audit event.
Combined with Server_CUID and the Detail_ID
to form the primary key for the Audit_Detail
table.
Detail_ID The Detail_ID field is used to number the
individual details associated with each audit
action. That is, if there are two details associated
with a particular audit action, the first will have a
Detail_ID of 1, and the second will have a
Detail_ID of 2.
Detail_Type_ID Number that uniquely identifies the type of detail
about the audit action that the entry represents.
Foreign key for the Detail_Type table.
Detail_Text Information about the audit detail being recorded.
For example, if the Detail_Type_Description
were “universe name”, the detail text would
contain the name of that universe.
Server_Process
The Server_Process table contains information about the servers running
within your BusinessObjects Enterprise system which can generate audit
events.
Field Description
Server_CUID Server process ID.
Primary key for the Server_Process table.
Server_Name Machine name of the server that produced the
action. That is, the host name.
Application_Type_ID A unique ID that identifies the type of application
that generated the audit action.
Foreign key to the Application_Type table.
Event_Type
The Event_Type table contains a static list of the kinds of events that can be
audited in your BusinessObjects Enterprise system. This table provides
information roughly equivalent to that provided by AuditIDs and AuditStrings
in Crystal Enterprise
Field Description
Event_Type_ID Number that uniquely identifies the type of
audit event that the entry represents.
Event_Type_Description Description of the type of audit event.
Application_Type
The Application_Type table contains a static list of the applications that
can produce audit events. In BusinessObjects Enterprise XI, the applications
that can be audited are servers.
Detail_Type table
The Detail_Type table contains a static list of the standard details that can
be recorded about audited events. For example, a user logon can fail for a
number of different reasons. These reasons are listed as entries in the
Detail_Type table.
The information in the Detail_Type table is equivalent to the information that
was recorded in variable AuditStrings in Crystal Enterprise 10.
Field Description
Detail_Type_ID Number that uniquely identifies the type of
audit detail that the entry represents.
Detail_Type_Description The description of the type of audit detail
generated by the audit event.
Application_Type_ID Application_Type_Description
1 Unknown Application
8 Web Intelligence Report Server
11 Central Management Server
(CMS)
12 Cache Server
13 Report Job Server
14 Report Application Server (RAS)
15 Event Server
16 Program Job Server
18 Destination Job Server
19 Web Intelligence Job Server
appendix
A Rights in the CMC
Overview
Overview
This appendix describes rights you can set on objects via the CMC:
• Folder rights
• Object rights
• User rights
• Category rights
• Group rights
• Universe rights
• Connection rights
• Server rights
• Desktop Intelligence document rights
• Web Intelligence document rights
Folder rights
The following rights can be set at the folder level.
Desktop Intelligence
Refresh the report’s data - Granted Granted Allows users to refresh
Desktop Intelligence report
content
Refresh List of Values - Granted Granted Allows users to refresh the
list of values associated
with a Desktop Intelligence
document
Use Lists of Values - Granted Granted Allows users to use list of
values associated with a
Desktop Intelligence
document
View SQL - - Denied Allows users to see the
SQL used to generate the
Desktop Intelligence
document content
Export the report’s data - Granted Granted Allows users to export the
Desktop Intelligence
document with data
Download files associated with - - Denied Allows users to download
the object the template document
(.rep, for example)
Object rights
The following rights can be set at the object level.
User rights
The following rights can be set at the user level.
Category rights
The following rights can be set at the category level.
Universe rights
The following rights can be set at the universe level.
Connection rights
The following rights can be set at the connection level.
Server rights
The following rights can be set at the server level.
Troubleshooting
There are a few common problems and misconceptions that you may
encounter when assigning rights.
About objects
Note that BusinessObjects Enterprise treats all managed items as objects (or
InfoObjects). For example, a folder is a folder object, a Crystal Report is a
report object, a connection is a connection object, and so on.
appendix
B UNIX Tools
UNIX tools overview
Script utilities
This section describes the administrative scripts that assist you in working
with BusinessObjects Enterprise on UNIX. The remainder of this guide
discusses the concepts behind each of the tasks that you can perform with
these scripts. This reference section provides you the main command-line
options and their arguments.
ccm.sh
The ccm.sh script is installed to the bobje directory of your installation. This
script provides you with a command-line version of the CCM. This section
lists the command-line options and provides some examples.
Note:
• Arguments in square brackets [ ] are optional.
• By default, servers are named with a hostname.servertype convention. If
the option requires the server name, use servertype as the server name.
If the option requires the fully qualified server name, use
hostname.servertype. If you are unsure of a server’s fully qualified name,
look in the ccm.config file, locate the server’s launch string, and use the
value that appears after the -name option.
This table describes the options that make up the argument denoted by other
authentication information.
Examples
These two commands start and enable all the servers. The Central Management
Server (CMS) is started on the local machine and the default port (6400):
ccm.sh -start all
ccm.sh -enable all
These two commands start and enable all the servers. The CMS is started on
port 6701, rather than on the default port:
ccm.sh -start all
ccm.sh -enable all -cms MACHINE01:6701
These two commands start and enable all the servers with a specified
administrative account named SysAdmin:
ccm.sh -start all
ccm.sh -enable all -cms MACHINE01:6701 -username SysAdmin -
password 35%bC5@5 -authentication LDAP
This single command logs on with a specified administrative account to
disable a Job Server that is running on a second machine:
ccm.sh -disable MACHINE02.businessobjects.com.reportserver -
cms MACHINE01:6701 -username SysAdmin -password 35%bC5@5
-authentication secLDAP
cmsdbsetup.sh
The cmsdbsetup.sh script is installed to the bobje directory of your
installation. The script provides a text-based program that enables you to
configure the CMS database, CMS clusters, and to set up the audit database.
You can add a CMS to a cluster by selecting a new data source for its CMS
database. You can also delete and recreate (re-initialize) a CMS database,
copy data from another data source, or change the existing cluster name.
Note: Before running this script, back up your current CMS database. Also
be sure to see “Clustering Central Management Servers” on page 86 for
additional information about CMS clusters and configuring the CMS
database.
The script will prompt you for the name of your CMS. By default, the CMS
name is hostname.cms. That is, the default name of a CMS installed on a
machine called MACHINE01 is MACHINE01.cms. To check the name of your
CMS (or any other server), view the contents of ccm.config and look for the
server’s launch string. The server’s current name appears after the -name
option.
For more information about configuring the CMS database or setting up the
auditing database, see “Managing Auditing” on page 529.
configpatch.sh
The configpatch.sh script is installed to the bobje/enterprise/
generic directory of your installation. Use the configpatch.sh script when
installing patches that require updates to system configuration values. After
installing the patch, run configpatch.sh with the appropriate .cf file name
as an argument. The readme.txt file that accompanies BusinessObjects
Enterprise patches tells you when to run configpatch.sh, and the name of
the .cf file to use.
serverconfig.sh
The serverconfig.sh script is installed to the bobje directory of your
installation. This script provides a text-based program that enables you to view
server information and to add and delete servers from your installation. This
script adds, deletes, modifies, and lists information from the ccm.config file.
When you modify a server using serverconfig.sh, you can change the
location of its temporary files. For the Central Management Server, you can
change its port number or enable auditing. For the Input File Repository
Server or the Output File Repository Server, you can enter the root directory.
To add/delete/modify/list UNIX servers
1. Go to the bobje directory of your installation.
2. Issue the following command:
./serverconfig.sh
The script prompts you with a list of options:
• 1 - Add a server
• 2 - Delete a server
• 3 - Modify a server
• 4 - List all servers in the config file
3. Type the number that corresponds to the action you want to perform.
4. If you are adding, deleting, or modifying a server, provide the script with
any additional information that it requests.
Tip: The script will prompt you for the name of your CMS. By default, the
CMS name is hostname.cms. That is, the default name of a CMS
installed on a machine called MACHINE01 is MACHINE01.cms. However,
in this script you can enter hostname to check the name of your CMS (or
any other server), view the contents of ccm.config, and look for the
server’s launch string. The server’s current name appears after the -
name option.
5. Once you have added or modified a server, use the CCM to ensure that
the server is both started and enabled.
For more information about working with servers, see “Managing and
Configuring Servers” on page 69.
uninstallBOBJE.sh
The uninstallBOBJE.sh script is installed to the bobje directory of your
installation. This script deletes all of the files installed during your original
installation of BusinessObjects Enterprise by running the scripts in the
bobje/uninstall directory. Do not run the scripts in the uninstall
directory yourself: each of these scripts removes only the files associated with
a single BusinessObjects Enterprise component, which may leave your
BusinessObjects Enterprise system in an indeterminate state.
Before running this script, you must disable and stop all of the
BusinessObjects Enterprise servers.
Note:
• The uninstallBOBJE.sh script will not remove files created during the
installation process, or files created by the system or by users after
installation. To remove these files, after running installBOBJE.sh,
perform an rm -rf command on the bobje directory.
• If you performed the “system” installation type, you will also need to
delete the run control scripts from the appropriate /etc/rc# directories.
Script templates
These scripts are provided primarily as templates upon which you can base
your own automation scripts.
startservers
The startservers script is installed to the bobje directory of your
installation. This script can be used as a template for your own scripts: it is
provided as an example to show how you could set up your own script that
starts the BusinessObjects Enterprise servers by running a series of CCM
commands. For details on writing CCM commands for your servers, see
“ccm.sh” on page 592.
silentinstall.sh
The silentinstall.sh script is installed to the bobje directory of your
installation. Once you have set up BusinessObjects Enterprise on one
machine, you can use this template to create your own scripts that install
BusinessObjects Enterprise automatically on other machines. Essentially,
once you have edited the silentinstall.sh template accordingly, it
defines the required environment variables, runs the installation and setup
scripts, and sets up BusinessObjects Enterprise according to your
specifications, without requiring any further input.
The silent installation is particularly useful when you need to perform multiple
installations and do not want to interrupt people who are currently working on
machines in your system. You can also use the silent installation script in your
own scripts. For example, if your organization uses scripts to install software
on machines, you can add the silent BusinessObjects Enterprise installation
command to your scripts.
For information about script parameters, see the comments in the
silentinstall.sh script.
Note:
• Because the silentinstall.sh file is installed with BusinessObjects
Enterprise, you cannot install silently the first time you install
BusinessObjects Enterprise.
• The silent installation is not recommended if you need to perform custom
installations. The installation options are simplified and do not allow for
the same level of customization provided in the BusinessObjects
Enterprise install script.
bobjerestart.sh
This script is run internally by the CCM when it starts the BusinessObjects
Enterprise server components. If a server process ends abruptly without
returning its normal exit code, this script automatically restarts a new server
process in its place. Do not run this script yourself.
env.sh
The env.sh script is installed to the bobje directory of your installation. This
script sets up the BusinessObjects Enterprise environment variables that are
required by some of the other scripts. BusinessObjects Enterprise scripts run
env.sh as required. When you install BusinessObjects Enterprise on UNIX, you
must configure your Java application server to source this script on startup.
See the BusinessObjects Enterprise Installation Guide for more details.
env-locale.sh
The env-locale.sh script is used for converting the script language strings
between different types of encoding (for example, UTF8 or EUC or Shift-JIS).
This script is run by env.sh as needed.
initlaunch.sh
The initlaunch.sh script runs env.sh to set up the BusinessObjects
Enterprise environment variables, and then runs any command that you have
added as a command-line argument for the script. This script is intended
primarily for use as a debugging tool by Business Objects SA.
postinstall.sh
The postinstall.sh script is installed to the bobje directory of your
installation. This script runs automatically at the end of the installation script
and launches the setup.sh script. You need not run this script yourself.
setup.sh
The setup.sh script is installed to the bobje directory of your installation.
This script provides a text-based program that allows you to set up your
BusinessObjects Enterprise installation. This script is run automatically when
you install BusinessObjects Enterprise. It prompts you for the information that
is required in order to set up BusinessObjects Enterprise for the first time.
For complete details on responding to the setup script when you install
BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation
Guide.
setupinit.sh
The setupinit.sh script is installed to the bobje directory of your
installation when you perform a system installation. This script copies the run
control scripts to your rc# directories for automated startup. When you run a
system installation you are directed to run this script after the setup.sh script
completes.
Note: You must have root privileges to run this script.
appendix
A Business Objects Information Resources
Documentation and information services
Documentation
You can find answers to your questions on how to install, configure, deploy,
and use Business Objects products from the documentation.
Address Content
Business Objects product Information about the full range of
information Business Objects products.
http://www.businessobjects.com
Product documentation Business Objects product
http://www.businessobjects.com/ documentation, including the
support Business Objects Documentation
Roadmap.
Business Objects Documentation Send us feedback or questions
mailbox about documentation.
documentation@businessobjects.com
Online Customer Support Information on Customer Support
http://www.businessobjects.com/ programs, as well as links to
support/ technical articles, downloads, and
online forums.
when enabling and disabling other servers 77 connections. See universe connections
CMS auditable actions 537 connectivities
CMS database recreating in XI R2 372
changing password 98 consultants, Business Objects 606
configuring 93 content, folders 332
copying 93 converting
deleting 97 .rep files to .wid 375
migrating 93 .rep files to .wqy 375
recreating 97 cookies
selecting 98 and session tracking 210
command line arguments 357 logon tokens 209
specifying for program objects 451 copying/moving folders 334, 342
command-line options, SSL 137 corporate documents
communication storage after import 375
between browser and WCA 195 creating
between BusinessObjects Enterprise servers categories 341
166 folder administrators 319
components, security management 199 folders 332
configuration, common scenarios 149 server groups 142
configuring server subgroups 144
auditing database 531 subfolders 333, 341
auditing database on UNIX 532 creating custom audit reports 554
auditing database on windows 532 Crystal reports
Cache Server 101 choosing a format 487
CMS clusters 86, 92 job server for scheduling 432
CMS database 93, 97, 98 troubleshooting reports 521
Event Server 104 Crystal Reports Cache Server. See Cache Server
executable programs 453 Crystal Reports Page Server. See Page Server
File Repository Servers 100 Crystal Reports sample audit reports 540
firewalls 170 Crystal Repository. See BusinessObjects
intelligence tier 85 Enterprise Repository
Job Server 112, 112, 116, 123 CSV format 411
object packages 460 CUIDs 377
Page Server 105, 108, 123 custom audit report creation 554
processing tier 104 custom events 504, 508
server settings 70 custom web applications, enhancing 155
servers 70 customer support 605
universe connection 539 customizing
connecting to remote Windows machines 27 inheritance model 307
Connection folder, access to 218 object rights 298
Connection Server your configuration 148
metrics 73
connections D
BOUSER/BOPASS variables 383
data
stored procedures 385
choosing live/saved 66
J mapping 237
Java CMC timeout 82 troubleshooting 243, 243
Java InfoView timeout 83 unmapping 240
Java platform 50 viewing mapped groups 241
Java programs 449 LDAP hosts
authentication 457 configuring 230
configuring 455 managing multiple 242
providing access to other files 455 LDAP security plug-in 204
setting parameters 455 LDAP single sign-on, configuring 234
Java SDK 50 Least Accessed Documents 550
Job Server license keys
configuring 123 adding 41
on UNIX 124 and CMS database migration 90
destinations reinitializing the CMS database 97
configuring 117 viewing account activity 41
enabling or disabling 116 licensing, accessing information 40
metrics 73 Lightweight Directory Access Protocol. See LDAP
performance settings 113 limits, setting at the folder level 339
Job Servers 56, 56 List of Values Job Server
job servers auditable actions 537
configuring destinations 117 description 57
performance settings 112 destinations
Job Servers auditable actions 537 configuring 117
enabling or disabling 116
metrics 73
K performance settings 112
Kerberos configuration 271 live data 66
Kerberos single sign-on 199, 266, 266 load balancing
key files 137 and distributed security 209
CMS clustering 86
L Local System account 123
LDAP 205 locale
about 205 and .wqy files 378
and SSL 205 importing documents without locales 378
LDAP accounts 205 migration of universe 382
managing 229 log on
modifying processing server accounts 123
connection parameters 241 protection against malicious attempts 213
member groups 241 to the CMC 23
troubleshooting 242, 242 with token 196
LDAP authentication 219 logging
configuring 230 server activity 130
configuring mapping options 235 web activity 213
LDAP authentication plug-in 204 logon tokens 209
LDAP groups and authentication 195
setting WCA 49
instance limits on folders 339 and authentication 195
object rights 293 and authorization 196
viewing active sessions 73 and logon tokens 200
Users Who Logged Off Incorrectly 553 and security 200
users with AD authentication, importing from auditing web activity 213
Crystal Enterprise 365 configuring for SOCKS 181
users, importing description 49
from Crystal Enterprise 364 WCA session variables 210
primary authentication 195
V secondary authentication 196
tracking 211
VBA macros
web
migration 369
customer support 605
version 5/6
getting documentation via 604
Inbox and personal storage 370
useful addresses 606
version XI R2
Web application environments 51
access restrictions 384
Web Component Adapter. See WCA
supported connectivities 372
web desktop. See InfoView
View access level 297
Web Intelligence
View On Demand access level 297
Allow user to merge dimension for
viewers
synchronization right 377
and InfoView 62
application rights 39
client-side 59
Edit SQL right 377
setting CMC preferences 24
Interactive Editing right 377
zero client 59
Query HTML access rights 39
viewing
Web Intelligence documents
active users 73
See also report objects
advanced object rights 299
assigning to a category 426
BusinessObjects Enterprise architecture 62
choosing a format 487, 487
CMS cluster details 74
delegating XSL transformation 155
current account activity 41
properties, changing 424
current metrics 71
scheduling 464
information flow 62
searching for 421
licensing information 40
selecting cache format 489
object rights 295
server for scheduling 432
server metrics 71
Web Intelligence Job Server
system metrics 74
auditable actions 537
with the Cache Server 63
destinations
with the Page Server 63
enabling or disabling 116
with the Report Application Server 64
metrics 73
viewrpt.aspx 63
performance settings 112
Web Intelligence Report Server
W auditable actions 534, 535
walk and merge 515 metrics 73
performance settings 113 Windows AD, viewing mapped groups and users
Web Intelligence sample audit reports 540 247
web response speeds, improving 156 Windows .NET platform 50
web servers 51 Windows NT accounts
improving response speeds 156 adding to mapped groups 258
securing 212 creating 257
web sites disabling 259
support 605 managing 251
training 606 mapping 251
WebConnect documents in CMC 253
access from XI R2 369 in Windows 2000 252
WebIntelligence in Windows NT 252
migrating orphan documents 375 troubleshooting 257
WebIntelligence documents unmapping 255
migration limitations 377 Windows NT authentication 219
rights migration 377 Windows NT Challenge/Response authentication
.wid files 203, 207, 212
migrating orphan documents 375 Windows NT groups
Windows creating 258
Central Configuration Manager 27 mapping 251
Event Log 130 unmapping 255, 255
Local System account 123 viewing 257
server dependencies 135 Windows NT security plug-in 202
Windows 2000 Active Directory 202 and UNIX 202
Windows 2000, unmapping accounts in 256 Windows NT single sign-on, setting up 259
Windows AD accounts Windows NT users, viewing 257
See also Windows AD users .wqy files
adding to mapped groups 248 and locale 378
creating 248
mapping 244 X
troubleshooting 248
XSL transformation for Web Intelligence
unmapping 247
documents 155
Windows AD authentication 219
Windows AD groups
mapped, viewing 247 Z
mapping 244 zero client viewers 59
unmapping 247
Windows AD security plug-in 206
Windows AD single sign-on 249
end-to-end 266, 266
to BusinessObjects Enterprise 249
Windows AD users
See also Windows AD accounts
viewing 247