BusinessObjects Enterprise XI
Patents
Business Objects owns the following U.S. patents, which may cover products that are offered and sold by Business Objects: 5,555,403, 6,247,008 B1, 6,578,027 B2, 6,490,593 and 6,289,352.
Trademarks
Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and other countries. All other names mentioned herein may be trademarks of their respective owners.
Copyright
Copyright 2004 Business Objects. All rights reserved.
Contents
Chapter 1 Introduction to BusinessObjects Enterprise XI Administrator's Guide
  About this guide
  Who should use this guide?
  Business Objects information resources
Chapter 2 What's New in BusinessObjects Enterprise
  Welcome to BusinessObjects Enterprise XI
  About this version
  Supported products
  New features
  End-user experience
  Report design
  Developer flexibility
  System administration
Chapter 3 Administering BusinessObjects Enterprise
  Administration overview
  Central Management Console
  Logging on to the Central Management Console
  Navigating within the Central Management Console
  Setting console preferences
  Setting the Query size threshold
  Logging off of the Central Management Console
  Using the Central Configuration Manager
  Accessing the CCM for Windows
  Accessing the CCM for UNIX
  Making initial security settings
  Setting the Administrator password
  Disabling the Guest account
  Modifying the default security levels
  Managing universes
  Managing universe connections
  Managing InfoView
  Managing Web Intelligence
  Managing Discussions
  Accessing the Discussions page
  Searching for discussion threads
  Sorting search results
  Deleting discussion threads
  Setting user rights
Chapter 4 BusinessObjects Enterprise Architecture
  Architecture overview and diagram
  Client tier
  InfoView
  Central Management Console (CMC)
  Central Configuration Manager (CCM)
  Publishing Wizard
  Import Wizard
  Application tier
  Application tier components
  Web development platforms
  Web application environments
  Intelligence tier
  Central Management Server (CMS)
  Cache Server
  File Repository Servers
  Event Server
  Processing tier
  Report Job Server
  Program Job Server
  Web Intelligence Job Server
  Web Intelligence Report Server
  Report Application Server (RAS)
  Destination Job Server
  List of Values Job Server
  Page Server
  Data tier
  Report viewers
  Information flow
  What happens when you schedule an object?
  What happens when you view a report?
  Choosing between live and saved data
  Live data
  Saved data
Chapter 5 Managing and Configuring Servers
  Server management overview
  Viewing current metrics
  Viewing current server metrics
  Viewing system metrics
  Viewing and changing the status of servers
  Starting, stopping, and restarting servers
  Stopping a Central Management Server
  Enabling and disabling servers
  Printing, copying, and refreshing server status
  Configuring the application tier
  Configuring the Web Component Adapter
  Configuring the intelligence tier
  Clustering Central Management Servers
  Copying data from one CMS database to another
  Deleting and recreating the CMS database
  Selecting a new or existing CMS database
  Setting root directories and idle times of the File Repository Servers
  Modifying Cache Server performance settings
  Modifying the polling time of the Event Server
  Configuring the processing tier
  Modifying Page Server performance settings
  Modifying database settings for the RAS
  Modifying performance settings for the RAS
  Modifying performance settings for job servers
  Configuring the Web Intelligence Report Server
  Configuring the destinations for job servers
  Configuring Windows processing servers for your data source
  Configuring UNIX processing servers for your data source
  Logging server activity
  Advanced server configuration options
  Changing the default server port numbers
  Configuring a multihomed machine
  Adding and removing Windows server dependencies
  Changing the server startup type
  Changing the server user account
  Configuring servers for SSL
Chapter 6 Managing Server Groups
  Server group overview
  Creating a server group
  Working with server subgroups
  Modifying the group membership of a server
Chapter 7 Scaling Your System
  Scalability overview
  Common configurations
  One-machine setup
  Three-machine setup
  Six-machine setup
  General scalability considerations
  Increasing overall system capacity
  Increasing scheduled reporting capacity
  Increasing on-demand viewing capacity for Crystal reports
  Increasing prompting capacity
  Delegating XSL transformation to Internet Explorer
  Enhancing custom web applications
  Improving web response speeds
  Getting the most from existing resources
  Adding and deleting servers
  Adding a server
  Deleting a server
Chapter 8 Managing BusinessObjects Enterprise Repository
  BusinessObjects Enterprise Repository overview
  Copying data from one repository database to another
  Importing data from a Crystal Enterprise 10 or BusinessObjects Enterprise XI CMS
  Copying data from a Crystal Enterprise 9 repository database
  Copying data from a Crystal Reports 9 repository database
  Refreshing repository objects in published reports
Chapter 9 Working with Firewalls
  Firewalls overview
  What is a firewall?
  Firewall types
  Understanding firewall integration
  Communication between servers
  Firewall configuration overview
  Typical firewall scenarios
  Configuring the system for firewalls
  Configuring for Network Address Translation
  Configuring for packet filtering
  Configuring for SOCKS servers
Chapter 10 Managing Auditing
  Auditing overview
  How does auditing work?
  Which actions can I audit?
  Configuring the auditing database
  Enabling auditing of user and system actions
  Controlling synchronization of audit actions
  Optimizing system performance while auditing
  Using sample audit reports
  Creating custom audit reports
  Auditing database schema reference
Chapter 11 BusinessObjects Enterprise Security Concepts
  Security overview
  Authentication and authorization
  Primary authentication
  Secondary authentication and authorization
  About single sign-on
  Security management components
  Web Component Adapter
  Central Management Server
  Security plug-ins
  Processing extensions
  Active trust relationship
  Logon tokens
  Ticket mechanism for distributed security
  Sessions and session tracking
  WCA session tracking
  CMS session tracking
  Environment protection
  Web browser to web server
  Web server to BusinessObjects Enterprise
  Auditing web activity
  Protection against malicious logon attempts
  Password restrictions
  Logon restrictions
  User restrictions
  Guest account restrictions
Chapter 12 Managing User Accounts and Groups
  What is account management?
  Default users and groups
  Default users
  Default groups
  Available authentication types
  Managing Enterprise and general accounts
  Creating an Enterprise user account
  Adding a user to groups
  Modifying a user account
  Deleting a user account
  Changing password settings
  Creating a group
  Adding users to a group
  Modifying a group
  Viewing group members
  Deleting a group
  Disabling the Guest account
  Granting access to users and groups
  Managing LDAP accounts
  Configuring LDAP authentication
  Mapping LDAP groups
  Unmapping LDAP groups
  Viewing mapped LDAP users and groups
  Changing LDAP connection parameters and member groups
  Managing multiple LDAP hosts
  Troubleshooting LDAP accounts
  Managing AD accounts
  Mapping AD accounts
  Unmapping AD groups
  Viewing mapped AD users and groups
  Troubleshooting AD accounts
  Setting up AD single sign-on
  Managing NT accounts
  Mapping NT accounts
  Unmapping NT groups
  Viewing mapped NT users and groups
  Troubleshooting NT accounts
  Setting up NT single sign-on
  Managing aliases
  Creating a user and a third-party alias
  Creating an alias for an existing user
  Assigning an alias
  Reassigning an alias
  Deleting an alias
  Disabling an alias
  Configuring Kerberos single sign-on
  Setting up a service account
  Configuring the servers
  Configuring the Windows AD plug-in for Kerberos authentication
  Configuring the cache expiry
  Configuring the IIS and browsers
  Configuring IIS for end-to-end single sign-on
  Configuring IIS for single sign-on to databases only
  Configuring BusinessObjects Enterprise web applications
  Mapping AD accounts for Kerberos single sign-on
  Configuring the databases for single sign-on
Chapter 13
  Controlling user access overview
  Controlling users' access to objects
  Setting object rights for users and groups
  Viewing object rights settings
  Setting common access levels
  Setting advanced object rights
  Using inheritance to your advantage
  Inheritance with advanced rights
  Customizing a top-down inheritance model
  Controlling access to applications
  Controlling administrative access
  Controlling access to users and groups
  Controlling access to user inboxes
  Controlling access to servers and server groups
  Controlling access to universes
  Controlling access to universe connections
Chapter 14 Organizing Objects
  Organizing objects overview
  About folders and categories
  Working with folders
  Creating and deleting folders
  Copying and moving folders
  Adding a report to a new folder
  Specifying folder rights
  Setting limits for folders, users, and groups
  Managing User Folders
  Working with categories
  Creating and deleting categories
  Moving categories
  Adding an object to a new category
  Removing or deleting objects from a category
  Specifying category rights
  Managing personal categories
Chapter 15 Publishing Objects to BusinessObjects Enterprise
  Publishing overview
  Publishing options
  Publishing with the Publishing Wizard
  Logging on to BusinessObjects Enterprise
  Adding objects
  Creating and selecting a folder on the CMS
  Moving objects between folders
  Duplicating the folder structure
  Adding objects to a category
  Changing scheduling options
  Refreshing repository fields
  Selecting a program type
  Specifying program credentials
  Changing default values
  Changing object properties
  Entering database logon information
  Setting parameters
  Setting the schedule output format
  Adding extra files for programs
  Specifying command line arguments
  Finalizing the objects to be added
  Publishing with the Central Management Console
  Saving objects directly to the CMS
Chapter 16 Importing Objects to BusinessObjects Enterprise
  Importing information
  Importing information from BusinessObjects Enterprise 6.x
  Before importing from BusinessObjects Enterprise 6.x
  Importing objects from BusinessObjects Enterprise 6.x
  Importing information from Crystal Enterprise
  Importing objects from Crystal Enterprise
  Importing information from Crystal Info
  Importing objects from Crystal Info
  Importing with the Import Wizard
  Specifying the source and destination environments
  Selecting information to import
  Importing objects with rights
  Choosing an import scenario
  Importing specific objects
  Finalizing the import
Chapter 17 Managing Objects
  Managing objects overview
  General object management
  Copying, moving, or creating a shortcut for an object
  Deleting an object
  Searching for an object
  Sending an object or instance
  Changing properties of an object
  Assigning an object to categories
  Report object management
  What are report objects and instances?
  Setting report refresh options
  Viewing the universes for a Web Intelligence document
  Setting report processing options
  Applying processing extensions to reports
  Working with hyperlinked reports
  Program object management
  What are program objects and instances?
  Setting program processing options
  Object package management
  What are object packages, components, and instances?
Creating an object package . . . 460
Adding objects to an object package . . . 461
Configuring object packages and their objects . . . 462
Authentication and object packages . . . 463
Chapter 18 Scheduling Objects . . . 465
Scheduling objects overview . . . 466
Scheduling objects . . . 466
About the scheduling options and parameters . . . 468
Scheduling objects using object packages . . . 471
Scheduling an object with events . . . 473
Setting the scheduling options . . . 476
Setting notification for an object's success or failure . . . 476
Specifying alert notification . . . 479
Selecting a destination . . . 481
Choosing a format . . . 491
Selecting cache options for Web Intelligence documents . . . 493
Scheduling an object for a user or group . . . 493
Managing instances . . . 495
Managing and viewing the history of instances . . . 495
Setting instance limits for an object . . . 498
Chapter 19 Managing Calendars . . . 501
Overview . . . 502
Creating calendars . . . 502
Adding dates to a calendar . . . 503
Deleting calendars . . . 507
Specifying calendar rights . . . 508
Chapter 20 Managing Events . . . 509
Managing events overview . . . 510
File-based events . . . 511
Schedule-based events . . . 512
Custom events . . . 514
Troubleshooting overview . . . 518
Documentation resources . . . 519
Web accessibility issues . . . 519
Using an IIS web site other than the default . . . 519
Unable to connect to CMS when logging on to the CMC . . . 520
Windows NT authentication cannot log you on . . . 520
Report viewing and processing issues . . . 521
Troubleshooting reports with Crystal Reports . . . 521
Troubleshooting reports and looping database logon prompts . . . 523
Ensuring that server resources are available on local drives . . . 526
Page Server error when viewing a report . . . 527
InfoView considerations . . . 527
Supporting users in multiple time zones . . . 527
Setting default report destinations . . . 527
Chapter 22 Licensing Information . . . 529
Licensing overview . . . 530
Accessing license information . . . 531
Adding a license key . . . 532
Viewing current account activity . . . 532
Appendix A From BusinessObjects 6.x to BusinessObjects XI . . . 535
Product offering . . . 536
Architecture . . . 537
BusinessObjects 6.x . . . 537
BusinessObjects XI . . . 538
Basic terminology . . . 539
Migration . . . 542
Migration and mapping of specific objects . . . 542
Migration of user rights . . . 545
Installation, configuration, and deployment . . . 547
Security . . . 551
Administration . . . 554
Reporting, analysis, information sharing . . . 558
SDK . . . 562
Appendix B Rights and Access Levels . . . 563
Rights . . . 564
Access levels . . . 565
No Access . . . 565
View . . . 565
View On Demand . . . 566
Full Control . . . 567
Default rights on the top-level folder . . . 567
Object rights for the Report Application Server . . . 568
Appendix C Configuring NTFS Permissions . . . 569
Configuring NTFS permissions . . . 570
Configuring NTFS permissions for BusinessObjects Enterprise components . . . 570
Appendix D Customizing the appearance of Web Intelligence documents . . . 575
Customizing the appearance of Web Intelligence documents . . . 576
What you can do with the defaultconfig.xml file . . . 577
Locating and modifying defaultconfig.xml . . . 578
List of key values . . . 580
Example: Modifying the default font in table cells . . . 581
Appendix E Server Command Lines . . . 583
Command lines overview . . . 584
Standard options for all servers . . . 585
Central Management Server . . . 586
Page Server and Cache Server . . . 588
Job servers . . . 590
Report Application Server . . . 591
Web Intelligence Report Server . . . 593
Input and Output File Repository Servers . . . 594
Event Server . . . 595
Appendix F UNIX Tools . . . 597
UNIX tools overview . . . 598
Script utilities . . . 598
ccm.sh . . . 598
cmsdbsetup.sh . . . 601
configpatch.sh . . . 601
serverconfig.sh . . . 602
sockssetup.sh . . . 603
uninstallBOBJE.sh . . . 604
Script templates . . . 604
startservers . . . 605
stopservers . . . 605
silentinstall.sh . . . 605
Scripts used by BusinessObjects Enterprise . . . 606
bobjerestart.sh . . . 606
env.sh . . . 606
env-locale.sh . . . 606
initlaunch.sh . . . 606
patchlevel.sh . . . 607
postinstall.sh . . . 607
setup.sh . . . 607
setupinit.sh . . . 607
Appendix G International Deployments . . . 609
International deployments overview . . . 610
Deploying BusinessObjects Enterprise internationally . . . 610
Planning an international BusinessObjects Enterprise deployment . . . 611
Providing a client tier for multiple languages . . . 613
Appendix H
615
About accessibility . . . 616
Benefits of accessible reports . . . 616
About the accessibility guidelines . . . 617
Accessibility and Business Objects products . . . 618
Improving report accessibility . . . 619
Placing objects in reports . . . 619
Text . . . 621
Color . . . 625
Navigation . . . 626
Parameter fields . . . 627
Designing for flexibility . . . 628
Accessibility and conditional formatting . . . 629
Accessibility and suppressing sections . . . 630
Accessibility and subreports . . . 631
Improving data table accessibility . . . 631
Text objects and data table values . . . 632
Other data table design considerations . . . 636
Accessibility and BusinessObjects Enterprise . . . 637
Setting accessible preferences for BusinessObjects Enterprise . . . 637
Accessibility and customization . . . 638
Resources . . . 640
Appendix I Business Objects Information Resources . . . 641
Documentation and information services . . . 642
Documentation . . . 642
What's in the documentation set? . . . 642
Where is the documentation? . . . 642
Send us your feedback . . . 643
Customer support, consulting and training . . . 643
How can we support you? . . . 643
Looking for the best deployment solution for your company? . . . 644
Looking for training options? . . . 644
Supported products
All Business Objects products are now available under the same platform. BusinessObjects Enterprise XI provides full support for the management, security, delivery, and interaction for the following products and versions:
Crystal Reports XI
BusinessObjects Web Intelligence XI
BusinessObjects OLAP Intelligence XI
BusinessObjects Data Integrator XI
For information about these products, consult the documentation provided with each component. BusinessObjects Enterprise XI also supports the following add-in components:
BusinessObjects Enterprise Live Office XI
Use Live Office to embed your business intelligence data into Word documents, Excel spreadsheets, and PowerPoint presentations. Then you can share the resulting Office documents securely using BusinessObjects Enterprise. By taking advantage of the security and management features of BusinessObjects Enterprise, you can manage your Office documents the same way you manage your business intelligence documents.
New features
BusinessObjects Enterprise XI represents the full integration of traditional Business Objects and Crystal products, combining the best features of each product line. Whether you have an existing BusinessObjects Enterprise system or a Crystal Enterprise system, you will notice a wide range of new features in BusinessObjects Enterprise XI.
End-user experience
BusinessObjects Enterprise XI provides a significantly enhanced user experience for all customers.
Categories
If you are upgrading or migrating from an existing Crystal Enterprise deployment, you will notice the addition of categories to BusinessObjects Enterprise XI. If you're migrating from BusinessObjects Enterprise 6.5, you can import your existing categories with the Import Wizard. Folders and categories work together to provide strong navigation capabilities. Folders are used as a location to store documents. Complementary to folders, categories are used for classifying documents in BusinessObjects Enterprise. Categories provide an effective way of classifying documents that makes it easier for users to organize documents. The categorization of documents enables users to locate information more easily regardless of where it is stored within the system. Users can classify documents by using categories created by themselves and by others. By creating a combination of folders and categories, and setting appropriate rights for them, you can organize documents according to multiple criteria and improve both security and navigation.
For example, if you currently organize your files into departmental folders, you could use categories to create an alternate filing system that divides content according to different roles in your organization, such as managers or VPs. You can associate documents with multiple categories, and you can create subcategories within categories.
Discussions
Discussions provide threaded notes on all documents within BusinessObjects XI, allowing users to add comments to documents in BusinessObjects Enterprise. In BusinessObjects Enterprise XI, you can add discussions to any document in the system either by selecting it from the document list or while the user is viewing the document. By adding discussions to documents, you can share knowledge about the information in the documents. You can grant other users access to the threaded discussions to allow new users to keep track of historical comments added to the documents.
InfoView
BusinessObjects Enterprise XI introduces a new InfoView, a completely updated business intelligence portal. InfoView has been designed to allow users to do most tasks within the BI environment without the need of IT intervention. Users familiar with previous versions of InfoView or ePortfolio will see that old features have been fully updated and improved. New features allow users to be even more productive. Through extensive testing and design, the new look and feel is designed for intuitive user interaction, combined with comprehensive support for the entire product line. From a single web environment, users can view, create, and interact with information. InfoView is available as a .NET (ASPX) version or a J2EE version (JSP). The delivery of both .NET and J2EE versions gives the customer the flexibility of deploying InfoView in their established environment.
Publishing
In BusinessObjects Enterprise 6 systems, the term publishing is related to sending a document to multiple users containing different information depending on the user rights. This functionality, traditionally provided by the Broadcast Agent Publisher, is now part of BusinessObjects Enterprise XI itself. The important features provided by the Broadcast Agent Publisher are provided in BusinessObjects Enterprise XI, including scheduling to different formats, and scheduling directly to email or printers. For more information on migrating documents, see the BusinessObjects Enterprise Installation Guide.
Scheduling
BusinessObjects Enterprise XI provides scheduling capabilities for both Crystal reports and Web Intelligence documents. If you are migrating from an existing BusinessObjects Enterprise 6.x deployment, note that the Broadcast Agent Scheduler is no longer required. You will also notice that scheduling is more integrated in Business Objects XI and includes new features such as business calendars. BusinessObjects Enterprise XI also provides the ability to schedule documents on behalf of others. This secure mechanism allows a single report to serve the needs of multiple users by delivering only the specific subsets of information to each user according to their security profile. Unlike other techniques that require special programming efforts, this solution is more manageable and can be applied to all documents designed from secured Universes or Business Views.
Report design
BusinessObjects XI includes Crystal Reports, the leading report design tool in the market. Crystal Reports XI provides improved report design, usability, and processing, including significant enhancements to parameters to allow for the dynamic generation of lists of values.
Semantic Layer
BusinessObjects Enterprise XI includes both Universes and Business Views, to help make the report design process even simpler.
Universes
Universes are patented Business Objects technology. They act as a semantic layer between the user and a database. All universe objects and their associated connections are stored and secured in the repository of BusinessObjects Enterprise XI itself. If you're migrating from an existing BusinessObjects Enterprise deployment, you can use the Import Wizard to import your existing universes and their connection objects.
Business Views
Business Views is a flexible and reliable multi-tier system that enables companies to build detailed and specific Business Views objects that help report designers and end users access the information they require.
Note: Business Views can be used only by Crystal Reports, while Universes are accessible by both Crystal Reports and Web Intelligence.
Developer flexibility
BusinessObjects Enterprise development tools
BusinessObjects Enterprise provides SDKs for enterprise application developers to build application and portal integration on top of the platform. Recognizing the need for comprehensive support for different development environments, BusinessObjects Enterprise XI provides extensive .NET and Java SDKs. Note: BusinessObjects Enterprise also continues to support existing development in COM, although we recommend migrating to .NET or Java. BusinessObjects Enterprise XI includes an enhanced version of the Unified Web Services provided with the BusinessObjects Crystal Integration Pack. Unified Web Services includes server components (the providers) and both .NET and Java APIs that are used to write applications that consume the provided web services. The consumers simplify application development.
Web Services
The integration pack Web Services have been updated to support the new BusinessObjects XI platform features:
The Web Intelligence documents are served by the BusinessObjects XI Web Intelligence report engine.
The LDAP authentication is natively supported.
Web Farm is supported.
As in the integration pack, the BusinessObjects XI Web Services deliver a Session service (Session management, authentication, and so on), a BICatalog service (InfoObject list, category management, and so on), and a ReportEngine service (Crystal Reports and Web Intelligence document viewing including prompt and drill management).
JavaServer Faces for BusinessObjects Enterprise XI. Support for Web Intelligence, Inbox, Categories, Universes. Java and Web Farms support. Improved query language.
System administration
BusinessObjects Enterprise provides an efficient and scalable architecture for processing, managing, and delivering information to your users.
Management
The Central Management Console provides users with a centralized point for administering a variety of details including scheduling, security, and auditing.
Architecture
If you are upgrading from an existing BusinessObjects Enterprise 6.5 system, you will notice key differences in the architecture of BusinessObjects Enterprise XI. BusinessObjects Enterprise XI is built on a component- or services-based architecture. As a services-oriented architecture, it provides better flexibility, scalability, fault tolerance, and extensibility. BusinessObjects Enterprise XI inherits most of the new platform services from the proven Crystal Enterprise architecture, widely recognized as a highly scalable, reliable, and powerful platform by customers and industry experts alike. The service-oriented platform allows current Business Objects products such as Web Intelligence to plug directly into the framework without requiring extensive configuration.
Auditing
Instead of using a separate auditing component, BusinessObjects Enterprise XI includes built-in auditing features.
The auditing functionality of BusinessObjects Enterprise XI focuses on enabling administrators to gain a better understanding of the users accessing the system and the documents they are interacting with. The auditing functionality within BusinessObjects Enterprise has been implemented with the concept of a central auditor and individual server auditees. The auditor role is fulfilled by the Central Management Server (CMS), while individual services with auditing functionality are considered the auditees. This means that the overall system, as well as the individual services, can be audited depending on the level of detail required. The CMS collects and collates the auditing data from the system interactions and writes the information into the auditing database. You can then create reports based on this auditing data. There is no migration or integration of the BusinessObjects Auditor product. For more information on auditing, see the auditing chapter of the BusinessObjects Enterprise Administrator's Guide.
Fault tolerance
BusinessObjects Enterprise provides fail-over at the system management level (for scheduling, security, and authentication, for example). The system also provides full support for replication of all server components. Redundant components automatically take over the load if the system encounters a hardware failure or excessive wait times. BusinessObjects Enterprise XI includes enhanced support for session-level failover. If a processing service fails, another service identifies the failure and continues the processing. The enhanced fault tolerance ensures seamless reporting and query analysis for your users.
Load balancing
Intelligent load balancing algorithms eliminate bottlenecks and maximize hardware efficiency. In a multi-server environment, you need to balance the load across multiple machines, in order to enhance scalability and maintain efficient server performance. BusinessObjects Enterprise XI includes built-in load balancing across all system management and report processing functions. It applies a mixture of active and passive approaches to maximize server availability and minimize response time for your users.
Security
BusinessObjects Enterprise XI provides all of the existing security features currently supported in Crystal Enterprise. User, group, and object level security is controlled using Access Control Lists (ACL), an industry standard method for controlling cascading security access. Security can be applied at the object level to all documents, categories, connections, universes, and universe restriction sets. The Central Management Console is a centralized management tool that can be used to administer security. For details on how rights are mapped, please see the BusinessObjects Enterprise XI Installation Guide.
Business Objects XI now provides single sign-on with Active Directory authentication using the Kerberos protocol. By combining single sign-on and report viewing, you can provide end-to-end single sign-on, which allows a user's security context to be retrieved from the host operating system and be used to access BusinessObjects Enterprise and the underlying databases for the reports and documents in the system. These capabilities require the system to run all components on the Windows operating system and for the users to use Internet Explorer with Active Directory authentication. Please see platforms.txt for more information on supported platforms.
Business Objects XI has introduced single sign-on for LDAP authentication. When LDAP authentication is enabled, the administrator has the option to use Siteminder as an external system for authentication providing single sign-on capabilities to BusinessObjects Enterprise.
Also, you can now configure your deployment to use the Secure Sockets Layer (SSL) protocol for all network communication between your BusinessObjects Enterprise XI servers.
Migration
An administrator will be able to create users and groups, and import users and groups from existing BusinessObjects Enterprise and Crystal Enterprise deployments into BusinessObjects Enterprise XI using the Import Wizard. The Import Wizard maps most security rights from current systems directly to new users and groups in BusinessObjects Enterprise XI. For details on how rights are mapped or for more information on the Import Wizard, please see the BusinessObjects Enterprise XI Installation Guide.
Administration overview
The regular administrative tasks associated with BusinessObjects Enterprise can be roughly divided into three major categories: user management, content management, and server management. The remainder of this guide provides technical and procedural information corresponding to each of these management categories. This chapter briefly introduces new BusinessObjects Enterprise administrators to some of the available management tools. It also shows you how to make initial security settings, such as setting the password for the system's default Administrator account. You will typically use the following applications to manage BusinessObjects Enterprise:
Central Management Console (CMC)
This web application is the most powerful administrative tool provided for managing a BusinessObjects Enterprise system. It offers you a single interface through which you can perform almost every task related to user management, content management, and server management. For an introduction to the CMC, see Central Management Console on page 37.
Central Configuration Manager (CCM)
This server administration tool is provided in two forms. In a Windows environment, the CCM allows you to manage local and remote servers through its Graphical User Interface (GUI) or from a command line. In a UNIX environment, the CCM shell script (ccm.sh) allows you to manage servers from a command line. For an introduction to the CCM, see Using the Central Configuration Manager on page 42.
Publishing Wizard
This application allows you to publish your reporting content to BusinessObjects Enterprise quickly. It also allows you to specify a number of options on each report that you publish. Although this application runs only on Windows, you can use it to publish reports to BusinessObjects Enterprise servers that are running on Windows or on UNIX. For more information on publishing content to BusinessObjects Enterprise, see Publishing overview on page 374.
Replace webserver with the name of the web server machine. If you changed this default virtual directory on the web server, you will need to type your URL accordingly.
Tip: On Windows, you can click Start > Programs > BusinessObjects XI > BusinessObjects Enterprise > BusinessObjects Enterprise .NET Administration Launchpad (or Java Administration Launchpad).
2. Click Central Management Console.
3. Type your User Name and Password.
For this example, type Administrator as the User Name. This default Enterprise account does not have a password until you create one. For details, see Setting the Administrator password on page 44.
If you're using LDAP or Windows NT authentication, you may log on using an account that has been mapped to the BusinessObjects Enterprise Administrators group.
4. Select Enterprise in the Authentication Type list.
Windows AD, Windows NT and LDAP authentication also appear in the list; however, you must map your third-party user accounts and groups to BusinessObjects Enterprise before you can use these types of authentication.
5. Click Log On.
The CMC Home page appears.
Click the links or icons on the Home page to go to specific management areas.
Select the same management areas from the drop-down list in the title area of the window. Click Go if your browser doesn't take you directly to the new page.
Once you leave the Home page, your location within the CMC is indicated by a path that appears above the title of each page. For example, Home > Users > New User indicates that youre on the New User page. You can click the hyperlinked portions of the path to jump quickly to different parts of the application. In this example, you could click Home or Users to go to the corresponding page.
38
CMC preferences
Viewer
This list sets the default report viewer that is loaded when you view a report in the CMC. To set the available and default viewers for all users, see Configuring the processing tier on page 115.
Maximum number of objects per page
This option limits the number of objects listed on any page or tab in the CMC. Note: This setting does not limit the number of objects displayed, simply the number displayed per page. For details about limiting the number of objects displayed on a page or in a search, see Setting the Query size threshold on page 40.
Maximum number of characters for each page index
When a list of objects spans multiple pages, the full list is sorted alphanumerically and indexed before being subdivided. At the top of every page, hyperlinks are displayed as an index to each of the remaining pages. This setting determines the number of characters that are included in each hyperlink. In this example, the maximum number of characters is set to 3, so three-character hyperlinks are used to index the report objects on each page. Note: To specify an unlimited maximum number of characters, select the Unlimited check box.
Measuring units for report page layout
Specify inches or millimeters as the measuring units used by default when you customize a report's page layout on the report object's Print Setup tab.
Time zone
If you are managing BusinessObjects Enterprise remotely, use this list to specify your time zone. BusinessObjects Enterprise synchronizes scheduling patterns and events appropriately. For instance, if you select Eastern Time (US & Canada), and you schedule a report to run at 5:00 a.m. every day on a server that is located in San Francisco, then the server will run the report at 2:00 a.m. Pacific Time. For more information about time zones, see Supporting users in multiple time zones on page 527.
My Password
Click the Change Password link to change the password for the account under which you are currently logged on.
3. In the Prompt for search if the return size exceeds field, type the maximum number of objects you want to be returned in searches and on the initial pages of the Objects, Folders, Groups, and Users management areas.
4. In the CMC Access URL field, type the URL for the CMC. Specifying the URL here allows Crystal Reports to get this URL from the CMS in order to call pages in the CMC. It needs to call these pages in order to support the previewing of reports and to enable administration tasks to be performed from Crystal Reports.
5. Click Update.
Note: To modify the number of objects displayed on a page (rather than the total number of objects displayed), see Setting console preferences on page 38.
A green arrow indicates the server is running. A yellow arrow indicates the server is starting. A red arrow indicates the server is not running.
Note: The status icons do not indicate whether servers are enabled or disabled. Servers must be enabled before they will respond to BusinessObjects Enterprise requests. Click Enable/Disable on the toolbar to log on and enable or disable servers. For details, see Enabling and disabling servers on page 85.
To connect to servers on a remote machine
1. Once you have started the CCM, you can connect to a remote machine in several ways:
In the Computer Name field, type the name of the machine you want to connect to; then press Enter.
In the Computer Name field, select a remote machine from the list.
On the toolbar, click Browse. Select the appropriate computer; then click OK.
2. If prompted, log on to the remote machine with an account holding administrative rights. Note: You may need to type your user name as domain\username. The CCM lists the servers associated with this machine.
2. Run ccm.sh with command-line options to manage one or more servers. For instance, the following set of commands starts the BusinessObjects Enterprise servers and enables each server on its default port:
./ccm.sh -start all
./ccm.sh -enable all
Note: The main options for the CCM are covered in more detail in UNIX Tools on page 597.
To view additional help on ccm.sh
The ccm.sh script also provides a detailed description of its command-line options. To see the command-line help, issue the following command:
./ccm.sh -help | more
Setting the Administrator password on page 44
Disabling the Guest account on page 44
Modifying the default security levels on page 45
For additional security information, you may also want to refer to:
Chapter 11: BusinessObjects Enterprise Security Concepts
Available authentication types on page 252
Controlling User Access on page 315
For more information about user accounts, see Managing Enterprise and general accounts on page 253.
Managing universes
Web Intelligence users connect to a universe, and run queries against a database. They can do data analysis and create reports using the objects in a universe, without seeing, or having to know anything about, the underlying data structures in the database. You create a universe by using the Designer. For complete information, see the Designer's Guide. Using CMC, you can view and delete universes. You can also control who has access rights to a universe. See Controlling access to universes on page 354.
To view a universe
1. Go to the Universes management area of the CMC. The Universes page appears.
2. Click the link for the universe you want to view. The properties page for the universe appears.
To delete a universe
1. Go to the Universes management area of the CMC. The Universes page appears.
2. Select the universe you want to delete.
3. Click Delete.
to your middleware. You must have a connection to access data. You must select or create a connection when you create a universe. For complete information, see the Designer's Guide. Using CMC, you can view and delete connections. You can also control who has access rights to a connection. See Controlling access to universe connections on page 355.
To view connections
1. Go to the Universe Connections management area of the CMC. The Connections page appears.
2. Click the link for the connection you want to view. The properties page for the connection appears.
To delete a universe connection
1. Go to the Universe Connections management area of the CMC. The Universe Connections page appears.
2. Select the connection you want to delete.
3. Click Delete.
Managing InfoView
You can use the Business Objects Applications area of the Central Management Console to make minor changes to the appearance and functionality of InfoView, without doing any programming. You can also configure settings that control which viewers are available to users. When users view a report using the Advanced DHTML viewer, the report is processed by the Report Application Server. If you are using the Java version of InfoView and want users to be able to use the Active X or Java viewers, you must enter the context path of the Web Component Adapter. Consult the BusinessObjects Enterprise Installation Guide for more information.
To manage settings for InfoView
1. Go to the BusinessObjects Enterprise Applications management area of the CMC.
2. Click InfoView.
3. On the Properties tab, select the options that you want.
4. Click Update.
Managing Discussions
BusinessObjects Enterprise administrators are responsible for maintaining the discussion threads and for granting the appropriate access rights to BusinessObjects Enterprise users. Managing Discussions includes the following tasks:
Accessing the Discussions page on page 49
Searching for discussion threads on page 49
Sorting search results on page 51
Deleting discussion threads on page 51
Setting user rights on page 51
3. In the Field name list, select which of the following criteria you want to search by:
Thread title. Search by the title of a thread.
Creation date. Search by the date the thread was created.
Last modified date. Search based on the date a thread was last modified.
Author. Search by the author of a specific thread.
4. From the second list, refine your search. If you search by Thread title or Author, the second field provides you with the following options.
is: The DMC searches for any discussion threads where the thread title, or the author name, exactly match the text that you type into the third field. Searches are not case sensitive.
is not: The DMC searches for any discussion threads where the thread title, or the author name, do not exactly match the text that you type into the third field.
contains: The DMC searches for any discussion threads that contain the search text string within any part of the thread title or the author's name.
does not contain: The DMC searches for any discussion threads that do not contain the text string within any part of the thread title.
If you search by Creation date or Last modified date, there are the following options.
before: The DMC searches for any discussion threads that were created or modified before the search date.
after: The DMC searches for any discussion threads that were created or modified after the search date.
between: The DMC searches for any discussion threads that were created or modified between the two search dates.
5. Use the third field to further refine your search. If you selected a text-based search in the first two fields, type in the text string. If you selected a date-based search, enter the date or dates in the appropriate fields.
6. Click Search to display all the records that match your search criteria.
Thread title. Sort by the title of a thread.
Creation date. Sort by the date the thread was created.
Last modified date. Sort based on the date a thread was last modified.
Author. Sort by the author of a specific thread.
2. In the second list, select whether you want the records to be displayed in ascending or descending order.
3. In the third category, enter how many results you want to be displayed on each page.
4. Click Search.
The remainder of this chapter describes each tier, the key BusinessObjects Enterprise components, and their primary responsibilities:
Client tier on page 56
Application tier on page 58
Processing tier on page 64
Data tier on page 68
Tip: When you are familiar with the architecture and want to customize your system configuration, see Chapter 5: Managing and Configuring Servers and Chapter 7: Scaling Your System.
Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format.
Client tier
The client tier is the only part of the BusinessObjects Enterprise system that administrators and end users interact with directly. This tier is made up of the applications that enable people to administer, publish, and view reports and other objects.
InfoView on page 56
Central Management Console (CMC) on page 56
Central Configuration Manager (CCM) on page 57
Publishing Wizard on page 57
Import Wizard on page 57
InfoView
BusinessObjects Enterprise comes with InfoView, a web-based interface that end users access to view, schedule, and keep track of published reports. Each BusinessObjects Enterprise request that a user makes is directed to the BusinessObjects Enterprise application tier. The web server forwards the user request directly to an application server where the request is processed by the WCA. InfoView also serves as a demonstration of the ways in which you can use the BusinessObjects Enterprise Software Development Kit (SDK) to create a custom web application for end users. In the case of .NET, InfoView also demonstrates how you can use the BusinessObjects Enterprise .NET Server Components. For more information, see the developer documentation available on your product CD.
manage servers and create server groups. Because the CMC is a web-based application, you can perform all of these administrative tasks remotely. For more information, see Central Management Console (CMC) on page 56. The CMC also serves as a demonstration of the ways in which you can use the administrative objects and libraries in the BusinessObjects Enterprise SDK to create custom web applications for administering BusinessObjects Enterprise. For more information, see the developer documentation available on your product CD.
Publishing Wizard
The Publishing Wizard is a locally installed Windows application that enables both administrators and end users to add reports to BusinessObjects Enterprise. By assigning object rights to BusinessObjects Enterprise folders, you control who can publish reports and where they can publish them to. For more information, see Publishing overview on page 374 and Controlling users' access to objects on page 317. The Publishing Wizard publishes reports from a Windows machine to BusinessObjects Enterprise servers running on Windows or on UNIX.
Import Wizard
The Import Wizard is a locally installed Windows application that guides administrators through the process of importing users, groups, reports, and folders from an existing BusinessObjects Enterprise, Crystal Enterprise, or Crystal Info implementation to BusinessObjects Enterprise. For more information, see Importing with the Import Wizard on page 402.
The Import Wizard runs on Windows, but you can use it to import information into a new BusinessObjects Enterprise system running on Windows or on UNIX.
Application tier
The application tier hosts the server-side components that process requests from the client tier as well as the components that communicate these requests to the appropriate server in the intelligence tier. The application tier includes support for report viewing and logic to understand and direct web requests to the appropriate BusinessObjects Enterprise server in the intelligence tier. The application tier includes:
Application tier components on page 58
Web development platforms on page 59
Web application environments on page 60
Application server and BusinessObjects Enterprise SDK on page 59
Web Component Adapter (WCA) on page 59
Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.
It processes ASP.NET (.aspx) and Java Server Pages (.jsp) files.
It also supports Business Objects applications such as the Central Management Console (CMC) and Crystal report viewers (that are implemented through viewrpt.aspx requests).
Java platform
All UNIX installations of BusinessObjects Enterprise include a Web Component Adapter (WCA). In this configuration, a Java application server is required to host the WCA and the BusinessObjects Enterprise Java SDK. The use of a web server is optional as you may choose to have static content hosted by the application server.
Intelligence tier
The intelligence tier manages the BusinessObjects Enterprise system. It maintains all of the security information, sends requests to the appropriate servers, manages audit information, and stores report instances.
Central Management Server (CMS) on page 61
Cache Server on page 63
File Repository Servers on page 63
Event Server on page 64
Maintaining security
By maintaining a database of users and their associated object rights, the CMS enforces who has access to BusinessObjects Enterprise and the types of tasks they are able to perform. These tasks include enforcing and maintaining the licensing policy of your BusinessObjects Enterprise system.
Managing objects
The CMS keeps track of the location of objects and maintains the containment hierarchy, which includes folders, categories, and inboxes. By communicating with the Job Servers and Program Job Servers, the CMS is able to ensure that scheduled jobs run at the appropriate times.
Managing servers
By staying in frequent contact with each of the servers in the system, the CMS is able to maintain a list of server status. Report viewers access this list, for instance, to identify which Cache Server is free to use for a report viewing request.
Managing auditing
By collecting information about user actions from each BusinessObjects Enterprise server, and then writing these records to a central audit database, the CMS acts as the system auditor. This audit information allows system administrators to better manage their BusinessObjects Enterprise deployment.
Note: In previous versions of Crystal Enterprise, the Central Management Server (CMS) was known as the Crystal Management Server, and also as the Automated Process Scheduler (APS).
Typically, you provide the CMS with database connectivity and credentials when you install BusinessObjects Enterprise, so the CMS can create its own system database and BusinessObjects Enterprise Repository database using your organization's preferred database server. For details about setting up CMS databases, see the BusinessObjects Enterprise Installation Guide, and Configuring the auditing database on page 209. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements.
Note:
It is strongly recommended that you back up the CMS system database, and the audit database frequently. The backup procedure depends upon your database software. If you are unsure of the procedure, consult with your database administrator.
The CMS database should not be accessed directly. System information should only be retrieved using the calls that are provided in the BusinessObjects Enterprise Software Development Kit (SDK). For more information, see the developer documentation available on your product CD.
You can access the audit database directly to create custom audit reports. See Creating custom audit reports on page 217 for more information.
On Windows, the Setup program can install and configure its own Microsoft Data Engine (MSDE) database if necessary. MSDE is a client/server data engine that provides local data storage and is compatible with Microsoft SQL Server. If you already have the MSDE or SQL Server installed, the installation program uses it to create the CMS system database. You can migrate your default CMS system database to a supported database server later.
For details about configuring the CMS, its system database, and CMS clusters, see Configuring the intelligence tier on page 92. For more information about Auditing, see Managing Auditing on page 203.
Cache Server
The Cache Server is responsible for handling all report viewing requests. The Cache Server checks whether or not it can fulfill the request with a cached report page. If the Cache Server finds a cached page that displays exactly the required data, with data that has been refreshed from the database within the interval that you have specified as the default, the Cache Server returns that cached report page. If the Cache Server cannot fulfil the request with a cached report page, it passes the request along to the Page Server. The Page Server runs the report and returns the results to the Cache Server. The Cache Server then caches the report page for future use, and returns the data to the viewer. By storing report pages in a cache, BusinessObjects Enterprise avoids accessing the database each and every time a report is requested. If you are running multiple Page Servers for a single Cache Server, the Cache Server automatically balances the processing load across Page Servers. For more information, see Modifying Cache Server performance settings on page 112.
Note:
The Input and Output File Repository Servers cannot share the same directories. This is because one of the File Repository Servers could then delete files and directories belonging to the other.
In larger deployments, there may be multiple Input and Output File Repository Servers, for redundancy. In this case, all Input File Repository Servers must share the same directory. Likewise, all Output File Repository Servers must share a directory.
Objects with files associated with them, such as text files, Microsoft Word files, or PDFs, are stored on the Input File Repository Server.
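The directory rules in the note above can be checked mechanically before the servers are started. The following Python check is an added example, not code from the BusinessObjects Enterprise documentation or product; the server names and paths are constructed, and treating a nested Input/Output directory as a violation is an assumption that extends the "cannot share" rule stated above.

```python
import os
from collections import namedtuple

# One finding per violated rule; "rule" is a short machine-readable tag.
Finding = namedtuple("Finding", ["rule", "detail"])


def _canon(path):
    # realpath() collapses "..", trailing slashes and any symlinks that exist,
    # so two spellings of the same directory compare equal.
    return os.path.realpath(path)


def _within(child, parent):
    # True when child lies strictly beneath parent. The comparison is done per
    # path component, so /frs/input2 is not treated as inside /frs/input.
    try:
        return child != parent and os.path.commonpath([child, parent]) == parent
    except ValueError:  # for example, different drives on Windows
        return False


def check_frs_layout(input_dirs, output_dirs):
    """Validate File Repository Server root directories.

    input_dirs / output_dirs map a server name (hypothetical labels chosen by
    the caller) to the root directory configured for that server.
    Returns a list of Finding tuples; an empty list means the layout is valid.
    """
    findings = []
    canon_in = {name: _canon(p) for name, p in input_dirs.items()}
    canon_out = {name: _canon(p) for name, p in output_dirs.items()}

    # Rule from the note: all Input FRSs share one directory, and all
    # Output FRSs share one directory.
    for kind, group in (("input", canon_in), ("output", canon_out)):
        distinct = sorted(set(group.values()))
        if len(distinct) > 1:
            findings.append(Finding(
                kind + "-not-shared",
                "%s servers use %d different directories: %s"
                % (kind, len(distinct), ", ".join(distinct))))

    # Rule from the note: Input and Output FRSs must not share a directory,
    # because one server could delete the other's files.
    for ipath in sorted(set(canon_in.values())):
        for opath in sorted(set(canon_out.values())):
            if ipath == opath:
                findings.append(Finding(
                    "input-output-shared",
                    "input and output both resolve to %s" % ipath))
            elif _within(ipath, opath) or _within(opath, ipath):
                # Assumption beyond the note: a nested layout exposes the same
                # deletion risk, so it is reported as well.
                findings.append(Finding(
                    "input-output-nested",
                    "%s and %s are nested" % (ipath, opath)))
    return findings


if __name__ == "__main__":
    # Constructed sample: two spellings of one directory on both sides.
    sample_inputs = {"input.frs1": "/srv/boe/frs/data"}
    sample_outputs = {"output.frs1": "/srv/boe/frs/tmp/../data"}
    for finding in check_frs_layout(sample_inputs, sample_outputs):
        print(finding.rule + ": " + finding.detail)
```

Paths are compared after canonicalization, so a trailing slash, a ".." segment or a symlink does not hide a shared directory.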
Event Server
The Event Server manages file-based events. When you set up a file-based event within BusinessObjects Enterprise, the Event Server monitors the directory that you specified. When the appropriate file appears in the monitored directory, the Event Server triggers your file-based event: that is, the Event Server notifies the CMS that the file-based event has occurred. The CMS then starts any jobs that are dependent upon your file-based event. After notifying the CMS of the event, the Event Server resets itself and again monitors the directory for the appropriate file. When the file is newly created in the monitored directory, the Event Server again triggers your file-based event. Note: Schedule-based events, and custom events are managed by the Central Management Server.
Processing tier
The processing tier accesses the data and generates the reports. It is the only tier that interacts directly with the databases that contain the report data.
Report Job Server on page 65
Program Job Server on page 65
Web Intelligence Job Server on page 66
Web Intelligence Report Server on page 66
Report Application Server (RAS) on page 66
Destination Job Server on page 67
List of Values Job Server on page 67
Page Server on page 67
Unlike report instances, which can be viewed in their completed format, program instances exist as records in the object history. BusinessObjects Enterprise stores the program's standard out and standard error in a text output file. This file appears when you click a program instance in the object History.
If the request is for an object, it retrieves the object from the Input File Repository Server. If the request is for a report or program instance, it retrieves the instance from the Output File Repository Server.
The Destination Job Server can send objects and instances to destinations inside the BusinessObjects Enterprise system, for example, a user's inbox, or outside the system, for example, by sending a file to an email address. The Destination Job Server does not run the actual report or program objects. It only handles objects and instances that already exist in the Input or Output File Repository Servers. For more information, see Sending an object or instance on page 420.
Page Server
The Page Server is primarily responsible for responding to page requests by processing reports and generating Encapsulated Page Format (EPF) pages. The EPF pages contain formatting information that defines the layout of the report. The Page Server retrieves data for the report from an instance or directly from the database (depending on the user's request and the rights he or she has to the report object). When retrieving data from the database, the Page Server automatically disconnects from the database after it fulfills its initial request and reconnects if necessary to retrieve additional data. (This behavior conserves database licenses.) The Cache Server and Page Server work closely together. Specifically, the Page Server responds to page requests made by the Cache Server. The Page Server and Cache Server also interact to ensure cached EPF pages are reused as frequently as possible, and new pages are generated as soon as they are required. BusinessObjects Enterprise takes advantage of this behavior by ensuring that the majority of report-viewing requests are made to the Cache Server and Page Server. (However, if a user's default viewer is the Advanced DHTML viewer, the report is processed by the Report Application Server.) The Page Server also supports COM, ASP.NET, and Java viewer Software Development Kits (SDKs).
Data tier
The data tier is made up of the databases that contain the data used in the reports. BusinessObjects Enterprise supports a wide range of corporate databases.
See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements.
Report viewers
BusinessObjects Enterprise includes report viewers that support different platforms and different browsers in the client tier, and which have different report viewing functionality. (For more information on the specific functionality or platform support provided by each report viewer, see the BusinessObjects Enterprise User's Guide or the Crystal Reports Developer's Guide.) All of the viewers fall into two categories:
client-side viewers
Client-side viewers are downloaded and installed in the user's web browser.
zero client viewers
The code to support zero client viewers resides in the application tier.
client-side viewers: Active X viewer, Java viewer
zero client viewers: DHTML viewer, Advanced DHTML viewer
All report viewers help process requests for reports, and present report pages that appear in the user's browser.
Client-side viewers
Client-side viewers are downloaded and installed in the user's browser. When a user requests a report, the application server processes the request, and retrieves the report pages in .epf format from the BusinessObjects Enterprise framework. The application server then passes the .epf file to the client-side viewer, which processes the .epf files and displays them directly in the browser.
Zero client viewers
Zero client viewers reside on the application server. When a user requests a report, the application server processes the request, and then retrieves the report pages in .epf format from the BusinessObjects Enterprise framework. The SDK creates a viewer object on the application server which processes the .epf and creates DHTML pages that represent both the viewer controls and the report itself. The viewer object then sends these pages through the web server to the user's web browser.
Installing viewers
If they haven't already done so, users are prompted to download and install the appropriate viewer software before the report is displayed in the browser. The Active X viewer is downloaded the first time a user requests a report, and then remains installed on the user's machine. The user will be prompted to reinstall the ActiveX viewer only when a new version becomes available on the server.
Information flow
This section describes the interaction of the server components in order to demonstrate how report-processing is performed. This section covers two different scenarios:
What happens when you schedule an object? on page 70
What happens when you view a report? on page 71
If the object is a Web Intelligence document, it sends the job to the Web Intelligence Job Server, which sends the request to the Web Intelligence Report Server.
If the object is a report, it sends the job to the Report Job Server.
If the object is a program, it sends the job to the Program Job Server.
7. The job server retrieves the object from the Input File Repository Server and runs the object against the database, thereby creating an instance of the object.
8. The job server then saves the instance to the Output File Repository Server, and tells the CMS that it has completed the job successfully. If the job was for a Web Intelligence document, the Web Intelligence Report Server notifies the Web Intelligence Job Server. The Web Intelligence Job Server then notifies the CMS that the job was completed successfully.
Tip: For details about multiple time zones, see Supporting users in multiple time zones on page 527.
Note:
The Cache Server and the Page Server do not participate in scheduling reports or in creating instances of scheduled reports. This can be an important consideration when deciding how to configure BusinessObjects Enterprise, especially in large installations. See Scaling Your System on page 157.
When you schedule program objects or object packages, the interaction between servers follows the same pattern as it does for reports.
Users without schedule rights on an object will not see the schedule option in BusinessObjects Enterprise.
The zero-client DHTML viewer is implemented through report_view_dhtml.aspx. When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Cache Server and Page Server.
The zero-client Advanced DHTML viewer is implemented through report_view_advanced.aspx. When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Report Application Server.
The client-side report viewers (the ActiveX and Java viewers) are implemented through viewrpt.aspx, hosted by the WCA.
The Crystal Web Request is executed internally through viewer code on the application server. The viewer code communicates with the framework in order to retrieve a report page in .epf format from the Cache Server and Page Server. If they haven't already done so, users are prompted to download and install the appropriate viewer software.
2. The application server sends the report to the user's Web browser in one of two ways, depending on how the initial request was made:
If the initial request was made through a DHTML viewer (report_view_dhtml.aspx), the viewer SDK (residing on the application server) is used to generate HTML that represents both the DHTML viewer and the report itself. The HTML pages are then returned through the web server to the user's web browser.
If the initial request was made through an Active X or Java viewer (viewrpt.aspx), the application server forwards the .epf pages through the web server to the report viewer software in the user's web browser.
4. When the application server receives the .epf pages from the RAS, the viewer SDK generates HTML that represents both the Advanced DHTML viewer and the report itself.
5. The application server sends the HTML pages through the web server to the user's web browser.
Note: If the document is set to refresh on open but the user does not have View On Demand rights, an error message is displayed.
d. The Web Intelligence Report Server stores the document file and the new document information in cache.
e. The Web Intelligence Report Server sends the document information to the SDK.
8. The viewer script calls the SDK to get the requested page of the document.
9. The request is passed to the Web Intelligence Report Server.
If the Web Intelligence Report Server has cached content for the page, it returns the cached XML to the SDK.
If the Web Intelligence Report Server does not have the cached content for the page, it renders the page to XML using the current data for the document. It then returns the XML to the SDK.
10. The SDK applies an XSLT style sheet to the XML to transform it to HTML.
11. The viewer script returns the HTML to the browser.
Live data
On-demand reporting gives users real-time access to live data, straight from the database server. Use live data to keep users up-to-date on constantly changing data, so they can access information thats accurate to the second. For instance, if the managers of a large distribution center need to keep track of inventory shipped on a continual basis, then live reporting is the way to give them the information they need. Before providing live data for all your reports, however, consider whether or not you want all of your users hitting the database server on a continual basis. If the data isnt rapidly or constantly changing, then all those requests to the database do little more than increase network traffic and consume server resources. In such cases, you may prefer to schedule reports on a recurrent basis so that users can always view recent data (report instances) without hitting the database server.
For more information about optimizing the performance of reports that are viewed on demand, see the Designing Optimized Web Reports section in the Crystal Reports User's Guide (version 8.5 and later).
Tip: Users require View On Demand access to refresh reports against the database.
Saved data
To reduce the amount of network traffic and the number of hits on your database servers, you can schedule reports to be run at specified times. When the report has been run, users can view that report instance as needed, without triggering additional hits on the database.
Report instances are useful for dealing with data that isn't continually updated. When users navigate through report instances, and drill down for details on columns or charts, they don't access the database server directly; instead, they access the saved data. Consequently, reports with saved data not only minimize data transfer over the network, but also lighten the database server's workload.
For example, if your sales database is updated once a day, you can run the report on a similar schedule. Sales representatives then always have access to current sales data, but they are not hitting the database every time they open a report.
Tip: Users require only View access to display report instances.
Central Management Console (CMC)
The CMC is the web-based administration tool that allows you to view and to modify server settings while BusinessObjects Enterprise is running. For instance, you use the CMC to change the status of a server, change server settings, access server metrics, or create server groups. Because the CMC is a web-based interface, you can configure your BusinessObjects Enterprise servers remotely over the Internet or through your corporate intranet.
Central Configuration Manager (CCM)
The CCM is a program that allows you to view and to modify server settings while Business Objects servers are offline. For instance, you use the CCM to stop servers, to modify performance settings, and to change the default server port numbers. With BusinessObjects Enterprise, the CCM allows you to configure BusinessObjects Enterprise remotely over your corporate network.
You can accomplish some configuration tasks with both tools, while other tasks must be performed with a specific tool.
Related topics:
For an overview of the multi-tier architecture and the BusinessObjects Enterprise server components, see BusinessObjects Enterprise Architecture on page 53.
For information about creating groups of servers, see Managing Server Groups on page 151.
With the BusinessObjects Enterprise Software Development Kit (SDK), you can now access and modify server metrics and settings from your own web applications. For more information, see the developer documentation available on your product CD.
This example shows the metrics for an Event Server that is running on a machine called Crystal-E501888.crystald.net.
The Metrics tabs for the following servers include additional, server-specific information:
Input and Output File Repository Servers
The Metrics tab of each File Repository Server lists the root directory of the files that the server maintains, indicates the maximum idle time, and displays the number of active files and active client connections. It also lists the total available hard disk space, as well as the number of bytes sent and received. Each File Repository Server also has an Active Files tab, which lists the filename, the number of readers, and the number of writers for each active file.
Cache Server
The Metrics tab of the Cache Server displays the maximum number of processing threads, the maximum cache size, the minutes before an idle job is closed, the minutes between refreshes from the database, whether or not the database is accessed whenever a viewer's file (object) is refreshed, the location of the cache files, the total threads running, the number of requests served, the number of bytes transferred, the cache hit rate, the number of current connections, and the number of requests that are queued. The Metrics tab also provides a table that lists the Page Servers that the Cache Server has connections to, along with the number of connections made to each Page Server.
Event Server
The Metrics tab of the Event Server contains statistics on the files that the server is monitoring. This tab includes a table showing the file name and the last time the event occurred.
Page Server
The Metrics tab of the Page Server contains information on how the server is running. It lists the maximum number of simultaneous report jobs, the location of temporary files, the number of minutes before an idle connection is closed, the minutes before a report job is closed, the maximum number of database records shown when previewing or refreshing a report, the oldest processed data given to a client, whether a viewer refresh always hits the database, and the setting for the Report Job Database Connection. It also shows the number of current connections, the number of requests queued, the current number of processing threads running, the total number of requests served, and the total bytes transferred.
Report Application Server
The Metrics tab of the Report Application Server (RAS) shows the number of reports that are open, and the number of reports that have been opened. It also shows the number of open connections, along with the number of open connections that have been created.
Job servers and Web Intelligence servers
The Metrics tabs of these servers list the current number of jobs that are being processed, the total number of requests received, the total number of failed job creations, the processing mode, and the location of their temporary files.
Central Management Server
The Metrics tab of the CMS lists only the general information about the machine it is running on. The Properties tab, however, shows a list of users who have active sessions on the system. Click any user's link to view the associated account details.
Managing and Configuring Servers Viewing and changing the status of servers
Related topics:
For more information about licenses and account activity, see Licensing overview.
For information about CMS clusters, see Clustering Central Management Servers.
Starting, stopping, and restarting servers on page 82
Enabling and disabling servers on page 85
Printing, copying, and refreshing server status on page 86
You must stop BusinessObjects Enterprise servers before you can modify certain properties and settings.
Starting a server
If you have stopped a server to configure it, you need to start it to effect your changes and to have the server resume processing requests.
Restarting a server
Restarting a server is a shortcut to stopping a server completely and then starting it again. You can change certain settings without stopping the server; however, the changes typically do not take effect until you restart the server.
For example, if you want to change the name of a CMS, then you must first stop the server. Once you have made your changes, you start the server again to effect your changes.
Tip: When you stop (or restart) a server, you terminate the server's process, thereby stopping the server completely. If you want to prevent a server from receiving requests without actually stopping the server process, you can also enable and disable servers. We recommend that you disable Job Servers and Program Job Servers before stopping them so that they can finish processing any jobs they have in progress before stopping. For details, see Enabling and disabling servers on page 85.
To start, stop, or restart servers with CMC
Note: You cannot use CMC to stop the CMS. You must use the CCM instead. See Stopping a Central Management Server on page 84 for more information.
1. Go to the Servers management area of the CMC. A list of servers appears. The icon associated with each server identifies its status:
   Running is indicated by a server with a green arrow.
   Stopped is indicated by a server with a red arrow.
   Disabled is indicated by a server with a red circle.
   In this example, the Page Server is stopped, the Event Server is disabled, and the remaining servers are running and enabled.
2. Select the check box for the server whose status you want to change.
3. Depending upon the action you need to perform, click Start, Stop, or Restart. You may be prompted for network credentials that allow you to start and stop services running on the remote machine.
4.
To start, stop, or restart a Windows server with the CCM
1. Start the CCM.
2. Select the server that you want to start, stop, or restart.
3. On the toolbar, click the appropriate button.
Toolbar icon actions:
   Start the selected server.
   Stop the selected server.
   Restart the selected server.
You may be prompted for network credentials that allow you to start and stop services.
Note: When you provide your network credentials, they are first checked against the machine hosting the CMS. If the server that you want to start, stop, or restart is located on another machine, the same credentials are used to access the other machine. If you supply credentials that are valid on the remote machine but not on the machine running the CMS, then you receive an error message.
The CCM performs the action and refreshes the list of servers.
To start, stop, or restart a UNIX server with the CCM
Use the ccm.sh script. For reference, see ccm.sh on page 598.
Using a CMS cluster enables you to perform maintenance on each of your Central Management Servers in turn without taking BusinessObjects Enterprise out of service. For more information on CMS clusters, see Clustering Central Management Servers on page 92.
2. Select the check box for the server whose status you want to change.
3. Depending upon the action you need to perform, click Enable or Disable.
To enable or disable a Windows server with the CCM
1. Start the CCM.
2. On the toolbar, click Enable/Disable.
3. When prompted, log on to your CMS with the credentials that provide you with administrative privileges to BusinessObjects Enterprise.
4. Click Connect. The Enable/Disable Servers dialog box appears.
   This dialog box lists all of the BusinessObjects Enterprise servers that are registered with your CMS, including servers running on remote machines. By default, servers running on remote machines are displayed as MACHINE.servertype. In this example, all of the listed servers are currently enabled.
5. To disable a server, clear the check box in the Server Name column.
6. Click OK to effect your changes and return to the CCM.
To enable or disable a UNIX server with the CCM
Use the ccm.sh script. For reference, see ccm.sh on page 598.
To print the status of a server
1. Start the CCM.
2. Select the server(s).
3. Click Print. The Print dialog box appears.
4. Click OK. A brief listing of the server's properties is printed, including the Display Name, Version, Command Line, Status, and so on.
To copy the status of a server
To save the status of a server, you can copy the details from the CCM to a document or to an email message (if you want to send the status information to someone else).
1. Start the CCM.
2. Select the server(s).
3. Click Copy.
4. Paste the information into a document for future reference.
To refresh the list of servers
To ensure you are looking at the latest information, click Refresh.
Note: Disabled servers may not appear in this list. Click Enable/Disable to view a list of servers and ensure that each is enabled.
The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements.
Note: This section does not show how to configure your Web application server to deploy BusinessObjects Enterprise applications. This task is typically performed when you install BusinessObjects Enterprise. For details, see the BusinessObjects Enterprise Installation Guide. For further troubleshooting, see Working with Firewalls on page 181.
On a Java platform edit the web.xml file associated with the WCA. See Configuring the Java Web Component Adapter on page 89. On a .NET platform edit the web.config file associated with the WCA. See Configuring the .NET Web Component Adapter on page 91.
Windows: C:\Program Files\Business Objects\BusinessObjects Enterprise 11\java\applications directory
UNIX: WEB-INF subdirectory of the webcompadapter.war archive file stored in the bobje_root/enterprise11/java/applications directory
For example, the context parameter that controls whether a group tree will be generated looks like this:
<context-param>
    <param-name>viewrpt.groupTreeGenerate</param-name>
    <param-value>true</param-value>
    <description>true or false value determining whether a group tree will be generated.</description>
</context-param>
To change the value of a context parameter, edit the value between the <param-value> </param-value> tags.
To configure web.xml
Note: Your Java Web Application Server may provide tools to allow you to edit web.xml directly from an administrative console. Otherwise use the following procedure to configure web.xml.
1. Stop your application server.
2. Extract the web.xml file from the webcompadapter.war archive.
3. Edit the file by using a text editor such as Notepad or vi.
4. Reinsert the file into the WEB-INF directory in webcompadapter.war.
   Tip: To reinsert web.xml into WEB-INF using WinZip, right-click on the WEB-INF directory that contains your edited web.xml file and select Add to Zip File.... Adding the file in this way ensures that it is placed in the correct directory inside the archive.
5.
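The extract, edit and reinsert steps above can be scripted so that only one context parameter changes and the file is checked for well-formedness before it goes back into the archive. This is an added example, not Business Objects code: the function names and the sample web.xml are constructed here, and it assumes web.xml is UTF-8 and that the application server is already stopped.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from xml.sax.saxutils import escape

WEB_XML = "WEB-INF/web.xml"
_BLOCK = re.compile(r"<context-param>.*?</context-param>", re.S)
_VALUE = re.compile(r"(<param-value>).*?(</param-value>)", re.S)

# Constructed sample; the parameter names are ones listed in this guide.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <display-name>WCA</display-name>
  <context-param>
    <param-name>viewrpt.groupTreeGenerate</param-name>
    <param-value>true</param-value>
    <description>true or false value determining whether a group tree will be generated.</description>
  </context-param>
  <context-param>
    <param-name>log.level</param-name>
    <param-value>error</param-value>
  </context-param>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix such as '{uri}context-param'."""
    return tag.rsplit("}", 1)[-1]


def get_context_param(xml_text, name):
    """Return the value of one context parameter, or None if it is absent."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in root.iter():
        if _local(el.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("param-name") == name:
            return fields.get("param-value")
    return None


def set_context_param(xml_text, name, value):
    """Change one <param-value>; every other character of the file is kept."""
    name_re = re.compile(r"<param-name>\s*" + re.escape(name) + r"\s*</param-name>")
    hits = []

    def patch(match):
        block = match.group(0)
        if not name_re.search(block):
            return block
        hits.append(name)
        return _VALUE.sub(lambda v: v.group(1) + escape(value) + v.group(2),
                          block, count=1)

    patched = _BLOCK.sub(patch, xml_text)
    if len(hits) != 1:
        raise ValueError(f"expected one {name!r} context-param, found {len(hits)}")
    try:
        # Refuse to write a file the servlet container could not parse,
        # for example one with a mistyped closing or opening tag.
        ET.fromstring(patched.encode("utf-8"))
    except ET.ParseError as exc:
        raise ValueError(f"web.xml is not well-formed: {exc}") from exc
    return patched


def patch_war(src, dst, name, value):
    """Copy the archive src to dst with one context parameter changed."""
    tmp = dst + ".tmp"
    found = False
    try:
        with zipfile.ZipFile(src) as zin, zipfile.ZipFile(tmp, "w") as zout:
            for info in zin.infolist():
                data = zin.read(info)
                if info.filename == WEB_XML:
                    text = set_context_param(data.decode("utf-8"), name, value)
                    data = text.encode("utf-8")
                    found = True
                zout.writestr(info, data)  # same entry name, so same directory
        if not found:
            raise ValueError(f"{WEB_XML} not found in {src}")
        os.replace(tmp, dst)  # dst appears only after a complete, valid write
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)


def demo():
    """Build a constructed archive, patch it, and read the result back."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "webcompadapter.war")
        dst = os.path.join(d, "webcompadapter.patched.war")
        with zipfile.ZipFile(src, "w") as z:
            z.writestr(WEB_XML, SAMPLE_WEB_XML)
            z.writestr("index.html", "<html/>")
        patch_war(src, dst, "viewrpt.groupTreeGenerate", "false")
        with zipfile.ZipFile(dst) as z:
            names = z.namelist()
            xml_text = z.read(WEB_XML).decode("utf-8")
        return (names,
                get_context_param(xml_text, "viewrpt.groupTreeGenerate"),
                get_context_param(xml_text, "log.level"))


if __name__ == "__main__":
    print(demo())
```

Writing to a separate output archive leaves the original webcompadapter.war available as a rollback copy.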
When you install more than one WCA, each webcomponentadapter.war file contains its own web.xml file containing configuration parameters for that WCA. However, you can only set the parameters listed in the following table individually for each WCA. The remaining parameters must be the same for all WCA in your system.
Context Parameter: Description
display-name: Equivalent to WCA name.
cspApplication.defaultPage: The default page that will be loaded if no filename is specified in a particular request.
cspApplication.dir: This is the real path to the directory containing the CSP/WAS application(s) that you would like to host. This is a required field.
connection.cms: This is the name (or name and port number) of the CMS that you would like your application(s) to connect to.
connection.listeningPort: This field defaults to the port that the WCA related servlets are running on.
log.file: Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path.
log.ext: File extension of logfile, defaults to .log.
log.isRolling: Determines whether or not the logs will be rotated, defaults to true.
log.size: If log rolling is turned on, this will govern the max size before logfile is rotated. Accepted suffix: MB, KB and GB.
log.level: The default loglevel is error.
log.entryPattern: Please refer to log4j documentation for accepted log entry patterns.
For example, the context parameter that controls whether a group tree will be generated looks like this:
To configure web.config
Note: Your .NET Web Application Server may provide tools to allow you to edit web.config directly from an administrative console.
1. Stop your application server.
2. Edit the web.config file by using a text editor such as Notepad.
3. Restart your application server.
Description
Equivalent to WCA name.
The default page that will be loaded if no filename is specified in a particular request.
Parameter: Description
connection.cms: This is the name (or name and port number) of the CMS that you would like your application(s) to connect to.
connection.listeningPort: This field defaults to the port that the WCA related servlets are running on.
log.file: Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path.
log.ext: File extension of logfile, defaults to .log.
log.isRolling: Determines whether or not the logs will be rotated, defaults to true.
log.size: If log rolling is turned on, this will govern the max size before logfile is rotated. Accepted suffix: MB, KB and GB.
log.level: The default loglevel is error.
log.entryPattern: Please refer to log4j documentation for accepted log entry patterns.
The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Configuring the intelligence tier includes the following tasks:
Clustering Central Management Servers on page 92
Copying data from one CMS database to another on page 98
Deleting and recreating the CMS database on page 108
Selecting a new or existing CMS database on page 109
Setting root directories and idle times of the File Repository Servers on page 110
Modifying Cache Server performance settings on page 112
Modifying the polling time of the Event Server on page 114
BusinessObjects Enterprise requests. This failover support helps to ensure that BusinessObjects Enterprise users can still access information when there is equipment failure. This section shows how to add a new CMS cluster member to a production system that is already up and running. When you add a new CMS to an existing cluster, you instruct the new CMS to connect to the existing CMS database and to share the processing workload with any existing CMS machines. For information about your current CMS and CMS cluster, go to the Settings management area of the CMC and click the Cluster tab. Before clustering CMS machines, you must make sure that each CMS is installed on a system that meets the detailed requirements (including version levels and patch levels) for operating system, database server, database access method, database driver, and database client outlined in the platforms.txt file included in your product distribution. In addition, you must meet the following clustering requirements:
For best performance, the database server that you choose to host the system database must be able to process small queries very quickly. The CMS communicates frequently with the system database and sends it many small queries. If the database server is unable to process these requests in a timely manner, BusinessObjects Enterprise performance will be greatly affected.
For best performance, run each CMS cluster member on a machine that has the same amount of memory and the same type of CPU.
Configure each machine similarly:
   Install the same operating system, including the same version of operating system service packs and patches.
   Install the same version of BusinessObjects Enterprise (including patches, if applicable).
   Ensure that each CMS connects to the CMS database in the same manner: whether you use native or ODBC drivers, ensure that the drivers are the same on each machine, and are a supported version.
   Ensure that each CMS uses the same database client to connect to its system database, and that it is a supported version.
   Check that each CMS uses the same database user account and password to connect to the CMS database. This account must have create, delete, and update rights on the system database.
   Run each CMS service/daemon under the same account. (On Windows, the default is the LocalSystem account.)
   Verify that the current date and time are set correctly on each CMS machine (including settings for daylight savings time).
Ensure that each and every CMS in a cluster is on the same Local Area Network.
If you wish to enable auditing, each CMS must be configured to use the same auditing database and to connect to it in the same manner. The requirements for the auditing database are the same as those for the system database in terms of database servers, clients, access methods, drivers, and user IDs. See also Chapter 10: Managing Auditing.
Tip: By default, a CMS cluster name reflects the name of the first CMS that you install, but the cluster name is prefixed by the @ symbol. For instance, if your existing CMS is called BUSINESSOBJECTSCMS, then the default cluster name is @BUSINESSOBJECTSCMS. To modify the default name, see Changing the name of a CMS cluster on page 96. There are two ways to add a new CMS cluster member. Follow the appropriate procedure, depending upon whether or not you have already installed a second CMS:
Installing a new CMS and adding it to a cluster on page 94
   See this section if you have not already installed the new CMS on its own machine.
Adding an installed CMS to a cluster on page 95
   Follow this procedure if you have already installed a second, independent CMS on its own machine. While testing various server configurations, for instance, you might have set up an independent BusinessObjects Enterprise system with its own CMS. Follow this procedure when you want to incorporate this independent CMS into your production system.
Note: Back up your current CMS database before making any changes. If necessary, contact your database administrator.
For complete requirements for CMS added to a cluster, see Clustering Central Management Servers on page 92. For complete information on running the Setup program and performing the Expand installation, see the BusinessObjects Enterprise Installation Guide.
3.
4. In the Select Database Driver dialog box, specify whether you want to connect to the production CMS database through ODBC, or through one of the native drivers.
5. Click OK.
6. The remaining steps depend upon the connection type you selected:
   If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that corresponds to your production CMS database; then click OK. If prompted, provide your database credentials and click OK. The CCM connects to the database server and adds the new CMS to the cluster.
   If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Once you provide this information, the CCM connects to the database server and adds the new CMS to the cluster.
   The SvcMgr dialog box notifies you when the CMS database setup is complete.
7. Click OK.
8. Start the Central Management Server.
To add an installed CMS to a cluster on UNIX
Use the cmsdbsetup.sh script. For reference, see cmsdbsetup.sh on page 601.
3. Click the Configuration tab.
4. Select the Change Cluster Name to check box.
5. Type the new name for the cluster.
6. Click OK and then start the Central Management Server. The CMS cluster name is now changed. All other CMS cluster members are dynamically notified of the new cluster name (although it may take several minutes for your changes to propagate across cluster members).
7. Go to the Servers management area of the CMC and check that all of your servers remain enabled. If necessary, enable any servers that have been disabled by your changes.
To change the cluster name on UNIX
Use the cmsdbsetup.sh script. For reference, see cmsdbsetup.sh on page 601.
To register servers with the CMS cluster on Windows
1. Use the CCM to stop a Business Objects server.
2. Select the server from the list, and then click Properties.
3. Click the Configuration tab.
4. In the CMS Name box, type the name of the cluster. The name of the cluster begins with the @ symbol. For example, if the cluster name was changed to ENTERPRISE, type @ENTERPRISE in the box.
5. Click OK, and then start the server. Repeat for each Business Objects server in your installation.
To register servers with the CMS cluster on UNIX
1. Use ccm.sh to stop each server.
2. Use a text editor such as vi to open the ccm.config file found in the root directory of your BusinessObjects Enterprise installation.
3. Find the -ns command in the launch string for each server, and change the name of the CMS to the name of the CMS cluster. The name of the cluster begins with the @ symbol. For example, if the cluster name was changed to ENTERPRISE, type @ENTERPRISE. Do not include a port number with the cluster name.
4. Save the file, and then use ccm.sh to restart the servers.
Preparing to migrate a CMS database on page 98
Copying data from a CMS on Windows on page 100
Copying data from a Crystal Enterprise 8 APS on Windows on page 101
Completing a CMS database migration on page 104
Make a note of the license keys you purchased for the current version of BusinessObjects Enterprise. During migration, license keys that are present in the destination database are retained only if the source database contains no license keys that are valid for the current version of BusinessObjects Enterprise. License keys in the destination database are replaced with license keys from the source database when the source license keys are valid for the current version of BusinessObjects Enterprise. License keys from earlier versions of Crystal Enterprise are not copied. If you are copying CMS data from a different CMS database (version 8.0, 8.5, 9, or 10 of Crystal Enterprise or version XI of BusinessObjects Enterprise) into your current CMS database, your current CMS database is the destination database whose tables are deleted before they are replaced with the copied data. In this scenario, make note of the current root directories used by the Input and Output File Repository Servers in the source environment. The database migration does not actually move report files from one directory location to another. After you migrate the database, you will connect your new Input and Output File Repository Servers to the old root directories, thus making the report files available for the new system to process. Log on with an administrative account to the CMS machine whose database you want to replace. Complete the procedure that corresponds to the version of the source environment:
Copying data from a CMS on Windows on page 100
Copying data from a Crystal Enterprise 8 APS on Windows on page 101
If you are copying a CMS database from its current location to a different database server, your current CMS database is the source environment. Its contents are copied to the destination database, which is then established as the active database for the current CMS. This is the procedure to follow if you want to move the default CMS database on Windows from the local Microsoft Data Engine (MSDE) to a dedicated database server, such as Microsoft SQL Server, Informix, Oracle, DB2, or Sybase. Log on with an administrative account to the machine that is running the CMS whose database you want to move. Complete the following procedure:
Copying data from a CMS on Windows on page 100
Copying data from a CMS installed on UNIX on page 103
Note: When you migrate a CMS database from an earlier version of Crystal Enterprise, the database and database schema are upgraded to the format required by the current version of BusinessObjects Enterprise. When you copy data from one database to another, the destination database is initialized before the new data is copied in. That is, if your destination database does not contain the four BusinessObjects Enterprise XI system tables, these tables are created. If the destination database does contain BusinessObjects Enterprise XI system tables, the tables will be permanently deleted, new system tables will be created, and data from the source database will be copied into the new tables. Other tables in the database, including previous versions of Crystal Enterprise system tables, are unaffected.
4. In the Source contains data from version list, click Autodetect (or explicitly select the version of the source CMS database). You must now specify the source CMS database whose contents you want to copy.
5. Click Specify.
6. In the Select Database Driver dialog box, specify whether you want to connect to the source CMS database through ODBC, Informix, or through one of the native drivers.
7. Click OK.
8. The next steps depend upon the connection type you selected:
   If you selected ODBC or Informix, the Windows Select Data Source dialog box appears. Select the data source that corresponds to the source CMS database; then click OK. If prompted, provide your database credentials and click OK.
   If you selected a native driver, provide your database Server Name, your Login ID, and your Password; then click OK.
   You are returned to the Specify Data Source dialog box. You must now specify the destination CMS database whose contents you want to replace with the copied data.
   Tip: If the correct destination database already appears in the Copy to the following data source field, proceed to step 13.
9. Click Browse.
10. In the Select Database Driver dialog box, specify whether you want to connect to the destination CMS database through ODBC, or through one of the native drivers.
11. Click OK.
12. The next steps depend upon the connection type you selected:
   If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that corresponds to the destination CMS database; then click OK. If prompted, provide your database credentials and click OK.
   If you selected a native driver, provide your database Server Name, your Login ID, and your Password; then click OK.
   You are returned to the Specify Data Source dialog box. You are now ready to copy the CMS data.
13. Click OK and, when prompted to confirm, click Yes. The SvcMgr dialog box notifies you when the CMS database setup is complete.
14. Click OK.
15. Proceed to Completing a CMS database migration on page 104.
To copy data from a Crystal Enterprise 8 APS on Windows
1. Use the CCM to stop the Central Management Server.
2. With the CMS selected, click Specify CMS Data Source on the toolbar.
3. Click Copy data from another Data Source; then click OK. The Specify Data Source dialog box appears.
4. In the Source contains data from version list, click Crystal Enterprise 8.0. You must now specify the source CMS database whose contents you want to copy.
5. Click Specify.
6. In the Browse data dialog box, click one of the following:
   CMS machine name
   Click this option if you have administrative rights to the Crystal Enterprise 8 CMS machine. Your administrative rights allow the CCM to read the data source information from the Windows Registry on the CMS machine. Click OK and use the Browse for Computer dialog box to specify the CMS machine.
   CMS ODBC data source
   Click this option if you do not have administrative rights to the Crystal Enterprise 8 CMS machine. Use the Windows Select Data Source dialog box to select (or create) an ODBC data source that provides the local machine with access to the Crystal Enterprise 8 CMS database. If prompted, provide your database credentials and click OK.
   You are returned to the Specify Data Source dialog box. You must now specify the destination CMS database whose contents you want to replace with the copied data.
   Tip: If the correct destination database already appears in the Copy to the following data source field, proceed to step 11.
7. Click Browse.
8. In the Select Database Driver dialog box, specify whether you want to connect to the destination CMS database through ODBC, or through one of the native drivers.
9. Click OK.
10. The next steps depend upon the connection type you selected:
   If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that corresponds to the destination CMS database; then click OK. If prompted, provide your database credentials and click OK.
   If you selected a native driver, provide your database Server Name, your Login ID, and your Password; then click OK.
   You are returned to the Specify Data Source dialog box. You are now ready to copy the CMS data.
11. Click OK and, when prompted to confirm, click Yes. The SvcMgr dialog box notifies you when the CMS database setup is complete.
   Note: Migration of a large source database could take several hours.
12. Click OK.
13. Proceed to Completing a CMS database migration on page 104.
On UNIX you cannot migrate directly from a source environment that uses an ODBC connection to the CMS database. If your source CMS database uses ODBC, you must first migrate that system to a supported native driver. (See Copying data from a CMS on Windows on page 100.)
If your CMS is installed on UNIX, you cannot migrate directly from a Crystal Enterprise version 8 APS.
To copy data from a CMS installed on UNIX
1. Use ccm.sh to stop the Central Management Server. See ccm.sh on page 598.
2. Run cmsdbsetup.sh.
3. When prompted, enter the name of your CMS or press Enter to select the default name.
   Tip: For information on finding the name of your CMS, see ccm.sh on page 598.
4. Type copy to begin the database migration.
5. The script prompts you to confirm that all data in the destination database will be deleted. Type yes, and then press Enter to proceed.
6. Next the script asks you for the version of your source Crystal Enterprise installation. You can also select autodetect to have the version of the source detected automatically. Press Enter.
7. Now the script asks you if you want to use the current CMS database as your destination. If you type no, you are first asked for information about the new destination database, and are then prompted for information on the source database. If you type yes, you are prompted for information about the source CMS database.
8. After entering the source information, the script will begin the migration process.
   Note: Migration of a large source database could take several hours.
9. The script notifies you when migration is complete. If errors occurred during the migration, the script gives you the location of a log file explaining the migration results.
2. If you migrated CMS data from a different CMS database into your current CMS database, you need to make your old input and output directories available to the new Input and Output File Repository Servers. You can do this in several ways:
   - Copy the contents of the original input root directory into the root directory that the new Input File Repository Server is already configured to use. Then copy the contents of the original output directory into the root directory that the new Output File Repository Server is already configured to use.
   - Reconfigure the new Input and Output File Repository Servers to use the old input and output root directories.
   - If the old Input and Output File Repository Servers are running on a dedicated machine, you can run the BusinessObjects Enterprise setup program to upgrade the servers directly. Then you need not move the input and output directories. Instead, modify the -ns option in both servers' command lines to have them register with your new CMS. See Appendix E: Server Command Lines for more information.
   For more information, see Setting root directories and idle times of the File Repository Servers on page 110.
3. Use the Central Configuration Manager (CCM) to start the CMS on the local machine.
4. Make sure your web application server is running.
5. Log on to the Central Management Console with the default Administrator account, using Enterprise authentication.
   Tip: If you just replaced your CMS database with data from an older system, keep in mind that you now need to provide the Administrator password that was valid in the older system.
6. Go to the Authorization management area and check that your BusinessObjects Enterprise license keys are entered correctly.
7. In the CCM, start and enable the Input File Repository Server and the Output File Repository Server.
8. Go to the Servers management area of the Central Management Console and verify that the Input File Repository Server and the Output File Repository Server are both started and enabled.
9. Click the link to each File Repository Server and, on the Properties tab, check that the Root Directory points to the correct location.
11. If objects in your source database require updating, the Update Objects button on the toolbar contains a flashing red exclamation mark. Click Update Objects.
12. When prompted, log on to your CMS with credentials that provide you with administrative privileges to BusinessObjects Enterprise.
    The Update Objects dialog box tells you how many objects require updating. Objects typically require updating because their internal representation has changed in the new version of BusinessObjects Enterprise, or because the objects require new properties to support the additional features offered by BusinessObjects Enterprise XI. Because your Central Management Server was stopped when the migration occurred, you need to update the objects now.
13. If there are objects that require updating, click Update; otherwise click Cancel.
14. Start and enable the remaining BusinessObjects Enterprise servers.
15. Verify that BusinessObjects Enterprise requests are handled correctly, and check that you can view and schedule reports successfully.
To complete a CMS database migration on UNIX
1. If errors occurred during migration, a db_migration log file was created in the logging directory on the machine where you ran cmsdbsetup.sh to carry out the migration. The script will notify you if you need to check the log file. The default logging directory is:
   BusinessObjects_root/logging
   where BusinessObjects_root is the absolute path to the root Business Objects directory of your BusinessObjects Enterprise installation.
2. If you migrated CMS data from a different CMS database into your current CMS database, you need to make your old input and output directories available to the new Input and Output File Repository Servers. You can do this in several ways:
   - Copy the contents of the original input root directory into the root directory that the new Input File Repository Server is already configured to use. Then copy the contents of the original output directory into the root directory that the new Output File Repository Server is already configured to use.
   - Reconfigure the new Input and Output File Repository Servers to use the old input and output root directories.
   - If the old Input and Output File Repository Servers are running on a dedicated machine, you can run the BusinessObjects Enterprise setup program to upgrade the servers directly. Then you need not move the input and output directories. Instead, modify the -ns option in both servers' command lines to have them register with your new CMS. See Appendix E: Server Command Lines for more information.
   For more information, see Setting root directories and idle times of the File Repository Servers on page 110.
3. Use the ccm.sh script to start the CMS on the local machine. See ccm.sh on page 598 for more information.
4. Ensure that the Java web application server that hosts your Web Component Adapter is running.
5. Log on to the Central Management Console with the default Administrator account, using Enterprise authentication.
   Tip: If you just replaced your CMS database with data from an older system, keep in mind that you now need to provide the Administrator password that was valid in the older system.
6. Go to the Authorization management area and check that your BusinessObjects Enterprise license keys are entered correctly.
7. Use the ccm.sh script to start and enable the Input File Repository Server and the Output File Repository Server.
8. Go to the Servers management area of the Central Management Console and verify that the Input File Repository Server and the Output File Repository Server are started and enabled.
9. Click the link to each File Repository Server and, on the Properties tab, check that the Root Directory points to the correct location.
10. Run the ccm.sh script again. If you migrated a source database from an earlier version of BusinessObjects Enterprise, enter the following command:
    ./ccm.sh -updateobjects authentication info
    See Appendix F: UNIX Tools for information on the authentication information required by ccm.sh.
    Objects typically require updating because their internal representation has changed in the new version of BusinessObjects Enterprise, or because the objects require new properties to support the additional features offered by BusinessObjects Enterprise XI.
11. Use ccm.sh to start and enable the remaining BusinessObjects Enterprise servers.
12. Verify that BusinessObjects Enterprise requests are handled correctly, and check that you can view and schedule reports successfully.
- If you have changed the password for the current CMS database, these steps allow you to disconnect from, and then reconnect to, the current database. When prompted, you can provide the CMS with the new password.
- If you want to select and initialize an empty database for BusinessObjects Enterprise, these steps allow you to select that new data source.
- If you have restored a CMS database from backup (using your standard database administration tools and procedures) in a way that renders the original database connection invalid, you will need to reconnect the CMS to the restored database. (This might occur, for instance, if you restored the original CMS database to a newly installed database server.)
Note: These steps are essentially the same as adding a CMS to an existing cluster; in this case, however, there are no other CMS machines already maintaining the database. For complete details about CMS clusters, see Clustering Central Management Servers on page 92.
To select a new or existing database for a CMS on Windows
1. Use the CCM to stop the Central Management Server.
2. With the CMS selected, click Specify CMS Data Source on the toolbar.
   The CMS Database Setup dialog box appears.
3. Click Select a Data Source; then click OK.
4. In the Select Database Driver dialog box, specify whether you want to connect to the new database through ODBC, or through one of the native drivers.
5. Click OK.
6. The remaining steps depend upon the connection type you selected:
   - If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that you want to use as the CMS database; then click OK. (Click New to configure a new DSN.) When prompted, provide your database credentials and click OK.
   - If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK.
   The SvcMgr dialog box notifies you when the CMS database setup is complete.
7. Click OK.
8. Start the Central Management Server.
To select a new or existing database for a CMS on UNIX
Use the cmsdbsetup.sh script. For reference, see cmsdbsetup.sh on page 601.
Setting root directories and idle times of the File Repository Servers
The Properties tabs of the Input and Output File Repository Servers enable you to change the locations of the default root directories. These root directories contain all of the report objects and instances on the system. You may change these settings if you want to use different directories after installing BusinessObjects Enterprise, or if you upgrade to a different drive (thus rendering the old directory paths invalid).
Note:
- The Input and Output File Repository Servers must not share the same root directory, because modifications to the files and subdirectories belonging to one server could have adverse effects on the other server. In other words, if the Input and Output File Repository Servers share the same root directory, then one server might damage files belonging to the other.
- If you run multiple File Repository Servers, all Input File Repository Servers must share the same root directory, and all Output File Repository Servers must share the same root directory (otherwise there is a risk of having inconsistent instances).
- It is recommended that you replicate the root directories using a RAID array or an alternative hardware solution.
- The root directory should be on a drive that is local to the server.
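The rule that the Input and Output roots must not be shared, and the earlier migration option of copying the old root directories into the new ones, can both be checked from a UNIX shell before the File Repository Servers are started. This is an added example, not part of the Business Objects documentation or tools; the function names are hypothetical and the directory paths are whatever the administrator supplies.

```shell
#!/bin/sh
# Added example (not Business Objects code): sanity checks for File
# Repository Server root directories. Function names are hypothetical.

# Resolve a directory to its physical absolute path, following symlinks,
# so two different-looking paths to the same directory compare equal.
frs_resolve() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# Succeeds only if the Input and Output roots are different directories
# and neither lies inside the other. Returns 2 if a root does not exist.
frs_roots_separate() {
    in_root=$(frs_resolve "$1") || return 2
    out_root=$(frs_resolve "$2") || return 2
    case "$out_root/" in "$in_root"/*) return 1 ;; esac
    case "$in_root/" in "$out_root"/*) return 1 ;; esac
    return 0
}

# Print one "checksum size ./relative/path" line per file under a root.
frs_manifest() {
    ( cd "$1" 2>/dev/null && find . -type f -exec cksum {} + )
}

# Print the manifest lines of files from the old root that are missing
# from, or differ in, the new root. Prints nothing when the copy is complete.
frs_missing_files() {
    old_manifest=$(frs_manifest "$1") || return 2
    new_manifest=$(frs_manifest "$2") || return 2
    printf '%s\n' "$old_manifest" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "$new_manifest" | grep -Fqx -- "$entry" ||
            printf '%s\n' "$entry"
    done
}

# Succeeds only if every file in the old root is present, byte-identical
# by cksum, in the new root. Extra files in the new root are allowed.
frs_copy_complete() {
    missing=$(frs_missing_files "$1" "$2") || return 2
    [ -z "$missing" ]
}
```

Source the file and call frs_roots_separate with the two configured roots, then frs_copy_complete with the old and new root of each server; frs_missing_files lists what still has to be copied.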
You can also set the maximum idle time of each File Repository Server. This setting limits the length of time that the server waits before it closes inactive connections. Before you change this setting, it is important to understand that setting a value too low can cause a user's request to be closed prematurely. Setting a value that is too high can result in the unnecessary consumption of system resources such as processing time and disk space.
To modify settings for a File Repository Server
1. Go to the Servers management area of the CMC.
2. Click the link to the File Repository Server you want to change.
   By default, the File Repository Servers are named Input and Output, respectively. If you run multiple instances of each server, their names should be prefixed with Input. and Output. as appropriate.
3. Make your changes on the Properties tab.
   In this example, the Input File Repository Server is set to use D:\InputFRS\ as its root directory. The server will remain idle for a maximum of 15 minutes.
4. Click either Apply or Update:
   - Click Apply to submit changes and restart the server so that the changes take effect immediately.
   - Click Update to save the changes. You must restart the server for the changes to take effect.
4. Click either Apply or Update:
   - Click Apply to submit changes and restart the server so that the changes take effect immediately.
   - Click Update to save the changes. You must restart the server for the changes to take effect.
Location of the Cache Files
The Location of the Cache Files setting specifies the absolute path to the directory on the Cache Server machine where the cached report pages (.epf files) are stored.
Note: The cache directory must be on a drive that is local to the server.
Maximum Cache Size Allowed
The Maximum Cache Size Allowed setting limits the amount of hard disk space (in KBytes) that is used to cache reports. When the Cache Server has to handle large numbers of reports, or reports that are especially complex, a larger cache size is needed. The default value is 5000 KBytes, which is large enough to optimize performance for most installations.
Maximum Simultaneous Processing Threads
The Maximum Simultaneous Processing Threads setting limits the number of concurrent reporting requests that the Cache Server processes. The default value is set to Automatic, and is acceptable for most, if not all, reporting scenarios. With this setting, the Cache Server sets the maximum number of threads using the number of processors in your system as a guide.
If your Cache Server responds slowly under high load, and resource utilization on the machine is high (that is, either memory usage is high or CPU utilization is high, particularly in the kernel), you may wish to decrease the number of threads to improve performance. If the Cache Server is slow under high load but CPU utilization is low, increasing the number of threads may improve performance.
However, the ideal setting for your reporting environment is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.
Minutes Before an Idle Connection is Closed
The Minutes Before an Idle Connection is Closed setting alters the length of time that the Cache Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a user's request to be closed prematurely, and setting a value that is too high can cause requests to be queued while the server waits for idle jobs to be closed.
Oldest On-Demand Data Given To a Client (in minutes)
The Oldest On-Demand Data Given To a Client (in minutes) setting determines how long cached report pages are used before new data is requested from the database. This setting is respected for report instances with saved data, and for report objects that do not have on-demand subreports or parameters and that do not prompt for database logon information. Generally, the default value of 15 minutes is acceptable: as with other performance settings, the optimal value is largely dependent upon your reporting requirements.
Viewer Refresh Always Yields Current Data
When enabled, the Viewer Refresh Always Yields Current Data setting ensures that, when users explicitly refresh a report, all cached pages are ignored, and new data is retrieved directly from the database. When disabled, this setting prevents users from retrieving new data more frequently than is permitted by the time specified in the Minutes Between Refreshes from Database setting.
The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Configuring the processing tier includes:
- Modifying Page Server performance settings on page 115
- Modifying database settings for the RAS on page 118
- Modifying performance settings for the RAS on page 120
- Modifying performance settings for job servers on page 121
- Configuring the Web Intelligence Report Server on page 122
- Configuring the destinations for job servers on page 125
- Configuring Windows processing servers for your data source on page 132
- Configuring UNIX processing servers for your data source on page 133
To modify Page Server performance settings
1. Go to the Servers management area of the CMC.
2. Click the link to the Page Server whose settings you want to change.
3. Make your changes on the Properties tab.
4. Click either Apply or Update:
   - Click Apply to submit changes and restart the server so that the changes take effect immediately.
   - Click Update to save the changes. You must restart the server for the changes to take effect.
Location of Temp Files
The Location of Temp Files setting specifies the absolute path to a directory on the Page Server machine. This directory must have plenty of free hard disk space. If not enough disk space is available, job processing may be slower than usual, or job processing may fail.
Maximum Simultaneous Report Jobs
The Maximum Simultaneous Report Jobs setting limits the number of concurrent reporting requests that any single Page Server processes. The default value of 75 is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.
Minutes Before an Idle Connection is Closed
The Minutes Before an Idle Connection is Closed setting alters the length of time that the Page Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a user's request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary.
Minutes before an Idle Report Job is Closed
The Minutes before an Idle Report Job is Closed setting alters the length of time that the Page Server keeps a report job active. Before you change this setting, it is important to understand that setting a value too low can cause a user's request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary. (Note that this setting works in conjunction with the Report Job Database Connection setting.)
Database Records to Read When Previewing Or Refreshing a Report
The Database Records to Read When Previewing Or Refreshing a Report area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is useful when you want to prevent users from running on-demand reports containing queries that return excessively large record sets. You may prefer to schedule such reports, both to make the reports available more quickly to users and to reduce the load on your database from these large queries.
Oldest On-Demand Data Given to a Client (in minutes)
The Oldest On-Demand Data Given To a Client (in minutes) setting controls how long the Page Server uses previously processed data to meet requests. If the Page Server receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the Page Server will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information.
When setting the value of the oldest processed data given to a client, consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0.
Viewer Refresh Always Yields Current Data
When enabled, the Viewer Refresh Always Yields Current Data setting ensures that, when users explicitly refresh a report, all previously processed data is ignored, and new data is retrieved directly from the database. When disabled, the setting ensures that the Page Server will treat requests generated by a viewer refresh in exactly the same way as it treats new requests.
Report Job Database Connection
The Report Job Database Connection settings can be used to make a tradeoff between the number of database licenses you use and the performance you can expect for certain types of reports.
If you select Disconnect when all records have been retrieved or the job is closed, the Page Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that the Page Server stays connected to your database server, and therefore limits the number of database licenses consumed by the Page Server. However, if the Page Server needs to reconnect to the database to generate an on-demand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected Disconnect when the job is closed. (The latter option ensures that the Page Server stays connected to the database server until the report job is closed. Note that you can set the Minutes before a Report Job is Closed above.)
- Click Apply to submit changes and restart the server so that the changes take effect immediately.
- Click Update to save the changes. You must restart the server for the changes to take effect.
Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Database.
Number of database records to read when previewing or refreshing a report
The Number of database records to read when previewing or refreshing a report area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is particularly useful if you provide users with ad hoc query and reporting tools, and you want to prevent them from running queries that return excessively large record sets.
When the RAS retrieves records from the database, the query results are returned in batches. The Number of records per batch setting allows you to determine the number of records that are contained in each batch. The batch size cannot be equal to or less than zero.
Number of records to browse
The Number of records to browse setting allows you to specify the number of distinct records that will be returned from the database when browsing through a particular field's values. The data will be retrieved first from the client's cache, if it is available, and then from the server's cache. If the data is not in either cache, it is retrieved from the database.
Oldest on-demand data given to a client (in minutes)
The Oldest on-demand data given to a client (in minutes) setting controls how long the RAS uses previously processed data to meet requests. If the RAS receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the RAS will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information.
When setting the value of the oldest on-demand data given to a client, consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0. This is the default on the RAS, to support the data needs of users performing ad hoc reporting.
Report Job Database Connection
The Report Job Database Connection settings can be used to make a tradeoff between the number of database licenses you use and the performance you can expect for certain types of reports.
If you select Disconnect when all records have been retrieved or the job is closed, the Report Application Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that the RAS stays connected to your database server, and therefore limits the number of database licenses consumed by the RAS. However, if the RAS needs to reconnect to the database to generate an on-demand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected Disconnect when the job is closed. (The latter option ensures that the RAS stays connected to the database server until the report job is closed.)
- Click Apply to submit changes and restart the server so that the changes take effect immediately.
- Click Update to save the changes. You must restart the server for the changes to take effect.
Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Server.
Minutes Before an Idle Connection is Closed
The Minutes Before an Idle Connection is Closed setting alters the length of time that the RAS waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a user's request to be closed prematurely, and setting a value that is too high can affect the server's scalability (for instance, if the ReportClientDocument object is not closed explicitly, the server will be waiting unnecessarily for an idle job to close).
Maximum Simultaneous Report Jobs
The Maximum Simultaneous Report Jobs setting limits the number of concurrent reporting requests that a RAS processes. The default value is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.
Maximum Jobs Allowed
The Maximum Jobs Allowed setting limits the number of concurrent independent processes (child processes) that the server allows; that is, it limits the number of scheduled objects that the server will process at any one time. You can tailor the maximum number of jobs to suit your reporting environment.
The default Maximum Jobs Allowed setting is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.
Temp Directory
You can also change the default directory where the server stores its temporary files.
   - Click Apply to submit changes and restart the server so that the changes take effect immediately.
   - Click Update to save the changes. You must restart the server for the changes to take effect.
5. Return to the Servers management area of the CMC and restart the Job Server.
Maximum Simultaneous Connections
The maximum number of simultaneous connections that the server allows at one time, from sources such as the Web Intelligence SDK or the Web Intelligence Job Server. If this limit is reached, the user will receive an error message, unless another server is available to handle the request.
Connection Time Out
The number of minutes before an idle connection to the Web Intelligence Report Server will be closed.
List of Values Batch Size
The maximum number of values that can be returned per list of values batch. For example, if the number of values in a list of values exceeds this size, then the list of values will be returned to the user in several batches of this size or less. The minimum value that you can enter is 10. Although there is no limit on the maximum value, Business Objects recommends that you limit it to 30000.
Universe Cache Size
The number of universes to be cached on the Web Intelligence Report Server.
List of Values Caching
Enables or disables caching per user session of list of values in Web Intelligence Report Server. The default is for the feature to be on.
Enable Viewing Caching
When this parameter is on, real-time caching is possible for Web Intelligence documents when they are viewed, or when they are generated as a result of having been run as a scheduled job. When this parameter is off, both real-time caching of Web Intelligence documents and viewing of cached Web Intelligence documents are impossible. Real-time caching is done only if both this parameter and the Enable Real Time Caching parameter are on.
Enable Real Time Caching
When this parameter is on, the Web Intelligence Report Server caches Web Intelligence documents when the documents are viewed. The server also caches the documents when they are run as a scheduled job, provided the pre-cache was enabled in the document. When the parameter is off, the Web Intelligence Report Server does not cache the Web Intelligence documents when the documents are viewed. Nor does it cache the documents when they are run as a scheduled job. This parameter is taken into account only when the Enable Viewing Caching is set to on.
Note: To improve system performance, set the Maximum Number Of Downloaded Documents To Cache to zero when this option is selected, but enter a value for Maximum Number Of Downloaded Documents To Cache when this option is deselected.
Document Cache Duration
The amount of time (in minutes) that content is stored in cache.
Document Cache Size
The size (in kilobytes) of the document cache.
Amount of Cache To Keep When Document Cache is Full
If the storage size is bigger than the allocated storage size, the system will delete documents with the oldest last accessed time. Then, if the cache size still exceeds the maximum storage size, the Web Intelligence Report Server will clean up the cache until the amount of cache percentage is reached.
Document Cache Scan Interval
The number of minutes that the system waits before checking the document cache for cleanup.
Maximum Number of Downloaded Documents To Cache
The number of Web Intelligence documents that can be stored in cache.
Note: To improve system performance, set this value to zero when Enable Real Time Caching is selected, but enter a value when Enable Real Time Caching is deselected.
Enabling or disabling destinations for job servers on page 125
Configuring the destination properties for job servers on page 126
Selecting a destination on page 481
Sending an object or instance on page 420

To enable or disable destinations for a job server
1. Go to the Servers management area of the CMC.
2. Click the link for the job server for which you want to enable or disable a destination.
3. Select the check box for each destination you want to support.
4. Click Enable. To disable destinations, click Disable. When a destination is disabled a red circle is shown beside the name.
5. If you enabled the destination, you must also configure the destination. See Configuring the destination properties for job servers on page 126.

Inbox destination properties on page 127
Unmanaged Disk destination properties on page 131
FTP destination properties on page 130
Email (SMTP) destination properties on page 128

Click Update.
Make sure the destination has been enabled. See Enabling or disabling destinations for job servers on page 125.

Shortcut: The system sends a shortcut to the specified destination.
Copy: The system sends a copy of the instance, for example, the .rpt file, to the destination.

Send List
Specify which users or user groups you want to receive instances that have been generated or processed by the job server.

See also Configuring the destination properties for job servers on page 126.

Domain Name
Enter the fully qualified domain of the SMTP server.

Server Name
Enter the name of the SMTP server.

Port
Enter the port that the SMTP server is listening on. (The standard SMTP port is 25.)

Authentication
Select Plain or Login if the job server must be authenticated using one of these methods in order to send email.

SMTP User Name
Provide the Job Server with a user name that has permission to send email and attachments through the SMTP server.

SMTP Password
Provide the Job Server with the password for the SMTP server.

From
Provide the return email address. Users can override this default when they schedule an object.

To, Cc, Subject, and Message
Set the default values for users who schedule reports to this SMTP destination. Users can override these defaults when they schedule an object.

Add viewer hyperlink to message body
Click Add if you want to add the URL for the viewer in which you want the email recipient to view the report. You can set the default URL by clicking Object Settings on the main page of the Objects management area of the CMC. (If you send a hyperlink, the email recipient must log on to BusinessObjects Enterprise to see the report.) Users can override this default when they schedule an object.

Attach report instance to email message
Clear this check box if you do not want a copy of the report or program instance attached to the email. Users can override these defaults when they schedule an object.

Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to generate a random file name.

Specified File Name
Select this option if you want to enter a file name. You can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add.

Add file extension
Adds the .%EXT% extension to the specified filename. This is similar to selecting File Extension from the list and clicking Add. By adding an extension to the file name, Windows will know which program to use to open the file when users want to view the file.

See also Configuring the destination properties for job servers on page 126.

Host
Enter your FTP host information.

Port
Enter the FTP port number (the standard FTP port is 21).

FTP User Name
Specify a user who has the necessary rights to upload a report to the FTP server.

FTP Password
Enter the user's password.

Account
Enter the FTP account information, if required. Account is part of the standard FTP protocol, but it is rarely implemented. Provide the appropriate account only if your FTP server requires it.

Destination Directory
Enter the FTP directory that you want the object to be saved to. A relative path is interpreted relative to the root directory on the FTP server.

Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to generate a random file name.

Specified File Name
Select this option if you want to enter a file name; you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add.

Destination Directory
Type the absolute path to the directory. The directory can be on a local drive of the Job Server machine, or on any other machine that you can specify with a UNC path.

Default File Name (randomly generated)
Select this option if you want BusinessObjects Enterprise to generate a random file name.

Specified File Name
Select this option if you want to specify a file name; you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. When each instance runs, the variable is replaced with the appropriate information. For example, when you add the variable Owner, the file name of each object includes the object owner's name.

User Name
Specify a user who has permission to write files to the destination directory.

Password
Type the password for the user.

In this example, the destination directory is on a network drive that is accessible to the Job Server machine through a UNC path. Each file name will be randomly generated, and a user name and password have been specified to grant the Job Server permission to write files to the remote directory.

Native drivers
If you design reports using native drivers, you must install the appropriate database client software on each Job Server and/or Page Server machine that will process the reports. The server loads the client software at runtime in order to access the database that is specified in the report. The server locates the client software by searching the library path environment variable that corresponds to your operating system (LD_LIBRARY_PATH on Sun Solaris, LIBPATH on IBM AIX, and so on), so this variable must be defined for the login environment of each Job Server and Page Server. Depending on your database, additional environment variables may be required for the Job Server and Page Server to use the client software. These include:
Oracle
The ORACLE_HOME environment variable must define the top-level directory of the Oracle client installation.

Sybase
The SYBASE environment variable must define the top-level directory of the Sybase client installation. The SYBPLATFORM environment variable must define the platform architecture.

DB2
The DB2INSTANCE environment variable must define the DB2 instance that is used for database access. Use the DB2 instance initialization script to ensure that the DB2 environment is correct.

Note: For complete details regarding these and other required environment variables, see the documentation included with your database client software.

As an example, suppose that you are running reports against both Sybase and Oracle. The Sybase database client is installed in /opt/sybase, and the Oracle client is installed in /opt/oracle/app/oracle/product/8.1.7. You installed BusinessObjects Enterprise under the crystal user account (as recommended in the BusinessObjects Enterprise Installation Guide). If the crystal user's default shell is a C shell, add these commands to the crystal user's login script:

setenv LD_LIBRARY_PATH /opt/oracle/app/oracle/product/8.1.7/lib:/opt/sybase/lib:$LD_LIBRARY_PATH
setenv ORACLE_HOME /opt/oracle/app/oracle/product/8.1.7
setenv SYBASE /opt/sybase
setenv SYBPLATFORM sun_svr4

If the crystal user's default shell is a Bourne shell, modify the syntax accordingly:

LD_LIBRARY_PATH=/opt/oracle/app/oracle/product/8.1.7/lib:/opt/sybase/lib:$LD_LIBRARY_PATH;export LD_LIBRARY_PATH
ORACLE_HOME=/opt/oracle/app/oracle/product/8.1.7;export ORACLE_HOME
SYBASE=/opt/sybase;export SYBASE
SYBPLATFORM=sun_svr4;export SYBPLATFORM

ODBC drivers
If you design reports off ODBC data sources (on Windows), you must set up the corresponding data sources on the Job Server and Page Server machines. In addition, you must ensure that each server is set up properly for ODBC. During the installation, BusinessObjects Enterprise installs ODBC drivers for UNIX, creates configuration files and templates related to ODBC reporting, and sets up the required ODBC environment variables. This section discusses the installed environment, along with the information that you need to edit.

Note:
Detailed documentation covering the various ODBC drivers is included in the Merant Connect ODBC Reference (odbcref.pdf). This is installed below the crystal/enterprise/platform/odbc directory; it is also located in the doc directory of your product distribution.

If you report off DB2 using ODBC, your database administrator must first bind the UNIX version of the driver to every database that you report against (and not just each database server). The bind packages are installed below the crystal/enterprise/platform/odbc/lib directory; their filenames are iscsso.bnd, iscswhso.bnd, isrrso.bnd, isrrwhso.bnd, isurso.bnd, and isurwhso.bnd. Because Crystal Reports runs on Windows, ensure also that the Windows version of the driver has been bound to each database.

On UNIX, BusinessObjects Enterprise does not include the Informix client-dependent ODBC driver (CRinf16) that is installed on Windows. The UNIX version does, however, include the clientless ODBC driver for Informix connectivity.
The INSTALL_ROOT/bobje/enterprise11/platform/odbc/lib directory of your installation is added to the library path environment variable.
The ODBC_HOME environment variable is set to the INSTALL_ROOT/bobje/enterprise11/platform/odbc directory of your installation.
The ODBCINI environment variable is defined as the path to the .odbc.ini file that was created by the BusinessObjects Enterprise installation.
Modify the environment variables in the env.csh script only if you have customized your configuration of ODBC. The main ODBC configuration file that you need to modify is the system information file.
The following example shows the contents of a system information file that defines a single ODBC DSN for servers running on UNIX. This DSN allows the Job Server and Page Server to process reports based on a System DSN (on Windows) called CRDB2:
[ODBC Data Sources]
CRDB2=MERANT 3.70 DB2 ODBC Driver

[CRDB2]
Driver=/opt/bobje/enterprise11/platform/odbc/lib/crdb216.so
Description=MERANT 3.70 DB2 ODBC Driver
Database=myDB2server
LogonID=username

[ODBC]
Trace=0
TraceFile=odbctrace.out
TraceDll=/opt/bobje/enterprise11/platform/odbc/lib/odbctrac.so
InstallDir=/opt/bobje/enterprise11/platform/odbc

As shown in the example above, the system information file is structured in three major sections:
The first section, denoted by [ODBC Data Sources], lists all the DSNs that are defined later in the file. Each entry in this section is provided as dsn=driver, and there must be one entry for every DSN that is defined in the file. The value of dsn must correspond exactly to the name of the System DSN (on Windows) that the report was based off.

The second section sequentially defines each DSN that is listed in the first section. The beginning of each definition is denoted by [dsn]. In the example above, [CRDB2] marks the beginning of the single DSN that is defined in the file. Each DSN is defined through a number of option=value pairs. The options that you must define depend upon the ODBC driver that you are using. These pairs essentially correspond to the Name=Data pairs that Windows stores for each System DSN in the registry:

\\HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\odbc.ini\dsn

However, the options for a particular ODBC driver on UNIX may not correspond by name to the options available for a Windows version of the same driver. For example, some Windows drivers store a UID value in the registry, and on UNIX you may need to specify this value with the LogonID option.

Note: For detailed documentation on each ODBC driver, see the Merant Connect ODBC Reference (odbcref.pdf). The PDF is installed below the crystal/enterprise/platform/odbc directory; it is also located in the doc directory of your product distribution.

The final section of the file, denoted by [ODBC], includes ODBC tracing information. You need not modify this section.
When the installation creates the system information file, it completes some fields and sets up a number of default DSNs, one for each of the installed ODBC drivers. The standard options that are commonly required for each driver are included in the file (Database=, LogonID=, and so on). Edit the file and provide the corresponding values that are specific to your reporting environment. This example shows the entire contents of a system information file created when BusinessObjects Enterprise was installed to the /usr/local directory.
[ODBC Data Sources]
CRDB2=MERANT 3.70 DB2 ODBC Driver
CRINF_CL=MERANT 3.70 Informix Dynamic Server ODBC Driver
CROR8=MERANT 3.70 Oracle8 ODBC Driver
CRSS=MERANT 3.70 SQL Server ODBC Driver
CRSYB=MERANT 3.70 Sybase ASE ODBC Driver
CRTXT=MERANT 3.70 Text ODBC Driver

[CRDB2]
Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/crdb216.so
Description=MERANT 3.70 DB2 ODBC Driver
Database=
LogonID=

[CRINF_CL]
Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/crifcl16.so
Description=MERANT 3.70 Informix Dynamic Server ODBC Driver
ServerName=
HostName=
PortNumber=
Database=
LogonID=

[CROR8]
Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/cror816.so
Description=MERANT 3.70 Oracle8 ODBC Driver
ServerName=
ProcedureRetResults=1
LogonID=

[CRSS]
Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/crmsss16.so
Description=MERANT 3.70 SQL Server ODBC Driver
Address=
Database=
QuotedId=Yes
LogonID=

[CRSYB]
Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/crase16.so
Description=MERANT 3.70 Sybase ASE ODBC Driver
NetworkAddress=
Database=
LogonID=

[CRTXT]
Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/crtxt16.so
Description=MERANT 3.70 Text ODBC Driver
Database=

[ODBC]
Trace=0
TraceFile=odbctrace.out
TraceDll=/usr/local/bobje/enterprise11/platform/odbc/lib/odbctrac.so
InstallDir=/usr/local/bobje/enterprise11/platform/odbc

Then define the new DSN by adding the following lines just before the system information file's [ODBC] section:

[SalesDB]
Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/cror816.so
Description=MERANT 3.70 Oracle8 ODBC Driver
ServerName=MyServer
ProcedureRetResults=1
LogonID=MyUserName

Once you have added this information, the new DSN is available to the Job Server and Page Server, so they can process reports that are based off the SalesDB System DSN (on Windows).
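
The three-section structure described above can be checked mechanically after each edit. The following Python script is an added example, not part of the guide or the product: it verifies that every DSN section is listed under [ODBC Data Sources] and the reverse, that each DSN names a driver, that no installer-created option was left blank, and that tracing is off. The sample file is constructed, and the function name is hypothetical.

```python
import configparser
import os

RESERVED = ("ODBC Data Sources", "ODBC")

# Constructed sample: an installer-style file in which [SalesDB] was added
# but never listed under [ODBC Data Sources], and tracing was switched on.
SAMPLE = """\
[ODBC Data Sources]
CRDB2=MERANT 3.70 DB2 ODBC Driver
CROR8=MERANT 3.70 Oracle8 ODBC Driver

[CRDB2]
Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/crdb216.so
Description=MERANT 3.70 DB2 ODBC Driver
Database=myDB2server
LogonID=username

[CROR8]
Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/cror816.so
Description=MERANT 3.70 Oracle8 ODBC Driver
ServerName=
ProcedureRetResults=1
LogonID=

[SalesDB]
Driver=/usr/local/bobje/enterprise11/platform/odbc/lib/cror816.so
Description=MERANT 3.70 Oracle8 ODBC Driver
ServerName=MyServer
ProcedureRetResults=1
LogonID=MyUserName

[ODBC]
Trace=1
TraceFile=odbctrace.out
InstallDir=/usr/local/bobje/enterprise11/platform/odbc
"""


def validate_system_information(text, check_paths=False):
    """Return a list of findings for one system information (.odbc.ini) file."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep DSN and option names exactly as written
    parser.read_string(text)
    findings = []

    if parser.has_section("ODBC Data Sources"):
        listed = dict(parser["ODBC Data Sources"])
    else:
        listed = {}
        findings.append("no [ODBC Data Sources] section")
    defined = [s for s in parser.sections() if s not in RESERVED]

    # Every dsn=driver entry needs a matching [dsn] definition.
    for dsn in listed:
        if dsn not in defined:
            findings.append(
                f"{dsn}: listed in [ODBC Data Sources] but has no [{dsn}] section")

    for dsn in defined:
        # A definition without a listing is not visible as a DSN.
        if dsn not in listed:
            findings.append(f"{dsn}: defined but not listed in [ODBC Data Sources]")
        options = parser[dsn]
        driver = options.get("Driver", "")
        if not driver:
            findings.append(f"{dsn}: no Driver option")
        elif check_paths and not os.path.isfile(driver):
            findings.append(f"{dsn}: driver library {driver} not found")
        # Installer defaults such as Database= and LogonID= start out empty.
        for name, value in options.items():
            if name != "Driver" and value == "":
                findings.append(f"{dsn}: option {name} is blank")

    if parser.has_section("ODBC") and parser["ODBC"].get("Trace", "0") != "0":
        findings.append("[ODBC]: tracing is enabled (Trace is not 0)")
    return findings


if __name__ == "__main__":
    for finding in validate_system_information(SAMPLE):
        print(finding)
```

Pass check_paths=True when running on the Job Server or Page Server machine itself, so that each Driver path is also tested against the file system.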

In addition, each of the BusinessObjects Enterprise servers is designed to log messages to your operating system's standard system log.

On Windows NT/2000, BusinessObjects Enterprise logs to the Event Log service. You can view the results with the Event Viewer (in the Application Log).
On UNIX, BusinessObjects Enterprise logs to the syslog daemon as a User application.

Each server prepends its name and PID to any messages that it logs. This example shows two messages logged to the syslog daemon on UNIX:
Each server also logs assert messages to the logging directory of your product installation. The programmatic information logged to these files is typically useful only to Business Objects support staff for advanced debugging purposes. The location of these log files depends upon your operating system:
On Windows, the default logging directory is C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Logging
On UNIX, the default logging directory is the INSTALL_ROOT/bobje/logging directory of your installation.
The important point to note is that these log files are cleaned up automatically, so there will never be more than approximately 1 MB of logged data per server.

Changing the default server port numbers on page 140
Configuring a multihomed machine on page 143
Adding and removing Windows server dependencies on page 144
Changing the server startup type on page 145
Changing the server user account on page 146
Configuring servers for SSL on page 146

This table summarizes the command-line options as they relate to port usage for specific server types. For more information, see Appendix E: Server Command Lines.

Option: -port
CMS: Specifies the primary BusinessObjects Enterprise port on which the CMS listens for requests from all other servers. The default is 6400.
Other Servers: Used only in multihomed environments or for certain NAT firewall environments. In both cases, specify -port interface only. (-port number has no meaning for these servers).

Option: -requestPort
CMS: that the CMS uses for identifying other servers and for registering with itself and/or a cluster. Selected dynamically if unspecified.
Other Servers: the server listens for BusinessObjects Enterprise requests. The server registers this port with the CMS. Selected dynamically if unspecified.

Option: -ns
CMS: n/a
Other Servers: Specifies the CMS that the server will register with.

CMS port number, you must change the -ns option in every other server's command line, to ensure that each server connects to the appropriate port of the CMS. (The -ns option stands for nameserver. The CMS functions as the nameserver in BusinessObjects Enterprise, because it maintains a list that includes the host name and port number of each server that is started, enabled, and thus available to accept BusinessObjects Enterprise requests.) You must also set the name and port number of the CMS with the connection.cms context parameter in web.xml. See Configuring the Web Component Adapter on page 89.

If you are working with multihomed machines or in certain NAT firewall configurations, you may wish to specify -port interface:number for the CMS and -port interface for the other servers. For details, see Configuring a multihomed machine on page 143 or Configuring for Network Address Translation on page 190.

On Windows, the CCM displays default port numbers on each server's Configuration tab. This displayed port corresponds to the -port option. For servers other than the CMS, this default port is not actually in use (each server registers its -requestPort number with the CMS instead).

To change the default CMS port for BusinessObjects Enterprise servers
1. Use the CCM (on Windows) or ccm.sh (on UNIX) to stop all the BusinessObjects Enterprise servers.
2. Add (or modify) the following option in the CMS command line:

-port number

Replace number with the port that you want the CMS to listen on. (The default port is 6400.)
3. Add (or modify) the following option in the command line of all of the remaining non-CMS BusinessObjects Enterprise servers:

-ns hostname:number

Replace hostname with the host name of the machine that is running the CMS. The host name must resolve to a valid IP address within your network. Replace number with the port that the CMS is listening on.
4. Start and enable all the BusinessObjects Enterprise servers. The CMS begins listening on the port specified by number, and the non-CMS servers broadcast to that port when attempting to register with the CMS.
5. Set the name and port number of the CMS with the connection.cms context parameter in web.xml. See Configuring the Web Component Adapter on page 89.

To change the port a server registers with the CMS
1. Use the CCM (on Windows) or ccm.sh (on UNIX) to stop the server.
2. Add (or modify) the following option in the server's command line:

-requestPort number

Replace number with the port that you want the server to listen on.
3. Start and enable the server. The server binds to the new port specified by number. It then registers with the CMS and begins listening for BusinessObjects Enterprise requests on the new port.

By default, each server registers itself with the CMS by IP address, rather than by name. This typically provides the most reliable behavior. If you need each server to register with the CMS by fully qualified domain name instead, use the -requestPort option in conjunction with -port interface (where interface is the server's fully qualified domain name). Having the servers register by name can be useful if a NAT firewall resides between the server and the CMS. For more information, see Configuring for Network Address Translation on page 190.
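
After a port change, a stale -ns value or a reused -requestPort is easy to miss across many command lines. The following Python script is an added example, not part of the guide or the product: it parses the -port, -ns and -requestPort options and reports servers whose settings disagree with the CMS. The server names and command lines are constructed, all servers are assumed to run on one machine, and an -ns value without a port number is assumed to mean the default port 6400.

```python
import shlex

DEFAULT_CMS_PORT = 6400  # default CMS port stated in the guide

# Constructed command lines; executable names are placeholders.
CMS_CMDLINE = "cms -port 6500"
OTHERS = {
    "pageserver": "pageserver -ns cmshost:6500 -requestPort 6601",
    "cacheserver": "cacheserver -ns cmshost:6400 -requestPort 6601",
    "jobserver": "jobserver -ns cmshost:6500 -port 6700",
    "eventserver": "eventserver -requestPort 6500",
}


def parse_options(cmdline):
    """Return {option: value} for the three port-related options."""
    tokens = shlex.split(cmdline)
    wanted = ("-port", "-ns", "-requestPort")
    return {tok: tokens[i + 1]
            for i, tok in enumerate(tokens[:-1]) if tok in wanted}


def split_endpoint(value):
    """Split 'interface:number', 'number' or 'interface' into (interface, port)."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    if value.isdigit():
        return None, int(value)
    return value, None


def check_ports(cms_cmdline, others):
    """Return findings for non-CMS servers that disagree with the CMS settings."""
    findings = []
    cms_value = parse_options(cms_cmdline).get("-port", str(DEFAULT_CMS_PORT))
    cms_port = split_endpoint(cms_value)[1] or DEFAULT_CMS_PORT
    taken = {cms_port: "the CMS"}  # ports already bound on this machine

    for name, cmdline in others.items():
        opts = parse_options(cmdline)

        # -ns must follow the CMS whenever its port moves off the default.
        if "-ns" in opts:
            ns_port = split_endpoint(opts["-ns"])[1] or DEFAULT_CMS_PORT
            if ns_port != cms_port:
                findings.append(f"{name}: -ns points to port {ns_port} "
                                f"but the CMS listens on {cms_port}")
        elif cms_port != DEFAULT_CMS_PORT:
            findings.append(f"{name}: no -ns option although the CMS port "
                            f"was changed to {cms_port}")

        # For non-CMS servers only '-port interface' is meaningful.
        if "-port" in opts and split_endpoint(opts["-port"])[1] is not None:
            findings.append(f"{name}: -port {opts['-port']} carries a port number, "
                            "which has no meaning for a non-CMS server")

        # -requestPort is the port the server really binds; it must be unique.
        if "-requestPort" in opts:
            port = split_endpoint(opts["-requestPort"])[1]
            if port is None:
                findings.append(f"{name}: -requestPort "
                                f"{opts['-requestPort']} is not a port number")
            elif port in taken:
                findings.append(f"{name}: -requestPort {port} "
                                f"is already taken by {taken[port]}")
            else:
                taken[port] = name
    return findings


if __name__ == "__main__":
    for finding in check_ports(CMS_CMDLINE, OTHERS):
        print(finding)
```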
You may also need to specify -port interface when BusinessObjects Enterprise is running on a multihomed machine.
To retain the default port numbers, replace port with 6400 for the CMS.
If you change the default port numbers, you will need to make additional configuration changes. For details, see Changing the default server port numbers on page 140.
To configure the WCA, use interface:port when setting the connection.listeningPort context parameter in web.xml. (See Configuring the Web Component Adapter on page 89.)

4. The Add Dependency dialog box provides you with a list of all available dependencies. Select the dependency or dependencies, as required, and then click Add.
5. To remove a dependency from the list, select it and click Remove.
6. Click OK.
7. Restart the server.
Automatic starts the server each time the machine is started.
Manual requires you to start the server before it will run.
Disabled requires you to change the startup type to automatic or manual before it can run.

To change the server startup type on Windows
1. Start the CCM.
2. Stop the server whose startup type you want to modify.
3. With the server selected, click Properties on the toolbar.
4. Click the Startup Type list and select Automatic, Disabled, or Manual.
5. Click OK.
6. Restart the server.

To change the server startup type on UNIX
On UNIX, this requires root privileges. See setupinit.sh on page 607.

Deploy BusinessObjects Enterprise with SSL enabled.
Create key and certificate files for each machine in your deployment.
Configure the location of these files in the Central Configuration Manager (CCM) and your web application server.

This command creates two files, a Certificate Authority (CA) certificate request (cacert.req) and a private key (privkey.pem).

3. To decrypt the private key, type the following command:

sslc rsa -in privkey.pem -out cakey.pem

This command creates the decrypted key, cakey.pem.

4. To sign the CA certificate, type the following command:

sslc x509 -in cacert.req -out cacert.pem -req -signkey cakey.pem -days 365

This command creates a self-signed certificate, cacert.pem, that expires after 365 days. Choose the number of days that suits your security needs.

5. Open the sslc.cnf file, stored in the same folder as the SSLC command line tool. Perform the following steps based on settings in the sslc.cnf file.

Place the cakey.pem and cacert.pem files in the directories specified by the sslc.cnf file's certificate and private_key options. By default, the settings in the sslc.cnf file are:

certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem

Create a file with the name specified by the sslc.cnf file's database setting.
Note: By default, this file is $dir/index.txt. The file can be empty.

Create a file with the name specified by the sslc.cnf file's serial setting. Ensure that this file provides an octet-string serial number (in hexadecimal format).
Note: To ensure that you can create and sign more certificates, choose a large number, such as 11111111111111111111111111111111.

6. To create a certificate request and a private key, type the following command:

sslc req -config sslc.cnf -new -out servercert.req

8. To sign the certificate with the CA certificate, type the following command:

sslc ca -config sslc.cnf -days 365 -out servercert.pem -in servercert.req

This command creates the servercert.pem file, which contains the signed certificate.

9. Use the following commands to convert the certificates to DER encoded certificates:

sslc x509 -in cacert.pem -out cacert.der -outform DER
sslc x509 -in servercert.pem -out servercert.der -outform DER

10. Create a text file for storing the plain text passphrase used for decrypting the generated private key.

11. Store the following key and certificate files in a secure location (under the same directory) that can be accessed by the machines in your BusinessObjects Enterprise deployment:

the trusted certificate file (cacert.der)
the generated server certificate file (servercert.der)
the server key file (server.key)
the passphrase file

This location will be used to configure SSL for the CCM and your web application server.
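
Because step 11 places a private key and a plain text passphrase in one shared directory, the directory is worth auditing before it is configured in the CCM. The following Python script is an added example, not part of the guide or the product: it checks that the four files are present, that the key and passphrase files are readable only by their owner, and that the two certificate files are DER rather than PEM. It assumes a POSIX file system; the passphrase file name passphrase.txt and the function names are hypothetical, and the demo files are constructed.

```python
import os
import stat
import tempfile

CERT_FILES = ("cacert.der", "servercert.der")


def audit_ssl_directory(directory, passphrase_file="passphrase.txt"):
    """Return findings for the key and certificate directory from step 11."""
    findings = []
    secret_files = ("server.key", passphrase_file)
    for name in CERT_FILES + secret_files:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            findings.append(f"{name}: missing")
            continue

        mode = stat.S_IMODE(os.stat(path).st_mode)
        # Nothing in this directory should be replaceable by arbitrary users.
        if mode & stat.S_IWOTH:
            findings.append(f"{name}: writable by any user (mode {mode:o})")
        # The key and its passphrase together unlock the server identity.
        if name in secret_files and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{name}: readable beyond its owner (mode {mode:o})")

        # Step 9 converts the certificates to DER; catch a PEM file left behind.
        if name in CERT_FILES:
            with open(path, "rb") as handle:
                head = handle.read(10)
            if head.startswith(b"-----BEGIN"):
                findings.append(f"{name}: PEM encoded, expected DER")
            elif not head.startswith(b"\x30"):
                findings.append(f"{name}: does not start with an ASN.1 SEQUENCE, not DER")
    return findings


def constructed_demo():
    """Build a throwaway directory with constructed files and audit it."""
    samples = {
        "cacert.der": (b"\x30\x82\x01\x0a" + b"\x00" * 16, 0o644),
        "servercert.der": (b"-----BEGIN CERTIFICATE-----\n", 0o644),
        "server.key": (b"constructed key material\n", 0o644),
        # passphrase.txt is deliberately absent
    }
    with tempfile.TemporaryDirectory() as directory:
        for name, (data, mode) in samples.items():
            path = os.path.join(directory, name)
            with open(path, "wb") as handle:
                handle.write(data)
            os.chmod(path, mode)
        return audit_ssl_directory(directory)


if __name__ == "__main__":
    for finding in constructed_demo():
        print(finding)
```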

2. If you have an IIS web application server, run the sslconfig tool from the command line and follow the configuration steps.

To create a server group
1. Go to the Server Groups management area of the CMC.
2. Click New Server Group. The New Server Group Properties tab appears.
3. In the Server Group Name field, type a name for the new group of servers.
4. Use the Description field to include additional information about the group.
5. Click OK.
6. On the Servers tab, click Add/Remove Servers.
7. Select the servers that you want to add to this group; then click the > arrow. Tip: Use CTRL+click to select multiple servers.
8. Click OK.

This example adds the servers to a server group called Northern Office Servers. You are returned to the Servers tab, which now lists all the servers that you added to the group. You can now change the status, view server metrics, and change the properties of the servers in the group. For more information, see Server management overview on page 78.
This example makes the Job Servers group a member subgroup of the Northern Office Servers group.
5. Click OK. You are returned to the Member of tab, which now lists all the server groups that the initial group is now a member of.

Scalability overview
The BusinessObjects Enterprise architecture is scalable in that it allows for a multitude of server configurations, ranging from stand-alone, single-machine environments, to large-scale deployments supporting global organizations. The flexibility offered by the product's architecture allows you to set up a system that suits your current reporting requirements, without limiting the possibilities for future growth and expansion.

This chapter details common scalability scenarios for administrators who want to expand beyond a stand-alone installation of BusinessObjects Enterprise. These three scenarios have received the most testing, and are recommended for the majority of deployments. For details, see Common configurations on page 159.

It must be emphasized, however, that the optimal configuration for your deployment will vary depending upon your hardware configuration, your database software, and your reporting requirements. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment.

Note: If you customize or expand your system beyond these common configurations without first contacting Business Objects Services, your deployment may not be officially supported.

This chapter also provides the related procedures for adding and deleting servers from your BusinessObjects Enterprise installation. Follow these steps when you need to add server components to a machine that is already running BusinessObjects Enterprise.

Tip: If you are adding new hardware to BusinessObjects Enterprise by installing server components on additional machines, run the BusinessObjects Enterprise installation and setup program. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that you want to install on the local machine. For details, see the BusinessObjects Enterprise Installation Guide.

Common configurations
This section details the common ways in which you should begin to scale, or expand, your BusinessObjects Enterprise system. The scenarios described are those that have been most thoroughly tested by Business Objects. As a baseline, this section assumes that you have not yet distributed the BusinessObjects Enterprise servers across multiple machines; however, this section does assume familiarity with the BusinessObjects Enterprise architecture, installation, and server configuration. For preliminary installation information, see the BusinessObjects Enterprise Installation Guide. Tip: If you are deploying multi-processor machines, you may also want to run one or more BusinessObjects Enterprise servers in multiple instances on that machine. For details, see Adding a server on page 169. This section describes the following common configurations:
One-machine setup on page 159
Three-machine setup on page 160
Six-machine setup on page 160

One-machine setup
This basic configuration separates the BusinessObjects Enterprise servers from the rest of your reporting environment and from your web server, and installs all BusinessObjects Enterprise servers on a single machine. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes. These are the general steps to setting up this configuration for the default Windows installation of BusinessObjects Enterprise:
Install all of the BusinessObjects Enterprise servers on a single, dedicated machine.
Run the CMS database on your database server. If you are still using the MSDE CMS database on Windows, migrate the CMS database to a supported database server. See the Platforms.txt file included with your product distribution for a list of supported database servers.
For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install your BusinessObjects Enterprise servers on the same machine as your Java web application server and the Web Component Adapter.
Three-machine setup
This second configuration divides the BusinessObjects Enterprise processing load in a logical manner, based on the types of work performed by each server. In this way, you prevent the server components from having to compete with each other for the same hardware and processing resources. In addition, this scenario prepares your system for further expansion to provide redundancy.

Note: It is recommended that you use three multi-processor machines (dual-CPU or better), with at least 2 GB RAM installed on each machine.

These are the general steps to setting up this configuration for the default Windows installation of BusinessObjects Enterprise:

Install the CMS and the Event Server on one machine.
Tip: Here, the Event Server is installed on the same machine as the CMS. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.

Install the application server, the Web Component Adapter and the Cache Server on the second machine.

Install the Page Server, the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, the Web Intelligence Report Server, the Report Application Server (RAS), and the Input and Output File Repository Servers on the third machine.
For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install the Java web application server and the Web Component Adapter on the same machine as your Cache Server. Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.
Six-machine setup
This third configuration mirrors the three-machine setup. You maintain the logical breakdown of processing based on the types of work performed by each server, but you increase the number of available machines and servers for redundancy and fault-tolerance. For instance, if a server stops responding, or if you need to take one or two machines offline completely, you need not interrupt BusinessObjects Enterprise requests in order to service the system.
This tested configuration is designed to meet the reporting requirements of 85% of all deployment scenarios. If you have further requirements or more advanced configuration needs, contact your Business Objects sales representative for additional assistance.
Note: It is recommended that you use six multi-processor machines (dual-CPU or better), with at least 2 GB RAM installed on each machine.
These are the general steps to setting up this configuration for the default Windows installation of BusinessObjects Enterprise:
Install the three-machine setup first. Verify that BusinessObjects Enterprise is functioning correctly. For details, see Three-machine setup on page 160.
Install a second CMS/Event Server pair on the fourth machine. This machine must have a fast network connection (minimum 10 Mbps) to the CMS that you have already installed. Cluster the two CMS services, so they share the task of maintaining the CMS database. Ensure that each CMS accesses the CMS database in exactly the same manner (the same database client software, the same database user name and password, and so on).
Tip: Here, the Event Server is installed on the same machine as the CMS. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.
Install a second application server and Web Component Adapter on the fifth machine, along with a second Cache Server. Consult your web application server documentation for information on load-balancing and clustering your application servers. Ensure that the web.xml file is configured correctly for each WCA.
Install a second Page Server, Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, Web Intelligence Report Server, and RAS on the remaining machine, along with a pair of Input and Output File Repository Servers. Ensure that all Page Servers and job servers, including the Web Intelligence Report Server, can access your reporting database in exactly the same manner. Install and configure any required database client software similarly on each machine, along with any ODBC DSNs that are required for your reports.
Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.
Increasing overall system capacity on page 162
Increasing scheduled reporting capacity on page 163
Increasing on-demand viewing capacity for Crystal reports on page 164
Increasing prompting capacity on page 165
Enhancing custom web applications on page 166
Improving web response speeds on page 166
Getting the most from existing resources on page 167
Install the Job Server in close proximity to (but not on the same machine as) the database server against which the reports run. Ensure also that the File Repository Servers are readily accessible to all Job Servers (so they can read report objects from the Input FRS and write report instances to the Output FRS quickly). Depending upon your network configuration, these strategies may improve the processing speed of the Job Server, because there is less distance for data to travel over your corporate network.
Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database server's resources to group data, incorporating parameter fields, and so on. For more information, see the Designing Optimized Web Reports section in the Crystal Reports User's Guide (version 8.5 and later).
Use event-based scheduling to create dependencies between large or complex reports. For instance, if you run several very complex reports on a regular, nightly basis, you can use Schedule events to ensure that the reports are processed sequentially. This is a useful way of minimizing the processing load that your database server is subject to at any given point in time.
If some reports are much larger or more complex than others, consider distributing the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Job Servers. Then, when you schedule recurrent reports, you can specify that they be processed by a particular server group to ensure that especially large reports are distributed evenly across resources.
Increase the hardware resources that are available to a Job Server. If the Job Server is currently running on a machine along with other BusinessObjects Enterprise components, consider moving the Job Server to a dedicated machine. If the new machine has multiple CPUs, you can install multiple Job Servers on the same machine (typically no more than one service/daemon per CPU).
Increasing Web Intelligence document processing capacity
All Web Intelligence documents that are scheduled are eventually processed by a Web Intelligence Job Server and Web Intelligence Report Server. You can expand BusinessObjects Enterprise by running individual Web Intelligence Report Servers on multiple machines, or by running multiple Web Intelligence Report Servers on a single multi-processor machine. When running multiple Web Intelligence Report Servers, you don't need to duplicate the Web Intelligence Job Server. One Web Intelligence Job Server can be used to drive multiple Web Intelligence Report Servers. However, if you are working with server groups, a Web Intelligence Job Server must exist in the same group as the Web Intelligence Report Servers.
Note: When deciding whether to increase the number of Web Intelligence Report Servers, keep in mind that the Web Intelligence Report Server processes both scheduling and viewing requests, whereas requests for Crystal reports are processed by three separate servers: the Report Job Server, the Cache Server and the Page Server.
Increase the maximum allowed size of the cache. For details, see Modifying Cache Server performance settings on page 112.
Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database server's resources to group data, incorporating parameter fields, and so on. For more information, see the Designing Optimized Web Reports section in the Crystal Reports User's Guide (version 8.5 and later).
Increase the number of Page Servers that service requests on behalf of Cache Servers. You can do this by installing additional Page Servers on multiple machines. However, do not install more than one Page Server per machine. The Page Server has been re-designed to optimize the processing capability of a machine. It is therefore no longer recommended that you install multiple Page Servers on one machine. Increase the number of Page Servers, Cache Servers, and Report Application Servers on the system, and then distribute the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Cache Server/Page Server pairs along with one or more Report Application Servers. You can then specify individual reports that should always be processed by a particular server group.
Assess your web server's ability to serve the number of users who connect regularly to BusinessObjects Enterprise. Use the administrative tools provided with your web server software (or with your operating system) to determine how well your web server performs. If the web server is indeed limiting web response speeds, consider increasing the web server's hardware.
If web response speeds are slowed only by report viewing activities, see Increasing scheduled reporting capacity on page 163 and Increasing on-demand viewing capacity for Crystal reports on page 164.
Take into account the number of users who regularly access your system. If you are running a large deployment, ensure that you have set up a CMS cluster. For details, see Increasing overall system capacity on page 162.
If you find that a single application server inadequately services the number of scripting requests made by users who access your system on a regular basis, consider the following options:
Increase the hardware resources that are available to the application server. If the application server is currently running on the web server, or on a single machine with other BusinessObjects Enterprise components, consider moving the application server to a dedicated machine. If the new machine has multiple CPUs, you can install multiple application servers on the same machine (typically no more than one per CPU).
If you are using the default Windows installation of BusinessObjects Enterprise, set up two (or more) WCS machines to take advantage of the dynamic load balancing that is built into the Web Connector components. The Web Connector distributes the processing load evenly across WCS hosts: each new BusinessObjects Enterprise session is sent to the least used WCS. This also allows you to take one WCS machine offline for service without bringing down the entire system.
Consider setting up two (or more) application servers. Consult the documentation for your web application server for information on load-balancing, clustering, and scalability.
Note: BusinessObjects Enterprise does not support the session-replication functionality provided by some Java web application servers.
BusinessObjects Enterprise processes reports against your database servers. If your databases are not optimized for the reports you need to run, then the performance of BusinessObjects Enterprise may suffer. Consult your database administrator for more information.
Tip: If you are adding new hardware to BusinessObjects Enterprise by installing server components on new, additional machines, run the BusinessObjects Enterprise installation and setup program from your product distribution. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that you want to install on the local machine. For details, see the BusinessObjects Enterprise Installation Guide.
Adding a server
These steps add a new instance of a server to the local machine. You can run multiple instances of the same BusinessObjects Enterprise server on the same machine.
To add a Windows server
Note: To complete this procedure, you must log on as an Administrator of the local machine.
1. Start the CCM on the BusinessObjects Enterprise machine upon which you want to install a new server.
2. On the toolbar, click Add Server. The Add Business Objects Server Wizard displays its Welcome dialog box.
3. Click Next. The Server Type and Display Name Configuration dialog box appears.
4. Click the Server Type list and select the kind of server you want to add.
5. Change the default Display Name field if you want a different name to appear in the list of servers in the CCM. Note: The display name for each server on the local machine must be unique.
6. Change the default Server Name field if required. Each server on the system must have a unique name. The default naming convention is HOSTNAME.servertype (a number is appended if there is more than one server of the same type on the same host machine). This Server Name is displayed when you manage servers over the Web in the Central Management Console (CMC). When you add Input or Output File Repository Servers, the wizard always precedes the server name you type with an Input. or Output. prefix. So, if you add an Input FRS with the name SERVER02, the CCM actually names the server Input.SERVER02. This Input. prefix is required by the system. If you subsequently modify the server's name through its command line, do not remove the prefix.
7. Click Next. The Set Configuration for this server dialog box appears. The contents of this dialog vary slightly, depending upon the type of server that you are installing.
8. Type the name of the CMS that you want the server to communicate with. If your CMS is not listening on the default port (6400), include the appropriate port number, as in CMSname:port#
9. Click Next to accept any other default values, or modify them to suit your environment. Note: If port number options are displayed in this dialog box, do not modify them. Instead, change ports through each server's command line. For details, see Changing the default server port numbers on page 140.
10. Confirm the summary information is correct; then click Finish. The new server appears in the list, but it is neither started nor enabled automatically.
11. Use the CCM (or the CMC) to start and then to enable the new server when you want it to begin responding to BusinessObjects Enterprise requests. For details, see Viewing and changing the status of servers on page 82.
Tip: Auditing in BusinessObjects Enterprise is enabled on a per-server basis. If you add a new server to your BusinessObjects Enterprise installation, you must enable auditing of actions on each new server. If you do not, the actions performed on the new server will not be audited. See Enabling auditing of user and system actions on page 210 for more information.
To add a UNIX server
Use the serverconfig.sh script. For reference, see serverconfig.sh on page 602.
Deleting a server
To delete a Windows server
1. Start the CCM on the BusinessObjects Enterprise machine that you want to delete a server from.
2. Stop the server that you want to delete from the system.
3. With the server selected, click Delete Server on the toolbar.
4. When prompted for confirmation, click Yes.
To delete a UNIX server Use the serverconfig.sh script. For reference, see serverconfig.sh on page 602.
Managing BusinessObjects Enterprise Repository Copying data from one repository database to another
Use the Import Wizard to copy repository data from the source CMS. You can choose to merge the contents of the source repository into the destination repository, or you can update the destination with the contents of the source CMS.
Merging repositories
When you merge the contents of the source repository with the destination repository, you add all repository objects from the source CMS into the destination CMS without overwriting objects in the destination. This is the safest import option. All of the objects in the destination repository are preserved. Also, at a minimum, all repository objects from the source system with a unique title are copied to the destination repository. If an object from the source has the same title as an object in the destination, the object is imported to the destination repository if:
The object is not a Business View.
You have selected Automatically rename top-level folders that match top-level folders on the destination system.
The end result is a destination repository that contains all objects from the source repository that have unique titles, copies of all non-Business View objects from the source repository that have titles that match titles of objects in the destination, and all objects originally in the destination repository. When an object is copied from the source CMS to the destination CMS, the folder or folders that contain the object are also copied, replicating the folder hierarchy of the source system on the destination. However, the names of top-level folders must be unique. Selecting Automatically rename top-level folders that match top-level folders on the destination system allows these folders to be renamed on the destination repository, and the objects in such folders to be copied to these renamed folders. Note: Top-level folders containing Business Views are not renamed, regardless of the options set. Renaming these folders would change the unique identifier associated with the Business View, causing the Business View functionality to fail.
All object titles in a folder must be unique. By default, if copying an object from the source CMS to the destination CMS would result in more than one object in a folder with the same title, the copy fails. If you want these objects to be copied, select the check box Automatically rename objects if an object with that title already exists in the destination folder. Note: System Objects (users, user groups, servers, server groups, events, and calendars), are not renamed when you import them from one CMS to another, regardless of the options set. Changing the names of these objects would cause user management, server management, and event management for these objects to fail. See Importing with the Import Wizard on page 402 for full instructions on using the Import Wizard to copy objects from one BusinessObjects Enterprise XI repository to another.
3. Type the UserID and Password of a user with administrative rights to the repository database.
4. Click Next. The Select Destination Data Source dialog appears.
5. In the CMS field, type the name of the destination data source's Central Management Server. Type the User Name and Password of an Enterprise account that provides you with administrative rights to the CMS; then click Next.
6. From the Source Repository Objects list, select the items that you want to copy to your BusinessObjects Enterprise repository database. Click Next. BusinessObjects Enterprise exports the selected repository objects from your BusinessObjects Enterprise Repository, reporting success or failure for each object.
7. Click Next, and then Finish to complete the transfer and close the Repository Migration Wizard.
Begin by making a backup copy of this default database. Then replace the default repository by importing its contents into the CMS database using the Repository Migration Wizard. When you use the Repository Migration Wizard, neither the source nor the destination database is overwritten. Objects from the source repository will be added to the destination repository database. If the Wizard finds identical objects in the source and destination repositories, the source objects will not be copied. When you copy repository objects into BusinessObjects Enterprise XI, only the most recent version of each object is copied.
Note: Reports configured to use the source repository will now refer to the destination data source.
To copy repository data from Crystal Reports 9
1. From the BusinessObjects Enterprise program group, click Repository Migration Wizard. You must run the wizard on the machine containing your source repository.
2. From the Source list in the Select Source Repository dialog, click the name of the repository that you want to import. If you created security for your repository database, type a User id and Password valid for the repository database.
3. Click Next.
4. Log on to the CMS using a user name with administrative rights to BusinessObjects Enterprise.
5. From the Source Repository Objects list, select the items that you want to copy to your BusinessObjects Enterprise repository database. Click Next.
6. Select the folder in your destination repository where objects from your source directory will be placed.
   To add objects to a new folder, select Insert a new folder, and then type the name of the folder.
   To delete an existing folder from your repository, select it, and then click Delete the item/folder.
7. Click Next. BusinessObjects Enterprise exports the selected repository objects from your Crystal Reports repository, reporting success or failure for each object.
8. Click Next, and then Finish to complete the transfer and close the Repository Migration Wizard.
Note: Although refreshing with the repository is faster, you can also refresh reports by setting options that compare reports to their original source .rpt files. For more information, see Setting report refresh options on page 426.
Tip: If you use Crystal Reports to open reports directly from your BusinessObjects Enterprise folders, you can update repository objects at that time. You can also refresh repository objects when you publish reports. For details, see Publishing Objects to BusinessObjects Enterprise on page 373.
To refresh a published report's repository objects
1. Go to the Objects management area of the CMC.
2. Click the link to the report you want to refresh.
3. On the Properties tab, click the Refresh Options link.
4. Verify that the Use Object Repository when refreshing report check box is selected. Note: If the check box is cleared, select it now and click Update.
5. Click Refresh Report.
Tip: Once you have enabled repository refresh for each report, you can refresh multiple reports simultaneously using the Report Repository Helper. The Report Repository Helper is available from the Administrative Tools area in the BusinessObjects Enterprise Admin Launchpad.
Firewalls overview
BusinessObjects Enterprise works with firewall systems to provide reporting across intranets and the Internet without compromising network security. This chapter provides general information about what a firewall is and types of firewalls:
If you are already familiar with firewalls and the configuration used in your network, proceed directly to Understanding firewall integration on page 186.
What is a firewall?
A firewall is a security system that protects one or more computers from unauthorized network access. A firewall restricts people to entering and leaving your network at a carefully controlled point. It also prevents attackers from getting close to your other defenses. Typically, a firewall protects a company's intranet from being improperly accessed through the Internet. A firewall can enforce a security policy, log Internet activity, and be a focus for security decisions. A firewall can't protect against malicious insiders or connections that don't go through it. A firewall also can't set itself up correctly or protect against completely new threats. To help explain how firewalls work, some basic networking terms are described here:
If you are already familiar with these topics, see Understanding firewall integration on page 186.
Transport layer (TCP or UDP).
Internet layer (IP).
Network Access layer (for example, Ethernet and ATM).
At the application layer, the packet consists simply of the data to be transferred. As the packet moves through the layers, each layer adds a header to the packet, preserving the data from the previous level. These headers are used to determine the packet's destination and to ensure that it arrives intact. When the packet reaches its destination, the process is reversed: the layers are sequentially removed until the transferred data is available to the destination application.
Ports
Ports are logical connection points that a computer uses to send and receive packets. With TCP/IP, ports allow a client program to specify a particular server program on a computer in a network. High-level applications that use TCP/IP have ports with pre-assigned numbers. For instance, when you visit a typical HTTP site over the Web, you communicate with the web server on port 80, which is the pre-assigned port for HTTP communication. Other application processes are given port numbers dynamically for each connection. When a service or daemon initially is started, it binds to its designated port number. When any client program wants to use that server, it must also request to bind to the designated port number. Valid port numbers range from 0 to 65536, but ports 0 to 1024 are reserved for use by certain privileged services.
Firewall types
Firewalls primarily function using at least one of the following methods:
Packet filtering on page 184
Network Address Translation on page 184
SOCKS proxy servers on page 185
BusinessObjects Enterprise works with these firewall types. Note: Business Objects will be moving away from supporting SOCKS proxy servers. As a result SOCKS proxy servers are still supported in BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a future release of BusinessObjects Enterprise. If you are using SOCKS proxy servers now, we recommend you switch to a different firewall method.
Packet filtering
Packet filtering rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services. Packet filtering can reject packets based on the following:
The address the data is coming from.
The address the data is going to.
The session and application ports being used to transfer the data.
The data contained within the packet.
Stateful packet filters remember the state of connections at the network and session layers by recording the established session information that passes through the filter gateway. The filter then uses that information to discriminate valid return packets from invalid connection attempts.
Stateless packet filters do not retain information about connections in use; instead, they make determinations packet-by-packet based only on the information contained within the packet.
Firewalls that employ packet filtering will work with BusinessObjects Enterprise.
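The difference between the two kinds of filter, as an added example that is not part of the original guide: a stateless rule that accepts anything shaped like a reply, next to a stateful filter that accepts only the mirror image of a session it recorded. The addresses, ports and rule set are constructed for illustration, and session teardown is left out.

```python
from collections import namedtuple

# One TCP packet, reduced to the fields a packet filter inspects.
Packet = namedtuple("Packet", "src sport dst dport flags")

INSIDE_PREFIX = "10.0.0."   # constructed internal network
ALLOWED_SERVICES = {80}     # outbound services the policy permits


def is_inside(addr):
    return addr.startswith(INSIDE_PREFIX)


def stateless_filter(pkt):
    """Decide from the contents of this packet alone."""
    if is_inside(pkt.src):
        return pkt.dport in ALLOWED_SERVICES
    # Inbound: with no memory of connections, the best available test is
    # "comes from a permitted service port and carries ACK".
    return pkt.sport in ALLOWED_SERVICES and "ACK" in pkt.flags


class StatefulFilter:
    """Records sessions opened from inside and admits only their replies."""

    def __init__(self):
        self.sessions = set()

    def check(self, pkt):
        if is_inside(pkt.src):
            if pkt.dport not in ALLOWED_SERVICES:
                return False
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: valid only as the mirror image of a recorded session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


# Constructed trace (documentation address ranges).
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, {"SYN"}),         # client opens a session
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, {"SYN", "ACK"}),  # genuine return packet
    Packet("203.0.113.99", 80, "10.0.0.5", 40000, {"ACK"}),         # reply-shaped, no session
    Packet("203.0.113.99", 50000, "10.0.0.5", 23, {"SYN"}),         # inbound connection attempt
]


def compare(trace):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.check(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRACE, compare(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"stateless={sl} stateful={sf}")
```

Only the third packet separates the two filters: it matches the stateless reply rule but corresponds to no recorded session.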
Static translation (port forwarding) grants a specific internal host a fixed translation that never changes. For example, if you run an email server inside a firewall, you can establish a static route through the firewall for that service.
Dynamic translation (automatic, hide mode, or IP masquerade) shares a small group of external IP addresses amongst a large group of internal clients for the purpose of expanding the internal network address space. Because a translation entry does not exist until an internal client establishes a connection out through the firewall, external computers have no way to address an internal host that is protected using a dynamically translated IP address.
Note: Some protocols do not function correctly when the port is changed. These protocols will not work through a dynamically translated connection.
BusinessObjects Enterprise and static translation NAT can be configured so that they work together.
Communication between servers on page 186
Typical firewall scenarios on page 188
For detailed step-by-step instructions on how to configure your system to work in a firewalled environment, see Configuring the system for firewalls on page 190.
Communication between servers and the CMS directory listing service on page 186
Communication between the application tier and CMS on page 187
Some examples also apply to communications between a BusinessObjects Enterprise server and the BusinessObjects Enterprise SDK (or other BusinessObjects Enterprise SDKs, such as the Report Application Server SDK or the Viewer SDK). Where applicable, these examples are indicated in the descriptions.
For example, before running a scheduled report, the Job Server must communicate with the Input File Repository Server (FRS) to obtain the report object. To do so:
1. The Job Server contacts the CMS and requests connection information for the Input FRS.
2. The CMS replies to the Job Server with the IP address and port number of the Input FRS.
3. The Job Server uses this information to connect directly to the Input FRS. All subsequent communications between the two servers continue using the same address and port.
This communication model is also used when a BusinessObjects Enterprise SDK or the WCA communicates directly with a server in the Intelligence tier or the Processing tier. Communications between the CMS and the BusinessObjects Enterprise SDK and WCA follow another model. See Communication between the application tier and CMS on page 187.
Using the -requestport command, you can configure any BusinessObjects Enterprise server to register a fixed port number with the CMS, rather than using one that is dynamically selected.
Note: Before changing the default port numbers, see Changing the default server port numbers on page 140 for additional configuration information.
You may also change the default port that the CMS uses to listen for initial communications from the Configuration tab of the Properties dialog in the Central Configuration Manager.
The process is similar when you configure your BusinessObjects Enterprise system to communicate across SOCKS proxy filters. But BusinessObjects Enterprise provides direct support for SOCKS proxy filters, so you need only configure each component to be aware of the location and type of the proxies that they communicate with. Note: When this section mentions firewalling different BusinessObjects Enterprise components, it assumes that the components reside on separate computers. If the components reside on the same computer, their communication is uninterrupted by firewalls, and no additional configuration is required.
Application tier separated from the CMS by a firewall on page 189
Thick client separated from the CMS by a firewall on page 189
These scenarios are general cases: once you understand the firewalling issues involved, you should be able to support BusinessObjects Enterprise in a wide variety of contexts.
Configuring NAT when application tier is separated from the CMS on page 190
Configuring packet filtering when application tier is separated from CMS on page 196
Configuring for SOCKS servers on page 199
Configuring NAT when thick client is separated from the CMS on page 195
Configuring packet filtering when thick client is separated from the CMS on page 198
Configuring for Network Address Translation on page 190
Configuring for packet filtering on page 195
Configuring for SOCKS servers on page 199
For a conceptual overview of communications between BusinessObjects Enterprise components and of supported firewall configurations, see Understanding firewall integration on page 186. Note: If you have multiple BusinessObjects Enterprise servers of a given type, the overall procedure for configuring your system to work with firewalls will not change. Configure each server as described in the section that describes your firewall environment, and then specify a firewall rule for the server.
Configuring NAT when application tier is separated from the CMS on page 190
Configuring NAT when thick client is separated from the CMS on page 195
Ports
The application server must be able to communicate with every BusinessObjects Enterprise server behind the firewall. Therefore, you must open a port on the firewall for each server. The application server must be a Tomcat or IIS server. Configuring BusinessObjects Enterprise for Network Address Translation when the application tier is separated from the CMS by a firewall includes:
Configuring the CMS on page 191
Configuring the BusinessObjects Enterprise servers on page 192
Configuring the hosts files on page 193
Specifying firewall rules for NAT on page 194
2. Stop the Central Management Server.
3. Edit the ccm.config file to insert the following command line:
   -port FQDN:6400 -requestport portnum
   For the -port command, replace FQDN with the fully qualified domain name of the machine that is running the CMS. This machine must be routable from the application server. For the -requestport command, substitute any valid free port number for portnum.
4.
To configure BusinessObjects Enterprise servers on Windows on page 192
To configure BusinessObjects Enterprise servers on UNIX on page 192

To configure BusinessObjects Enterprise servers on Windows
1. Start the CCM.
2. Stop the server.
3. On the toolbar, click Properties.
4. In the Command box, add the following option:
   -port FQDN -requestport portnum
   For the -port command, replace FQDN with the fully qualified domain name of the machine that is running the server. This machine must be routable from the application server.
   For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number.
5. Click OK to return to the CCM.
6. Start the server.
7. Repeat for each BusinessObjects Enterprise server.

To configure BusinessObjects Enterprise servers on UNIX
1. Run ccm.sh. By default the script and the ccm.config file are installed in the Business Objects install directory, for example /export/home/businessobjects.
2. Stop the server.
3. Edit the ccm.config file to insert the following command line:
   -port FQDN -requestport portnum
   For the -port command, replace FQDN with the fully qualified domain name of the machine that is running the server. This machine must be routable from the application server.
   For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number.
4. Use ccm.sh to start the server.
5. Repeat for each BusinessObjects Enterprise server.
To configure the hosts files on Windows on page 193
To configure the hosts files on UNIX on page 193

To configure the hosts files on Windows
1. Open the hosts file using a text editor like Notepad. The hosts file is located at \WINNT\system32\drivers\etc\hosts.
2. Follow the instructions in the hosts file to add an entry for each machine behind the firewall that is running a BusinessObjects Enterprise server or servers. Use the internally routable IP address of the machine and its externally routable fully qualified domain name.
3. Save the hosts file.

To configure the hosts files on UNIX
Note: Your UNIX operating system must be configured to first consult the hosts file to resolve domain names, before consulting DNS. Consult your UNIX system's documentation for details.
1. Open the hosts file using an editor like vi. The hosts file is located at /etc/hosts.
2. Add an entry for each machine behind the firewall that is running a BusinessObjects Enterprise server. Use the translated IP address of the machine and its fully qualified domain name.
3. Save the hosts file.
4. On the firewall machine, add a route from the translated IP address to the actual internal IP address:
   route add translatedIPaddress actualIPaddress
   Where translatedIPaddress is the actual translated IP address, and actualIPaddress is the actual internal IP address for the server.
The fixed port numbers specified in the chart are the port numbers you specify for servers using -requestport. See Configuring the CMS on page 191, and Configuring the BusinessObjects Enterprise servers on page 192 for details.

Inbound Rules
Source Computer | Port | Destination Computer | Port | Action
Application server | Any | CMS | 6400 | Allow
Application server | Any | CMS | fixed | Allow
Application server | Any | Other BusinessObjects Enterprise server | fixed | Allow
Any | Any | CMS | Any | Reject
Any | Any | Other BusinessObjects Enterprise Server | Any | Reject

Note: There must be one inbound firewall rule for each BusinessObjects Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number.

Outbound Rules
Source Computer | Port | Destination Computer | Port | Action
Machines hosting BusinessObjects Enterprise server | Any | Application server | Any | Allow
This outbound rule is needed because the application server may register listeners on servers behind the firewall. These listeners may initiate communication with the application server.
Configure only the Central Management Server and the Input File Repository Server.
Establish inbound firewall rules for communication between the Crystal Reports or OLAP Intelligence machine and the CMS and Input File Repository Server. You do not need to establish an outbound firewall rule.
Configuring packet filtering when application tier is separated from CMS on page 196
Configuring packet filtering when thick client is separated from the CMS on page 198

Configuring the BusinessObjects Enterprise servers on page 196
Specifying firewall rules for packet filtering on page 197
To configure BusinessObjects Enterprise servers on Windows on page 196
To configure BusinessObjects Enterprise servers on UNIX on page 196

To configure BusinessObjects Enterprise servers on Windows
1. Start the CCM.
2. Stop the first server.
3. On the toolbar, click Properties.
4. In the Command box, add the following option:
   -requestport portnum
   For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number.
   Tip: If you want to customize the CMS so that it listens on a port other than the default, also add -port cmsport to the command line, where cmsport is the new port number for the default value of 6400. For example:
   -port cmsport -requestport portnum
   If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see Changing the default server port numbers on page 140.
5. Click OK to return to the CCM.
6. Start the server.
7. Repeat for each BusinessObjects Enterprise server behind the firewall.

To configure BusinessObjects Enterprise servers on UNIX
1. Run ccm.sh. By default the script and the ccm.config file are installed in the BusinessObjects install directory, for example /export/home/businessobjects.
2. Stop the server.
3. Edit the ccm.config file to insert the following command line:
   -requestport portnum
   For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number.
   Tip: If you want to customize the CMS so that it listens on a port other than the default, also add -port 6400 to the command line, substituting your new port number for the default value of 6400.
   If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see Changing the default server port numbers on page 140.
4. Use ccm.sh to start the server.
5. Repeat for each BusinessObjects Enterprise server.
The fixed port numbers specified in the chart are the port numbers you specify for the CMS and other BusinessObjects Enterprise servers using -requestport.
Inbound Rules
Source Computer | Port | Destination Computer | Port | Action
Application server | Any | CMS | 6400 | Allow
Application server | Any | CMS | fixed | Allow
Application server | Any | Other BusinessObjects Enterprise server | fixed | Allow
Any | Any | CMS | Any | Reject
Any | Any | Other BusinessObjects Enterprise servers | Any | Reject

Note: There must be an inbound firewall rule for each BusinessObjects Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number.

Outbound Rules
Source Computer | Port | Destination Computer | Port | Action
Machines hosting BusinessObjects Enterprise server | Any | Application server | Any | Allow
This outbound rule is needed because the application server may register listeners on servers behind the firewall. These listeners may initiate communication with the application server.
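Both rule charts (NAT and packet filtering) only work if every server behind the firewall has a fixed -requestport that is unique on its machine. The following Python check is an added example, not part of this guide: it reads a constructed inventory (host names, server list and port values are made up), flags servers with no fixed port or a port already claimed on the same machine, and derives the inbound rule rows in the chart's layout.

```python
import re
from collections import defaultdict

CMS_DEFAULT_PORT = 6400  # default CMS port named in the guide

# Constructed inventory: (machine, server, command-line options). All values are made up.
INVENTORY = [
    ("boe1.example.com", "CMS", "-port boe1.example.com:6400 -requestport 6401"),
    ("boe1.example.com", "Input File Repository Server",
     "-port boe1.example.com -requestport 6402"),
    ("boe2.example.com", "Cache Server", "-port boe2.example.com -requestport 6410"),
    ("boe2.example.com", "Page Server", "-port boe2.example.com -requestport 6410"),
    ("boe2.example.com", "Job Server", "-port boe2.example.com"),
]


def parse_options(cmdline):
    """Return (-port value or None, -requestport number or None)."""
    port = re.search(r"(?<!\S)-port\s+(\S+)", cmdline)
    req = re.search(r"(?<!\S)-requestport\s+(\d+)", cmdline)
    return (port.group(1) if port else None, int(req.group(1)) if req else None)


def cms_listen_port(port_value):
    """Port from '-port FQDN:6400' or '-port 6400'; the default otherwise."""
    if port_value is None:
        return CMS_DEFAULT_PORT
    tail = port_value.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else CMS_DEFAULT_PORT


def check_inventory(inventory):
    """List (machine, server, problem) for settings the firewall rules cannot cover."""
    findings = []
    used = defaultdict(dict)  # machine -> {port: server that claimed it first}
    for machine, server, cmdline in inventory:
        port_value, requestport = parse_options(cmdline)
        claimed = [cms_listen_port(port_value)] if server == "CMS" else []
        if requestport is None:
            findings.append((machine, server, "no -requestport, so no fixed port for a rule"))
        elif not 1 <= requestport <= 65535:
            findings.append((machine, server, f"port {requestport} is not a valid port"))
        else:
            claimed.append(requestport)
        for port in claimed:
            if port in used[machine]:
                findings.append(
                    (machine, server, f"port {port} already used by {used[machine][port]}"))
            else:
                used[machine][port] = server
    return findings


def inbound_rules(inventory, source="Application server"):
    """Rows (source, port, destination, port, action) in the chart's column order."""
    if check_inventory(inventory):
        raise ValueError("fix the inventory findings before writing firewall rules")
    rules = []
    for machine, server, cmdline in inventory:
        port_value, requestport = parse_options(cmdline)
        if server == "CMS":
            rules.append((source, "Any", f"{machine} (CMS)",
                          cms_listen_port(port_value), "Allow"))
        rules.append((source, "Any", f"{machine} ({server})", requestport, "Allow"))
    # Everything not explicitly allowed is rejected, as in the chart.
    rules.append(("Any", "Any", "CMS", "Any", "Reject"))
    rules.append(("Any", "Any", "Other BusinessObjects Enterprise server", "Any", "Reject"))
    return rules


if __name__ == "__main__":
    for finding in check_inventory(INVENTORY):
        print("FINDING:", *finding)
    for rule in inbound_rules(INVENTORY[:3]):  # the three entries with no findings
        print(" | ".join(str(field) for field in rule))
```

Running it against the full constructed inventory reports the duplicate port on boe2 and the Job Server with no fixed port; rules are only produced once the inventory is clean.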
Configuring packet filtering when thick client is separated from the CMS
You can publish reports or analytic objects to BusinessObjects Enterprise by saving these objects to BusinessObjects Enterprise from within Crystal Reports or OLAP Intelligence, or by using the Import or Publishing Wizards. However, if there is a firewall between the computer running one of these thick clients and the CMS, this operation fails. Configuring your BusinessObjects Enterprise system to support this configuration when the firewall uses packet filtering is very similar to configuring your system to support a packet filtering firewall between the application tier and the Central Management Server (CMS). For full instructions, follow the detailed steps in Configuring packet filtering when application tier is separated from CMS on page 196 but:
Configure only the Central Management Server and the Input File Repository Server to use fixed port numbers for communication.
Establish inbound firewall rules for communication between the Crystal Reports or OLAP Intelligence machine and the CMS and Input File Repository Server. You do not need to establish an outbound firewall rule.
Configuring the CMS for SOCKS Servers
Complete these steps if one or more SOCKS servers separate the WCA from the CMS.
Configuring the WCA for SOCKS servers
When configuring your WCA for SOCKS, complete these steps regardless of the location of your SOCKS server(s).
BusinessObjects Enterprise requires that the CMS and the remaining server components are not separated from one another by firewalls. The remaining server components automatically obtain their SOCKS configuration from the CMS, as required, so you don't need to configure them separately.
The outermost SOCKS server is the one closest to the web server. The innermost SOCKS server is the last SOCKS server that the WCA communicates with before the CMS. The procedure for configuring the WCA is different for Windows and Unix. See:
To configure the WCA on UNIX on page 201
To configure the WCA on Windows on page 201

To configure the WCA on UNIX
1. Run the sockssetup.sh script to configure the BusinessObjects Enterprise servers and WCA to work with the SOCKS servers. For details, see sockssetup.sh on page 603.

To configure the WCA on Windows
1. Add the SOCKS information to the WCA. Edit the web.xml deployment descriptor file associated with the webcompadapter.war to insert a SOCKS URI (universal resource identifier). This URI tells your WCA how to contact the CMS through your SOCKS server(s). See Configuring the Web Component Adapter on page 89 for details on editing web.xml.
2. Edit the file C:\Inetpub\wwwroot\Web.config.
   a. Go to the line: <add key=connection.socksUri value-*/>
   b. Add the following SOCKS server information:
      *Socks://Version;User:Password@SOCKSserver:Port/CMSmachine:Port
   c. Save the file.
3. a. Start the CCM.
   b. Stop the CMS.
   c. Double-click the CMS. The Properties dialog box appears.
   d. Click the Configuration tab.
   e. Enter the SOCKS information.
   f. Start the server again.
   g. Repeat step 3 for all the BusinessObjects Enterprise servers.
Chapter 10 Managing Auditing
Auditing overview
Auditing allows you to monitor and record key facts about your BusinessObjects Enterprise system. Having information about who is using your system and which objects they are accessing allows you to answer system-level questions like "which groups within the company use our BusinessObjects Enterprise system the most?" or "how many concurrent user licenses are we using at any given time?" Auditing also allows you to better administer individual user accounts and reports by giving you more insight into what actions users are taking and which reports they are accessing. This information lets you be more proactive in managing the operation and deployment of your BusinessObjects Enterprise system, while helping you better evaluate the value that BusinessObjects Enterprise provides to your organization.
Note:
- You must configure the auditing database on the CMS before you can begin to audit. See Configuring the auditing database on page 209.
- The CMS acts as both an auditor and as an auditee when you configure it to audit an action that the CMS itself controls.
- In a CMS cluster, the cluster will nominate one CMS to act as system auditor. If the machine that is running this CMS fails, another CMS from the cluster will take over and begin acting as auditor.
User Actions

Folders (BusinessObjects Enterprise Server: CMS)
- A folder is created.
- A folder is deleted.
- A folder is modified. (The name, location, or description of a folder is modified.)

Crystal reports
Cache Server:
- A report has been viewed successfully.
- A report could not be viewed.
RAS:
- A report is opened successfully using:
  - the Advanced DHTML viewer.
  - a custom application that uses RAS SDK.
- A report fails to be created.
- A report is saved successfully (using a custom application based on the RAS SDK).
- A report fails to save using a custom application based on the RAS API.

Web Intelligence documents (BusinessObjects Enterprise Server: Web Intelligence Report Server)
- Get list of universes. A user has begun creating a new Web Intelligence document, which triggers a request to the server for the list of available universes.
- Save document to repository. A user has saved a Web Intelligence document within BusinessObjects Enterprise.
- Read Document. User opens an existing Web Intelligence document.
- Selection of universe. A user has selected a universe as they create a new Web Intelligence document, or as they edit an existing Web Intelligence document.
- Refresh document. User manually refreshes a Web Intelligence document, or the user opens a Web Intelligence document that is set to refresh on open.
- Edit document. User enters Edit document mode for an existing Web Intelligence document.
- Apply format. User applies a formatting change to an existing Web Intelligence document in a query panel.
- Get page. Server renders the pages of a Web Intelligence document in response to a user request to display all or part of a document.
- Generate SQL. Server generates an SQL query in response to a user action that requires data to be retrieved from a database.
- Drill out of scope. User drills past the scope of the data currently in memory, and triggers a call to the database for more data.
- List of values. A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document.

Users (BusinessObjects Enterprise Server: CMS)
- A concurrent user logon succeeds.
- A named user logon succeeds.
- A user logon fails.
- A user's password is changed.
- User logs off.

- A job has been run successfully. (A user has successfully sent an object to a destination.)
- A job has failed to run. (An object has failed to be sent to a destination.)
- A job failed but will try to run again.

Event Server:
- An event is registered. (Event is created, and registered with system)
- An event is updated. (The name, description, or filename of an event is modified.)
- An event is unregistered. (Event is removed from system.)
System Actions

Scheduled objects
Job Servers:
- A job has been run successfully. For example, a scheduled Crystal report has run successfully.
- A job has failed to run. For example, a scheduled Crystal report has failed to run.
  Tip: To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of "A job has failed to run" on the Job Server, and "Communication with a running instance is lost." on the Central Management Server.
- A job failed but will try to run again.
CMS:
- Communication with a running instance is lost. For example, a scheduled Crystal report has failed to run because communication with the instance was lost, and the scheduled time for running the report expired.
  Note: You do not need to enable this option to audit every failure of a scheduled Web Intelligence document.

File-based events
Event Server:
- An event is triggered.
The CMS system database and the auditing database are independent. If you choose, you can use different database software for the CMS system database and the auditing database, or you can install these databases on separate servers. If you have a CMS cluster, every CMS in the cluster must be connected to the same auditing database, using the same connection method and the same connection name. Note that connection names are case sensitive. (See Installing a new CMS and adding it to a cluster on page 94 for more information on CMS clusters.)

To configure the auditing database on Windows
1. Start the Central Configuration Manager (CCM).
2. Stop the CMS.
3. Click Specify Auditing Data Source.
4. In the Select Database Driver dialog box, specify whether you want to connect to the new database through SQL Server (ODBC), or through one of the native drivers.
5. Click OK.
6. The remaining steps depend upon the connection type you selected:
   - If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that you want to use as the auditing database; then click OK. (Click New to configure a new DSN.) Use a System DSN, and not a User DSN or File DSN. By default, server services are configured to run under the System account, which only recognizes System DSNs. When prompted, provide your database credentials and click OK.
   - If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK.
   The SvcMgr dialog box notifies you when the auditing database setup is complete.
7. Click OK.
8. Start the CMS. When the CMS starts, it will create the auditing database.

Note: You can also configure the auditing database using the Properties option for the CMS. Stop the CMS, select Properties, and then go to the Configuration tab. Select Write server audit information to specified data source, and then click Specify.

To configure the auditing database on UNIX
For more information on UNIX scripts, see UNIX Tools on page 597.
1. Use ccm.sh to stop the CMS.
2. Run cmsdbsetup.sh.
3. Choose the selectaudit option, and then supply the requested information about your database server.
4. Run serverconfig.sh.
5. Choose the Modify a server option.
6. Select the CMS, and enable auditing. Enter the port number of the CMS when prompted (the default value is 6400).
7. Use ccm.sh to start the CMS. When the CMS starts, it will create the auditing database.
In some special cases you may wish to enable auditing on only one server of a given type. For example, if you are interested in the success or failure of only one kind of scheduled report and you have configured your system so that these reports are processed on one particular Job Server, it is not necessary to enable auditing on every Job Server in your system. You only need to enable auditing on the Job Server where the reports are processed.

Note: You must configure the auditing database before you can collect data on audit actions. See Configuring the auditing database on page 209 for instructions.

To enable audit actions
1. Go to the organize Servers area of the CMC.
2. Click the server that controls the action that you wish to audit. (See the Reference list of auditable actions on page 205 to find the correct server.)
3. Click the Auditing tab.
4. Select the Auditing is enabled check box.
5. Select the audit actions that you wish to record.
6. Ensure that your audit log file is located on a hard drive that has sufficient space to store the log files. (See Optimizing system performance while auditing on page 213 for information on adjusting the size of log files.)
7. Click Update.

Tip:
- To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of "A job has failed to run" on the Job Server, and "Communication with a running instance is lost." on the Central Management Server.
- Auditing is enabled independently on each server. If you want to audit all actions of a given type, enable identical audit actions on every server that supports those actions. Otherwise your audit record will be incomplete. For example, if you want to track the total number of concurrent logons to your BusinessObjects Enterprise system, you must enable logging of concurrent logons on every Central Management Server in your system.
You can turn off this option by setting minutes to zero. For more information, see Central Management Server on page 586 in Server Command Lines on page 583. This built-in method of time synchronization will be accurate enough for most applications. For more accurate and robust time synchronization, configure the auditee and auditor machines to use an NTP (Network Time Protocol) client, and then turn off internal synchronization by setting
-AuditeeTimeSyncInterval 0
Tip: If you have a CMS cluster, apply the same command-line options to each server. Only one CMS in the cluster acts as the auditor. However, if this CMS fails, another CMS takes over auditing. This CMS will apply its own command-line options. If these options are different than those of the original auditor, audit behavior may not be what you expect.
-AuditInterval minutes, where minutes is between 1 and 15. (The default value is 5.) The CMS requests audit records from each audited server every audit interval.

-AuditBatchSize number, where number is between 50 and 500. (The default value is 200.) The CMS requests this fixed number of records from each audited server, every time interval.

-auditMaxEventsPerFile number (number has a default value of 500 and must be greater than 0). The maximum number of records that an audited server will store in a single audit log file. When this maximum value is exceeded, the server opens a new log file.
Note: Log files remain on the audited server until all records have been requested by the CMS.

Changing each of these options has a different impact on system performance. For example, increasing the audit interval reduces the frequency with which the CMS writes events to the auditing database. Decreasing the audit batch size decreases the rate at which records are moved from the audit log files on the audited servers to the auditing database, thereby increasing the length of time that it takes these records to get transferred to the central auditing database. Increasing the maximum number of audit events stored in each audit log file reduces the number of file open and close operations performed by audited servers.

You can use these options to optimize audit performance to meet your needs. For example, if you frequently need up-to-date information about audited actions, you can choose a short audit interval and a large audit batch size. In this case, all audit records are quickly transferred to the auditing database, and you can always report accurately on the latest audit actions. However, choosing these options may have an impact on the performance of BusinessObjects Enterprise.

Alternatively, you may only need to review audit results periodically (weekly, for example). In this case you can choose to increase the audit interval, and to decrease the number of audit records in each batch. Choosing these options minimizes the impact that auditing has on the performance of BusinessObjects Enterprise. However, depending upon activity levels in your system, these options can create a backlog of records stored in audit log files.
This backlog is cleared at times of low system activity (such as overnight, or over a weekend), but means that at times your audit reports may not contain records of the most recent audit actions. For more information on changing command-line options, see Server Command Lines on page 583.
4. Go to the Servers management area of the CMC. Enable auditing of the actions that are included in the sample audit report. See Enabling auditing of user and system actions on page 210 for instructions.
   Note: The description of the sample reports indicates which audit actions to enable for each report.
   BusinessObjects Enterprise will now begin to collect data on audit actions.
5. From the Crystal Enterprise Admin Launchpad, select the Central Management Console (CMC).
6. Go to the Folders management area of the CMC.
7. Click Report Samples, then admin reports to display the list of sample audit reports.
8. Configure the report to use your auditing database. Click the name of a report that you want to use; then, from the Process tab, click the Database link.
9. If the server name, database name, or database logon information for your auditing database are different than the values originally specified for the sample report, click Use custom database logon information specified here.
10. Type the Server name (DSN) and Database name that you specified for your auditing database. Make sure you select the same database driver that you used when configuring the auditing database.
11. Type a User name and Password for a user with administrative rights to the auditing database.
12. Click Specify a custom table prefix, and then type DatabaseName.dbo. in the box, where DatabaseName is the name of the database that you specified above.
13. Click Update. The sample audit report is now configured to use your auditing database as its data source.
14. From the Process tab, click the Parameters link.
15. Click the value of any parameter to specify a default value for that parameter, or to indicate that the user should be prompted for a parameter value when the report is run. Click Update.
16. You may now view the report in BusinessObjects Enterprise.
Audit_Event table
This table stores one record per action that is audited.

Field | Description
Server_CUID | Server process ID. Combined with the Event_ID to form the primary key for the Audit_Event table.
Event_ID | A unique ID generated by the server to identify the audit event. Combined with Server_CUID to form the primary key for the Audit_Event table.
User_Name | Name of user who performed the action.
Start_Timestamp | Time for start of action in UTC (Coordinated Universal Time) to the nearest millisecond. The time stamp is created by the server recording the action in its log file, and includes any correction necessary to synchronize with CMS time. You may want to correct this time to your local time zone when creating audit reports.
Duration | Duration, in seconds, of the action that is audited.
Event_Type_ID | Number that uniquely identifies the type of action the entry represents. Foreign key for the Event_Type table.
Object_CUID | Info Object ID of object associated with the action. This number uniquely identifies an object.
Error_Code | Field reserved for error codes generated by the Web Intelligence Report Server.
Audit_Detail table
The Audit_Detail table records more information about each audit action recorded in the Audit_Event table. For example, when a user logon fails, the reasons for that failure are recorded as audit details. There may be more than one record in this table for each audit action recorded in the Audit_Event table.

Field | Description
Server_CUID | Server process ID. Combined with the Event_ID and the Detail_ID to form the primary key for the Audit_Detail table.
Event_ID | A unique ID generated by the server to identify the audit event. Combined with Server_CUID and the Detail_ID to form the primary key for the Audit_Detail table.
Detail_ID | The Detail_ID field is used to number the individual details associated with each audit action. That is, if there are two details associated with a particular audit action, the first will have a Detail_ID of 1, and the second will have a Detail_ID of 2.
Detail_Type_ID | Number that uniquely identifies the type of detail about the audit action that the entry represents. Foreign key for the Detail_Type table.
Detail_Text | Information about the audit detail being recorded. For example, if the Detail_Type_Description were "universe name", the detail text would contain the name of that universe.
Server_Process table
The Server_Process table contains information about the servers running within your BusinessObjects Enterprise system which can generate audit events.

Field | Description
Server_CUID | Server process ID. Primary key for the Server_Process table.
Server_Name | Machine name of the server that produced the action. That is, the host name.
that generated the audit action. Foreign key to the Application_Type table.
Server_FullName | Friendly name of the server that produced the action. The server's friendly name is the name displayed in the CMC. The default friendly name is hostname.servertype.
Server_Version
Event_Type table
The Event_Type table contains a static list of the kinds of events that can be audited in your BusinessObjects Enterprise system. This table provides information roughly equivalent to that provided by AuditIDs and AuditStrings in Crystal Enterprise 10.

Field | Description
Event_Type_ID | Number that uniquely identifies the type of audit event that the entry represents.
CMS audit events
Event_Type_ID | Event_Type_Description | Description
65537 | Concurrent user logon succeeded. | The user logged on successfully, using a concurrent user license.
65538 | Named user logon succeeded. | The user logged on successfully, using a named user license.
65540 | User logged off. |
65541 | User password has been changed. |
65539 | User logon failed. | Logon failed because there was no valid license key available.
65542 | New folder created. | A new folder is created, or an existing folder is copied. Note that this audit string will not be recorded when a new user account is created, even though creating a user creates a user folder.
65543 | Folder deleted. | A folder is deleted. Note that this audit string will be recorded when a user account (and therefore the user's folder) is deleted.
65544 | Folder modified. | The name, location, or description of the folder was changed.
65545 | Job failed. Reason: Unresponsive Job Server Child process. | A scheduled report or scheduled program failed to run because communication with the running instance was lost, and the scheduled time for running the job expired. Note: This action must be audited by the CMS as Job Servers are not aware of losing communications with a job.

Cache Server audit events
Event_Type_ID | Event_Type_Description | Description
196609 | Crystal report viewed successfully. | User successfully viewed a Crystal report that has saved or live data.
196610 | A report could not be viewed. | User attempted to view a Crystal report, but was not successful.
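The Audit_Event and Audit_Detail tables and the CMS event type 65539 ("User logon failed.") are enough to look for bursts of failed logons. The following Python and SQLite sketch is an added example, not part of this guide: the column types, the ISO text format of Start_Timestamp, the threshold and window, and every sample row (server IDs, user names, detail text) are assumptions constructed for illustration. It joins on the full composite key and counts across all CMS processes, which is why auditing must be enabled on every CMS.

```python
import sqlite3
from datetime import datetime, timedelta

LOGON_FAILED = 65539  # "User logon failed." in the CMS audit events list

# Only columns documented in this guide; the column types are assumptions.
SCHEMA = """
CREATE TABLE Audit_Event (
    Server_CUID TEXT, Event_ID INTEGER, User_Name TEXT, Start_Timestamp TEXT,
    Duration INTEGER, Event_Type_ID INTEGER, Object_CUID TEXT, Error_Code INTEGER,
    PRIMARY KEY (Server_CUID, Event_ID));
CREATE TABLE Audit_Detail (
    Server_CUID TEXT, Event_ID INTEGER, Detail_ID INTEGER,
    Detail_Type_ID INTEGER, Detail_Text TEXT,
    PRIMARY KEY (Server_CUID, Event_ID, Detail_ID));
"""

# Constructed sample rows. Event_ID is unique only per server, so both CMS
# processes legitimately have an event number 1.
EVENTS = [
    ("cms-A", 1, "jsmith", "2004-11-02 09:00:05.120", 0, 65539, None, None),
    ("cms-A", 2, "jsmith", "2004-11-02 09:01:10.000", 0, 65539, None, None),
    ("cms-B", 1, "jsmith", "2004-11-02 09:02:30.500", 0, 65539, None, None),
    ("cms-B", 2, "jsmith", "2004-11-02 09:03:00.000", 0, 65539, None, None),
    ("cms-A", 3, "jsmith", "2004-11-02 09:03:40.000", 0, 65537, None, None),
    ("cms-A", 4, "mlee", "2004-11-02 09:00:00.000", 0, 65539, None, None),
    ("cms-B", 3, "mlee", "2004-11-02 11:30:00.000", 0, 65539, None, None),
]
DETAILS = [  # Detail_Type_ID 1 and the texts are placeholders
    ("cms-A", 1, 1, 1, "constructed detail text"),
    ("cms-B", 1, 1, 1, "constructed detail text"),
    ("cms-B", 1, 2, 1, "constructed second detail"),
]

# Join on Server_CUID AND Event_ID: Event_ID alone would mix up the two servers.
QUERY = """
SELECT e.User_Name, e.Start_Timestamp, e.Server_CUID, COUNT(d.Detail_ID)
FROM Audit_Event e
LEFT JOIN Audit_Detail d
       ON d.Server_CUID = e.Server_CUID AND d.Event_ID = e.Event_ID
WHERE e.Event_Type_ID = ? AND (? IS NULL OR e.Server_CUID = ?)
GROUP BY e.Server_CUID, e.Event_ID
ORDER BY e.User_Name, e.Start_Timestamp
"""


def build_sample_db():
    """In-memory auditing database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Audit_Event VALUES (?,?,?,?,?,?,?,?)", EVENTS)
    conn.executemany("INSERT INTO Audit_Detail VALUES (?,?,?,?,?)", DETAILS)
    return conn


def failed_logon_bursts(conn, threshold=3, window_minutes=5, only_server=None):
    """Per user, the largest run of failed logons inside one time window."""
    by_user = {}
    for user, ts, server, n_details in conn.execute(
            QUERY, (LOGON_FAILED, only_server, only_server)):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")  # UTC per the guide
        by_user.setdefault(user, []).append((when, server, n_details))
    window = timedelta(minutes=window_minutes)
    bursts = []
    for user, events in by_user.items():
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failures"]):
                span = events[start:end + 1]
                best = {"user": user, "first": span[0][0], "last": span[-1][0],
                        "failures": count,
                        "servers": sorted({server for _, server, _ in span}),
                        "details": sum(n for _, _, n in span)}
        if best:
            bursts.append(best)
    return bursts


if __name__ == "__main__":
    for burst in failed_logon_bursts(build_sample_db()):
        print(burst)
```

With the constructed rows, restricting the query to one CMS (only_server="cms-A") finds nothing, while the cluster-wide view shows four failures for the same user in under three minutes.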
Job Server audit events
For scheduled objects, the audit messages give you information about the status of scheduled actions. For example, the audit messages can tell you if a scheduled report ran successfully. For the Destination Job Server, the audit messages give you information on whether an object was sent to a destination, as requested by a user.

Event_Type_ID | Event_Type_Description | Description
327681 | Job successful. | The object ran as scheduled (or requested) and the job completed successfully.
327682 | | The scheduled job did not complete successfully.
327683 | | The scheduled job did not complete successfully. The job will be retried by the CMS at a later time.

For more information on scheduling jobs, see Scheduling objects on page 466.
Event Server audit events
Event_Type_ID | Event_Type_Description | Description
262145 | Event registered | User creates a file-based event that can be used to schedule objects.
262146 | | User deletes a file-based event.
262147 | | Event object was modified by a user, or by the system. Events are updated when a user modifies the name or description of the file-based event.
262148 | Event triggered | File-based event was initiated.
Report Application Server audit events
The Report Application Server (RAS) is used to view reports opened with the Advanced DHTML viewer, and to create reports using custom applications developed with the RAS SDK.

Event_Type_ID | Event_Type_Description | Description

458753 | Report was opened for viewing and/or modification
User opened a report for viewing or modification.
Note: In a few cases, this Event_Type_ID may be generated when the report opens but cannot be viewed. This may occur when:
- There are problems with the database setup for the report. For example, you may see this message when the database driver for the report is not present on the client machine.
- A processing extension associated with the report aborts viewing, or fails.
- The report used Business Views and the user did not have permissions to refresh the underlying data connections.
- The machine running the RAS ran out of space in its temporary directory.

458754 | Report was saved to the CMS.
An existing report was saved.
Note: This Event_Type_ID is generated when a custom application created using the RAS SDK saves a report (using the Save method). Consult your RAS SDK documentation for details.

458755
A new report was created and saved.
Note: This Event_Type_ID is generated when a custom application created using the RAS SDK saves a new report (using the Save As method). Consult your RAS SDK documentation for details.
458756
223
10
Description An existing report could not be saved by RAS. Note: This Event_Type_ID is generated when a custom application created using the RAS SDK cannot save a new report (using the Save As method). Consult your RAS SDK documentation for details.
458758
Web Intelligence Report Server audit events
Event_Type_ID | Event_Type_Description | Description
6 | Get list of universes | User accesses a list of universes as part of a document creation workflow.
9 | Save document to repository | User saves a Web Intelligence document to BusinessObjects Enterprise.
11 | Read document | User opens an existing Web Intelligence document.
13 | Selection of universe | User selects a universe as part of a document creation workflow. This event occurs when a user opens the query panel.
19 | Document refresh | User manually refreshes a Web Intelligence document, or user opens a Web Intelligence document that has the refresh on open document property assigned.
21 | List of values | A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document.
22 | | User has moved into Edit document mode.
28 | | User applies a formatting change to a document, in a query panel.
40 | | User action results in a request to server to generate the necessary data and layout to display all or part of a Web Intelligence document.
41 | Generate SQL | Appears when a user refreshes a document.
42 | Drill out of scope | User drills past the scope of the data currently in memory, and triggers a call to the database for more data.
Application_Type table
The Application_Type table contains a static list of the applications that can produce audit events. In BusinessObjects Enterprise XI, the applications that can be audited are servers.
Field Name | Description
Application_Type_ID | A unique ID that identifies the type of application that generated the audit action.
Application_Type_Description | The description of the application generating the audit event.
Detail_Type table
The Detail_Type table contains a static list of the standard details that can be recorded about audited events. For example, a user logon can fail for a number of different reasons. These reasons are listed as entries in the Detail_Type table. The information in the Detail_Type table is equivalent to the information that was recorded in variable AuditStrings in Crystal Enterprise 10.
Field | Description
Detail_Type_ID | Number that uniquely identifies the type of audit detail that the entry represents.
Detail_Type_Description | The description of the type of audit detail generated by the audit event.
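The CMS logon events listed in the audit tables above can drive a simple detection pass for password guessing. The following is an added example, not code from the product or this guide: it flags a burst of Event_Type_ID 65539 (user logon failed) for one account and records whether a 65537 or 65538 logon success followed. The comma-separated row layout, the user names and the thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event_Type_ID values from the CMS audit events table on this page.
LOGON_SUCCEEDED = {65537, 65538}  # concurrent / named user logon succeeded
LOGON_FAILED = 65539              # user logon failed

# Constructed sample export: "timestamp,user,Event_Type_ID" per line.
# This layout is an assumption for the example, not the audit database schema.
SAMPLE_ROWS = """\
2004-11-03 09:00:00,mlee,65539
2004-11-03 09:01:00,mlee,65539
2004-11-03 09:02:00,mlee,65537
2004-11-03 10:00:00,jsmith,65539
2004-11-03 10:00:02,jsmith,65539
2004-11-03 10:00:04,jsmith,65539
2004-11-03 10:00:06,jsmith,65539
2004-11-03 10:00:08,jsmith,65539
2004-11-03 10:00:10,jsmith,65539
2004-11-03 10:00:12,jsmith,65538
2004-11-03 10:30:00,svc_report,65539
2004-11-03 10:30:02,svc_report,65539
2004-11-03 10:30:04,svc_report,65539
2004-11-03 10:30:06,svc_report,65539
2004-11-03 10:30:08,svc_report,65539
"""


def parse_rows(text):
    """Turn the constructed export into (timestamp, user, event_id) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, event_id = line.split(",")
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), user, int(event_id)))
    return events


def find_failed_logon_bursts(events, threshold=5,
                             window=timedelta(minutes=5),
                             follow=timedelta(minutes=10)):
    """Report accounts with `threshold` or more failed logons inside `window`.

    Each alert also records a logon success seen within `follow` of the last
    failure, which is the case that most needs a follow-up with the user.
    """
    recent = defaultdict(deque)  # user -> failure times inside the sliding window
    open_alert = {}              # user -> alert that is still collecting failures
    alerts = []
    for ts, user, event_id in sorted(events):
        if event_id == LOGON_FAILED:
            failures = recent[user]
            failures.append(ts)
            while ts - failures[0] > window:
                failures.popleft()
            alert = open_alert.get(user)
            if alert and ts - alert["last_failure"] <= window:
                alert["failures"] += 1          # same burst keeps growing
                alert["last_failure"] = ts
            elif len(failures) >= threshold:
                alert = {"user": user, "first_failure": failures[0],
                         "last_failure": ts, "failures": len(failures),
                         "success_after": None}
                open_alert[user] = alert
                alerts.append(alert)
        elif event_id in LOGON_SUCCEEDED:
            alert = open_alert.pop(user, None)
            if alert and ts - alert["last_failure"] <= follow:
                alert["success_after"] = ts
            recent[user].clear()                # a success ends the current run
    return alerts


if __name__ == "__main__":
    for alert in find_failed_logon_bursts(parse_rows(SAMPLE_ROWS)):
        print(alert)
```

Two failures followed by a success (mlee) stay below the threshold, while the jsmith burst is reported together with the success that followed it.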
Chapter 11
Security overview
The BusinessObjects Enterprise architecture addresses the many security concerns that affect today's businesses and organizations. The current release supports features such as distributed security, single sign-on, resource access security, granular object rights, and third-party Windows NT, LDAP, and Windows AD authentication in order to protect against unauthorized access. To allow for further customization of security, BusinessObjects Enterprise supports dynamically loaded processing extensions. And, for monitoring and auditing purposes, BusinessObjects Enterprise allows you to log various web statistics, thus enabling you to detect potential security concerns.
Because BusinessObjects Enterprise provides the framework for an increasing number of components from the Enterprise family of Business Objects products, this chapter details the security features and related functionality to show how the framework itself enforces and maintains security. As such, this chapter does not provide explicit procedural details; instead, it focuses on conceptual information and provides links to key procedures.
Related topics:
For key procedures that show how to modify the default accounts, passwords, and other security settings, see Making initial security settings on page 43.
For procedures that show how to set up authentication, users, and groups, see Managing User Accounts and Groups on page 249.
For procedures that show how to set object rights for your BusinessObjects Enterprise content, see Controlling User Access on page 315.
Because BusinessObjects Enterprise is fully customizable, the authentication and authorization processes may vary from system to system. This section uses InfoView as a model and describes its default behavior. If you are developing your own BusinessObjects Enterprise end-user or administrative applications using the BusinessObjects Enterprise Software Development Kit (SDK), you can customize the system's behavior to meet your needs. For complete details, see the developer documentation available on your product CD.
For procedures that show how to set up the different authentication types, see Available authentication types on page 252.
Primary authentication
Primary authentication occurs when a user first attempts to access the system. The user provides a user name and password and specifies an authentication type. The authentication type may be Enterprise, Windows NT, LDAP, or Windows AD authentication, depending upon which type(s) you have enabled and set up in the Authorization management area of the Central Management Console (CMC).
The user's web browser sends the information by HTTP to your web server, which routes the information to the Web Component Adapter (WCA). The WCA passes the user's information to logon.aspx and runs the script. Internally, this script communicates with the SDK and, ultimately, the appropriate security plug-in to authenticate the user against the user database.
For instance, if the user specifies Enterprise Authentication, the SDK ensures that the BusinessObjects Enterprise security plug-in performs the authentication. The Central Management Server (CMS) uses the BusinessObjects Enterprise security plug-in to verify the user name and password against the system database. Alternatively, if the user specifies Windows NT, LDAP, or Windows AD Authentication, the SDK uses the corresponding security plug-in to authenticate the user.
If the security plug-in reports a successful match of credentials (including a match to an appropriate group membership for Windows NT, Windows AD, or LDAP authentication), the CMS grants the user an active identity on the system and the system performs several actions:
The CMS stores the user's information in memory in a CMS session variable. While active, this session consumes one user license on the system.
The CMS generates and encodes a logon token and sends it to the WCA.
The WCA stores the user's information in memory in a WCA session variable. While active, this session stores information that allows BusinessObjects Enterprise to respond to the user's requests.
Note: If you are familiar with the SDK, you should note that the WCA here instantiates the InfoStore object and stores it in the WCA session variable. The session variable does not contain the user's password.
The WCA sends the logon token to the user's web browser, and the web browser caches the token in a cookie. Until the logon token expires, its encoded information serves as the user's valid ticket for the system.
Each of these steps contributes to the distributed security of BusinessObjects Enterprise, because each step consists of storing information that is used for secondary identification and authorization purposes. This is the model used in InfoView. However, if you are developing your own client application and you prefer not to store session state on the WCA, you can design your application such that it avoids using WCA session variables.
Note:
The third-party Windows NT, LDAP, and Windows AD security plug-ins work only once you have mapped groups from the external user database to BusinessObjects Enterprise. For details, see Available authentication types on page 252.
In a single sign-on situation, BusinessObjects Enterprise retrieves users' credentials and group information directly from the Windows NT or Windows AD system. Hence, users are not prompted for their credentials.
If there is a valid logon token, the WCA proceeds to its next task.
If there is no valid logon token, the primary authentication process is repeated.
For more information about logon tokens, see Logon tokens on page 243.
2. Second, the WCA checks internally for an active WCA session that matches the user's logon token:
If the corresponding WCA session variable remains in memory, the WCA proceeds to its next task.
If the WCA session variable has timed out, the user is logged back on with the logon token. The SDK authenticates the user against the appropriate user database, and the CMS and the WCA recreate the required session variables. In this case, BusinessObjects Enterprise does not have to prompt the user for credentials, because the encoded logon token contains the required information.
3. Third, the WCA ensures that the appropriate server component actually processes the user's request:
If the WCA can process the request itself, it queries the CMS database for the rights associated with the object that the user requested. For instance, if the user requests a list of reports in a specific folder, the WCA queries the CMS database for a list of the reports that the user is authorized to see. The WCA then dynamically lists the reports in an HTML page, and sends the page to the user's browser.
If a different server component must process the request, the WCA sends the request and the user's logon token to the appropriate server component. That server component then queries the CMS database for the rights associated with the object that the user requested. For instance, if the user attempts to refresh a report's data, the WCA passes the request along to the Page Server. The Page Server passes the logon token to the CMS to ensure that the user is authorized to refresh the report.
For details about how the CMS calculates a user's effective rights to an object, see Calculating a user's effective rights on page 328.
This secondary authentication and authorization process begins similarly to initial identification; here, however, the authentication algorithm followed by the WCA maintains system security in the fewest number of steps, thereby providing the most efficient response to the user's initial request.
Note: If the user does not have the right to perform the requested action, the WCA displays an appropriate message. For details about setting object rights, see Controlling User Access on page 315.
Single sign-on to BusinessObjects Enterprise on page 232
Single sign-on to database on page 233
End-to-end single sign-on on page 233

Managing Enterprise and general accounts on page 253
Setting up NT single sign-on on page 292
Configuring LDAP authentication on page 263
Setting up AD single sign-on on page 282
Web Component Adapter on page 234
Central Management Server on page 234
Security plug-ins on page 235
Note: Because these components are responsible for additional tasks, several of the components discussed in this section are described in additional detail in BusinessObjects Enterprise Architecture on page 53.
For details about the CMS and how it calculates a user's effective rights to an object, see Calculating a user's effective rights on page 328.
For more information about the CMS and the CMS database, see Central Management Server (CMS) on page 61.
Security plug-ins
Security plug-ins expand and customize the ways in which BusinessObjects Enterprise authenticates users. BusinessObjects Enterprise currently ships with the system default BusinessObjects Enterprise security plug-in and with the Windows NT, LDAP, and Windows AD security plug-ins. Each security plug-in offers several key benefits.
Security plug-ins facilitate account creation and management by allowing you to map user accounts and groups from third-party systems into BusinessObjects Enterprise. You can map third-party user accounts or groups to existing BusinessObjects Enterprise user accounts or groups, or you can create new Enterprise user accounts or groups that correspond to each mapped entry in the external system.
The security plug-ins dynamically maintain third-party user and group listings. So, once you map a Windows NT, LDAP, or Windows AD group into BusinessObjects Enterprise, all users who belong to that group can log on to BusinessObjects Enterprise. When you make subsequent changes to the third-party group membership, you need not update or refresh the listing in BusinessObjects Enterprise. For instance, if you map a Windows NT group to BusinessObjects Enterprise, and then you add a new NT user to the NT group, the security plug-in dynamically creates an alias for that new user when he or she first logs on to BusinessObjects Enterprise with valid NT credentials.
Moreover, security plug-ins enable you to assign rights to users and groups in a consistent manner, because the mapped users and groups are treated as if they were Enterprise accounts. For example, you might map some user accounts or groups from Windows NT, and some from an LDAP directory server. Then, when you need to assign rights or create new, custom groups within BusinessObjects Enterprise, you make all of your settings in the CMC.
Each security plug-in acts as an authentication provider that verifies user credentials against the appropriate user database. When users log on to BusinessObjects Enterprise, they choose from the available authentication types that you have enabled and set up in the Authorization management area of the CMC: Enterprise (the system default), Windows NT, LDAP, or Windows AD.
Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if the BusinessObjects Enterprise server components are running on UNIX, or if your system uses the BusinessObjects Enterprise Java SDK.
BusinessObjects Enterprise security plug-in on page 236
Windows NT security plug-in on page 236
LDAP security plug-in on page 238
Windows AD security plug-in on page 240
Default accounts
When you first install BusinessObjects Enterprise, this plug-in sets up two default Enterprise accounts: Administrator and Guest. Neither account has a default password. For details on setting these passwords, see Making initial security settings on page 43.
Single sign-on
The BusinessObjects Enterprise authentication provider supports anonymous single sign-on for the Guest account. Thus, when users connect to BusinessObjects Enterprise without specifying a user name and password, the system logs them on automatically under the Guest account. If you assign a secure password to the Guest account, or if you disable the Guest account entirely, you disable this default behavior. For details, see Disabling the Guest account on page 44.
This plug-in is compatible with NT 4 and Windows 2000 Active Directory user databases (when Windows 2000 Active Directory is configured in non-native mode only). If a Windows 2000 Active Directory user database is configured in native mode and contains universal groups that span several domains, you must use the Windows AD security plug-in. For information on mapping Windows NT users and groups to BusinessObjects Enterprise, see Managing NT accounts on page 284. For information on the Windows AD security plug-in, see Windows AD security plug-in on page 240. Once you have mapped your NT users and groups, all of the BusinessObjects Enterprise client tools support NT authentication, except for the Import Wizard. You can also create your own applications that support NT authentication. For more information, see the developer documentation available on your product CD. Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if the BusinessObjects Enterprise server components are running on UNIX, or if your system uses the BusinessObjects Enterprise Java SDK.
Default account
If you install BusinessObjects Enterprise on Windows as an Administrator of the local machine, then this plug-in is enabled by default. A new NT group (called Business Objects NT Users) is created on the local machine, and your NT user account is added to the group. The Business Objects NT Users group is then mapped to BusinessObjects Enterprise. The result is that you can log on to BusinessObjects Enterprise with your usual NT user credentials.
Single sign-on
The Windows NT security plug-in supports single sign-on, thereby allowing authenticated NT users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped NT group:
To obtain NT single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK. In this scenario, the Windows NT security plug-in queries the operating system for the current user's credentials when the client is launched.
To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS). In this scenario, Internet Explorer and IIS engage in Windows NT Challenge/Response authentication before IIS forwards the user's credentials to BusinessObjects Enterprise.
Note: IIS performs the Challenge/Response authentication for every web page viewed. This can result in severe performance degradation. For details on configuring IIS for single sign-on, see Setting up NT single sign-on on page 292.
Note: InfoView provides its own form of anonymous single sign-on, which uses Enterprise authentication, as opposed to Windows NT authentication. Design your own web applications accordingly (or modify InfoView) if you want to use NT single sign-on. For information on NT single sign-on, see Setting up NT single sign-on on page 292.
Implement LDAP authentication when BusinessObjects Enterprise is running on Windows or on UNIX.
Map users and groups from the LDAP directory service.
Specify multiple host names and their ports.
For information on mapping your LDAP users and groups to BusinessObjects Enterprise, see Managing LDAP accounts on page 262.
Once you have mapped your LDAP users and groups, all of the BusinessObjects Enterprise client tools support LDAP authentication, except for the Import Wizard. You can also create your own applications that support LDAP authentication.
Enterprise, ensure that you are familiar with the differences between these LDAP types. For details, see RFC2251, which is currently available at http://www.faqs.org/rfcs/rfc2251.html
AD authentication only works for servers running on Windows systems.
AD authentication and aggregation is not functional without a network connection.
AD authentication and aggregation may not continue to function if the administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled).
Single sign-on
The Windows AD security plug-in supports single sign-on, thereby allowing authenticated AD users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped AD group:
To obtain AD single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK. In this scenario, the Windows AD security plug-in queries the operating system for the current user's credentials when the client is launched.
To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).
Note: BusinessObjects Enterprise provides its own form of anonymous single sign-on, which uses Enterprise authentication, as opposed to Windows AD authentication. Design your own web applications accordingly (or modify InfoView) if you want to use AD single sign-on. For information on AD single sign-on, see Setting up AD single sign-on on page 282.
Processing extensions
BusinessObjects Enterprise offers you the ability to further secure your reporting environment through the use of customized processing extensions. A processing extension is a dynamically loaded library of code that applies business logic to particular BusinessObjects Enterprise view or schedule requests before they are processed by the system.
Note: On Windows systems, dynamically loaded libraries are referred to as dynamic-link libraries (.dll file extension). On UNIX systems, dynamically loaded libraries are often referred to as shared libraries (.so file extension). You must include the file extension when you name your processing extensions.
Through its support for processing extensions, the BusinessObjects Enterprise administration SDK essentially exposes a handle that allows developers to intercept the request. Developers can then append selection formulas to the request before the report is processed.
A typical example is a report-processing extension that enforces row-level security. This type of security restricts data access by row within one or more database tables. The developer writes a dynamically loaded library that intercepts view or schedule requests for a report (before the requests are processed by the Job Server, Page Server, or Report Application Server). The developer's code first determines the user who owns the processing job; then it looks up the user's data-access privileges in a third-party system. The code then generates and appends a record selection formula to the report in order to limit the data returned from the database. In this case, the processing extension serves as a way to incorporate customized row-level security into the BusinessObjects Enterprise environment.
Tip: In BusinessObjects Enterprise XI, you can also set and enforce row-level security through the use of Business Views. For more information, see the Business Views Administrator's Guide.
The CMC provides methods for registering your processing extensions with BusinessObjects Enterprise and for applying processing extensions to particular objects. For details, see Applying processing extensions to reports on page 443. By enabling processing extensions, you configure the appropriate BusinessObjects Enterprise server components to dynamically load your processing extensions at runtime. Included in the SDK is a fully documented API that developers can use to write processing extensions. For more information, see the developer documentation available on your product CD.
Note: In the current release, processing extensions can be applied only to Crystal report (.rpt) objects.
When single sign-on functionality is combined with third-party ticket mechanisms, such as Kerberos or SiteMinder, the active trust relationship allows users to access BusinessObjects Enterprise and other network resources without ever having to explicitly provide credentials to the system.
Logon tokens
A logon token is an encoded string that defines its own usage attributes and contains a user's session information. The logon token's usage attributes are specified when the logon token is generated. These attributes allow restrictions to be placed upon the logon token to reduce the chance of the logon token being used by malicious users. The current logon token usage attributes are:
Number of minutes: This attribute restricts the lifetime of the logon token.
Number of logons: This attribute restricts the number of times that the logon token can be used to log on to BusinessObjects Enterprise.
Both attributes hinder malicious users from gaining unauthorized access to BusinessObjects Enterprise with logon tokens retrieved from legitimate users.
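The sketch below shows how the two usage attributes limit what a copied token is worth. It is an added example, not BusinessObjects Enterprise code and not its token format: the HMAC-signed layout, the server-side logon counter, and every class, method and field name are assumptions chosen to make the behaviour testable.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class LogonTokenService:
    """Issues and checks tokens that carry their own usage attributes.

    Hypothetical model: the token body holds the user, the authentication
    type, an expiry time ("number of minutes") and a logon allowance
    ("number of logons"). The remaining allowance is tracked on the server,
    because a client-held counter could simply be replayed.
    """

    def __init__(self, key=None, clock=time.time):
        self._key = key or secrets.token_bytes(32)
        self._clock = clock
        self._logons_left = {}  # token id -> logons still allowed

    def _mac(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, user, auth_type, minutes, logons):
        token_id = secrets.token_hex(8)
        body = {"id": token_id, "user": user, "auth": auth_type,
                "expires": self._clock() + minutes * 60, "logons": logons}
        payload = base64.urlsafe_b64encode(json.dumps(body).encode())
        self._logons_left[token_id] = logons
        return payload.decode() + "." + self._mac(payload)

    def logon(self, token):
        """Return (user, "ok") or (None, reason)."""
        payload, sep, mac = token.rpartition(".")
        expected = self._mac(payload.encode())
        # Verify integrity before decoding anything the client supplied.
        if not sep or not hmac.compare_digest(mac.encode(), expected.encode()):
            return None, "rejected: bad signature"
        body = json.loads(base64.urlsafe_b64decode(payload))
        if self._clock() >= body["expires"]:
            self._logons_left.pop(body["id"], None)
            return None, "rejected: token expired"
        if self._logons_left.get(body["id"], 0) <= 0:
            return None, "rejected: logon count used up"
        self._logons_left[body["id"]] -= 1
        return body["user"], "ok"


def demo():
    """Exercise both attributes and a tampered token with a fake clock."""
    now = [0.0]
    service = LogonTokenService(key=b"constructed-demo-key", clock=lambda: now[0])
    results = []

    two_logons = service.issue("jsmith", "Enterprise", minutes=10, logons=2)
    results += [service.logon(two_logons) for _ in range(3)]  # third use fails

    short_lived = service.issue("jsmith", "Enterprise", minutes=1, logons=5)
    now[0] += 61                                              # one minute passes
    results.append(service.logon(short_lived))

    genuine = service.issue("guest", "Enterprise", minutes=10, logons=1)
    payload, _, mac = genuine.rpartition(".")
    edited_body = base64.urlsafe_b64decode(payload).replace(b"guest", b"admin")
    edited = base64.urlsafe_b64encode(edited_body).decode() + "." + mac
    results.append(service.logon(edited))                     # body was altered
    results.append(service.logon(genuine))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```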
The user's active identity is stored as a session variable on the WCA that processed the request; consequently, the user's active identity is not immediately accessible by the other WCA. For this reason, the user's logon token is used to route all of the user's requests to the WCA that is storing the user's session. By doing so, security is maintained while providing optimal performance: the user's identity is verified, but the system does not have to repeatedly prompt the user for his or her credentials; in addition, the user is prevented from unnecessarily consuming resources on both Web Component Adapters.
If the WCA that is storing the user's active session is taken offline, the logon token again serves a critical purpose. If one WCA ceases to respond to a user's requests, InfoView and the CMC are designed such that the request is redirected to the remaining WCA. The client application logs the user on with the valid logon token, and the remaining WCA can authenticate the user and create a new, active session without prompting the user for his or her credentials. The remaining WCA can then authorize and carry out the user's request. In this way, the logon token enables the system's load-balancing and fault-tolerance mechanisms to maintain a secure environment without affecting the user's experience.
In this scenario, when the original WCA is brought back online, the system automatically resumes its load balancing responsibilities by routing each subsequent request to the least used WCA.
Cookies: A cookie is a small text file that stores session state on the client side: the user's web browser caches the cookie for later use. The BusinessObjects Enterprise logon token is an example of this method.
Session variables: A session variable is a portion of memory that stores session state on the server side. When BusinessObjects Enterprise grants a user an active identity on the system, information such as the user's authentication type is stored in a session variable. So long as the session is maintained, the system neither has to prompt the user for the information a second time nor has to repeat any task that is necessary for the completion of the next request.
Ideally, the system should preserve the session variable while the user is active on the system. And, to ensure security and to minimize resource usage, the system should destroy the session variable as soon as the user has finished working on the system. However, because the interaction between a web browser and a web server can be stateless, it can be difficult to know when users leave the system, if they do not log off explicitly. To address this issue, BusinessObjects Enterprise implements session tracking.
If you are familiar with the SDK, you should note that a WCA session is an instance of an InfoStore object. The WCA session timeout can be programmatically configured in the server-side .aspx pages to time out earlier if the default of 20 minutes is not desired.
Environment protection
Environment protection refers to the security of the overall environment in which client and server components communicate. Although the Internet and web-based systems are increasingly popular due to their flexibility and range of functionality, they operate in an environment that can be difficult to secure. When you deploy BusinessObjects Enterprise, environment protection is divided into two areas of communication:
Ensuring that the communication of data is secure.
Ensuring that only valid users retrieve information from the web server.
These tasks are typically handled by web servers through various security mechanisms, including the Secure Sockets Layer (SSL) protocol, Windows NT Challenge/Response authentication, and other such mechanisms. You must secure communication between the web browser and the web server independently of BusinessObjects Enterprise. For details on securing client connections, refer to your web server documentation.
Password restrictions
Password restrictions ensure that Enterprise users create passwords that are relatively complex. You can enable the following options:
Enforce mixed-case passwords: This option ensures that passwords contain at least two of the following character classes: upper case letters, lower case letters, numbers, or punctuation.
Must contain at least N characters
By enforcing a minimum complexity for passwords, you decrease a malicious user's chances of simply guessing a valid user's password.
Logon restrictions
Logon restrictions serve primarily to prevent dictionary attacks (a method whereby a malicious user obtains a valid user name and attempts to learn the corresponding password by trying every word in a dictionary). With the speed of modern hardware, malicious programs can guess millions of passwords per minute. To prevent dictionary attacks, BusinessObjects Enterprise has an internal mechanism that enforces a time delay (0.5-1.0 second) between logon attempts. In addition, BusinessObjects Enterprise provides several customizable options that you can use to reduce the risk of a dictionary attack:
Disable accounts after N failed attempts to log on
Reset failed logon count after N minute(s)
Re-enable account after N minute(s)
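To see how the three options interact, the following added example (not product code) models them as a small state machine and estimates how many guesses per day a given setting still permits. The class and function names, the rule that a successful logon clears the failure count, and the omission of the built-in delay between attempts are assumptions of this sketch.

```python
import time


class LogonRestrictions:
    """Hypothetical model of the three customizable logon restrictions."""

    def __init__(self, max_failures=3, reset_count_after=5 * 60,
                 reenable_after=30 * 60, clock=time.monotonic):
        self.max_failures = max_failures            # disable after N failed attempts
        self.reset_count_after = reset_count_after  # seconds until the count resets
        self.reenable_after = reenable_after        # seconds until re-enabled
        self._clock = clock
        self._state = {}

    def _get(self, user):
        return self._state.setdefault(
            user, {"failures": 0, "last_failure": None, "disabled_at": None})

    def is_disabled(self, user):
        state, now = self._get(user), self._clock()
        if (state["disabled_at"] is not None
                and now - state["disabled_at"] >= self.reenable_after):
            # "Re-enable account after N minute(s)"
            state.update(failures=0, last_failure=None, disabled_at=None)
        return state["disabled_at"] is not None

    def attempt(self, user, password_ok):
        """Record one logon attempt and return "ok", "failed" or "disabled"."""
        if self.is_disabled(user):
            return "disabled"           # even the correct password is refused
        state, now = self._get(user), self._clock()
        if password_ok:
            state["failures"] = 0       # assumption: success clears the count
            return "ok"
        if (state["last_failure"] is not None
                and now - state["last_failure"] >= self.reset_count_after):
            # "Reset failed logon count after N minute(s)"
            state["failures"] = 0
        state["failures"] += 1
        state["last_failure"] = now
        if state["failures"] >= self.max_failures:
            # "Disable accounts after N failed attempts to log on"
            state["disabled_at"] = now
        return "failed"


def worst_case_guesses_per_day(max_failures, reset_count_after, reenable_after):
    """Upper bound on guesses per account per day under this model.

    Two pacing patterns matter when tuning the policy: trip the lockout and
    wait for re-enablement, or stay one failure below the limit and wait for
    the counter to reset. The policy is only as strong as the looser of them.
    """
    trip_lockout = max_failures * 86400 // reenable_after
    stay_below_limit = (max_failures - 1) * 86400 // reset_count_after
    return max(trip_lockout, stay_below_limit)


if __name__ == "__main__":
    print(worst_case_guesses_per_day(3, 5 * 60, 30 * 60))
```

With three failures allowed, a 5-minute reset and a 30-minute re-enable time, the reset window rather than the lockout sets the bound, so lengthening only the re-enable time would not reduce it.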
User restrictions
User restrictions ensure that Enterprise users create new passwords on a regular basis. You can enable the following options:
Must change password every N day(s)
Cannot reuse the N most recent password(s)
Must wait N minute(s) to change password
These options are useful in a number of ways. Firstly, any malicious user attempting a dictionary attack will have to recommence every time passwords change. And, because password changes are based on each user's first logon time, the malicious user cannot easily determine when any particular password will change. Additionally, even if a malicious user does guess or otherwise obtain another user's credentials, they are valid only for a limited time.
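The password restrictions and user restrictions described above can be checked together at the moment a password is changed. This added example is not product code: the class, its parameter names, the PBKDF2 storage of past passwords and the use of the last change time as the age reference are assumptions, and the passwords are constructed sample values.

```python
import hashlib
import hmac
import os
import string


def character_classes(password):
    """Count which of the four classes named in the guide are present."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


class PasswordPolicy:
    """Hypothetical checker combining password and user restrictions."""

    def __init__(self, min_length=8, mixed_case=True, max_age_days=90,
                 history=3, min_wait_minutes=60):
        self.min_length = min_length              # must contain at least N characters
        self.mixed_case = mixed_case              # at least two character classes
        self.max_age_days = max_age_days          # must change every N day(s)
        self.history = history                    # cannot reuse the N most recent
        self.min_wait_minutes = min_wait_minutes  # must wait N minute(s) to change
        self._history = {}  # user -> [(salt, digest, changed_at)], newest last

    @staticmethod
    def _digest(password, salt):
        # Past passwords are kept only as salted, stretched hashes.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def violations(self, user, new_password, now):
        """Return the list of rules the proposed password would break."""
        problems = []
        if len(new_password) < self.min_length:
            problems.append("too short")
        if self.mixed_case and character_classes(new_password) < 2:
            problems.append("needs two character classes")
        past = self._history.get(user, [])
        if past and now - past[-1][2] < self.min_wait_minutes * 60:
            problems.append("changed too recently")
        recent = past[-self.history:] if self.history else []
        if any(hmac.compare_digest(self._digest(new_password, salt), digest)
               for salt, digest, _ in recent):
            problems.append("reuses a recent password")
        return problems

    def change_password(self, user, new_password, now):
        """Apply the change if it is allowed; return the violations found."""
        problems = self.violations(user, new_password, now)
        if not problems:
            salt = os.urandom(16)
            self._history.setdefault(user, []).append(
                (salt, self._digest(new_password, salt), now))
        return problems

    def must_change(self, user, now):
        """True once the current password is older than the allowed age."""
        past = self._history.get(user)
        return bool(past) and now - past[-1][2] >= self.max_age_days * 86400


if __name__ == "__main__":
    policy = PasswordPolicy(history=2, min_wait_minutes=10, max_age_days=30)
    print(policy.change_password("u", "Summer2004!", now=0))
    print(policy.change_password("u", "Winter2004!", now=60))
```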
Chapter 12
Account name (required)
Full name
Email
Description
Password settings
Connection type
Group membership
In the Groups area, you can create groups that give a number of people access to the report or folder. This enables you to make changes in one place instead of modifying each user account individually. To create groups, specify the following:
Group name (required) Description Users who belong to the group Subgroups that belong to the group Group membership
After the user accounts and groups have been created, you can add report objects and specify rights to them. When the users log on, they can view the reports using InfoView or their custom web application. For more information on objects and rights, see Controlling users' access to objects on page 317.
Default users
For procedures on managing users, see Managing Enterprise and general accounts on page 253.
Administrator
The Administrator user belongs to the Administrators and Everyone groups. This user can perform all tasks in all BusinessObjects Enterprise applications (for example, the Central Management Console, Central Configuration Manager, Publishing Wizard, and InfoView). By default, the Administrator is not assigned a password. For security reasons, it is highly recommended that you create a password for the Administrator user as soon as possible. See Setting the Administrator password on page 44. Note: To use the Central Configuration Manager, your operating system account may require certain rights on the local machine. For more information, see Using the Central Configuration Manager on page 42.
Guest
The Guest user is a member of the Everyone group. This user can view reports that are found within the Report Samples folder. Generally, the Guest user accesses reports through InfoView. This account is enabled by default. To disable this default setting, see Disabling the Guest account on page 261. By default, the Guest user is not assigned a password. If you assign it a password, the single sign-on to InfoView will be broken. Note: If users in multiple time zones use the Guest account, see Supporting users in multiple time zones on page 527.
Default groups
In addition to organizing users and simplifying administration, groups enable you to determine the functionality a user has access to. In BusinessObjects Enterprise, the following default groups are created. For procedures on managing groups, see Managing Enterprise and general accounts on page 253.
Administrators
Users who belong to the Administrators group are able to perform all tasks in all of the BusinessObjects Enterprise applications (Central Management Console, Central Configuration Manager, Publishing Wizard, and InfoView). By default, the Administrator group contains only the Administrator user. Note: To use the Central Configuration Manager, your operating system account may require certain rights on the local machine. For more information, see Using the Central Configuration Manager on page 42.
BusinessObjects NT Users
When you install BusinessObjects Enterprise on Windows, BusinessObjects Enterprise creates a BusinessObjects NT Users group. This group is also added to Windows on the local machine and the user who installed BusinessObjects Enterprise is automatically added to this group. When NT authentication is enabled, BusinessObjects NT Users can use their NT accounts to log on to BusinessObjects Enterprise. By default, members of this group are able to view folders and reports.
Everyone
Each user is a member of the Everyone group. By default, the Everyone group allows access to all the reports that are found in the Report Samples folder.
Enterprise authentication Use the system default Enterprise Authentication if you prefer to create distinct accounts and groups for use with BusinessObjects Enterprise, or if you have not already set up a hierarchy of users and groups in a Windows NT user database, an LDAP directory server, or a Windows AD server. See Managing Enterprise and general accounts on page 253.
Windows NT authentication If you are working in a Windows NT environment, you can use existing NT user accounts and groups in BusinessObjects Enterprise. When you map NT accounts to BusinessObjects Enterprise, users are able to log on to BusinessObjects Enterprise applications with their NT user name and password. This can reduce the need to recreate individual user and group accounts within BusinessObjects Enterprise. For more information, see Managing NT accounts on page 284.
Managing User Accounts and Groups Managing Enterprise and general accounts
LDAP authentication If you set up an LDAP directory server, you can use existing LDAP user accounts and groups in BusinessObjects Enterprise. When you map LDAP accounts to BusinessObjects Enterprise, users are able to access BusinessObjects Enterprise applications with their LDAP user name and password. This eliminates the need to recreate individual user and group accounts within BusinessObjects Enterprise. For more information, see Managing LDAP accounts on page 262.
Windows AD authentication If you are working in a Windows 2000 environment, you can use existing AD user accounts and groups in BusinessObjects Enterprise. When you map AD accounts to BusinessObjects Enterprise, users are able to log on to BusinessObjects Enterprise applications with their AD user name and password. This eliminates the need to recreate individual user and group accounts within BusinessObjects Enterprise. For more information, see Managing AD accounts on page 275.
Note: You can use Enterprise Authentication in conjunction with either NT, LDAP, or AD authentication, or with all of the three authentication plug-ins.
Creating an Enterprise user account on page 254
Modifying a user account on page 256
Deleting a user account on page 256
Changing password settings on page 257
Creating a group on page 258
Modifying a group on page 260
Viewing group members on page 261
Deleting a group on page 261
Disabling the Guest account on page 261
Granting access to users and groups on page 262
Note: In many cases, these procedures also apply to NT, LDAP, and AD account management. For specific information on NT authentication, see Managing NT accounts on page 284. For specific information on LDAP authentication, see Managing LDAP accounts on page 262. For specific information on AD authentication, see Managing AD accounts on page 275.
Password
Enter the password and confirm. This is the initial password that you assign to the user. The maximum password length is 64 characters.
Password never expires
Select the check box.
User must change password at next logon
This check box is selected by default. If you do not want to force users to change the password the first time they log on, clear the check box.
6.
Concurrent User Choose Concurrent user if this user belongs to a license agreement that states the number of users allowed to be connected at one time.
Named User Choose Named user if this user belongs to a license agreement that associates a specific user with a license. Named user licenses are useful for people who require access to BusinessObjects Enterprise regardless of the number of other people who are currently connected.
7. Click OK. The user is added to the system and is automatically added to the Everyone group. You can now add the user to a group or specify rights for the user. See Adding a user to groups on page 255, Chapter 13: Controlling User Access. An inbox is also automatically created for the user. The user is also automatically assigned an Enterprise alias, for example, secEnterprise:bsmith. For more information, see Managing aliases on page 294.
To delete a user account
1. Go to the Users management area of the CMC.
2. Select the check box associated with the user you want to delete.
3. Click Delete. The delete confirmation dialog box appears.
4. Click OK. The user account is deleted.
Password never expires
User must change password at next logon
User cannot change password
4. Click Update.
To change password settings
1. Go to the Authentication management area of the CMC.
2. Click the Enterprise tab.
3. Select the check box and enter the value related to the password setting.
The table below identifies the minimum and maximum values for each of the settings you can configure:
Password Setting: Recommended Maximum
Must contain at least N characters: minimum 0 characters, recommended maximum 64 characters
Must change password every N days: 100 days
Cannot reuse the N most recent passwords: 100 passwords
Must wait N minutes to change password: 100 minutes
Disable account after N failed attempts to log on: 100 failed
Reset failed logon count after N minutes: 100 minutes
Re-enable account after N minutes: 100 minutes
4. Click Update.
Creating a group
Groups are collections of users who share the same account privileges. For instance, you may create groups that are based on department, role, or location. Groups enable you to change the rights for users in one place (a group) instead of modifying the rights for each user account individually. Also, you can assign object rights to a group or groups. For information on object rights, see Managing objects overview on page 416. For information on granting users and groups administrative rights to other groups, see Granting access to users and groups on page 262.
After creating a new group, you can add users, add subgroups, or specify group membership so that the new group is actually a subgroup. Because subgroups provide you with additional levels of organization, they are useful when you set object rights to control users' access to your BusinessObjects Enterprise content.
To create a new group
1. Go to the Groups management area of the CMC.
2. Click New Group.
3. On the Properties tab, enter the group name and description.
4. Click OK.
To select multiple users, use the SHIFT+click or CTRL+click combination.
To search for a specific user, use the Look For field.
If there are many users on your system, click the Previous and Next buttons to navigate through the list of users.
5. Click OK. The Users tab appears. It lists all of the users who belong to this group.
Adding subgroups
You can add an existing group as a subgroup to another group. A subgroup inherits the rights of the parent group.
Note: Adding a subgroup is similar to specifying group membership. See Specifying group membership on page 260.
To add subgroups
1. In the Groups management area of the CMC, click the link for the group.
2. Click the Subgroups tab.
3. Click Add/Remove Subgroups.
4. Select the groups that should be members of this new group; then click the > arrow.
5. Click OK.
Modifying a group
You can modify a group by making changes to any of the settings.
Note: The users who belong to the group will be affected by the modification if they are logged on when you are making changes.
To modify a group
1. In the Groups management area of the CMC, click the link for the group.
2. Under the Group Name column, click the link to the group whose configuration you want to change.
3. Make the necessary changes in one of the four tabs:
4. Depending on which tab you have selected, click OK or Update after you have made your changes.
Deleting a group
You can delete a group when that group is no longer required. You cannot delete the default groups Administrator and Everyone.
Note: The users who belong to the deleted group will be affected by the change if they are logged on when the group is deleted.
To delete third-party authentication groups, such as the BusinessObjects NT Users group, use the Authentication management area in CMC. See Unmapping LDAP groups on page 272, Unmapping AD groups on page 280, and Mapping NT accounts on page 284.
To delete a group
1. Go to the Groups management area of the CMC.
2. Select the check box associated with the group you want to delete.
3. Click Delete. The delete confirmation dialog box appears.
4. Click OK.
To disable the Guest account
1. Go to the Users management area of the CMC.
2. In the Account Name column, click Guest.
3. On the Properties tab, select the Account is disabled check box.
4. Click Update.
5. If you are prompted for confirmation, click OK.
Configuring LDAP authentication on page 263
Mapping LDAP groups on page 269
Unmapping LDAP groups on page 272
Viewing mapped LDAP users and groups on page 272
Changing LDAP connection parameters and member groups on page 272
Managing multiple LDAP hosts on page 273
Troubleshooting LDAP accounts on page 274
Configuring the LDAP host on page 263.
Configuring the Secure Socket Layer authentication for LDAP on page 264.
Configuring LDAP single sign-on with SiteMinder on page 267.
Configuring LDAP mapping options on page 267.
6. Click Next.
7. In the Base LDAP Distinguished Name field, type the distinguished name (for example, o=SomeBase).
8. Click Next.
9. Enter the credentials required by the LDAP hosts.
In the LDAP Server Administration Credentials area, type the distinguished name and password for a user account that is authorized to administer your LDAP server. If your LDAP Server allows anonymous binding, leave this area blank; BusinessObjects Enterprise servers and clients will bind to the primary host via anonymous logon.
Enter another distinguished name and password in the LDAP Referral Credentials area if all of the following apply:
The primary host has been configured to refer to another directory server that handles queries for entries under a specified base.
The host being referred to has been configured to not allow anonymous binding.
A group from the host being referred to will be mapped to BusinessObjects Enterprise.
Although groups can be mapped from multiple hosts, only one set of referral credentials can be set. Therefore if you have multiple referral hosts, you must create a user account on each host that uses the same distinguished name and password.
10. Enter the number of referral hops in the Maximum Referral Hops field. If this field is set to zero, no referrals will be followed.
11. Click Next.
12. Proceed with configuring the Secure Socket Layer.
To configure the Secure Socket Layer authentication
1. If necessary, go to the Authentication management area of the CMC again. Click the LDAP tab, and then click Start LDAP Configuration Wizard. Click Next until the screen of the wizard asks for the Secure Socket Layer authentication information. Otherwise, skip to step 2.
2. Select the type of SSL authentication (Basic (no SSL), Server Authentication, or Mutual Authentication) your LDAP hosts use to establish a connection with BusinessObjects Enterprise. Click Next.
3. If you selected Server Authentication or Mutual Authentication, choose one of the following options:
Always accept server certificate This is the lowest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive a security certificate from the LDAP host. BusinessObjects Enterprise does not verify the certificate it receives.
Accept server certificate if it comes from a trusted Certificate Authority This is a medium security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database.
Tip: Java applications (such as the Java version of InfoView) always use this option, regardless of the setting you choose.
Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server This is the highest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database. It must also be able to confirm that the CN attribute on the server certificate exactly matches the host name of the LDAP host as you typed it in the Add LDAP host field in the first step of the wizard. That is, if you entered the LDAP host name as ABALONE.rd.crystald.net:389, using CN =ABALONE:389 in the certificate would not work.
Tip: The host name on the server security certificate is the name of the primary LDAP host. Therefore if you select this option you cannot use a failover LDAP host.
4. In the SSL host box, you must next add the host name of each machine in your BusinessObjects Enterprise system that uses the BusinessObjects Enterprise SDK. (This includes the machine running your Central Management Server and the machine running your WCA.) Type the host name of each machine in the SSL Host box, and then click Add.
5. Now configure the SSL settings for each SSL host in the list, starting with the default host.
To select settings for the default host, first clear the Use default value boxes. Then type your values for the path to the certificate and key database files, and the password for the key database. Type a nickname for the client certificate in the cert7.db if you selected mutual authentication. The settings for the default host are used:
for any setting (for any host) where you leave the Use default value box checked.
for any machine whose name you do not explicitly add to the list of SSL hosts.
To select settings for another host, select its name in the list on the left. Then type the appropriate values in the boxes on the right.
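The three server-certificate options in step 3 differ in which certificates they let through before LDAP credentials are sent. The following added example (not BusinessObjects Enterprise code) models that decision and shows the nearest Python ssl client settings; the port-stripping rule, the constructed certificates and all function names are assumptions for illustration.

```python
import ssl
from dataclasses import dataclass

# Option labels as they appear in step 3 of the wizard.
ALWAYS_ACCEPT = "Always accept server certificate"
TRUSTED_CA = "Accept server certificate if it comes from a trusted Certificate Authority"
TRUSTED_CA_AND_CN = (TRUSTED_CA + " and the CN attribute of the certificate "
                     "matches the DNS hostname of the server")
OPTIONS = (ALWAYS_ACCEPT, TRUSTED_CA, TRUSTED_CA_AND_CN)


@dataclass(frozen=True)
class PresentedCert:
    cn: str                     # CN attribute of the server certificate
    issued_by_trusted_ca: bool  # issuer found in the client's certificate database


def host_part(name: str) -> str:
    """Drop a trailing :port (assumption: only the host name is compared)."""
    host, sep, port = name.rpartition(":")
    return host if sep and port.isdigit() else name


def accepts(option: str, typed_host: str, cert: PresentedCert) -> bool:
    """Would a client using this option proceed to authenticate over the connection?"""
    if option not in OPTIONS:
        raise ValueError(f"unknown option: {option!r}")
    if option == ALWAYS_ACCEPT:
        return True                        # certificate is received but never verified
    if not cert.issued_by_trusted_ca:
        return False
    if option == TRUSTED_CA:
        return True                        # any certificate from a trusted CA passes
    return host_part(cert.cn) == host_part(typed_host)   # exact match required


def python_context(option: str) -> ssl.SSLContext:
    """Closest Python ssl client settings for each option (an analogy only)."""
    if option not in OPTIONS:
        raise ValueError(f"unknown option: {option!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with CERT_REQUIRED + hostname check
    if option == TRUSTED_CA_AND_CN:
        return ctx
    ctx.check_hostname = False             # must be cleared before verification is relaxed
    if option == ALWAYS_ACCEPT:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Constructed certificates; the host names reuse the page's ABALONE example.
TYPED_HOST = "ABALONE.rd.crystald.net:389"
SAMPLE_CERTS = {
    "full name, trusted CA": PresentedCert("ABALONE.rd.crystald.net", True),
    "short name, trusted CA": PresentedCert("ABALONE:389", True),
    "other host, trusted CA": PresentedCert("other.example.test", True),
    "self-signed": PresentedCert("ABALONE.rd.crystald.net", False),
}


def acceptance_table(typed_host=TYPED_HOST, certs=SAMPLE_CERTS):
    """Map each wizard option to the labels of the certificates it would accept."""
    return {
        option: [label for label, cert in certs.items()
                 if accepts(option, typed_host, cert)]
        for option in OPTIONS
    }


if __name__ == "__main__":
    for option, accepted in acceptance_table().items():
        print(f"{option}\n    accepts: {accepted}")
```

Only the third option rejects a certificate that a trusted Certificate Authority issued for a different host name, which is the case the medium option cannot distinguish.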
In the Policy Server Host box, type the name of each Policy Server, and then click Add. For each Policy Server Host, specify the Accounting, Authentication and Authorization port numbers. Enter the name of the Web Agent and the Shared Secret. Enter the shared secret again.
2. New Alias Options allow you to specify how LDAP aliases are mapped to Enterprise accounts. Select either:
Assign each added LDAP alias to an account with the same name Use this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new LDAP users. or
Create a new account for every added LDAP alias Use this option when you want to create a new account for each user.
3. Update Options allow you to specify if LDAP aliases are automatically created for all new users. Select either:
New aliases will be added and new users will be created Use this option to automatically create a new alias for every LDAP user mapped to BusinessObjects Enterprise. New LDAP accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the Create a new account for every added LDAP alias option. or
No new aliases will be added and new users will not be created Use this option when the LDAP directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.
4. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to LDAP accounts. Select either:
New users are created as named users New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option. or
New users are created as concurrent users New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.
5. Click Finish to save your LDAP settings. The LDAP Server Summary page appears.
You can add more than one LDAP group by repeating this step. To remove a group, highlight the LDAP group and click Delete.
4. New Alias Options allow you to specify how LDAP aliases are mapped to Enterprise accounts. Select either:
Assign each added LDAP alias to an account with the same name Use this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new LDAP users.
or
Create a new account for every added LDAP alias Use this option when you want to create a new account for each user.
5. Update Options allow you to specify if LDAP aliases are automatically created for all new users. Select either:
New aliases will be added and new users will be created Use this option to automatically create a new alias for every LDAP user mapped to BusinessObjects Enterprise. New LDAP accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the Create a new account for every added LDAP alias option. or
No new aliases will be added and new users will not be created Use this option when the LDAP directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.
6. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to LDAP accounts. Select either:
New users are created as named users New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option. or
New users are created as concurrent users New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.
7. Click Update.
2. Click the LDAP tab. If LDAP authorization is configured, the LDAP Server Configuration Summary page appears. On this page you can change any of the connection parameter areas or fields. You can also modify the Mapped LDAP Member Groups area.
3. Delete currently mapped groups that will no longer be accessible under the new connection settings.
4. Click Update.
5. Change your connection settings.
6. Click Update.
7. Change your Alias and New User options.
8. Click Update.
9. Map your new LDAP member groups.
The order in which the hosts are communicated with matters, so ensure that you add the primary host first, followed by the remaining failover hosts.
If you use failover LDAP hosts, you cannot use the highest level of SSL security (that is, you cannot select Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server.) For more information, see Configuring LDAP authentication on page 263.
If you create a new LDAP user account, and the account does not belong to a group account that is mapped to BusinessObjects Enterprise, either map the group to BusinessObjects Enterprise, or add the new LDAP user account to a group that is already mapped to BusinessObjects Enterprise. For more information, see Configuring LDAP authentication on page 263. If you create a new LDAP user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the user list. For more information, see Viewing mapped LDAP users and groups on page 272.
If you create a new LDAP group account, and the group account does not belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see Configuring LDAP authentication on page 263. If you create a new LDAP group account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the group list. For more information, see Viewing mapped LDAP users and groups on page 272.
Managing AD accounts
This section provides an overview of AD authentication and the tasks related to managing it. For information on how AD authentication works in conjunction with BusinessObjects Enterprise, see Windows AD security plug-in on page 240. Once you have mapped your AD users and groups, all of the BusinessObjects Enterprise client tools support AD authentication, except for the Import Wizard. You can also create your own applications that support AD authentication. For more information, see the developer documentation available on your product CD. Note:
AD authentication only works for servers running on Windows systems.
AD authentication and aggregation is not functional without a network connection.
Users cannot log on to BusinessObjects Enterprise using AD authentication via the Java SDK.
AD authentication and aggregation may not continue to function if the administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled).
Mapping AD accounts on page 276
Unmapping AD groups on page 280
Viewing mapped AD users and groups on page 280
Troubleshooting AD accounts on page 281
Setting up AD single sign-on on page 282
Mapping AD accounts
To simplify administration, BusinessObjects Enterprise supports AD authentication for user and group accounts. However, before users can use their AD user name and password to log on to BusinessObjects Enterprise, their AD user account needs to be mapped to BusinessObjects Enterprise. When you map an AD account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account.
To map AD users and groups
Before starting this procedure, ensure that you have the appropriate AD domain and group information. As well, you must have created a domain user account on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups.
1. Go to the Authentication management area of the CMC.
2. Click the Windows AD tab.
3. Ensure that the Windows Active Directory Authentication is enabled check box is selected.
4. If you will be using single sign-on, select the Single Sign On is enabled check box.
Note: If you select this option, you must also configure the IIS for single sign-on. For details, see Setting up AD single sign-on on page 282. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account.
5. In the AD Administration Credentials area, enter the name and password of the domain user account you've set up on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups.
Administration credentials must be entered to enable AD authentication, map groups, check rights, and so on.
6. Complete the Default AD Domain field.
Note:
Groups from the default domain can be mapped without specifying the domain name prefix.
By entering the Default AD Domain name, users from the default domain do not have to specify the AD domain name when they log on to BusinessObjects Enterprise via AD authentication.
7. In the Mapped AD Member Groups area, enter the AD domain\group in the Add AD Group (Domain\Group) field. Groups can be mapped using one of the following formats:
Note: If you want to map a local group, you can use only the NT name format (\\ServerName\GroupName). Windows AD does not support local users. This means that local users who belong to a mapped local group will not be mapped to BusinessObjects Enterprise. Therefore they will not be able to access BusinessObjects Enterprise.
8. Click Add. The group is added to the list.
9. New Alias Options allow you to specify how AD aliases are mapped to Enterprise accounts. Select either:
Assign each added AD alias to an account with the same name Use this option when you know users have an existing Enterprise account with the same name; that is, AD aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and AD account, are added as new AD users. or
Create a new account for every added AD alias Use this option when you want to create a new account for each user.
10. Update Options allow you to specify if AD aliases are automatically created for all new users. Select either:
New aliases will be added and new users will be created Use this option to automatically create a new alias for every AD user mapped to BusinessObjects Enterprise. New AD accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the Create a new account for every added AD alias option. or
No new aliases will be added and new users will not be created Use this option when the AD directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise. Note: You can also add AD users individually by adding them as a new user in BusinessObjects Enterprise and selecting Windows AD authentication. For details, see Creating a user and a third-party alias on page 294.
11. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to AD accounts. Select either:
New users are created as named users New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option.
New users are created as concurrent users New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.
12. Click Update. A message appears stating that it will take several seconds to update the member groups.
13. Click OK.
Unmapping AD groups
Similar to mapping, it is possible to unmap groups using BusinessObjects Enterprise.
To unmap AD groups using BusinessObjects Enterprise
1. Go to the Authentication management area of the CMC.
2. Click the Windows AD tab.
3. In the Mapped AD Member Groups area, select the AD group you would like to remove.
4. Click Delete.
5. Click Update. The users in the deleted group will no longer be able to access BusinessObjects Enterprise.
Tip: To deny AD authentication for all users, clear the Windows Active Directory Authentication is enabled check box and click Update.
Note: The only exceptions to this occur when a user has an alias other than the one assigned for AD authentication. To restrict access, disable or delete the user's Enterprise account. For more information, see Managing Enterprise and general accounts on page 253.
Troubleshooting AD accounts
Creating a new AD user account
If you create a new AD user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, ensure that you update the user list by clicking Update in the Windows AD tab found in the Authentication management area. Note that you must click Update to ensure that new users are imported properly. For information on viewing AD users and groups, see Viewing mapped AD users and groups on page 280. User accounts are automatically created for AD users who are added to an AD group when these users successfully log on to BusinessObjects Enterprise.
When you add an AD group account to an AD group that was previously mapped to BusinessObjects Enterprise, and you would like the users of this nested group to get imported into BusinessObjects Enterprise, you need to click Update in the Windows AD tab (found in the Authentication management area). Note: The nested AD group will not get mapped to BusinessObjects Enterprise by this operation.
When you have added a new account in AD, and the AD group to which the account belongs is already mapped to BusinessObjects Enterprise, there are three ways you can get the new AD account into BusinessObjects Enterprise. Choose the method that works best for your situation:
When the new AD user logs on to BusinessObjects Enterprise and selects AD authentication, the system will add the user to BusinessObjects Enterprise. This is the simplest method and it doesn't require any extra steps, but the user won't be added until he or she logs on to BusinessObjects Enterprise.
You can add the new user to BusinessObjects Enterprise and select Windows AD authentication. The user is added and is automatically assigned a Windows AD alias. See Creating a user and a third-party alias on page 294.
You can go to the Windows AD tab in the Authentication management area and select the option to add all new aliases and create all new users, and then click Update. In this case all AD users will be added to BusinessObjects Enterprise. For details, see Mapping AD accounts on page 276. However, if the AD group contains many users who don't require access to BusinessObjects Enterprise, you may want to add the user individually instead.
AD single sign-on is not supported on client machines running on Windows 98. By default, AD single sign-on is not enabled.
Setting up AD single sign-on to BusinessObjects Enterprise includes the following tasks:
Configuring IIS for AD single sign-on on page 282
Enabling AD single sign-on in CMC on page 283
Modifying the web.config file for AD single sign-on on page 283
Note: For information on how to set up end-to-end single sign on with AD and Kerberos, see Configuring Kerberos single sign-on on page 299.
Deselect the Anonymous access and Basic authentication check boxes. Ensure that the Integrated Windows authentication check box is selected.
Note: You must also enable AD single sign-on in the CMC. For details, see Enabling AD single sign-on in CMC on page 283.
2. Modify the web.config file. See Modifying the web.config file for AD single sign-on on page 283.
3. Restart your IIS server.
Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in Setting up AD single sign-on on page 282.
2. Add the following lines to the <system.web> block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\InfoView\Web.config file:
3.
Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in Setting up AD single sign-on on page 282.
Managing NT accounts
This section provides an overview of NT authentication and the tasks related to managing it. For information on how NT authentication works in conjunction with BusinessObjects Enterprise, see Windows NT security plugin on page 236.
Note:
NT authentication only works for servers running on Windows systems.
If you install BusinessObjects Enterprise on a Windows NT, 2000, or 2003 machine, NT authentication is installed and enabled by default.
NT accounts refer to Windows NT, 2000, or 2003 accounts.
Mapping NT accounts on page 284
Unmapping NT groups on page 288
Viewing mapped NT users and groups on page 289
Troubleshooting NT accounts on page 290
Setting up NT single sign-on on page 292
Mapping NT accounts
To simplify administration, BusinessObjects Enterprise supports user and group accounts that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. You can map NT accounts to BusinessObjects Enterprise through Windows, by using the User Manager in Windows NT or Computer Management in Windows 2000, or through the CMC.
Note: NT accounts refer to both Windows NT and 2000 accounts.
To map NT users and groups using Windows NT
1. From the Windows Administrative Tools program group, click User Manager.
Note: Ensure that you have selected the domain that contains the BusinessObjects NT Users group.
2. Select the BusinessObjects NT Users group.
Note: The BusinessObjects NT Users group is created automatically in Windows NT when you install BusinessObjects Enterprise on Windows NT.
3. From the User menu, click Properties.
4. Click Add.
5. Select the group(s) and/or user(s); then click Add.
6. Click OK to add the group(s) and/or user(s).
7. Click OK to complete the process.
Tip: Users will now be able to log on to InfoView using their NT account if they use the following format:
\\NTDomainName\NTusername or NTMachineName\LocalUserName
Users do not have to specify the NT Domain Name if it is specified in the Default NT Domain field on the Windows NT tab.
To map NT users and groups using Windows 2000
1. From the Windows Administrative Tools program group, click Computer Management.
2. Under System Tools, select Local Users and Groups.
3. Click the Groups folder.
4. Select the BusinessObjects NT Users and from the Action menu, select Properties.
5. Click Add.
6. Select the group(s) and/or user(s); then click Add.
7. Click OK to add the group(s) and/or user(s).
8. Click OK or Apply (and then Close) to complete the process.
Tip: Users will now be able to log on to InfoView using their NT account if they use the following format:
\\NTDomainName\NTusername or NTMachineName\LocalUserName
Users do not have to specify the NT Domain Name if it is specified in the Default NT Domain field on the Windows NT tab.
To map NT users and groups using BusinessObjects Enterprise
Before starting this procedure, ensure you have the NT domain and group information.
1. Go to the Authentication management area of the CMC.
2.
3. Ensure that the NT Authentication is enabled check box is selected.
4. If you will be using single sign-on, select the Single Sign On is enabled check box.
Note: If you select this option, you must also configure the IIS for single sign-on. For details, see Setting up NT single sign-on on page 292. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account.
5. To change the Default NT domain, click the domain name. Complete the Default NT Domain field.
Note: By typing the default NT Domain Name, users do not have to specify the NT Domain Name when they log on to BusinessObjects Enterprise via NT authentication. Also, you don't have to specify the NT domain name when you map groups.
6. In the Mapped NT Member Groups area, enter the NT domain\group in the Add NT Group (NT Domain\Group) field.
Note: If you want to map a local NT group, you must type \\NTmachinename\groupname.
7. Click Add. The group is added to the list.
8. New Alias Options allow you to specify how NT aliases are mapped to Enterprise accounts. Select either:
Assign each added NT alias to an account with the same name
Use this option when you know users have an existing Enterprise account with the same name; that is, NT aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and NT account, are added as new NT users.
or
Create a new account for every added NT alias
Use this option when you want the system to create a new account for each user. The system ensures that the users are created with unique names. For example, if BusinessObjects Enterprise user bsmith already exists and an NT user with the same name is added, the new user will be bsmith01.
9. Update Options allow you to specify if NT aliases are automatically created for all new users. Select either:
New aliases will be added and new users will be created
Use this option to automatically create a new alias for every NT user mapped to BusinessObjects Enterprise. New NT accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the Create a new account for every added NT alias option.
or
No new aliases will be added and new users will not be created
Use this option when the NT directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.
10. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to NT accounts. Select either:
New users are created as named users
New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option.
New users are created as concurrent users
New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.
11. Click Update. A message appears stating that it will take several seconds to update the member groups.
12. Click OK.
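The note in step 4 warns against running IIS under an account that belongs to a mapped group. The following check is an added example, not part of this guide or of BusinessObjects Enterprise: it walks nested group membership to report any chain from a mapped group down to the IIS account. Apart from BusinessObjects NT Users, every group and account name is constructed sample data.

```python
from collections import deque

# Constructed sample data: group -> direct members (accounts or other groups).
# All names are hypothetical; in practice, export them from the domain.
MEMBERS = {
    r"\\WEB01\BusinessObjects NT Users": [r"CORP\BOE Report Users"],
    r"CORP\BOE Report Users": [r"CORP\bsmith", r"CORP\Finance"],
    r"CORP\Finance": [r"CORP\jbrown", r"CORP\Web Servers"],
    # Nested back into Finance on purpose, to show that cycles are handled.
    r"CORP\Web Servers": [r"CORP\WEB01$", r"CORP\Finance"],
    r"CORP\Helpdesk": [r"CORP\akhan"],
}

# Groups assumed to be listed under Mapped NT Member Groups in the CMC.
MAPPED_GROUPS = [r"\\WEB01\BusinessObjects NT Users", r"CORP\Helpdesk"]


def _key(name):
    """Windows account and group names compare case-insensitively."""
    return name.strip().casefold()


def membership_path(account, group, members):
    """Return the shortest chain [group, ..., account], or None.

    Breadth-first search over nested groups; the seen set stops loops
    when two groups contain each other.
    """
    index = {_key(g): m for g, m in members.items()}
    target = _key(account)
    queue = deque([[group]])
    seen = {_key(group)}
    while queue:
        path = queue.popleft()
        for member in index.get(_key(path[-1]), []):
            key = _key(member)
            if key == target:
                return path + [member]
            if key not in seen:
                seen.add(key)
                queue.append(path + [member])
    return None


def audit_web_identity(account, mapped_groups, members):
    """Map each mapped group that reaches the account to the chain that does."""
    findings = {}
    for group in mapped_groups:
        path = membership_path(account, group, members)
        if path is not None:
            findings[group] = path
    return findings


if __name__ == "__main__":
    # CORP\WEB01$ stands in for the account the IIS worker process runs under.
    for group, path in audit_web_identity(r"corp\web01$", MAPPED_GROUPS, MEMBERS).items():
        print("IIS account reaches mapped group:", " -> ".join(path))
```

Any finding means that, with single sign-on enabled and IIS not configured as described, web application users would inherit the rights of that mapped group; break the reported chain at one of its links or run IIS under a different account.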
Unmapping NT groups
Similar to mapping, it is possible to unmap groups using the administrative tool in Windows NT/2000, or BusinessObjects Enterprise.
To unmap NT users and groups using Windows NT
1. From the Administrative Tools program group, click User Manager.
2. Select BusinessObjects NT Users.
3. From the User menu, click Properties.
4. Select the user(s) or group(s); then click Remove.
5. Click OK. The user or group will no longer be able to access BusinessObjects Enterprise.
Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user's Enterprise account. For more information, see Managing Enterprise and general accounts on page 253.
To unmap NT users and groups using Windows 2000
1. From the Administrative Tools program group, click Computer Management.
2. Under System Tools, select Local Users and Groups.
3. Click the Groups folder.
4. Select BusinessObjects NT Users.
5. From the Action menu, click Properties.
6. Select the user(s) or group(s); then click Remove.
7. Click OK or Apply (and then Close) to complete the process. The user or group will no longer be able to access BusinessObjects Enterprise.
Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user's Enterprise account. For more information, see Managing Enterprise and general accounts on page 253.
To unmap NT groups using BusinessObjects Enterprise
1. Go to the Authentication management area of the CMC.
2. Click the Windows NT tab.
3. In the Mapped NT Member Groups area, select the NT group you would like to remove.
4. Click Delete.
5. Click Update. The users in this group will not be able to access BusinessObjects Enterprise.
Tip: To deny NT Authentication for all groups, clear the NT Authentication is enabled check box and click Update.
Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user's Enterprise account. For more information, see Managing Enterprise and general accounts on page 253.
To view users and groups that have been added using Windows NT/2000 or BusinessObjects Enterprise
1. Go to the Groups management area of the CMC.
2. If you added users and groups through Windows NT/2000, then click BusinessObjects NT Users. If you added users and groups through the CMC, then select the appropriate group.
3. Click the Users tab.
4. Click OK to the message which states that accessing the user list may take several seconds.
5. Click Refresh.
6. Click OK.
To view users and groups that have been added using BusinessObjects Enterprise
1. Go to the Authentication management area of the CMC.
2. Click the Windows NT tab. The Mapped NT Member Groups area displays the groups that have been mapped to BusinessObjects Enterprise.
Note: You can view the groups and users by selecting the appropriate group from the Groups management area and then clicking the Users tab.
Troubleshooting NT accounts
Creating a new NT user account
If you create a new NT user account, and the account does not belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see Mapping NT accounts on page 284. If you create a new NT user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the user list. For more information, see Viewing mapped NT users and groups on page 289.
When the new NT user logs on to BusinessObjects Enterprise and selects NT authentication, the system will add the user to BusinessObjects Enterprise. This is the simplest method and it doesn't require any extra steps, but the user won't be added until he or she logs on to BusinessObjects Enterprise.
You can add the new user to BusinessObjects Enterprise and select Windows NT authentication. The user is added and is automatically assigned a Windows NT alias. See Creating a user and a third-party alias on page 294.
You can go to the Windows NT tab in the Authentication management area and select the option to add all new aliases and create all new users, and then click Update. In this case all NT users will be added to BusinessObjects Enterprise. For details, see Mapping NT accounts on page 284. However, if the NT group contains many users who don't require access to BusinessObjects Enterprise, you may want to add the user individually instead.
If you create a new NT group account, and the group account does not belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see Mapping NT accounts on page 284. If you create a new NT group account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the group list. For more information, see Viewing mapped NT users and groups on page 289.
If you disable an NT user account (using Windows Administrative Tools), the user will not be able to log on to BusinessObjects Enterprise using the mapped NT account. However, if the user also has an account that uses Enterprise authentication, the user can still access BusinessObjects Enterprise using that account.
Configuring IIS for NT single sign-on on page 292
Enabling NT single sign-on in CMC on page 293
Modifying the web.config file for NT single sign-on on page 293
Note: BusinessObjects Enterprise does not support the Kerberos protocol for Windows NT. For information on how to set up end-to-end single sign on with AD and Kerberos, see Configuring Kerberos single sign-on on page 299.
Deselect the Anonymous access and Basic authentication check boxes. Ensure that the Integrated Windows authentication check box is selected.
2. Modify the web.config file. See Modifying the web.config file for NT single sign-on on page 293.
3. Restart your IIS server.
Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in Setting up NT single sign-on on page 292.
2. Add the following lines to the <system.web> block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\InfoView\Web.config file:
3.
Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in Setting up NT single sign-on on page 292.
Managing aliases
If a user has multiple accounts in BusinessObjects Enterprise, you can link the accounts using the assign alias feature. This is useful when a user has a third-party account that is mapped to Enterprise and an Enterprise account. By assigning an alias to the user, the user can log on using either a third-party user name and password or an Enterprise user name and password. Thus, an alias enables a user to log on via more than one authentication type.
You can also reassign an alias in BusinessObjects Enterprise. For example, after you map your third-party accounts to BusinessObjects Enterprise, you can use the Reassign Alias feature to reassign an alias to a different user.
In CMC, the alias information is displayed at the bottom of the properties page for a user. A user can have any combination of BusinessObjects Enterprise, LDAP, AD, or NT aliases.
Managing aliases includes:
Creating a user and a third-party alias on page 294
Creating an alias for an existing user on page 296
Assigning an alias on page 296
Reassigning an alias on page 297
Deleting an alias on page 297
Disabling an alias on page 298
Note: For the system to create the third-party alias, the following criteria must be met:
The authentication tool needs to have been enabled in CMC.
The format of the account name must agree with the format required for the authentication type.
The user account must exist in the third-party authentication tool, and it must belong to a group that is already mapped to BusinessObjects Enterprise.
To create a user and add a third-party alias
1. Go to the Users management area of the CMC.
2. Click New User. The New User Properties page appears.
3. Select the authentication type for the user, for example, Windows NT. The New User Properties page appears.
4. Type in the third-party account name for the user, for example, bsmith.
5. Select the connection type for the user.
6. Click OK. The user is added to BusinessObjects Enterprise and is assigned an alias for the authentication type you selected, for example, secWindowsNT:ENTERPRISE:bsmith. If required, you can add, assign, and reassign aliases to the user.
The authentication tool needs to have been enabled in CMC.
The format of the account name must agree with the format required for the authentication type.
The user account must exist in the third-party authentication tool, and it must belong to a group that is mapped to BusinessObjects Enterprise.
To create a new alias for a user
1. Go to the Users management area of the CMC.
2. Click the link for the user that you want to add an alias to.
3. Click New Alias. The New Alias page appears.
4. Select the authentication type for the user, for example, Windows NT.
5. Type in the account name for the user.
6. Click OK. An alias is created for the user. When you view the user in CMC, at least two aliases are shown, the one that was already assigned to the user and the one you just created.
Assigning an alias
When you assign an alias to a user, you move a third-party alias from another user to the user you are currently viewing. You cannot assign or reassign Enterprise aliases.
Note: If a user has only one alias and you assign that last alias to another user, the system will delete the user account, and the Favorites folder, personal categories, and inbox for that account.
To assign an alias from another user
1. Go to the Users management area of the CMC.
2. Click the link for the user you want to assign an alias to.
3. Click Assign Alias. The Assign Alias page appears.
4. Select the alias you want in the list of available aliases.
5. Click the > arrow.
Tip:
To select multiple aliases, use the SHIFT+click or CTRL+click combination.
To search for a specific alias, use the Look For field.
6. Click OK.
Reassigning an alias
When you reassign an alias, you move a third-party alias from the user that you are currently viewing to another user. You cannot assign or reassign Enterprise aliases.
Note: If a user has only one alias and you reassign that alias to another user, the system will delete the user account, and the Favorites folder, personal categories, and inbox for that account.
To reassign an alias to another user
1. Go to the Users management area of the CMC.
2. Click the link for the user whose alias you want to reassign, for example, bsmith.
3. Click the Reassign Alias button for the alias. The Reassign Alias page appears.
4. In the list, click the name of the user that you want to assign the alias to, for example, jbrown.
5. Click OK. The alias for bsmith has now been assigned to the user jbrown, and the Properties page for user jbrown is displayed. The user jbrown can now log on using the third-party user account and authentication method. The user bsmith can no longer use this alias.
Deleting an alias
When you delete an alias, the alias is removed from the system. If a user has only one alias and you delete that alias, the system automatically deletes the user account and the Favorites folder, personal categories, and inbox for that account.
To delete an alias
1. Go to the Users management area of the CMC.
2. Click the link for the user whose alias you want to delete.
3. Click the Delete Alias button for the alias. The alias is deleted from the system.
Note: Deleting a user's alias does not necessarily prevent the user from being able to log on to BusinessObjects Enterprise again. If the user account still exists in the third-party system, and if the account belongs to a group that is mapped to BusinessObjects Enterprise, then BusinessObjects Enterprise will still allow the user to log on. Whether the system creates a new user or assigns the alias to an existing user depends on which Update Options you have selected for the authentication tool in the Authentication management area of CMC.
Disabling an alias
You can prevent a user from logging on to BusinessObjects Enterprise using a particular authentication method by disabling the user's alias associated with that method. To prevent a user from accessing BusinessObjects Enterprise altogether, disable all aliases for that user.
Note: Deleting a user from BusinessObjects Enterprise does not necessarily prevent the user from being able to log on to BusinessObjects Enterprise again. If the user account still exists in the third-party system, and if the account belongs to a group that is mapped to BusinessObjects Enterprise, then BusinessObjects Enterprise will still allow the user to log on. To ensure a user can no longer use one of his or her aliases to log on to BusinessObjects Enterprise, it is best to disable the alias. See also Deleting an alias on page 297.
To disable an alias
1. Go to the Users management area of the CMC.
2. Click the name of the user whose alias you want to disable.
3. In the Alias area on the Properties page, clear the Enabled check box for the alias you want to disable. Repeat this step for each alias you want to disable.
4. Click Update. The user can no longer log on using the type of authentication that you just disabled.
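The difference between deleting and disabling an alias, and the loss of an account with its last alias, can be checked against a small model before an off-boarding change is made. This is an added example, not code from this guide or from BusinessObjects Enterprise: AliasModel, its methods and the match_same_name flag (which stands in for the alias and update options selected in the CMC) are hypothetical names, and the accounts are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Alias:
    auth_type: str            # "Enterprise", "NT", "AD" or "LDAP"
    account: str              # account name in that authentication system
    enabled: bool = True


@dataclass
class User:
    name: str
    aliases: list = field(default_factory=list)


class AliasModel:
    """The alias rules as this guide states them (a model, not the product)."""

    def __init__(self, mapped_accounts, match_same_name=True):
        self.users = {}
        # (auth_type, account) pairs that still exist in the third-party
        # system and belong to a group mapped to BusinessObjects Enterprise.
        self.mapped_accounts = set(mapped_accounts)
        self.match_same_name = match_same_name   # assumption: CMC option

    def add_user(self, name, *aliases):
        self.users[name] = User(name, list(aliases))

    def _find(self, auth_type, account, required=True):
        for user in self.users.values():
            for alias in user.aliases:
                if (alias.auth_type, alias.account) == (auth_type, account):
                    return user, alias
        if required:
            raise KeyError(f"no alias {auth_type}:{account}")
        return None, None

    def _detach(self, user, alias):
        user.aliases.remove(alias)
        if not user.aliases:          # last alias gone: the account goes too
            del self.users[user.name]

    def delete_alias(self, auth_type, account):
        self._detach(*self._find(auth_type, account))

    def disable_alias(self, auth_type, account):
        self._find(auth_type, account)[1].enabled = False

    def reassign_alias(self, auth_type, account, to_name):
        if auth_type == "Enterprise":
            raise ValueError("Enterprise aliases cannot be assigned or reassigned")
        user, alias = self._find(auth_type, account)
        target = self.users[to_name]
        if target is not user:
            self._detach(user, alias)
            target.aliases.append(alias)

    def log_on(self, auth_type, account):
        """Return the Enterprise user the logon resolves to, or None if refused."""
        user, alias = self._find(auth_type, account, required=False)
        if alias is not None:
            return user.name if alias.enabled else None
        if (auth_type, account) not in self.mapped_accounts:
            return None
        # No alias, but the account is still in a mapped group: the alias is
        # created again at logon, on an existing or a new, uniquely named user.
        if self.match_same_name and account in self.users:
            owner = self.users[account]
        else:
            name, n = account, 0
            while name in self.users:
                n += 1
                name = f"{account}{n:02d}"
            owner = self.users[name] = User(name)
        owner.aliases.append(Alias(auth_type, account))
        return owner.name


def offboarding_demo():
    """bsmith leaves, but the NT account stays in a mapped group."""
    m = AliasModel(mapped_accounts={("NT", "bsmith")})
    m.add_user("bsmith", Alias("Enterprise", "bsmith"), Alias("NT", "bsmith"))
    results = {}
    m.delete_alias("NT", "bsmith")
    results["after_delete"] = m.log_on("NT", "bsmith")        # alias returns
    m.disable_alias("NT", "bsmith")
    results["after_disable"] = m.log_on("NT", "bsmith")       # refused
    results["enterprise_still_open"] = m.log_on("Enterprise", "bsmith")
    m.disable_alias("Enterprise", "bsmith")
    results["all_disabled"] = m.log_on("Enterprise", "bsmith")
    return results


def last_alias_demo():
    """Reassigning bsmith's only alias to jbrown removes the bsmith account."""
    m = AliasModel(mapped_accounts={("NT", "bsmith")}, match_same_name=False)
    m.add_user("bsmith", Alias("NT", "bsmith"))
    m.add_user("jbrown", Alias("Enterprise", "jbrown"))
    m.reassign_alias("NT", "bsmith", "jbrown")
    return sorted(m.users), m.log_on("NT", "bsmith")
```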
To set up the service account
On the domain controller, set up the domain service account. For detailed instructions, refer to http://msdn.microsoft.com.
Note: The procedure for setting up a domain service account varies, depending on whether you are using Windows 2000 or Windows 2003:
In Windows 2000, ensure that the Account is trusted for delegation option has been selected for the account.
In Windows 2003, ensure that the following two options have been selected for the account:
Trust this user for delegation to specified service only
Use Kerberos only
If you are using Windows 2003, you may have to first add a service principal name (SPN) for the domain account.
Configuring the server machines on page 300
Configuring the servers to use the service account on page 301
CMS
Page Server
Report Application Server
Web Intelligence Report Server
To configure the server machines
Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on page 299.
1. Click Start > Administrative Tools > Local Security Policy.
2. Click Local Policies, then click User Rights Assignment.
3. Double-click Act as part of the operating system.
4. Click Add.
5. Double-click the service account, and then click OK.
6. Ensure that the Local Policy Setting check box is selected, and then click OK.
7. Repeat the above steps on each machine running a BusinessObjects Enterprise server. For detailed instructions, see Controlling users' access to objects on page 317.
CMS server
Page Server
Report Application Server
Web Intelligence Report Server
To configure a server
Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on page 299.
1. Start the CCM.
2. Stop the server you want to configure, for example, the CMS server.
3. Double-click the server you want to configure. The Properties dialog box is displayed.
4. On the Properties tab:
a. In the Log On As area, deselect the System Account check box.
b. Enter the user name and password for the service account.
c. Click Apply, and then click OK.
5. Start the server again.
6. Repeat steps 2 through 5 for each BusinessObjects server that has to be configured.
Setting up an AD Administrator account. This account requires read access to Active Directory only; it does not require any other rights.
Enabling Kerberos single sign-on and setting the service principal name (SPN) to use a service account.
To configure the Windows AD security plug-in
1. Go to the Authentication management area of the CMC.
2. Click the Windows AD tab.
3. Ensure that the Windows Active Directory Authentication is enabled check box is selected.
4. Select the Single sign-on is enabled check box.
Note: For related information about configuring the Windows AD plug-in, see Managing AD accounts on page 275.
5. Set up the AD administrator account:
a. Click AD Administrator Name.
b. Enter the name and password for the account and the default AD Domain.
Note: The AD Administrator account requires read access to Active Directory only; it does not require any other rights.
c. Click Update.
6. In the Mapped AD Member Group area, map the AD group for the AD users who require access to BusinessObjects Enterprise via AD authentication and single sign-on. See Mapping AD accounts on page 276.
7. Under Authentication Options select the following:
Select the Use Kerberos authentication check box.
Select the Cache Security context (required for SSO to database) check box.
In the Service Principal Name box, enter the service principal name of the service account.
Note: This must be the same account that you use to run the BusinessObjects Enterprise servers. See Setting up a service account on page 299.
8. Click Update.
If the CMS cache expiry is greater than that of the ticket, the system renews the ticket until the CMS cache expiry is reached.
If the CMS cache expiry is less than that of the ticket, the ticket will expire when the CMS cache expiry is reached.
If the CMS cache expiry is zero, the system will use the globally set ticket expiry.
The other servers use either their cache expiry or the ticket expiry, whichever has the lowest value. Regardless of whether the cache expiry for the server is greater or less than that of the ticket, the ticket will expire when the lowest expiry value is reached. The system comes configured with default values for the server cache expiry. Use the following procedure to change these settings when needed.
Note: If you are running multiple instances of a server, you can control the cache expiry for each instance individually.
To configure the servers in CMC
1. Go to the Servers management area of the CMC.
2. Click the link for the server.
3. Click the Single Sign-On tab.
4. Type in a new cache expiry value.
5. Click Update.
Configuring the BusinessObjects Enterprise clients on the IIS on page 304
Configuring the Internet Explorer browser on a client machine on page 304
Setting up the client machines for integrated Windows authentication.
Adding the IIS to the trusted sites.
Note: If configuring the IIS for single sign-on to the database only, you do not need to configure the browser for single sign-on. See also Configuring IIS for single sign-on to databases only on page 309.
Note: You can automate the following steps through a registry key. For details, refer to your Windows documentation.
To configure the IE browser on the client machines
1. On the client machine, open an Internet Explorer browser window.
2. Enable integrated windows authentication:
a. Click Tools > Internet Options. The Internet Options dialog box appears.
b. Click the Advanced tab.
c. Navigate to the Security settings.
d. Click the Enable integrated windows authentication option, and then click Apply.
3. Add the IIS to the Trusted sites. You can enter the full domain name of the site:
a. Click Tools > Internet Options. The Internet Options dialog box appears.
b. Click the Security tab.
c. Click Sites.
d. Click Advanced.
e. Type in the web site for the IIS, and then click Add.
f. Click OK, and then click OK twice more to close the Internet Options dialog box.
4. Close the Internet Explorer browser windows and then open them again for the changes to take effect.
5. Repeat the above steps on each BusinessObjects Enterprise client machine.
Configuring IIS5 for Kerberos end-to-end single sign-on on page 305
Configuring IIS6 for Kerberos end-to-end single sign-on on page 307
Note: Instead of configuring the IIS worker processes for end-to-end single sign-on you can configure them to use single sign-on to the database only. You may want to do this, for example, if you don't want to run the IIS worker processes under an account that has been trusted for delegation. For more information, see:
Configuring IIS for single sign-on to databases only on page 309
Configuring web applications for single sign-on to the databases on page 313.
305
12
You can run the IIS either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:
If you use a machine domain account, the password will be automatically generated and won't expire, nor can it be exposed or modified.
If you use a user domain account, you have more control over the rights for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition.
Which approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com. Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:
To run the IIS5 worker process under the machine domain account on page 306
To run the IIS5 worker process under a user domain account on page 307
To run the IIS5 worker process under the machine domain account
1. On the domain controller, set the domain account of the IIS machine to be trusted for delegation. Changing this property can take several minutes to propagate.
2. Set the Aspnet_wp.exe to run as a machine domain account. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:
   userName="SYSTEM" Password="AutoGenerate"
   In the above path name, version represents the software version.
   Note: Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts.
   Note: For security reasons, make sure that the account which the IIS helper processes run under does not belong to a mapped group.
3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
   setspn -A HTTP/serverhost.domainname.com serverhost
   For example, if access is via www.domainname.com but the machine name is web.domainname.com.
To run the IIS5 worker process under a user domain account
1. Set the Aspnet_wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:
   userName="domainaccount" Password="password"
   Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account. In the above path name, version represents the software version.
   Note: For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group.
2. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
   setspn -A HTTP/serverhost.domainname.com serverhost
   For example, if access is via www.domainname.com but the machine name is web.domainname.com.
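A check an administrator could run over machine.config to see which of the two identities above is configured and to flag the risks the notes describe. This is an added example, not part of the product or of the original guide; the function name, finding codes, sample account name and mapped-group member list are assumptions, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples of the two configurations the procedures describe.
MACHINE_ACCOUNT_CONFIG = """<configuration><system.web>
  <processModel enable="true" userName="SYSTEM" Password="AutoGenerate"/>
</system.web></configuration>"""

USER_ACCOUNT_CONFIG = """<configuration><system.web>
  <processModel enable="true" userName="EXAMPLE\\svc-infoview" Password="constructed-password"/>
</system.web></configuration>"""


def audit_process_model(config_xml, mapped_group_members=()):
    """Return a list of (code, message) findings for the <processModel> element.

    mapped_group_members: account names that belong to a group mapped into
    BusinessObjects Enterprise (supplied by the caller; hypothetical input).
    """
    root = ET.fromstring(config_xml)
    node = root.find(".//processModel")
    if node is None:
        return [("no-process-model", "no <processModel> element found")]

    # The guide prints the attribute as Password; attribute names are compared
    # case-insensitively here so either spelling is read.
    attrs = {name.lower(): value for name, value in node.attrib.items()}
    user = attrs.get("username", "")
    password = attrs.get("password", "")
    findings = []

    if user.upper() == "SYSTEM":
        # Machine domain account: no stored password, but broad privilege.
        findings.append((
            "runs-as-system",
            "all ASP.NET web applications on this web server run as "
            "privileged system accounts",
        ))
    elif password and password.lower() != "autogenerate":
        # User domain account: the password sits in the file in clear text.
        findings.append((
            "plaintext-password",
            "password for %s is stored in machine.config; it can be exposed "
            "or modified, and an expired password causes an error condition" % user,
        ))

    members = {m.lower() for m in mapped_group_members}
    if user.lower() in members:
        findings.append((
            "mapped-group-member",
            "%s belongs to a mapped group; the worker process account "
            "should not" % user,
        ))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("machine account", MACHINE_ACCOUNT_CONFIG),
                            ("user account", USER_ACCOUNT_CONFIG)):
        print(label)
        for code, message in audit_process_model(
                xml_text, mapped_group_members=["EXAMPLE\\svc-infoview"]):
            print("  [%s] %s" % (code, message))
```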
If you use a machine domain account, the password will be automatically generated and won't expire, nor can it be exposed or modified.
If you use a user domain account, you have more control over the rights for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition.
Which approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com. Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:
To run the IIS6 worker process under the machine domain account on page 308
To run the IIS6 worker process under a user domain account on page 309
To run the IIS6 worker process under the machine domain account
1. On the domain controller, set the account of the IIS machine to be trusted for delegation. Changing this property can take several minutes to propagate!
   If you don't want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also Configuring IIS for single sign-on to databases only on page 309.
2. Configure the account for the w3wp.exe worker process:
   a. In the Internet Service Manager window, right-click the machine name and select Application Pool > New.
   b. Type in a name for the application pool.
   c. In the tree panel on the left, expand machine name > Web Site > Default Web Site > businessobjects > EnterpriseXX.
   d. Right-click InfoView and select Properties.
   e. On the Directory tab select the new application pool name from the list, and then click Apply.
   f. Right-click the application pool you created, and select Properties.
   g. On the Identity tab select LocalSystem from the list, and then click Apply.
   Note: Configuring the w3wp.exe account to run as a LocalSystem account will cause all ASP.NET web applications on the web server to run as privileged system accounts.
   Note: For security reasons, make sure that the account which the IIS worker processes run under does not belong to a mapped group.
3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
   setspn -A HTTP/serverhost.domainname.com serverhost
   For example, if access is via www.domainname.com but the machine name is web.domainname.com.
To run the IIS6 worker process under a user domain account
1. Set the w3wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:
   userName="domainaccount" Password="password"
   In the above path name, version represents the software version. Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account.
   Note: If you don't want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also Configuring IIS for single sign-on to databases only on page 309.
   Note: For security reasons, make sure that the account which the IIS worker processes run under does not belong to a mapped group.
2. Add the domain account to the IIS_WPG local group, and give it the relevant rights to access the needed files. For more information, see http://msdn.Microsoft.com.
3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
   setspn -A HTTP/serverhost.domainname.com serverhost
   For example, if access is via www.domainname.com but the machine name is web.domainname.com.
Configuring IIS5 for single sign-on to database only on page 310 Configuring IIS6 for single sign-on to database only on page 311
2. Configure the web applications for single sign-on to the database instead of end-to-end single sign-on. See Configuring web applications for single sign-on to the databases on page 313.
   Note: If configuring the IIS for single sign-on to the database only, you do not need to configure the browser for single sign-on. See Configuring the Internet Explorer browser on a client machine on page 304.
3. Clear the Single Sign On is enabled check box on the Windows AD page in the Authentication management area in CMC.
If you use a machine domain account, the password will be automatically generated and won't expire, nor can it be exposed or modified.
If you use a user domain account, you have more control over the rights for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition.
Which approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com.
To configure the IIS5 for single sign-on to databases only
1. Make sure IIS is running as a domain account.
2. Set the Aspnet_wp.exe to run as a machine domain account. To do this, change the following parameters to the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:
   userName="SYSTEM" Password="AutoGenerate"
   In the above path name, version represents the software version.
   Note: Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts.
   Note: For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.
3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
   setspn -A HTTP/serverhost.domainname.com serverhost
   For example, if access is via www.domainname.com but the machine name is web.domainname.com.
If you use a machine domain account, the password will be automatically generated and won't expire, nor can it be exposed or modified.
If you use a user domain account, you have more control over the rights for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition.
Which approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com.
To configure the IIS6 for single sign-on to databases only
1. Make sure IIS is running as a domain account.
2. Configure the account for the w3wp.exe worker process:
   a. In the Internet Service Manager window, right-click the machine name and select Application Pool > New.
   b. Type in a name for the application pool.
   c. In the tree panel on the left, expand machine name > Web Site > Default Web Site > businessobjects > EnterpriseXX.
   d. Right-click InfoView and select Properties.
   e. On the Directory tab select the new application pool name from the list, and then click Apply.
   f. Right-click the application pool you created, and select Properties.
   g. On the Identity tab select LocalSystem from the list, and then click Apply.
   Note: Configuring the w3wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts.
   Note: For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.
3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
   setspn -A HTTP/serverhost.domainname.com serverhost
   For example, if access is via www.domainname.com but the machine name is web.domainname.com.
2. Add the following lines to the <system.web> block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\InfoView\Web.config file:
3. Enable Windows authentication by commenting out the following line in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise 11\InfoView\Web.config as shown:
   <!-- <remove name="WindowsAuthentication"/> -->
2. Set InfoView to not impersonate the users, by adding the following lines to the <system.web> block in the Web Content\Enterprise 11\InfoView\Web.config file:
   Note: Make sure you set identity impersonate to false.
Users will now be able to log on to BusinessObjects Enterprise by providing their logon credentials in the InfoView or CMC logon dialog box and selecting Windows AD authentication. Once they are logged on, the users will have single sign-on access to the databases associated with BusinessObjects Enterprise.
If SQL Server is running under the LocalSystem account, no additional configuration is required. SQL Server registers itself when it starts and the system registers the SPN. When SQL Server shuts down, the system automatically un-registers the SPNs for the LocalSystem account. If SQL Server is running under a service account, you have to configure it to be trusted for delegation.
To run SQL Server under a service account
1. In Active Directory, set up the SQL Server service account for security delegation:
   a. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.
   b. Right-click the domain account and select Properties.
   c. On the Accounts tab, make sure the following options are selected:
      In Windows 2000, ensure that the Account is trusted for delegation option has been selected for the account.
      In Windows 2003, ensure that the following two options have been selected for the account: Trust this user for delegation to specified service only and Use Kerberos only.
   If you are using Windows 2003, you may have to first add a service principal name (SPN) for the domain account.
2. Set the machine running SQL Server as follows:
   a. Computer is trusted for delegation
3. Click Apply, and then click OK.
Where host:port is the name of the machine running SQL Server and the port that, and serviceaccount is the name of the SQL Server service account.
Inherited Rights
No Access
View
Schedule
View On Demand
Full Control
Advanced
In addition to setting user and group rights for report objects from the Objects management area, you can also set user and group rights at the folder level. When you set rights at the folder level, these limits will be in effect for all objects that inherit rights from the folder (including any objects found within the subfolders). For detailed information on the different access modes for object rights and information on inherited rights, see Controlling users' access to objects on page 317.
To add groups or users to an object's rights settings
1. In the Objects management area of the CMC, select an object by clicking its link.
2. Click the Rights tab. The Rights tab appears.
3. Click Add/Remove.
4. Select an option in the Select Operation list.
5. Select the group(s) or user(s) you would like to add or remove.
6. Click the > arrow to add the group(s) or user(s); click the < arrow to remove the group(s) or user(s).
7. Click OK.
To change a group or user's report rights
1. In the Objects management area of the CMC, select an object by clicking its link.
2. Click the Rights tab. The Rights tab appears.
3. Change the access level for a group or user by selecting a right from the appropriate list in the Access Level column; then click Update. If you select Advanced from the list, you grant or deny granular rights from the Advanced Rights page. For more information, see Setting advanced object rights on page 322.
This example shows the rights for the Report Samples folder.
The Name column lists all users and groups who have been given rights to the object. The Object column shows whether the entry is a User or a Group. In this case, users have not been specified individually; instead, users have been divided into two groups, Everyone and Administrators, which have been granted rights to the folder object. Click Add/Remove to add or remove a user or group to this object.
The Access Level column shows how each user's or group's rights are determined. In this example, both groups possess Inherited Rights. You can change the rights for either group by selecting a predefined access level (or by selecting Advanced) from the list in the Access Level column. When you change an entry in the Access Level column, click Update to effect your changes. For more information, see Setting common access levels on page 320.
The Net Access column displays the net effect of whatever is selected in the Access Level column. That is, the Net Access column shows the effective rights that each user or group has to the object. The Net Access column is particularly useful when you are working with inheritance. In this example, the Everyone group inherits rights from a parent folder, one that is not displayed on this screen. The Net Access column shows that the rights inherited from the parent folder are equivalent to the Schedule access level.
Tip: If you want to view the individual object rights that make up a user's (or group's) Net Access, click the corresponding Access Level list and select Advanced. The Advanced Rights page displays the user's full array of object rights that have been specified explicitly and/or inherited. Click Cancel to exit without making changes. For more information, see Setting advanced object rights on page 322.
For detailed tutorials that walk you through sample implementations of object rights, see Customizing a top-down inheritance model on page 331.
When you assign an access level to a group, each user in the group will have at least that level of access to the object. If the user is a member of multiple groups, then he or she inherits the combination of each group's rights. Thus, when a user is a member of multiple groups, he or she inherits the greatest possible rights.
When you assign an access level directly to a user, you ensure that the user has only that level of access to the object. In other words, you prevent the user from inheriting rights that he or she may have otherwise acquired by virtue of group membership.
No Access
The user or group is not able to access the object or folder. InfoView, the Publishing Wizard, and the CMC enforce this right by ensuring that the object is not visible to the user.
View
If this access level is set at the folder level, the user or group is able to view the folder, the objects contained within the folder, and all generated instances of each object. If this access level is set at the object level, the user can view the object, the history of the object, and all generated instances of the object. The user cannot, however, schedule the object or refresh it against its data source.
Schedule
The user or group is able to view the object or folder and its contents, and to generate instances by scheduling the object to run against the specified data source once or on a recurring basis. The user or group can view, delete, and pause the scheduling of instances that they own. They can also schedule to different formats and destinations, set parameters and database logon information, pick servers to process jobs, add contents to the folder, and copy the object or folder.
View On Demand
In addition to the rights provided by the Schedule access level, the user gains the right to refresh data on demand against the data source.
Full Control
This access level grants all of the available advanced rights. It is the only access level that allows users to delete objects (folders, objects, and instances). This access level also allows users to modify all of the object's properties, including the object rights that are set on the folder or object. Basically, this access level is designed to provide a user or group with administrative control over one or more folders or objects. Users can then log on to the CMC and add, edit, and remove content as required, without being members of the actual Administrators group.
Advanced
This access level does not include a predefined set of object rights. Instead, it allows you to customize a user's or group's access to an object by selecting from the complete range of available object rights. For more information, see Setting advanced object rights on page 322.
Note: There is no predefined access level to grant users the rights required to create or modify reports through the Report Application Server (RAS). For details, see Object rights for the Report Application Server on page 568.
For a detailed listing of the object rights that make up each access level, see Rights and Access Levels on page 563.
Note: In the developer documentation, access levels are referred to as roles.
To set an access level for a user or group
1. Go to the Objects or Folders management area of the CMC.
2. Locate the object whose rights you want to modify.
3. Click the link to the object, and then click its Rights tab.
4. In the Name column, locate the user or group whose rights you want to specify. If the user or group is not listed, click Add/Remove. Add the appropriate user or group and click OK. You are returned to the object's Rights tab.
5. In the Access Level column, select the access level (No Access, View, Schedule, View On Demand, or Full Control) that is appropriate for the user or group.
6. Click Update.
Tip: For detailed tutorials that walk you through sample implementations of object rights, see Customizing a top-down inheritance model on page 331.
Note: Because of the relative priorities assigned by BusinessObjects Enterprise to granted and denied rights, you must disable inheritance entirely when you need to explicitly grant a right that has been denied elsewhere to the user or group. For complete details, see Priorities affecting advanced inheritance settings on page 330.
To view or set advanced rights
1. Go to the Objects or Folders management area of the CMC.
2. Locate the object whose rights you want to modify.
3. Click the link to the object, and then click its Rights tab.
4. In the Name column, locate the user or group whose rights you want to specify. If the user or group is not listed, click Add/Remove. Add the appropriate user or group and click OK. You are returned to the object's Rights tab.
5. The next step depends upon the entry that already appears in the Access Level list for this user or group:
   If the Access Level is not already set to Advanced, click the list and select Advanced.
   If the Access Level is already set to Advanced, click the Advanced link in the Net Access column.
The available object rights are displayed in the Advanced Rights page. This example shows advanced rights being applied to the Guest user for an Employee Profile report.
The first two options specify which types of inheritance affect the Guest user's rights to this object. In this example, the Guest user cannot inherit rights by virtue of group membership. But, the Guest user may inherit any rights that he or she has been granted to this report's parent folder.
The remainder of the Advanced Rights page lists all available object rights and shows how each right applies to the Guest user. To customize the overall security levels, you can explicitly grant or deny any given right, or you can specify that you want certain rights to be inherited.
The Inherited column serves as an indicator to show how inherited rights affect the Guest user's effective rights to this report object. A user or group can be granted or denied a right by virtue of inheritance. In addition, some rights may remain not specified; that is, they are neither granted nor denied. If an inherited right is labelled as Not Specified, BusinessObjects Enterprise treats it as having been denied. (And if the right is later granted for a parent group or object, the user or group will automatically inherit the right at this level.)
In this example, the Guest user has two inherited rights (the right to View document instances that the user owns and to Pause and Resume document instances that the user owns). Currently, these rights are not specified, so the rights are denied by default. However, if the Guest user's rights should change on the report's parent folder, the rights will also change for this report object. This demonstrates how inheritance can facilitate future changes to the overall security model.
Tip: For scalability and manageability, it is recommended that you leave as many rights as possible inherited, because the system automatically updates those rights as you modify and update your security settings throughout the folder and group hierarchies.
The Explicitly Granted column shows which actions the Guest user is allowed to perform on this report. The Guest user is currently granted eleven rights to this report (the right to View objects, Schedule the document to run, and so on). Because group inheritance is disabled, the Guest user will retain these rights, even if its group membership is modified or changed completely. This demonstrates how you can use explicit rights to override a group's rights for a particular group member.
The Explicitly Denied column works similarly to the Explicitly Granted column. Regardless of any future changes to the user's group membership, an explicitly denied right always prevents a user from performing the associated action. In this example, the Guest user has been explicitly denied eleven rights (the right to Add objects to the folder, Edit objects, and so on). Again, this demonstrates how you can use explicit rights to override a group's rights for a particular group member.
When you have made your changes on the Advanced Rights page, click OK.
Tip: For detailed tutorials that walk you through sample implementations of object rights, see Customizing a top-down inheritance model on page 331.
To facilitate administration, it is recommended that you enable and disable inheritance with access levels whenever possible (instead of with advanced rights). Additionally, it is recommended that you make your initial settings at the top-level BusinessObjects Enterprise folder and disable inheritance only when necessary. For detailed tutorials that walk you through sample implementations of object rights, see Customizing a top-down inheritance model on page 331. Tip: By default, users or groups who have rights to a folder will inherit the same rights for any object that you subsequently publish to that folder. Consequently, the best strategy is to set the appropriate rights for users and groups at the folder level first. Then publish objects to that folder.
these rights by ascending the inheritance tree to the level at which the inherited rights begin to take effect. The CMS denies any right that is explicitly denied (even if the right had already been explicitly granted).
3. If group inheritance is enabled for the user, the CMS determines the rights specified on the object for each of the groups that the user belongs to. The CMS denies any right that is explicitly denied in any group (even if the right had already been explicitly granted).
4. If group inheritance is enabled for the user, and folder inheritance is enabled for a group that the user belongs to, then the CMS determines the rights that the group has to the parent folder. The CMS denies any right that is explicitly denied in any group (even if the right had already been explicitly granted).
5. The CMS completes the algorithm by denying any rights that remain Not Specified.
As a result, when both types of inheritance are enabled, the CMS grants the user only those rights that are explicitly granted in one or more locations and never explicitly denied.
When you disable both types of inheritance for a user, you reduce this algorithm to two steps (1 and 5). Thus, the CMS grants the user only those rights that he or she has been explicitly granted. This provides you with the least complicated way of ensuring that a user has only those rights that you have explicitly granted to him or her for a particular object.
When you disable folder inheritance for a user, you reduce this algorithm to three steps (1, 3, and 5). When you disable group inheritance for a user, you reduce this algorithm to three different steps (1, 2, and 5). In both cases, the CMS grants the user only those rights that are explicitly granted in one or more locations and never explicitly denied.
This pseudocode is provided as another way to illustrate and describe the algorithm that the CMS follows in order to determine whether a user is authorized to perform an action on a particular object:
IF {
    (User granted right to object = True)
    OR [ (Inherit Parent Folder Rights = True) AND (User granted right to parent folder = True) ]
    OR [ (Inherit Group Rights = True) AND (Group granted right to object = True) ]
    OR [ (Inherit Group Rights = True) AND (Group granted right to parent folder = True) ]
}
AND {
    (User denied right to object = False)
    AND [ (Inherit Parent Folder Rights = False) OR ((Inherit Parent Folder Rights = True) AND (User denied right to parent folder = False)) ]
    AND [ (Inherit Group Rights = False) OR ((Inherit Group Rights = True) AND (Group denied right to object = False)) ]
    AND [ (Inherit Group Rights = False) OR ((Inherit Group Rights = True) AND (Group denied right to parent folder = False)) ]
}
THEN { User action authorized = True }
ELSE { User action authorized = False }
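The evaluation described by the steps and pseudocode above, written out as a small Python model that can be run against constructed rights settings. This is an added example, not code from BusinessObjects Enterprise; the Request class, the acl dictionary layout and the sample user and group names are assumptions made for illustration, and it extends the pseudocode's single Group to any number of groups, as the prose steps describe.

```python
from dataclasses import dataclass, field
from enum import Enum


class Setting(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NOT_SPECIFIED = "not specified"


@dataclass
class Request:
    """One right, one user, one object, as evaluated by the algorithm above."""
    user: str
    groups: list
    inherit_folder: bool = True   # "Inherit Parent Folder Rights"
    inherit_group: bool = True    # "Inherit Group Rights"
    # (principal, "object" | "parent") -> Setting; a missing key is Not Specified
    acl: dict = field(default_factory=dict)


def applicable_settings(req):
    """Return [(source, Setting)] for every location the algorithm consults."""
    def look(principal, where):
        setting = req.acl.get((principal, where), Setting.NOT_SPECIFIED)
        return ("%s on %s" % (principal, where), setting)

    found = [look(req.user, "object")]            # step 1: explicit user rights
    if req.inherit_folder:
        found.append(look(req.user, "parent"))    # step 2: folder inheritance
    if req.inherit_group:
        for group in req.groups:
            found.append(look(group, "object"))   # step 3: group rights on the object
            # step 4: group rights on the parent folder. Like the pseudocode,
            # this model has no separate per-group folder-inheritance switch.
            found.append(look(group, "parent"))
    return found


def is_authorized(req):
    """Granted somewhere that counts, and denied nowhere that counts."""
    settings = [setting for _, setting in applicable_settings(req)]
    granted = Setting.GRANTED in settings
    denied = Setting.DENIED in settings
    return granted and not denied   # step 5: Not Specified everywhere means denied


def blocking_entries(req):
    """Name the consulted entries whose explicit denial blocks the right."""
    return [src for src, s in applicable_settings(req) if s is Setting.DENIED]


def demo_requests():
    """Constructed scenarios (sample data, not taken from a real system)."""
    G, D = Setting.GRANTED, Setting.DENIED
    clash = {("guest", "object"): G, ("Sales", "object"): D}
    return {
        # Right reaches the user only through a group's rights on the parent folder.
        "inherited_grant": Request("guest", ["Everyone"],
                                   acl={("Everyone", "parent"): G}),
        # One group grants, another denies: the denial wins.
        "deny_wins": Request("guest", ["Everyone", "Sales"],
                             acl={("Everyone", "parent"): G, ("Sales", "object"): D}),
        # An explicit user grant does not override a denial that is still inherited.
        "explicit_grant_blocked": Request("guest", ["Sales"], acl=dict(clash)),
        # Same settings with inheritance disabled: only steps 1 and 5 run.
        "explicit_grant_isolated": Request("guest", ["Sales"], inherit_folder=False,
                                           inherit_group=False, acl=dict(clash)),
        "nothing_specified": Request("guest", ["Everyone"]),
    }


if __name__ == "__main__":
    for name, req in demo_requests().items():
        print("%-26s authorized=%-5s blocked by=%s"
              % (name, is_authorized(req), blocking_entries(req)))
```

The explicit_grant_blocked and explicit_grant_isolated cases show why inheritance has to be disabled before an explicit grant can take effect over a denial made elsewhere.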
Rights that are not specified are denied by default. On the Advanced Rights page for any object, the Inherited Rights column may label certain rights as Not Specified. This entry denotes rights that are neither granted nor denied by inheritance. To prevent possible security breaches, BusinessObjects Enterprise automatically denies rights that are not specified.
Setting up an open system of decreasing rights on page 334
This detailed tutorial creates an open security model. By default, all users and groups are first granted rights to all objects on the system. As you add folders and subfolders to the system, you decrease the rights of users and groups, as required, in order to secure particular BusinessObjects Enterprise content.
Setting up a closed system of increasing rights on page 346
This shorter tutorial creates the basis for a closed security model. By default, users and groups cannot access any objects on the system. As you add folders and subfolders to the system, you increase the rights of users and groups, as required, in order to grant access to particular BusinessObjects Enterprise content.
You can use your own Enterprise, NT, or LDAP groups when following along with these tutorials, or you can create new groups that correspond to those used in the tutorial. For details on setting up these groups and subgroups, see Creating groups for the tutorials on page 332. In each tutorial, you will specify the object rights that particular groups have to certain folders on the system. By making all of your security settings at the group and folder levels, you reduce the administrative efforts now and later. After finishing each tutorial, you may decide to add users to each group and to publish objects to each folder. If you do so, each user will inherit the appropriate rights for every folder and object on the system.
3. In the Group Name field, type Marketing.
4. In the Description field, type This group contains all users who work in Marketing.
5. Click OK. The Marketing group is added to the system and the page is refreshed.
   Tip: Click the Users tab if you want to add your own users to this group.
6. Repeat steps 1 to 5 to create another group called Sales. Use this description for the group: This group contains all users who work in Sales (worldwide).
To create the Sales subgroups
1. Go to the Groups management area of the CMC.
2. Click New Group.
3. In the Group Name field, type Sales USA
4. In the Description field, type This group contains all users who work in Sales in the USA.
5. Click OK. The Sales USA group is added to the system and the page is refreshed.
   Tip: Click the Users tab if you want to add your own users to this group.
6. Click the Member of tab; then click the Member of button. The Modify Member of page appears.
7. In the Available groups list, select Sales; then click the > arrow. The Sales group is added to the Sales USA is a member of list, as displayed here:
8. Click OK. You are returned to the Member of tab. The Sales USA group is now a member (or subgroup) of the Sales group.
9. Repeat steps 1 to 8 to create the remaining Sales subgroups for the tutorials. Use the following values for the Group Name and Description fields:
   Group Name               Description
   Sales Japan              This group contains all users who work in Sales in Japan.
   Sales Managers           This group contains all users who manage a Sales team.
   Sales Report Designers   This group contains all users who design and publish reports for the Sales teams.
If you now return to the Groups management area of the CMC, all of the new groups are displayed as follows:
You are now ready to proceed to either of the object security tutorials:
Setting up an open system of decreasing rights on page 334.
Setting up a closed system of increasing rights on page 346.
In this scenario, you are creating folders for several groups within your organization. You have some reports that you want to add to the system immediately. Because some groups plan to add their own reports later, you also need to give some users the ability to add subfolders and to publish reports. These are your security requirements for each folder:
Everyone must be able to view the majority of your reports.
Administrators require Full Control access to all folders and objects on the system.
Sales Managers are allowed to refresh most reports against the database to view the most recent data.
The Marketing group needs Full Control access to its own set of folders that no other user can access (other than Administrators).
The Sales groups need a hierarchy of folders containing worldwide reports, regional reports, and management reports:
   All Sales staff can view worldwide reports.
   Sales staff can also view reports for their own regions. If the staff member is also a Manager, he or she can view and refresh reports from all regions.
   Sales Managers require Full Control access to the management reports.
   Sales Report Designers require custom administrative privileges to all Sales folders.
For a shorter, less detailed tutorial, see Setting up a closed system of increasing rights on page 346.
Everyone must be able to view the majority of your reports.
Administrators require Full Control access to all folders and objects on the system.
Sales Managers are allowed to refresh most reports against the database to view the most recent data.
To change the rights on the top-level folder
1. Go to the Settings management area of the CMC.
2. Click the Rights tab. By default, the Everyone and the Administrators groups are granted access to this folder. You now need to reduce the rights of the Everyone group and to increase the rights of the Sales Managers.
3. Click the Access Level list that corresponds to the Everyone group, and select View.
4. Click Update. The rights for the Everyone group are reduced and the View access level is now displayed in the Net Access column. Now you will customize the top-level rights for the Sales Managers group.
5. Click Add/Remove. The Add/Remove page appears.
6. In the Select Operation list, click Add/Remove Groups.
7. In the Available groups list, select Sales Managers.
8. Click the > arrow; then click OK. You are returned to the Rights tab on the Settings page.
   Ensure that you grant the Sales Managers group View On Demand access. If necessary, change the Access Level list and click Update. This provides the Sales Managers group with sufficient rights to refresh reports.
Now, your system meets your first three security requirements. The Everyone, Administrators, and Sales Managers groups will initially inherit these rights for any folders, subfolders, or reports that you subsequently publish to BusinessObjects Enterprise. You might, for instance, create folders for all of your generally accessible inventory reports, customer list reports, purchasing order reports, and so on. Now that you have created an open basis for your object security model, you will proceed to restricting access to certain folders within the system.
To decrease rights to a private folder
1. Go to the Folders management area of the CMC.
2. Click New Folder.
3. On the Properties tab, in the Folder Name field, type Marketing Only.
4. In the Description field, type This folder is accessible only to Marketing.
5. Click OK.
6. Click the Rights tab.
7. In the Access Level column, select the following rights for each group:
8. Click Update. The Net Access column shows that you have secured this folder from all users other than Administrators. Next, you will grant the Marketing group Full Control access to this folder.
9.
10. In the Select Operation list, click Add/Remove Groups.
11. In the Available groups list, select Marketing.
12. Click the > arrow; then click OK. You are returned to the Rights tab. The Marketing group is granted access to the folder. You need to change the default setting to grant them Full Control access.
13. Click the Access Level list that corresponds to the Marketing group, and select Full Control.
14. Click Update. The Net Access column shows that you have granted the Marketing group Full Control access to this folder. Members of this group now have the ability to perform all tasks in this folder. They can add and delete reports, folders, and subfolders, and they can view, schedule, and export reports to all available destinations and formats.

To complete this tutorial, you need to customize the rights that various Sales groups have to a hierarchical set of Sales folders. Before setting the rights for each group, you will see how to create multiple folders quickly when you publish a set of reports to BusinessObjects Enterprise.
2. Arrange your reports (.rpt files) in the new folders on your local hard drive. If you do not have any of your own reports, use some of the sample reports included with BusinessObjects Enterprise. The sample reports are typically installed to C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Samples\language\Reports (replace language with, for example, en, de, fr, or jp, depending upon your version of BusinessObjects Enterprise).
   Note: To complete this procedure, you must place at least one report file in each of the folders that you have created on your local hard drive. Otherwise, the Publishing Wizard will not create the appropriate directories on the BusinessObjects Enterprise system.
3. From the BusinessObjects Enterprise XI Programs group, start the Publishing Wizard and, when it appears, click Next.
4. In the System field, type the name of the CMS to which you want to add objects.
5. In the User Name and Password fields, type your BusinessObjects Enterprise credentials.
6. From the Authentication list, select the appropriate authentication type.
7. Click Next. The Select A File dialog box appears.
8. Click Add Folders.
9. Select the top level Worldwide Sales folder that you created on your local hard drive.
10. Select the Include subfolders check box, and then click OK.
    You are returned to the Select A File dialog box. All of the reports are added to the list.
11. Click Next. The Specify Location dialog box appears.
12. In the Specify Location dialog box, click New Folder.
13. Name the folder Worldwide Sales and ensure that it is located at the top of the directory tree, as shown here:
14. Click Next. The Specify Folder Hierarchy dialog box appears.
15. Select Duplicate the folder hierarchy to duplicate the local folder hierarchy on the BusinessObjects Enterprise system; then click Next. The Confirm Location dialog box appears. You can see here that the Regional Sales folders will be created below the Worldwide Sales folder, and the Managers Only folders will be created as additional subfolders. The actual report files are arranged in the appropriate folders.
16. Click Next.
17. Proceed through the rest of the Publishing Wizard and make any desired changes to your reports.
    Tip: If you are publishing sample reports for the purpose of this tutorial, click Next to accept all the default values. For more information on the rest of the Publishing Wizard, see Publishing with the Publishing Wizard on page 376.
    When the Publishing Wizard has added the reports and folders to the system, it displays a summary:
18. Click Finish to close the Publishing Wizard.
You are now ready to set each Sales group's object rights for the new set of Sales folders.

All Sales staff can view worldwide reports.
Sales staff can also view reports for their own regions. If the staff member is also a Manager, he or she can view and refresh reports from all regions.
Sales Managers require Full Control access to the management reports.
Sales Report Designers require custom administrative privileges to all Sales folders.

To set the base rights on the Worldwide Sales folder
1. Go to the Folders management area of the CMC.
2. Click the link to the Worldwide Sales folder.
3. On the folder's Rights tab, click Add/Remove.
4. In the Select Operation list, click Add/Remove Groups.
5. In the Available groups list, select Sales and Sales Report Designers.
   Tip: Use CTRL+click to select multiple groups.
6. Click the > arrow; then click OK. You are returned to the Rights tab.
7. In the Access Level column, select the following rights for each group:
   Administrators: Inherited Rights
   Everyone: No Access
   Sales: View
   Sales Managers: Inherited Rights
   Sales Report Designers: This group requires additional rights to publish content to this folder. You will use advanced rights to make these changes in the next procedure. For now, leave the Access Level list with the default settings.
8. Click Update. The Net Access column is updated to show your new security settings.
You now need to grant the Sales Report Designers group a set of advanced rights, so group members can administer all the Sales folders.
4.
Tip: You may choose to explicitly deny additional rights to suit your needs. For instance, to prevent these folder administrators from copying confidential reports to public folders, you could deny the Copy objects to another folder right. Or, if you prefer to retain all administrative control over report-processing servers, you could deny the Define server groups to process jobs right.
6. In the Explicitly Granted column, select all remaining rights.
7. Click OK. You are returned to the Rights tab for the Worldwide Sales folder. The Net Access column now shows that the Sales Report Designers group has Advanced rights to this folder.
   Tip: Click the Advanced link in the Net Access column when you need to review or modify a set of advanced rights that have already been applied to a user or group.

Now that you have set object rights on the uppermost Sales folder, you will proceed to decrease rights as you descend the folder hierarchy.
Sales staff can view reports for their own region and can refresh these reports against the database to view the most recent data. If the staff member is also a Manager, he or she can view and refresh reports from all regions.
You will use the various Sales groups to decrease rights appropriately for each Regional Sales folder.

To decrease rights to the regional Sales folders
1. Go to the Regional Sales - JP folder and click its Rights tab.
2. Click Add/Remove.
3. In the Select Operation list, click Add/Remove Groups.
4. In the Available groups list, select Sales Japan.
5. Click the > arrow; then click OK. You are returned to the Rights tab of the Regional Sales - JP folder.
6. In the Access Level column, select the following rights for each group:
   Sales Japan: View On Demand
   Sales Managers: Inherited Rights
   Sales Report Designers: Inherited Rights
7. Click Update. The Net Access column shows your new security settings. As required, the Sales Japan and the Sales Managers groups have View On Demand access, which allows them to refresh reports against the database to view the latest data. The Sales Report Designers retain their advanced rights, and all other users are prevented from accessing the folder (except for Administrators).
8. Repeat steps 1 to 6 for the Regional Sales - USA folder, but grant View On Demand access to the Sales USA group (instead of to the Sales Japan group).
You are now ready to complete the tutorial by customizing security for the final level of Sales folders: the Managers Only folders.

To decrease rights to the Managers Only folders
1. Go to the Regional Sales - JP folder and click its Subfolders tab.
2. Click the link to the Managers Only folder and click its Rights tab.
3. In the Access Level column, select the following rights for each group:
   Administrators: Inherited Rights
   Everyone: Inherited Rights
   Sales: Inherited Rights
   Sales Japan: No Access
   Sales Managers: Full Control
   Sales Report Designers: Inherited Rights
4. Click Update. The Rights tab of this Managers Only folder now shows that the Administrators, Sales Managers, and Sales Report Designers groups all have Full Control access to the folder. Members who do not belong to one of these groups are completely restricted from the folder.
5. Go to the Regional Sales - USA folder and click its Subfolders tab.
6. Click the link to the Managers Only folder and click its Rights tab.
7. In the Access Level column, select the following rights for each group:
   Sales Managers: Full Control
   Sales Report Designers: Inherited Rights
   Sales USA: No Access
8. Click Update. The Rights tab of this Managers Only folder shows again that the Administrators, Sales Managers, and Sales Report Designers groups all have Full Control access to the folder. Members who do not belong to one of these groups are completely restricted from the folder.
The majority of your reports should be inaccessible to most users.
Administrators require Full Control access to all folders and objects on the system.
The Sales groups need a hierarchy of folders containing management reports and regional reports:
   Only the Sales Managers can view the management reports and all regional reports.
   Sales staff can only view reports for their own region.
Because this scenario first completely restricts access to the top-level folders, and then gradually increases access to subfolders further down the folder hierarchy, the results are essentially incompatible with the design of InfoView. The closed security model works best when you deploy a web desktop or other application that provides users with a list of all reports and/or folders to which they have access. The sample Report Thumbnail Client and the Inframe Client applications provide examples that are compatible with a closed security model. You can access these applications from the Client Samples area of the Crystal Enterprise Launchpad.

InfoView, by contrast, adheres to a hierarchical view of the system's folder structure. Thus, if users cannot access a top-level folder, they have no way of browsing its subfolders (even if they have Full Control over those subfolders and their contents). If you implement this closed security model in conjunction with InfoView, users will need to search for specific reports by name or description.

For a lengthier, more detailed tutorial, see Setting up an open system of decreasing rights on page 334.
The majority of your reports should be inaccessible to most users.
Administrators require Full Control access to all folders and objects on the system.

This procedure gives the Everyone group No Access to all published content. This is how you set the basis for a closed security model. Do not use advanced rights to explicitly deny rights to the Everyone group (or any other group) at the top-level folder of your BusinessObjects Enterprise system, because once a right has been explicitly denied, you have to break all inheritance patterns in order to grant the same right further down the folder hierarchy.

To change the rights on the top-level folder
1. Go to the Settings management area of the CMC.
2. Click the Rights tab. You need only reduce the rights of the Everyone group.
3. Click the Access Level list that corresponds to the Everyone group, and select No Access.
   Note: If users access reports through BusinessObjects Enterprise, they will be unable to browse subfolders once you make this initial security setting. Users will, however, be able to search for reports by name or description.
4. Click Update. The rights for the Everyone group are reduced and No Access is displayed in the Net Access column.
Now, your system meets your first two security requirements. The Everyone group is prevented from seeing all subsequently published content, and the Administrators group retains Full Control in order to maintain the system. Now that you have created a closed basis for your object security model, you will increase access to certain folders within the system.
Only the Sales Managers can view the management reports and all regional reports.
Sales staff can only view reports for their own region.

To provide minimal access to the management reports
1. Go to the Folders management area of the CMC.
2. Click New Folder.
3. On the Properties tab, in the Folder Name field, type Management Reports.
4. Click OK. The new folder is created and the page is refreshed.
5. On the Rights tab, click Add/Remove.
6. In the Select Operation list, click Add/Remove Groups.
7. In the Available Groups list, select Sales Managers.
8. Click the > arrow; then click OK. You are returned to the Rights tab of the Management Reports folder.
9. Click the Access Level list for the Sales Managers group, and select View. The Rights tab now shows that the Sales Managers group has View access to this folder and to any objects that you subsequently publish to it. As required, the Everyone and Administrators groups have inherited the rights that you set on the top-level BusinessObjects Enterprise folder.
Now you need only create folders for the regional reports and grant access to the appropriate regional Sales groups.

To provide selective access to the regional reports
1. If you are not already there, go to the Management Reports folder.
2. On the Subfolders tab, click New Folder.
3. On the Properties tab, in the Folder Name field, type Regional Reports - JP.
4. Click OK. The new folder is created and the page is refreshed.
5. On the Rights tab, click Add/Remove.
6. In the Select Operation list, click Add/Remove Groups.
7. In the Available Groups list, select Sales Japan.
8. Click the > arrow; then click OK. You are returned to the Rights tab of the Management Reports folder.
9. In the Access Level list for the Sales Japan group, select View. The Rights tab now shows that the Sales Japan group has View access to this folder and to any objects that you subsequently publish to it. The Administrators, Everyone, and Sales Managers groups automatically inherit the appropriate rights for this folder.
11. Repeat this procedure to create a subfolder called Regional Reports - USA and to provide the Sales USA group with View access to the folder. When you finish, the Rights tab of the Regional Reports - USA folder shows that you have set the rights as required for this tutorial.

You have now reached the end of this tutorial.
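The closed-system tutorial above, as an added example (not BusinessObjects Enterprise code): a simplified Python model that follows Inherited Rights down the tutorial's folder tree and flags folders a user may open but cannot reach by browsing, which is the InfoView limitation described for this model. The user names, the rule that net access is the strongest level among a user's groups, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Access levels used in the tutorial, weakest first.
LEVELS = ["No Access", "View", "View On Demand", "Full Control"]


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    # group -> explicit access level; a group that is absent has Inherited Rights.
    rights: dict = field(default_factory=dict)


def group_level(folder, group):
    """Access level one group holds on a folder, following Inherited Rights upward."""
    node = folder
    while node is not None:
        if group in node.rights:
            return node.rights[group]
        node = node.parent
    return "No Access"  # never granted anywhere on the path


def net_access(folder, groups):
    """Assumption: a user's net access is the strongest level among their groups."""
    return max((group_level(folder, g) for g in groups), key=LEVELS.index)


def browsable(folder, groups):
    """True if the folder and every folder above it (below the top-level settings)
    is accessible, which is what a hierarchical browser such as InfoView needs."""
    node = folder
    while node is not None and node.parent is not None:
        if net_access(node, groups) == "No Access":
            return False
        node = node.parent
    return True


def build_closed_model():
    """Folder tree and access levels as set in the closed-system tutorial."""
    top = Folder("(top-level settings)",
                 rights={"Everyone": "No Access", "Administrators": "Full Control"})
    mgmt = Folder("Management Reports", top, {"Sales Managers": "View"})
    jp = Folder("Regional Reports - JP", mgmt, {"Sales Japan": "View"})
    usa = Folder("Regional Reports - USA", mgmt, {"Sales USA": "View"})
    return [mgmt, jp, usa]


# Constructed sample users. Each entry lists every group the user belongs to,
# including parent groups (the regional and manager groups are subgroups of Sales).
USERS = {
    "admin": ["Everyone", "Administrators"],
    "manager": ["Everyone", "Sales", "Sales Managers"],
    "rep_jp": ["Everyone", "Sales", "Sales Japan"],
    "rep_usa": ["Everyone", "Sales", "Sales USA"],
    "clerk": ["Everyone"],
}


def audit(folders, users):
    """Return {(user, folder name): (net access, reachable by browsing)}."""
    report = {}
    for user, groups in users.items():
        for f in folders:
            report[(user, f.name)] = (net_access(f, groups), browsable(f, groups))
    return report


def search_only(report):
    """Folders a user may open but cannot reach by browsing from the top."""
    return sorted(key for key, (level, reach) in report.items()
                  if level != "No Access" and not reach)


if __name__ == "__main__":
    report = audit(build_closed_model(), USERS)
    for (user, folder), (level, reach) in report.items():
        print(f"{user:8} {folder:24} {level:14} browse={reach}")
    print("search only:", search_only(report))
```

Run against a planned rights matrix before applying it in the CMC, the search-only list shows which groups will depend on searching by name or description.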
For example, if you have already created your users' folders using a standard naming convention, you may want to deny your users the ability to organize their own folders.
Note: By default, all users have access to these features.

To grant access to a Business Objects application's features
1. Go to the BusinessObjects Enterprise Applications management area of the CMC.
2. Click the link for the application whose access rights you want to change.
3. Click the Rights tab.
4. Click Add/Remove to add users or groups you want to give access to the features.
5. On the Add/Remove page, in the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users.
6. Select the user or group you want to grant access to the features.
   Tip: If you have many users on your system, select the Add Users operation; then use the Look for field to search for a particular account.
7. Click OK.
8. On the Rights tab, click Advanced.
9. For each feature, choose Inherited, Explicitly Granted, or Explicitly Denied for the user or group.
   Note: For the Web Intelligence application, make sure you grant access to the Allows interactive HTML viewing option in order for users to be able to use the Interactive view format and use the Query HTML panel. The user can select this view format and report panel option in the Web Intelligence Document Preferences tab in InfoView.
To grant a user access to another user's inbox
1. Go to the Inbox management area of the CMC.
2. Select the inbox you want to grant access to.
3. Click the Rights tab.
4. Click Add/Remove to add users or groups that you want to give access to the selected user or group. The Add/Remove page appears.
5. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users.
6. Select the user or group you want to grant access to the specified inbox.
7. Click OK.
8. On the Rights tab, change the Access Level for each user or group, as required. To choose specific rights, choose Advanced.
   Note: For complete details on the predefined access levels and advanced rights, see Rights and Access Levels on page 563.
9.
4. Click Add/Remove to add users or groups that you want to give access to the selected server or server group. The Add/Remove page appears.
5. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users.
6. Select the user or group you want to grant access to the specified server or server group.
   Tip: If you have many users on your system, select the Add Users operation; then use the Look for field to search for a particular account.
7. Click OK.
8. On the Rights tab, change the Access Level for each user or group, as required. To choose specific rights, choose Advanced.
   Note: For complete details on the predefined access levels and advanced rights, see Rights and Access Levels on page 563.
9. Click Update.
If the Access Level is not already set to Advanced, click the list and select Advanced.
If the Access Level is already set to Advanced, click the Advanced link in the Net Access column.
If the Access Level is not already set to Advanced, click the list and select Advanced.
If the Access Level is already set to Advanced, click the Advanced link in the Net Access column.
To view or set who has access to a specific universe connection
1. Go to the Connections management area of the CMC.
2. Click the link for the connection.
3. Click the Rights tab.
4. In the Name column, locate the user or group whose rights you want to specify. If the user or group is not listed, click Add/Remove. Add the appropriate user or group and click OK. You are returned to the object's Rights tab.
5. The next step depends upon the entry that already appears in the Access Level list for this user or group:
   If the Access Level is not already set to Advanced, click the list and select Advanced.
   If the Access Level is already set to Advanced, click the Advanced link in the Net Access column.
Chapter 14 Organizing Objects
Tip: When you publish local directories and subdirectories of reports with the Publishing Wizard, you can duplicate your local directory structure on the BusinessObjects Enterprise system. This method provides you with an efficient way of creating multiple folders and subfolders at the same time. For details, see Publishing with the Publishing Wizard on page 376.
4. Click OK. The new folder is added to the system, and its Properties tab is refreshed. You can now use the Objects, Subfolders, Limits, and Rights tabs to add objects and to change settings for this folder.
2. In the Title column, click the link to the folder where you want to add a subfolder.
3. Click the Subfolders tab.
   Tip: You can browse through existing subfolders to add a new folder elsewhere in the folder hierarchy. When you have found the right parent folder, go to its Subfolders tab.
   The Subfolders tab appears.
4. Click New Folder.
5. On the Properties tab, type the name and description of the new folder.
6. Click OK. The new folder is added to the system, and its Properties tab is refreshed. You can now use the Objects, Subfolders, Limits, and Rights tabs to add objects and to change settings for this folder.
Deleting folders
When you delete a folder, all subfolders, reports, and other objects contained within it are removed entirely from the system.

To delete folders
1. Go to the Folders management area of the CMC.
2. Select the check box associated with the folder you want to delete. If the folder you want to delete is not at the top level, locate its parent folder. Then make your selection on the parent folder's Subfolders tab.
   Tip: Select multiple check boxes to delete several folders from their parent folder.
3. Click Delete, and click OK to confirm.
When you copy a folder, the newly created folder does not retain the object rights of the original. Instead, the copy inherits the object rights that are set on its new parent folder. For instance, if you copy a private Sales folder into a Public folder, the contents of the new Sales folder will be accessible to all users who have rights to the Public folder.

When you move a folder, all of the folder's object rights are retained. For instance, if you move a private Sales folder into a publicly accessible folder, the Sales folder will remain inaccessible to most users.

To copy or move a folder
1. Go to the Folders management area of the CMC.
2. Select the check box associated with the folder that you want to copy or move. If the folder you want to copy or move is not at the top level, locate its parent folder. Then make your selection on the parent folder's Subfolders tab.
   Tip: Select multiple check boxes to copy or move several folders from their parent folder to a different folder.
3.
4.
5.
   Copy to: Makes a copy of the folder.
   Move to: Moves the folder.
   Select the Destination folder from the list.
   Tip: If there are many folders on your system, use the Look for field to search, or click Previous, Next, and Show Subfolders to browse the folder hierarchy.
6. Click OK. The folder you selected is copied or moved, as requested, to the new destination.
To add a report to a new folder
1. Once you've created the new folder, click its Objects tab.
2.
3. On the Report tab, in the File name field, type the full path to the report. If you do not know the path, click Browse to perform a search.
4. If you do not want the user to see a thumbnail preview of the report in BusinessObjects Enterprise, clear the Generate thumbnail for the report check box.
   Tip: To display thumbnails for a report, open the report in Crystal Reports and click Summary Info on the File menu. Select the Save preview picture check box and click OK. Preview the first page of the report and save your changes.
5. If the report references objects in your BusinessObjects Enterprise Repository, select the Use Object Repository when refreshing report check box to update these objects now. For details about setting up the BusinessObjects Enterprise Repository, see BusinessObjects Enterprise Repository overview on page 174.
6. Ensure that the correct folder name appears in the Destination field.
   Tip: If there are many folders on your system, use the Look for field to search, or click Previous, Next, and Show Subfolders to browse the folder hierarchy.
7.
3. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users. The page is refreshed and displays options that depend upon whether you are working with users or with groups. The example above shows the options that are available when you are working with groups.
4. Select the user/group whose rights you want to specify and click the arrows to specify whether the user/group does or does not have access to the folder.
   Tip: If you have many users on your system, select the Add Users operation; then use the Look for field to search for a particular account.
5.
6. Change the Access Level for each user or group, as required.
   Note: For complete details on the predefined access levels and advanced rights, see Controlling users' access to objects on page 317.
7. Click Update.
To limit instances at the folder level
1. Once you've created the new folder, click its Limits tab.
2. Modify the available settings according to the types of instance limits that you want to implement, and click Update after each change. The available settings are:

   Delete excess instances when there are more than N instances of an object
   To limit the number of instances per object, select this check box. Then type the maximum number of instances that you want to remain on the system. (The default value is 100.)

   Delete excess instances for the following users/groups
   To limit the number of instances per user or group, click Add/Remove in this area. Select from the available users and groups and click OK. Then type the maximum number of instances in the Instance Limit column. (The default value is 100.)

   Delete instances after N days for the following users/groups
   To limit the age of instances per user or group, click Add/Remove in this area. Select from the available users and groups and click OK. Then type the maximum age of instances in the Maximum Days column. (The default value is 100.)
In this example, two settings have been combined to keep a maximum of 50 instances of any object in the folder, and to keep a maximum of 25 instances that belong to any member of the Administrators group.
Administrative (or corporate) categories are created by the administrator, or other users who have been granted access to these categories. If you have the appropriate rights, you can create administrative categories.
Personal categories can be created by each user to organize their own personal documents.
Note: For information about importing existing categories, see Importing information from BusinessObjects Enterprise 6.x on page 390.
3. Click the Subcategories tab.
   Tip: You can browse through existing subcategories to add a new category elsewhere in the hierarchy. When you have found the right parent category, go to its Subcategories tab.
4. Click New Category.
5. On the Properties tab, type the name and description of the new folder.
6. Click Update. The new category is added to the system, and its Properties tab is refreshed. You can now use the Documents, Subcategories, and Rights tabs to add objects and to change settings for this category.
Deleting categories
When you delete a category, all subcategories within it are removed entirely from the system. Unlike folder deletion, the reports and other objects contained within the category are not deleted from the system.

To delete categories
1. Go to the Categories management area of the CMC.
2. Select the check box associated with the category you want to delete. If the category you want to delete is not at the top level, locate its parent category. Then make your selection on the parent category's Subcategories tab.
   Tip: Select multiple check boxes to delete several categories from their parent category.
3. Click Delete, and click OK to confirm.
Moving categories
When you move a category, any object assigned to the category maintains its association with it. All of the category's object rights are retained. For instance, if you move a private Sales category into a publicly accessible category, the Sales category will remain inaccessible to most users.

To move a category
1. Go to the Categories management area of the CMC.
2. Select the check box associated with the category that you want to move. If the category you want to move is not at the top level, locate its parent category. Then make your selection on the parent category's Subcategories tab.
   Tip: Select multiple check boxes to copy or move several categories from their parent category to a different category.
3. Click Move. The Move page appears.
4. Select the Destination category from the list.
   Tip: If there are many categories on your system, use the Look for field to search, or click Previous, Next, and Show Subcategories to browse the category hierarchy.
5. Click OK. The category you selected is moved to the new destination.
5. Click either of the following buttons, depending on what you want to do:
- Click Remove to remove the object from the category only. In this case, the object continues to exist in the system.
- Click Delete to remove the object from the category and at the same time delete it from the system.
Chapter 15
Publishing overview
Publishing is the process of adding objects such as reports to the BusinessObjects Enterprise environment and making them available to authorized users. There are several types of objects that you can publish to BusinessObjects Enterprise: reports (from Crystal Reports, OLAP Intelligence, and Web Intelligence), programs, Microsoft Excel files, Microsoft Word files, Microsoft PowerPoint files, Adobe Acrobat PDFs, rich text format files, text files, and hyperlinks, as well as object packages, which consist of report and/or program objects.
When you publish an object to BusinessObjects Enterprise, an entry is made in the Central Management Server (CMS) database. The Input File Repository Server stores the new object below the \Enterprise\FileStore\Input\data\ directory. When a user schedules an instance of any object, BusinessObjects Enterprise queries the CMS for the location of the object file; the appropriate server component then retrieves and processes the object file from the Input File Repository. The processed instance is stored by the Output File Repository Server below the \Enterprise\FileStore\Output\data\ directory.
Note: Only reports, programs, and object packages can be scheduled. Thus, only these three types of objects have instances.
You can publish objects to BusinessObjects Enterprise in three ways:
Use the Publishing Wizard when you:
- Have access to the locally installed application.
- Are adding multiple objects or an entire directory.
For details, see "Publishing with the Publishing Wizard" on page 376.
Use the Central Management Console (CMC) when you are:
- Publishing a single object.
- Taking care of other administrative tasks.
- Performing tasks remotely.
For details, see "Publishing with the Central Management Console" on page 385.
Save directly to your Enterprise folders when you are:
- Designing reports with Crystal Reports.
- Using the OLAP Intelligence Application Designer.
- Creating other objects with BusinessObjects Enterprise plug-in components.
For details, see "Saving objects directly to the CMS" on page 387.
Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format.
Publishing options
During the publishing process, you specify how often an object is run. You can choose to set a schedule (recurring), or you can choose to let users set the schedule themselves (on demand). For RPT report files, this affects when data is refreshed and what data users see. (You cannot schedule OLAP Intelligence reports (CAR files).) Each publishing option has potential benefits and drawbacks:
Specifying the data that users see (recurring)
This option is recommended for objects that are accessed by a large number of people and that do not require separate database logon credentials.
Benefits
- Users view the same instance of the report, reducing the number of times the database is hit (and thus system resources are used more effectively).
- The report instance is static (contains saved data) and is stored on the Cache Server, allowing multiple users to access the report at the same time.
Drawbacks
- The report instance the users see is based on the selection criteria (parameters and record selection formulas) and schedule set by the administrator.
Allowing users to update the data in the report (on demand)
This option is recommended for smaller reports that use parameters and selection formulas, require separate database logon credentials, or have frequent data changes.
Benefits
- Users are able to determine the frequency with which the data in the report is updated.
Drawbacks
- Multiple users generating reports at the same time increases the load on the system and the number of times the database is hit.
- Each unique report page is cached separately. It's possible that the Cache Server can contain many copies of the cached report, each of them being generated by hitting the Page Server and database.
Adding objects
1. In the Select Files dialog box, depending on the type of object you are adding, click either Add Files or Add Folders.
2. Navigate to and select the object you want to add. If you are adding a folder, you can choose to also add its subfolders by selecting the Include Subfolders check box. Tip: Ensure the appropriate file type is listed in the Files of type field; by default this value is set to Report (*.rpt).
3. Repeat steps 1 and 2 for each of the objects you want to add.
4. Click Next.
Note: If the Specify Object Type dialog box appears, choose a file type for each unrecognized object, then click Next. The Specify Location dialog box appears.
Note: From the wizard, you can delete only new folders and object packages. (New folders are green; existing folders are yellow.) If you are adding multiple objects and want to place them in separate directories, see "Duplicating the folder structure" on page 378.
2. Click Next. The Confirm Location dialog box appears.
You can also add folders and object packages by selecting a parent folder and clicking the New Folder or New Object Package button. To delete a folder or object package, select it and click the Delete button. You can drag and drop objects to place them where you want, and you can right-click objects to rename them. By default, objects are displayed using their titles. You can display the objects' local file names by clicking the Show file names button.
2. Click Next when you are finished. The Specify Categories dialog box appears.
To recreate all of the folders and subfolders on the CMS as they appear on your hard drive, select Duplicate the folder hierarchy. Choose the topmost folder that you want to include in the folder hierarchy.
2. Click Next. The Confirm Location dialog box appears.
Run once only
Selecting the Run once only option provides two more sets of options:
This option runs the object once when you've finished publishing it. The object is not run again until you reschedule it.
This option runs the object once at a date and time you specify. The object is not run again until you reschedule it.
Let users update the object
This option does not schedule the object. Instead, it leaves the task of scheduling up to the user.
Run on a recurring schedule
Once you have selected this option, click the Set Recurrence button to set the scheduling options. The Pick a recurrence schedule dialog box appears. The options in this dialog box allow you to choose when and how often the object runs. Select the appropriate options and click the OK button.
3. Click Next after you have set the schedule for each object you are publishing.
1. In the Program Type dialog box, select a program.
2. Specify one of three program types:
- Binary/Batch: Binary/Batch programs are executables such as binary files, batch files, or shell scripts. They generally have file extensions such as: .com, .exe, .bat, .sh. You can publish any executable program that can be run from the command line on the machine where the Program Job Server is running.
- Java: You can publish any Java program to BusinessObjects Enterprise as a Java program object. They generally have a .jar file extension.
- Script: Script program objects are JScript and VBScript scripts.
3. Once you have specified the type of each program you are adding, click Next. The Program Credentials dialog box appears.
To review or modify objects before publishing
1. Select Review or modify properties.
2. Click Next. The Review Object Properties dialog box appears.
2. Select the database and change the logon information in the appropriate fields. If the database does not require a user name or password, leave the fields blank. Note: Enter user name and password information carefully. If it is entered incorrectly, the object cannot retrieve data from the database.
3. Once you have completed the logon information for each object using a different database, click Next. The Set Report Parameters dialog box appears if it is needed.
Setting parameters
Some objects contain parameters for data selection. Before such an object can be scheduled, you must set the parameters in order to determine the default prompts.
1. In the Set Report Parameters dialog box, select the object whose prompts you want to change. The object's prompts and default values appear in a list on the right-hand side of the screen.
2. Click Edit Prompt to change the value of a prompt. Depending on the type of parameter you have chosen, different dialog boxes appear.
3. If you want to set the prompts to contain a null value (where possible), then click Set Prompts to NULL.
4. Click Next after you have finished editing the prompts for each object. The Specify Format dialog box appears.
Publishing Objects to BusinessObjects Enterprise Publishing with the Central Management Console
3. On the left side of the page, click the type of object you want to add.
4. Enter the object's properties.
The properties that appear vary according to the type of object you are adding:

Property: File name
Object types: Report, Program, Microsoft Excel, Microsoft Word, Microsoft PowerPoint, Adobe Acrobat, Text, Rich Text
Description: Type the full path to the object, or click Browse to perform a search.

Object types: Object Package, Hyperlink
Description: Type the name of the object.

Object types: Object Package, Hyperlink
Description: Type a description of the object.

Object types: Report
Description: If you do not want the user to see a thumbnail preview of the report in BusinessObjects Enterprise, clear the Generate thumbnail for the report check box. Tip: To display thumbnails for a report, open the report in Crystal Reports and click Summary Info on the File menu. Select the Save preview picture check box and click OK. Preview the first page of the report and save your changes.

Property: Use Object Repository when refreshing report
Object types: Report
Description: Select this option to automatically refresh an object's repository fields against the repository each time the report runs.

Property: Program Type
Object types: Program
Description: Select Executable, Java, or Script. Tip: Run Java programs as Java program objects. Run JScript and VBScript programs as Script program objects. Run all other programs as Executable program objects.

Property: URL
Object types: Hyperlink
Description: Type the URL address of the page you want the hyperlink object to link to.
5. If you want to place the object in a category, select the category from the list.
6. Ensure that the correct folder or object package name appears in the Destination field. Tip: To expand a folder, select it and click Show Subfolders. To search for a specific folder or object package, use the Look For field. Note: Only report and program objects can be published to object packages.
7. Click OK. When the object has been added to the system, the CMC displays the Properties screen. If necessary, you can now modify the object's properties, such as its title and description, the database logon information, scheduling information, user rights, and so on.
Chapter 16
Importing information
The Import Wizard is a locally installed Windows application that allows you to import existing user accounts, groups, folders, and reports to your new BusinessObjects Enterprise system. The Import Wizard runs only on Windows, but you can use it to import information from a source environment that is running on Windows or UNIX to a new BusinessObjects Enterprise system that is running on Windows or on UNIX. You can import information from any of these products:
- BusinessObjects Enterprise XI
- BusinessObjects Enterprise 6.x
- Crystal Enterprise 10
- Crystal Enterprise 9
- Crystal Enterprise 8.5
- Crystal Enterprise 8
- Crystal Info 7.5
The functionality provided by the Import Wizard varies, depending upon the product from which you are importing information. In general, the Import Wizard imports settings that are specific to each object, rather than global system settings. For instance, a global "minimum number of characters" password restriction is not imported. But a user-level "must change password at next log on" restriction is imported with the user account. For details, see the section for the product from which you are importing information:
- "Importing information from BusinessObjects Enterprise 6.x" on page 390
- "Importing information from Crystal Enterprise" on page 396
- "Importing information from Crystal Info" on page 400
For procedural details, see "Importing with the Import Wizard" on page 402.
Importing Objects to BusinessObjects Enterprise Importing information from BusinessObjects Enterprise 6.x
- Make sure the Import Wizard is deployed on a Windows machine. Use the Custom installation if you want to install only the Import Wizard on a machine.
- If you are importing from a BusinessObjects Enterprise 6.x source environment, create data sources on the destination machine for every domain that is part of the source deployment. The name and configuration details for the data sources must match the data sources in the source deployment.
- On the machine that is running the Import Wizard, map drives to the following folders (where installdir represents the BusinessObjects Enterprise 6.x installation directory):
  - installdir/nodes/<name of node>/mycluster/locdata: Map this folder for access to the .key files.
  - installdir/nodes/<name of node>/mycluster/user: Map this folder if you are importing personal documents and categories.
  - installdir/nodes/<name of node>/mycluster/mail: Map this folder if you are importing the content of users' Inbox folders.
- Back up all repositories in the source deployment. Note: The Import Wizard modifies BusinessObjects Enterprise 6.x repositories to make them consistent with version 6.5 format before importing data into BusinessObjects Enterprise XI. If you need to access the repositories from a 6.x deployment, you will need to restore them from your backup copies.
- Stop all servers in the source deployment.
- Start the following servers in the BusinessObjects Enterprise XI deployment:
  - Central Management Server
  - Input File Repository Server and Output File Repository Server
Universes
You can import universes into the BusinessObjects Enterprise repository. There are two ways to import the universes:
- Import all universes, connections, and associated objects. You must import all the universes in one batch. You cannot select individual universes or connections to import.
- Import only universes, connections, and objects that are associated with the documents you are importing. Known as document dependency, this option imports only the objects used by the Web Intelligence documents that you are importing. You can also use this option if you want to import a subset of selected universes and their dependencies.
When you import a universe, the Import Wizard also imports connection objects associated with the universe. It also imports universe restriction sets associated with the universe (if the restriction sets are associated with users or groups that are being imported). When you select a Web Intelligence document to import, the Import Wizard automatically selects the associated universe for import. You can select additional universes for import. Note:
- Universe domains are converted into folders under the Universe folder. Each universe folder will be named after the corresponding Business Objects 6.x universe domain. When you import a universe from a domain, it is placed in the corresponding domain folder.
- When you import BusinessObjects Enterprise 6.x universes, the associated connections are imported automatically. They are converted into connection objects.
- When you import connection objects from BusinessObjects Enterprise 6.x, ensure that the Import Wizard can access the database the same way that BusinessObjects Enterprise 6.x accesses it. This may involve installing database drivers or configuring connection settings on the machine.
For example, if you import SQL Server connection objects from a BusinessObjects Enterprise 6.x source environment, you must configure the connections on the destination machine via the Control Panel before you import the connection objects. You must use the exact same name and settings as the connection used on the source machine when you created the domain key.
If a selected universe is a derived universe, then all relevant core universes and their connections will also be imported. For more information about importing universes, see Selecting information to import on page 405.
BusinessObjects Enterprise XI default group Granted appropriate rights on all imported objects, but not added to the Administrators group. Added to the Universe Designer Users group. Added to the Universe Designer Users group. Added to the Everyone group.
Supervisor
If you want to preserve security settings that are assigned to an imported object, select all users and groups that are principals on the selected object and ensure that you select the Enforce rights fidelity option in the Import Wizard. The Enforce rights fidelity option ensures that the effective rights match between the source and destination environments. If effective rights in the source and destination environments do not match for a principal on an object, the Import Wizard sets the effective rights as determined by aggregation rules in the source deployment for the principal user or group on the object in the destination deployment. Whenever possible, BusinessObjects Enterprise 6.x security settings are preserved in BusinessObjects Enterprise XI. If a BusinessObjects Enterprise 6.x right does not map exactly to a BusinessObjects Enterprise XI right, the right will not be granted to the user. Note:
The Import Wizard migrates external users and groups (LDAP or Windows AD users and groups, for example). For more information about the migration of security settings, see the BusinessObjects Enterprise Installation Guide.
Personal categories can be imported only as part of a batch import. You can select individual corporate categories and import Web Intelligence documents grouped by corporate category.
Documents
To have access to a Web Intelligence document from the Import Wizard, the user must be granted access to the document in BusinessObjects Enterprise 6.x, and the user must be a member of the group to which the document is assigned. You can select which domains or documents you want to import into BusinessObjects Enterprise. When you select a document, the document's domain is also imported. Documents (and universes) cannot be imported without importing the domain. Note: If you import a large number of Web Intelligence documents from your existing BusinessObjects Enterprise 6.x deployment, it may require significant processing time.
Inbox documents
Version 6.x Inbox documents are migrated to the user's Inbox folder in BusinessObjects Enterprise.
Inbox rights
Personal Documents
You can import BusinessObjects Enterprise 6.x Personal documents to BusinessObjects Enterprise. These documents are added to the user's Favorites folder.
Third-party documents
BusinessObjects Enterprise 6.x supports third-party (agnostic) documents. The Import Wizard migrates these documents into BusinessObjects Enterprise XI if the format is supported. Supported formats are: Adobe Acrobat PDF; Microsoft PowerPoint, Word, RTF, and Excel; and *.txt documents.
Timestamps
Timestamps are not migrated from BusinessObjects Enterprise 6.x to BusinessObjects Enterprise XI.
Aliases
If a user in the destination system has an alias that is identical to a user who is being imported, the destination user keeps all aliases, and the imported user loses that particular alias.
Windows AD
When importing users that employ Windows Active Directory authentication, ensure that the administrative credentials are the same on both the source and destination systems. Active Directory authentication must also be enabled on the destination system.
LDAP
When importing users that employ LDAP authentication, the Host list and Base LDAP name need to be the same on both the source and destination systems. LDAP authentication must also be enabled on the destination system.
Folders
Folders are imported, whether or not they exist already in the destination environment. To ensure that existing folders are not overwritten, make sure you choose the "Automatically rename top-level folders that match top-level folders on the destination system" option in the "Please choose an import scenario" dialog box. When this option is selected, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies. For example, if you import a folder called Sales Reports when a folder called Sales Reports already exists, then the imported folder is added to BusinessObjects Enterprise with the name Sales Reports(2).
Report objects
The Import Wizard can import Crystal report objects only if they are based on native drivers, ODBC data sources, OLAP data sources, Crystal Info Views, or Business Views. You can import the report instances for each report object, and the scheduling patterns that you have set up in the source environment are imported automatically. Supported reports are always imported with their parent folders, whether or not they exist already in the destination environment. However, so as not to overwrite existing folders, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies.
When you import content from one deployment to another, you can ensure that a particular user account retains ownership of its objects and scheduled instances by importing the user along with the content. If you don't import the user account, the ownership properties of its objects and instances are reset to your current administrative account. In the SDK, ownership is reflected by an object's SI_OWNERID property and by a scheduled instance's SI_SUBMITTERID property.
Rights
When you import folders and reports from one BusinessObjects Enterprise system to another, the associated object rights are imported for every user or group who is imported at the same time. If the user or group is not imported at the same time, the object rights are discarded. For instance, suppose that you import a report that explicitly grants View On Demand rights to the Everyone group in the source environment, but you do not import the Everyone group.
In this case, the newly imported report in the destination environment will not grant the same explicit rights to the Everyone group. Instead, the report inherits any rights that have been set on its parent folder. If you do import the appropriate user or group, and it already exists by name in the destination environment, then the corresponding object rights are imported and applied to the existing user or group. For instance, modifying the example above, suppose that you import the report and the Everyone group. In this case, the Import Wizard imports the object rights along with the report. So the newly imported report in the destination environment will explicitly grant the View On Demand right to the Everyone group.
When importing report objects associated with a server group, if the server group exists on the destination system, the report objects are added to the existing group and the source system's server group is not imported. If you have jobs scheduled or pending on a server or server group that you are importing, you might notice odd behavior on the destination system with the individual jobs involved until they run or time out.
Objects that have server group restrictions lose the restrictions if the objects are imported and the server group is not. For example, if a report is scheduled to run only under server group A and that server group is not imported, the report loses that restriction and will run under any server group. You need to import the server group at the same time as the objects that use it to keep the relationship between them. The same logic applies for events: if an object is set up to wait for an event or to trigger an event, you need to import the event at the same time as the object. Otherwise, the object is imported without the dependency and no longer waits for, or triggers, the event. Note:
If Event A is being imported from the source system but there is already an Event A on the destination system, and it is a different type (for example, a File event instead of a Custom event), the wizard removes the dependency on Event A from the object when it is imported.
Events are based on Event Servers and, since servers are not imported, you need to manually reset the event server and file name information on the event in the destination system. Once this is set, the event should work as expected.
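The rules above for ownership, rights, server groups and events can be checked against a planned selection before the import runs. The following is an added example, not code from this guide or from the BusinessObjects SDK: the inventory layout, object names, principals and finding labels are all constructed assumptions.

```python
"""Pre-import audit modelled on the Import Wizard rules described above.

Constructed model only: the data layout and every name below are assumptions
for illustration, not output of any BusinessObjects tool or SDK call.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SourceObject:
    name: str
    owner: str                                   # account that owns the object
    explicit_rights: Dict[str, str] = field(default_factory=dict)  # principal -> right
    server_group: Optional[str] = None           # "run only under" restriction
    events: Tuple[str, ...] = ()                 # events waited for or triggered


@dataclass
class ImportSelection:
    principals: Set[str]      # users and groups selected for import
    server_groups: Set[str]   # server groups selected for import
    events: Set[str]          # events selected for import


def audit_import(objects: List[SourceObject],
                 selection: ImportSelection,
                 source_event_types: Dict[str, str],
                 dest_event_types: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (object, finding, detail) for every setting the import would lose."""
    findings = []
    for obj in objects:
        # Owner not imported: ownership resets to the importing admin account.
        if obj.owner not in selection.principals:
            findings.append((obj.name, "ownership-reset", obj.owner))
        # Explicit rights survive only for principals imported at the same time;
        # otherwise the object falls back to rights inherited from its folder.
        for principal in sorted(obj.explicit_rights):
            if principal not in selection.principals:
                detail = f"{principal}: {obj.explicit_rights[principal]}"
                findings.append((obj.name, "right-discarded", detail))
        # Server group not imported: the object may then run on any server group.
        if obj.server_group is not None and obj.server_group not in selection.server_groups:
            findings.append((obj.name, "server-group-restriction-lost", obj.server_group))
        for event in obj.events:
            # Event not imported: the object no longer waits for or triggers it.
            if event not in selection.events:
                findings.append((obj.name, "event-dependency-lost", event))
                continue
            # Same event name on the destination with a different type:
            # the wizard removes the dependency from the imported object.
            src_type = source_event_types.get(event)
            dst_type = dest_event_types.get(event)
            if dst_type is not None and dst_type != src_type:
                detail = f"{event}: {src_type} vs {dst_type}"
                findings.append((obj.name, "event-type-conflict", detail))
    return findings


def run_sample() -> List[Tuple[str, str, str]]:
    """Audit a small constructed inventory against a constructed selection."""
    objects = [
        SourceObject("Quarterly Sales", owner="jsmith",
                     explicit_rights={"Everyone": "View On Demand",
                                      "Sales Managers": "Full Control"},
                     server_group="Server Group A", events=("Event A",)),
        SourceObject("Payroll Summary", owner="hr_admin",
                     explicit_rights={"HR": "View On Demand"},
                     events=("Nightly Load",)),
    ]
    selection = ImportSelection(principals={"jsmith", "Sales Managers", "HR"},
                                server_groups=set(), events={"Event A"})
    source_event_types = {"Event A": "Custom", "Nightly Load": "File"}
    dest_event_types = {"Event A": "File"}
    return audit_import(objects, selection, source_event_types, dest_event_types)


if __name__ == "__main__":
    for obj_name, finding, detail in run_sample():
        print(f"{obj_name:16} {finding:30} {detail}")
```

Each "right-discarded" finding marks an object whose effective access in the destination will come from its parent folder instead, so those folders are the ones to review after the import.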
Folders
Folders are imported, whether or not they exist already in BusinessObjects Enterprise. To ensure that existing folders are not overwritten, make sure you choose the "Automatically rename top-level folders that match top-level folders on the destination system" option in the "Please choose an import scenario" dialog box. When this option is selected, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies. For example, if you import a folder called Sales Reports, when a folder called Sales Reports already exists in BusinessObjects Enterprise, then the imported folder is added to BusinessObjects Enterprise with the name Sales Reports(2).
Report objects
The Import Wizard can import Crystal report objects only if they are based on native drivers, ODBC data sources, or OLAP data sources. Supported reports are always imported with their parent folders, whether or not they exist already in the destination environment. However, so as not to overwrite existing folders, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies. The Import Wizard can import successful instances and some recurring instances from Crystal Info systems. Recurrence patterns that cannot be automatically recreated within BusinessObjects Enterprise are written to the log file created by the Import Wizard. When you import reports based on a Crystal Info View, you are prompted to save the report files. Choose a specific folder where you want to save these reports. You can then run a conversion utility on all reports in that folder to convert them to use metadata. After converting the reports, you can publish them to BusinessObjects Enterprise with the Publishing Wizard.
Rights
BusinessObjects Enterprise enforces security through object rights, which differ from the user rights used within Crystal Info. Consequently, the Import Wizard does not import any of the folder security that is set up within the Crystal Info environment. If you transfer reports from Crystal Info to BusinessObjects Enterprise, the rights associated with the report are not transferred, only the ownership. If the owner of a report is the Administrators group, the Administrators group will have Full Control access to it. If the owner of the report is not an administrator, the report will be transferred and the View On Demand access mode will be associated with the report.
Other objects
The Import Wizard cannot import Crystal Info objects that are not supported by BusinessObjects Enterprise. Such objects include report packages, query objects, Info cubes, Open OLAP cubes, Holos Applications, and Crystal reports based on query files.
- "Specifying the source and destination environments" on page 402
- "Selecting information to import" on page 405
- "Importing objects with rights" on page 407
- "Choosing an import scenario" on page 407
- "Importing specific objects" on page 409
- "Finalizing the import" on page 414
The Specify source environment dialog box appears.
3. In the Source list, select the product from which you want to import information. The available options are:
- Crystal Info 7.5
- Crystal Enterprise 8
- Crystal Enterprise 8.5
- Crystal Enterprise 9
- Crystal Enterprise 10
- BusinessObjects Enterprise 6.x
- BusinessObjects Enterprise XI
You are prompted for administrative account information. The fields that appear depend on the type of source environment you chose.
4. If your source environment is Crystal Info, Crystal Enterprise 10 or earlier, or BusinessObjects Enterprise XI:
- In the CMS Name field, type the name of the source environment's CMS (Central Management Server).
- Type the User Name and Password that provide you with administrative rights to the source environment.
5. If your source environment is BusinessObjects Enterprise 6.x:
- Type the User Name and Password that provide you with administrative rights to the source environment. Note: You must have the General Supervisor profile.
- In the Domain key file field, provide the full path of the domain file for the BusinessObjects Enterprise system, or click the browse button to select the domain file.
6. Click Next. The Specify destination environment dialog box appears.
7. In the CMS Name field, type the name of the destination environment's Central Management Server.
8. Type the User Name and Password of an Enterprise account that provides you with administrative rights to the BusinessObjects Enterprise system; then click Next.
- Import inbox documents
- Import personal categories
- Import personal Web Intelligence documents
- Import favorite folders for selected users
- Import application rights
- Import corporate categories
- Import corporate Web Intelligence documents
- Import folders and objects
- Import events
- Import server groups
- Import repository objects
- Import calendars
- Import universes
Note: The options available depend on the version of the source environment. Events and server groups can be imported from Crystal Enterprise 8.5 or later. Repository objects and calendars can be imported from Crystal Enterprise 10. Universes, categories, and Web Intelligence documents can be imported from BusinessObjects Enterprise 6.x. All objects can be imported from BusinessObjects Enterprise XI.
2. Click Next.
3. If the Import personal documents and inbox documents dialog box appears, provide the paths for your personal and/or inbox documents. Note: You do not need to provide a path for corporate documents because they are stored in the repository.
4. If the Import universe and connection objects options dialog box appears, choose an import option:
- Import all universes, connections, and associated objects. This option imports all universes from the source environment in one batch. You cannot select individual universes or connections to import.
- Import only the universes and connection objects that are associated with the documents you are importing. Known as document dependency, this option imports only the objects used by the Web Intelligence documents that you are importing. You can also use this option if you want to import a subset of selected universes and their dependencies.
5. Click Next. The Import Object Principals Option dialog box appears.
2. Click Next. The "Please choose an import scenario" dialog box appears. Proceed to "Choosing an import scenario" on page 407.
Merging systems
If you merge the source and destination systems, the Import Wizard adds all objects from the source system into the destination CMS without overwriting objects in the destination. Note: This is the safest import option. All of the objects in the destination system are preserved. Also, at a minimum, all objects from the source system with a unique title are copied to the destination system.
To merge the source and destination systems, choose I want to merge the source system into the destination system. To add the source system's information to the destination system without merging, choose I want to update the destination system by using the source system as a reference.
2. Click Next. If you are prompted to select specific objects for import, proceed to Importing specific objects on page 409. If the Information collection complete dialog box appears, proceed to Finalizing the import on page 414.
2. 3.
4. If the Import Groups Option dialog box appears, choose how you want to map third-party groups, and click Next.
Note: Ensure that the third-party authentication is configured the same way on both the source and destination environments.
If you are importing third-party (or external) users and groups from BusinessObjects Enterprise 6.x, you need to determine how these users will be handled upon import into BusinessObjects Enterprise XI. For information about setting alias creation and assignment for LDAP and Active Directory users, see Managing User Accounts and Groups on page 249.
To select categories
If you chose to import categories, the Select categories dialog box appears. Select the check boxes for the categories that you want to import, then click Next. The Import Wizard imports the selected categories and the objects that belong to the categories.
To select domains and Web Intelligence documents
If you chose to import Web Intelligence documents, the Select Domains and Web Intelligence documents dialog box appears. Select the check boxes for domains or individual documents that you want to import, then click Next.
To select universes or universe folders
1. If you chose to import a subset of the universes from the source environment, the Select Universe Folder and Universes dialog box appears. Select the check boxes for the universes that you want to import, then click Next.
Note: When you import a universe, its connection objects are imported automatically. Before you can import connection objects from BusinessObjects Enterprise 6.x, ensure that the Import Wizard can access the database the same way that the source environment accesses it. This may involve installing database drivers or configuring connection settings on the machine. For example, if you import SQL Server connection objects from a BusinessObjects Enterprise 6.x source environment, you must configure the connections on the destination machine via the Control Panel before you import the connection objects. You must use the exact same name and settings as the connection used on the source machine when you created the domain key.
2. If the universe uses a connection object that is associated with a secure connection that was created with the Use Business Objects username and password option selected, the Connection SSO Option dialog box appears. Select the connection object, provide your connection information, and click Next. If your database supports Kerberos authentication, you can specify logon credentials for database access during scheduling, and you can enable Single Sign-On for database access during viewing and designing.
Note: SSO can be enabled, but you do not need to provide SSO information for described connections. You can specify logon credentials for access when scheduling, and if SSO is not enabled, these credentials will also be used for access when viewing Web Intelligence documents or designing universes. You can enable SSO only for connections that support Kerberos SSO in BusinessObjects Enterprise XI.
To select folders and objects
If you chose to import folders and objects, the Select Folders and Objects dialog box appears. Select the check boxes for the folders and reports that you want to import. Then click Next.
Tip: You can also choose to Import all instances of each selected report and object package. This example imports the Report Samples folder and a subset of its contents.
To select repository objects
If you chose to import repository objects, the Import repository objects options dialog box appears. Choose an importing option for repository objects, then click Next.
2. If the import summary shows that some information was not imported successfully, click View Detail Log for a description of the problem. Otherwise, click Done.
Note: The information that appears in the Detail Log is also written to a text file called ImportWiz.log, which you will find in the directory from which the Import Wizard was run. By default, this directory is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86\
The log file includes a system-generated ID number, a title that describes the imported information, and a field that describes the action and the reason why it was taken.
Chapter 17 Managing Objects
Go to the Object management area by clicking the Objects link on the CMC Home page. Use folders to organize and facilitate object administration for you and your users. For more information, see Managing User Folders on page 367.
General object management on page 417 This section describes general object management concepts that apply to all objects, such as moving, copying, and deleting objects. It also describes how to search for objects, how to modify object properties, and how to set object rights for users and groups.
Report object management on page 425 This section explains report objects and instances, and how to manage them through the Central Management Console (CMC). Managing report objects includes applying processing extensions, specifying alert notification, changing database information, updating parameters, using filters, and working with hyperlinked reports.
Program object management on page 451 This section explains program objects and instances, and how to manage them through the Central Management Console (CMC). Additionally, this section covers type-specific program object configuration, and security considerations for program objects.
Object package management on page 459 This section explains object packages and instances, and how to manage them through the Central Management Console (CMC). Additionally, this section explains how to create an object package and how to add objects to an object package.
Copying, moving, or creating a shortcut for an object on page 417
Deleting an object on page 419
Searching for an object on page 419
Sending an object or instance on page 420
Changing properties of an object on page 422
Assigning an object to categories on page 424
Tip: You can also manage an object by going to the Folders management area in the CMC, selecting a folder (and any subfolders) by clicking the appropriate link(s), and selecting the object that is located under the Object Title column. See Chapter 14: Organizing Objects.
Note: For information on setting the rights for an object, see Setting object rights for users and groups on page 317.
Copy creates another copy of the object in a different location. The new copy of the object inherits all object rights from its new parent folder. You use copy, for example, when scheduling objects by using an object package, to copy the objects to the package. See Scheduling objects using object packages on page 471.
Move changes the location of the object from one folder to another. The object retains its original set of object rights.
Create shortcut enables you to create an alternate, more convenient, access route for an object. You can also create a shortcut to give users access to the object when you don't want them to access the folder that the actual object is located in. The shortcut inherits object rights from its parent folder. However, the shortcut object rights do not override the rights of the original object. For example, if a user does not have rights to schedule a report, they are not able to schedule that report even through a shortcut that allows them full rights.
To copy, move, or create a shortcut for an object
1. Go to the Objects management area of the CMC.
2. Select the check boxes associated with the object(s) you want to copy, move, or create a shortcut for.
3. Click Copy/Move/Shortcut. The Copy/Move/Create Shortcut page appears.
4.
Tip: You may want to create a shortcut if you want to give someone access to an object without giving that user access to the entire folder that the object is located in. After you create the shortcut, users who have access to the folder where the shortcut is located can access this object and its instances. For more information on folder rights, see Specifying folder rights on page 364.
5. Select the appropriate destination folder; then click OK.
Tip: To expand a folder, select it and click Show Subfolders. To search for a specific folder or object package, use the Look For field.
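The rights behaviour described above for Copy, Move and Create shortcut can be checked before an object is relocated. The following is an added example, not code from BusinessObjects Enterprise: a simplified model in which rights are a single ordered level per user, NO_ACCESS is an assumed floor, and the folders, users and report are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional


class Right(IntEnum):
    # VIEW, SCHEDULE and FULL_CONTROL are levels named in this guide;
    # NO_ACCESS is an assumed floor for the model.
    NO_ACCESS = 0
    VIEW = 1
    SCHEDULE = 2
    FULL_CONTROL = 3


@dataclass
class Folder:
    name: str
    rights: Dict[str, Right]          # user -> right granted on the folder


@dataclass
class Obj:
    title: str
    folder: Folder
    rights: Dict[str, Right]          # user -> right carried by this object
    target: Optional["Obj"] = None    # set only when this object is a shortcut


def copy_object(obj, dest):
    """Copy: the new copy inherits its rights from the new parent folder."""
    return Obj(obj.title, dest, dict(dest.rights))


def move_object(obj, dest):
    """Move: only the location changes; the original rights are retained."""
    return Obj(obj.title, dest, dict(obj.rights))


def create_shortcut(obj, dest):
    """Shortcut: inherits rights from its parent folder and points at obj."""
    return Obj(obj.title, dest, dict(dest.rights), target=obj)


def effective_right(obj, user):
    """Right a user can actually exercise through obj."""
    own = obj.rights.get(user, Right.NO_ACCESS)
    if obj.target is None:
        return own
    # Shortcut rights never override the rights of the original object.
    return min(own, effective_right(obj.target, user))


def exposure_report(original, derived, users):
    """Users who can do more through `derived` than on `original`.

    Returns {user: (right_on_original, right_on_derived)}.
    """
    report = {}
    for user in users:
        before = effective_right(original, user)
        after = effective_right(derived, user)
        if after > before:
            report[user] = (before, after)
    return report


# Constructed sample data: a restricted folder and a permissive one.
finance = Folder("Finance", {"alice": Right.FULL_CONTROL, "bob": Right.VIEW})
public = Folder("Public", {"alice": Right.FULL_CONTROL,
                           "bob": Right.SCHEDULE,
                           "carol": Right.SCHEDULE})
payroll = Obj("Payroll", finance,
              {"alice": Right.FULL_CONTROL, "bob": Right.VIEW})
USERS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    for label, derived in [("copy", copy_object(payroll, public)),
                           ("move", move_object(payroll, public)),
                           ("shortcut", create_shortcut(payroll, public))]:
        widened = exposure_report(payroll, derived, USERS)
        print(f"{label:8s} -> {({u: (b.name, a.name) for u, (b, a) in widened.items()})}")
```

In this model only the copy widens access, because it takes on the destination folder's rights; the move and the shortcut leave every user's effective right unchanged.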
Deleting an object
This procedure explains how to delete either a single object or multiple objects. You can also delete a folder (by selecting a folder and clicking Delete in the Folders management area), which deletes all of the objects and instances that are stored in that folder. As well, you have the option of deleting object instances, rather than the object itself. For more information, see Managing and viewing the history of instances on page 495.
Note: When you delete an object, all of its existing instances and scheduled instances will be deleted.
To delete an object
1. Go to the Objects management area of the CMC.
2. Select the check boxes associated with the object(s).
3. Click Delete.
4. Click OK.
3. Click Search.
4. If you want to keep the temporary instances that are created when you send an object or instance, deselect Clean up temporary objects created after objects have been sent. By default, this option is selected and the system deletes any temporary objects or instances after they have been sent.
5.
Each selected object's scheduling destination Sends the objects or instances to the destination specified on the Destination pages for the objects.
A new destination for all selected objects Allows you to specify a destination. If you select this option, you must specify additional parameters for the destination information. See Available destinations by object type on page 421 and Selecting a destination on page 481. If you want the destination to become the default destination for the object, select the Set this destination as the selected object's scheduling destination option. The system will update the destination information for the object when you click Send.
Note: Send Web Intelligence documents to the Inbox destination only, or to an Email destination within BusinessObjects Enterprise.
6. Click Send. The system sends the selected objects or instances to the specified destinations.
Object type Web Intelligence document Excel file Word file PDF file Text file RTF file PowerPoint file Hyperlink
Email (SMTP) FTP Yes Yes Yes Yes Yes Yes File Yes Yes Yes Yes Yes Yes Link Yes Yes Yes Yes Yes Yes Yes Yes
Inbox File Yes Yes Yes Yes Yes Yes Yes Yes Link Yes Yes Yes Yes Yes Yes Yes Yes
Note that once you have clicked Update, you cannot click Reset to undo changes.
View button
For Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Adobe Acrobat, Text, and Rich Text objects, a View button appears on the Properties page. Provided that you have the appropriate software installed on your browser machine, you can click the View button to open and view the object.
Preview button
Similarly, for report objects and Web Intelligence documents, a Preview button appears. The Preview button enables you to view a report on demand with all of your current report settings. BusinessObjects Enterprise connects to the report's data source(s) if no cached pages are available. To use the Preview function, the user will need to have rights at the Schedule level or higher. (To preview a report with saved data, the user will need to have rights at the View level or higher.) By default, administrators have rights at the Full Control level (the highest rights setting) for all report objects. For details about object rights, see Report object management on page 425.
Show report thumbnail option
For reports, the Show report thumbnail check box is selected by default. If you do not want a thumbnail preview of this report to be available in InfoView or another web application, clear the Show report thumbnail check box.
Note: A thumbnail is a graphical representation of the first page of a report. If the original report does not contain a thumbnail, then a thumbnail will not be stored on BusinessObjects Enterprise. The Show report thumbnail check box does not apply to Web Intelligence document objects.
Scheduled package fails upon individual component failure option
For object packages, the Scheduled package fails upon individual component failure check box is selected by default. (A component is an object in an object package.) This means that if one of the objects in a package fails, the object package instance in the History will appear as Failed. If you do not want the object package instance to fail if one of the objects fails, clear the Scheduled package fails upon individual component failure check box.
What are report objects and instances? on page 425
Setting report refresh options on page 426
Setting report processing options on page 428
Applying processing extensions to reports on page 443
Working with hyperlinked reports on page 447
Note: Most information in this section also applies to Web Intelligence document objects. Any exceptions have been identified.
Object instances
At the specified time, the system runs the object and creates an object instance. The instance contains actual data from the database. It appears on the History page of the object and has a status of Success or Failed.
Making changes to an object
Any changes you make to an object (by making the changes and then clicking Update) affect the default settings for the object only. Those changes do not affect any existing scheduled instances or object instances. The next time you schedule the object, whether you use CMC or an application such as InfoView, the new default settings are displayed. You can then change these settings as needed for the scheduled instance you want to create.
Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format.
To preserve your changes to the values of report elements when you refresh a report, clear the appropriate report refresh option.
Note:
If you select Prompt Values, BusinessObjects Enterprise ensures that changes to either the default value of a prompt or to the current value of a prompt are updated in the report object when the report is refreshed.
If you select Prompt Options, BusinessObjects Enterprise ensures that changes to the metadata describing a prompt are updated in the report object. For example, Can be null is a prompt option.
If you select Use Object Repository when refreshing report, repository objects in the report object will be refreshed against the repository. For more information, see Refreshing repository objects in published reports on page 179.
To set a report object's refresh options
1. In the Objects management area of the CMC, select a report object by clicking its link.
2. On the Properties page, click the Refresh Options link.
3. Choose the report elements that you want to refresh from the source report file.
4. Click Refresh Report.
Setting report viewing options on page 428
Specifying servers for scheduling on page 430
Specifying servers for viewing and modification on page 432
Changing database information on page 434
Updating parameters on page 437
Using filters on page 439
Setting printer and page layout options on page 441
Applying processing extensions to reports on page 443
If you specify which servers a report uses for viewing, you can use per-server settings to standardize data sharing settings for groups of reports, and centrally administer these settings. (See Specifying servers for viewing and modification on page 432.) Per-report settings permit you to specify that particular reports will not share data. They also allow you to tailor the data sharing interval for each report to meet the needs of that report's users. In addition, per-report settings enable you to decide on a report-by-report basis whether it is appropriate to allow users to access the database whenever they refresh reports.
Data sharing may not be ideal for all organizations, or for all reports. To get full value from data sharing, you must permit data to be reused for some period of time. This means that some users may see old data when they view a report on demand, or refresh a report instance that they are viewing.
The default report viewing options for BusinessObjects Enterprise emphasize data freshness and integrity. By default, when you add a report to BusinessObjects Enterprise it is configured to use per-server settings for report sharing. The default server settings ensure that users always receive up-to-date information when they refresh a report, and guarantee that the oldest data given to any user is 0 minutes old. If you choose to enable per-report settings, the default settings allow data sharing, allow a viewer refresh to retrieve fresh data from the database, and ensure that the oldest data given to a client is 5 minutes old.
Tip: Disabling the sharing of report data between clients is not the same as setting the Oldest on-demand data given to a client to 0 minutes. Under high load, your system may receive more than one request for the same report instance at the same time. In this case, if the data sharing interval is set to 0 but the Share report data between clients option is enabled, BusinessObjects Enterprise shares data between the client requests. If it is important that data not be shared between different clients (for example, because the report uses a User Function Library (UFL) that is personalized for each user), disable data sharing for that report.
For details on setting report viewing options on a per-server basis, see:
Modifying Cache Server performance settings on page 112
Modifying Page Server performance settings on page 115
Modifying performance settings for the RAS on page 120
Configuring the Web Intelligence Report Server on page 122
For more information on configuring BusinessObjects Enterprise to optimize report viewing in your system, see the planning chapter in the BusinessObjects Enterprise Installation Guide.
Note: This feature does not apply to Web Intelligence document objects.
To set report viewing options for a report
1. In the Objects management area of the CMC, select a report by clicking its link.
2. Click the Process tab.
3. In the Data Refresh for Viewing area, click Use report specific viewing settings. Then select the options that you want to set for this report.
4. Click Update.
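The Tip above distinguishes a 0-minute data age from disabled sharing. The following is an added example, not product code: a toy model of the two viewing options that shows which requests reuse another client's data under each setting. The reuse rule, the per-user query (standing in for a UFL personalized for each user) and the request times are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class ViewingSettings:
    share_between_clients: bool   # "Share report data between clients"
    oldest_data_minutes: float    # "Oldest on-demand data given to a client"


class ReportDataCache:
    """Toy model of on-demand data reuse for a single report."""

    def __init__(self, settings, run_query):
        self.settings = settings
        self.run_query = run_query    # callable(user) -> data; hits the database
        self.fetched_at = None        # time (minutes) of the last shared fetch
        self.data = None
        self.db_hits = 0

    def view(self, user, now_minutes):
        s = self.settings
        # Assumed reuse rule: shared data is handed out while its age does not
        # exceed the configured maximum. With a maximum of 0 this is still true
        # for requests that arrive at the same moment.
        if (s.share_between_clients
                and self.fetched_at is not None
                and now_minutes - self.fetched_at <= s.oldest_data_minutes):
            return self.data          # reused, whoever triggered the fetch
        data = self.run_query(user)
        self.db_hits += 1
        if s.share_between_clients:
            self.fetched_at, self.data = now_minutes, data
        return data


def personalized_query(user):
    """Stand-in for a report whose rows depend on the viewing user."""
    return f"rows visible to {user}"


def simulate(settings, requests):
    """Replay (user, time) requests; return what each user saw and the DB hits."""
    cache = ReportDataCache(settings, personalized_query)
    served = [(user, cache.view(user, t)) for user, t in requests]
    return served, cache.db_hits


def cross_user_reuse(served):
    """Requests answered with data that was produced for a different user."""
    return [(user, data) for user, data in served
            if data != personalized_query(user)]


# Constructed request stream: alice and bob arrive together, carol 30 s later.
REQUESTS = [("alice", 10.0), ("bob", 10.0), ("carol", 10.5)]

SERVER_DEFAULT = ViewingSettings(share_between_clients=True, oldest_data_minutes=0)
PER_REPORT_DEFAULT = ViewingSettings(share_between_clients=True, oldest_data_minutes=5)
SHARING_DISABLED = ViewingSettings(share_between_clients=False, oldest_data_minutes=0)

if __name__ == "__main__":
    for name, settings in [("sharing on, 0 min", SERVER_DEFAULT),
                           ("sharing on, 5 min", PER_REPORT_DEFAULT),
                           ("sharing off", SHARING_DISABLED)]:
        served, hits = simulate(settings, REQUESTS)
        print(f"{name:18s} db_hits={hits} cross-user={cross_user_reuse(served)}")
```

Only the run with sharing disabled gives every user their own data; the 0-minute setting still hands alice's rows to bob because the two requests coincide.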
Use the first available server.
Use the servers that belong to a selected group first (and, if the servers from that group aren't available, use any available server).
Use only servers that belong to a specific group.
Depending on the type of object, BusinessObjects Enterprise uses the following servers:
Crystal reports are run on the Report Job Server.
Web Intelligence documents are run on the Web Intelligence Report Server.
By selecting a particular server or server group, you can balance the load of your scheduling, because specific objects can be processed by specific job servers. You must first create server groups by using the Server Groups management area in the CMC, before you can select servers that belong to a selected group. You can also set the maximum number of jobs that a job server will accept. For more information, see Modifying performance settings for job servers on page 121.
Note:
If you choose the Use the first available server option, the Central Management Server (CMS) will check the job servers to see which one has the lowest load. The CMS does this by checking the percentage of the maximum load on each job server. If all of the job servers have the same load percentage, then the CMS will randomly pick a job server.
If you are scheduling a program object that requires access to files stored locally on a Program Job Server, but you have multiple Program Job Servers, you must specify which server to use to run the program.
See Specifying servers for viewing and modification on page 432 for information on specifying the servers used to view or modify an object.
To specify the servers to use for an object
1. In the Objects management area of the CMC, select an object by clicking its link.
2.
3. In the Default Servers To Use For Scheduling area, choose from one of the three options:
Use the first available server BusinessObjects Enterprise will use the server that has the most resources free at the time of scheduling.
Give preference to servers belonging to the selected group Select a server group from the list. This option will attempt to process the object from the servers that are found within your server group. If the specified servers are not available, then the object will be processed on the next available server.
Only use servers belonging to the selected group This option ensures that BusinessObjects Enterprise will only use the specified servers that are found within the selected server group. If all of the servers in the server group are unavailable, then the object will not be processed.
4. Click Update.
5. In the Default Servers To Use For Viewing area, repeat the activities from steps 3 and 4.
Note: Default Servers To Use For Viewing applies only to report objects.
Use the first available server.
Use the servers that belong to a selected group first (and, if the servers from that group aren't available, use any available server).
Use only servers that belong to a specific group.
Depending on the type of object, BusinessObjects Enterprise uses the following servers: Crystal reports are run on the Cache Server and Page Server, or the Report Application Server, depending on which viewer is used. Web Intelligence documents are run on the Web Intelligence Report Server.
By selecting a particular server or server group, you can balance the load of your viewing, as specific reports can be processed using specific servers. You must first create server groups by going to the Server Groups management area in the CMC before you are able to select servers that belong to a selected group. You can also set the maximum number of jobs a server will accept. For more information, see Modifying Cache Server performance settings on page 112, Modifying Page Server performance settings on page 115, or Modifying performance settings for the RAS on page 120.
Note:
If you choose the Use the first available server option, the Central Management Server (CMS) will check the servers to see which one has the lowest load. The CMS does this by checking the percentage of the maximum load on each server. If all of the servers have the same load percentage, then the CMS will randomly pick a server.
See Specifying servers for scheduling on page 430 for information on specifying Job Servers used to schedule an object.
To specify the servers to use for a report object
1. In the Objects management area of the CMC, select an object by clicking its link.
2. Click the Process tab.
3. In the Default Servers To Use For Viewing area, choose from one of the three options:
Use the first available server BusinessObjects Enterprise will use the server that has the most resources free at the time of viewing.
Give preference to servers belonging to the selected group Select a server group from the list. This option will attempt to process the object from the servers that are found within your server group. If the specified servers are not available, then the object will be processed on the next available server.
Only use servers belonging to the selected group This option ensures that BusinessObjects Enterprise will only use the specified servers that are found within the selected server group. If all of the servers in the server group are unavailable, then the object will not be processed.
4. Click Update.
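The three server options described for scheduling and for viewing follow the same selection logic, sketched here as an added example that is not the CMS's own code. Load is the share of each server's maximum jobs in use and ties are broken at random, as the notes state; applying the same lowest-load rule inside a group, the `available` flag and the sample servers are assumptions.

```python
import random
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional

# Option labels as they appear in the Default Servers To Use areas.
FIRST_AVAILABLE = "Use the first available server"
PREFER_GROUP = "Give preference to servers belonging to the selected group"
ONLY_GROUP = "Only use servers belonging to the selected group"


@dataclass
class Server:
    name: str
    current_jobs: int
    max_jobs: int
    group: Optional[str] = None
    available: bool = True

    @property
    def load(self):
        # Exact fraction of the maximum load, so equal percentages tie exactly.
        return Fraction(self.current_jobs, self.max_jobs)


def least_loaded(servers: List[Server], rng) -> Optional[Server]:
    """Available server with the lowest load; random pick among ties."""
    candidates = [s for s in servers if s.available]
    if not candidates:
        return None
    lowest = min(s.load for s in candidates)
    return rng.choice([s for s in candidates if s.load == lowest])


def pick_server(servers, option, group=None, rng=random) -> Optional[Server]:
    """Return the server that would process the object, or None if none may."""
    if option == FIRST_AVAILABLE:
        return least_loaded(servers, rng)
    if option not in (PREFER_GROUP, ONLY_GROUP):
        raise ValueError(f"unknown option: {option!r}")
    chosen = least_loaded([s for s in servers if s.group == group], rng)
    if chosen is not None or option == ONLY_GROUP:
        # ONLY_GROUP never leaves the group: None means "not processed".
        return chosen
    # PREFER_GROUP falls back to any available server.
    return least_loaded(servers, rng)


# Constructed sample environment.
SERVERS = [
    Server("job1", current_jobs=2, max_jobs=4, group="A"),    # 50 %
    Server("job2", current_jobs=5, max_jobs=10, group="A"),   # 50 %
    Server("job3", current_jobs=1, max_jobs=10, group="B"),   # 10 %
    Server("job4", current_jobs=0, max_jobs=5, group="B", available=False),
]
# Same environment with every group A server stopped.
SERVERS_A_DOWN = [
    Server(s.name, s.current_jobs, s.max_jobs, s.group,
           s.available and s.group != "A")
    for s in SERVERS
]

if __name__ == "__main__":
    rng = random.Random(0)
    for option in (FIRST_AVAILABLE, PREFER_GROUP, ONLY_GROUP):
        up = pick_server(SERVERS, option, "A", rng)
        down = pick_server(SERVERS_A_DOWN, option, "A", rng)
        print(f"{option}: all up -> {up.name if up else None}, "
              f"group A down -> {down.name if down else None}")
```

A program object that depends on files local to one Program Job Server corresponds to the ONLY_GROUP case with a single-server group: when that server is down the result is None rather than a run on a server without the files.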
3. In the Data Source(s) list, select the data source.
4. Select Use original database logon information from the report or Use custom database logon information specified here. If you select the first option, you can specify a user name and password to be used with the original report database. If you select the second option, you can specify a server name (or a DSN in the case of an ODBC data source), a database name, a user name, and a password for a number of predefined database drivers, or for a custom database driver that you've specified. If you've changed the default table prefix in your database, specify a custom table prefix here. For a complete list of supported databases and drivers, refer to the platform.txt file included with your installation.
5.
Prompt the user for database logon The system will prompt users for a password when they refresh a report. Note: This option has no effect on a scheduled instance. Also, BusinessObjects Enterprise only prompts users when they first refresh a report; that is, if they refresh the report a second time, they will not be prompted.
Use SSO context for database logon The system will use the user's security context, that is, the user's logon and password, to log on to the database. Note: For this option to work, you must have your system configured for end-to-end single sign-on, or for single sign-on to the database. For more information, see Configuring Kerberos single sign-on on page 299.
Use same database logon as when report is run The system will use the same database logon information as was used when the report was run on the job server.
6. Click Update.
Updating parameters
Note: This feature does not apply to Web Intelligence document objects.
Parameter fields (with preset values) enable users to view and to specify the data that they want to see. If a report contains parameters, you can set the default parameter value for each field or fields (which is used whenever a report instance is generated). Through a BusinessObjects Enterprise application such as InfoView, your users are either able to use the report with the preset default value(s) or choose another value or values. If you do not specify a default value, users will have to choose a value when they schedule the report.
Note: The Parameters link is available only if the report object contains parameters.
To view parameter settings
1. In the Objects management area of the CMC, select a report object by clicking its link.
2. Click the Process tab, and then click the Parameters link.
3. Under the Value column, select the value associated with the parameter you want to change. A page opens that allows you to change the parameter value. Depending on the parameter value type, you either type a value in the field or choose a value from a list. If there is a list, you can also click Edit to type a new value.
4. Select the Clear the current parameter value(s) check box if you want to clear the current value that is set for the specified parameter.
5. Select the Prompt the user for new value(s) when viewing check box if you want your users to be prompted when they view a report instance through a BusinessObjects Enterprise application such as InfoView.
6. Click Update.
To update the prompts for a Web Intelligence document object
1. In the Objects management area of the CMC, select a report object by clicking its link.
2. Click the Process tab, and then click the Prompts link. The Prompts page appears, showing a dialog box with prompts.
3. Select the prompt and enter a value for the prompt. Repeat this step for every prompt whose value you want to change.
4. Click Update.
Using filters
Note: This feature does not apply to Web Intelligence document objects.
In the Filters page, you set the default selection formulas for the report. Selection formulas are similar to parameter fields in that they are used to filter results so that only the required information is displayed. Unlike parameters, end users will not be prompted for selection formula values when they view or refresh the report. When users schedule reports through a web-based client such as InfoView, they can choose to modify the selection formulas for the reports. By default, if any formulas are set in the CMC, they will be used by the web-based client. For more information on selection formulas, see the Crystal Reports User's Guide.
In addition to changing selection formulas, if you have developed your own processing extensions, you can select the processing extensions that you want to apply to your report. For more information, see Applying processing extensions to reports on page 443. When you use filters in conjunction with processing extensions, a subset of the processed data is returned. Selection formulas and processing extensions act as filters for the report.
To use filters
1. In the Objects management area of the CMC, select a report object by clicking its link.
2. Click the Process tab, and then click the Filters link. The Filters page appears.
3.
Record Selection Formula Use the Record Selection Formula to create or edit a record selection formula or formulas that limit the records used when you or a user schedules a report.
Group Selection Formula Use the Group Selection Formulas to create or edit a group selection formula or formulas that limit the groups used when you or a user schedules a report.
4. In the processing extensions area, select a processing extension you want from the Available Processing Extensions list, and move it to the Use these Processing Extensions list. Repeat this step until you have selected the processing extensions you want.
5. Click Update.
Specifying a printer
Note: This feature does not apply to Web Intelligence document objects.
You can choose to print a report (each time it runs) using the Job Server's default printer or a different printer. By selecting the Printer destination, BusinessObjects Enterprise prints your report after it is processed.
Note: The Job Server must run under an account that has sufficient privileges to access the printer you specify. See Changing the server user account on page 146 for information on changing the user account.
To assign a printer
1. In the Objects management area of the CMC, select a report object by clicking its link.
2. On the Process tab, click the Print Setup link. The Print Setup page appears.
3. Select Print in Crystal Reports format using the selected printer when scheduling if you want report instances to be sent directly to a printer. The report instances are automatically sent to the printer in Crystal Reports format. This does not interfere with the format selected when scheduling the report.
4. Leave Default printer selected if you want to print to the Job Server's default printer; otherwise, select Specify a printer.
5. Enter a printer's path and name, select the number of copies, and choose the print page range. If your job server is using Windows, in the Specify a printer field, type:
\\printserver\printername
Where printserver is the name of your printer server, and printername is the name of your printer. If your job server is running on UNIX, in the Specify a printer field, type the print command that you normally use. For instance, type:
lp -d printername
Note: Ensure that the printer you are using (on UNIX) is shown and not hidden. 6. Click Update.
To set a report's page layout
1. In the Objects management area of the CMC, select a report object by clicking its link.
2. On the Process tab, click the Print Setup link. The Print Setup page appears.
3. Make your settings according to the type of layout you want. The options are as follows:
Report file default: Choose this option if you want the page layout to conform to the settings that were chosen for the report in Crystal Reports.
Specified printer settings: Choose this option if you want the page layout to conform to the settings of a specified printer. You can choose the Job Server's default printer or another printer. For information about specifying another printer, see Specifying a printer on page 441. When you choose this option, you can print scheduled report instances only to the printer you specify in the Specified printer settings area. In other words, you cannot set your report to display with one printer's setting and then print to a different printer.
Custom settings: Choose this option if you want to customize all page layout settings. You can choose page orientation, page size, measurement units (inches or millimeters), page width, and page height.
4. Click Update.
schedule requests before they are processed by the system. This section shows how to register your processing extension with BusinessObjects Enterprise, and how to apply an available processing extension to a particular report object. For general information about processing extensions and how you can use them to customize report processing and security, see Processing extensions on page 241. For information on writing your own processing extensions with the Processing Extension API, see the developer documentation available on your product CD. Note: On Windows systems, dynamically loaded libraries are referred to as dynamic-link libraries (.dll file extension). On UNIX systems, dynamically loaded libraries are often referred to as shared libraries (.so file extension). You must include the file extension when you name your processing extensions. Also, file names cannot include the \ or / characters.
directory. Tip: It is possible to share a processing extension file. For details, see Sharing processing extensions between multiple servers on page 447. Depending upon the functionality that you have written into the extension, copy the library onto the following machines:
If your processing extension intercepts schedule requests only, copy your library onto each machine that is running as a Job Server.
If your processing extension intercepts view requests only, copy your library onto each machine that is running as a Page Server or RAS.
If your processing extension intercepts schedule and view requests, copy your library onto each machine that is running as a Job Server, Page Server, or RAS.
Note: If the processing extension is required only for schedule/view requests made to a particular Server Group, you need only copy the library onto each processing server in the group.
To register a processing extension with the system
1. Go to the Objects management area of the CMC.
2. Click Object Settings.
3. In the Name field, type a display name for your processing extension.
4. In the Location field, type the file name of your processing extension along with any additional path information:
If you copied your processing extension into the default directory on each of the appropriate machines, just type the file name (but not the file extension).
If you copied your processing extension to a subfolder below the default directory, type the location as: subfolder/filename
Note: Although the actual file name must include the .dll or .so extension (as appropriate to the server's operating system), you must not include the file extension in the Location field.
5. Use the Description field to add information about your processing extension.
6. Click Add. You can now select this processing extension to apply its logic to particular objects. For details, see Selecting a processing extension for a report on page 445.
Tip: To delete a processing extension, select its check box and click Delete. (Make sure that no recurring jobs are based on this processing extension because any future jobs based on this processing extension will fail.)
3. Click the Process tab, and then click the Filters link.
4. Select your processing extension in the Available Processing Extensions list.
Note: Your processing extensions appear in this list only after you have registered them with the system. For details, see Registering processing extensions with the system on page 444.
Tip: You may apply more than one processing extension to a report object. Repeat steps 4 and 5 for each processing extension; then use the up and down arrows to specify the order in which the processing extensions should be used.
5. Click Update. Your processing extension is now enabled for this report object.
On Windows, use the CCM to stop the server. Then open the server's Properties to modify the command line. Start the server again when you have finished.
On UNIX, run ccm.sh to stop the Job Server/Page Server. Then edit ccm.config to modify the server's command line. Start the server again when you have finished. For reference, see ccm.sh on page 598.
Initially, when you add hyperlinks between reports in Crystal Reports, you create a link from one file directly to another. However, when you publish linked report files simultaneously to the same object package, the links are modified to point to managed report objects. (Each link is changed, so that it references the appropriate destination report by Enterprise ID, rather than by file path.) Also, the modified links become relative inside the object package. When you schedule the object package, BusinessObjects Enterprise processes its reports, and again modifies hyperlinks within each report instance: hyperlinks between report objects in an object package are converted to hyperlinks between report instances in a specific instance of the object package. For more information on object packages, see Scheduling objects using object packages on page 471. To view hyperlinked reports, you must publish both the home and destination reports to the same BusinessObjects Enterprise system. (A home report is one that contains a hyperlink to another report: the destination report.) Note: For information about how to create hyperlinks between report objects, see the Crystal Reports Online Help.
Crystal Reports automatically determines what type of link, relative or absolute, to establish between the reports. In BusinessObjects Enterprise, relative links are those between reports in the same object package, and absolute links are links to specific report objects or instances.
possible, use the following procedure to publish reports after they have been hyperlinked. When you publish reports this way, the hyperlinks are converted to relative links.
To publish reports with existing hyperlinks
Using the Publishing Wizard, publish the reports (that are linked to each other) to the same object package.
Note: If you publish hyperlinked reports independently of each other, rather than publishing them simultaneously to the same object package, all hyperlinks between the reports will break. You must re-establish the links using Crystal Reports and save the report back to BusinessObjects Enterprise. (For more information, see the Crystal Reports Online Help.)
Security considerations
To view hyperlinked reports through BusinessObjects Enterprise, you must have the appropriate rights both in BusinessObjects Enterprise and at the database level. In BusinessObjects Enterprise, to view a destination report through a hyperlink in a home report, you must have View rights to the destination report. When the hyperlink points to a report object, you must have View On Demand rights to be able to refresh the data against the data source. For information about setting the levels of access to objects, see Setting common access levels on page 320. Database logon information is carried over between hyperlinked reports. If the credentials you specified to view the home report are not valid for the destination report, you are prompted for a valid set of database logon credentials for the destination report.
What are program objects and instances? on page 451
Setting program processing options on page 453
Program types
Three types of applications can be published to BusinessObjects Enterprise as program objects:
Executable: Executable programs are binary files, batch files, or shell scripts. They generally have file extensions such as: .com, .exe, .bat, .sh. You can publish any executable program that can be run from the command line on the machine that runs the Program Job Server.
Java: You can publish any Java program to BusinessObjects Enterprise as a Java program object. For Java program objects to have access to Java SDK objects, your class must implement the IProgramBase interface from the BusinessObjects Enterprise Java SDK (com.businessobjects.sdk.plugin.desktop.program.IProgramBase). For details, see the BusinessObjects Enterprise Java SDK Guide.
Script: Script program objects are JScript and VBScript scripts. They are run on Windows using an embedded COM object and can, once published, reference the BusinessObjects Enterprise SDK objects. For details, see the BusinessObjects Enterprise COM SDK Guide. Note: Script program objects are not supported on UNIX.
Note: As the administrator, you can choose to enable or disable any of the types of program objects. For details, see Authentication and program objects on page 458.
Once you have published a program object to BusinessObjects Enterprise, you can configure it in the Objects management area of the CMC. For each type of program object (Executable, Java, or Script) you can choose to specify command-line arguments and a working directory. For executable and Java programs, there are additional ways, both required and optional, to configure the program objects and provide them with access to other files.
Tip: Program objects allow you to write, publish, and schedule scripts or Java programs that run against BusinessObjects Enterprise, and perform maintenance tasks, such as deleting instances from the history. Furthermore, you can design these scripts and Java programs to access BusinessObjects Enterprise session information. This ensures that the scheduled program objects retain the security rights or restrictions of the user who scheduled the job. (Your scripts or Java programs require access to the BusinessObjects Enterprise SDK. For details, see the BusinessObjects Enterprise COM SDK Guide or the BusinessObjects Enterprise Java SDK Guide.)
Specifying command-line arguments on page 453
Setting a working directory for a program object on page 454
Configuring executable programs on page 455
Configuring Java programs on page 456
Authentication and program objects on page 458
3. In the Arguments field, type the command-line arguments for your program, using the same format you would use at the command line itself. For example, if your program has a loops option, to set the loops value to 100, you might type -loops 100
4. Click Update.
Configure the object to have access to external or auxiliary files. See Providing Java programs with access to other files on page 457. Customize environment variables for the shell in which BusinessObjects Enterprise runs the program. See Specifying environment variables on page 456.
If a required file is on the same machine as the Program Job Server, you can specify the full path to the file. Alternatively, if the file is not located on the Program Job Server, you can upload the file to the File Repository Server, which will pass the files to the Program Job Server as necessary.
To specify paths to required files
1. In the Objects management area of the CMC, select the executable program object by clicking its link.
2. Click the Process tab, then click the Parameters link. The Parameters page appears.
3. In the External Dependencies field, type the full path to the required file and click Add.
4. Repeat step 3 for each file required.
5. Click Update.
Tip: To edit or remove external dependencies that you have specified, select the file path (in the list of external dependencies on the Parameters page) and click the appropriate button, either Edit or Remove.
To upload required files
1. In the Objects management area of the CMC, select the executable program object by clicking its link.
2. Click the Process tab, then click the Auxiliary Files link. The Auxiliary Files page appears.
3. Click Browse to navigate to the required file, then click Add File.
4. Repeat step 3 for each required file.
5. Click Update.
Tip: To remove auxiliary files that you have specified, select the file(s) (in the list of external dependencies on the Parameters page) and click Remove File(s).
Note: BusinessObjects Enterprise sets your environment variables using the syntax that is appropriate for your operating system. However, on UNIX you must follow convention, and use the appropriate case. For example, all name values on UNIX must be typed in upper-case.
4. Click Update.
Tip: To edit or remove environment variables that you have specified, select the variable (in the list of environment variables on the Parameters page), and click the appropriate button, either Edit or Remove.
3. In the User Name and Password fields, type the credentials for the user account under which the program should run.
4. Click Update.
The settings for the Java Policy are universal for all Program Job Servers running on the same machine. By default, the Java Policy File is installed to the Java SDK directory in the BusinessObjects Enterprise install root directory. For example, a typical location on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11\conf\crystal-program.policy
What are object packages, components, and instances? on page 460
Creating an object package on page 460
Adding objects to an object package on page 461
Configuring object packages and their objects on page 462
Authentication and object packages on page 463
6. Click OK.
Note: When the object package has been added to the system, the CMC displays the Properties page. You can now modify the properties, contents, scheduling information, destination, user rights, object settings, and notification for the object package.
7. For reports, set whether to generate a thumbnail for the report, and whether to use the Object Repository when refreshing the report. For programs, set the program type: Executable, Java, or Script.
Click OK.
General object management on page 417
Report object management on page 425
Program object management on page 451
Chapter 18: Scheduling Objects

Configuration tabs and links   Configure for an object package   Configure for individual objects in a package
Properties tab                 yes                               yes
Refresh Options                -                                 yes
Links                          -                                 yes
History tab                    yes                               -
Process tab                    Scheduling server                 View & Modify server
Database                       -                                 yes
Parameters                     -                                 yes
Filters                        -                                 yes
Print Setup                    -                                 yes
Schedule tab                   yes                               -
Notification                   -                                 yes
Alert Notification             -                                 yes

Configuration tabs and links   Configure for an object package
Format                         -
Destination                    yes
Schedule For                   yes
Categories tab                 n/a
Corporate                      yes
Personal                       yes
Rights tab                     yes
Chapter 18: Scheduling Objects
Scheduling objects on page 466: This section provides information on how to schedule objects.
Managing instances on page 495: This section describes how to manage instances for an object.
Setting the scheduling options on page 476: This section describes the options on the different Schedule pages for an object, such as Notification, or Destination.
Scheduling objects
When you schedule an object, the system creates a scheduled instance for the object. A scheduled instance contains object and schedule information. It does not contain any data yet. Scheduled instances appear on the History page of the respective object and have a status of Recurring or Pending. Scheduled instances use the settings that are presently configured for the object in CMC. In order for a program object to be successfully scheduled and run, you must provide logon information for the account that the program object will run as. For details, see Authentication and program objects on page 458.
For end users to schedule and run objects, they must use a web-based client such as InfoView or a custom web application. InfoView is designed primarily to schedule objects and view reports, whereas CMC enables you to manage and administer objects in addition to scheduling objects and viewing reports.
Many scheduling options allow you to schedule an instance with events. For details, see Scheduling an object with events on page 473.
Note: If a Web Intelligence document has been set to refresh on open, then the system will access the database to obtain the latest information each time a user views the document. Therefore, it may not be advantageous to schedule Web Intelligence documents that are set to refresh on open, because running the document at scheduled times will not reduce the number of database hits.
To schedule an object
1. In the Objects management area of the CMC, select an object by clicking its link.
2. Click the Schedule tab. The Schedule page appears, showing the default settings for the object.
3. Select the recurrence pattern you want. For example, select Weekly. For a list and descriptions of the recurrence patterns, see Recurrence patterns on page 469.
4. Specify the Run option and parameters that you want. For example, select Every week on and then specify Monday, Wednesday, Friday. For a list and descriptions of the Run options and parameters, see Run options and parameters on page 469.
5. Set any of the other schedule options and parameters as required. For details, see Setting the scheduling options on page 476.
6. Click Schedule. The system creates a scheduled instance and it will run the instance according to the schedule information you just specified. You can view the scheduled instance on the History page for the object. See also Managing and viewing the history of instances on page 495.
Note: To save the schedule settings as the new default setting for the object, click Update. The new settings on the Schedule tab for the object are saved.
Which run options and parameters are available depends on the recurrence pattern you selected. In many cases the same parameters appear, such as start and end dates. The names of the recurrence patterns, options, and fields are generally self-explanatory, but for a complete description, see:
Recurrence patterns on page 469
Run options and parameters on page 469
Recurrence patterns
When scheduling an object, you can choose from the following recurrence patterns:
On demand: The object will only be run when a user requests it to be run.
Once: The object will be run only once. It can be run now or in the future, or when a specified event has occurred.
Daily: The object will be run every day. It can be run once or several times a day. You can specify what time as well as a start and end date.
Weekly: The object will be run every week. It can be run once a week or several times a week. You can specify which days, what time, and a start and end date.
Monthly: The object will be run every month or every several months. You can specify on which days of the month, what time, and a start and end date you want it to run.
Calendar: The object will be run on the dates specified in a calendar. You can specify which calendar. The calendar must have been previously created. See Chapter 19: Managing Calendars.
X and N variables: Applies to certain Daily and Monthly recurrence patterns only. When you select a Run option that contains these variables, the system displays their default values. You can then change these values as needed. For example, if you select the Daily recurrence pattern and the Every X hour(s), N minute(s) Run option, you could specify to run the report every 4 (X) hours and 30 (N) minutes. If you don't change the X or N value, the system will run the report every hour.
Start Date: Applies to most, but not all, recurrence patterns and Run options. The default is the current date and time. The system will run the object according to the schedule that you specified, as soon as it can, after the Start Date has passed. For example, if you specify a start date that is three months into the future, the system won't run the object until the start date has passed, even if all the other criteria are met. After that, the system will run the report at the specified time.
End Date: Applies to most, but not all, recurrence patterns and Run options. The default is the current time and a date in the distant future, to ensure an object will be run indefinitely. Specify a different End Date if required. Once the End Date has passed, the system no longer runs the object.
Available Events: Applies to all Run options that include "with events". Select an event and click the Add button to move it to the Events to wait for box. You can select one or several events. The system will run the object only when those events have been successfully completed. See also Scheduling an object with events on page 473.
Available Schedule Events: Applies to all Run options that include "with events". Select an event and click the Add button to move it to the Events to trigger on completion box. You can select one or several events. A successful run of the object will trigger the events that you specified. This list of events contains schedule events only. You cannot trigger file or custom events. See also Scheduling an object with events on page 473, and Chapter 20: Managing Events.
Number of retries allowed: Always applies. The number of times the system attempts to process an object if the first attempt is not successful. By default, the number is zero.
Retry interval in seconds: Always applies. The period, in seconds, that the system will wait before it attempts to process the object again if the first attempt is unsuccessful.
You must configure the processing information of each of the components of an object package individually. For example, if you want a report object in an object package to print when scheduled, you must configure it through the Print Setup link available on the report object's Process tab. For more information about configuring objects, see Managing Objects on page 415. For information about publishing hyperlinked report objects, see Working with hyperlinked reports on page 447.
To schedule objects using object packages
1. Go to the Objects management area of the CMC.
2. If the object package already exists, skip this step. Otherwise:
a. Click New Object, and then click the Object Package tab.
b. Type the package name and a description.
c. Select a destination for the object package.
d. If you want, assign the object package to a category.
e. Click OK.
f. Go to the Objects management area of the CMC again.
See also Publishing with the Central Management Console on page 385.
3. Select the check boxes associated with each object you want to place in the object package.
4. Click Copy/Move/Shortcut. The Copy/Move/Create Shortcut page appears.
5. Select Copy to.
Note: Existing objects cannot be moved into an object package; they must be copied to the object package.
6. Select the object package you created as the Destination for the objects, and then click OK.
Tip: Object packages are indicated by [square brackets]. To expand a folder, select it and click Show Subfolders. To search for a specific folder or object package, use the Look For field.
7.
4. In the Run list, select a run option that contains the words "with events".
5. Select and complete the schedule parameters for your object (scheduling option, Start Date, End Date, and so on). For a list and descriptions of the Run options and parameters, see Run options and parameters on page 469.
6. In the Available Events area, select from the list of events and click Add. For example, the report object above is set to wait for a Custom-based event to occur before the report is processed.
7. To update the default scheduling information, click Update. If you don't click Update, any changes you made to the scheduling information are not saved.
8.
To schedule an object to trigger an event
1. In the Objects management area of the CMC, select an object by clicking its link.
2. Click the Schedule tab.
3. From the list on the left of the page, select a recurrence pattern: Once, Daily, Weekly, Monthly, or by Calendar. For a list and descriptions of the recurrence patterns, see Recurrence patterns on page 469.
4. In the Run list, select a run option that contains the words "with events".
5. Select and complete the schedule parameters for your object (scheduling option, Start Date, End Date, and so on).
6. In the Available Schedule Events area, select from the list of events and click Add.
For example, the report object above is set to trigger a Schedule-based event only if the report is successfully processed.
Note: You can only select schedule-based events in this list.
7. To update the default scheduling information, click Update. If you don't click Update, any changes you made to the scheduling information are not saved.
8. Click the Schedule button to schedule the object.
Scheduling objects on page 466
Setting notification for an object's success or failure on page 476
Specifying alert notification on page 479
Selecting a destination on page 481
Choosing a format on page 491
Scheduling an object for a user or group on page 493
Report and Web Intelligence document objects: A report instance runs successfully if it doesn't encounter any errors while processing the report object or accessing the database. A report instance may fail if the user does not provide the correct parameters or logon information.
Program objects: For program objects, the program must run in order to succeed. If the program does not run, the instance is considered a failure. If the program runs, but does not perform the tasks it is supposed to, it is still considered a successful instance because the program object ran. BusinessObjects Enterprise does not monitor problems with the program object's code.
Object packages: An object package may fail if one of its components fails. To change this setting, click the object package's Properties tab and clear the Scheduled package fails upon individual component failure option. You can also set scheduling options for individual objects within an object package. Note: You cannot set audit or email notification for object packages, but you can set any type of notification for the individual objects in the object package. You can also schedule object packages with events on the Schedule tab. For more information about events, see Schedule-based events on page 512.
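Because a program object instance counts as successful whenever the program ran, an executable program object has to record its own outcome. The POSIX shell wrapper below is an added example, not code from this guide or from the product: it reads the -loops value from the Arguments field, logs the account and working directory each step runs under, and records whether each step succeeded. PROGRAM_LOG, TASK and every function name are hypothetical, and the failing task is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: wrapper for an executable program object (.sh).
# Hypothetical names, not from the guide: PROGRAM_LOG, TASK, all functions.

# Append one timestamped record to the wrapper's own log.
log_line() {
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$PROGRAM_LOG"
}

# Print the value given after -loops in the Arguments field (default 1).
# Returns 2 when the value is missing or is not a positive integer.
parse_loops() {
    loops=1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-loops" ]; then
            [ $# -ge 2 ] || return 2
            loops=$2
            shift
        fi
        shift
    done
    case "$loops" in
        '' | *[!0-9]*) return 2 ;;
    esac
    [ "$loops" -ge 1 ] || return 2
    printf '%s\n' "$loops"
}

# Run one step, capture its output in the log, and record how it ended.
# The START record names the account and working directory actually in
# effect, so they can be compared with what was configured in the CMC.
# Returns the step's own exit status so the caller can stop on failure.
run_logged() {
    step=$1
    shift
    log_line START "$step user=$(id -un 2>/dev/null || id -u) cwd=$(pwd)"
    if "$@" >> "$PROGRAM_LOG" 2>&1; then
        log_line OK "$step"
        return 0
    else
        status=$?
        log_line FAIL "$step exit=$status"
        return "$status"
    fi
}

# Entry point: repeat the task -loops times, stopping at the first failure.
main() {
    count=$(parse_loops "$@") || {
        log_line FAIL "invalid -loops argument"
        return 2
    }
    i=1
    while [ "$i" -le "$count" ]; do
        run_logged "pass-$i" "$TASK" || return $?
        i=$((i + 1))
    done
    log_line OK "all $count passes completed"
}

# Constructed task for the demonstration: succeeds once, then fails.
demo_task() {
    demo_pass=$((demo_pass + 1))
    [ "$demo_pass" -lt 2 ] || { echo "pass $demo_pass: purge failed" >&2; return 3; }
    echo "pass $demo_pass: purged"
}

# Constructed demonstration: three passes requested, the second one fails.
demo() {
    PROGRAM_LOG=$(mktemp)
    TASK=demo_task
    demo_pass=0
    main -loops 3
    demo_status=$?
    cat "$PROGRAM_LOG"
    rm -f "$PROGRAM_LOG"
    return "$demo_status"
}

demo || echo "wrapper exit status: $?"
```

In a real program object, set TASK to the path of the job's executable and call main "$@" in place of demo.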
About notification
You can set notification at the object level. You can select unique notification options for each object, sending different types of notification for different conditions. For object packages, you can set only event notification, which will trigger an event based on success or failure of the object package. To monitor object successes and failures from a more general perspective, use the auditing functionality within BusinessObjects Enterprise. If notification fails, then the object instance fails. For example, if an email notification sends a message to an invalid email address, then the notification fails and the object instance is recorded as a failure in the object's history. You can choose to notify using:
Audit notification: To use audit notification, you must configure the auditing database and enable auditing for the servers. If you use auditing to monitor your BusinessObjects Enterprise system, you can use audit notification. For more information about configuring the auditing database and enabling auditing, see Managing Auditing on page 203. When you select audit notification, information about the scheduled object is written to the auditing database. You can choose to have a notification sent to the auditing database when the job runs successfully, when it fails to run, or both. Note: For the job servers you can also set audit notification on the Auditing tab.
Email notification: You can send an email as a notification of an object instance's success or failure. You can choose the sender and recipients of the email message. You can send an email when the instance fails and when it succeeds. For example, you could send your administrator an email if the report fails, but when the report succeeds you can automatically send a notification to everyone who needs the report to let them know it is now available. Note: To enable email notification, you must have the Email SMTP destination enabled and configured on the job servers. See Configuring the destinations for job servers on page 125.
Note: Notification of a scheduled object's success or failure is not the same as alert notification. Alert notification must be built into the design of the report. For example, alert notification can send an email to you whenever a specific value in the report exceeds $1000000. In this case, the notification has nothing to do with the contents of the report; it's just about whether or not the report object instance has failed or succeeded.
To set notification for an instance's success or failure
1. Select an object in the Objects management area of the CMC.
2. Click the Schedule tab, then click the Notification link.
3. Click the notification type (or types) you want to use. Note: If the notification type is already being used, it will be labelled Enabled. If not, it will be labelled Not in use.
4. Choose the specific settings for the notification.
Audit notification: To send a record to the auditing database when the job succeeds, select A job has been run successfully. To send a record when the job fails, select A job has failed to run.
Email notification: Choose whether you want to send a notification when the job fails or when it succeeds. To specify the contents and recipients of the email notification, select Set the values to be used here and provide the From and To email addresses, the email subject line, and the message. Note: By default, the notification is sent to the server's default email destination. For details on how to change the default email settings, see Email (SMTP) destination properties on page 128.
5. Click Update.
The Alert Notification link is available only if the report object contains alerts. Alerts are triggered in the report object even if you disable alert notification. To enable alert notification, you must have the Email SMTP destination enabled and configured on the job servers. See Configuring the destinations for job servers on page 125.
To set alert notification
1. In the Objects management area of the CMC, select a report object by clicking its link.
2. Click the Schedule tab, and then click the Alert Notification link. The Alert Notification page appears.
3. Clear the Enable alert notification check box if you do not want to send an alert notification.
4. Select either Use the Job Server's defaults or Set the values to be used at schedule time here. If you select the first option, BusinessObjects Enterprise will deliver the alert notification using the Job Server's default settings. You can change these settings in the Servers management area. For more information, see Configuring the destinations for job servers on page 125.
If you select the second option, you can specify the email settings:
From: Type a return address or distribution list.
To: Type the addresses or distribution list that you wish to send the report to.
Cc: Type the addresses or distribution list that you wish to send a copy of the alert notification to.
Subject: Complete the subject field.
Message: Type a short message, if required.
Note: Separate multiple addresses or distribution lists using semicolons.
5. Type the URL for the viewer in which you want the email recipient to view the report. Alternatively, you can select the default viewer by clicking Use default. The viewer URL appears in the hyperlink that is sent in the alert notification email. You can set the default URL by clicking Object Settings on the main page of the objects management area of the CMC. For more information, see the developer documentation available on your product CD.
Note: You must use World Wide Web Consortium (W3C) URL encoding when typing the viewer URL. For example, replace spaces in the path with %20. For more information, see http://www.w3.org/
6. Type the maximum number of alert records to be included in the alert notification. The hyperlink in the alert notification displays a report page that contains the records that triggered the alert. Use this field to limit the number of records displayed.
Tip: The Alert Name and Status fields are set in Crystal Reports.
7. Click Update.
Selecting a destination
Using BusinessObjects Enterprise, you can configure an object or instance for output to a destination other than the default Output File Repository Server (FRS). When the system runs an object, it always stores the output instance on the Output FRS. Being able to choose an additional destination gives you the flexibility to deliver instances across your enterprise system or to destinations outside your enterprise system.
For example, you can set an object to have its output automatically delivered by email to other users.
Note: You can also configure object instances to be printed after they have been run. See Setting printer and page layout options on page 441.
When you specify a destination other than Default, BusinessObjects Enterprise generates a unique name for the output file or files. To generate a file name, you can use a combination of ID, name or title of the object, owner information, or the date and time information. The following destinations are available:
Default destination support on page 483
Unmanaged Disk destination support on page 483
FTP support on page 485
Email (SMTP) support on page 487
Inbox support on page 490
Note: You can change the destination setting for an object or instance either in the Central Management Console (CMC) or in InfoView. When you specify the destination settings through the CMC, these settings are also reflected in the default scheduling settings for InfoView.
For program and report objects you can specify any of the available destinations. However, for object packages and Web Intelligence documents you cannot do this, because the recipients must have access to the BusinessObjects Enterprise system to be able to open these types of objects. For example, you cannot specify Unmanaged Disk as a destination for a Web Intelligence document.
The following table summarizes which destinations you can configure for which types of objects.
Object type Report Object Package Program Web Intelligence document Unm. DIsk No No Email (SMTP) FTP No No File No No Link No Inbox File Link -
To use a destination, you must have the destination enabled and configured on the job servers. See Configuring the destinations for job servers on page 125.
The location must be a local or mapped directory on the processing server. For servers using Windows, the location can also be a Universal Naming Convention (UNC) path. The processing server must have sufficient rights to the specified location.
To set your destination to unmanaged disk
1. In the Objects management area of the CMC, select an object by clicking its link.
2. Click the Schedule tab, then click the Destination link. The Destination page appears.
3. If you want, select the Clean up instance after scheduling option. When that option is selected, the system automatically deletes the report or program instance from the Output File Repository Server to keep the number of instances on the server to a minimum.
4. Select either Use the Job Servers defaults or Set the values to be used at schedule time here. If you select the first option, BusinessObjects Enterprise will schedule an object using the Job Servers default settings. You can change these settings in the Servers management area. For more information, see Configuring the destinations for job servers on page 125. If you select the second option, you can set the file name properties and enter user information:
Default File Name (randomly generated): Select this option if you want BusinessObjects Enterprise to generate a random file name.
Specified File Name: Select this option if you want to specify a file name. You can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. When the instance is run, the variable will be replaced with the specified information from the instance. For example, if you add the variable Owner, when you schedule an object, its file name will include the object owner's name.
User Name: Specify a user who has permission to write files to the destination directory.
Password: Type the password for the user.
Note: You can specify a user name and password only for servers using Windows.
5. Click Update.
FTP support
When scheduling objects, you can configure the objects for output to a File Transfer Protocol (FTP) server. To connect to the FTP server, you must specify a user who has the necessary rights to upload files to the server. If you specify an FTP destination, the system will save an output instance to both the Output File Repository Server and the specified destination.
If the object is a Web Intelligence document or an object package, you cannot specify FTP as a destination. However, for an object package you can configure the individual objects in the object package for output to FTP.
Note: To use a destination, you must have the destination enabled and configured on the job servers. See Configuring the destinations for job servers on page 125.
To set an FTP server as the destination
1. In the Objects management area of the CMC, select an object by clicking its link.
2. Click the Schedule tab, then click the Destination link. The Destination tab appears.
4. If you want, select the Clean up instance after scheduling option. When that option is selected, the system automatically deletes the report or program instance from the Output File Repository Server to keep the number of instances on the server to a minimum.
5. Select either Use the Job Servers defaults or Set the values to be used at schedule time here. If you select the first option, BusinessObjects Enterprise will schedule an object using the Job Servers default settings. You can change these settings in the Servers management area. For more information see Configuring the destinations for job servers on page 125.
If you select the second option, you can set the FTP and file name properties:
Host: Enter the FTP host information.
Port: Enter the FTP port number (the default is 21).
FTP User Name: Specify a user who has the necessary rights to upload an object to the FTP server.
FTP Password: Enter the user's password.
Account: Enter the FTP account information, if required. Account is part of the standard FTP protocol, but it is rarely implemented. Provide the appropriate account only if your FTP server requires it.
Destination Directory: Enter the FTP directory that you want the object to be saved to.
Default File Name (randomly generated): Select this option if you want BusinessObjects Enterprise to generate a random file name.
Specified File Name: Select this option if you want to enter a file name. You can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add.
6. Click Update.
Note: To use a destination, you must have the destination enabled and configured on the job servers. See Configuring the destinations for job servers on page 125.
Note: If the object is a Web Intelligence document, you cannot specify Email (SMTP) as a destination.
To send an object by email
1. In the Objects management area of the CMC, select an object by clicking its link.
2. Click the Schedule tab, then click the Destination link. The Destination page appears.
3. Select Email (SMTP) from the Destination list.
4. When that option is selected, the system automatically deletes the report or program instance from the Output File Repository Server to keep the number of instances on the server to a minimum.
5. Select either Use the Job Servers defaults or Set the values to be used at schedule time here. If you select the first option, BusinessObjects Enterprise will schedule an object using the Job Servers default settings. You can change these settings in the Servers management area. For more information, see Configuring the destinations for job servers on page 125. If you select the second option, you can specify the email settings and the file name properties:
From: Enter a return address.
To: Enter an address or addresses that you wish to send the object to. Separate multiple addresses with semicolons.
Cc: Enter an address or addresses that you wish to send a carbon copy of the object to.
Subject: Complete the subject field.
Message: Type a short message, if required.
Add viewer hyperlink to message body: Click Add if you want to add the URL for the viewer in which you want the email recipient to view the object. You can set the default URL by clicking Object Settings on the main page of the Objects management area of the CMC.
Attach object instance to email message: Clear this check box if you do not want a copy of the instance attached to the email.
Default File Name (randomly generated): Select this option if you want BusinessObjects Enterprise to generate a random file name.
Specified File Name: Select this option if you want to enter a file name. You can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add.
6. Click Update.
Inbox support
When scheduling objects, you can configure objects for output to the inboxes of users. In this case, the system will save the instance to both the Output File Repository Server and the inboxes you specified. Instead of sending the actual file to the inboxes, you can choose to send a shortcut.
Note: To use a destination, you must have the destination enabled and configured on the job servers. See Configuring the destinations for job servers on page 125.
To send an object to inboxes
1. In the Objects management area of the CMC, select an object by clicking its link.
2. Click the Schedule tab, then click the Destination link. The Destination tab appears.
3. Select Inbox from the Destination list.
4. If you want, select the Clean up instance after scheduling option. When that option is selected, the system automatically deletes the report or program instance from the Output File Repository Server to keep the number of instances on the server to a minimum.
5. Use the Job Servers defaults: BusinessObjects Enterprise will schedule the object with the job server's default settings. For more information, see Configuring the destinations for job servers on page 125.
Set the values to be used at schedule time here: BusinessObjects Enterprise will schedule the object with the parameters you specify.
6. If you selected Set the values to be used at schedule time here, set the parameters for that option; otherwise skip this step:
Send Document as
Shortcut: The system will send a shortcut to the instance, rather than send a copy of the instance itself.
Copy: The system will send a copy of the instance.
Send List Operation: Specify who must receive the report instance. You can select individual users or user groups.
Look for: Use this feature to search for a specific user or user group. Type the name and then click Find now.
7. Click Update.
Choosing a format
Web Intelligence document formats For Web Intelligence documents, you can select the format that the document will be saved in when it is generated. This format will be saved to the destination you have selected. For more information on destinations, see Selecting a destination on page 481. You can select from the following formats:
Crystal report formats For Crystal report objects, you can select the format that a report instance will be saved in when it is generated by BusinessObjects Enterprise. This format will be saved to the destination you have selected for the report object and its instances. For more information on destinations, see Selecting a destination on page 481. You can select from the following formats:
Crystal Report
Microsoft Excel
Microsoft Excel (Data Only)
Microsoft Word (RTF)
Adobe Acrobat
Rich Text
Editable Rich Text
Plain Text
Paginated Text
Tab-Separated Text
Tab-Separated Values
Character-separated Values
For Excel, Paginated Text, Tab-separated Values, and Character-separated Values, you specify certain formatting properties for the report. For example, if you select Character-separated Values, you can enter characters for the separator and delimiter; you can also select the two check boxes: Same number formats as in report and Same date formats as in report.
Note:
If you choose to print the report when it is scheduled (by checking the Print in Crystal Reports format using the selected printer when scheduling check box on the Print Setup page), the report instance is automatically sent to the printer in Crystal Reports format. This does not conflict with the format you select when scheduling the report.
The difference between Excel and Excel (Data only) is that Excel attempts to preserve the look and feel of your original report, while Excel (Data only) saves only the data, with each cell representing a field.
The Tab-separated Values format places a tab character between values; the Character-separated Values format places a specified character between values. Each of these two formats produces data lists. In contrast, the Tab-separated Text format attempts to preserve the formatting of the report.
To select a format for the report
1. In the Objects management area of the CMC, select a report object by clicking its link.
2. On the Schedule tab, click the Format link. The Format page appears.
3. Select a format from the Format list.
4. Complete any fields that appear below the list and select (where appropriate) the check boxes that appear.
5. Click Update.
Crystal reports that are based on Business Views
Web Intelligence documents that use Universes
Using the Schedule For feature you can schedule an object and specify for which users you want the system to run the object. The system will run the object and generate multiple instances of the report or document. Each instance will contain data that is relevant to the individual user only.
For example, you can schedule a sales report and on the Schedule For page you can specify the users' names for all your sales representatives. At the specified time, the system runs the report object and generates the individual report instances. Each instance would contain sales information for the individual sales representative only.
To change the Schedule For settings for an object
1. In the Objects management area of the CMC, select a report object by clicking its link.
2. On the Schedule tab, click the Schedule For link. The Schedule For page appears.
3. Schedule only for myself
Schedule for specified users and user groups
4. If you selected Schedule for specified users and user groups, select one or more users or groups and add them to the Groups to be added to the scheduling list by using the arrow buttons. Otherwise, skip this step.
5. Click Update.
Managing instances
To view or manage instances, go to the History page for the object. That page lists the scheduled instances and the output instances for an object:
Scheduled instances will have a status of Recurring or Pending. The system has not yet run these instances, and the instances do not contain any data yet. Output instances, that is, actual report or program instances, will have a status of Success or Failed, which indicate whether they were run successfully:
A report instance contains actual report data.
A program instance stores the program's standard out and standard error in a text output file.
From the History page, you can also choose to delete, run, pause, and refresh instances. See Managing and viewing the history of instances on page 495. To manage storage space, it is good practice to limit the number of possible instances for an object, or to provide a time limit for the instances. See Setting instance limits for an object on page 498.
instances exist as records in the object history. BusinessObjects Enterprise stores the program's standard out and standard error in a text output file. This file appears when you click a program instance in the object History. Managing instances includes the following tasks:
Viewing an instance on page 496
Pausing or resuming an instance on page 497
Deleting an instance on page 498
Sending an object or instance on page 420
To manage instances
1. In the Objects management area of the CMC, select an object by clicking its link.
2. Click the History tab. The History tab appears.
3. Select an instance or instances by selecting the appropriate check boxes. To select all instances, click the check box in the column heading.
Note: To refresh the list, click Refresh. In this case you don't need to select an instance first.
4. Click either Run Now, Pause, Resume, Send to, or Delete. If you click Run Now, the system schedules the object to be run immediately. The scheduled job will have a status of Pending. For information about the Send to button, see Sending an object or instance on page 420.
Viewing an instance
To view an instance
1. Select an object in the Objects management area of the CMC.
2. Click the History tab.
3. In the Instance Time column, click the instance you want to view.
You can also use the Instance Manager tool to view a list of instances by status or by user. Access the Instance Manager by clicking its link in the Administrative Tools area of the BusinessObjects Enterprise Administration Launchpad.
Deleting an instance
You can delete instances from an object as needed. You can delete both scheduled instances, which have a status of Recurring or Pending, and report or program instances, which have a status of Success or Failed.
To delete an instance
1. Go to the History page for an object.
2. Select the check box for the instance or instances you want to delete.
3. Click Delete.
3. Make your settings according to the types of limits you want to set for your instances. The options are as follows:
Delete excess instances when there are more than N instances of an object
To limit the number of instances per object, select this check box. Then type the maximum number of instances that you want to remain on the system. (The default value is 100.)
Delete excess instances for the following users/groups
To limit the number of instances for users or groups, click Add/Remove in this area. Select from the available users and groups and click OK. Then type the maximum number of instances in the Instance Limit column. (The default value is 100.)
Delete instances after N days for the following users/groups
To limit the number of days that instances are saved for users or groups, click Add/Remove in this area. Select from the available users and groups and click OK. Then type the maximum age of instances in the Maximum Days column. (The default value is 100.)
4. Click Update.
Chapter 19 Managing Calendars
Overview
Calendars make it easy for you to schedule complex recurring jobs efficiently. A calendar is a customized list of run dates for scheduled jobs. When users schedule objects, they can use a calendar to run the job on a predefined set of dates. By providing calendars for your users, you can create more complex processing schedules than you can with the standard scheduling options.
Calendars are particularly useful when you want to run a recurring job on an irregular schedule, or if you want to provide users with sets of regular scheduling dates to choose from. Calendars also allow you to create more complex processing schedules, combining unique scheduling dates with recurring ones. For example, if you want a report object to run every business day except for your country's statutory holidays, you can create a calendar with the holidays marked as non-run days, on which the report object cannot be run. BusinessObjects Enterprise will run the job every day you have specified as a run day in your calendar.
You can set up as many calendars as you want in BusinessObjects Enterprise. Calendars you create appear in the Calendar selection list available when you choose to schedule an object using a calendar. When you apply the calendar to a job, BusinessObjects Enterprise runs the job on the run dates as scheduled. You can apply calendars to any object that can be scheduled, including report objects, program objects, and object packages.
Managing calendars includes:
Creating calendars on page 502
Adding dates to a calendar on page 503
Deleting calendars on page 507
Specifying calendar rights on page 508
Creating calendars
In the Central Management Console (CMC), go to the Calendars management area to create new calendars and to modify existing calendars. To create a calendar, you need to provide a name and description. When the calendar is created, you can add run dates to it using the Dates tab. Tip: It is good practice to create a calendar for users to use as a template for creating new calendars. They can copy this template calendar and modify it as necessary. For example, you can create a default Weekdays calendar that includes all days as run dates except weekends and company holidays.
To create a calendar
1. Go to the Calendars management area of the CMC.
2. Click New Calendar.
3. On the Properties tab, type the name and description of the new calendar. This example creates a calendar for Canadian employees that schedules an object on all weekdays except statutory Canadian holidays.
4. Click Update. The new calendar is added to the system, and its Properties tab is refreshed. You can now use the Dates tab to add run dates to this calendar. For details, see Adding dates to a calendar on page 503.
4. In the Select a calendar displaying format list, choose from one of the five calendar format options:
Yearly
Yearly displays the calendar's run dates for the year. To change the year displayed, you can click the Previous Year and Next Year buttons. To add a date from the Yearly format, click a month to open it in Monthly format, where you can add run dates to specific days.
Quarterly
Quarterly displays the calendar's run dates for the current calendar quarter. You can change the displayed quarter using the Previous Quarter and Next Quarter buttons. To add a date from the Quarterly format, click a month to open it in Monthly format, where you can add run dates to specific days.
Monthly
Monthly displays the calendar's run dates for the current month. You can change the displayed month using the Previous Month and Next Month buttons.
Generic Monthly, by Day of Week
Generic Monthly, by Day of Week allows you to add general recurring dates based on the day of the week. The dates are applied to the months specified between the Start and End Dates. Week 1 starts on the Sunday of the week of the Start Date you specify. Note that this format does not display the currently selected dates from the calendar; it only allows you to add new dates and update the schedule.
Generic Monthly, by Day of Month
Generic Monthly, by Day of Month allows you to add general recurring dates based on the day of the month. The dates are applied to the months specified between the Start and End Dates. This format allows you to add new dates and update the schedule; it does not display currently selected dates from the calendar.
See also Specific dates on page 505 and Recurring dates on page 506.
5. Click the days of the month that you want to include as run days for the calendar. To remove a run day, click the day again.
Tip: For the Monthly and Generic Monthly, by Day of Week formats, you can select multiple dates at once by clicking the row or column headings.
6. To add the new dates to the calendar, click Update.
If you added dates using a generic format, the Yearly format will automatically appear, displaying the new dates. Note: When you change an existing calendar, BusinessObjects Enterprise checks all currently scheduled instances in your system. Objects that use the edited calendar are automatically updated to run on the revised date schedule.
Specific dates
To add a specific date to a calendar, use the Yearly, Quarterly, and Monthly formats to add dates to the calendars. The Yearly format displays the run schedule for the entire year. The Quarterly format displays the run dates for the current quarter. You can also view the Monthly format for the calendar, which displays the run dates for the current month. In all three formats, you can change the displayed time range by clicking the previous and next buttons. You can add specific dates in the Monthly calendar format. To add dates for the Yearly and Quarterly calendar formats, click a month to open it in the Monthly format, where you can select specific days as run dates.
For example, if your company ships products according to an irregular schedule that cannot be defined using the daily or weekly settings, you can create a list of these dates in a Shipping dates calendar. The Shipping department can now check the inventory after each shipment by scheduling a report that uses the calendar to run at the end of each shipping day.
Recurring dates
To create a recurring pattern of monthly run dates, use the generic Monthly formats. You can add the generic dates based on the day of the week or the day of the month. To view existing run dates, you must use the Yearly, Quarterly, or Monthly format; the generic formats are used to add dates to the calendar. Although you can set a recurring schedule using the standard scheduling options, calendars allow you to specify several different recurring run patterns at once. You can also run instances on dates that do not follow the pattern by adding individual days to a calendar. For example, to schedule a report object to run on the first four days of every month, and on the second and fourth Friday of every month, first create a new calendar object and name it. Then, use the Generic Monthly, by Day of Month format to add the first four days of the month to this calendar. When you update the calendar, the Yearly format appears with the new run dates.
To add every second and fourth Friday to the calendar, use the Generic Monthly, by Day of Week format.
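To check what a set of recurring rules should produce before applying it to a calendar that scheduled objects depend on, the scenario above (the first four days of every month plus the second and fourth Friday) is expanded here as an added example; it is not BusinessObjects code. The function names are hypothetical, and counting the n-th Friday within the calendar month is an assumption about how the rule is meant.

```python
import calendar
from datetime import date

FRIDAY = 4  # datetime.date.weekday() numbering: Monday is 0


def month_run_dates(year, month, days_of_month=(), nth_weekdays=(), non_run=()):
    """Expand one month's run dates from the two recurring rule types.

    days_of_month: day numbers, as in "Generic Monthly, by Day of Month".
    nth_weekdays:  (n, weekday) pairs, e.g. (2, FRIDAY) for the second Friday
                   (assumption: n is counted within the calendar month).
    non_run:       specific dates removed afterwards, e.g. holidays.
    """
    last_day = calendar.monthrange(year, month)[1]
    wanted = set(nth_weekdays)
    picked = set()
    # Day-of-month rule; a day such as 31 is skipped in shorter months.
    for d in days_of_month:
        if 1 <= d <= last_day:
            picked.add(date(year, month, d))
    # Day-of-week rule: count each weekday's occurrences within the month.
    seen = {}
    for d in range(1, last_day + 1):
        day = date(year, month, d)
        wd = day.weekday()
        seen[wd] = seen.get(wd, 0) + 1
        if (seen[wd], wd) in wanted:
            picked.add(day)
    return sorted(picked - set(non_run))


def year_run_dates(year, **rules):
    """Run dates for a whole year, comparable to what a yearly view lists."""
    out = []
    for month in range(1, 13):
        out.extend(month_run_dates(year, month, **rules))
    return out


# Constructed sample: the rules from the text, applied to the year 2004.
RULES = dict(days_of_month=(1, 2, 3, 4),
             nth_weekdays=((2, FRIDAY), (4, FRIDAY)))

if __name__ == "__main__":
    for day in month_run_dates(2004, 1, **RULES):
        print(day.isoformat(), day.strftime("%A"))
```

Comparing this list with the Yearly view after clicking Update is a quick way to confirm that the calendar holds the dates you intended.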
Deleting calendars
When you delete a calendar, any objects that are scheduled according to the deleted calendar will be run one more time by the system. After that, the system won't be able to schedule the objects again, because the calendar no longer exists. To ensure the objects continue to be run, change the scheduling information for the objects either by selecting a different calendar or a different recurrence pattern. See Scheduling objects on page 466.
To delete a calendar
1. Go to the Calendars management area of the CMC.
2. Select the check box associated with the calendar you want to delete.
Tip: Select multiple check boxes to delete several calendars.
3. Click Delete, and click OK to confirm.
Chapter 20 Managing Events
File events When you define a file-based event, you specify a filename that the Event Server should monitor for a particular file. When the file appears, the Event Server triggers the event. For instance, you might want to make some reports dependent upon the regular file output of other programs or scripts. For details, see File-based events on page 511.
Schedule events When you define a schedule-based event, you select an object whose existing recurrence schedule will serve as the trigger for your event. In this way, schedule-based events allow you to set up contingencies or conditions between scheduled objects. For instance, you might want certain large reports to run sequentially, or you might want a particular sales summary report to run only when a detailed sales report runs successfully. For details, see Schedule-based events on page 512.
Custom events When you create a custom event, you create a shortcut for triggering an event manually. Basically, your custom event occurs only when you or another administrator clicks the corresponding Trigger this event button in the CMC. For details, see Custom events on page 514.
When working with events, keep in mind that an object's recurrence schedule still determines how frequently the object runs. For instance, a daily report that is dependent upon a file-based event will run, at most, once a day (so long as the file that you specify appears every day). In addition, the event must occur within the time frame established when you actually schedule the event-based report.
Note: For information on scheduling an event-based object in the Objects management area of the CMC, see Scheduling an object with events on page 473.
File-based events
File-based events wait for a particular file (the trigger) to appear before the event occurs. Before scheduling an object that waits for a file-based event to occur, you must first create the file-based event in the Events management area of the CMC. Then you can schedule the object and select this event. For more information on scheduling an object with events, see Scheduling an object with events on page 473.
File-based events are monitored by the Event Server. When the file that you specify appears, the Event Server triggers the event. The Central Management Server (CMS) then releases any schedule requests that are dependent on the event.
For instance, suppose that you want your daily reports to run after your database analysis program has finished and written its automatic log file. To do this, you specify the log file in your file-based event, and then schedule your daily reports with this event as a dependency. When the log file appears, the event is triggered and the reports are processed.
Note: If the file already exists prior to the creation of the event, the event is not triggered. In this case, the event is triggered only when the file is removed and then recreated. If you want an event to be triggered multiple times, you must remove and recreate the file each time.
To create a file-based event
1. Go to the Events management area of the CMC.
2. Click New Event. The New Event page appears.
3. In the Type list, select File.
4. Type a name for the event in the Event Name field.
5. Complete the Description field.
6. In the Server list, select the Event Server that will monitor the specified file.
7. Type a filename in the Filename field.
Note: Type the absolute path to the file that the Event Server should look for (for example, C:\folder\filename, or /home/folder/filename). The drive and directory that you specify must be visible to the Event Server. Ideally, the directory should be on a local drive.
8. Click OK.
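The trigger behaviour described in this section (a file that already exists does not fire the event, and the file must be removed and recreated for each new trigger) is modelled below as an added example; it is not BusinessObjects code and not the Event Server's implementation. FileEventMonitor, run_with_trigger, the polling model and the file names are assumptions made for illustration.

```python
import os
import tempfile


class FileEventMonitor:
    """Hypothetical model of a file-based event: fires when the file appears."""

    def __init__(self, path):
        if not os.path.isabs(path):
            raise ValueError("trigger path must be absolute: %r" % path)
        self.path = path
        # State when the event is created. A file that already exists is
        # remembered as present, so it cannot fire the event by itself.
        self._present = os.path.exists(path)
        self.fired = 0

    def poll(self):
        """Return True only on an absent -> present transition."""
        now = os.path.exists(self.path)
        triggered = now and not self._present
        self._present = now
        if triggered:
            self.fired += 1
        return triggered


def run_with_trigger(path, job):
    """Producer side: clear the old trigger, run the job, signal on success.

    Removing the file before the job starts keeps it absent for the whole
    run, so the next creation is a real "file appears" transition. A failed
    job leaves no trigger behind, so dependent reports are not released.
    """
    if os.path.exists(path):
        os.remove(path)
    ok = bool(job())
    if ok:
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write("done\n")
        os.replace(tmp, path)  # the trigger shows up complete, in one step
    return ok


def demo():
    """Walk through the cases from the text; returns the poll results."""
    results = []
    with tempfile.TemporaryDirectory() as folder:
        trigger = os.path.join(folder, "analysis.log")  # constructed name
        open(trigger, "w").close()       # file exists before the event does
        monitor = FileEventMonitor(trigger)
        results.append(monitor.poll())   # False: pre-existing file

        def job(outcome):
            def run():
                results.append(monitor.poll())  # False: absent during the run
                return outcome
            return run

        run_with_trigger(trigger, job(True))
        results.append(monitor.poll())   # True: removed, then recreated
        results.append(monitor.poll())   # False: still present, no re-fire
        run_with_trigger(trigger, job(False))
        results.append(monitor.poll())   # False: failed job, no trigger file
        run_with_trigger(trigger, job(True))
        results.append(monitor.poll())   # True: second trigger
    return results


if __name__ == "__main__":
    print(demo())
```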
Schedule-based events
Schedule-based events are dependent upon scheduled objects. That is, a schedule-based event is triggered when a particular object has been processed. When you create this type of event, it can be based on the success or failure of a scheduled object, or it can be based simply on the completion of the job.
Most importantly, you must associate your schedule-based event with at least two scheduled objects. The first object serves as the trigger for the event: when the object is processed, the event occurs. The second object is dependent upon the event: when the event occurs, this second object runs. For more information on scheduling objects with events, see Scheduling an object with events on page 473.
For instance, suppose that you want report objects R1 and R2 to run after program object P1 runs. To do this, you create a schedule-based event in the Events management area. You specify the Success option for the event, which means that the event is triggered only when program P1 runs successfully. Then, you schedule reports R1 and R2 with events, and select your new schedule-based event as the dependency. Schedule program P1 with events, and set program P1 to trigger the schedule-based event upon successful completion. Now, when program P1 runs successfully, the schedule-based event is triggered, and reports R1 and R2 are subsequently processed.
To create a schedule-based event
1. Go to the Events management area of the CMC.
2. Click New Event. The New Event page appears.
3. 4. 5.
In the Type list, select Schedule. Type a name for the event in the Event Name field. Complete the Description field.
513
20
6.
Success The event is triggered only upon successful completion of a specified object. Failure The event is triggered only upon non-successful completion of a specified object. Success or Failure The event is triggered upon completion of a specified object, regardless of whether that object was processed successfully or not.
7.
Click OK.
Custom events
A custom event occurs only when you explicitly click its Trigger this event button. As with all other events, an object based on a custom event runs only when the event is triggered within the time frame established by the object's schedule parameters. Custom events are useful because they allow you to set up a shortcut that, when clicked, triggers any dependent schedule requests.
Tip: When developing your own web applications, you can trigger Custom events from within your own code, as required. For more information, see the developer documentation available on your product CD.
For instance, you may have a scenario where you want to schedule a number of reports, but you want to run them after you have updated information in your database. To do this, create a new custom event, and schedule the reports with that event. When you update the data in the database and you need to run the reports, return to the event in the CMC and trigger it manually. BusinessObjects Enterprise then runs the reports. For more information on event-based scheduling, see Scheduling an object with events on page 473.
Note: You can trigger a custom event multiple times. For example, you might schedule two sets of event-based program objects to run daily: one set runs in the morning, and one set runs in the afternoon. When you first trigger the related custom event in the morning, one set of programs is run; when you trigger the event again in the afternoon, the remaining set of programs is run. If you neglect to trigger the event in the morning and trigger it only in the afternoon, both sets of programs run at that time.
To create a custom event
1. Go to the Events management area of the CMC.
2. Click New Event.
3. In the Type list, select Custom.
4. Type a name for the event in the Event Name field.
5. Complete the Description field.
6. Click OK.
Note: Before you trigger this custom event, schedule an object that is dependent upon this event.
To trigger a custom event
1. Go to the Events management area of the CMC.
2. In the Event Name column, select a custom event by clicking its link.
3. Click Trigger this event. A message appears: This event has been triggered.
4. Click Add/Remove to add users or groups that you want to give access to the event. The Add/Remove page appears.
5. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users.
6. Select the user or group you want to grant access to the specified event.
7. If you have many users on your system, select the Add Users operation; then use the Look for field to search for a particular account.
8. Click OK.
9. On the Rights tab, change the Access Level for each user or group, as required. Note: For complete details on the predefined access levels and advanced rights, see Rights and Access Levels on page 563.
Chapter 21 General Troubleshooting
Troubleshooting overview
BusinessObjects Enterprise is designed to integrate with a multitude of different operating systems, web servers, network and firewall configurations, database servers, and reporting environments. Thus, any troubleshooting that you may need to undertake will likely reflect the particularities of your deployment environment. This chapter includes general troubleshooting steps along with solutions to some specific configuration issues. In general, consider the following key points when troubleshooting:
- Ensure that client and server machines are running supported operating systems, database servers, database clients, and appropriate server software. For details, consult the Platforms.txt file, included with your product distribution.
- Verify that the problem is reproducible, and take note of the exact steps that cause the problem to recur.
- On Windows, use the sample reports and sample data included with the product to confirm whether or not the same problem exists.
- Determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another.
- If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration.
- If the problem relates to connectivity or functionality over the Web, check that BusinessObjects Enterprise is integrated properly with your web environment. For details, see BusinessObjects Enterprise Installation Guide and Web accessibility issues on page 519.
- If the problem relates to report viewing or report processing, verify your database connectivity and functionality from each of the affected machines. Use Crystal Reports to verify that the report can be viewed properly. If the Job or Page Servers are running on Windows, open the report in Crystal Reports on the server machine and check that you can refresh the report against the database. For details, see Report viewing and processing issues on page 521.
- Look for solutions in the documentation included with your product. For details, see Documentation resources on page 519.
- Check out the Business Objects Customer Support technical support web site for white papers, files and updates, user forums, and Knowledge Base articles: http://support.businessobjects.com/
Documentation resources
The BusinessObjects Enterprise Release Notes are provided in the root directory of your product distribution, as is the Platforms.txt file. These documents list supported third-party software along with any known issues or implementation-specific configuration details. BusinessObjects Enterprise also includes a number of manuals. CHM and PDF files are located in the doc directory of your product distribution. Access the HTML versions from the BusinessObjects Enterprise Administrator Launchpad, or from within the CMC or InfoView. Additional Compiled HTML Help (CHM) files are provided with the following client tools:
- Central Configuration Manager
- Publishing Wizard
- Repository Migration Wizard
- Import Wizard
- Crystal Report Offline Viewer
Press F1 or click Help to launch the online help from within these applications.
Use the CCM to start the CMS. (If the CMS was already started, use the CCM to restart it.)
This error may occur for various reasons. Investigate these common solutions:
- Ensure that the specified authentication type corresponds to the user name and password provided on the log on page. To log on with a Windows NT user name, verify that the authentication type is set to Windows NT Authentication and not Enterprise.
- Netscape users must provide a valid Windows NT user name in the form of Domain\User.
- Microsoft Internet Explorer users must provide a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS.
- If Windows NT Integrated security (NT Challenge/Response) is enabled in Internet Information Services (IIS) and in the Web Component Adapter (WCA), then users must use Microsoft Internet Explorer. In addition, users must log on to the client machine with a valid NT domain user account before logging on to BusinessObjects Enterprise.
- Users must log on to BusinessObjects Enterprise with a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS.
- The web server and all BusinessObjects Enterprise components must be running on Windows NT/2000 for Windows NT authentication to work.
   - If the report runs successfully on demand, but fails when scheduled, start Crystal Reports on the Job Server.
   - If the report fails when viewed on demand, but runs successfully when scheduled, start Crystal Reports on the Page Server.
   - If the report fails when viewed on demand with the Advanced DHTML viewer, start Crystal Reports on the RAS.
   - If the report fails in all cases, first complete these troubleshooting steps on one processing server; then verify whether or not the problem is resolved on all processing servers. If not, repeat the steps on a different processing server.
2. Open the report from the CMS. On the File menu, click Open. Click Enterprise Folders and log on to your CMS. If you cannot open the report, verify network connectivity between the server you are working on, the CMS, and the Input File Repository Server.
3. Test your database connection and authentication. On the Database menu, click Log On/Off Server. If you cannot log on to the database server, check the configuration of the database client software and ensure that the report contains a valid database user name and password.
4. If the report's parameters or record selection need to be modified by BusinessObjects Enterprise users when they schedule or view the report, change the parameter values or record selection formula accordingly. If the values are invalid, Crystal Reports will report an error.
5. Verify that the tables used in the report match the tables in the database. On the File menu, clear the Save Data with Report check box. On the Database menu, click Verify Database. Correct any issues reported by Crystal Reports, and then save the report.
6. Refresh the report and, if current data is not returned from the database, check these possible causes:
   - If the report fails, ensure that the database credentials provide READ rights to all tables in the report.
   - If the database credentials are valid, the report's SQL statement is evaluated at this time. Check the join information. Note any ODBC errors that are produced.
   - If the SQL statement is valid, data begins to return to Crystal Reports. As this happens, the temporary files increase in size. Verify resource allocation in case the machine is running out of memory or disk space.
7. Go to the last page of the report. Crystal Reports will report any errors that it encounters within the report (such as formulas, subreports, and other objects).
8. Export the report to Crystal Reports format (or any other desired format). This step ensures that Crystal Reports is able to create temporary files that are required in order to complete the processing of a report.
9. If the report now refreshes successfully, save it back to the CMS.
10. Close the report.
11. Close Crystal Reports.
12. Repeat the activity that caused the original report to fail: view the report on demand over the Web, or schedule the report for processing.
Base reports off System DSNs (and not File or User DSNs), and set up each System DSN identically on every Job Server, Page Server, and RAS machine that will process the report. If the report is based off an ODBC data source, the processing server must have permission to access the corresponding DSN configuration. This information is stored in the Windows registry. The Job Server, Page Server, and RAS require Full Control or Special Access to the ODBC registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI
Consult your Windows documentation for information about working with the registry. Additional configuration may be required, depending upon the database that you are reporting off of. For details, see Configuring Windows processing servers for your data source on page 132.
4. Determine the configuration of the database client software. If you are not using ODBC, the database client software must be installed on each machine that will process reports. On Windows, many database clients store their configuration in the registry below HKEY_LOCAL_MACHINE. If your database client stores its configuration below HKEY_CURRENT_USER, the BusinessObjects Enterprise services cannot use the database client software to communicate with the database.
5. Verify the NTFS permissions granted to the Job Server, Page Server, and RAS. Insufficient NTFS rights on the server may cause a number of problems to arise when you view reports over the Web. As in step 2, changing each server's logon account to that of a Domain Administrator account should resolve such problems. For the minimum set of NTFS permissions required by BusinessObjects Enterprise, see Configuring NTFS Permissions on page 569.
6. Check whether or not NT authentication is performed by the database. If you report against a database that uses NT authentication for access control (Microsoft SQL Server, Sybase, and so on), the Job Server, Page Server, and RAS must run under a Windows NT/2000 domain user account that has access to the appropriate database tables. (In this scenario, each server's logon account determines the level of access it is granted by the database. BusinessObjects Enterprise does not pass end users' NT tokens through to the database server.) To retain the access control levels that are set up within the database, you can instead change each ODBC DSN so that it implements SQL Server Login instead of NT authentication.
7. Check the available environment variables. Environment variables are used by the operating system to govern and manage system files for particular users. On Windows, BusinessObjects Enterprise servers are generally most affected by the TMP and TEMP environment variables. Because the servers are run as services, they cannot access the User Environment variables that are created by default. Therefore, it is recommended that you create System Environment variables if they do not already exist. Consult your Windows documentation for details.
8. Reference remote data sources with UNC paths. Ensure that servers have access to remote databases through UNC paths, instead of through mapped drives. For example, if you design a report off a PC database that resides on a network drive, ensure that the report references its data source with the appropriate UNC path. For details, see Ensuring that server resources are available on local drives on page 526.
9. Ensure that you have enough database client licenses. If all database client licenses are in use, the BusinessObjects Enterprise servers are unable to retrieve data from the database.
10. Check that database connections are closed in a timely fashion. If a database connection is not closed quickly, the database may not service another request until the connection has been closed. To decrease the Minutes Before an Idle Job is Closed setting, see Modifying Page Server performance settings on page 115.
11. Use multi-threaded database drivers. Multi-threaded database drivers allow the processing servers to connect to the database without having to wait for the database to fulfill initial requests. ODBC connections are typically recommended because they provide multithreaded connections to the database. However, Crystal Reports now includes a number of thread-safe native and OLEDB drivers. A list of these thread-safe drivers is available in the Crystal Reports Release Notes.
12. Check for problems with particular data sources. If your report is based on a Lotus Notes database, you may need to perform additional configuration. Download the latest instructions from the Business Objects Customer Support Knowledge Base.
IBM offers several client applications for connecting to DB2. The recommended client is IBM DB2 Direct Connect, whose ODBC drivers were written for actual programmatic interaction with products like BusinessObjects Enterprise. See the Business Objects Customer Support Knowledge Base for discussions of this and other DB2 clients. If you encounter problems with any other specific data sources, check the Knowledge Base for the latest information.
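A preflight for the System DSN, system environment variable and UNC path checks in the steps above, as an added example that is not part of the guide or the product. The function names and the sample DSNs and paths are constructed; the ODBC Data Sources subkey and the Session Manager Environment key are standard Windows registry locations that the guide itself does not name, and the set of local drive letters is an assumption you supply.

```python
"""Preflight checks for a Windows processing server (DSN, TEMP/TMP, UNC paths)."""
import ntpath
import sys

# Standard Windows registry locations (not named in the guide itself).
ODBC_SOURCES = r"SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources"
SYSTEM_ENV = r"SYSTEM\CurrentControlSet\Control\Session Manager\Environment"


def classify_path(path, local_drives=("C:",)):
    """Classify a file data-source path as a service account would see it."""
    drive, _ = ntpath.splitdrive(path.replace("/", "\\"))
    if drive.startswith("\\\\"):
        return "unc"
    if len(drive) == 2 and drive[1] == ":":
        # A drive letter outside the known local set may be a mapped drive,
        # which a service cannot see.
        return "local" if drive.upper() in local_drives else "possibly-mapped"
    return "relative"


def classify_dsn(name, system_dsns, user_dsns):
    """Return 'system', 'user-only' or 'missing' (DSN names compared case-insensitively)."""
    key = name.lower()
    if key in {d.lower() for d in system_dsns}:
        return "system"
    if key in {d.lower() for d in user_dsns}:
        return "user-only"
    return "missing"


def missing_temp_vars(system_env):
    """List which of TMP and TEMP are absent from the system environment."""
    defined = {name.upper() for name in system_env}
    return [var for var in ("TMP", "TEMP") if var not in defined]


def preflight(report_dsns, report_paths, system_dsns, user_dsns, system_env,
              local_drives=("C:",)):
    """Return a list of (check, subject, problem) findings; empty means clean."""
    findings = []
    for dsn in report_dsns:
        state = classify_dsn(dsn, system_dsns, user_dsns)
        if state != "system":
            findings.append(("dsn", dsn, state))
    for path in report_paths:
        kind = classify_path(path, local_drives)
        if kind in ("possibly-mapped", "relative"):
            findings.append(("path", path, kind))
    for var in missing_temp_vars(system_env):
        findings.append(("env", var, "not a system variable"))
    return findings


def read_windows_state():
    """Read System DSN, User DSN and system variable names from the registry.

    The User DSN list is that of the account running this script.
    """
    import winreg  # Windows only

    def value_names(root, subkey):
        try:
            with winreg.OpenKey(root, subkey) as key:
                count = winreg.QueryInfoKey(key)[1]
                return [winreg.EnumValue(key, i)[0] for i in range(count)]
        except FileNotFoundError:
            return []

    return (value_names(winreg.HKEY_LOCAL_MACHINE, ODBC_SOURCES),
            value_names(winreg.HKEY_CURRENT_USER, ODBC_SOURCES),
            value_names(winreg.HKEY_LOCAL_MACHINE, SYSTEM_ENV))


# Constructed sample: what the reports reference, and what one server has.
SAMPLE = dict(
    report_dsns=["SalesDW", "FinanceOps", "Archive"],
    report_paths=[r"\\fileserver\reports\sales.mdb", r"X:\data\legacy.mdb",
                  r"C:\data\local.mdb"],
    system_dsns=["SalesDW"],
    user_dsns=["financeops"],
    system_env=["Path", "TEMP"],
)


def run_sample():
    return preflight(**SAMPLE)


if __name__ == "__main__":
    state = dict(SAMPLE)
    if sys.platform == "win32":
        # Replace the constructed server state with the live registry contents.
        (state["system_dsns"], state["user_dsns"],
         state["system_env"]) = read_windows_state()
    for finding in preflight(**state):
        print(finding)
```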
account. Instead, the servers perform account impersonation. This provides access to some profile-specific resources (such as printers and email profiles), but not others (such as ODBC User Data Source Names and mapped drives).
This error indicates that the Page Server is not started and enabled. Use the CCM to start the Page Server and then enable it. (If the Page Server was already started and enabled, use the CCM to restart it.)
InfoView considerations
Supporting users in multiple time zones
Avoid granting Schedule access to the default Guest account if you deploy InfoView for users in different time zones. Instead, ensure that each user who is allowed to schedule reports has a dedicated account on the system, and that each user's InfoView preferences include the appropriate time-zone setting. To view or modify the time-zone setting for any user account, use the Preferences Manager, which is available as a Client Sample on the Crystal Enterprise User Launchpad. Dedicated accounts are recommended because the default Guest account does not allow users to modify account preferences that would affect other users. For more information about using specific time-zone properties in your custom web applications, see the BusinessObjects Enterprise SDK documentation.
InfoView, reports are processed on the Job Server and sent to the File Repository Server. The Default destination setting in InfoView is equivalent to the Default destination setting in the CMC.
Chapter 22 Licensing Information
Licensing overview
BusinessObjects Enterprise is a scalable product that provides you with the ability to add license keys as the demand for report information increases in your organization. You can purchase concurrent, named, and processor licenses. RAS Report Modification licenses are also available.
Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, a 100 user concurrent license could support 250, 500, or 700 users depending on the frequency with which the system is accessed and the number and size of the reports.
Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You may want to purchase named user licenses for people in your organization who require access to BusinessObjects Enterprise at all times. For example, you could purchase a named user license for each of the 25 managers and a concurrent license for 175 general users.
Processor licenses are based on the number of processors that are running BusinessObjects Enterprise. To determine the number of processor licenses you require, count the number of processors on any servers running any component of BusinessObjects Enterprise.
BusinessObjects Enterprise Embedded or RAS Report Modification licenses enable the Report Application Server's Software Development Kit (SDK) for report-creation, thereby providing you with tools for building your own web-based reporting and query tools. In addition, these licenses add standard report-creation and report-modification wizards to InfoView, so users can create and modify reports over the Web in an ad hoc fashion.
Note: If you are upgrading from a trial version of the product, be sure to delete the Evaluation key prior to adding any new license keys or product activation keycodes. For more information about licenses, sessions, and session handling see BusinessObjects Enterprise Security Concepts on page 227.
2. Select a license key. The details associated with the key appear in the Licensing Information area.
To purchase additional license keys:
- Contact your Business Objects sales representative.
- Contact your regional office. For details, go to: http://www.businessobjects.com/company/contact_us/
Feature Crystal Repository refresh Insert subreport Unicode support Setting locale of the Report Engine New viewer architecture Smart Tags Exporting page ranges New Excel export options OLAP integration Export drill down views Embed URL link to report in email Set database location Custom printer settings Java SDK .NET SDK RAS support for processing extensions Distributed servers Ability to define users/ personalization Concurrent users Third-party authentication support Events Object distribution (Destinations) BusinessObjects Enterprise Mobile Desktop Server group re-direction
Express X X X X X X X X X X X X
Professional X X X X X X X X X X X X X X X X X X X
X X X
X X
X X
appendix
Product offering
Here is a list of the applications in each version's offering. Although the applications in each row belong to the same area of functionality, those in the BusinessObjects 6.x column and those in the BusinessObjects XI column are not necessarily equivalent:
In BusinessObjects 6.x:
- Several applications allow you to add objects to the repository.
- Administration Console
- Auditor
- InfoView
- BusinessObjects
- BusinessQuery
- WebIntelligence
- WebIntelligence for OLAP Data Sources
- Broadcast Agent
- Developer Suite
In BusinessObjects XI:
- Publishing Wizard. Several other applications allow you to add objects to the repository as well.
- Web Intelligence
- Crystal Reports
- OLAP Intelligence
- OLAP Intelligence Designer
- Central Management Console (CMC)
- Developer Suite
- Performance Management (formerly Application Foundation)
- Data Integrator
- Import Wizard
The Application Foundation suite and Data Integrator are available to complement the BusinessObjects 6.x suite, but are not part of it.
Architecture
The overall architecture of the two systems is organized in a similar manner.
BusinessObjects 6.x
BusinessObjects 6.x is organized into five logical layers:
- The client tier contains products or features that run on the end-user's computer (either as a standalone application or in the web browser).
- The presentation layer contains the web and application servers, as well as the Business Objects components hosted on them (server SDKs, portal pages, servlets, Dispatcher, and HSAL).
- The application services layer provides the essential framework and services to the processing layer, such as WISessionManager, WILoginServer, and WIStorageManager.
- The processing layer contains report engines, as well as the additional components that implement business logic (portal workflows, repository access, scheduling, etc.).
- The database tier is made up of the databases containing the data used in documents and reports.
BusinessObjects XI
BusinessObjects XI is organized into five tiers:
- The client tier contains client applications.
- The application tier includes the web and application servers, as well as the Business Objects components hosted on them.
- The intelligence tier manages the BusinessObjects XI system, maintaining security information, routing requests to the appropriate processing layer services, managing audit information, and storing report instances for rapid report viewing. There are no strict equivalents for these servers in the BusinessObjects 6.x system.
- The processing tier accesses the data and generates reports. This layer contains fewer servers, or processes, than the BusinessObjects 6.x processing layer. Transactional workflows are therefore simplified, with each server processing requests for a specific type of object. In a BusinessObjects 6.x context, this corresponds to a dedicated role such as WIReportServer, which processes WebIntelligence 6.x reports only, rather than a provider of shared services such as WIQT, which plays a shared role in several types of processing workflows.
- The data tier is made up of the databases containing the data used in reports.
Basic terminology
Here are some of the main differences in terminology between the two releases:
In BusinessObjects 6.x: Repository
The BusinessObjects 6.x suite uses a repository, a database that is stored in a relational database management system. The repository is used to secure access to your data warehouse and to provide an infrastructure for distributing information to be shared by users. The repository database actually contains the data associated with the security, universe and document domains. Making sure the repository database has enough space is therefore critical.
In BusinessObjects XI:
The repository exists here as well, as one of the databases maintained by the Central Management Server (CMS). The CMS is the central service/daemon in the BusinessObjects Enterprise XI system (see its entry further along in this table). Although the repository database stores specific information about the objects published to it, including users, servers, security, groups, folders, categories and parameters, it does not actually store physical copies of the objects; it also contains pointers to the physical objects, such as Web Intelligence WID files, Crystal Reports RPT files, universe UNV files and third-party documents, stored in storage associated with the File Repository Servers.
In BusinessObjects 6.x: Repository domains
The repository must have a security domain. It can also contain universe and document domains.
In BusinessObjects XI:
When universe and document domains are imported from a BusinessObjects 6.x deployment, they are made into folders in the CMS database. Although the security domain itself is not imported, you can import its contents (user rights, etc.). See Migration on page 542.
In BusinessObjects 6.x: Business Objects servers
At a minimum, the Business Objects server back end must be installed on the cluster's primary node and all secondary nodes. This installs all the processing layer modules on the server machines.
In BusinessObjects XI: Central Management Servers (CMS)
The CMS is a single service which provides framework services, security management, administers scheduling tasks, and also is responsible for maintaining the database (CMS database) containing system information, such as users/groups, security levels, and services. In addition it maintains the repository and audit databases. The CMS serves as the central nervous system of the BusinessObjects Enterprise intelligence layer. Disabling the CMS is roughly equivalent to disabling the Session Stack (starting with version 6.1, the set of core processing modules enabled or disabled as a group).
In BusinessObjects 6.x: Modules
Processes used in Business Objects transactions which can be configured through the Administration Console are called modules. A few examples of modules are:
- Broadcast Agent Manager (which manages Schedulers)
- WIStorageManager
- WIReportServer
In BusinessObjects XI: Servers
Processes in the BusinessObjects Enterprise XI system are called servers. They run as services under Windows, and as daemons under UNIX. The CMC's ability to enable/disable and even group servers, for example, concerns processes, not actual Business Objects servers, or server machines. A few examples of servers are:
- Job Server
- the File Repository Servers
- Web Intelligence Report Server
In BusinessObjects 6.x: Clusters
A cluster is one or more Business Objects servers which provide the functional processing for a given BI portal. Each server hosts the entire set of Business Objects modules; the Session Stack must be activated in order for the server to contribute to cluster processing. When a cluster contains more than one server machine, it is called a distributed deployment. Clusters can contain the following elements:
- The primary node serves as the central coordinator amongst all the nodes in the cluster. There is one and only one primary node in a cluster; if the cluster contains only one node, it is a primary node.
- Optional secondary nodes run the ORB components required to communicate with the primary node and start Business Objects processes on the secondary node(s), as well as optional services.
Both primary and secondary nodes are considered cluster nodes.
In BusinessObjects XI: CMS clusters
A Central Management Server cluster (CMS cluster) consists of two or more CMSs working together to maintain the system databases and repository. The CMSs can be on the same machine or on different ones. This means that at a minimum only the CMS component must be installed and activated on the machine. Other processes (servers) can be installed and run on other machines. A CMS cluster is called an expanded deployment. The distinction between primary and secondary nodes does not apply. When you add a new CMS to a deployment containing a previously-installed CMS, you instruct the new CMS to connect to the existing CMS database and to share the processing workload with any existing CMS machines. By default, the new cluster is given the name of the first installed CMS, prefaced by @.
In BusinessObjects 6.x: WebIntelligence
In BusinessObjects XI: Web Intelligence
In BusinessObjects 6.x: Application servers
In BusinessObjects XI: Web application servers
In BusinessObjects 6.x: Broadcast Agent
In BusinessObjects XI: Scheduling functions are handled by the CMS, which instructs the Job Server to process the job on a schedule managed by the CMS.
In BusinessObjects 6.x: WIReportServer
In BusinessObjects XI: Web Intelligence Report Server
In BusinessObjects 6.x: Corporate documents page
In BusinessObjects XI: Public folder
In BusinessObjects 6.x: File Watcher allows the processing of a scheduled task only when a specified file is present in a specified location.
In BusinessObjects XI: The Event Server manages file-based events. Schedule-based and custom events, on the other hand, are managed by the CMS.
Migration
To import repository objects such as domains, universes, universe restriction sets, users and groups, categories, documents, and reports from BusinessObjects 6.x, you use the Import Wizard. This Wizard and how to use it is described in the BusinessObjects Enterprise XI Installation Guide. Here is a summary of what the Import Wizard does and doesn't import: The Import Wizard imports: The Import Wizard doesn't import:
BusinessObjects documents
To migrate .rep documents to .wid format, you can use the Report Migration Utility, delivered with the BusinessObjects 6.5 suite. Instructions are in the Report Migration Utility guide. WebIntelligence OLAP
Custom applications and interfaces created using the SDK Broadcast Agent Scheduler or Publisher tasks BusinessObjects Auditor Timestamps
Identification Strategy Logon Enable Real Time User Rights Update Enable Password Modification flag
This maps to the User cannot change password property, which when True, means what it says. This property must be reset manually by the administrator at the global level.
Specific migration information
Expressed as limit rights set on the universe folder; object levels in BusinessObjects 6.x map to appropriately-named user groups.
User profiles: Most BusinessObjects 6.x user profiles map to default groups in the new system. For example, General Supervisors become members of the Administrators groups. Supervisors, on the other hand, are not mapped to the Administrators group, but instead simply granted the appropriate rights on all imported objects. Users with the User/Versatile profile are added to an Object Level Security group based on their Object Security levels. The Company group maps to the Everyone group. The Import Wizard maps static LDAP groups. Dynamic groups are mapped with Enterprise authentication. After migration, Administrators need to create dynamic groups.
Inbox documents: Inbox documents are imported to the Inbox folder. If Inbox already includes duplicate documents, they are also migrated to the File Repository Servers, which manage all document instances that have been scheduled or published to the repository.
Personal documents: Personal documents are imported to the user's Favorites folder, where only the BusinessObjects administrator and their owners have access to them. Any personal or corporate categories that referred to these documents in BusinessObjects 6.x continue to refer to them in BusinessObjects Enterprise XI.
Categories: Both personal and corporate categories are imported. When you import corporate categories, you can select individual categories and subcategories to import into BusinessObjects Enterprise XI.
Domains: Document and universe domains become folders with the same name. User and group access to these folders is equivalent to the rights they had on the BusinessObjects 6.x domains. Documents and universes cannot be imported unless their domain is imported as well.
Object: Specific migration information

Universes: Users can choose between importing all universes and connections, or only those associated with the WebIntelligence reports being imported. WebIntelligence documents that used a BusinessObjects 6.x universe use the same universe in BusinessObjects Enterprise XI. BusinessObjects 6.x universe IDs are updated to BusinessObjects Enterprise XI IDs and CUIDs:
- For universes: Universe ID, connection ID, and core universe ID
- For Web Intelligence reports: universe ID

Scope management: Scope management is a Supervisor option which allows you to control the extent of the access that all supervisors are granted to users and user groups. General supervisors can limit other supervisors' access by setting their scope management setting to Standard, Secured or Extended mode, each of which defines a different level of access to user/group information and management.

Although this feature is mapped to the Delegated Administration feature in BusinessObjects Enterprise XI, the two features are not strictly equivalent; in particular, Delegated Administration does not support modes. Import attempts to set rights in the destination deployment that are at least as restrictive as the effective rights in the source deployment. This is true for all restrictions that limit modification and administration of objects. A delegated administrator may nonetheless be able to view imported objects (such as connections) that were previously hidden in the source deployment.

It is recommended to verify effective rights on imported objects for delegated administrators after import and to set appropriate rights for access to objects that only exist in BusinessObjects Enterprise XI and not in BusinessObjects 6.x (e.g. calendars, events, etc.). By default, imported delegated administrators will inherit the rights specified for the Everyone group for access to such objects.
The following identifies the migration path for integrated rights:

Right Type in BusinessObjects 6.x: Migrated to BusinessObjects Enterprise XI as...
Product Access (PA) right: Right to view application object
Security Command right: Right to application object, domain folder, or content object
Domain Access right: Right to view domain folder
Document/Universe Access right: Right to view content object
Granted Denied (The Designer and Supervisor PA right is set to Denied on the root folder at install time.) Enabled Denied
If hidden anywhere, then hidden If disabled anywhere, then disabled Otherwise, enabled
Granted
Denied
If unspecified or denied anywhere, then denied If unspecified or denied anywhere, then denied
Denied
Denied
Server Custom
Client Server
The Server option provides three installation options: New, Expand, and Custom.
Distributed deployments To distribute processing, you add additional cluster nodes to a cluster. To add a cluster node, you must install Business Objects server on the node machine. This installs the entire set of processes required for system processing on each machine. At a minimum, the Session Stack must be activated on each cluster node to share the transaction load.
You can distribute a single deployment's transactional capabilities on the same machine by creating multiple instances of a server, or you can install on additional machines to distribute the load. This capability offers you the ability to scale your system vertically (more services on the same machine) or horizontally (more machines). The CMS does not need to run on each machine.
In BusinessObjects 6.x Installation and the repository Repository creation is completely independent of the installation of Business Objects software.
In BusinessObjects XI Setting up the CMS database, which includes the repository, is an integral part of BusinessObjects Enterprise installation. In a New server installation, if you install a Central Management Server in a Windows environment, and you do not choose to connect the CMS to an existing database, the installation procedure automatically installs and configures Microsoft Data Engine (MSDE) as the CMS database. In similar circumstances in UNIX environments, MySQL is installed. After installation, you can select or create a new CMS database at any time using the Central Configuration Manager (CCM).

Silent installation

You must install a Web Component Adapter (WCA) on any machine hosting an application server. The WCA allows your application server to run BusinessObjects Enterprise applications making Crystal Web Requests, and to host the Central Management Console. Not all applications require the WCA. For example, InfoView doesn't need it unless users will be viewing OLAP Intelligence documents.

Installing BusinessObjects Enterprise XI on the same machine as the application server is called a server-side installation. When you perform this installation, the client and server components are installed, the default user and group accounts are created, and the sample reports are published to the system. When the installation is complete, the servers are started as services on the local machine.
Command-line installation Application servers Application servers communicate with the Business Objects cluster through the ORB. If the application server is hosted on a machine which is neither a primary nor secondary node, you must configure the ORB on it in order to allow it to communicate with the cluster. You configure the ORB on the application server machine either by installing the Configuration Tool on that machine, then using it to configure the server as a client node of the cluster, or by configuring the ORB manually.
For information on deploying web applications on application servers, see Deploying web applications on page 550 in this table.
In BusinessObjects 6.x Web servers To configure the web server to work with a cluster, you must install a third-party connector to the cluster's application server.
In BusinessObjects XI If you connect BusinessObjects Enterprise to a web server, the web server must be able to communicate with the machine that runs your Web Component Adapter (WCA).
For information on deploying web applications on web servers, see Deploying web applications on page 550 in this table.

License key management
Before installation, you copy your license key to a directory to which all nodes or application client machines have access. During installation, you specify where these XML files are located.

OLAP
You install Web Intelligence for OLAP Data Sources using the standard installation process.

Configuring clusters and the ORB
You create clusters and configure their ORB on their nodes using the Configuration Tool. You configure the cluster's primary node and then its secondary nodes.

License keys are stored in the CMS database. You can view your deployment's current license keys, as well as add or delete them, using the CMC.
When you install the first Central Management Server (typically a New install), you can define it as a cluster. This creates a cluster of one and sets the cluster up for subsequent Expand installs, which add additional CMSs to the cluster. The subsequent machines on which you install the CMS become part of a CMS cluster named <@Name of First CMS>. At the installation of each additional CMS, you specify the name of the first CMS you installed. This makes it part of the cluster.
In BusinessObjects 6.x
In BusinessObjects XI
Available web applications

In BusinessObjects 6.x:
- Administration Console
- InfoView
- Auditor
- Supervisor over the Web
- Custom web applications developed using the SDK
Although not part of the BusinessObjects 6.x suite, Application Foundation applications can also be deployed.

In BusinessObjects XI:
- Central Management Console
- InfoView
- Performance Manager applications (formerly Application Foundation), J2EE only
- Custom web applications developed using the SDK
Deploying web applications
You can deploy web applications in three ways:
- If you're using IIS or Tomcat/Apache, the Configuration Tool can deploy the applications automatically on web and application servers.
- You can use the wdeploy tool, a command-line utility that you can run on all other supported application and/or web servers.
- You can manually deploy the application on all other supported web and/or application servers.

Repository creation
You create the repository after installation and configuration, using the Supervisor application. After repository creation, you must copy the bomain.key file corresponding to the repository on each node in the cluster.
If you choose a New installation and are using IIS or Apache/Tomcat, the Business Objects web applications are deployed automatically on the web and/or application server, unless you are deploying to an existing Java application server. Otherwise, you must deploy web applications manually.
If you do not have a supported database client on the machine, installation can install and configure MSDE (Windows) or MySQL (UNIX) for use as the CMS database. To use your own database server, you must create a new, empty database on your database server prior to running the installation. This database will be configured during the install. Whenever you add a new CMS to a cluster in an Expand installation, you define the connection to the initial CMS's database. This allows the server to connect to it.
In BusinessObjects 6.x Multiple service instances In BusinessObjects 6.x, certain modules such as WIQT, BusinessObjects.exe (Windows)/bolight (UNIX), Connection Server, and WIReportServer, are designed to be multi-instance on cluster nodes. You use the Administration Console to set the number of instances in each process pool. BusinessObjects 6.5 also supports multiple Business Objects servers on the same UNIX box. Unicode databases
In BusinessObjects XI Multiple instances of the same service can run on the same machine (providing vertical scaling), or on separate machines (for horizontal scaling), in any mixture of supported operating systems. The single exception is the Central Management Server, which must run on the same operating system within a single cluster.
In BusinessObjects 6.x: The use of Unicode databases, which can store information in different languages and centralize all the information in a company, is supported as a data source for Web Intelligence reports. Unicode databases are not supported for repositories or BusinessObjects documents.

In BusinessObjects XI: All CMS databases must support the Unicode protocol.
Security
BusinessObjects 6.x applications use a very different security model than that provided with BusinessObjects Enterprise XI, and as such, administrators of BusinessObjects 6.x systems are encouraged to read with attention the documentation shipped with BusinessObjects Enterprise XI.

Through BusinessObjects 6.5.1, authentication is defined for an entire cluster and/or all desktop users. Implementing an authentication method is broken down into selecting an authentication mode, then its source, which can be Repository, External then Repository, or External. You can choose between Microsoft AD or an LDAP user management system for external authentication sources.

In BusinessObjects XI, security is much more granular. You implement an authentication method for each user, when you create the user's account. When users log into the system, they specify their username and password, but may enter their authentication method as well.
In BusinessObjects 6.x
In BusinessObjects XI
bomain.key

In BusinessObjects 6.x: The bomain.key tells Business Objects applications where to find the repository's security domain.

In BusinessObjects XI: There is no bomain.key file. At login, the Central Management Server (CMS) verifies the user name and password against the security information stored in the CMS database. Each CMS is configured either at installation or subsequently using the Central Management Console (CMC) to connect to a specific database.

Setting the authentication and authorization methods

In BusinessObjects 6.x: Up through version 6.5.1, you set authentication/authorization for the entire cluster using the Security Configuration Tool.
You select the authentication method for each user at the creation of the user's account, using the CMC. You can even assign multiple aliases, or authentication modes, to a single user, or create new aliases then assign them to existing users in the system. If you import external users via LDAP, Windows NT or Active Directory, users are automatically created. So if you are not using complex scenarios in which users can log on with both NT and LDAP authentications, you don't need to create the settings for each user individually.
Configuring authentication and authorization You set authentication/authorization for the entire cluster using the Security Configuration Tool.
In BusinessObjects 6.x
In BusinessObjects XI
Available authentication modes

In BusinessObjects 6.x:
- Business Objects standard
- Windows-NTLM (similar to BusinessObjects XI Windows NT authentication)
- Single Sign-On
- Basic authentication (user authentication is delegated to the web server)

In BusinessObjects XI:
- Enterprise authentication (automatically enabled when you install the system, and similar to Business Objects standard in version 6.x)
- Windows NT authentication
- LDAP authentication
- Windows AD authentication
Other authentication modes are available through add-in products, such as SAP authentication. Single Sign-On is not a mode in itself, but is available for certain authentication modes. See below.

Single Sign-On to BusinessObjects Enterprise can be provided through the use of third-party systems such as Windows AD or Netegrity SiteMinder. End-to-end single sign-on includes SSO to the database at the back end. Note: If you use SiteMinder, you must use LDAP for external user management.

Authorization

In BusinessObjects 6.x: You can use security commands in Supervisor to restrict user and group access to functionalities in Business Objects products. You cannot restrict access at the object level. For example, if you grant a group the right to refresh, but not create documents, the restriction will apply regardless of the documents being used.

In BusinessObjects XI: Because of the use of Access Control Lists (ACL), an industry standard method of controlling cascading security access, the imposition of restrictions is much more granular. You can apply user, group, and role level security at the object level, to documents, categories, folders, universes, and connections. This means, for example, that you could allow a group to refresh document A, but not refresh document B.
Administration
The administrative model applied to BusinessObjects Enterprise XI is very different from the BusinessObjects 6.x model.
The Central Management Console (CMC) The CMC allows you to perform user management tasks such as setting up authentication and adding users and groups. It also allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Additionally, the CMC enables you to manage servers and create server groups, whenever the Central Management Server (CMS) is running.
The Central Configuration Manager The CCM is a server-management tool that allows you to view and configure each of your BusinessObjects Enterprise server components while Business Objects servers are offline. This tool allows you to start, stop, enable, and disable Business Objects servers, as well as view and configure advanced server settings. On Windows, these settings include default port numbers, CMS database and clustering details, SOCKS server connections, and more. In addition, on Windows the CCM allows you to add servers to, or remove servers from your BusinessObjects Enterprise system. The CCM comes in two forms. In a Windows environment, the CCM allows you to manage local and remote servers through its Graphical User Interface (GUI) or from a command line. In a UNIX environment, the CCM shell script (ccm.sh) allows you to manage servers from a command line. At first, the CCM takes into account only the servers running locally. You can then connect to servers on a remote machine.
This section covers administrative tasks concerning the repository, users and groups, universes, server and cluster management, and auditing.
In BusinessObjects 6.x Repository creation and management You create your cluster's repository after Business Objects installation and configuration, using the Supervisor application.
In BusinessObjects XI
If you do not have a supported database client on the machine, installation can install and configure MSDE (Windows) or MySQL (UNIX) for use as the CMS database. To use your own database server, you must create a new, empty database on your database server prior to running the installation. This database will be configured during the install. Whenever you add a new CMS to a cluster in an Expand installation, you define the connection to the initial CMS's database. This allows the server to connect to it.
User/group creation and management

In BusinessObjects 6.x: You use Supervisor or Supervisor over the Web. An initial General Supervisor account is created when you create the repository. A company name group is automatically created at repository creation.

In BusinessObjects XI: You use the CMC. By default, an initial Administrator and Guest account is created at installation. Two default groups are automatically created at installation:
- Administrators
- Everyone
If you're using Windows NT/2000, an additional group called Business Objects NT Users is also created.

You can use Designer in online mode only. This means that unless you are logged into the repository, you cannot work on a universe.
In BusinessObjects 6.x Cluster start/stop Under Windows, you can use WINotify or the Start menu; during installation, you can also set the
In BusinessObjects XI You use the CCM to stop a Central Management Server (CMS), regardless of the operating system. At installation, you can also configure the server to start automatically at machine startup. Note: You cannot use the Central Management Console (CMC) to stop a CMS.
Under UNIX, you start the cluster manually using the wstart command, or use S99WebIntelligence to start it automatically on machine startup.
Cluster server enable/disable

In BusinessObjects 6.x: You use the Administration Console.

In BusinessObjects XI: In Windows, you use the Central Configuration Manager (CCM) to disable a Central Management Server (CMS). In UNIX, you use the cms.sh script. Caution: You can use the CMC to disable/enable and even group servers, but this refers to what BusinessObjects 6.x users refer to as modules, not the actual cluster nodes.

Server settings management

In BusinessObjects 6.x: You use the Administration Console.

In BusinessObjects XI: You use the Central Management Console or the Central Configuration Manager, depending on the type of setting you want to define, and whether you are online or offline.

Audit management

In BusinessObjects 6.x: You use the Audit facility in the Administration Console. You can also use the Auditor application for enhanced system monitoring and analysis.

In BusinessObjects XI: You use the CMC. You can also use the CMC to view server metrics, including information about the machine that the server is running on: its name, operating system, total hard disk space, free hard disk space, total RAM, number of CPUs, and local time. The CMC allows you to configure what information you want each server/service to audit. Auditor is not part of this release.
Setting up Broadcast Agent schedulers You create and manage schedulers using the Broadcast Agent Manager's Properties page in the Administration Console.
Because the scheduler is incorporated into the CMS, it comes automatically installed with BusinessObjects Enterprise XI and requires little or no additional configuration beyond setting up access to email servers, printers and file servers.
In BusinessObjects 6.x
In BusinessObjects XI
Viewing scheduled tasks

In BusinessObjects 6.x: You can view the full list of scheduled documents and their status using the Broadcast Agent Console.

In BusinessObjects XI: You cannot view a global list of scheduled jobs. You can view the status of one scheduled object at a time in the CMC in the object's History page. This list includes all scheduled jobs for the object, as well as existing instances of the object (i.e. reports that have already been run and contain data). In InfoView, you can also view a list of an object's instances by looking at the object's history. A sample application built using the Administration SDK and available from the BusinessObjects Enterprise Users Launchpad also allows you to see all the jobs scheduled by any specific user.

InfoView appearance and functionality management

You can use Supervisor security commands to prevent users from modifying the default settings in the InfoView Options page.

Setting locale

You set the cluster's language at installation; you can subsequently use the Site Properties tab in the Administration Console to modify it. Users can set the language of their interface in InfoView.
You can modify the appearance and some functionality using the BusinessObjects Enterprise Applications management area in the CMC.
You don't specifically set the CMS locale. Users set the locale for their own interface in InfoView; if they don't, InfoView uses the locale specified on the web server.
WebIntelligence
Crystal Reports can also connect directly to databases using a variety of methods including ODBC and native drivers, as well as XML and text files. It can also use Business Views (the semantic layer from Crystal Enterprise) as a data source. The out-of-the-box portal in BusinessObjects Enterprise XI is also called InfoView. Available for both Java and .NET platforms, its interface is somewhat different from the BusinessObjects 6.x application.
InfoView InfoView is a web application that must be deployed after Business Objects installation using the Configuration Tool, wdeploy, or manual procedures. It is available in JSP and ASP platforms.
In BusinessObjects 6.x Categories Within InfoView, you can use categories to organize documents on a particular document list page.
In BusinessObjects XI BusinessObjects Enterprise XI uses both categories and folders to organize documents. Folders are used for the storage location of information, while categories are used more for classifying information regardless of its storage location.

BusinessObjects Enterprise XI automatically creates a folder for each user in the system, called Personal Folders. These folders are organized within the CMC as User folders. Within InfoView, these folders are called Favorites folders. Folders are created and managed from the CMC.

Categories are equivalent to BusinessObjects 6.x categories. Folders contain actual copies of objects, while categories simply point to objects. There are two types of categories: Corporate and Personal.
In BusinessObjects 6.x: Corporate categories can be created from InfoView, BusinessObjects, or Supervisor. As a general supervisor or supervisor, you can grant specific users or groups the right to create categories, and to rename and delete the categories they create, from BusinessObjects or WebIntelligence. You do this by enabling the security command Manage All Categories or Manage My Categories. You can use security commands to restrict access to corporate categories.

In BusinessObjects XI: Corporate categories can be created either in InfoView (with reduced management capabilities) or from the CMC (full management capabilities). In the CMC you can restrict users' and/or groups' access to categories and folders. You can set limits on folders, which automate regular clean-ups of old Business Objects content by eliminating excess instances of particular objects, or object instances which have remained more than the specified number of days in the folder.
In BusinessObjects 6.x Scheduling You schedule for refresh documents and files either from 2-tier deployments of BusinessObjects, or from InfoView.
In BusinessObjects XI You schedule for refresh objects from the CMC or from InfoView.
In BusinessObjects 6.x
In BusinessObjects XI
You can schedule:
- BusinessObjects documents
- WebIntelligence reports
- WebIntelligence OLAP reports
You can also schedule program objects, such as executables, Java programs, or scripts (Jscripts and VBscripts) to run at specified times. You can publish objects to BusinessObjects Enterprise in several ways. Use the Publishing Wizard when you: Have access to the locally installed application.
Publishing to the repository You add objects to the repository by: Exporting universes from Designer or Supervisor Adding users and groups and managing security settings from Supervisor and/or Supervisor over the Web Saving documents to the repository from InfoView Publishing documents from 2- and 3-tier deployments of BusinessObjects
Are adding multiple objects or an entire directory. The Publishing Wizard is a locally installed Windows application that enables both administrators and end users to add any supported document to BusinessObjects Enterprise.
Use the Central Management Console (CMC) when you are: Publishing a single object.
Save directly to your Enterprise folders when you are:
- Designing reports with Crystal Reports or Web Intelligence.
- Using the OLAP Intelligence Application Designer.
- Creating other objects with BusinessObjects Enterprise plug-in components.

Upload documents stored on your local computer when you're using InfoView.

Use Designer to export universes to the repository.

Use the Import Wizard to migrate objects to a BusinessObjects Enterprise XI repository from BusinessObjects 6.x or Crystal Enterprise 10.
SDK
In BusinessObjects 6.x Development platforms Java In BusinessObjects XI
WebServices
appendix
Rights
This table lists the rights available within the Advanced Rights page of the Central Management Console (CMC). Other BusinessObjects Enterprise plug-in components may in future add their own, object-specific rights to this list. The table matches the descriptions used in the CMC with the programmatic name that developers use when assigning rights with the BusinessObjects Enterprise SDK.

Description used in the CMC: Name used in the SDK
Respect current security by inheriting rights from parent groups: AdvancedInheritGroups
Respect current security by inheriting rights from parent folders: AdvancedInheritFolders
Add objects to the folder: ceRightAdd
View objects: ceRightView
Edit objects: ceRightEdit
Modify the rights users have to objects: ceRightModifyRights
Schedule the document to run: ceRightSchedule
Delete objects: ceRightDelete
Define server groups to process jobs: ceRightPickMachines
Delete instances: ceRightDeleteInstance
Copy objects to another folder: ceRightCopy
Schedule to destinations: ceRightSetDestination
View document instances: ceRightViewInstance
Pause and Resume document instances: ceRightPauseResumeSchedule
Print the report's data: ceReportRightPrintReport
Refresh the report's data: ceReportRightRefreshOnDemandReport
Export the report's data: ceReportRightPageServerExport
View objects that the user owns: ceRightOwnerView
Edit objects that the user owns: ceRightOwnerEdit
Modify the rights users have to objects that the user owns: ceRightOwnerModifyRights
Description used in the CMC
Delete objects that the user owns
Delete instances that the user owns
View document instances that the user owns
Pause and resume document instances that the user owns: ceRightOwnerPauseResumeSchedule
Access levels
This section lists the rights that constitute each of the predefined access levels that are available through the Advanced Rights page of the Central Management Console (CMC). Note: There is no predefined access level to grant users the rights required to create or modify reports through the Report Application Server (RAS). For details, see Object rights for the Report Application Server on page 568.
No Access
This access level ensures that all rights remain unspecified. That is, rights are neither explicitly granted nor explicitly denied. When rights are unspecified, the system denies the right by default.
View
Description used in the CMC: Name used in the SDK
View objects: ceRightView
View document instances: ceRightViewInstance
Schedule
Description used in the CMC: Name used in the SDK
View objects: ceRightView
Schedule the document to run: ceRightSchedule
Define server groups to process jobs: ceRightPickMachines
Copy objects to another folder: ceRightCopy
Schedule to destinations: ceRightSetDestination
View document instances: ceRightViewInstance
Print the report's data: ceReportRightPrintReport
Export the report's data: ceReportRightPageServerExport
Edit objects that the user owns: ceRightOwnerEdit
Pause and resume document instances that the user owns: ceRightOwnerPauseResumeSchedule
View On Demand
Description used in the CMC: Name used in the SDK
View objects: ceRightView
Schedule the document to run: ceRightSchedule
Define server groups to process jobs: ceRightPickMachines
Copy objects to another folder: ceRightCopy
Schedule to destinations: ceRightSetDestination
View document instances: ceRightViewInstance
Print the report's data: ceReportRightPrintReport
Refresh the report's data: ceReportRightRefreshOnDemandReport
Export the report's data: ceReportRightPageServerExport
Edit objects that the user owns: ceRightOwnerEdit
Delete instances that the user owns: ceRightOwnerDeleteInstance
Pause and resume document instances that the user owns: ceRightOwnerPauseResumeSchedule
Full Control
Description used in the CMC: Name used in the SDK
Add objects to the folder: ceRightAdd
View objects: ceRightView
Edit objects: ceRightEdit
Modify the rights users have to objects: ceRightModifyRights
Schedule the document to run: ceRightSchedule
Delete objects: ceRightDelete
Delete instances: ceRightDeleteInstance
Copy objects to another folder: ceRightCopy
Schedule to destinations: ceRightSetDestination
View document instances: ceRightViewInstance
Pause and Resume document instances: ceRightPauseResumeSchedule
Print the report's data: ceReportRightPrintReport
Refresh the report's data: ceReportRightRefreshOnDemandReport
Export the report's data: ceReportRightPageServerExport
The Everyone group is granted the Schedule access level. The Administrators group is granted the Full Control access level.
Object rights for the Report Application Server
View objects (or View document instances, as appropriate)
Edit objects
Refresh the report's data
Export the report's data
Users must also have permission to add objects to at least one folder before they can save new reports back to BusinessObjects Enterprise. To ensure that users retain the ability to perform additional reporting tasks (such as copying, scheduling, printing, and so on), it's recommended that you first assign the appropriate access level and update your changes. Then, change the access level to Advanced, and add any of the required rights that are not already granted. For instance, if users already have View On Demand rights to a report object, you allow them to modify the report by changing the access level to Advanced and explicitly granting the additional Edit objects right. When users view reports through the Advanced DHTML viewer and the RAS, the View access level is sufficient to display the report, but View On Demand is required to actually use the advanced search features. The extra Edit objects right is not required.
Tip: For more information about RAS Report Modification licenses, see Licensing overview on page 530.
C:\Winnt\system32
C:\Program Files\BusinessObjects Enterprise\Web Content\enterprise
C:\Program Files\BusinessObjects Enterprise\WCA\CRImages
C:\Program Files\BusinessObjects Enterprise\WCA
C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86
C:\Program Files\BusinessObjects Enterprise\WCA\Logging
Write
Note: This table shows the default installation paths. If your BusinessObjects Enterprise deployment includes OLAP Intelligence, the WCA user account also needs Read permission for the OLAP Intelligence FileStore\Input folder.
Ensure that the user account for the Input FRS has the appropriate NTFS permissions for the following folders:
NTFS permissions Files and folders
C:\Winnt\system32
C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Input
C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Input
For the Output FRS, make sure the user account has access to the following folders:
NTFS permissions Files and folders
C:\Winnt\system32
C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Output
C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Output
Note:
The Input and Output File Repository Servers cannot share the same directories.
If the Input folder or the Output folder does not exist, the respective FRS creates it when the service starts.
Cache Server
The Cache Server uses the local System account by default. If the Cache Server needs to access BusinessObjects Enterprise components on other machines, you must set its user account to a domain user account that has local administrative access to all computers hosting components. For details on changing the user account, see Changing the server user account on page 146. Ensure that the Cache Server's user account has the correct NTFS permissions for the following folders:
NTFS permissions Files and folders
Job Server
The Job Server uses the local System account by default. The Job Server must use a different user account if it needs to access BusinessObjects Enterprise components on other machines. If the CMS, the Input FRS, or the Output FRS is not located on the same machine as the Job Server, set the Job Server's user account to a domain user account that has local administrative access to all computers hosting these components. For details on changing the user account, see Changing the server user account on page 146. Ensure that the Job Server's user account has the correct NTFS permissions for the following folders:
NTFS permissions Files and folders
C:\Winnt\system32
Write
Page Server
The Page Server connects to the database to retrieve the information needed to build the report. For most BusinessObjects Enterprise deployments, the reporting database is located on a separate machine. If the Page Server is on a different machine from the database, you must change the Page Server's user account from the default local System account to a domain user account with local administrative access to the computer hosting the reporting database. For details on changing the user account, see Changing the server user account on page 146. Ensure that the Page Server's user account has the correct NTFS permissions for the following folders:
NTFS permissions Files and folders
C:\Winnt\system32
Write
Customizing the appearance of Web Intelligence documents
fonts and font sizes for tables, cells, chart axes, and so on
background colors (wallpaper)
lines and borders for cells and tables
color palettes
The new settings take effect only for reports created after the defaultconfig.xml file is modified and saved. Earlier reports are not affected by the new settings. In the defaultconfig.xml file, settings are grouped by key value. (See List of key values on page 580.) To modify a setting, open the defaultconfig.xml file in a text editor and modify the parameter you want. Back up the original file before you start. For an example of how to modify the defaultconfig.xml file, see Example: Modifying the default font in table cells on page 581. Note:
You cannot use defaultconfig.xml to customize the appearance of the HTML Report panel.
The defaultconfig.xml is also used by the REBean Editing SDK. For more information, see the developer documentation.
By modifying a few settings (table header and body cell fonts, alternative row settings, chart axes values, label fonts, and section cell borders), default Web Intelligence tables and charts can look like this:
3. Extract defaultconfig.xml from the desktop.war file. For the Java Report Panel, extract webiApplet\AppletConfig\defaultconfig.xml
Tip: On Windows, you can use a tool such as WinZip to extract and replace files in a .war file.
4. Make a backup of the defaultconfig.xml file.
5. Open defaultconfig.xml, and make your changes. See List of key values on page 580 for information on the values you can change, and Example: Modifying the default font in table cells on page 581 for an example.
6. Save and close defaultconfig.xml.
7. Reinsert defaultconfig.xml into desktop.war. Ensure that you insert the file into the correct directory within the .war file.
8. Restart your web application server and redeploy desktop.war. See the BusinessObjects Enterprise Installation Guide for details.
Interface element
Object name cells in a crosstable
Footer cells in a table
General settings for forms
Header cells in a table
Header cells in a form
General settings for tables
Custom fonts
4. To change the default font for specified languages, enter the font name after FACE=. For example, to change only Japanese to a font named SpecialFont, you would enter:
<FONT xml:lang="ja" FACE="SpecialFont" ...
5. To change the overall default font for all non-specified languages, enter the new font name after FONT FACE=.
Note: You must modify the default font values separately for each language you want to change.
6. Modify any other attributes you want, such as font size.
7. Save and close the defaultconfig.xml file.
On Windows, use the CCM to stop the server. Then open the server's Properties to modify the command line. Start the server again when you have finished.
On UNIX, run ccm.sh to stop the server. Then edit ccm.config to modify the server's command line. Start the server again when you have finished.
Note: On UNIX, each server's command line is actually passed as an argument to the crystalrestart.sh script. This script launches the server and monitors it in case an automatic restart is required. See the ccm.config file and bobjerestart.sh on page 606.
Option and valid arguments, each followed by its behavior:
-name string
Specify the friendly name of the server. The server registers this name with the Central Management Server (CMS), and the name is displayed in the CMC. The default friendly name is hostname.servertype.
Note:
Do not modify -name for a CMS.
If you modify -name for an Input or Output File Repository Server, you must include Input. or Output. as the prefix to the value you type for string (for example, -name Input.Server01 or -name Output.UK).
-ns cmsname[:port]
Specify the CMS that the server should register with. Add
-requestPort port
Specify the port that the server listens on. The server registers this port with the CMS. If unspecified, the server chooses any free port > 1024.
Note: This port is used for different purposes by different servers. Before changing, see Changing the default server port numbers on page 140.
-port
Bind WCA or CMS to the specified port, or to the specified network interface and port. Binds other servers to the specified network interface. Useful on multihomed machines or in certain NAT firewall environments.
Note:
Use -port port or -port interface:port for WCA and CMS. Use -port interface for other servers.
The port command is used for different purposes by different servers. Before changing, see Changing the default server port numbers on page 140.
If you change the default port value for the CMS, you must perform additional system configuration. For more information, see Changing the default server port numbers on page 140.
-restart
Server restarts if it exits with an unusual exit code.
-fg
UNIX only. Run the daemon in the foreground. When passing the server's command line to the crystalrestart.sh script, you must use this option (see ccm.config). If you run the server's command line directly, do not use this option, because the foreground process blocks the shell until the server exits.
SIGTERM results in a graceful server shutdown (exit code = 0). SIGSEGV, SIGBUS, SIGSYS, SIGFPE, and SIGILL result in a rapid
Option and valid arguments, each followed by its behavior:
-threads number
Use a thread pool of the specified size. The default is one thread per request.
-reinitializedb
Cause the CMS to delete the system database and recreate it with only the default system objects.
-quit
Force the CMS to quit after processing the -reinitializedb option.
-receiverPool number
Specify the number of threads the CMS creates to receive client requests. A client may be another Business Objects server, the Report Publishing Wizard, Crystal Reports, or a custom client application that you have created. The default value is 5. Normally you will not need to increase this value, unless you create a custom application with many clients.
-maxobjectsincache number
Specify the maximum number of objects that the CMS stores in its memory cache. Increasing the number of objects reduces the number of database calls required and greatly improves CMS performance. However, placing too many objects in memory may result in the CMS having too little memory remaining to process queries. The upper limit is 100000.
-ndbqthreads number
Specify the number of CMS worker threads sending requests to the database. Each thread has a connection to the database, so you must be careful not to exceed your database capacity. In most cases, the maximum value you should set is 10.
-AuditInterval minutes
Specify the interval at which the CMS requests audit information from audited servers. The default value is 5 minutes. (Maximum value is 15 minutes, and minimum value is 1 minute.)
-AuditBatchSize number
Specify the maximum number of audit records that the CMS requests from each audited server, per audit interval. The default value is 200 records. (Maximum value is 500, and minimum value is 50.)
-auditMaxEventsPerFile number
Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.
-AuditeeTimeSyncInterval minutes
Specify the interval between time synchronization events. The CMS broadcasts its system time to audited servers at the interval specified by AuditeeTimeSyncInterval. The audited servers compare their internal clocks to the CMS time, and then adjust the timestamps they give to all subsequent audit records so that the time of these records synchronizes with the CMS time. The default interval is 60 minutes. (Maximum value is 1 day, or 1440 minutes. Minimum value is 15 minutes. Setting the interval to 0 turns off time synchronization.)
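The following checker is an added example, not part of the original guide: it tests a CMS command line against the numeric limits stated in the option descriptions above and flags -reinitializedb, which deletes the system database. The executable name cms_server and the sample command line are constructed, and matching option names case-insensitively is a choice of this checker, not documented product behavior.

```python
"""Check a CMS command line against the limits given in the option table."""
import shlex

# Inclusive (minimum, maximum) from the option descriptions; None = no bound stated.
RANGES = {
    "-maxobjectsincache": (None, 100000),
    "-auditinterval": (1, 15),                # minutes
    "-auditbatchsize": (50, 500),             # records per server per interval
    "-auditeetimesyncinterval": (15, 1440),   # minutes; 0 is legal and disables sync
}
NDBQTHREADS_ADVISED_MAX = 10  # "in most cases, the maximum value you should set"

# Constructed sample; cms_server is a hypothetical executable name.
SAMPLE = ("cms_server -name MACHINE01.cms -AuditInterval 30 -AuditBatchSize 200 "
          "-AuditeeTimeSyncInterval 0 -ndbqthreads 12 -reinitializedb -quit")


def is_option(token):
    """True for -name style tokens; False for values, including negative numbers."""
    return len(token) > 1 and token[0] == "-" and token[1].isalpha()


def parse_options(command_line):
    """Return {option_in_lowercase: value_or_None} for a server command line."""
    tokens = shlex.split(command_line)
    options = {}
    i = 1  # tokens[0] is the server executable
    while i < len(tokens):
        token = tokens[i]
        if is_option(token):
            value = None
            if i + 1 < len(tokens) and not is_option(tokens[i + 1]):
                value = tokens[i + 1]
                i += 1
            options[token.lower()] = value
        i += 1
    return options


def to_int(text):
    """Return int(text), or None when the value is missing or not a number."""
    try:
        return int(text)
    except (TypeError, ValueError):
        return None


def check_cms_command_line(command_line):
    """Return a list of (severity, message) findings; an empty list means no issue."""
    findings = []
    options = parse_options(command_line)
    if "-reinitializedb" in options:
        findings.append(("CRITICAL", "-reinitializedb: the CMS deletes the system "
                         "database and recreates it with default objects only"))
    for name, (low, high) in RANGES.items():
        if name not in options:
            continue
        value = to_int(options[name])
        if value is None:
            findings.append(("ERROR", f"{name}: expected a number, got {options[name]!r}"))
        elif name == "-auditeetimesyncinterval" and value == 0:
            findings.append(("WARN", f"{name} 0: time synchronization is off, so audit "
                             "timestamps are not aligned with the CMS clock"))
        elif (low is not None and value < low) or (high is not None and value > high):
            findings.append(("ERROR", f"{name} {value}: outside the documented limits "
                             f"(minimum {low}, maximum {high})"))
    if "-ndbqthreads" in options:
        value = to_int(options["-ndbqthreads"])
        if value is None:
            findings.append(("ERROR", "-ndbqthreads: expected a number"))
        elif value > NDBQTHREADS_ADVISED_MAX:
            findings.append(("WARN", f"-ndbqthreads {value}: above the advised maximum "
                             f"of {NDBQTHREADS_ADVISED_MAX} database connections"))
    return findings


if __name__ == "__main__":
    for severity, message in check_cms_command_line(SAMPLE):
        print(f"{severity}: {message}")
```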
INSTALL_ROOT/bobje/enterprise11/platform/boe_pagesd
Option and valid arguments, each followed by its behavior:
-cache
Enable Cache Server functionality.
-dir
Specify the cache directory for a Cache Server and the temp directory for the Page Server. The directories created are absolutepath/cache and absolutepath/temp.
Delete the cache directory every time the server starts and stops.
absolutepath
Specify the temp directory for the Page Server. This option overrides -dir.
minutes
Share cached pages for the specified number of minutes.
-maxDBResultRecords number
Limit the number of database records that are returned from the database. The default limit is 20000 records. If a user views an on-demand report containing more than 20000 records, an error message indicates that the report contains too many database records. To increase the enforced limit, increase number accordingly; to disable the limit, replace number with 0 (zero).
-noautomaticdbdisconnect
Disable automatic database disconnection for the Page Server. By default the Page Server will automatically disconnect from the reporting database after retrieving data, to free up database licenses. This may affect performance if your site uses many reports with on-demand subreports, or group-by-on-server.
-report_ProcessExtPath
Specify the default directory for processing extensions. For details, see Applying processing extensions to reports on page 443.
-auditMaxEventsPerFile number
On the Cache Server, specifies the maximum number of audit actions recorded in the audit log file. The default value is 500. If this maximum number of records is exceeded, the server will open a new log file.
Job servers
This section provides the command-line options that are specific to the job servers, which include Job Servers, Program Job Servers, Destination Job Server, and List of Values Job Server. The default path to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86\JobServer.exe
The default paths to the server on UNIX are:
INSTALL_ROOT/bobje/enterprise11/platform/boe_reportjobsd
INSTALL_ROOT/bobje/enterprise11/platform/boe_programjobsd
Option, each followed by its behavior:
-dir
-lib
Specify the processing library to load: procReport or procProgram. Loading procReport starts the Job Server as a Report Job Server. Loading procProgram starts the Job Server as a Program Job Server. This option is used in conjunction with -objectType.
-objectType
The program ID of the processing library, which determines the class of object supported by the Job Server: CrystalEnterprise.Report or CrystalEnterprise.Program. Used with -lib to specify whether the Job Server becomes a Report Job Server or a Program Job Server.
-maxJobs number
Set the maximum number of concurrent jobs that the server will handle. The default is five.
-requestJSChildPorts lowerbound-upperbound
Specify the range of ports that child processes should use in a firewall environment. For example, 6800-6805 limits child processes to six ports.
-report_ProcessExtPath absolutepath
Specify the default directory for processing extensions. For details, see Applying processing extensions to reports on page 443.
-auditMaxEventsPerFile number
Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.
Option and valid arguments, each followed by its behavior:
-ipport
Specify the port number for receiving TCP/IP requests when running in stand-alone mode (outside of BusinessObjects Enterprise).
-report_ProcessExtPath absolutepath
Specify the default directory for processing extensions. For details, see Applying processing extensions to reports on page 443.
-ProcessAffinityMask mask
Use a mask to specify exactly which CPUs RAS will use when it runs on a multiprocessor machine. The mask is in the format 0xffffffff, where each f represents a processor, and the list of processors reads from right to left (that is, the last f represents the first processor). For each f, substitute either 0 (use of CPU not permitted) or 1 (use of CPU is permitted). For example, if you run the RAS on a 4 processor machine and want it to use the 3rd and 4th processor, use the mask 0x1100. To use the 2nd and 3rd processor, use 0x0110.
Note:
RAS uses the first permitted processors in the string, up to the maximum specified by your license. If you have a two processor license, 0x1110 has the same effect as 0x0110.
The default value of the mask is -1, which has the same meaning as 0x1111.
-auditMaxEventsPerFile number
Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.
Option and valid arguments, each followed by its behavior:
Specify the number of minutes before the server will timeout.
Specify the maximum number of simultaneous connections that the server allows at one time.
-DocExpressEnable
Enables caching of Web Intelligence documents when the document is being viewed.
-DocExpressRealTimeCachingEnable
Enables real time caching of Web Intelligence documents.
-DocExpressCacheDurationMinutes minutes
Specify the amount of time (in minutes) that content is stored in cache.
-DocExpressMaxCacheSizeKB kilobytes
Specify the size of the document cache.
-EnableListOfValuesCache
Enables the caching per user sessions of lists of values.
-ListOfValuesBatchSize number
Specify the maximum number of values that can be returned per list of values batch.
-UniverseMaxCacheSize number
Specify the number of universes to be cached.
-WIDMaxCacheSize number
Specify the maximum number of Web Intelligence documents that can be stored in cache.
The default paths to the program that provides both servers on UNIX are:
INSTALL_ROOT/bobje/enterprise11/platform/boe_inputfilesd
INSTALL_ROOT/bobje/enterprise11/platform/boe_outputfilesd
Note: If you modify -name for an Input or Output File Repository Server, you must include Input. or Output. as the prefix to the value you type (for example, -name Input.Server01 or -name Output.UK).
Option and valid arguments, each followed by its behavior:
-rootDir
Set the root directory for the various subfolders and files that are managed by the server. File paths used to refer to files in the File Repository Server are interpreted relative to this root directory.
Note: All Input File Repository Servers must share the same root directory, and all Output File Repository Servers must share the same root directory (otherwise there is a risk of having inconsistent instances). Additionally, the input root directory must not be the same as the output root directory. It is recommended that you replicate the root directories using a RAID array or an alternative hardware solution.
-tempDir absolutepath
Set the location of the temporary directory that the FRS uses to transfer files. Use this command line option if you want to control the location of the FRS temporary directory, or if the default temporary directory name generated by the FRS exceeds the file system path limit (which will prevent the FRS from starting).
-maxidle minutes
Specify the number of minutes after which an idle session is cleaned up.
Event Server
This section provides the command-line options that are specific to the Event Server. The default path to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86\EventServer.exe
Option and valid arguments, each followed by its behavior:
Specify the frequency (in seconds) with which the server checks for File events.
Specify the frequency (in minutes) with which the server cleans up listener proxies.
-auditMaxEventsPerFile number
Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.
UNIX Tools
Script utilities
This section describes the administrative scripts that assist you in working with BusinessObjects Enterprise on UNIX. The remainder of this guide discusses the concepts behind each of the tasks that you can perform with these scripts. This reference section provides the main command-line options and their arguments.
ccm.sh
The ccm.sh script is installed to the crystal directory of your installation. This script provides you with a command-line version of the CCM. This section lists the command-line options and provides some examples.
Note: Arguments in square brackets [ ] are optional.
By default, servers are named with a hostname.servertype convention. If the option requires the server name, use servertype as the server name. If the option requires the fully qualified server name, use hostname.servertype. If you are unsure of a server's fully qualified name, look in the ccm.config file, locate the server's launch string, and use the value that appears after the -name option.
Arguments denoted by other authentication information are provided in the second table.
CCM option and valid arguments, each followed by its description:
-help (n/a)
Display command-line help.
-start all or servername
Start each server as a process. Use the short form of the server name.
-stop all or servername
Stop each server by terminating its Process ID. Use the short form of the server name.
-restart all or servername
Stop each server by terminating its Process ID; then each server is started. Use the short form of the server name.
-enable all or hostname.servertype [other authentication information]
Enable a started server so that it registers with the system and starts listening on the appropriate port. Use the fully qualified form of the server name.
-disable all or hostname.servertype [other authentication information]
Disable a server so that it stops responding to BusinessObjects Enterprise requests but remains started as a process. Use the fully qualified form of the server name.
-display
Reports the server's current status (enabled or disabled). The CMS must be running before you can use this option.
previous version of BusinessObjects Enterprise into your current CMS system database. Use this option after running cmsdbsetup.sh. See Completing a CMS database migration on page 104 for more information.
This table describes the options that make up the argument denoted by other authentication information.
Authentication option and valid arguments, each followed by its description:
-cms
Specify the CMS that you want to log on to. If not specified, the CCM defaults to the local machine and the default port (6400).
-username username
Specify an account that provides administrative rights to BusinessObjects Enterprise. If not specified, the default Administrator account is attempted.
-password password
Specify the corresponding password. If not specified, a blank password is attempted. Note: To specify the -password argument, you must also specify the -username argument.
-authentication secEnterprise, secLDAP
Specify the appropriate authentication type for the administrative account. If not specified, secEnterprise is attempted.
The CCM reads the server launch strings and other configuration values from the ccm.config file. For details, see ccm.config on page 601.
Examples
These two commands start and enable all the servers. The Central Management Server (CMS) is started on the local machine and the default port (6400):
ccm.sh -start all
ccm.sh -enable all
These two commands start and enable all the servers. The CMS is started on port 6701, rather than on the default port:
ccm.sh -start all
ccm.sh -enable all -cms MACHINE01:6701
These two commands start and enable all the servers with a specified administrative account named SysAdmin:
ccm.sh -start all
ccm.sh -enable all -cms MACHINE01:6701 -username SysAdmin -password 35%bC5@5 -authentication LDAP
This single command logs on with a specified administrative account to disable a Job Server that is running on a second machine:
ccm.sh -disable MACHINE02.businessobjects.com.reportserver -cms MACHINE01:6701 -username SysAdmin -password 35%bC5@5 -authentication secLDAP
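Scripts that wrap these commands end up holding administrative credentials and server names, so they are worth reviewing. The checker below is an added example, not part of the original guide: it audits ccm.sh calls against the rules in the two option tables above (short or fully qualified server names, documented authentication types, -password requiring -username, the default Administrator fallback). The sample script, its server names and its password value are constructed, and treating any name without a dot as a short name is an assumption of this checker.

```python
"""Audit ccm.sh calls in an automation script against the documented option rules."""
import shlex

VALID_AUTH = {"secEnterprise", "secLDAP"}          # values listed in the options table
SHORT_NAME_OPTS = {"-start", "-stop", "-restart"}  # take "all" or servertype
FULL_NAME_OPTS = {"-enable", "-disable"}           # take "all" or hostname.servertype
VALUE_OPTS = SHORT_NAME_OPTS | FULL_NAME_OPTS | {
    "-cms", "-username", "-password", "-authentication"}
BARE_WORDS = ("cms", "username", "password", "authentication")

# Constructed sample modelled on a startservers-style script; all values are made up.
SAMPLE_SCRIPT = """\
#!/bin/sh
# start and enable the servers
./ccm.sh -start all
./ccm.sh -enable all
./ccm.sh -enable MACHINE01.cms -cms MACHINE01:6701 -username SysAdmin -password EXAMPLE-ONLY -authentication LDAP
./ccm.sh -disable reportserver -cms MACHINE01:6701 -username SysAdmin
./ccm.sh -stop MACHINE02.reportserver
"""


def parse_ccm(line):
    """Return {option: value} for a line that runs ccm.sh, or None for other lines."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: not a line this checker can read
        return None
    for index, token in enumerate(tokens):
        if token == "ccm.sh" or token.endswith("/ccm.sh"):
            args = tokens[index + 1:]
            break
    else:
        return None
    options, i = {}, 0
    while i < len(args):
        if args[i] in VALUE_OPTS and i + 1 < len(args):
            options[args[i]] = args[i + 1]
            i += 2
        else:
            options[args[i]] = None
            i += 1
    return options


def check_call(options):
    """Return [(code, message)]; messages never echo option values such as passwords."""
    found = []
    if "-password" in options:
        found.append(("inline-password", "password is stored in clear text in the script"))
        if "-username" not in options:
            found.append(("password-without-username", "-password also requires -username"))
    for word in BARE_WORDS:
        if word in options:
            found.append(("missing-dash", f"'{word}' appears without a leading dash"))
    if "-authentication" in options and options["-authentication"] not in VALID_AUTH:
        found.append(("unknown-auth-type", "not one of secEnterprise, secLDAP"))
    for option in sorted(FULL_NAME_OPTS & options.keys()):
        target = options[option]
        if target and target != "all" and "." not in target:
            found.append(("needs-full-name", f"{option} expects hostname.servertype"))
        if "-username" not in options:
            found.append(("default-administrator", f"{option} without -username: "
                          "the CCM attempts the default Administrator account"))
    for option in sorted(SHORT_NAME_OPTS & options.keys()):
        target = options[option]
        if target and "." in target:
            found.append(("needs-short-name", f"{option} expects the short server name"))
    return found


def audit_script(text):
    """Return [(line_number, code, message)] for every ccm.sh call in the script text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        options = parse_ccm(line)
        if options is None:
            continue
        for code, message in check_call(options):
            findings.append((number, code, message))
    return findings


if __name__ == "__main__":
    for number, code, message in audit_script(SAMPLE_SCRIPT):
        print(f"line {number}: {code}: {message}")
```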
ccm.config
This configuration file defines the server launch strings and other values that are used by the CCM when you run its commands. This file is maintained by the CCM itself, and by the other BusinessObjects Enterprise script utilities. You typically edit this file only when you need to modify a server's command line. For details, see Command lines overview on page 584.
cmsdbsetup.sh
The cmsdbsetup.sh script is installed to the crystal directory of your installation. The script provides a text-based program that enables you to configure the CMS database, CMS clusters, and to set up the audit database. You can add a CMS to a cluster by selecting a new data source for its CMS database. You can also delete and recreate (re-initialize) a CMS database, copy data from another data source, or change the existing cluster name.
Note: Before running this script, back up your current CMS database. Also be sure to see Configuring the intelligence tier on page 92 for additional information about CMS clusters and configuring the CMS database.
The script will prompt you for the name of your CMS. By default, the CMS name is hostname.cms. That is, the default name of a CMS installed on a machine called MACHINE01 is MACHINE01.cms. To check the name of your CMS (or any other server), view the contents of ccm.config and look for the server's launch string. The server's current name appears after the -name option. For more information about configuring the CMS database, see Configuring the intelligence tier on page 92. For more information about setting up the auditing database, see Configuring the auditing database on page 209.
configpatch.sh
The configpatch.sh script is installed to the bobje/enterprise/generic directory of your installation. Use the configpatch.sh script when installing patches that require updates to system configuration values. After installing the patch, run configpatch.sh with the appropriate .cf file name as an argument. The readme.txt file that accompanies BusinessObjects Enterprise patches tells you when to run configpatch.sh, and the name of the .cf file to use.
serverconfig.sh
The serverconfig.sh script is installed to the crystal directory of your installation. This script provides a text-based program that enables you to view server information and to add and delete servers from your installation. This script adds, deletes, modifies, and lists information from the ccm.config file. When you modify a server using serverconfig.sh, you can change the location of its temporary files. For the Central Management Server, you can change its port number or enable auditing. For the Input File Repository Server or the Output File Repository Server, you can enter the root directory.
To add/delete/modify/list UNIX servers
1. Go to the crystal directory of your installation.
2. Issue the following command:
./serverconfig.sh
The script prompts you with a list of options:
1 - Add a server
2 - Delete a server
3 - Modify a server
4 - List all servers in the config file
3. Type the number that corresponds to the action you want to perform.
4. If you are adding, deleting, or modifying a server, provide the script with any additional information that it requests.
Tip: The script will prompt you for the name of your CMS. By default, the CMS name is hostname.cms. That is, the default name of a CMS installed on a machine called MACHINE01 is MACHINE01.cms. However, in this script you can enter hostname to check the name of your CMS (or any other server), view the contents of ccm.config, and look for the server's launch string. The server's current name appears after the -name option.
5. Once you have added or modified a server, use the CCM to ensure that the server is both started and enabled.
For more information about each of these topics, see Scalability overview on page 158.
sockssetup.sh
The sockssetup.sh script is installed to the crystal directory of your installation. The script provides a text-based program that enables you to configure the Web Component Adapter (WCA) and the Central Management Server (CMS) when they must communicate across one or more SOCKS proxy server firewalls. For technical information about BusinessObjects Enterprise and firewalls, see Firewalls overview on page 182.
To modify SOCKS configuration
1. Go to the crystal directory of your installation.
2. Issue the following command:
./sockssetup.sh
3. Type wca to configure the communication between the WCA and the CMS. Or, type servers to configure SOCKS information between the remaining servers.
The script may prompt you for the name or friendly name of the server. By default, each server's name is hostname.servertype. To check the name of a server, view the contents of ccm.config and look for the server's launch string. The server's current name appears after the -name option. The friendly name of the WCA by default is hostname.wca. To check the name of the WCA, look for the <display-name> of the WCA as listed in the web.xml file in the WEB-INF directory of the webcompadapter.war archive. (This archive is found in the businessobjects_root/enterprise/JavaSDK/applications directory, where businessobjects_root is the root directory of your BusinessObjects Enterprise installation.)
4. Type show to display any SOCKS servers that have already been entered with this script. A blank list is displayed if no servers have been added. Type create to add a new SOCKS server to the list. Type modify to change one of the SOCKS servers in the list. Type delete to remove a SOCKS server from the list. Type moveup or movedown to modify the sequence of SOCKS servers.
5. Proceed through the script and provide any additional information that it requests:
If you are creating a new entry in the list, you will typically need to provide the name or IP address of the SOCKS server, the port number it is listening on, the version number of the SOCKS server (4 or 5), and any authentication information that the BusinessObjects Enterprise servers will require in order to establish a connection with your SOCKS server.
If you choose to delete, modify, or move an existing entry, you will be asked to specify the server by index. Type the number that corresponds to the SOCKS server you want to modify.
For details about SOCKS and the importance of the sequence of servers, see Configuring for SOCKS servers on page 199.
uninstallBOBJE.sh
The uninstallBOBJE.sh script is installed to the bobje directory of your installation. This script deletes all of the files installed during your original installation of BusinessObjects Enterprise by running the scripts in the bobje/uninstall directory. Do not run the scripts in the uninstall directory yourself: each of these scripts removes only the files associated with a single BusinessObjects Enterprise component, which may leave your BusinessObjects Enterprise system in an indeterminate state. Before running this script, you must disable and stop all of the BusinessObjects Enterprise servers. Note: The uninstallBOBJE.sh script will not remove files created during the installation process, or files created by the system or by users after installation. To remove these files, after running installBOBJE.sh, perform an rm -rf command on the bobje directory. If you performed the system installation type, you will also need to delete the run control scripts from the appropriate /etc/rc# directories.
Script templates
These scripts are provided primarily as templates upon which you can base your own automation scripts.
startservers
The startservers script is installed to the crystal directory of your installation. This script can be used as a template for your own scripts: it is provided as an example to show how you could set up your own script that starts the BusinessObjects Enterprise servers by running a series of CCM commands. For details on writing CCM commands for your servers, see ccm.sh on page 598.
stopservers
The stopservers script is installed to the crystal directory of your installation. This script can be used as a template for your own scripts: it is provided as an example to show how you could set up your own script that stops the BusinessObjects Enterprise servers by running a series of CCM commands. For details on writing CCM commands for your servers, see ccm.sh on page 598.
silentinstall.sh
The silentinstall.sh script is installed to the crystal directory of your installation. Once you have set up BusinessObjects Enterprise on one machine, you can use this template to create your own scripts that install BusinessObjects Enterprise automatically on other machines. Essentially, once you have edited the silentinstall.sh template accordingly, it defines the required environment variables, runs the installation and setup scripts, and sets up BusinessObjects Enterprise according to your specifications, without requiring any further input. The silent installation is particularly useful when you need to perform multiple installations and do not want to interrupt people who are currently working on machines in your system. You can also use the silent installation script in your own scripts. For example, if your organization uses scripts to install software on machines, you can add the silent BusinessObjects Enterprise installation command to your scripts. For information about script parameters, see the comments in the silentinstall.sh script. Note: Because the silentinstall.sh file is installed with BusinessObjects Enterprise, you cannot install silently the first time you install BusinessObjects Enterprise.
The silent installation is not recommended if you need to perform custom installations. The installation options are simplified and do not allow for the same level of customization provided in the BusinessObjects Enterprise install script.
bobjerestart.sh
This script is run internally by the CCM when it starts the BusinessObjects Enterprise server components. If a server process ends abruptly without returning its normal exit code, this script automatically restarts a new server process in its place. Do not run this script yourself.
env.sh
The env.sh script is installed to the crystal directory of your installation. This script sets up the BusinessObjects Enterprise environment variables that are required by some of the other scripts. BusinessObjects Enterprise scripts run env.sh as required. When you install BusinessObjects Enterprise on UNIX, you must configure your Java application server to source this script on startup. See the BusinessObjects Enterprise Installation Guide for more details.
env-locale.sh
The env-locale.sh script is used for converting the script language strings between different types of encoding (for example, UTF8 or EUC or Shift-JIS). This script is run by env.sh as needed.
initlaunch.sh
The initlaunch.sh script runs env.sh to set up the BusinessObjects Enterprise environment variables, and then runs any command that you have added as a command-line argument for the script. This script is intended primarily for use as a debugging tool by Business Objects SA.
patchlevel.sh
The patchlevel.sh script is installed to the bobje/enterprise/generic directory of your installation. This script reports on the patch level of your UNIX distribution. This script is intended primarily for use by Business Objects SA support staff.
Option   Valid Arguments   Description
list     n/a               List all the installed patches.
query    patch #           Query the operating system for the presence of a particular patch by numeric ID.
check    textfile          Check that all the patches listed in textfile are installed on your operating system.
postinstall.sh
The postinstall.sh script is installed to the crystal directory of your installation. This script runs automatically at the end of the installation script and launches the setup.sh script. You need not run this script yourself.
setup.sh
The setup.sh script is installed to the crystal directory of your installation. This script provides a text-based program that allows you to set up your BusinessObjects Enterprise installation. This script is run automatically when you install BusinessObjects Enterprise. It prompts you for the information that is required in order to set up BusinessObjects Enterprise for the first time. For complete details on responding to the setup script when you install BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation Guide.
setupinit.sh
The setupinit.sh script is installed to the crystal directory of your installation when you perform a system installation. This script copies the run control scripts to your rc# directories for automated startup. When you run a system installation you are directed to run this script after the setup.sh script completes. Note: You must have root privileges to run this script.
International Deployments
Languages
A quick survey of your organization should provide enough information to determine your language requirements. Which languages are used most often across the organization? Is there a demand for reports in all of these languages? Which languages does your company currently support on its web site? How many languages do your report users speak? It may be necessary to provide reports in only two or three languages. Make sure you check your language requirements against the list of supported languages for BusinessObjects Enterprise. BusinessObjects Enterprise software is available in two versions, an English version and a multilingual version. The multilingual version provides components for the following languages:
For these languages, the software itself has been translated (or localized), with all functions and features available in the specific language. You can publish objects in these languages using the English or multilingual versions of BusinessObjects Enterprise.
Resources
After you determine which languages are required, look at the resources required to implement the different server configurations that will meet the language needs of your users. You can provide separate BusinessObjects Enterprise deployments for each language, or you can ask users to create reports in one language and deliver them using servers in another language. Do you have the resources and people you need to manage multiple systems or can you support only one BusinessObjects Enterprise deployment? For any deployment that involves more than one language, you must account for additional server requirements. For example, if you run an English version of BusinessObjects Enterprise on a multilingual operating system, you must ensure that you have the correct combination of components for both languages. You should choose the right deployment based on the available resources. For each server, ensure that you have the appropriate operating system, fonts, and language files.
Languages
Install the appropriate languages on all servers. Even if only a few users design reports in Spanish and Japanese, Spanish and Japanese language files must be installed on all servers used in the deployment. For information on installing languages, consult your operating system's documentation.
Fonts
If a language requires a special font, install the font files on all machines running BusinessObjects Enterprise components. For information on installing fonts, consult your operating system's documentation.
Note: Depending on the languages, data may not be displayed properly. For example, if you publish reports in a double-byte language like Japanese to an English server, the double-byte characters may not display properly in chart titles, drill-down tabs, group tree values, and strings in formulas. These strings use the system font specified by the server to display text. Unless the system font supports double-byte characters, BusinessObjects Enterprise will not display the strings properly.
If, after installing the necessary fonts on the various servers, BusinessObjects Enterprise does not render the report properly, install Crystal Reports on the problematic servers. Then, open the problem report and refresh it. For more information, see Troubleshooting reports with Crystal Reports on page 521.
Operating systems
Depending on your language needs, you may need to install a localized operating system on machines running BusinessObjects Enterprise components. The operating system may affect certain messages that appear when working with BusinessObjects Enterprise. To ensure that all messages appear in the language you want, make sure you install the appropriate version of the operating system, and make sure it is a language supported by BusinessObjects Enterprise. For example, if you access French reports from a French client using an English version of BusinessObjects Enterprise on the server, you must have a French operating system on the server.
People
Depending on your configuration, you may need additional people to help deliver and maintain your BusinessObjects Enterprise system. If you deploy multiple systems for different languages, you may need another system administrator or IT professional to configure and maintain the system. When you are working with localized versions of operating systems and software, it is good practice to have someone on staff who not only has the technical IT skills, but also the language skills required to manage the system.
About accessibility
When you create Crystal reports for a large audience across the organization, and around the world, you need to account for the diverse needs of that audience. Report designers often create reports for specific languages, countries, job tasks, or work groups, but it is also important to consider the accessibility requirements of users.
Report users may have physical, sensory, or cognitive limitations that affect their ability to access the Web. They may not be able to see, move, or hear. They may have low vision or limited movement. Some people have dyslexia, color blindness, or seizure disorders; others have difficulty reading or understanding text. They may have a combination of disabilities, with varying levels of severity.
People with disabilities often use assistive technologies: products or techniques that help people perform tasks they cannot perform otherwise. Assistive technologies include adaptive software programs such as screen readers (which translate text into audible output), screen magnifiers, and speech-recognition software. People with disabilities may also use special browsers that allow only text or voice-based navigation. They may use assistive devices such as refreshable Braille displays, or alternative keyboards that use sip-and-puff switches or eye-gaze technology.
To meet the reporting needs of people with disabilities, your reports should be designed to work with as many assistive technologies as possible. Despite the wide range of potential accessibility issues, you can use the techniques described in this chapter to create reports that are useful for everyone.
Accessible reports are easier for everyone to use. Many accessibility guidelines result in improved usability. An accessible report must provide logical and consistent navigation. Its content must be clearly written and easy to understand.
Accessible reports are more compatible with a variety of technologies, new and old.
Accessible content is easier to export to simple formats that are more compatible with mobile phone browsers, personal digital assistants (PDAs), and other devices with low-bandwidth connections. Some people may not have a keyboard or a mouse. They may have a text-only screen, a small screen, or a slow Internet connection. Accessible design makes it easier for people with limited technology to access information.
Accessible content is easier to reuse for other formats. In the viewers, accessible reports are more accurately copied or exported to other formats. Accessible reports improve server efficiency. You may reduce the number of HTTP requests on the server, by providing clear navigation so people can find what they need faster. Providing text-only alternatives can reduce the number of graphics, which take up valuable bandwidth.
Recent initiatives indicate a worldwide trend towards providing accessible web content. More companies are making accessibility a requirement for their web content, especially in the United States, where the government introduced section 508 of the Rehabilitation Act. Accessibility is quickly becoming an essential part of web content delivery.
You may be legally required to provide accessible content. Each year, more countries introduce anti-discrimination laws that ensure equal opportunities for people with disabilities. Even if you are not legally required to meet accessibility guidelines, you may want to do business with an organization that is required to adhere to them.
Creating accessible reports is easier than modifying existing reports to make them accessible. If you build accessible features into your reports now, it will be significantly less expensive than to redesign existing reports later.
Organizations and governments worldwide are adopting the accessibility recommendations of the W3C. In Australia, the Disability Discrimination Act includes standards for web site accessibility. Similar guidelines have been introduced in the United Kingdom and throughout Europe. In Canada, all government web content is now developed according to the Common Look and Feel (CLF) initiative, which is largely based on the W3C's Web Content Accessibility Guidelines. Taking web accessibility a step further, the United States government introduced legislation in the form of Section 508 of the Rehabilitation Act, which ensures the right to accessible government web content. Common to all guidelines is a focus on providing web content that is useful for all people, regardless of disability or impairment. For reports, accessible design is focused on the same key concepts:
Content must be easy to understand and navigate.
Text equivalents or alternatives should be provided for non-text objects.
Objects should be logically organized to clarify relationships between objects.
Reports must not rely on any one specific type of hardware, such as a mouse, a keyboard, or a color screen.
For more information on specific accessibility guidelines, see Resources on page 640.
Crystal Reports
By observing accessibility guidelines, you can use Crystal Reports to create reports that are accessible to users with disabilities. However, Crystal Reports does not currently provide complete accessibility for report designers with disabilities. Note: The reports in this chapter were created in Crystal Reports and tested using screen readers (including JAWS 4.5).
Web Intelligence
Web Intelligence provides accessible access through its HTML Report Panel interface, where you can view, create, and edit Web Intelligence documents. Web Intelligence documents are read from left to right and top to bottom, and you can navigate through the report panel's frames and tabs using the Tab key.
OLAP Intelligence
Although you can use many of the same design guidelines to improve the accessibility of Crystal Analysis Professional reports, Worksheets are difficult to format for accessibility. Web Intelligence or Crystal reports are the recommended options for delivering reports to people with disabilities.
BusinessObjects Enterprise
After you create accessible Web Intelligence documents or Crystal reports, you can publish them to BusinessObjects Enterprise, where people with disabilities can view them on the Web using InfoView and the DHTML viewers. The management components of BusinessObjects Enterprise, including the Central Management Console (CMC) and the Central Configuration Manager (CCM), do not currently provide access for people with disabilities. The ActiveX and Java viewers are also not accessible.
3. Tab through the remaining objects. The order that Crystal Reports uses to tab through the objects is the same order adopted by a screen reader that views the published version of the report.
Text
The most common accessibility issue encountered by report designers is also one of the easiest to resolve: providing text-only versions of non-text objects. A non-text object is an object that conveys meaning through a picture or sound. Non-text objects include pictures, charts, graphical buttons, graphical representations of text, sounds, animations, and audio or video clips. People who use assistive technologies are accustomed to text-only substitutes and, therefore, will respond well to the text-only alternatives you provide. There are a number of ways you can use text to substantially improve your report's accessibility:
Provide text equivalents for objects in reports.
Provide text alternatives for reports.
Ensure that text is written and formatted clearly.
Text is a useful tool for creating accessible reports. Most assistive technologies require text input, including screen readers, speech synthesizers, and Braille displays. You can easily resize and format text, and text is the most flexible medium for import and export.
Place a descriptive text object next to a non-text object, and be sure to add them to the report in consecutive order (for more details see Placing objects in order on page 620). Whenever possible, a text equivalent should communicate the same information as its corresponding object in the report. If a report displays data in a pie chart, for example, include a text box next to the chart that summarizes its contents. Describe the purpose of the non-text object. For example, if an image performs an action when you click it, describe the action. For a button that opens your web site, provide a text box labeled Click to view our web site.
If a report includes audio links, provide a transcript for significant audio clips. If a report links to a multimedia or video presentation, provide a transcript. You may also want to provide captioning for the audio portion and an audio description of the visual portion. Captioning should be synchronized with the audio.
7. To hide the subreport link, on the Font tab, choose the color that matches the background color of the report.
Note: Instead of hiding the subreport link, you can conditionally suppress the section that contains the subreport. For details, see Accessibility and subreports on page 631.
Using punctuation
To improve the logical flow of spoken text, you may need to add extra punctuation to create pauses. Without extra punctuation, screen readers may read several text objects as one continuous sentence, making the content difficult to understand. For example, information in data tables may be read without stopping. To prevent this, you can break up information in data tables by inserting periods between fields.
Certain punctuation marks are read aloud, which may be distracting if used too frequently. For example, when a screen reader reads a colon (:), it may read it aloud as "colon" instead of a pause. You can change the amount of spoken punctuation in your screen reader's settings.
To troubleshoot your report's punctuation, it is good practice to read the report using a screen reader. Do objects run together too quickly? Or are there too many pauses? Are any punctuation marks read aloud? Does this improve or detract from the usability of the report?
Formatting text
After you create text equivalents or alternatives for non-text objects, ensure that the text is clearly written and easy to read. Observe the following design guidelines:
Use a larger font. Although people with visual impairments can use the Zoom feature to increase the size of the report, they will not need to magnify the report as much if the font size is larger. For example, chart labels or legends can appear in a small font by default. For general legibility, it is good practice to use a font larger than 8 point. For accessibility, ensure that text is larger than 11 point.
Use a sans serif font. Simple fonts such as Arial and Helvetica can be easier to read than serif fonts like Times or Palatino.
Choose left or justified alignment. Left-aligned or justified text is easier to read than centered or right-aligned text.
Ensure that text follows the guidelines for color usage. For details, see Color on page 625.
Note: You can allow users to choose different font settings using a parameter and conditional formatting. For details, see Accessibility and conditional formatting on page 629.
Color
The colors you choose for objects in reports can have a significant impact on accessibility for people with visual impairments, low vision, or color blindness. Ensure that your reports can be understood when viewed without color.
Contrasting colors
Users with limited vision may be unable to distinguish between colors. To test the color contrast in your report, print or view a black and white copy. You should be able to distinguish between values or fields displayed in different colors (in a pie chart, for example). If you cannot distinguish between colors on the report, try different colors or use gray shading. If this does not resolve the issue, you can change other characteristics. For text, use the Format Editor to change the font, size, or style. You can add borders, underlining, or background shading to differentiate text objects from each other. For charts, use a combination of shading and patterns. You can automatically convert a color chart to a black and white one using the Chart Expert, or you can select values individually and choose your own patterns.
To convert a chart into black and white
1. Select the chart and choose Chart Expert from the Format menu.
2. In the Chart Expert, click the Options tab.
3. In the Chart color area, select Black and white, then click OK.
The chart colors convert to a variety of high-contrast pattern and color fills.
To change the fill for a chart value
1. Select the chart, then click the shaded area you want to change.
2. On the Chart menu, point to Chart Options, and then click Selected Item.
3. In the Formatting dialog box, on the Fill tab, choose a color and click Pattern.
4. In the Choose A Pattern dialog box, click a pattern, then click OK.
Note: You can also select a texture, gradient, or picture as a fill for the chart value. See the Chart Help for more information.
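The black-and-white test described above can be approximated before a report is printed. The following Python script is an added example, not part of the Business Objects documentation: it assumes the Rec. 601 luma weights as the grayscale conversion, and the series names, colors, and the 40-level minimum gap are constructed for illustration.

```python
"""Flag chart colors that become indistinguishable in black and white."""
import string
from itertools import combinations

# Assumption: Rec. 601 luma weights stand in for a black-and-white printout.
LUMA_WEIGHTS = (0.299, 0.587, 0.114)

# Constructed sample palette: chart series name -> fill color.
SAMPLE_PALETTE = {
    "Paid": "#008000",
    "Outstanding": "#FF0000",
    "Disputed": "#0000FF",
    "Pending": "#FFFF00",
}


def parse_hex(color):
    """Return (r, g, b) for '#RRGGBB' or '#RGB'; raise ValueError otherwise."""
    text = color.strip().lstrip("#")
    if len(text) == 3:
        # Expand shorthand such as '#fa0' to 'ffaa00'.
        text = "".join(ch * 2 for ch in text)
    if len(text) != 6 or any(ch not in string.hexdigits for ch in text):
        raise ValueError(f"not a hex color: {color!r}")
    return tuple(int(text[i:i + 2], 16) for i in (0, 2, 4))


def gray_level(color):
    """Gray level (0 = black, 255 = white) the color maps to."""
    return sum(w * c for w, c in zip(LUMA_WEIGHTS, parse_hex(color)))


def indistinguishable_pairs(palette, min_gap=40.0):
    """Return (name_a, name_b, gap) for pairs closer than min_gap gray levels.

    min_gap is an assumed threshold; tune it against a real printout.
    Results are sorted with the hardest-to-distinguish pair first.
    """
    levels = {name: gray_level(color) for name, color in palette.items()}
    close = []
    for (name_a, level_a), (name_b, level_b) in combinations(levels.items(), 2):
        gap = abs(level_a - level_b)
        if gap < min_gap:
            close.append((name_a, name_b, gap))
    return sorted(close, key=lambda item: item[2])


def report(palette, min_gap=40.0):
    """Build a short text report of the gray levels and any problem pairs."""
    lines = [f"{name:<12} {color}  gray={gray_level(color):6.1f}"
             for name, color in palette.items()]
    pairs = indistinguishable_pairs(palette, min_gap)
    if not pairs:
        lines.append("All series remain distinguishable in grayscale.")
    for name_a, name_b, gap in pairs:
        lines.append(f"WARNING: {name_a} and {name_b} differ by only "
                     f"{gap:.1f} gray levels; use a pattern or other shading.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PALETTE))
```

In the sample palette, the red and green fills map to nearly the same gray, so that pair is the one that needs a pattern or different shading.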
Highlighting
To highlight particular values in a table, do not change only the color of the value. If you highlight outstanding invoices in red, for example, they may look the same as the paid invoices to someone with limited vision. In the Highlighting Expert dialog box, change a font characteristic other than color, such as font style.
Hyperlinks
Using color as the only method for identifying hyperlinks may also cause problems for color-blind users. When you print your report in black and white, check the hyperlinks to ensure that they are still visible.
Identifying important areas of the report
Do not organize a report by using color as a background or as a separator between different sections or areas. Instead of using color to identify sections, establish clear and consistent navigation for the entire report.
Navigation
As with other aspects of accessible design, providing several alternative navigation methods can help you meet the reporting needs of more people. The W3C recommends including several different navigation methods. On the other hand, simplicity is critical for intuitive navigation. Section 508 recommends simple navigation that uses the least number of navigation links possible. Either approach can be effective for your reports, as long as you maintain clarity and consistency. You may want to use report parts to navigate a report (or to connect several reports). If you provide a series of links in a page header, keep in mind that screen-reading software will reread the navigation information every time the user refreshes the page or views a new page. In this case, simple navigation is preferable. For a large report, you could provide a list of navigation links as a table of contents in the report header. More extensive navigation can be useful when you have a large volume of data. To allow users to skip the list, you could start with a Skip the table of contents link that jumps ahead to the first page header. In general, report navigation should follow these guidelines:
Identify the target of each link.
Provide information at the start of the report that describes the layout and navigation.
Use navigation consistently.
Provide the opportunity to skip repetitive navigation links.
Parameter fields
When you include parameter fields in a report, make sure they are clear and simple. Although parameter fields can be a useful tool for providing accessible content, they can also introduce several accessibility concerns. It is important to test all parameter fields for accessibility. Parameter fields should follow these guidelines:
Provide a list of default values for the user to choose from. Avoid requiring the user to type a value for a parameter. When users provide their own values, they need to make sure the format of the value will be recognized by the parameter field. A list of default values is easier to use, and it ensures that the user chooses from values with valid formats.
Try to avoid complex parameter fields. A complex parameter field may be more accessible when it is broken down into multiple parameters. When you test the accessibility of your parameter fields, pay particular attention to parameters that require a range. It may be easier to understand if you provide two parameter fields that prompt for discrete values for the top and bottom of the range, rather than ask the user to choose both values in the same parameter field.
For date fields, do not allow users to choose their own values. The calendar used to select date values is not currently accessible. Provide a pick-list of default date values. Using a list of default values also helps avoid invalid date formats.
This formula ensures that the font size for the currently selected field is increased from 10 point to 20 point when the user chooses to display accessible formatting.
6. Click Save and close.
If a report contains many objects, suppressing sections may require fewer conditional formulas. Not all settings and features can be formatted conditionally. By suppressing sections, however, you can make any formatting changes you want. You may want to provide completely different types of information for people viewing the accessible version of the report. For example, you may want to split visual and audio objects into two different sections and conditionally suppress them based on the parameter value the user chooses.
To suppress an accessible section
1. Right-click the left boundary of the section you want to suppress conditionally, and click Section Expert.
2. In the Section Expert, click the Formula button that corresponds to the Suppress (No Drill-Down) setting. The Format Formula Editor opens a new formula named Suppress (No Drill-Down).
3. In the Formula text window, type this formula (which uses Crystal Syntax):
if {?Access} = "No" then True
This formula selects the Suppress option if the user chooses not to view accessible report content.
4. Click Save and close.
5. Click OK in the Section Expert.
To make the report accessible, you may need to change the overall organization of the report sections, or you may need to provide different objects. If the report contains a large number of objects or sections, it may take too much time to create conditional formulas for all of them.
For example, if a report contains many non-text objects displayed in a complex series of groups and sections, you may want to provide a text-only version that uses different objects and a simplified group structure to meet accessibility guidelines. The easiest way to address this problem is to create a subreport that displays the accessible version of the report and place the subreport at the beginning of the main report. For details on creating a text-only accessible subreport, see Providing text-only alternatives on page 622. If you want only screen readers to be able to see the subreport, you can hide it by changing the subreport link to the same color as the background. Alternatively, you can use the ?Access parameter field to allow users to choose whether or not the subreport appears in the report. Place the subreport in its own section and conditionally suppress the section based on the ?Access parameter field. For details, see Accessibility and suppressing sections on page 630.
Note: This chapter uses terminology consistent with the W3C accessibility guidelines. In these guidelines, the term data table refers to values arranged in columns and rows. In Crystal Reports, data tables take the form of group or page headings combined with database fields in the Details section. Do not confuse data tables with database tables, which are data sources used by Crystal Reports.
Providing extra information for each value can make a data table appear cluttered for people without vision impairments, so you may want to hide the extra text objects by changing the font color to the same color as the background. The extra text is invisible, but is still detected and read by screen readers.
You can use the parameter field to suppress the text objects conditionally. While it has the same effect as changing the font color to the background color, conditionally-suppressed text also allows you to use the parameter field to specify other formatting options such as font size and style. To display the text objects only when the user chooses Yes for the ?Access parameter field, the following report uses a simple conditional formula to enable the Suppress option on the Common tab of the Format Editor.
{?Access}="No"
The formula must be added for each text object you want to suppress. When the user chooses Yes for the ?Access parameter field, the text objects are not suppressed; the data table displays text descriptions.
Note: The report shown also uses the ?Access parameter field to enable the Can Grow option (also on the Common tab of the Format Editor) and increase the font size for people with visual impairments. When the user chooses No for the ?Access parameter field, the conditional formula suppresses the text objects, leaving spaces in the report in place of the text objects.
The following report uses formulas placed in the Details section that combine the database fields and the extra text. When the user chooses Yes for the ?Access parameter field, each formula builds a string that includes the description and the value.
@Last Name
If {?Access}="Yes" then "Employee last name is " + {Employee.Last Name} + "." else {Employee.Last Name}
@Salary
If {?Access}="Yes" then {Employee.Last Name} + "'s Salary is " + ToText({Employee.Salary}) + "." else ToText({Employee.Salary})
Notice the added punctuation. The periods at the end of each formula improve screen reader legibility by creating a pause between fields.
Note: The report also uses the ?Access parameter field to enable the Can Grow option and increase the font size. In @Employee ID, the ?Access parameter field has been set to 0 to enable the Can Grow option and increase the font size.
When the user chooses No for the ?Access parameter field, the formula returns only the data. The report does not display blank spaces in place of the conditional text objects. Both versions of the report are easy to read.
Include an introductory paragraph that summarizes the content of the table. The summary should be brief: one or two sentences if possible. Ensure that headings provide enough information to clearly identify the values that they label. To test a table's accessibility, read its headings and values in a linear fashion from left to right and from top to bottom. For example, if a report displays last and first name fields for each customer, it may read better if it displays first name followed by last name. Whenever possible, test the report using assistive technologies such as screen reading software.
To display the table summary conditionally, the report designer divided the Page Header into two sections. The first page header is suppressed when the ?Access parameter field is set to No. The second page header is suppressed if the user chooses Yes. For details, see Accessibility and suppressing sections on page 630.
2. On the title bar, click Preferences.
3. On the General Preferences page, in the On my desktop, show me area, select Action view.
4. To reduce the number of reports displayed on each page, type a number in the text box next to the Action view option.
5. Click the Crystal Report Preferences link.
6. In the View my reports using the area, select the DHTML viewer.
7. Click Apply.
Frames
Frames should be clearly labelled, for easier identification and navigation. Provide text at the top of the frame that describes its purpose. For example, if a frame provides a list of links to different countries, you can clarify its purpose by adding text to the frame, such as a title (Countries) or short instructions (Click a country for details).
Style sheets
If you have a visual impairment, you can create a style sheet with specific viewing preferences to accommodate the disability. For example, you could create a style sheet that displays all web pages in a large font with white characters on a black background. Users cannot apply personalized style sheets to Crystal reports, but the viewers provide a Zoom button that enables people with visual impairments to increase the magnification to suit their needs. You can also allow users to choose from different formatting options using conditional formatting. For details, see Accessibility and conditional formatting on page 629.
Scripts
If you modify Business Objects content to include a script that displays content or an interactive object, ensure that the script is identified by text that conveys the purpose of the script. Make sure that pages with scripts are still usable when the scripts are turned off or unsupported. For more information about scripts and accessibility, see Resources on page 640.
Image maps
Server-side image maps identify active regions using coordinates, which are not meaningful to a screen reader. Client-side image maps provide better accessibility because you can assign a link or URL to each active region within the image map.
Electronic forms
Electronic forms can present difficulties for screen readers, and must be set up carefully. When you label a component in a form, ensure the label is clearly located next to the form component. For example, for a Search box, ensure that the Search title appears alongside the appropriate text box.
Applets and plug-ins
If a report needs an applet, plug-in, or other application on the client machine in order to interpret page content, the plug-in or applet must follow accessibility guidelines. If you attach multimedia or other additional resource files to your report, such as PDF or Real Audio files, provide a link to install the required plug-ins or software, and ensure that the required software also meets accessibility design standards.
Flickering
Flickering images can trigger seizures for people with seizure disorders. The W3C recommends avoiding images that flicker or flash between four and 59 times per second.
Search engine placement
Do not use hidden text to enhance your web site's placement in search engines. Hidden text reduces readability, because it is read by screen readers. Also, hidden text is actively discouraged by popular search engines such as Google, and thus offers little benefit.
Resources
This chapter focuses on how you can create and distribute accessible reports with Business Objects software. The report design techniques in the chapter were tested using JAWS 4.5. It is good practice to test all accessible reports using JAWS and other assistive technologies whenever possible. To make all of your Web communications accessible, consult the detailed guidelines available through the W3C or from your government's web site.
World Wide Web Consortium's Web Accessibility Initiative: http://www.w3.org/WAI/
The United States Access Board's web site for Section 508: http://www.access-board.gov/sec508/guide/
The Government of Canada Internet Guide: http://www.cio-dpi.gc.ca/ig-gi/
appendix
Documentation
You can find answers to your questions on how to install, configure, deploy, and use Business Objects products from the documentation.
Address: Business Objects Consulting Services, http://www.businessobjects.com/services/consulting/
Content: Information on how Business Objects can help maximize your business intelligence investment.
Address: Business Objects Education Services, http://www.businessobjects.com/services/training
Content: Information on Business Objects training options and modules.
Index
A
access to applications 349 to universe connections 355 to universes 354 Access Level column 319 access levels administration 351 Advanced 321, 322 available in the CMC 565 calendars 508 enabling and disabling inheritance 327 events 515 folders 364, 371 for RAS 568 Full Control 321 groups 352 InfoView 349 inheritance 325 No Access 321 NTFS 570 reference 563 restricting from the top-level folder 347 Schedule 321 server groups 353 servers 353 setting 320 specifying on folders 364, 371 tutorials 331 types of 320 users 352 View 321 View On Demand 321 when copying/moving folders 361, 369 access rights to Query HTML panel 48 accessibility 616 and BusinessObjects Enterprise 637 and Crystal Reports 616 benefits of 616 design considerations 619 guidelines 617 resources 640 accounts, managing 250 Active Directory 275 active sessions, viewing 81, 81 active trust relationship 242 AD authentication plug-in 240 adding CMS cluster members 92 servers 169 administration 36 configuration tools 78 delegating 343, 351 events 515 folders 364, 371 over the Web 37 remote UNIX machines 43 remote Windows machines 42 rights 351 servers and server groups 353 tools 36 users and groups 352 Administrator account 251 setting password 44 Administrator group 251 Administrators group, default rights 567 Advanced access level 321 advanced rights 322 and inheritance 325 priorities affecting 330 denied by default 330 enabling and disabling inheritance 328 precedence 330 reference 564 setting 322 viewing 322 Advanced Rights page 323
reference 564 affinity, and SSL 243 alerts, setting notification 479 aliases assigning to a user 296 creating for existing user 296 for new user 294 deleting 297 disabling 298 managing 294 reassigning for a user 297 anonymous single sign-on 232 application servers 59 application tier 58 applications 56 CCM 57 CMC 56 Import Wizard 57 InfoView 56 Publishing Wizard 57 APS. See CMS apsdbsetup.sh 601 architecture 54 diagram 54 areas, management 38 assigning an alias 296 assistive technology 616 attributes, logon tokens 243 audience, intended 22 audit actions enabling auditing of 210 reference list 205 synchronizing records 212 auditee 204 auditing 204 configuring database 209 database schema 218 enabling 210 information flow 204 notification 477 optimizing performance 213 reporting results 214, 217 synchronizing records 212 user and system actions 205
web activity 247 auditing database configuring 209 database schema 218 Application_Type table 225 Audit_Detail table 219 Audit_Event table 218 Detail_Type table 226 Event_Type table 220 Server_Process table 220 auditor 204 authentication BusinessObjects Enterprise security plug-in 236 LDAP security plug-in 238 object packages 463 primary 229 program objects 458 secondary 230 security plug-ins 235 troubleshooting log on 520 Windows AD security plug-in 240 Windows NT Challenge/Response 237, 240 Windows NT security plug-in 236 authentication, types of 252 authorization. See also object rights authorization, effective rights 328 Automated Process Scheduler. See CMS available rights 325
B
base rights 325 business calendars. See calendars Business Objects consulting services 644, 645 support services 643 training services 644, 645 BusinessObjects applications CCM 57 CMC 56 CMS 61 Import Wizard 57 InfoView 56 Publishing Wizard 57 BusinessObjects Enterprise
communication between servers 186 compared to BusinessObjects Enterprise 6.x 535 disabling Guest account 44 firewall integration 186 international deployments 610 primary authentication process 229 single sign-on 236 single sign-on with NT 237 system architecture 54 BusinessObjects Enterprise 6.x 390 compared to BusinessObjects Enterprise 11 535 BusinessObjects Enterprise Central Management Console. See CMC BusinessObjects Enterprise Repository 174 refreshing objects in reports 179 BusinessObjects Enterprise SDK 230, 241 Java SDK 59 .NET SDK 59 BusinessObjects Enterprise security plug-in 236 BusinessObjects Enterprise servers 61, 64 Cache Server 63 configuring hosts file for firewall 193 description 54 Event Server 64 File Repository Servers 63 Job Server 65 Page Server 67 Program Job Server 65 Report Application Server 66 BusinessObjects Enterprise Sizing Guide 158 BusinessObjects NT Users group 252
C
cache format for Web Intelligence documents 493 Cache Server 63 auditable actions 206 command-line options 588 configuring 112 NTFS 573 metrics 80 performance settings 112 viewing with 72 Cache Server for viewing reports 432
caching Web Intelligence documents, when scheduling 493 calendars adding dates to 503 creating 502 deleting 507 specifying rights 508 categories 368, 394 assigning an object to 424 creating 368 CCM 57 accessing 42 adding a server 169 changing server startup type 145 server user account 146 Windows server dependencies 144 copying server status 88 deleting a server 171 enabling and disabling servers 85 for UNIX 43, 598 for Windows 42 printing server status 86 refreshing the list of servers 88 starting, stopping, and restarting servers 82 working with 42 ccm.sh 598 Help option 43 running 43 Central Configuration Manager. See CCM Central Management Console. See CMC Central Management Server. See CMS certificate files 147 characters, setting CMC preferences 38 client side viewers 68 client tier 56 clusters 92, 94, 95 changing names 96 requirements 92 viewing details 81 CMC 56, 385 access to 349 changing password 40 enabling and disabling servers 85 logging off 41
logging on 37 management areas 38 navigating 38 publishing objects with 385 setting preferences 38 setting Query size threshold 40 starting, stopping, and restarting servers 82 unable to connect 520 working with 37 CMS 61, 234 adding to a cluster 95 and authentication 229, 230 and authorization 230 and distributed security 243 and security 234, 234 and security plug-ins 234 as nameserver 140 auditable actions 206, 207, 208 base rights and available rights 325 calculating effective rights 328 changing cluster name 96 clustering 92 installing new cluster member 94 requirements 92 command-line options 586 configuring 108, 109, 140 NAT 190 NTFS 572 SOCKS 200 database 61 default port 140 metrics 81, 81 session variables 244 and authentication 229, 230 tracking 245 stopping 84 unable to connect 520 when enabling and disabling other servers 85 CMS database changing password 109 configuring 98 copying 98 deleting 108 migrating 98 recreating 108
selecting 109 color and accessibility 625 contrast 625 command line arguments specifying 384 for program objects 453 command lines 584 command-line options all servers 585 Cache Server 588 CMS 586 Event Server 595 Input and Output File Repository Servers 594 Job Server 590 Page Server 588 Program Job Server 590 Report Application Server 591 SSL 146 Web Intelligence Job Server 590 Web Intelligence Report Server 593 commands, UNIX reference 597 communication between browser and WCA 229 between BusinessObjects Enterprise servers 186 components, security management 233 conditional formatting for accessibility 629 configuration, common scenarios 159 configuring auditing database 209 Cache Server 112 CMS clusters 92, 96 CMS database 98, 108, 109 Event Server 114 executable programs 455 File Repository Servers 110 firewalls 190 intelligence tier 92 Job Server 121, 121, 125, 132 NTFS permissions 570 object packages 462 Page Server 115, 132 processing tier 115 server settings 78
servers 78 connecting to remote Windows machines 42 Connection folder, access to 252 connections. See universe connections consultants, Business Objects 644 content, folders 358 contrast, color 625 cookies and session tracking 244 logon tokens 243 copying/moving folders 361, 369 creating categories 368 custom audit reports 217 folder administrators 343 folders 358, 375 server groups 152 server subgroups 154 subfolders 360, 368 Crystal Info Views 402 Crystal Info, importing information 400 Crystal Reports and accessibility 616 saving objects to CMS 387 troubleshooting reports 521 Crystal reports choosing a format 492 job server for scheduling 430 server for viewing and modifying 432 Crystal Reports Cache Server. See Cache Server Crystal Reports Page Server. See Page Server Crystal Repository. See BusinessObjects Enterprise Repository custom events 510, 514 custom web applications, enhancing 166 customer support 643 customizing inheritance model 331 object rights 322 your configuration 158
D
daemons, signal handling 586 data choosing live/saved 75
formatting for accessibility 631 live 75 refreshing 375 saved 76 data sharing 78 on Cache Server 112 on Page Server 115 on RAS 118 data sources on UNIX 133 data sources on Windows 132 data tier 68 databases changing settings 434 configuring servers for 132 copying CMS data 98 initializing the CMS 108 modifying RAS interactions 118 selecting for the CMS 109 single sign-on access 233 troubleshooting logon 523 default groups 251 default settings authentication 236 Enterprise accounts 236 groups 250 modifying security 45 NT account 237 object rights 563 ports 140 security plug-in 236 users 250 default users 250 defaultconfig.xml 576 finding correct version to change 578 list of customizable elements 580 modifying for Java Report Panel 579 modifying for .NET InfoView 579 delegated administration. See administration deleting aliases 297 CMS database 108 folders 361, 369 report objects 419 servers 171
universe connections 46 universes 45 denied rights 330 dependencies of servers on Windows 144 designing reports and accessibility 619 in multiple languages 610 destination environment, and importing 402 Destination Job Server auditable actions 207 destinations configuring 126 enabling or disabling 125 enabling Inbox destination 125 metrics 81 performance settings 121 destinations 481 available, by object type 421 default settings 483 email 487 for job servers configuring 126 enabling or disabling 125 FTP 485 sending to 420 troubleshooting 527 unmanaged disk 483 directories, publishing 376 directory servers about LDAP 239 security plug-in 238 disabilities. See accessibility disabling aliases 298 destinations for job servers 125 Guest account 44 inheritance 327 program objects 458 servers 85 discussion thread cancelling search 49 searching 49 sorting search results 51 Discussions access rights to objects 51
accessing 49 DLL. See dynamic-link libraries documentation additional 519 feedback on 643 on product CD 642 on the web 642 roadmap 642 domains 392, 394 DSNs on UNIX 135 dynamic-link libraries as processing extensions 241
E
education. See training effective rights, calculating 328 email destination 487 setting defaults 128 email notification 477 enabling auditing 210 destinations for a job server 125 inheritance 327 program objects 458 servers 85 encoding logon tokens 243 end-to-end single sign-on 233 Enterprise authentication 252 environment variables ODBC 135 environment variables, specifying for program objects 456 env.sh 606 ePortfolio. See InfoView errors Page Server 527 troubleshooting 518 Event Log 139, 144 Event Server 64 auditable actions 208, 208 command-line options 595 configuring 114 metrics 80 polling time 114 events 510
access to 515 custom 514 file-based 511 importing from Crystal Enterprise 399 notification 477 polling time 114 schedule-based 512 scheduling 473 Everyone group 252 Everyone group, default rights 567 executable programs 451 configuring 455 expanding the system 158 Explicitly Denied column 323 Explicitly Granted column 323 extensions, processing 241
F
failure, notification 476 Favorites folders 367 features, new 25 feedback, on documentation 643 file events 510, 511 File Repository Servers 63 command-line options 594 configuring NTFS permissions 571 maximum idle times 110 metrics 80 Properties page 110 root directories 110 filters for report objects 439 firewall rules specifying for NAT 194 specifying for packet filtering 197 firewall types 183 NAT 184 packet filtering 184 SOCKS 185 firewalls 182, 246 configuration scenarios 188
configuring 190 NAT 190 packet filtering 195 SOCKS 199 thick client 195 with application tier 190 with WCA 200 forcing servers to register by name 142 integration with BusinessObjects Enterprise 186 server communications, and 186 folder administrators, creating 343 folders 358 access to 364, 371 adding a report 362, 370 changing top-level rights 336 copying/moving 361, 369 creating 358, 375 default rights at top level 567 default user folders 367, 372 delegated administration 343 deleting 361, 369 Favorites folder 367, 372 importing from Crystal Enterprise 398 from Crystal Info 401 inheritance 326 moving 361, 369 object rights 317 access levels 320 advanced settings 322 inheritance 326 setting access levels 320 viewing 319 when copying/moving 361, 369 rights 364, 371 setting instance limits 365 specifying rights 364, 371 format choosing for Crystal reports 492 choosing for Web Intelligence documents 491 formatting, and accessibility 623 FTP destination 485 setting defaults 130 Full Control access level 321
reference 567
G
global deployments, BusinessObjects Enterprise 610 granted rights 330 group inheritance 326 group rights 317 grouping servers 152 groups access to 352 creating 258 for tutorials 332 default 251 deleting 261 importing from Crystal Enterprise 397 from Crystal Info 400 modifying 260 object rights access levels 320 advanced rights 322 inheritance 326 of servers 152 setting instance limits on folders 365 object rights 317 viewing members 261 Guest account 251 default rights 567 disabling 44, 261
H
help, documentation resources 519 highlighting exceptions and accessibility 626 Holos applications, from Crystal Info 402 hosts file, configuring for NAT firewall 193 HTTP 229, 244 hyperlinks between reports 447
I
idle times Cache Server 112 File Repository Servers 110
Page Server 115 Import Wizard 57, 390 selecting information 405 specifying source and destination 402 importing from BusinessObjects Enterprise 6.x 390 from Crystal Enterprise 396 from Crystal Info 400 Import Wizard 390 selecting information 405 specifying source and destination 402 Inbox documents 395 index, setting CMC preferences 38 Info cubes 402 information flow, between servers 69 information resources 642 InfoView 56 accessing 37 categories 372 considerations 527 controlling access to 349 folders 367 in multiple languages 613 Java version 47, 89 managing 47 scheduling 466 troubleshooting 527 inheritance 325 and advanced rights 323, 328 base rights and available rights 325 enabling and disabling 327 priorities affecting 330 tutorials 331 Inherited column 323 initializing CMS database 108 initlaunch.sh 607 Input File Repository Server 63 command-line options 594 configuring NTFS permissions 571 maximum idle time 110 metrics 80 root directory 110 instances deleting 498 from Crystal Info 401
importing from Crystal Enterprise 398 managing 495, 496 notification 477 object packages 460 pausing 497 program objects 451 report objects 425 resuming 497 sending 420 setting limits at the folder level 365 intelligence tier 61 configuring 92 international deployments, planning 611 Internet Information Services (IIS), default web site 519
K
Kerberos single sign-on 233, 299 key files 147
L
LDAP 239 about 239 and SSL 239 LDAP accounts 239 managing 262 modifying connection parameters 272 member groups 272 troubleshooting 274, 274 LDAP authentication 253 configuring 263 configuring mapping options 267 LDAP authentication plug-in 238 LDAP groups mapping 269 troubleshooting 274, 275 unmapping 272 viewing mapped groups 272 LDAP hosts configuring 263 managing multiple 273 LDAP security plug-in 238 LDAP single sign-on, configuring 267 license keys 530 adding 532 and CMS database migration 98 reinitializing the CMS database 108 viewing account activity 532 licensing 530 accessing information 531 Lightweight Directory Access Protocol. See LDAP limits, setting at the folder level 365 List of Values Job Server auditable actions 208 description 67 destinations configuring 126 enabling or disabling 125 metrics 81
J
Java InfoView, customizing appearance of Web Intelligence documents 579 Java platform 60 Java programs 451 authentication 459 configuring 456 providing access to other files 457 setting parameters 457 Java SDK 60 Job Server command-line options 590 configuring 132 NTFS permissions 573 on UNIX 133 destinations configuring 126 enabling or disabling 125 metrics 81 performance settings 121 specifying 430 Job Servers 65, 65 auditable actions 208 job servers configuring destinations 126 performance settings 121
performance settings 121 live data 75 load balancing and distributed security 243 CMS clustering 92 Local System account 132 log on processing server accounts 132 protection against malicious attempts 247 to the CMC 37 with token 230 logging server activity 139 web activity 247 logon tokens 243 and authentication 229 and authorization 230 and distributed security 243 and secondary authentication 230 and session tracking 244 logon.csp 229
selecting information 405 specifying source and destination 402 multihomed machines 143 My Password, setting CMC preferences 38
N
nameserver, role of CMS 140 NAT. See Network Address Translation native drivers 132 on UNIX 133 navigation and accessibility 626 between reports 447 Net Access column 319 .NET InfoView customizing appearance of Web Intelligence documents 579 Network Address Translation application tier, and 190 configuring 190 CMS (Unix) 191 CMS (Windows) 191 server hosts file 193 servers behind firewall 192 definition 184 specifying firewall rules 194 thick client, and 195 new features 25 No Access level 321 reference 565 non-text objects 621 Not Specified rights, and access levels 320 notification 477 alerts 479 audit 477 email 477 event 477 for a scheduled object 476 NT authentication and UNIX 236 NT authentication plug-in 236 NT LM Security Support Provider 144 NT single sign-on and Windows NT security plugin 237 NTFS permissions 570
M
malicious logon attempts, protection against 247 management areas, defined 38 mapped drives 526 mapped groups aliases, managing 294 viewing Windows AD 280 Windows NT 289 mapped users, managing aliases 294 mapped Windows AD groups, viewing 280 mapped Windows AD users, viewing 280 mapping Windows AD accounts and groups 276 Windows NT accounts 284 menu styles, setting CMC preferences 38 metrics viewing 79 account activity 532 migrating 390 CMS database 98 from Crystal Enterprise 396 from Crystal Info 400
number of logons, logon tokens 243 number of minutes, logon tokens 243
O
object packages adding objects to 461 authentication 463 configuring 462 creating 377, 460 managing 459 moving 378 publishing objects to 385 scheduling 471 object rights 317 access levels 320 advanced setting 322 available in the CMC 564 base and available 325 calculating effective 328 for creating/modifying reports 568 for RAS 568 importing from Crystal Enterprise 398 from Crystal Info 401 inheritance 325, 326, 328 reference 563 setting 320 specifying for a folder 364, 371 tutorials 331 decreasing rights 334 increasing rights 346 viewing 319 when copying/moving folders 361, 369 object scheduling, recurrence pattern 469 objects adding to an object package 461 Advanced Rights page 322 and access levels 320 assigning to a category 424 copying 417 creating a shortcut 417 enabling and disabling inheritance 327 importing from Crystal Enterprise 398 from Crystal Info 401
managing 416, 417 moving 417 properties, changing 422 publishing 373 multiple 376 options 375 with CMC 385 refreshing from BusinessObjects Enterprise Repository 179 Rights tab 319 saving to CMS 387 scheduling 466 searching for 419 sending 420 viewing rights 319 objects displayed, setting maximum 40 objects per page, setting maximum 38 ODBC CMS database 95 connectivity 98 drivers 132 environment variables 135 processing server accounts 132 reporting on UNIX 134 system information file 135 .odbc.ini 135 OLAP Intelligence, saving objects to CMS 387 one-machine setup 159 Online Customer Support 643 Open OLAP cubes 402 options, publishing 375 Output File Repository Server 63 command-line options 594 configuring NTFS permissions 571 maximum idle time 110 metrics 80 root directory 110 overloads 393
P
packet filtering 184 configuring for 195 packets, firewalls and 182 page index, setting CMC preferences 38 page layout, specifying 442
Page Server 67 command-line options 588 configuring on UNIX 133 configuring for data source 132 configuring NTFS permissions 574 for viewing and modifying 432 metrics 81 performance settings 115 Properties page 115 viewing with 72 pages, setting CMC preferences 38 parameter fields and accessibility 628 conditional formatting with 629 parameters for Java programs 457 passwords changing 257 for CMS database 109 restrictions 247 setting for Administrator account 44 for current CMC user 38 patchlevel.sh 607 pausing an instance 497 performance 158 Cache Server settings 112 CMS clusters 92 common scenarios 159 general considerations 162, 162 load balancing 243 of jobs per server 121 Page Server settings 115 RAS settings 120 while auditing 213 Windows NT Challenge/Response authentication 237, 240 performance improvement, delegating XSL transformation 165 permissions 317 NTFS 570 personal categories 372 Personal documents 395 platforms Java 60
Windows .NET 60 plug-ins, security 235 polling time, setting for Event Server 114 port numbers, changing 140 ports definition 183 firewalls, and 183 opening on firewall 191 postinstall.sh 607 predefined access levels 320 preferences, setting in the CMC 38 primary authentication 229 printer, specifying 441 printing setting printer options 441 setting the default printer 441 processing extensions 241 applying to reports 443 registering 444 selecting 445 sharing 447 processing servers, configuring 133 processing threads Cache Server 112 Page Server 115 processing tier 64 configuring 115 program credentials specifying 381 Program Job Server auditable actions 208 destinations configuring 126 enabling or disabling 125 metrics 81 Program Job Server, command-line options 590 program objects 451 accessing other files 384 authentication 458 batch 380 binary 380 command line arguments 384 configuring 455 disabling 458 enabling 458 environment variables, specifying 456
Java 380 configuring 456 providing access to other files 457 setting parameters 457 processing options, setting 453 properties, changing 422 providing executables with access to other files 455 script 380 working directory, specifying 454 programs. See program objects Properties tab for job servers 121 publishing 374 and object rights 338 folders 358 object packages 385 options 375 reports and objects 373 with CMC 385 with Publishing Wizard 376 Publishing Wizard 376 adding folders 376 objects 376 creating category on CMS 379 creating folder on CMS 377 database log on 382 duplicating folder structure 378 modifying default values 381 object properties 382 moving reports between folders 378 repository refresh 380 scheduling objects 379 selecting category on CMS 379 folder on CMS 377 setting parameters 383
R
RAS database settings 118 for viewing and modifying 432 metrics 81 object rights required 568 performance settings 120 Properties page 120 reassigning an alias 297 recurrence patterns, object scheduling 469 recurring dates 503 refreshing cache files 112 reports 426 repository objects 179 Rehabilitation Act, Section 508 617, 640 Remote Procedure Call 144 remote resources, troubleshooting 526 remote servers CCM for UNIX 43 CCM for Windows 42 CMC 37 Report Application Server 66 auditable actions 206 command-line options 591 viewing with 73 report instances description 426 managing 425, 496 history 495 setting limits 498 viewing 496 Report Job Server 208 auditable actions 208 Report Job Server, performance settings 121 report objects and accessibility 619 applying processing extensions 443 assigning to a category 424 database settings, specifying 434 deleting 419 destination 481 filters, specifying 439 managing 425 page layout, specifying 442
Q
.qry files 525 Query HTML panel, access rights 48 query objects, from Crystal Info 402
parameters, specifying 437 properties, changing 422 refreshing against BusinessObjects Enterprise Repository 179 rights for creating/modifying 568 searching for 419 setting instance limits 498 rights 317 specifying Job Servers for 430 specifying servers for viewing and modifying 432 report packages 402 report thumbnails, adding with reports 362, 370 Report Viewers 68 report_view_advanced.aspx 71 report_view_dhtml.aspx 71 reports adding to a folder individually 362, 370 audit 214, 217 custom 217 sample 214 configuring servers for data sources 132 hyperlinking 447 importing from Crystal Enterprise 398 from Crystal Info 401 managing 425 modifying RAS SQL options 118 publishing 373 multiple 376 options 375 with CMC 385 refresh options 426 saving to CMS 387 scheduling 70 scheduling with events 473, 473 troubleshooting 521, 523 viewing 71 viewing options 428 repositories 391 Repository Migration Wizard 176, 177 repository. See BusinessObjects Enterprise Repository requirements, clustering 92
resources 642 restarting servers 82 restart.sh 606 restrictions access from the top level 347 guest account 248 logon 248 password 247 user 248 resuming instance 497 rights 317 administration 351 Advanced 321 available 325 base 325 calendars 508 CMC 349 events 515 folders 364, 371 for RAS 568 Full Control 321 groups 352 importing from Crystal Enterprise 398 from Crystal Info 401 InfoView 349 No Access 321 Schedule 321 server groups 353 servers 353 setting object rights 317 specifying for a folder 364, 371 tutorials 331 users 352 View 321 View On Demand 321 rights. See also object rights Rights tab 319 root directories, File Repository Servers 110 root folders default rights 567 modifying security 45 row-level security, processing extensions 241 run dates 503 run options, object scheduling 469
S
saved data 76 scalability 158 common scenarios 159 general considerations 162 scaling the system 157 Schedule access level 321 reference 565 schedule events 510, 512 Schedule page 468 setting for an object 476 scheduled instance, description 425 scheduling an object 476 events 473 from Crystal Info 402 importing from Crystal Enterprise 398 increasing capacity 163 information flow 70 notification 476 object packages 471 objects 466 in batches 471 recurrence patterns 469 run options 469 specifying server for 430 screen readers 616 script programs 451 scripts for UNIX 597 searches, setting CMC preferences 40 searching discussion threads 49 for objects 419 secEnterprise.dll 236 secLDAP.dll 238 secondary authentication 230 Section 508, Rehabilitation Act 617, 640 sections, and accessibility 630 Secure Sockets Layer 146 Secure Sockets Layer (SSL) 239, 246 and LDAP 239 and load balancing 243 configuring for LDAP 264 security 228 active trust relationship 242
auditing web activity 247 closed model 346 components 233 distributed 243 environment protection 246 firewalls 246 Guest account restrictions 248 initial settings 43 logon restrictions 248, 248 modifying default levels 45 object rights 317 inheritance 325 tutorials 331 open model 334 password restrictions 247, 247 plug-ins 235 predefined access levels 320 processing extensions 241 protection against malicious logon attempts 247 restrictions 248 session tracking 244 user restrictions 248 web browser to web server 246 web servers 246 security plug-ins 235 Enterprise authentication 236 LDAP authentication 238 Windows AD authentication 240 Windows NT authentication 236 secWindows.dll 236 selecting CMS database 109 sending objects or instances 420 to inboxes, default configuration 125 server dependencies, changing 144 server groups 152 access to 353 creating 152 importing from Crystal Enterprise 399 subgroups 154 serverconfig.sh 602 servers 54, 61, 64, 78 access to 353 accessing the CCM 42
activity, logging 139 adding 169 application tier 58 changing status 82 user account on Windows 146 changing startup type 145 command lines 584 communication 186 application tier and CMS 187 CMS directory listing 186 configuring 78 default settings 78 deleting 171 dependencies, adding or removing 144 disabling 85 enabling 85 for scheduling 430 for viewing and modifying reports 432 grouping 152 information flow 69, 69 intelligence tier 61 logging activity 139 managing 77 metrics, viewing 79 modifying group membership 155 processing tier 64 refreshing list using the CCM 88 registering by name 142 restarting 82 standard command-line options 585 starting 82 status changing 82 copying 88 printing 86 stopping 82 troubleshooting 526 UNIX signal handling 586 user account, changing 146 session variables 244 and authentication 229, 230 sessions tracking 244 viewing active 81
settings access levels 320 advanced object rights 322 InfoView 47 initial security levels 43 Query size threshold 40 report refresh 426 report viewing 428 viewing account activity 532 setup.sh 607 shared libraries, as processing extensions 241 signal handling 586 silentinstall.sh 605 single sign-on anonymous 232 disabling Guest account 44 authentication Enterprise 236 LDAP 239 NT 237 Windows AD 240 end-to-end 233 with Kerberos 299 setting up Kerberos 299 LDAP 267 SiteMinder 267 Windows AD 282 Windows NT 292 to BusinessObjects Enterprise 232 to database 233 SiteMinder, setting up single sign-on with LDAP 267 six-machine setup 160 SMTP destinations, setting defaults 128 SOCKS 185 configuring 199 CMS 200 WCA 200 sockssetup.sh 603 source environment, specifying 402 SSL 146 certificates 147 configuring servers 146, 146 keys 147
SSL. See Secure Sockets Layer (SSL) sslc.cnf 146 sslc.exe 146 starting CCM for UNIX 43 CCM for Windows 42 servers 82 startservers 605 startup type, changing for servers 145 startup types, configuring servers 145 statistics, auditing web activity 247 status, viewing and changing for servers 82 stopping CMS 84 servers 82 stopservers 605 styles, setting CMC preferences 38 subfolders, creating 360, 368 subgroups of servers 152 subreports and accessibility 622, 631 success, notification 476 support customer 643 locations 643 technical 643 web site 643 synchronizing audit actions 212 syslog 139 system actions, list of auditable 208 system architecture 54 system data, copying 98 system database, migrating 98 system information file (ODBC) 135 system metrics, viewing 81 system security 228
T
tables, and accessibility 631 TCP/IP, firewalls and 182 technical support 643 temporary files, configuring Page Server 115 text objects formatting for accessibility 623 placing on the report 621 thick client, firewall configuration 189
NAT 195 third-party documents 395 third-party security plug-ins 235 three-machine setup 160 thumbnails, adding with reports 362, 370 tickets for distributed security 243 logon tokens 243 tiers 54 application 58 client 56 data 68 intelligence 61 processing 64 time zones setting CMC preferences 38 supporting multiple 527, 610 timestamps 396 tools administration 36 Central Configuration Manager (CCM) 42, 42 Central Management Console (CMC) 37 UNIX 598 top-level folder, modifying security 45 top-level, creating new categories 368 top-level, creating new folders 359 tracking, sessions 244 training, on Business Objects products 644 transfer of trust 243 troubleshooting 518 access 570 InfoView deployments 527 LDAP accounts 274 NTFS permissions 570 report viewing and processing 521 web accessibility 519 Windows AD accounts 281 Windows NT accounts 290 trust, active trust relationship 242 tutorials 331
U
UNC paths 526 uninstall 604 uninstallCE.sh 604
universe connections deleting 46 importing 392 managing 46 Universe Designer Users group 252 Universe Designer, access to 252 universe domains 392 universe restriction sets 393 universes access to 354 deleting 45 importing 392 managing 45 UNIX administrative scripts 597 and NT authentication 236 application server 59 Central Configuration Manager 43 command reference 597 installation 60 syslog 139 tools 597 WCA 60 unmanaged disk destination 483 setting defaults 131 unmapping LDAP groups 272 Windows AD accounts 280 Windows NT accounts 288 upgrading from BusinessObjects Enterprise 6.x 390 from Crystal Enterprise 396 from Crystal Info 400 Import Wizard 390 user accounts 250 configuring servers 146 creating 254 default 250 deleting 256 managing 250 modifying 256 NTFS permissions 570 user actions, list of auditable 206 user aliases assigning to 296
creating for existing user 296 for new user 294 deleting 297 disabling 298 reassigning 297 user databases, NT4 and Windows 2000 Active Directory 236 user folders 367 user groups, default 251 user rights 317 user rights, setting 51 users access to 352 auditing actions of 204 delegated administrators 343 importing from BusinessObjects Enterprise 6.x 393 from Crystal Enterprise 397 from Crystal Info 400 object rights access levels 320 advanced rights 322 effective rights 328 inheritance 327 setting instance limits on folders 365 object rights 317 viewing active sessions 81, 81 users with AD authentication, importing from Crystal Enterprise 397 users with aliases, importing from Crystal Enterprise 397 users with LDAP authentication, importing from Crystal Enterprise 398 utilities, UNIX reference 597
V
View access level 321 reference 565 View On Demand access level 321 reference 566 viewers and InfoView 71 client-side 68
setting CMC preferences 38 zero client 68 viewing active users 81, 81 advanced object rights 323 BusinessObjects Enterprise architecture 71 CMS cluster details 81 current account activity 532 current metrics 79 information flow 71 licensing information 531 object rights 319 server metrics 79 system metrics 81 with the Cache Server 72 with the Page Server 72 with the Report Application Server 73 viewrpt.aspx 71
W
WCA 59 and authentication 229 and authorization 230 and logon tokens 234 and security 234 auditing web activity 247 configuring for SOCKS 200 description 59 WCA session variables 244 primary authentication 229 secondary authentication 230 tracking 245 WCS, configuring NTFS permissions 571 web customer support 643 getting documentation via 642 useful addresses 644 Web Accessibility Initiative 640 Web application environments 60 Web Component Adapter. See WCA Web Content Accessibility Guidelines 617 web desktop. See InfoView Web Intelligence application rights 48
documents changing default appearance 576 customizing for Java InfoView 579 customizing for .NET InfoView 579 finding correct defaultconfig.xml 578 list of customizable elements 580 Query HTML access rights 48 Web Intelligence documents 395 See also report objects assigning to a category 424 choosing a format 491 delegating XSL transformation 165 properties, changing 422 scheduling 466 searching for 419 selecting cache format 493 server for scheduling 430 server for viewing and modifying 432 Web Intelligence Job Server auditable actions 208 command-line options 590 destinations configuring 126 enabling or disabling 125 metrics 81 performance settings 121 Web Intelligence Report Server auditable actions 206, 207 command-line options 593 metrics 81 performance settings 122 web response speeds, improving 166 web servers 61 improving response speeds 166 securing 246 web sites support 643 training 644 Windows Central Configuration Manager 42 Event Log 139 Local System account 132 server dependencies 144 Windows 2000 Active Directory 236 Windows 2000, unmapping accounts in 289
Windows AD accounts See also Windows AD users adding to mapped groups 281 creating 281 mapping 276 troubleshooting 281 unmapping 280 Windows AD authentication 253 Windows AD groups mapped, viewing 280 mapping 276 unmapping 280 Windows AD security plug-in 240 Windows AD single sign-on 282 end-to-end 299 to BusinessObjects Enterprise 282 Windows AD users See also Windows AD accounts viewing 280 Windows AD, viewing mapped groups and users 280 Windows .NET platform 60 Windows NT accounts adding to mapped groups 291 creating 290 disabling 291 managing 284 mapping 284 in CMC 285 in Windows 2000 285 in Windows NT 284 troubleshooting 290 unmapping 288 Windows NT authentication 252 Windows NT Challenge/Response authentication 237, 240, 246 Windows NT groups creating 291 mapping 284 unmapping 288, 288 viewing 289 Windows NT security plug-in 236 and UNIX 236 Windows NT single sign-on, setting up 292 Windows NT users, viewing 289
X
XSL transformation for Web Intelligence documents 165
Z
zero client viewers 68