Central Management Console
Slide 2
Topics
The Big Picture
Folders and Categories
Groups and Users
Security Rights
Q&A
Slide 4
Each table stores information used by the Central Management Server (CMS)
CMS_AliasesX: Alternative accounts for users
CMS_IdNumbersX: Next available unique ID
CMS_InfoObjectsX: All objects (users, groups, folders, ...)
CMS_RELATIONSX: Relationships between objects
CMS_VersionInfo: Latest software version
Slide 5
The only enterprise service that interacts with the System database.
CMS decides who gets to see what
The tables contain the accounts, groups, and rights
This server deciphers this information to make its decision
This server also maintains this database through the Central Management Console (CMC)
Web-based tool used to add folders, users, groups, and rights
Can also be used to publish report objects
Acts like Supervisor from traditional BusinessObjects
Slide 7
Output Filestore
Stores object instances that have already been processed. Data is stored with instance
Slide 9
Topics
The Big Picture
Folders and Categories
Groups and Users
Security Rights
Q&A
Slide 16
Topics
The Big Picture
Folders and Categories
Groups and Users
Security Rights
Q&A
Slide 17
Users can be manually added or imported (mapped)
Information about the user can be added
Name
Description
Password
E-mail address
License type (CPU or named user)
Slide 20
Everyone
All users belong to this group
Allows access to Report Samples folder
BusinessObjects NT Users
Windows Authentication only
Slide 23
Outdated
Slide 24
Once added, a user can be assigned to a group
Click on the Member of button from the Member tab
Slide 28
Subgroups can now be assigned (if they exist) using the Subgroups tab OR this group can be assigned as a subgroup
Slide 30
Topics
The Big Picture
Folders and Categories
Groups and Users
Security Rights
Q&A
Slide 31
Security Rights
Assigning rights to groups and users is easy once you understand the Enterprise Security Model
This model shows how rights are set and inherited
Once the main rules are understood, we'll cover how to apply these rights at different levels
Globally
By Folder
By Group
By Object
By Category
By Application
By Universe
Slide 32
Security Rights
The Enterprise Security Model
This model controls how users interact with BusinessObjects applications and report content
Control is granted/removed through RIGHTS
A right dictates what actions a user can perform
View a report
Use WebIntelligence to create an ad-hoc query
Publish documents to the System database
Rights have been grouped internally as ACCESS LEVELS to make the job easier
These predefined levels can be customized by adding ADVANCED RIGHTS.
Slide 33
Security Rights
The Enterprise Security Model
Access Levels
Predefined access levels include:
No Access
Not able to access report content
View
A user can view the folder or report object, as well as any generated instances (executed versions) of those objects.
Schedule
In addition to View, a user can create additional instances of an object through scheduling
Complete control is given over those generated instances (delete, modify)
For folders, a user can add report objects and copy the object and/or folder.
View On Demand
In addition to Schedule rights, a user can refresh a report instantly (on demand)
Full Control
The user gains all additional rights
Slide 34
Security Rights
The Enterprise Security Model
Access Levels
Explicitly Denied
User or group is denied the right. Denials take priority over grants.
Inherited
The user or group inherits a right that was granted at a higher level
Higher level folders or groups
Not Specified
The right has not been assigned so it is denied
It could be inherited or explicitly granted
Slide 35
Security Rights
Rules of the Road
Follow these simple rules
Top-level folders inherit rights set at the global security level
More on this in a minute
Children inherit the rights of their parents
Advanced rights override inherited rights
Denied rights override granted rights
Slide 36
Security Rights
Global-Level Rights
Global rights set the default security for the entire Enterprise system
Any top-level folder that is created will be given these permissions
Any group that should have certain system-wide rights needs global rights
Set these rights first, then decrease/increase rights as additional folders and objects are added
A common scenario:
Administrators may need Full Control by default
The Everyone group should have No Access
Slide 37
Security Rights
Establishing Global-level Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose Settings
Slide 38
Security Rights
Establishing Global-level Rights, cont'd
Example: Change global access for Administrators to Full Control
Slide 39
Security Rights
Establishing Global-level Rights, cont'd
Slide 40
Security Rights
Establishing Global-level Rights, cont'd
General settings can be explicitly granted or denied
These Advanced Rights are available at any level (folder, object, ...)
Slide 41
Security Rights
Establishing Global-level Rights, cont'd
Advanced Rights for Reports
Slide 42
Security Rights
Establishing Global-level Rights, cont'd
Advanced Rights for Text and WebIntelligence
Slide 43
Security Rights
Folder-level Rights
Top-level folders use global rights to set their access levels
Groups and users are given access to folders
Rights for those groups and users are inherited from their parent folders
Additional rights can be added
Global
Admin: Full Control
Everyone: No Access
Sales
Admin: Full Control (inherited)
Everyone: No Access (inherited)
Sales: View
Marketing: View
Slide 44
Security Rights
Folder-level Rights, cont'd
Subfolders inherit the rights of their parents
A subfolder may have different rights than its parent
Sales
Sales: View
Marketing: View
Sales USA
Sales Japan
Slide 45
Security Rights
Establishing Folder-level Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose Folders
Select a folder (like Sales)
Slide 46
Security Rights
Establishing Folder-level Rights, cont'd
Select the Rights tab
Add the group(s) that need access to this folder
Slide 47
Security Rights
Establishing Folder-level Rights, cont'd
Adjust that group's access level to the folder
Slide 48
Security Rights
Group-level Rights
Users inherit rights from the group(s) they belong to
Subgroups inherit rights from their parent groups
A user that belongs to more than one group inherits the most powerful (least restrictive) access of any group
Sales
Sales: View
Marketing: No access
John: View
John: View
Slide 49
Security Rights
Group-level Rights
Users granted explicit rights override any rights inherited from their group
Denied rights override any other access
Sales
Sales: View
Marketing: No access
John: Denied
Sally: Schedule
John: Denied
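Added example (not part of the original slides and not BusinessObjects code): a simplified Python model of the inheritance rules from the folder-level and group-level slides, resolving a user's effective access on a folder. The function names, the users Ken and Pat, the Sales Tokyo subgroup and the ACL data are constructed for illustration, and the model works on whole access levels only, ignoring individual advanced rights.

```python
from enum import IntEnum

class Level(IntEnum):          # predefined access levels, weakest to strongest
    NO_ACCESS = 0
    VIEW = 1
    SCHEDULE = 2
    VIEW_ON_DEMAND = 3
    FULL_CONTROL = 4

DENIED = "Explicitly Denied"   # not a level: it overrides every grant

# Constructed sample data modelled on the folder and group diagrams in the slides.
PARENT = {"Global": None, "Sales": "Global", "Sales Japan": "Sales"}
ACL = {
    "Global": {"Administrators": Level.FULL_CONTROL, "Everyone": Level.NO_ACCESS},
    "Sales": {"Sales": Level.VIEW, "Marketing": Level.NO_ACCESS, "Sally": Level.SCHEDULE},
    "Sales Japan": {"John": DENIED},
}
MEMBER_OF = {                  # user or subgroup -> groups it belongs to
    "John": ["Sales", "Marketing", "Everyone"],
    "Sally": ["Sales", "Everyone"],
    "Ken": ["Sales Tokyo", "Everyone"],
    "Sales Tokyo": ["Sales"],  # subgroup of Sales
    "Pat": ["Everyone"],
}

def groups_of(principal):
    """Every group the principal belongs to, following subgroup -> parent links."""
    seen, stack = set(), list(MEMBER_OF.get(principal, []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(MEMBER_OF.get(group, []))
    return seen

def resolve(principal, folder):
    """Nearest setting for one principal, walking up to Global (child beats parent)."""
    while folder is not None:
        if principal in ACL.get(folder, {}):
            return ACL[folder][principal]
        folder = PARENT[folder]
    return None                # Not Specified

def effective_access(user, folder):
    own = resolve(user, folder)
    settings = [s for s in [own, *(resolve(g, folder) for g in groups_of(user))] if s is not None]
    if DENIED in settings:     # denied rights override any other access
        return DENIED
    if own is not None:        # explicit user rights override group rights
        return own
    return max(settings, default=Level.NO_ACCESS)  # least restrictive group wins
```

A user with no setting anywhere in the chain ends up with No Access, matching the "Not Specified" rule.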
Slide 50
Security Rights
Object-level Rights
Report content within a folder can have access rights
This allows finer-grained control over individual reports, programs, ...
Establishing object-level access is very similar to folder-level access
Inventory Report.rpt
Sales
Customers.xls
Admin: Full Control (inherited)
Everyone: No Access (inherited)
Sales: View
Marketing: View
Logo.bmp
Slide 51
Security Rights
Object-level Rights, cont'd
Sales
Sales: View Marketing: View
Inventory Report.rpt
Sales: Schedule
Slide 52
Security Rights
Establishing Object-level Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose Objects
Select an object
Slide 53
Security Rights
Establishing Object-level Rights
Select the Rights tab
Add a group or user that needs access
Modify existing group or user access
Slide 54
Security Rights
Category-level Rights
Categories group similar object content together
It acts as an alternative filing system that can span multiple folders
Like folders and objects, access rights can be set on categories
A group or user must have rights to the category and object within that category
If the object is not available, it will not appear in its associated category
Slide 55
Security Rights
Establishing Category Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose Categories
Select a category
Slide 56
Security Rights
Establishing Category-level Rights
Select the Rights tab
Add a group or user that needs access
Modify existing group or user access
Slide 57
Security Rights
Application-level Rights
Enterprise applications can be secured using rights
Basic applications that can be secured:
Central Management Console (CMC)
Designer
Infoview
WebIntelligence
Slide 58
Security Rights
Establishing Application Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose BusinessObjects Enterprise Applications
Slide 59
Security Rights
Establishing Application Rights, cont'd
Select an Enterprise Application (like Designer)
Slide 60
Security Rights
Establishing Application Rights, cont'd
Select the Rights tab
Add a group or user if necessary
Click on the Advanced button for application-specific rights
Slide 61
Security Rights
Universe-level Rights
Universes are interfaces built using the Designer application.
Users can use these universes to develop ad-hoc reports using WebIntelligence (and Crystal Reports!)
Universes must be imported into the System database
The Central Management Console can control their use
Who can access a universe
What rights are given for that universe
What objects that group or user can see
What databases the universe can connect to
Slide 62
Security Rights
Establishing Universe Rights
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose Universes
Slide 63
Security Rights
Establishing Universe Rights, cont'd
Select a universe (like Xtreme)
Click on the Object Level Security tab
Slide 64
Security Rights
Establishing Universe Rights, cont'd
Objects can be designated with a security level when the universe is created
This matches with the group/user's security level
Group/User: Public, Controlled, Confidential, Restricted, Private
Object: Public, Controlled, Confidential, Restricted, Private
A group or user can see objects up to his security level!
Slide 65
Security Rights
Establishing Universe Rights, cont'd
Rights are established like folders and objects
Advanced rights apply to Universe Designers
Slide 66
Security Rights
Establishing Universe Rights, cont'd
Universe database connections can also be secured
Run the Administration Launchpad (Java or .NET)
Log into the Central Management Console
Choose Universe Connections
Slide 67
Security Rights
Establishing Universe Rights, cont'd
Select a connection (like Xtreme)
Select the Rights tab
Advanced rights are pretty simple
You can use the connection or you can't
Slide 68
Security Rights
Establishing Universe Rights, cont'd
The Universe Designer now allows security restriction sets
These restriction sets mimic the universe restrictions from BO Supervisor
Database connections can be changed
Row and column level security can be enforced
Tables can be substituted for other tables and views
Slide 69
Security Rights
Establishing Universe Rights, cont'd
Log into Universe Designer
Open or import a universe (like Xtreme)
Select the Security Restriction Set icon
Slide 70
Security Rights
Establishing Universe Rights, cont'd
Refer to the Designer's Guide for more information
Slide 71
Security Rights
Establishing Universe Rights, cont'd
Once created, the restriction set can be applied to groups and users
Slide 72
Topics
Introduction
The Big Picture
Folders and Categories
Groups and Users
Security Rights
Q&A
Slide 73
Q&A
Questions
Contact information
Scott Emmons Email: scott@integrasolutions.net