Hello everyone.

I am brand now to BOB so please forgive me if I missed some threads that cover what I am asking. I did do a search for best practices but I could not find what I am looking for.

Here is the situation. My organization is upgrading from BO 5.1.3 to XI R3.0. This is a very large leap for the organization. Part of it includes granting limited access to users that know little or nothing about BO and creating several access levels for InfoView, Webi and Deski. Previously all BO users were equal with no need to differentiate them.

Our vendor created 5 security levels which follows:

5 Report Readers: View access only in infoview. No editing, scheduling, etc allowed.
4 Report Consumers: View + Refresh
3 Report Writers: View, Refresh, + Write/Modify
2 Power Users: View, Refresh, Write/Modify + Schedule
1 Deski: View, Refresh, Write/Modify, Schedule + Deski access

The problem is that the vendor set the default level that all user accounts are created into at the Power Users level. This default group also grants access to the data. They then deny rights to create level 3-5 and grant additional rights to create level 1. This creates problems because if you deny anything to the default group, then all users are affected. A few sub-admins locked themselves out of their own folders when trying to restrict access to most of their users. Each user in our sub-organizations must be in their default group in order to have access to their data.

That is the background. I am trying to redesign the security from the ground up and I am having difficulty understanding exactly how and why things are done in the CMC. I would prefer to have our security based on unassigned and granted rights with very sparing usage of explicit denials.

I have found a few different approaches that I can take but I’m not sure of the pitfalls in each:

Approach A:

Seperate out the data access group and the security group. Leave the groups as is.

This would be the easiest solution but I’m not sure if it is the right solution. It still leaves in place a denal of rights for access levels 3-5. Also, it could cause problems with our sub admins if them assign a user mistakingly to multiple groups.

Approach B:

Use the default BO access levels. Create 5 groups for our security levels then assign rights to applications based on the groups.

The thing that I don’t like about this approach is that the default BO access levels don’t fit our administrative plan’s security levels.

Approach C:

Create 5 access levels matching our 5 security levels. Create a matching 5 groups and assign users to the groups accordingly. A seperate group will be used to grant access to Data.

This is the route that I prefer but it does not seem to be as cut and dry as I originally thought. It took me days of pounding my head against the wall trying to figure out why my test users could not change their own preferences and passwords until I granted the test group access to itself.

Any input would be greatly appreciated.

CalDoug (BOB member since 2009-01-12)

I don’t want to repeat myself. A quick search for keyword “security” and my user name yielded a few threads as followed (there are more if you like to read)…

This should get you started.

substring (BOB member since 2004-01-16)

CalDoug,
In addition to substring’s noted links, you might want to consider some transition courses offered by SAP which are Business Objects version 3.x eLearning training courses that will prepare you for the implementation of Business Objects XI release 3.x.

BOE405 [3 hrs, $138], which is equivalent to SA100eV3.0-Enterprise XI 3.0: Administration

BOE415 [2 hrs, $138], which is equivalent to SA101eV3.0-Enterprise XI 3.0: What’s New – User Rights

BOE425 [2 hrs, $138], which is equivalent to SA100eV3.0-Enterprise XI 3.0: Federation, Server-Intelligence, Auditing

BOE445 [2 hrs, $138], which is equivalent to SA104eV3.0-Enterprise XI 3.0: Using the CMC and Infoview

Best wishes.
John

jsanzone (BOB member since 2006-09-12)

Thank you for the replies.

Those threads don’t really help me with my situation.

I have read through everything that I can download from BO. I am scheduled to take a security course from BO next month. Unfortunately, it does not help me much this month which our pilot will end and we are scheduled to expand to the rest of the organization.

I guess I asked too broad of a question so I did not get any real answers. I will focus my questions better in the future.

I think I have made up my mind that I will go with option C and build everything up from the ground up.

CalDoug (BOB member since 2009-01-12)

Generally, I’m with you on C. And yes, what you’re trying to do involves a LOT of potentially complex issues, so don’t be frustrated.

My advice is to start small and simple, and add the more complex solutions only if needed. Here is a place to start … XI 3.0 Security for Mere Mortals. It includes a number of best practice recommendations. Not so ironically, they specifically advise AGAINST your A and B solutions (denying rights, and using built-in access levels).

Here is one hint. Your “other” vendor is mixing application privileges with document / universe / connection privileges. A second hint. There should be no reason to create separate groups JUST for data access rights.

Dwayne Hoffpauir (BOB member since 2002-09-19)

In addition, you can also consider hiring a consultant, either from SAP BusinessObjects Consulting Services or from a Business Objects consulting partner, who has done it before, to lay the ground work for you. This will save yourself a lot of grief down the road. It is because if you implement it wrong from the beginning, it is 100 times harder to try to correct it later.

substring (BOB member since 2004-01-16)

Thank you very much for that power point and spread sheet. That helped a lot.

Unfortunately my organization does not have the money to hire a consultant. Additionally, the database and universes are already set up by our primary vendor and cannot be altered. I believe there is some row level security but I do not have access to any tools to alter them nor do I have the expertise to do it.

I am tasked with administering our users and sub-admins. That is why I want to rework our security structure before we go live with it. As it is now, we have already ran into a few problems and I forsee much more to come if I don’t rework it.

Thank you again for your assistance. I’ll post an update after I am done reworking the access levels and groups. I wish there was a easy way to cut-n-paste out of the CMC. That would make sharing group permission settings much easier on this board.

CalDoug (BOB member since 2009-01-12)

If the row level security is set up in Designer, you will need to install that client software in order to make any change. If it is set up on the database, you can download a free database management software called SQuirreL. It can access all the popular RDBMS as long as you have the driver.

By the way, it is almost impossible for you to set up security if you have one hand tied behind your back…so to speak. Your company needs to give you all the necessary permissions in order for you to do the job properly.

Good luck.

substring (BOB member since 2004-01-16)

Trying to modify an existing security could be a tricky thing … What about rebuild it from scratch? Think about the future day administration!

I just upgraded my BOEXIR2 SP2 environment to BOE XIR3.1. I imported all the content and security setttings by using the Import Wizard. However, I am running into some security issues at this time.

Is there any way that you can wipe out all the security that was imported and start rebuilding it this from scratch without affecting the content?

Thanks for your help.

My environment: BOE 3.1, Windows 2003, SQl Server 2005, Tomcat, Java, AD authentication.

rbrito (BOB member since 2007-09-06)

There is no way to reset only the security …

It’s better to first audit the R2 security before the migration.

You can import the contents ONLY without the associated security. Then build the security on the new environment.

This is really off topic and not related to the orginal post. If you have further question on this topic, you should start a new one instead of hijacking this thread.

substring (BOB member since 2004-01-16)

Thanks for your reply. I will start a new thread for this, it wasn’t my intention to hijack anything.

rbrito (BOB member since 2007-09-06)