The No password checking option does not only have the risk of users that
type the wrong password and
get frustrated. There is a major security problem. A user can use the
userid of his manager and
a fake password to log on to BO. He then can start BO (password is not
checked in BO).
He now can retrieve documents from Doc Agent and Repository that contains
data that was meant for his manager.
We raised an enhancement request to provide the ability to have the
userid and pw checked against the
(data) database. It will be version 5.x (not 0) until this option will be
available.
Regards,
Michiel Brunt
mh9725@MOMAIL.SBC.COM on 12-04-99 20:43:00
cc: (bcc: Michiel Brunt/NL/ABNAMRO/NL)
Luis
Thanks for the suggestions. The no password checking is Ok but it does not
work like it could. What happens if my user mistypes the password when
prompted at the opening of Business Objects? Since checking is turned off,
it passes through and then after the user has gone to all the trouble of
creating a query it gives them the message that they can’t run the query.
Now the user has to figure out how to save this query that they have been
working on for 2+ hours. You and I both know that it is Options >> Do not
retrieve data, however, many users do not know how to do this. So what
ends
up happening is they dump the query and start all over again. As a result
frustration is through the roof, and they are ready to take BO off the
desktop at the first sign of a competing product.
A possible solution is to have a pointer to the database that the universe
describes. Instead of logging in at the start of BO, have the user login
after they pick the universe they want to use. At this time the users
password is checked against the database containing the data that the user
is going to be querying. Then the user would be sure that since BO started
up and gave no errors they would be able to run queries. This solution
scales nicely until you guys figure out how to put tables from multiple
databases in one universe. (I don’t even want to go there).
I noticed that P.S. Mohan put forth a script to do what you described in
the
second part of your post. I look forward to trying this one out. I
believe
it may be exactly what I needed.
Thanks
Michael Holly
Southwestern Bell
From: Luis Gonzalez[SMTP:LGonzalez@BUSINESSOBJECTS.COM]
Sent: Friday, April 09, 1999 10:18 AM
Randy and Michael,
BOUSER and BOPASS in connection parameters work best when there is no
password defined for the users in Supervisor.
The security flag “No Password Checking” was developed for this purpose,
so
that users are allowed in to the application via verification of only
the
user name. With this flag on, the password is not checked in the
repository,
and whatever password the user enters is passed through to the database
for
verification when running or refreshing queries. In other words, no
password
maintenance is required in BusinessObjects when using “No Password
Checking.”
If you still want to maintain passwords in BusinessObjects, you can
probably
try a couple of things:
-
Through your same VB front-end, if you allow user interaction in
changing passwords, execute BusinessObjects and use SendKeys to execute
the
Tools/Change Password command to have the user change their BO password.
2. The column OBJ_M_ACTOR.M_ACTOR_N_ENDING is set to 0 for a
perpetual
password, and to 1 to force the user to change their password at next
login.
So, setting M_ACTOR_N_ENDING = 1 will ask users to change their
passwords
the next time they login to BusinessObjects.
Hope this helps,
Luis Gonzalez
-----Original Message-----
Sent: Friday, April 09, 1999 07:36 AM
Randy
There is no way of setting the BO password programmatically. Many
people
have asked for this for quite a while but it falls on deaf ears. Because
of
this I know several groups in my company that have ceased using this
functionality. The user passes through and the database checks the
validity
when a query is started.
You would think that they could give a function in a dll to do this.
Make
it
so that I can programmatically change the password of someone who has
user
level but nothing higher. I don’t think BO really knows how their tool
is
used in the enterprise. An example is a group with data that resides on
two
different locations X and Y. Of course I want to use BOUSER BOPASS on
each
connection so that I can track the SQL that the users are issuing. Now
throw
in a BO password. I now have the problem of keeping the BO password in
synch
with the password on system X and system Y and on BO. But what if I
have
some users within that group that access information on Z system using
BO?
I
do not administrate system Z but now I am forced to coordinate with this
other system to synch that user’s password to the same one as my system
uses. Now multiply this by the many systems that a large company has and
the
problem becomes evident.
Yours in frustration.
Michael Holly
Southwestern Bell IS
PS If you do find a way, post it here. I sure would like to know.
From: rcoates@ATT.NET[SMTP:rcoates@ATT.NET]
Sent: Thursday, April 08, 1999 6:05 AM
We are using the id/password pass-thru functionality of
Business Objects, where @Variable(BOUSER) and @Variable
(BOPASSWORD) in the universe connection window pass the
Business Object id/password through to our database. We
are struggling with how to keep the two passwords
synchronized. We can get the database to change through
our Visual Basic front-end, but cannot find a way to
programmatically change the Business Objects password.
Randy Coates
Actium
rcoates@actium.com
rcoates@worldnet.att.net
Listserv Archives (BOB member since 2002-06-25)