How do your users set database credentials?

system · November 14, 2014, 6:36pm

We currently have a custom jsp solution in XI3.1 that enables our users to set their database credentials. I would like to move away from custom coding if possible and am looking for alternatives.

I never understood why setting database credentials is done in the CMC. It’s not intended to be an end-user tool, and when would it be appropriate for a BO admin to know users’ database passwords?

So, I’m curious how other people manage this. Do you have your users use CMC to set their credentials, or do you use some other solution?

joepeters (BOB member since 2002-08-29)

system · November 17, 2014, 9:15am

If using Oracle would a VPD work for you?

http://scn.sap.com/thread/1199494

Mak 1 (BOB member since 2005-01-06)

system · November 17, 2014, 2:01pm

Thanks, Mak. Not sure if our DBAs will go along with it, but it looks like it would make the user management a lot easier.

joepeters (BOB member since 2002-08-29)

system · November 17, 2014, 3:00pm

DBAs in Doing as Little as Possible Shock!

Try and sell it to them on the basis that they will be able to see which users are running each query on the database.

Mak 1 (BOB member since 2005-01-06)

JohnBClark · November 17, 2014, 3:49pm

Is single sign-on to the database an option for you? There are some limitations to this but it would eliminate the need for them to change their database credentials.

system · November 17, 2014, 8:08pm

I’ll try that!

joepeters (BOB member since 2002-08-29)

system · November 17, 2014, 8:09pm

We’ve never done that, and I didn’t find much info here. Do you have any pointers?

joepeters (BOB member since 2002-08-29)

JohnBClark · November 17, 2014, 8:20pm

We haven’t done single sign-on to the database. We have recently looked at how we handle our database logins also. The DBAs like the single sign-on option for Mak’s statement, they would know exactly who the users were. The problem we ran into is that the login credentials for this are not cached as far as we could tell. Because of that, the user couldn’t schedule a report to run at a time when they weren’t logged in. Because of this we had to abandon the single sign-on route.

I didn’t do the testing myself, but this is what I was told.

If you add

--user:@variable('BOUSER')  --universe:@variable('UNVNAME')  --doc name:@variable('DOCNAME')

to the END SQL parameter of your universe, it will pass the user’s login, the universe they are using, and the WebI document that they are using as a comment at the end of the report SQL that is passed to the database. (This code is for SQL Server). If they are running or scheduling a Crystal Report, it will only pass the BOUSER variable or the user’s login to the database.

You could use this in conjunction with a database authenticated login for Business Objects. You could use the database login either with a login for each database, for each database server, or for each Business Objects environment. This gets you away from using the user database credentials completely.

It really comes down to negotiation with your DBAs to find a balance between good security practices and maintaining Business Objects functionality for your users.

EDIT: Instructions for setting up single sign-on to the database are in the Administrator’s Guide.

system · November 17, 2014, 8:27pm

Are you doing this for my beloved “Crystal Reports” or what is the true reason behind your requirement, please?

Andreas (BOB member since 2002-06-20)

system · November 21, 2014, 6:53pm

No, not CR. They are actually DeskI reports that we’re converting to WebI as part of our BI4 upgrade.

Our users all have Oracle IDs that are created primarily for another business application. The secondary usage is for reporting in BO. So the queries that are generated in BO need to reflect the access restrictions applied in the database.

Joe

joepeters (BOB member since 2002-08-29)