Business Objects Administration – Security Rights migration from SAP BO 3.x and BI 4.x

Hi Readers,

In this blog we are going to see the security rights migration from SAP BO 3.x and BI 4.x and the challenges we could encounter while doing BO content migration from 3.x to 4.x.

This post describes security settings as they correspond to the new interface and functions. The structure of the interface has been redesigned and security settings changed in certain cases. This means that some 3.x security settings are not directly compatible with the new interface. Where equivalents exist, these are used.

This document will guide you in the changes you might need to make when migrating content from 3.x to 4.x. Certain rights have been renamed, others are unaffected, and some rights are not supported in 4.x, and will require unsetting before resaving and migrating those reports.

Below are some of the known general Issues.

• Rights are not supported in 4.x and exist in 3.x
• Rights that are renamed in 4.x and exist in 3.x

Let us see each case in detail.

• Rights are not supported in 4.x

The typical example for this category would be Desktop intelligence application and redesign of      BI launch pad interface.

• Desktop intelligence

As Desktop Intelligence is removed in 4.x all the corresponding rights are not supported.

• Interface

In 3.x we are allowed to hide the toolbar based on the user rights. But in case of 4.x it is replaced by toolboxes in which we can disable the individual component.

Some of the rights come under this category:

Right	Migration status
Enable drill mode	No longer maintained in 4.x
Extend scope of analysis	No longer maintained in 4.x
Interactive: General – Ability to hide / show toolbars	Toolbar is replaced with toolbox
Enable HTML Report Panel	HTML viewer is removed in 4.x
Desktop Intelligence Application level rights	Desktop Intelligence Application is removed

How to resolve this?

We need to remove these rights in 3.x before migration so that they will not be migrated to the new version.

• Rights that are renamed in 4.x

The right “View SQL“in 3.x has been renamed to “Query Script – Enable Viewing” in 4.x.

Similarly below are some of the rights that belong to this category in my knowledge.

Rights in 3.x	Rights in 4.x
Create document	Documents – enable creation
Data Tracking: Enable for users	Data – enable data tracking
Data Tracking: Enable format display changes by users	Data – enable formatting of changed data
Edit SQL	Query script – enable editing (SQL , MDX…)
Enable Auto save for this user	Documents – enable auto save
Enable formula and variable creation	Reporting – create formulas and variables
Enable Java Report Panel	Interfaces – enable Rich Internet Application
Enable Publish and Manage Document Content for this user (did not exist)	Documents – enable publish and manage content as web service
Merge dimensions for synchronization	Reporting – enable merged dimensions
View SQL	Query script – enable viewing (SQL , MDX…)
Web Intelligence Rich Client : Save a document locally on the file system	Desktop interface – save documents locally
Web Intelligence Rich Client: Allow local data providers	Desktop Interface – enable local data providers
Web Intelligence Rich Client: Export a document	Desktop interface – export documents
Web Intelligence Rich Client: Import a document	Desktop interface – import documents
Web Intelligence Rich Client: Install from Info View	Desktop interface – install from BI launch pad
Web Intelligence Rich Client: Print a document	Desktop interface – print documents
Web Intelligence Rich Client: Remove document security	Desktop interface – remove document security
Web Intelligence Rich Client: Save a document for all users	Desktop interface – save document for all users
Web Intelligence Rich Client: Send by mail	Desktop interface – send by mail

How to overcome this?

We need to remap these rights in 4.x after migration by comparing them against 3.x rights.

• Special cases

The below rights are added in XI3 SP4 and are not included till 4.0.3.

i.    Import from BI On Demand

ii.   Export to BI On Demand

Resolution

SAP recommends not to migrate to XI 3.4 or later to BI 4.0.3.x or a previous release as some of the rights that are added in these versions are not replicated in till BI 4.0.3.x.

Hope the post was useful for those considering 4.x migration.

Thanks for reading.  Read More About  Business Objects Administration

Business Objects Mobile – Architecture and Deployment

Hello All,
As a continuation of my previous blog, we are going to see more in detail about BO Mobile Architecture, Deployment scenarios, Server side and client side requirements in this blog.

The diagram below shows Mobile Installation on top of Business Objects Enterprise Framework

And the Business Objects Mobile Architecture will be like

Three deployment scenarios are supported for SAP Business Objects Mobile. You can choose to deploy based on your User community.

• BlackBerry devices registered on a corporate BlackBerry Enterprise Server (BES)
• Non-BlackBerry devices and/or BlackBerry devices not registered on a corporate BES. This requires a proxy server or firewall to ensure security.
• User population that includes BlackBerry devices registered on the BES and other devices. This requires a BES and a proxy server or firewall.

Based on the above deployment scenarios the common architecture of BO Mobile would be like

Server side requirements

The following components need to be deployed on top of SAP Business Objects Enterprise Installation.

• The Mobile server composed of an authentication server (VAS) and a processing server (VMS).
• A mobile database that logs the user activity and provides information on synchronization of data between the SAP Business Objects Enterprise server and the mobile devices.
• A BlackBerry Enterprise Server (BES), if you are deploying the application to BlackBerry device users (Deployment type 1).
• A proxy server, if your deployment to BlackBerry devices does not include a BES server or if your deployment includes non-BlackBerry devices (Deployment type 2 and 3).
• To deploy client application to devices through OTA provisioning, you need to install and deploy the OTA web application, delivered with SAP Business Objects mobile, on a web application server.

Client side requirements

Based on deployment scenario, SAP Business Objects mobile application can be delivered to users via

• Over-The-Air to BlackBerry devices using the push capability in the BlackBerry Enterprise Server.
• Over-The-Air (OTA) via a secured web site page. This requires you to deploy the OTA web application delivered with SAP Business Objects Mobile to a secured web application server.
• Manually on each device using the client desktop application supplied by device manufacturer.

I Hope this blog gives a good understanding on Business Objects Mobile architecture and deployment.
In our next blog we will see configuration of BO Mobile using Blackberry simulators.

Keep reading!

Business Objects Mobile – Introduction

Hello BOgglers,

Just a change from series of BO Administration series to emerging trends in SAP Business Objects.SAP BO Mobile is going to be the topic of discussion in my upcoming blogs starting from this.

The shift from a wired world to a wireless world of connectivity with the advantage of smart phones and handheld devices has lead to a new era of mobile computing, especially in the field of BI. BO Mobile allows to access favorite BI reports, metrics and right-time data with a single click from a mobile device with the following advantages

• Make informed decisions with instant access to personalized information on the move, can be alerted about changes to critical business data instantly.
• Leverage existing BI investments & skills to quickly reach mobile users.
• Users can intuitively access familiar reports without a need for additional training.

Devices Supportability

BO Mobile supports broad range of mobile devices including BlackBerry, Windows Mobile, Symbian OS and any J2ME 2.0-compatible devices.

Supported document types

• Web Intelligence documents
• Crystal Reports documents
• Limited gauge analytics (speedometers, barometers and thermometers)

Functionalities Supported

• Save documents locally and consult them offline, to mitigate network interruptions and minimize communication costs.
• Receive alerts when a document is modified, a condition is met or a schedule is run.
• Follow-up actions by clicking on report cells to launch an SMS, phone call or email.
• Set up a default document that opens automatically whenever log into application.
• Refresh reports to retrieve the most up-to-date data.
• View results using zoom and navigational shortcuts.
• Navigate to related documents via hyperlinks on reports.
• Drill on results to analyze detailed or summary data.
• Track data changes via customizable highlighting set up by the document creator.

Target Audience

Information executives: Users who needs to know a few high-risk KPIs at the right time, no matter where they are. A business case for this could be a sudden fall in sales or inventory levels brought to the attention of the respective director.
Field workers: Users of this segment work in the field and need specific information at specific times. A sales representative, while finding an unexpected opportunity, can browse for required historic information such as price negotiation, contract tenure to give immediate feedback to the customer.
Business analysts: Business analysts need a few strategic KPIs in addition to static reports.
Clerical member staff: This people occasionally need reports while they are on the move.

Limitations

• BO Mobile is not guaranteed to work on all mobile devices and operating systems.
• Report data sets can be large and can theoretically saturate available device memory. The unsatisfactory display of large data sets can be mitigated by designing smaller report views.

We will see more in detail about Mobile Architecture and installation and configuration in upcoming blogs.

Thanks for reading! Happy Blogging!  Read More about  Business Objects

Windows AD authentication for Business Objects using Kerberos – Part II

This is our continuation of our SSO configuration from starting from SIA configuration.

4.     Configuring the Server Intelligence Agent to use the service account

In order to support Kerberos, Server Intelligence Agent must be configured in CCM to log on as the service account:

To configure a Server Intelligence Agent

1)  Start the CCM.

2)  Stop the Server Intelligence Agent.

3)  Double-click the Server Intelligence Agent and the Properties dialog box is displayed.

4)  On the Properties tab:

• In the Log On As area, deselect the System Account check box.
• Enter the user name and password for the service account.
• Click Apply, and click OK.

5)       Start the server again.

5.     Configure the AD plug-in

In order to support Kerberos, we have to configure the Windows AD security plug-in the CMC to use Kerberos authentication.

To configure the Windows AD security plug-in for Kerberos

• Go to the Authentication management area of the CMC and Click the Windows AD tab.

• Ensure that the Windows Active Directory Authentication is enabled check box is selected.
• In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name.
• Enter the credentials that have read access to Active Directory in the Name and Password fields.

Note:

Use the format Domain\Account in the Name field LIKE NA\ BOLab-Admin.

• Enter the default domain in the Default AD Domain field.

Note:

Use FQDN format and enter the domain in uppercase, here it is NA.HEXAWARE.COM

• In the Mapped AD Member Group area, enter the name of an AD group whose users require access to Business Objects Enterprise, and then click Add.

• In the Authentication Options area, select Use Kerberos authentication.
• In the Service Principal Name field, enter the account and domain of the service account or the SPN mapping to the service account which was created

In this case, BOBJCentralMS/TESTSERVER.NA.HEXAWARE.COM.

• Click Update

6.     Configure Tomcat web.xml file

Modify the web.config file to ensure Windows authentication is enabled.

To configure InfoView for AD authentication mode, configure the web.config file in the

\Tomcat55\webapps\InfoViewApp\WEB-INF directory.

Edit the web.xml. Then, change the authentication default value to secWinAD.

7.     Configure the Krb5AuthLoginModule and krb5.ini

Create a folder in C:\WINNT to store the following two files:

1. krb5.ini
2. bscLogin.conf

The contents of the krb5.ini and the bscLogin.conf were the following:

Note: 1. This should be done on all computers that run application servers.

2.  KDC is the Domain Controller(s) of the particular domain.

8.     Configure the Tomcat Java option

Launch the Tomcat Configuration program & add the following Java command in the Java Optionsof the Java tab.

-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf

-Djava.security.krb5.conf= C:\WINNT \krb5.ini

Hope this will be useful for Kerberos based windows AD authentication. Feel free to get back to me in case of any issues. I am privileged to helping you all. Happy Blogging!