Business Objects Administration – Security Rights migration from SAP BO 3.x and BI 4.x

Hi Readers,

In this blog we are going to see the security rights migration from SAP BO 3.x and BI 4.x and the challenges we could encounter while doing BO content migration from 3.x to 4.x.

This post describes security settings as they correspond to the new interface and functions. The structure of the interface has been redesigned and security settings changed in certain cases. This means that some 3.x security settings are not directly compatible with the new interface. Where equivalents exist, these are used.

This document will guide you in the changes you might need to make when migrating content from 3.x to 4.x. Certain rights have been renamed, others are unaffected, and some rights are not supported in 4.x, and will require unsetting before resaving and migrating those reports.

Below are some of the known general Issues.

• Rights are not supported in 4.x and exist in 3.x
• Rights that are renamed in 4.x and exist in 3.x

Let us see each case in detail.

• Rights are not supported in 4.x

The typical example for this category would be Desktop intelligence application and redesign of      BI launch pad interface.

• Desktop intelligence

As Desktop Intelligence is removed in 4.x all the corresponding rights are not supported.

• Interface

In 3.x we are allowed to hide the toolbar based on the user rights. But in case of 4.x it is replaced by toolboxes in which we can disable the individual component.

Some of the rights come under this category:

Right	Migration status
Enable drill mode	No longer maintained in 4.x
Extend scope of analysis	No longer maintained in 4.x
Interactive: General – Ability to hide / show toolbars	Toolbar is replaced with toolbox
Enable HTML Report Panel	HTML viewer is removed in 4.x
Desktop Intelligence Application level rights	Desktop Intelligence Application is removed

How to resolve this?

We need to remove these rights in 3.x before migration so that they will not be migrated to the new version.

• Rights that are renamed in 4.x

The right “View SQL“in 3.x has been renamed to “Query Script – Enable Viewing” in 4.x.

Similarly below are some of the rights that belong to this category in my knowledge.

Rights in 3.x	Rights in 4.x
Create document	Documents – enable creation
Data Tracking: Enable for users	Data – enable data tracking
Data Tracking: Enable format display changes by users	Data – enable formatting of changed data
Edit SQL	Query script – enable editing (SQL , MDX…)
Enable Auto save for this user	Documents – enable auto save
Enable formula and variable creation	Reporting – create formulas and variables
Enable Java Report Panel	Interfaces – enable Rich Internet Application
Enable Publish and Manage Document Content for this user (did not exist)	Documents – enable publish and manage content as web service
Merge dimensions for synchronization	Reporting – enable merged dimensions
View SQL	Query script – enable viewing (SQL , MDX…)
Web Intelligence Rich Client : Save a document locally on the file system	Desktop interface – save documents locally
Web Intelligence Rich Client: Allow local data providers	Desktop Interface – enable local data providers
Web Intelligence Rich Client: Export a document	Desktop interface – export documents
Web Intelligence Rich Client: Import a document	Desktop interface – import documents
Web Intelligence Rich Client: Install from Info View	Desktop interface – install from BI launch pad
Web Intelligence Rich Client: Print a document	Desktop interface – print documents
Web Intelligence Rich Client: Remove document security	Desktop interface – remove document security
Web Intelligence Rich Client: Save a document for all users	Desktop interface – save document for all users
Web Intelligence Rich Client: Send by mail	Desktop interface – send by mail

How to overcome this?

We need to remap these rights in 4.x after migration by comparing them against 3.x rights.

• Special cases

The below rights are added in XI3 SP4 and are not included till 4.0.3.

i.    Import from BI On Demand

ii.   Export to BI On Demand

Resolution

SAP recommends not to migrate to XI 3.4 or later to BI 4.0.3.x or a previous release as some of the rights that are added in these versions are not replicated in till BI 4.0.3.x.

Hope the post was useful for those considering 4.x migration.

Thanks for reading.  Read More About  Business Objects Administration

BusinessObjects Administration – Custom Access Levels

Hi BOOglers,

Another interesting feature in business objects, Custom access level is going to be the topic of discussion for this blog. Please note the custom access levels are introduced only from Business Objects 3.0 onwards.

As you all know Access levels are groups of rights that users frequently need. They allow administrators to set common security levels quickly and uniformly rather than individual rights to be set one by one. Business Objects comes with several predefined access levels. Beginning with View and ending with Full Control, each access level builds upon the rights granted by the previous level. We can also create and customize your own access levels. This will greatly reduce administrative and maintenance costs associated with security.

Predefined Access Levels

Below four are list of predefined access levels and associated list of right(s).

Access level	Description	Rights involved
View	If set on the folder level, a principal can view the folder, objects within the folder, and each object’s generated instances.		View objects View document instances
Schedule	A principal can generate instances by scheduling an object to run against a specified data source once or on a recurring basis. The principal can view, delete, and pause the scheduling of instances that they own.		View access level rights, plus: Schedule the document to run Print the report’s data Edit objects that the user owns
View On Demand	A principal can refresh data on demand against a data source.		Schedule access level rights, plus: Refresh the report’s data
Full Control	A principal has full administrative Control of the object.		All available rights

* Principle refer to User group or User

Access levels in CMC

Advanced rights

Icon	Rights option	Description
	Granted	The right is granted to a principal.
	Denied	The right is denied to a principal.
	Not Specified	The right is unspecified for a principal. By default, rights set to Not Specified are denied.
	Apply to Object	The right applies to the object. This option becomes available when you click Granted or Denied.
	Apply to Sub Object	The right applies to sub-objects. This option becomes available when you click Granted or Denied.

Custom Access Levels

Consider a situation in which an administrator must manage two groups, Marketing managers and Marketing employees. Both groups need to access ten reports in the Business Objects Enterprise system, but Marketing managers require more rights than marketing employees. The predefined access levels do not meet the needs of either group. Instead of adding groups to each report as principals and modifying their rights in ten different places, the administrator can create two new access levels, Marketing Managers and Marketing Employees. The administrator then adds both groups as principals to the reports and assigns the groups their respective access levels. When rights need to be modified, the administrator can modify the access levels. Because the access levels apply to both groups across all ten reports, the rights those groups have to the reports are automatically updated.

We can create a new custom access level either start from the scratch or copy the existing access levels. We can also add/remove set of rights from existing custom access level from the existing custom access level.

Right Click on the Custom Access level and Select Included Rights.

And you will get the screen like below. Select the appropriate rights as per the requirement,

Then click OK to complete.

Finally you can assign the Custom Access level against each User group/User on a particular folder.

Administrator will get the best benefits out of this because they will get-rid of the traditional rights assignment using Advanced rights option. Also It is easy to manage the rights when they are grouped together.

Feel free to leave your comments. Thanks for reading! 

Read More About  Business Objects Administration

Business Objects Administration – Backup and Recovery

Hello BOOglers,

Backup and Recovery in Business Objects is going be the topic of discussion today.

A backup and recovery plan consists of making copies of data which may be used to restore the original content in the event of data loss. The plan aims to minimize the disaster effects on the daily operations so that the environment can resume critical business functions quickly.

As part of a BOE disaster recovery plan, an implementation of redundant servers in a backup system, which mirrors the primary system, can also be included. If the primary system goes down, still the disaster recovery system is available.

Backup process in Business Objects

We can always go with either Cold backup or hot backup based on the scenario.

Cold backup	Hot backup
Needs downtime as CMS, FRS will be stopped	No downtime of the system
assures accurate system snapshot, since no transactions can occur during the backup	Can’t be assured as accurate because users may still accessing the system.
Suitable for complete system backup	Suitable for partial backup

What to backup?

It is always recommended to back up BusinessObjects system on a daily basis for all the below components unless otherwise they are modified.

• CMS tables and Audit tables
• File Repository Server
• Database Connections
• Custom applications (java/.Net code)

What to consider?

• How often the backup needs to be taken on BO content?
• How much time is taking to complete the backup process?
• How long the downtime of the system if it is the cold backup?

Things to be ready before backup process

• Ensure that there are no scheduled reports/Federation jobs running during the backup process time window.
• Users must be communicated regarding the backup process so that they can plan their report schedules, etc.
• For hot backup it is always suggested to run the Repository Diagnostic Tool to make sure the CMS and FRS are in sync.

Recovery process in Business Objects

Regardless of whether a cold or hot backup, recovery process should be simple and clear-cut. The high level sequence of steps to be followed for recovery process as specified below.

• Stop all Business Objects services.
• Restore the backup of the CMS and Audit database.
• Configure the all the ODBC sources to point to the restored database and report source.
• Restore the Input and Output File Repositories (FRS)
• Start all Business Objects services.

If you are planning for a partial recovery you need to import the content to be restored from a BIAR file using Import wizard.

Thanks for reading!  Read More about  Business Objects Administration

Business Objects Content Management planning

Hi BOOglers,

Let us resume with Administration track once again with Content management planning in Business Objects. Hope this is going to be more interesting and helpful for the Administrators to start up with.

Content management plan is a collection of procedures used to manage Business objects work flow in a collaborative and manageable environment. This ensures who needs access to what. While planning for Business Objects enterprise system appropriate content management planning is an important factor. Because of lack of expertise and time we always end up with BOE environment which is not structured properly, as a result BOE environment will become more difficult to manage and maintain.

Below are simple measures to consider in order plan for our BI content.

• Easy to understand the hierarchy and secure implementation
• Ensure users only accessing documents which they interested and authorized to.
• Efficient structure so users are able to search the info they need easily
• Easy access to information in the system will increase effectiveness of using the system.

Points to be consider for the Content management Planning

1. Creating a folder structure and organizing objects

As a first and foremost step we need to segregate the BI content according to users who is going to consume the information. This will enable us to decide the folder hierarchy of the system.

For example, for set of reports to Marketing department, we will manage them in the Marketing parent folder. Then we have a subfolder called Marketing- Americas or Marketing-Asia Pacific where reports can further be separated.

2. Organize users by creating a Group/User structure

Now we need to organize user group structure that will allow access to BI content. This will be similar to the folder structure, in our example we will be having a Marketing group each further categorized basd on the region.

3. Set access levels for folders and objects

Next we need to establish the security access levels for folders and objects contained in our group/user structure. This is extremely critical as we may risk in setting inappropriate security access levels for our users. Determining the needs of our users will help us establish who needs access to what folders and objects within the system. For example only users of the Marketinggroup can access the Marketing folder based on their functional roles.

Custom access levels created for each functional user group is depicted as below.

And finally this is how security is applied on Folder at Group level.

4. Creating corporate categories and assigning objects

The advantage of categories is that it will help the uses to search and access the reports that are appropriate to them. This can be configured according to uses requirement.

For example, the Marketing department user search for reports that are specific to vendor evaluation,

Even if the vendor related reports managed across different folders, we can create a separate category called Vendor management and group the corresponding reports in the Vendor management category. As a result the user not necessarily needs to go to every folder and search for the required report. They can simply access the category with which they authorized to access with.

In the below screen though the reports Marketing Dashboard and Sales Dashboard physically exist in Marketing and Sales folders respectively, still they can be accessed from Vendor  Management category.

The above are the initial steps that we can take to create a planned content management system with which we can end up with success.

I look forward to your inputs and feedback. Thanks for reading!

Read More  Business Objects Administration