
Securing Business Objects Content – Folder Level, Top Level and Application Security

2013-09-05 17:49

Applies to:

Business Objects Enterprise XI 3.0 / 3.1. For more information, visit the SAP Business Objects Solutions Homepage (http://www.sdn.sap.com/irj/sdn/sbo-solutions).

Summary

Unlike SAP systems, Business Objects Enterprise XI 3.0/3.1 does not use Roles, Profiles and Authorization objects. Security in Business Objects differs from SAP and consists of folder-level security, application security, object-level security and inheritance concepts. This document begins with a simple example of how to create users and user groups, and ends with creating access levels and basic troubleshooting techniques using the Security Query.

Author(s): Shikha Baxi, Dhiraj Wamanacharya & Milind Desai

Company: IBM India Pvt. Ltd

Created on: 18th May 2011

Author Bio

Shikha Baxi, Dhiraj Wamanacharya & Milind Desai work at IBM and have more than 3.5 years of experience in SAP Administration and Security, and have worked extensively on Business Objects implementation and upgrade.

User and User Group Creation:

Users in Business Objects are of various types, and a user can log in to Business Objects (CMC or InfoView) using the authentication type with which it was created. The authentication types are:

1. Enterprise
2. LDAP
3. Windows AD
4. SAP

This document covers Enterprise and SAP user administration from the above list.

Creating an Enterprise User:

The example below illustrates how to create an Enterprise user in Business Objects.

Log in to CMC -> Go to Users and Groups

To create a new User click on [icon] and for User group creation click on [icon]

OR

Click Manage:

Select the Authentication Type on the next screen and fill in the required fields.

1) Authentication Type as Enterprise:

2) Authentication Type as SAP:

When the Authentication Type is SAP (secSAPR3), you only need to maintain the Account Name as

<SAP SID>~<Client No.>/<SAP User ID>

The user will log in to Business Objects using their SAP login credentials.

Connection Type:

Concurrent: This user belongs to a license agreement that states the number of users allowed to be connected at one time.

Named: This user belongs to a license agreement that associates a specific user with a license. Named user licenses are useful for people who require access to Business Objects Enterprise regardless of the number of other people who are currently connected.

Click Create & Close

“Administrator” is the default user that comes with the Business Objects installation.

User Group Creation:

A user group is a collection of users who require the same kind of authorization. Instead of assigning authorization to every new user that is created, we can create a user group, assign the requisite authorization to it, and later simply assign the user to that user group.

Click Create User group:

Name the User Group:

To add a user to the group click (Add member to user group)

You can add a newly created or existing group to another group, and you can also assign a user to a group.

Administrators and Everyone are the default groups that come with the Business Objects installation.

Importing Roles from the backend SAP system:

Let us continue with how to import roles, which in turn imports users, from a backend SAP system to the Business Objects system.

Log in to the CMC, click Authentication -> SAP

Click the Options tab, check the field Automatic import User and click Update

Since your Business Objects system is connected to a backend SAP system, you can see a list of roles in the left pane which belong to the SAP system. You can now import the roles from the backend SAP system to the Business Objects system: select the role in the left pane, click [icon] to import the roles, then click Update:

When a role is imported, all the users assigned to that role in your backend SAP system also get imported into the Business Objects system.

Here, PBW is our SAP system ID, while 100 is the client number from where the users arrive, hence the naming convention: PBW~100/

If a user should be created in Business Objects automatically whenever a user is assigned in the backend to a role that is already imported in Business Objects, you should also check Force Synchronization under the Options tab and click Update:

Now when a user gets assigned to a role in the backend, you only need to click the Update button under the Role Import tab and the user will be created in the Business Objects system. The next section describes how to automate this activity as well.

Schedule a SAP Authentication Role / Group update in Business Objects XI 3.1 using a Java program object:

To schedule (automate) the updating of SAP users in the Business Objects system, follow the steps below:

1. Download the SAPUpdate.jar file from SAP Note 1406037
2. Unzip the file
3. Log in to the Business Objects CMC -> Folders -> Manage -> New -> folder called Objects
4. Select the folder "Objects" and click on Manage | Add | Program File
5. Choose Java as the Program Type and add SAPUpdate.jar
6. Right-click on SAPUpdate within your Objects folder and choose Properties | Default Settings | Program Parameters

Specify as "Class to run:" sapupdate.Main

Use "Run Now" and schedule the Program Object.

Set the Recurrence for this program as desired.

Under the Authentication tab -> Options, check the fields Automatic import User and Force User Synchronization

Go to the Authentication tab -> Select Role and Import, click Update.

Now the SAP user will be imported every time it is created in the SAP system and assigned a role that is already imported in the Business Objects CMC. As such, there is no need to create a user in the Business Objects CMC every time a new user is created in the SAP system.

Note: This assumes that every user created in the SAP system needs to be created in the Business Objects system. If not all users are required in the Business Objects system, the role that is imported into the Business Objects system should not be assigned to such users in the SAP backend.
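
Because an imported role creates a Business Objects account for every SAP user that holds it, it is worth reconciling the SAP-style accounts against the role holders from time to time. The following is an added example, not part of the original document or of SAP's tooling: it parses the <SAP SID>~<Client No.>/<SAP User ID> account name and compares a constructed account list with constructed role assignments; the three-character SID, three-digit client, the QBW system and all user IDs are assumptions.

```python
import re

# Account name format from the text: <SAP SID>~<Client No.>/<SAP User ID>
# Assumption: three-character SID, three-digit client, user ID up to 12 chars.
SAP_ACCOUNT = re.compile(
    r"^(?P<sid>[A-Z][A-Z0-9]{2})~(?P<client>\d{3})/(?P<user>\S{1,12})$")


def parse_sap_account(name):
    """Return (sid, client, user) for an SAP-style account name, else None."""
    m = SAP_ACCOUNT.match(name)
    return (m["sid"], m["client"], m["user"]) if m else None


def reconcile(bo_accounts, role_holders):
    """Compare Business Objects account names with SAP role assignments.

    role_holders maps (sid, client) -> set of SAP user IDs that hold at
    least one role imported into Business Objects.
    """
    report = {"non_sap": [], "unexpected_system": [],
              "no_imported_role": [], "pending_import": []}
    seen = set()
    for name in bo_accounts:
        parsed = parse_sap_account(name)
        if parsed is None:
            report["non_sap"].append(name)            # not an SAP-style name
            continue
        sid, client, user = parsed
        seen.add(parsed)
        if (sid, client) not in role_holders:
            report["unexpected_system"].append(name)  # SID/client not expected
        elif user not in role_holders[(sid, client)]:
            report["no_imported_role"].append(name)   # account without a role
    for (sid, client), users in role_holders.items():
        for user in sorted(users):
            if (sid, client, user) not in seen:       # role held, no account yet
                report["pending_import"].append(f"{sid}~{client}/{user}")
    return report


# Constructed sample data; the user IDs and the QBW system are made up.
BO_ACCOUNTS = ["Administrator", "PBW~100/JSMITH", "PBW~100/OLDUSER",
               "QBW~200/TESTER"]
ROLE_HOLDERS = {("PBW", "100"): {"JSMITH", "NEWHIRE"}}

if __name__ == "__main__":
    for finding, names in reconcile(BO_ACCOUNTS, ROLE_HOLDERS).items():
        print(f"{finding}: {names}")
```

Accounts reported under no_imported_role or unexpected_system are the ones to review against the Note above.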

Access Levels in Business Objects:

Pre-defined access levels:

There are four default access levels that come with the Business Objects installation for securing content. These levels are explained below:

1. Full Control: A principal has full administrative control of the object.
2. Schedule: A principal can generate instances by scheduling an object to run against a specified data source once or on a recurring basis.
3. View: If set on the folder level, a principal can view the folder, objects within the folder, and each object's generated instances.
4. View on Demand: A principal can refresh data on demand against a data source.
5. No Access: The user or group is not able to access the object or folder.

To see which rights are included in an access level, go to CMC -> select the Access Level, right-click -> Included Rights

Custom Access Levels:

In addition to the predefined access levels, you can create and customize your own access levels, which can greatly reduce the administrative and maintenance costs associated with security.

How to create access levels: Log in to CMC -> Select Access Levels.

Maintain Title and Description:

To include rights in an access level, select the access level, right-click -> Included Rights

Click Add/Remove Rights:

You will see four types of rights collections in the left panel, namely:

General
Content
Application
System

By default you will be taken to the “General Global rights” window. Now set your general global rights. Each right can have a status of:

Granted
Denied
Not Specified

You can also choose whether to apply these rights to the object only, to its sub-objects only, or to both.

To set type-specific rights for the access level, click the rights collection in the navigation list, and then click the subcollection that applies to the object type you want to set the rights for.

Folder level Security:

Folder-level security enables you to set access-level rights for a folder and the objects contained within that folder. While folders inherit security from the top-level folder (root folder), subfolders inherit the security of their parent folder. Rights set explicitly at the folder level override inherited rights.

To set folder level security:

1. Log in to CMC -> Select Folders
2. Right-click on the particular folder and select User Security.

Select the Principal (user / group) you wish to add:

On the same screen in the bottom right corner click:

Provide the requisite Access Level to this Principal. Here we have provided “Full Control” to the “Basis_Monitors” group.

Click Apply, and then click OK.

To view what access has been provided to the Principal, click “View Security”

Assigned Rights:

Top Level Security:

The example below shows how Top Level Security can be assigned to a principal against the Business Objects servers:

Manage the Top Level Security for Servers:

For this:

1. Log in to CMC -> Servers -> Manage
2. Select Top Level Security -> All Servers / All Server Groups.

Click OK.

Break Inheritance:

If your Principal is part of multiple groups, to avoid a “Conflict of Rights” you can uncheck:

1. Inherit From Parent Folder
2. Inherit From Parent Group

Now, provide access/advanced level security as required.

Application Level Security:

Users need access to particular Business Objects applications to perform their jobs effectively. As a Business Objects administrator you are responsible for setting appropriate application security levels according to the needs of your organization.

Application security is used to control the functionality that users and groups have access to in the Business Objects Enterprise applications. The Manage area of the CMC allows you to control access for the following Business Objects Enterprise applications:

Manage CMC User Security:

To manage CMC security:

Log on to CMC -> Click Applications -> Select CMC

Now right-click and select User Security.

Click Add Principals:

Select the principal for which you want to assign security.

On the same screen in the bottom right corner click:

Now assign the security as required:

Now click “View Security” on the next screen to check what access has been provided to the “test” user:

Similarly, you can manage security and access for the rest of the applications.

Advance Rights:

You may sometimes need to override certain granular rights in an access level. Advanced rights let you customize the rights for a principal on top of the access levels the principal already has.

There are three types of rights status, as explained earlier:

Granted
Denied
Not Specified

Exception:

• In general, the rights that are set on child objects override the rights that are set on parent objects.
• In general, the rights that are set on subgroups or members of groups override the rights that are set on groups.

If a user belongs to more than one group, and there is a conflict in rights assignments between the groups to which the user belongs, the Denied (D) right wins over a Granted (G) right, and the Granted (G) right wins over a Not Specified right.

Case Study I: (Advanced Rights)

We will explain how advanced rights are used through this case study.

Consider an example where your user needs the following access:

i) Must have no access to any folder or report
ii) Needs access to schedule a report (Material Plant)
iii) Needs to view, pause and resume its scheduled instances
iv) Must be restricted from deleting an instance and viewing a report.

We proceed as below:

1. Maintain No Access at root level security at Folders:

2. Select the Material Plant report and click User Security

Break inheritance and click Advanced tab -> Add/Remove Rights

Once done, you can view the General global rights. Now maintain the rights by clicking the radio buttons for Granted, Denied or Not Specified.

Select the Grant radio button to provide access to schedule a report and to view, pause and resume its scheduled instances.

Select the Deny radio button to deny access to any folder or report, and to view or delete a report.

Rights are divided into the following collections based on the object types they apply to:

You can also allow the rights to be applied to a sub-object by checking the Object and Sub Object check boxes next to the Rights column.

The Object and Sub Object check boxes are enabled only after you click the Grant or Deny radio button. You can then maintain the scope of rights.

If you want to apply a right only to a folder and not to its subfolders, uncheck the Sub Object check box.

Security Query:

Because a security system as complicated as Business Objects Enterprise XI 3.1 is inherently complex, system administrators sometimes find it difficult to pinpoint where a particular user right is inherited from. Security queries let you determine which objects a principal has certain rights to and enable you to manage user rights.

In the earlier part of our case studies we created a group called “Basis_Monitors”. In this exercise we will find out what access Basis_Monitors has on Servers using the Security Query. For this:

Log on to CMC -> Select Query Results

Now select Security Queries -> Right-click -> Create Security Query.

Provide the required inputs, such as:

i) Principal (Basis_Monitors).
ii) Check/uncheck Query Permission as per the requirement.
iii) Select the Query Context (Servers)

After selecting the required parameters click OK.

The next screen shows what access the principal has on the query context.

You can also click on the Source column to view where the Principal is obtaining its access from:

If the source is shown along with (Inherited), the access comes either from the parent group or from the parent folder.
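
The precedence rules from the Advance Rights section, the effect of breaking folder inheritance in Case Study I, and the explicit-versus-inherited source reported by a Security Query can be modelled together. This is an added example, not code from the original document or from Business Objects: it is a simplified model that checks the object before its parent folders and the principal before its groups, and the folder "Reports", the group "Report_Users" and the right names are hypothetical.

```python
# Simplified model of the precedence rules above; not the CMS's own algorithm.
G, D, NS = "Granted", "Denied", "Not Specified"

# Constructed sample data. "Reports" and "Report_Users" are hypothetical names.
PARENT_OBJECT = {"Material Plant": "Reports", "Reports": "Root", "Root": None}
PARENT_GROUPS = {
    "test": ["Basis_Monitors", "Report_Users"],
    "Basis_Monitors": ["Everyone"],
    "Report_Users": ["Everyone"],
    "Everyone": [],
}
ACL = {  # (object, principal) -> {right: status}; right names are labels only
    ("Root", "Everyone"): {"schedule": D},
    ("Reports", "Basis_Monitors"): {"view": G},
    ("Reports", "Report_Users"): {"view": D},
    ("Material Plant", "test"): {"schedule": G, "delete_instance": D},
}
NO_FOLDER_INHERITANCE = set()  # objects with "Inherit From Parent Folder" unchecked


def explicit(obj, principal, right):
    """Status set directly for this principal on this object."""
    return ACL.get((obj, principal), {}).get(right, NS)


def resolve_on_object(obj, principal, right):
    """Check the principal, then its groups level by level. The nearest level
    that specifies the right wins; within a level Denied beats Granted."""
    level, seen = [principal], set()
    while level:
        found = {p: explicit(obj, p, right) for p in level}
        for status in (D, G):
            winners = sorted(p for p, s in found.items() if s == status)
            if winners:
                return status, winners
        seen.update(level)
        level = sorted({g for p in level for g in PARENT_GROUPS.get(p, [])} - seen)
    return NS, []


def effective_right(principal, obj, right):
    """Return (status, source), similar in spirit to a Security Query row."""
    current = obj
    while current is not None:
        status, winners = resolve_on_object(current, principal, right)
        if status != NS:
            direct = current == obj and winners == [principal]
            kind = "explicit" if direct else "inherited"
            return status, f"{current} / {', '.join(winners)} ({kind})"
        if current in NO_FOLDER_INHERITANCE:
            break  # inheritance broken: do not look at parent folders
        current = PARENT_OBJECT[current]
    return NS, "no setting found"
```

With the sample data, the "test" user's explicit grant on Material Plant overrides the Denied that Everyone has at the root, while "view" is Denied through Report_Users on the parent folder until folder inheritance is broken on the report.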

Related Content:

1. http://help.sap.com/businessobjects/
2. http://www.sdn.sap.com/irj/sdn/sbo-solutions
3. http://www.sap.com/services/education/catalog/businessobjectstraining/businessintelligence

For more information, visit https://www.sdn.sap.com/irj/sdn/nw-bi

Copyright

© Copyright 2010 SAP AG. All rights reserved.
