The security model we're implementing here is an example of the Type III model that is described in this article on different security model patterns.

We start by creating a baseline security model that involves locking down the Everyone group and creating three functional groups. Next we create the group and folder structure for a typical BI application. If you are unfamiliar with the concept of developing BI applications then the article Developing BI Applications provides a good overview.

Intended Audience

Readers of this article should be familiar with the Central Management Console (CMC); further information on the CMC can be found in chapter 17 "Working with the Central Management Console" of the SAP BOE Administrator's Guide.

Baseline Security Model

Lock Down the Everyone Group

First we need to make some changes to the Everyone group. When BOE is first installed the Everyone group is a bit too generous with the rights it grants members, so we should reduce the permissions it grants to a suitable minimum.

For a simple set of requirements we want users who are only a member of the Everyone group to be able to,

  • Log on to InfoView
  • View the top level public folder and view any agnostic document within that folder
  • Not be able to create or upload any new documents
  • Not be able to log on to any application other than InfoView

The reason for allowing access to the root public folder is so that any user in the Everyone group can read any “getting started” type documents that we create and put in this folder. Examples of these documents include information on contacting support, how to request access to different applications, etc.

Access to Root Public Folder

By default the Everyone group does not have access to the root folder. However, when we grant view rights to the root folder the user will end up seeing all subfolders including "Administration Tools", "Auditor" etc., so we then need to update these folders and explicitly deny the Everyone group from viewing these admin folders.

To update the Everyone group,

  1. Log on to the CMC and navigate to Folders
  2. Select the All Folders node and from the Manage menu select Top Level Security, All Folders. Click OK to the warning message
  3. Select the Everyone group and then click Assign Security
  4. Enable the two inheritance modes by checking both check boxes and click Apply
  5. Select View Access Level and click the > button. Your screen should look similar to the screenshot below
  6. Click OK and click Close to return to the main display.

That's all we need to do to allow the Everyone group access to public folders. We now need to deny access to each of the top level administration folders "Administration Tools", "Auditor" etc.

  1. From within the Folders view expand the All Folders node
  2. Select the Administration Tools folder and click the Manage User Security icon or select User Security from the Manage menu.
  3. Select the Everyone group and click the Assign Security button
  4. Uncheck the inheritance option "Inherit From Parent Folder" and click OK
  5. Click OK to the warning message
  6. Click OK in the Assign Security dialog and close the User Security dialog.

Repeat for the remaining administration folder, "Auditor". You may also wish to hide the "Feature Samples" and "Report Samples" folders in the same manner. Alternatively, these sample folders can be safely exported to a BIAR file and then deleted if they are not required on a production server.

Denying Access to CMC

The Everyone group by default also has logon access to the CMC. Once logged on there is very little such a user can do, but it may be preferable to deny access to all users other than Administrators.

To prevent the Everyone group from accessing the CMC,

  1. Log on to the CMC as Administrator and navigate to Applications
  2. Select CMC from the list
  3. Click the Manage User Security icon
  4. Select the Everyone group and click Assign Security
  5. Click the Remove Access button and click OK
  6. Click OK to the warning message. The Everyone group should now be listed as having No Access.
  7. Click Close to close the dialog

We can test by logging in to the CMC with a user that is not an Administrator. Unfortunately, when logging in as a user who does not have permission we don't get a friendly "you don't have permission" error as expected; instead we just get a blank screen.

Reduce Web Intelligence Application Functionality to the Everyone group

The Everyone group has View access to Web Intelligence. This is not necessarily a concern as any user who is only a member of the Everyone group should not have access to any folder containing a Web Intelligence document or be able to create a new document.

This access is still too high, however, as we intend to control functional access by assigning users to appropriate functional access groups. Therefore we should remove all access to Web Intelligence for the Everyone group.

  1. Log on to the CMC as Administrator and navigate to Applications
  2. Select Web Intelligence from the list
  3. Click the Manage User Security icon
  4. Select Everyone from the list of principals (by default it should be set to View access) and click Assign Security.
  5. Click the Remove Access button and click OK
  6. Click OK to the warning message.
  7. Everyone should now be listed as having No Access

Managing Connections

Security also applies to the connections used by a Universe, and the easiest way to manage connections is to grant the Everyone group permission to use all the connections. This may seem a little extreme as it grants overly broad access, but universe connections can only be used by an end user via a Universe. This means that so long as we control access to the universes we don't need to worry about the connections.

Universe designers on the other hand can work with connections directly and there may be a situation where we want to restrict a universe designer's access to a connection, for example, if the underlying database contains sensitive data.

Here we will enable access to all connections. To grant the Everyone group access to a connection,

  1. Log on to the CMC as Administrator and navigate to Connections
  2. Select each connection in turn and click the Manage User Security icon
  3. Select the Everyone group and click Assign Security
  4. Click the Advanced tab and then click the Add/Remove Rights button

This screen allows us to assign or deny individual rights (see the example screenshot below). On the left hand side we see a set of nodes that contain categories; selecting a category updates the right hand display. The right hand panel lists all the rights available in the category and you can set access as either "granted", "denied" or "not specified".

Descriptions of all of these rights across all areas are detailed in the BOE XI 3.1 Administrator's Guide in the section "Rights Appendix".

  5. Under the General node grant the View Objects right
  6. Click the connection node under System and grant the Data Access right
  7. Click OK to save these changes
  8. Click OK to close the Assign Security dialog

That's all we need to do to reduce access rights for the Everyone group. If you are using any other application such as Performance Manager or Desktop Intelligence then you'll also need to reduce some access rights for those. The next section looks at creating the baseline functional access groups.

Create Functional Access Groups

In this example we are creating three user groups that will control what functionality a user has when working with SAP BusinessObjects Enterprise. These functional access groups will work across the BI applications we deploy to the system, that is, a user who is in the "Advanced" group will be an advanced user in all applications that they have access to.

Note, it is possible to create functional access groups that only work within an application and so you can have a user who is Advanced for one application but only an Intermediate user in another application.

When first deployed BOE comes with prebuilt functional groups: Administrators, Universe Designers, QaaWS Group Designers and Report Conversion Tool Users. Membership of these groups grants a user different functionality; for example, a user in the Administrators group has full access to the system, while membership of Universe Designers allows a user to create and edit universes.

We will create further functional groups that allow a user different functional access to Web Intelligence. These are:

  • Standard Users. Users can view and refresh Web Intelligence documents and Crystal Reports
  • Intermediate Users. Members of this group have the same rights as Standard Users but can also create new Web Intelligence documents on the universes they have access to. They cannot save new documents to the public folders but can save to their private folders
  • Advanced Users. Members have the same rights as Intermediate Users but can also save to public folders (but are only allowed to edit or delete documents they have created)

These groups are created in a hierarchy:
  Everyone > Standard > Intermediate > Advanced

Create Functional User Groups

By default all new users will reside in the Everyone group. This grants the user permission to log on but very little else. The Standard Users group allows users to view and refresh existing documents. Note, document access is controlled by the application groups.

To create the Standard User group,

  1. Log on to the CMC as Administrator and navigate to Users and Groups
  2. Select Everyone group and click Create New Group icon
  3. Provide a Group Name "Standard Users" and a meaningful description that describes what functionality members of this group are entitled to - "All members of this group have the right to view and refresh reports that they have been granted access to."
  4. Expand the Everyone group by clicking on the plus sign next to Everyone and select the newly created Standard Users group
  5. Click the Create New Group icon again and enter a group name and description for the Intermediate Users group
  6. Expand the Standard Users group, select Intermediate Users and once more click the Create New Group Icon
  7. Enter a group name and description for Advanced Users
  8. Click OK once done and return to main screen

Assign Rights for Functional Groups

Now that we have created these groups we need to implement their security. First we'll set functional access permissions for the Web Intelligence application.

  1. Log on to the CMC as Administrator and navigate to Applications
  2. Select Web Intelligence from the list and click the Manage User Security icon
  3. Click Add Principals and add the Standard Users group we created above.
  4. Click the Add and Assign Security button.
    Note, although we can use this screen to add all three principals at once, we need to do them in turn. This is because when we click Add and Assign Security we are taken to a screen that forces us to assign the same security settings to all the groups selected, but ours need different security settings.
  5. Uncheck the inheritance permission "Inherit from Parent Folder" - this forces inheritance to be purely group based - and click Apply
  6. Click the Advanced tab and then click the Add/Remove Rights button
  7. Under the General section grant the right "Log on to Web Intelligence and view this object in the CMC" and click Apply. This essentially allows users to use the Web Intelligence application in InfoView.
  8. Expand the Application node in the left hand menu and select Web Intelligence.
    There are quite a few functional rights for Web Intelligence and depending on your exact requirements you can enable those required. In this worked example we will grant the following rights to Standard Users,
    Data Tracking: Enable for users
    Data Tracking: Enable format display changes by users
    Enable drill mode
    Enable HTML Report Panel
    Interactive: Left pane - Enable data summary  
    Interactive: Left pane - Enable document structure and filters  
    Interactive: Left pane - Enable document summary
  9. Click Apply and click OK to close the dialog
    You will notice that some functionality is not listed here, for example, the ability to send a document by email or download to PDF. This functionality is controlled at the folder level and so we need to control these permissions from there.
    At this stage we can complete the functional permissions for the remaining two groups.
  10. Click Add Principal and select the Intermediate Users group
  11. Click the Add and Assign Security button.
  12. Uncheck the inheritance permission "Inherit from Parent Folder" and click Apply
  13. Click the Advanced tab and then click the Add/Remove Rights button
    When viewing the rights we should see that this group has automatically inherited the rights of the Standard Users group, so here we just need to add additional rights for the group.
  14. Expand Application node in left hand menu and select Web Intelligence.
  15. Update the following rights to granted,
    Create Document
    Enable Autosave for this user
    Enable formula and variable creation
    Enable interactive HTML viewing (if license permits)
    Enable Java Report Panel
    Enable Query - HTML
    Extend scope of analysis
    Interactive: Formatting - Enable toolbar and menus
    Interactive: General - Ability to hide / show toolbars
    Interactive: General - Edit 'My Preferences'
    Interactive: General - Enable right click menu
    Interactive: Left pane - Enable available objects, tables and charts
    Interactive: Reporting - Apply and remove existing alerters
    Interactive: Reporting - Create and edit break
    Interactive: Reporting - Create and edit predefined calculation
    Interactive: Reporting - Create and edit report filter
    Interactive: Reporting - Create and edit sort
    Interactive: Reporting - Insert and remove report, table, chart and cell
    Merge dimensions for synchronization
    Web Intelligence Rich Client: Save a document locally on the file system
    Web Intelligence Rich Client: Allow local data providers
    Web Intelligence Rich Client: Create a document
    Web Intelligence Rich Client: Enable a client to use it
    Web Intelligence Rich Client: Export a document
    Web Intelligence Rich Client: Import a document
    Web Intelligence Rich Client: Install from InfoView
    Web Intelligence Rich Client: Print a document
    Web Intelligence Rich Client: Save a document for all users
  16. Click OK to save these changes
  17. Click OK to close the Assign Security dialog
  18. Click Add Principals and select Advanced Users.
  19. Click Add and Assign Security
  20. Uncheck the inheritance permission "Inherit from Parent Folder" and click OK
  21. Click Close to close the Security dialog

Advanced Users have the same functional access as Intermediate Users; the difference is the ability to save to public folders, which is set in the following section.

Define Functional Access for Public Folders

We define default permissions at the top level folders for the functional groups, and these will inherit down to the application folders that a user has access to.

  1. Log on to the CMC as Administrator and navigate to Folders
  2. From the Manage menu select Top Level Security, All Folders.
  3. Click OK to the warning message
  4. Click Add Principals, select Standard Users and click Add and Assign Security.
  5. Click the Advanced tab and click Add/Remove Rights.
      For Standard Users we want to enable minimum rights including the ability to refresh documents.
  6. No changes are required to the General section, so expand the Content node in the left hand menu and select Crystal Reports.
  7. Update the following rights to granted and click Apply
          Download files associated with the report
          Export the report's data
          Print the report's data
          Refresh the report's data
  8. Select the Note node and grant permission to allow discussion threads.
  9. Click Apply
  10. Select the Web Intelligence node and grant the following rights. Click Apply once done
          Download files associated with the object
          Export the report's data
          Refresh List of Values
          Refresh the report's data
          Save as CSV
          Save as Excel
          Save as PDF
          Use Lists of Values
          Note, the two rights we are not allowing are Edit Query and View SQL.
  11. Click OK and then OK again to return to the User Security dialog.
          Intermediate Users have the same permissions at folder level as Standard Users, but we also allow the user to copy a document to their local folder and to edit queries in a report.
  12. Click Add Principals, select Intermediate Users and click Add and Assign Security.
  13. Click the Advanced tab and click Add/Remove Rights.
  14. In the General section update the right "Copy objects to another folder" to granted. Click Apply
  15. Expand Content, select Web Intelligence Report and set the Edit Query right to granted.
      Note, since the Intermediate group inherits from Standard Users, we see that some rights are already granted. See the screenshot below
  16. Click OK

Our requirement for Advanced Users is to allow those users to save new documents to the public folder for the applications that they have access to.

If we grant this permission at root level then an Advanced user can save a document to the root level, which is not what we want. So we need to set the Advanced Users permissions at the BI application folder level.

To simplify this and to ensure that we apply same settings to all application folders we define a custom access level that we can then set for the Advanced User at the application folder.

Create Custom Access Level for Advanced Users

To create a custom access level,

  1. Log on to the CMC as Administrator and navigate to Access Levels
  2. Click the icon to Create a New Access Level
  3. Enter a name "Advanced User Folder Rights" and a suitable description "Applies advanced user functional rights to a folder" and click OK
  4. Select the newly created access level in the list and from the Action menu select Included Rights
  5. Click the Add/Remove Rights button
  6. We only need to update the rights under the General node, and we set the following rights to granted,
      Add objects to the folder
      Copy objects to another folder
      Delete objects that the user owns
      Edit objects that the user owns
      Note, the edit and delete rights only apply to objects that the user owns, i.e. objects (documents) that the user has saved to the folder themselves.
  7. Click OK to save these changes; the result should match the screenshot below,
  8. Click Close to close this window

We can now apply this access level to each BI application's folder. This is done in the activities below.

Create the BI Application Security Model

Overview

Here we look in detail at how to set up security to define a BI application in SAP BOE.

The BI application requires the creation of 3 security areas,

  • a user group that defines which users have access to the application
  • a public folder in which application documents can be shared
  • a universe folder that controls access to the universes of the application

Below are the steps required to create these items and set up their security.

In this example we will create a user group called "Financial Analysis Users", a public folder called "Financial Analysis" and a universe folder called "Financial Analysis Universes".

Create the BI Application's User Group

All members of this group will have access to the BI application, that is, they will have access to the BI Application's public folder and universes.

To create the user group,

  1. Log on to the CMC as Administrator and navigate to Users and Groups
  2. Make sure Group Hierarchy is selected and click the Create New Group icon
  3. Enter a group name "Financial Analysis" and provide a description and click OK
      The name should reflect the application name, and the description should indicate what the group enables the users to do: "Members of this group have access to the Financial Analysis BI application"
  4. Click OK to close the dialog and return to the original screen.

Create the BI Application Report Folder

Having created the user group we now create the BI application's top level public folder for the reports. Once the folder is created we only allow the application's user group access to the contents of the folder. Finally we apply the Advanced User custom access level for the Advanced Users functional group.

To create the folder,

  1. In the CMC select Folders from the navigation menu
  2. Select All Folders in the left hand menu
  3. Click the new folder icon or select Manage, New, Folder
  4. Enter a name for the folder "Financial Analysis"
  5. Select the newly created folder from the left hand menu and select Manage, Properties
  6. Provide a suitable description that describes the BI application in general: "The Financial Analysis application allows reporting and analysis of budgeting and forecasting financial information."
  7. Click Save (not Save & Close) and from the left hand menu select User Security.
  8. Select the Everyone group and click the Assign Security button
  9. Uncheck the inheritance option Inherit From Parent Folder and click OK
  10. Click Add Principal
  11. From the next screen select the Groups radio button and select the group we created above: "Financial Analysis Users".
  12. Click the > button to move the group to the right hand list. Click Apply
  13. Click the Add and Assign Security button
          Here we want all members of this group to be able to view this folder and its contents. What they can then do with this folder is controlled by membership of the functional groups.
  14. Check the inheritance option Inherit From Parent Folder and click Apply.
  15. Select View from the Available Access Levels and click the > button to assign the access level and click Apply
  16. Click OK
          Finally we must also apply the Advanced Users functional access rights to this folder.
  17. Select the Advanced Users group and click Assign Security
  18. Select the custom access level we created earlier, Advanced User Folder Rights, and click the > button to add it to the Assigned Access Level list.
  19. Click OK to apply the setting. We should now have a set of groups with different access to this folder.
  20. Click OK to close the dialog.
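The steps above rely on three mechanisms that are easy to get wrong when clicking through the CMC: rights flow down the folder tree unless "Inherit From Parent Folder" is unchecked for a principal, rights flow from a parent group to its subgroups (Everyone > Standard Users > Intermediate Users > Advanced Users), and an explicit deny beats any grant. The following Python model is an added example written for this article, not SAP code or an SDK call; its folder tree and principal names are constructed from the procedures above, group inheritance is assumed to be always on, and the resolution rules are a simplification of the product's actual rights engine. It resolves the effective right of a user (given by group memberships) on a folder and builds the kind of access matrix the Conclusion asks you to document.

```python
"""Simplified model of SAP BusinessObjects Enterprise rights resolution on folders.

Added illustration for this article, not product code. Assumptions:
- a right is set per principal per object to granted or denied; anything else is
  "not specified";
- "Inherit From Parent Folder" is tracked per principal per folder; when unchecked,
  settings made higher in the folder tree are ignored for that principal there;
- group inheritance is always on, so a user holds the rights of every ancestor of
  the groups they belong to;
- any explicit deny wins over grants; with no grant at all the result is
  "not specified", which the system treats as no access.
"""
from dataclasses import dataclass, field
from typing import Optional

GRANTED, DENIED, UNSPECIFIED = "granted", "denied", "not specified"

# child group -> parent group (functional hierarchy from the article; application
# groups such as "Financial Analysis Users" sit directly under Everyone)
GROUP_PARENT = {
    "Standard Users": "Everyone",
    "Intermediate Users": "Standard Users",
    "Advanced Users": "Intermediate Users",
    "Financial Analysis Users": "Everyone",
}


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    # principal -> {right name: GRANTED | DENIED}; a missing right is not specified
    rights: dict = field(default_factory=dict)
    # principals whose "Inherit From Parent Folder" box is unchecked on this folder
    no_parent_inheritance: set = field(default_factory=set)


def expand_groups(groups):
    """Return the given groups plus all their ancestors (group inheritance)."""
    seen = set()
    for g in groups:
        while g is not None and g not in seen:
            seen.add(g)
            g = GROUP_PARENT.get(g)
    return seen


def effective_right(user_groups, folder, right):
    """Resolve one right for a user (identified by group memberships) on a folder."""
    verdicts = []
    for principal in expand_groups(user_groups):
        node = folder
        while node is not None:
            setting = node.rights.get(principal, {}).get(right)
            if setting is not None:
                verdicts.append(setting)
            # stop walking up when inheritance from the parent folder is switched off
            if principal in node.no_parent_inheritance:
                break
            node = node.parent
    if DENIED in verdicts:
        return DENIED
    if GRANTED in verdicts:
        return GRANTED
    return UNSPECIFIED


def build_model():
    """Constructed folder tree following the article's baseline and application setup."""
    root = Folder("All Folders")
    # Top Level Security: Everyone may view the root public folder
    root.rights["Everyone"] = {"View objects": GRANTED}
    # Standard Users get refresh at top level; it inherits down to application folders
    root.rights["Standard Users"] = {"Refresh the report's data": GRANTED}

    admin = Folder("Administration Tools", root)
    # the article's explicit-deny variant for hiding admin folders from Everyone
    admin.rights["Everyone"] = {"View objects": DENIED}

    fin = Folder("Financial Analysis", root)
    # inheritance from parent unchecked for Everyone, so the root View grant stops here
    fin.no_parent_inheritance.add("Everyone")
    fin.rights["Financial Analysis Users"] = {"View objects": GRANTED}
    # custom access level "Advanced User Folder Rights" applied on the application folder only
    fin.rights["Advanced Users"] = {"Add objects to the folder": GRANTED}
    return {"root": root, "admin": admin, "fin": fin}


def access_matrix(users, folders, rights):
    """Effective rights per user per folder, as documentation of the security model."""
    return {
        user: {f.name: {r: effective_right(groups, f, r) for r in rights} for f in folders}
        for user, groups in users.items()
    }


if __name__ == "__main__":
    model = build_model()
    users = {  # constructed sample users, named by their group memberships
        "everyone_only": {"Everyone"},
        "analyst": {"Standard Users", "Financial Analysis Users"},
        "power_user": {"Advanced Users", "Financial Analysis Users"},
    }
    rights = ["View objects", "Refresh the report's data", "Add objects to the folder"]
    for user, per_folder in access_matrix(users, model.values(), rights).items():
        for folder, result in per_folder.items():
            print(f"{user:14} {folder:22} " + "  ".join(f"{r}={v}" for r, v in result.items()))
```

Running the block shows the behaviour the procedures aim for: a user who is only in Everyone can view All Folders but nothing under Administration Tools or Financial Analysis, an analyst in the application group can view and refresh in Financial Analysis, and only an Advanced User can add objects there while still being unable to add them at the root. Extending `build_model` with your own folders and groups gives a table worth keeping alongside the CMC settings.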

Create the BI Application Universe Folder

Lastly we create a folder in which all universes of the application are to be placed.

  1. Log on to the CMC as Administrator and navigate to Universes
  2. Select the webi universes folder in the left hand menu
  3. Click the new folder icon or select Manage, New, New Folder
  4. Enter a name "Financial Universes" for the folder
  5. Select the newly created folder and then select Manage, Properties
  6. Update the description field with a description that describes the universes in the folder: "These universes provide access to the data marts of the Financial Analysis application"
  7. Click Apply and select User Security from the left hand menu
  8. Click Add Principals
  9. Select the appropriate application group "Finance Users" and use the > button to move the group to the right hand list
  10. Click Add and Assign Security button
  11. Click Advanced tab, then Add/Remove Rights button
  12. Under the General section update the right "View Objects" to explicitly grant and click Apply
  13. Expand System and update the rights Data Access and Create and Edit Queries Based on Universe to granted.
  14. Click OK
  15. Click OK to close the Assign Security dialog
  16. Click Close to return to the main Universe screen.

Above we had to modify individual rights on the universe folder. If we are creating many applications then we'll need to make the same changes for each BI application universe folder. It would be preferable then to make use of a custom access level called, say, "View Universe" that grants these same rights. This simplifies the process and also ensures consistency across applications.

Conclusion

Although that seems like quite a lot of work it is reasonably straightforward to implement. What is important is that you document all the security settings made; this helps with troubleshooting and maintaining the security model.

In addition it is also important to conduct unit testing of any implemented security model. Security models should be developed in a Dev environment and then promoted to a test environment using a BIAR file or the Life Cycle Management tool. Security models should never be implemented directly in a production system.

Hopefully this article gave you some ideas on what to do when implementing a security model, what areas to consider and the impact of some of the settings.
