In this blog post I will describe some best practices with regards to Data Storage and Schema, Security, Managment, Operations and Customization for shared services deployments. A shared service deployment is characteristic by multiple business units accessing the same BI platform, sharing the software as well as physical hardware, yet being isolated from each other. The principals of share service deployments are the same as for multitenancy deployments; in this blog I use the terms interchangeably.
The BI Platform enables different deployment models, which can be exemplified in three common models. Of course mixed models or variations are possible, but to simplify I focus on these 3.
When you are considering data security and data access is the most important consideration in the design of a shares service deployment. The technique to achieve user-level data filtering is also influenced by the deployment model.
For the shared database and semantic layer deployment models, one can use the following 2 options:
For the separate database with shared semantic layer, one can use the following 2 options:
Alternatively you can create a dynamic query via Universe variable on custom attribute. This feature was added in the BI 4.0 SP4 release. It provides the capability to define some attributes in the CMC that will be attached to each individual user. These attributes are then exposed in the Semantic Layer and can be used to filter business unit’s specific data. A more detailed overview can be found in the User Attribute Mapping in BI4 - in depth blog.
Next I’ll go into best practices regarding managing security for multiple tenants.
It is advisable that business units each have their own user groups in the SAP BI platform. This will help simplify the authorization management in the shared SAP BI platform and will make applying it to the semantic layer more effective and easier to manage. For BI content management, the same advice applies: each business unit should have its own public folder for storing its BI documents.
Create Authorization controlled by Access Control List (ACL) for your business units. The access control setting specifies who can carry out operation on specific content. While powerful access control technology in the SAP BI platform allows many variations and complexity, the security setting can be simplified and easily managed if user group and folder structures are adopted.
When it comes to managing different business units, you may want to consider having a standard structure for each business unit in order to lower administration cost. If business units in a shares service deployment have structural similarity, such as same folder structure, same user group structure, similar reports and so on, then you can save administrating cost when onboarding a new business unit. For this you can take advantage of the Tenant Provisioning Tool to automate on-boarding process. This feature was introduced in BI 4.0 SP4. The tool focuses on business units onboarding and BI
contents management. Its goal is to reduce manual work by enable automation without lot of low level programming allowing, hence saving time and making the onboarding process less prone to human mistake. More information can be found in Overview of SAP BI 4.x Multitenancy Management Tool
An additional feature in the BI4.1 release is that business units which were onboarded via the onboarding command line tool are now visible in a new Multitenancy tab in the CMC. In this tab you the ability to change business unit’s properties such as name, concurrent user limit and associated user
groups. The concurrent user limit ensures service availability by limiting the number of concurrent users that a business unit can logon at a given time. Once
the business unit's limit has been reached no further users of this business unit will be able to log on until another business unit’s user has logged out.
Once business units were onboarded using the above Onboarding tool, you can use the tenant auditing feature, which was introduced in BI 4.1. It allows to measure the usage of the system by the users of each business unit (for example, for billing purposes). For this feature enable and configure auditing events that you are interested it. Then in order to determine which auditing event is generated by which business unit/tenant use 2 new lookup tables in the auditing database: ADS_TENANT and ADS_USER
Administration effort of a shared service environment may be very large and may exceed the resources of a single administrator. A system administrator who wants to focus only on high-priority tasks can create delegated administrators and assign a subsets of management tasks to them (for example, the administration of a department or tenant content in case of BI platform as part of a SaaS application). Delegated administrators perform a limited set of tasks and have fewer rights on objects in the system. To improve user experience and workflow, a system administrator may hide any of the CMC tabs that a delegated administrator (or a principal) is not expected to use. Additional information can be found at Delegated administration in SAP BI 4.0 SP4
The hot backup feature, which was introduced in BI 4.0 SP4, allows you to back up your Business Intelligence platform system while continuing to allow users to use the system normally, this is important in a shared service deployment as service availability is crucial.
Using LCM you can archive and restore a subset of the BOE content, which can be used to archive a particular business unit’s data.
Additionally you can use system monitoring to ensure system health and to take proactive action. You can create custom defined condition and alerting for each business unit or create custom probe to check specific BI content or operation.
With different business units accessing the system there is often a need to customize the BI platform per business unit. Starting with 4.0 you can customize the landing page of BI launch pad by creating a custom BI workspace, an administrator can customize the homepage for a particular business unit’s user group or can also set the landing page to a particular business unit’s folder. For more information on this please see Tutorial: How to customize BI launch pad home page
User | Count |
---|---|
34 | |
25 | |
12 | |
7 | |
7 | |
6 | |
6 | |
6 | |
5 | |
4 |