Update:  This feature is now available with BI4.1 SP5 FP3 and does not require the Lumira Integration add-on.    

If you've attended the ASUG2014 BusinessObjects User Conference or have been attending some of the latest webinars, you will have heard about the ability to restrict the Lumira Desktop functionality using rights in the CMC.

Let's dive into the details:

Prerequisites:

• Lumira Desktop 1.19 or higher
• BI4.1 SP5 or higher (or BI4 Integration for Lumira)

Overview of the rights:

From the Applications tab in the CMC, navigate down to SAP Lumira. 

The following is a set of rights you can set, which should be fairly self explanatory.

Enabling/Forcing Desktop Governance

This feature is managed through forcing a logon to your BI system at each startup of the Lumira Desktop.

You can, and it is recommended that you do set up kerberos SSO for lumira desktop to make this step seamless.

The logon is controlled through the placement of a .properties file, placed in the Lumira Desktop application directory.

The steps are also described in section 4.6 of the BI add-on for Lumira.

The format of the LumiraGovernance.properties file should look something like this:

enable=true

adapter.type=boe

authentication.type=secEnterprise

rest.url=http://myserver:6405/biprws

useSSO=false

Where enable/disable turns this feature on or off,

"adapter.type" will need to be boe, but you can see that this could in the future open up other types like Lumira Server

"authentcation.type" will be enterprise, AD, LDAP or SAP, in the following formats:

● secEnterprise
● secLDAP
● secWinAD
● secSAPR3

The rest.url will be the same that is used to publish to the BI platform and

"useSSO" will dictate if a prompt should appear or if single signon will be used.

SSO Bonus:  You do NOT need to perform additional configuration here to enable kerberos for this workflow, such as a krb5.ini file.  In other words, you do NOT need to perform the steps that you would need to access universe data described in this KB http://service.sap.com/sap/support/notes/1995864

Place the file in the user's work directory.

C:\Users\<user>\.sapvi

Provisioning the LumiraGovernance.properties file

By now you will have noticed that this is just a plan text file.  How do you get this onto the user's desktop?

To make the feature effective, you do need a centralized software distribution system, and one that will set this file to read only.

See the effect

The following shows a difference in UI between the full unrestricted mode and restricted mode for data acquisition.  We have limited the user to use only certified corporate data from a universe and their local system.

The below shows limiting the publishing destinations to BI only, and includes the prevention of exporting to a file.

Pushing settings to client

Using the settings of the SAP Lumira applicaiton object, you can also control whether your end users are allowed to update the desktop.

Or even force them to use a specific server for publishing, if you have set up the full Lumira BI integration (requires Lumira Server), or specific cloud destination.

Offline Support

The desktop tool will go into last known restricted mode if launched offline.