on 05-28-2012 5:35 PM
Hi all,
I defined a OLAP connection for accessing a MS SQL 2008 cube. I'd like to manage also security issues, like the correct visibility of data for specific users.
For example, I have a sales data cube containing information of different countries. I define a OLAP connection for that cube and I create a Analysis view of that data.
want to manage data segregation (some users can only see data from Italy, other users can only see data from England, etc). I'm reading also some manuals and it seems I can't decide this kind of data segregation via SAP BO. Is it so? Do I have to manage these issues using MS SQL server authentication and security or there is a way to manage also with BO Security?
Thanks all for the support!
Hi G.Mare
Analysis OLAP honours the security rights defined in the SSAS cube and you must make use of this to control the data that is made available to individual users.
Analysis OLAP connects directly to the SSAS cube so the BO security ultimately only applies at the document/report level.
Tools that make use of the universe (eg Web Intelligence) can alternatively use the security profiles that Henry mentioned).
Regards
Ian
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Ian,
it was exactly my doubt. But if it is so, does it mean that all the security profiles I define using Security Profiles on IDT are not applied if a user define an OLAP Analysis connecting with OLAP SSAS?
This consideration can open the following scenario:
- For using OLAP Analysis on SSAS cubes I have to define authorizations on MS SQL Server Platform
- For creating new reports on universes based on other sources I have to define autorization on IDT
And this can generate a double and potentially reduntant security management. Is all true?
Thanks a lot.
Hi G. Mare
Yes, what you have said is true. But there is another option. You can define the security on the database sources and not the universe... then use SSO from the universe to connect to the sources. That way all tools could support the security model regardless if they use the universe or not. Of course this may also mean multiple security models if the datasources are all from different vendors.
Regards
What do we need to make SSO from SAP BI 4.0 Analysis Edition for OLAP work all the way to SQL Server 2008? I have selected SSO option from OLAP connections and my AD account is added on the Analysis Services cube but still I am getting "Login failed. Invalid user name or password."
The connection to the same server worked fine with BO 3.1 where we additionally needed to specify a SPN. Isn't this required anymore now that the connection is done with HTTP and Windows Authentication? Basic Authentication and typing in user name and password works fine. Should I investigate the problem on the IIS or BO server?
Hi,
You should ideally create a new thread, as this one is solved already.
Your question is timely, there have been bugs around this . Here are a collection of notes i refer to :
However, there still is 1 further issue, where you can't create an SSO connection to MSAS in IDT, when IIS is on different server from MSAS.
Let me know.
Regards.
Henry
Hi Henry,
I tried to check some of the notes you mentioned, but from sap support portal it seems it's not possible. I go to notes and I see the message "Document is not released". Could you please tell me if you have the same problem and, in negative case, send me 1689744 note?
Thanks a lot for your support.
Hi,
It is still being reviewed by the publisher
here is a copy paste:
Symptom
Environment
Analysis Edition for OLAP Web 4.0
Reproducing the Issue
Cause
There are several root causes for the error. Trace of the APS (Adaptive Processing Server) running the MDAS service narrows down the issue:
Resolution
Regards, H
Hi Henry,
I tried what is wrote on that note, but still my matter persists:
- When I try to manage connections through CMC (OLAP CONNECTIONS --> Edit Connection) and I try to connect to SSAS server, message is "Failed to get connections for connection.."
- When I try to create/use a connection via Information Design Tool and I click on "Test Connection", error "password must not be null or empty" arises
Any idea of that issue?
Thanks in advance
I followed the instructions in KB 1688079 and I have the new keytab and settings in place but still getting "Login failed. Invalid user name or password." in Analysis edition for OLAP. I changed MDAS server logging to High and it says "Unsupported SSO scenario" here:
com.businessobjects.multidimensional.services.server.transport.corba.SessionServant||calling [Session] method [openCube(ConnectionDescriptor connectionDescriptor, AuthenticationType authenticationType)] message [Unsupported SSO scenario.]
-- Context Info :
{
"processid" : "10292@FIOLVAPP424",
"threadid" : "Transport:Shared-3/10",
"requestid" : "3",
"object" : "Session",
"method" : "openCube(ConnectionDescriptor connectionDescriptor, AuthenticationType authenticationType)"
}
-- type [GenericDescriptor] value [{
"classType": "GenericDescriptor",
"connectionName": "FIDO Production",
"connectionDescription": "",
"connectionType": "CUBE",
"isDataSource": "true",
"credentials":
{
"classType": "ConnectionCredentials",
"username": "",
"password": "[********]"
},
"super":
{
"classType": "ConnectionDescriptorBase",
"providerName": "SSAS2008",
"providerDescription": "",
"serverName": "http://fiolsql274/olap/msmdpump.dll",
"properties": [
{"CONNECTION_ID": "CONNECTION_ID=Ab2l6F6vuHlHkG7aD51f8VI",
{"CATALOG": "CATALOG=FidoASProduction",
{"SERVERTYPE": "SERVERTYPE=SERVER",
{"CUBE": "CUBE=FIDO",
{"PROVIDER": "PROVIDER=SSAS2008",
{"PROTOCOL": "PROTOCOL=XMLA",
{"CATALOGPROPERTYNAME": "CATALOGPROPERTYNAME=CATALOG"]
}
}]
-- type [AuthenticationType] value [SSO]
Also BI launch pad SSO works, but manual login with username and password with Windows AD authentication does not (neither to CMC anymore).
Any advice?
I checked tomcat log and everytime a user log in in BI Launch pad, the following message arises:
GRAVE: Servlet.service() for servlet equinoxbridgeservlet threw exception
java.lang.RuntimeException: java.lang.IllegalStateException
at com.businessobjects.http.servlet.internal.BundlePathAwareServiceHandler.serviceHelper(BundlePathAwareServiceHandler.java:254)
at com.businessobjects.http.servlet.internal.BundlePathAwareServiceHandler.service(BundlePathAwareServiceHandler.java:197)
at com.businessobjects.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:248)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.eclipse.equinox.servletbridge.BridgeServlet.service(BridgeServlet.java:220)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.businessobjects.pinger.TimeoutManagerFilter.doFilter(TimeoutManagerFilter.java:159)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.IllegalStateException
at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:421)
at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:118)
at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:118)
at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)
at com.wedgetail.idm.sso.AbstractAuthenticator.writeAuthenticationChallenge(AbstractAuthenticator.java:1936)
at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:147)
at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1444)
at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthenticationOnly(AbstractAuthenticator.java:1330)
at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:1139)
at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:148)
at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.doFilter(WrappedResponseAuthFilter.java:66)
at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
at com.crystaldecisions.webapp.util.filter.ResponseEncodingFilter.doFilter(ResponseEncodingFilter.java:24)
at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
at com.businessobjects.webutil.boetrustguard.BOETrustValidateFilter.doFilter(BOETrustValidateFilter.java:45)
at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
at com.businessobjects.webutil.internal.filters.BrowserRenderingModeFilter.doFilter(BrowserRenderingModeFilter.java:20)
at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
at com.businessobjects.webutil.boetrustguard.BOETrustPrepareFilter.doFilter(BOETrustPrepareFilter.java:32)
at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
at com.businessobjects.swd.shared.tracelog.TraceLogScopeFilter.doFilter(TraceLogScopeFilter.java:38)
at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
at com.businessobjects.sdk.actionfilter.WorkflowFilter.doFilter(WorkflowFilter.java:45)
at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
at com.businessobjects.swd.appcontext.RequestInitFilter.doFilter(RequestInitFilter.java:26)
at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
at com.businessobjects.http.servlet.internal.BundlePathAwareServiceHandler.serviceHelper(BundlePathAwareServiceHandler.java:235)
... 20 more
Hi,
Sure there is:
Business Security Profiles (what objects can be used in query panel)
and Data Security Profiles (what results rows can be see in a table)
both of these are configurable from IDT, via the Security Editor.
please consult the application's Help files and our Online documentation.
Regards,
Henry
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
88 | |
23 | |
11 | |
9 | |
8 | |
5 | |
5 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.