Solved: Hide A Universe From New Report Creation (4.x vers...

Hi guys,

We have the following issue in SAP BI 4.0 SAP 4:

We have created 2 different Custom Level Access (CAL) in order to make possible that some people were able to use reports based on a universe or create reports based on a universe. These CAL include the following access rights:

- CAL A: Data Access, View Access

- CAL B: Data Access, View Accees, Create and Edit Queries Based on possible

So, for instance:

For Users A,B we apply CAL A on Universe A & B

For User B we apply CAL B on Universe B

In this scenario the user B can effectively refresh reports based on Universe A and create reports based on universe B. The issue is the following:

When the User B creates a new document, and selects to create a new data provider based on a Universe, the list of "availables"universe show both universes A & B, despite that user can not create queries on Universe A. If he tries to use it (Universe A) it receives an error.Question is: why the universe A is showed in the list?

In version 3.1 using the same CAL the list only showed the "universes" that can be effectively used for creating data providers.

Has someone faced this issue and knows a workaround/way to fix it?

Thanks in advance,

SAP Managed Tags:
SAP BusinessObjects - Web Intelligence (WebI)

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Accepted Solutions (1)

hi Alfons,

Can you clarify the below for me.

Do you maintain any second level folder for universe objects after root folders or all the universe come directly under root folders without any categorization?

We also came across the same scenario as yours and our approach was to maintain a second level folder beneath the root folder and controlled the access by tweaking security at second level folder by using the rights at (Apply to Objects only /Apply to Subobjects only)

Kindly let me know for any issues further.

Regards,

Mani

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi Alfons,

The tweak would be

Apply your custom access level at secondary folder level for all the power users (Universe and data access) with Apply to subobjects option.

for Viewers (only data access) the access to be granted directly at universe level without access to secondary folder.

More settings

- Inheritance should be disabled at root folder as well as in secondary folder level

- Viewers shouldnot have access to both Root and secondary folders.

Regards,

Mani

Hi Manikandan,

I don't know If I have misunderstood your advices but I have not been able to achieve the desired result. I have organized the universes in folders but the problem is always the same. If the user has "View Objects" rights on the universe (that is required to execute reports based on it) the universe is always shown in the list of availables universes when trying to create a report from WebI.

Alfons

Alfons,

What you understood is right. Let me clarify the bit of thing which you missed out.

The trick is that Universe should be accessible to all the users who refers universe for information consumption. But the Universe folder should be accessible to users who are more privileged than viewer but not the viewers. By this way you restrict viewer users not to see the Universe folders in turn Universe and the viewers can still access universe as they already have view access to universe.

you can achieve your requirement by proceeding the approach above. moreover there shouldn't be any inheritance from Universe folder to Universe

Regards,

Mani

Hi Manikandan,

First of all thanks by our help.

Your approach has sense (preventing acces at folder level should restrict the visibility of universes when user tries to create documents using WebI) but for some strange reason the list of availables universes for query seems to be ignoring the universe folder rights..

We have repeteadly verifying your approach

1) Create a Folder Universe (FA) under Universe root level. Put the universe A under this secondary folder

Universe Root Folder

-> Folder FA

-> Universe A

2) Check that the Viewer User has no access over FA folder (root level and folder level). Inheritance is broken when exists.

3) Assign Data Access and View universe privileges to Viewer user directly to the universe.

But as you can see in the available link the Universe still appears in the list of availaboe queries (curiously the folder column appears empty).

Can you confirm which released are you currently using? We are on 4.0 SP4 Patch 8.

http://www.mediafire.com/view/?7g7h7at1e45g7bx

regards,

Alfons

Hi Alfons,

I am also facing similar issue.

Tried many configuration settings but still not able to achieve the combination where user is able to refresh the report from universe, but not able to create reports based on it.

We are also on SP4.

Let me know if you found any solution.

I hope SAP will provide a fix for this in next Patch.

Best Regards,

Dinesh Agarwal

Hi,

As a side note, i would not leave it to chance, and simply ' hope for a fix '

the only way you can "drive" this process is by working collaboratively with SAP Support , and proving that this is infact a defect (and not an issue in your security model )

please be aware that SP04 is no longer maintained. the last patch on that codeline has already been released. (patch15)

If you are adamant this is a bug then you will need to requalify the defect on either SP05 Patch9 or Sp06 Patch1 (the 2 latest and actively maintained codelines for BI 4.0 )

It may already be that this 'defect' has been resolved in recent weeks / months, compared to vaniall SP04 . you should check the 'fixed issues' lists to determine that.

Regards,

Hi Dinesh,

I confirm you that we have not been able to manage this defect using SP 4 Patch 8. In next weeks we will move to SP6. If defects persist (as I fear) we would try to follow the path suggested by Henry (open a case, ....).

Alfons

Hi Alfons,

please try to apply KBA 1348507 which states:

Symptom

User should be able to create and refresh reports based on a particular
universe and should only be able to refresh reports based on another
universe.

Environment

SAP BusinessObjects Enterprise XI 3.1
SAP BusinessObjects Business Intelligence Platform 4.0

Resolution

Login to Central Management Console as administrator.
Create a Test user.
Give Full Control to Test user on:

Public Folder
Connections
Webi Appllication

Click on the Universes ->Select Universe 1 ->Manage ->User
security->Click on Add Principals
Add the Test user and click on "Add and Assign Security->Click on
Advanced ->Add/Remove->Grant "View Objects"(Under General group of
rights) and "Data Access"(Under Universe rights) rights.
Select Universe 2 -> Manage ->User security->Click on Add
Principles-
Add the Test user and click on "Add and Assign Security"->Click on
Advance ->Add/Remove->Grant "View Objects", "Data Access" rights and Deny
"Create and Edit Queries Based on Universe".

Now the Test user will be able to create and refresh the reports from
Universe 1 and only refresh the reports from Universe 2.

If this does not work, please open a CSS message and let me know

Thanks

Best regards

Simone Caneparo, SAP

Hi Alfons,

We just upgraded to SP6, but the problem still exists.

Dennis

Hi Dennis,

please see my previous post

Thanks

Simone Caneparo

Hi Simone,

The model works but the issue is that the user can still see the Universe 2 from the list when creating a new report although he doesn't have the rights to create query.

Regards

Dennis

Hi Dennis,

if this is the problem, it would be adiviseable to create a CSS message so that we can address this and correct if the case

Thanks

Simone

Hi ,

Please try giving these rights:

The user will be able to see the universe in list , but he will not be able to create the report. He will get error " This query cannot be edited.

Check if this works for you.

Best Regards,

Dinesh

Hi Dinesh,

Thanks for the suggestion. The security model that you purpose is the one that we have already in place now. Effectively it prevents users for create reports but because it allows them to see all the universes in the choice list situation becomes quite confusing (we have dozens of universes and some users may only work with a single one).

Regards,

Answers (6)

Hi,

I observed that this is achievable in SAP BIP 4.1 Platfrom but in UNV only not with DSL.Universe(UNX).

Regards,

Sandeep

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

I am testing my 3.1 SP6 to 4.1 SP4 and I am experiencing the same thing with the adminstrators group that has Full Control.

Universe Folder

Universe1

Universe2

Universe3

When I logged in as me (member of the administrators group), click on Web Intelligence, Clicked on New, choose Universe. I could not see Universe2 but I could see Universe1 and Universe2.

I logged into the CMC

Went to the Universes screen

Expanded my Universe Folder

Right Clicked on Universe2

Clicked on User Security

Clicked ont he line for the "Administrators" principal

Noticed that my Access Rights were "Full Control" but not Inherited

I clicked on the "Reset Security Settings" button on the bottom of the screen

I logged back in

Now I am able to see the universe

Guessing it could be something with Explicit Rights assigned that are the same as the Inherited rights or something like that. I would love to be able to click on an object, choose a userid and see all the different possible principals they belong to and see their rights for each to determine why you can or cannot access something.

Hoping this helps. Hard part is identifying all the places this could be a problem.

Tammy Datri

Grane Healthcare

Hi Alfons,

I observed it still persists in SAP BIP 4.1 SP4. Were you able to resolve it?

Regards,

Sandeep

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

I'm just started testing BI 4.1 SP4 and the issue looks to be fixed in this version! Hopefully nothing else broke and I can apply to PROD.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Joseph,

I observe it still persists in SAP BIP 4.1 SP4. Will you please confirm us?

Regards,

Sandeep

I put in a ticket with SAP and got refereed to SAP Note 1722836 which has been open for over a year. Apparently this bug that is being treated as an enhancement request with no timetable except say possible fix is next major release which from what I understand would be 5.x. I can't believe this is being treated as an enhancement request when this ability was present in prior release and is present in the current Rich Client. Does anyone know how to go about escalating this issue as quite a few users have started to complain about getting errors when trying to open a universe they shouldn't have access to?

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi Joseph!

Thanks a lot for sharing the note you were referred to with us. Actually I don't know any way to escalate the issue as you put it. We are going to put in a ticket too, in order to see if this helps it to get relevance in SAP.

Regards,

Luigi

The depth of this problem is huge. SAP should give some fix / work around ASAP .

Thank you for the KB article. We are having the same issue with BO4.1 SP1. Is this going to be resolved soon?

Was this ever fixed? Or was a workaround found? This seems to be present in BI 4.1 SP2 as well...When creating adhoc reports, a user shouldn't be able see a universe in which they don't have Create and Edit Queries Based on Universe rights. User has View Objects right so that they can refresh existing static reports. It's very disconcerting that simple things that worked in XI 3.1 are not working the same even in the latest version of BO.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi Joseph,

For us it has never work more again since we deploy I 4.0 (now we are in SP8). We share your frustration

Hi Joseph and Alfons,

We are facing the exactly same issue in a customer of ours, using BO 4.1 SP1 Patch 3. We expected to see a solution in 4.1 SP2, but as Joseph put it, it's really disconcerting that such a small issue has not been solved so far.

We will try to get a solution through CSS/incident report.

Regards,

Luigi

Hi alfons,

This depends one how you apply security to universes root folder and the individual universes.

Kindly brief that. More over check whether eveyone group have access to root folder.if so try remove it.

View Objects right is the key here which enables the User/Usergroup to view the particular object.

Regards

Mani

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi Manikandan,

Effectively everything depends on the the right applied effectively on the object. In our case we have checked that there is nor rights applied to the everyone group in the root folder. To my understand the key point comes from the "View Object" Right. This right seems to be applied on a Universes if we want to execute any report that contains any data source referred to this particular universes. On the other side ,once applied, this rightallows to see the universe in the list of universes avalaibles as data source (despite that users has no create & edit query on it).

How to fix this situation?

Thanks

Ask a Question

Top Q&A Solution Author

User

Count

Hide A Universe From New Report Creation (4.x version)

Accepted Solutions (1)

Accepted Solutions (1)

Answers (6)

Answers (6)

CSGOROLL Promo Code 'CSGOGAMERY': Unlock a 5% Bonu...

Binance Referral Code: Unlock $3000 Welcome Bonus ...

Exclusive Binance Referral Code: Unlock $3000 Welc...

BC Game Promo Code 'VIPPLUS': Claim Your Welcome B...

API Client Locked