Administering Access Rights

Objective

After completing this lesson, you will be able to administer rights using the Central Management Console (CMC).

Rights in SAP BusinessObjects BI Platform 2025

Rights are the base units for controlling and securing user access to the objects, users, applications, servers, and other features in SAP BusinessObjects BI Platform 2025. They are administered using the Central Management Console (CMC).

Rights play an important role in securing the system: they specify the individual actions that users can perform, which gives you access control over your BI content. Rights also let you delegate user and group management to different departments, and they give your IT department access to servers and server groups.

Definition:
You can set rights on folders and objects using principals; that is, users and groups who access the objects.
  • To give a manager access to a particular folder, you add the manager to the Access Control List in the Folder area in CMC. You can't give the manager access by configuring the manager's rights settings in the Users and Groups area.
  • The User Security settings for the manager in the Users and Groups area are used to grant other delegated administrators access to the manager as an object in the system.
Implicit and Explicit Rights:
  • Global or specific rights on objects can be Granted, Denied, or Not Specified.
  • If a global or specific right is set to Not Specified, the right is denied by default for an object (because no grant exists). A Not Specified right is also called an implicit right (the default).
  • If a global or specific right is set to Granted or Denied, the setting is applied and overrides the implicit right (the default). Granted and Denied rights are also called explicit rights.
  • When both explicit rights (Granted and Denied) apply to the same object, the effective right is Denied: in the rights hierarchy, an explicit Deny always overrides an explicit Grant, and an explicit Grant always overrides an implicit Not Specified.
Global and specific rights can be Granted, Denied, Not Specified and applied to Object and/or Subobject in SAP BusinessObjects BI Platform 2025.

An important exception to this rule happens when a right is explicitly set on a child object that contradicts the rights inherited from the parent object. In this case, the right set on the child object overrides the inherited rights. This exception also applies to users who are members of groups. If a user is explicitly granted a right that is denied to the user's group, the right set on the user overrides the inherited right from the group.

SAP BusinessObjects BI Platform 2025 Security Terminology

  • A right in SAP BusinessObjects BI Platform 2025 is also referred to as Access Control Entry (ACE) or permission.
  • An ACE (or permission) can be set to one of three states: explicit Denied (D), explicit Granted (G) or implicit Not Specified (NS).
  • A combination of several ACEs (or permissions) and states (for example, a combination of the right to schedule object which is Granted + the right to view object which is Granted + the right to modify object which is Denied) makes up an Access Level.
  • SAP BusinessObjects BI Platform 2025 includes predefined Access Levels (View, Schedule, View On Demand, Full Control).

    Note

    It is NOT possible to modify a predefined Access Level.
  • You can also tailor security by creating your own custom Access Levels, either from scratch or from a duplicate copy of a predefined Access Level.
  • Groups and users in the system are also referred to as principals. In SAP BusinessObjects BI Platform 2025, you give rights to principals on objects (folders, documents, universes, connections, BI applications).
Principals:
  • You can assign rights to groups or users (called Principals). It is recommended that you assign rights to groups rather than users to simplify overall security management.
  • To assign rights in the CMC, navigate to the object (folder, report, application, etc.) and then identify the principal (user or group) for whom you need to modify access.
For example, if the HR Business Users group needs access to the HR Department public folder, the administrator navigates in the CMC to that specific folder (first step), adds a principal (second step), and assigns an Access Level to that principal (third step).
Object security in SAP BusinessObjects BI Platform 2025.
The Three-Step Securing Process:

An administrator must follow this three-step process in the CMC to secure access to any object in SAP BusinessObjects BI Platform 2025:

  1. WHAT: Select the Object to secure in CMC (for instance, a public folder).
  2. WHO: Add a Principal for this Object in CMC (for instance, a user group).
  3. HOW: Assign an Access Level to this Principal in CMC to specify how to access the Object (for instance, a custom access level).
A three-step process for securing an object in SAP BusinessObjects BI Platform 2025.

Rights Terminology

Key Concepts

Here are the key concepts to know about object rights in SAP BusinessObjects BI Platform 2025:

  • Access Levels
  • Inheritance
  • Top-level folder security
  • Folder-level security
  • Object-level security
Access Levels:
  • Access levels are a collection of rights (global and specific) that users often need.
  • They allow administrators to set common security levels quickly and uniformly rather than setting individual rights separately.
  • SAP BusinessObjects BI Platform 2025 also comes with several predefined access levels.
  • You can also create and add your own custom access levels.
Inheritance:
  • SAP BusinessObjects BI Platform 2025 recognizes two types of inheritance:
    • Group inheritance:

      Group inheritance allows principals to inherit rights as the result of group membership.

    • Folder inheritance:

      Folder inheritance allows principals to inherit any rights that they've been granted on an object's parent folder.

Top-level folder security:
  • Top-level folder security is the default security set for each specific object type (for example Universes, Folders, Connections, Users and Groups).
  • Each object type has its own top-level folder (root folder) that all the sub-objects inherit rights from.
  • If there are any access levels common to certain object types that apply throughout the whole system, set them at the top-level folder specific to each object type.
  • For example, if the Sales group needs the View access level to all folders, you can set this access at the root level for Folders.
Top-level folder security is the default security set for the top-level object that all the sub-objects inherit rights from.
Folder-level security:
  • Folder-level security enables you to set access-level rights for a folder and the objects within the folder.
  • While folders inherit security from the top-level folder (root folder), sub-folders inherit the security of their parent folder. Rights set explicitly at the folder level override inherited rights.
Object-level security:
  • Objects in SAP BusinessObjects BI Platform 2025 inherit security from their parent folder.
  • Rights set explicitly at the object level override inherited rights.
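
The override rules from "Implicit and Explicit Rights" and the two inheritance types described above can be traced with a small model. This is an added example, not SAP code or a BI Platform API: the names `PARENT`, `GROUPS`, `ACL` and all sample folders, users and groups are constructed. The lesson does not say how the child-object and user-over-group exceptions combine, so the model assumes the nearest object level is consulted first and, within a level, the user's own setting before group settings.

```python
# Simplified model of the rights rules in this lesson (constructed, not SAP code).
GRANTED, DENIED, NOT_SPECIFIED = "G", "D", "NS"

# Constructed hierarchy: child -> parent (None marks the top-level folder).
PARENT = {
    "Folders": None,
    "Folders/HR": "Folders",
    "Folders/HR/Payroll Report": "Folders/HR",
}
# Constructed group membership: user -> groups.
GROUPS = {"alice": ["HR Business Users", "Everyone"], "bob": ["Everyone"]}

# Constructed ACL: (object, principal) -> {right: explicit state}.
ACL = {
    ("Folders", "Everyone"): {"view": GRANTED},
    ("Folders/HR", "Everyone"): {"view": DENIED},
    ("Folders/HR", "HR Business Users"): {"view": GRANTED, "edit": GRANTED},
    ("Folders/HR/Payroll Report", "HR Business Users"): {"edit": DENIED},
    ("Folders/HR/Payroll Report", "alice"): {"edit": GRANTED},
}


def explicit_state(obj, principals, right):
    """Combine explicit settings of several principals on one object: Deny beats Grant."""
    states = {ACL.get((obj, p), {}).get(right, NOT_SPECIFIED) for p in principals}
    if DENIED in states:
        return DENIED
    return GRANTED if GRANTED in states else NOT_SPECIFIED


def effective_right(user, obj, right):
    """Return (state, reason) for `user` on `obj`, nearest object level first."""
    level = obj
    while level is not None:
        # Assumption: at each level the user's own setting is checked before groups.
        for who, principals in (("user", [user]), ("group", GROUPS.get(user, []))):
            state = explicit_state(level, principals, right)
            if state != NOT_SPECIFIED:
                return state, f"explicit {state} for {who} on {level}"
        level = PARENT[level]  # nothing explicit here: inherit from the parent folder
    return DENIED, "Not Specified everywhere, denied by default"
```

In this sample, alice cannot view the HR folder contents even though HR Business Users is granted View there, because the Deny set for Everyone on the same folder wins; the returned reason string shows which entry decided the outcome.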

Predefined Access Levels

Definition

Here are the predefined access levels provided by default in SAP BusinessObjects BI Platform 2025:

  • View
  • Schedule
  • View On Demand
  • Full Control (Owner)
  • Full Control
Considerations:

Predefined Access Levels are embedded in SAP BusinessObjects BI Platform 2025:

  • They are based on a model of increasing rights - View, Schedule, View On Demand, Full Control (Owner) and Full Control; each access level builds upon the rights granted by the previous level.
  • These can be used to quickly assign commonly needed access rights. Exploring the specific rights assigned in these predefined access levels also helps you identify which rights are logically combined.

    Note

    In the View On Demand predefined access level, a user has the right to edit objects and is also granted the right to view objects in order to actually make modifications. In other words, you can't edit an object if you can't see it.
  • The No Access predefined access level does not exist in SAP BusinessObjects BI Platform 2025. If you want all rights on an object to be implicit (Not Specified), you just have to remove all access levels assigned to this object.
Predefined access levels are provided by design in SAP BusinessObjects BI Platform 2025.
Assigning a Predefined Access Level:
  • As predefined access levels are statically defined with a preset selection of rights, they can be restrictive when configuring fairly complex security models.
  • Optionally, you can also create custom Access Levels either from scratch or from a duplicate copy of a predefined Access Level (custom Access Levels enable greater flexibility as you design your security model).
An Access Level security is assigned to a Principal for an Object.

Predefined Access Levels Are Read-Only:

  • Predefined Access Levels are read-only, so it is NOT possible to modify or delete a predefined Access Level in SAP BusinessObjects BI Platform 2025.
  • You can create a copy of a predefined Access Level (a custom Access Level). This copy can then be edited.
It is NOT possible to modify a predefined Access Level preset with a selection of rights in SAP BusinessObjects BI Platform 2025.

The following link summarizes the rights that each predefined access level involves on SAP BusinessObjects BI Platform 2025.

Predefined Access Levels

Custom Access Levels (CAL)

Definition:
  • You can create Custom Access Levels (CALs) either from scratch or from a duplicate copy of a predefined Access Level in CMC.
  • CALs enable greater flexibility as you design your security model.
You can customize your own security by creating new custom Access Levels (CALs) in SAP BusinessObjects BI Platform 2025.

Rights Collections

Four Rights collections exist on SAP BusinessObjects BI Platform 2025:

  • General
  • Content
  • Application
  • System
General:
  • In access levels, rights are organized in Rights Collections, depending on the type of object you want to secure on SAP BusinessObjects BI Platform 2025.
  • The General rights collection contains a list of global rights dedicated for public folders (shared).
For instance, you can grant the view objects right to allow viewing folders, and you can deny the edit and delete objects rights to prevent editing and deleting folders or the documents within them.
General rights collection contains a list of global rights dedicated for public folders (shared).
Content:
The Content rights collection contains a list of specific rights for content.
For instance, you can grant the rights to edit a query and refresh the report's data in Web Intelligence content (a Web Intelligence document).
Content rights collection contains a list of specific rights for BI content.
Application:
The Application rights collection contains a list of specific rights for BI applications.
For instance, you can grant the right to use the Web Intelligence application for creating and designing a new document.
Application rights collection contains a list of specific rights for BI applications.
System:
The System rights collection contains a list of specific rights for objects related to data sources (universes, connections).
For instance, you can grant the rights to create and edit queries for a .UNX universe and grant data access for a relational connection to a data source.
System rights collection contains a list of specific rights for objects in relationship with data sources (universes, connections).

In a situation where you manage two groups, business users and business analysts, you can create two custom access levels (CALs), one for each group, in SAP BusinessObjects BI Platform 2025 (for instance, one CAL for business users to be able to view and refresh reports, another CAL for business analysts to be able to create/design/refresh and publish new reports). You add both groups as principals to the folders that contain report objects. Then, you can control report access by assigning the appropriate custom access level (CAL) to each group.

This custom Access Level contains a collection of rights to be able to create/design/refresh and publish new objects.
This custom Access Level contains a collection of rights to be able to view only objects.

Once custom access levels have been created, the administrator can use the three-step process (WHAT / WHO / HOW) to assign a security model on objects in SAP BusinessObjects BI Platform 2025.

Summary

  • Rights in SAP BusinessObjects BI Platform 2025 are the base units for controlling user access to various features and are administered using the Central Management Console (CMC).
  • They secure the system by enabling access control, allowing for delegation of user and group management, and granting IT department access to servers.
  • Rights can be set on folders and objects and are assigned to principals (users or groups), with options to Grant, Deny, or leave Not Specified.
  • An important exception to the right override rule is when a right is explicitly set on a child object or user, which then overrides the inherited rights.
  • Predefined Access Levels, such as View, Schedule, and Full Control, simplify security management by grouping commonly needed rights.