Testing Security

Objective

After completing this lesson, you will be able to evaluate security model in SAP BusinessObjects BI Platform 2025.

Troubleshooting Rights Issues

Definition:

Troubleshooting user rights can be a laborious undertaking for a system administrator. SAP BusinessObjects BI Platform 2025 includes two tools that could be used.

  • Security Query
  • Permissions Explorer

Security Query:

The Security Query tool enables an administrator to list the objects a principal can access. It also enables the administrator to change the security settings from the query result interactively.

Security Query tool enables an administrator to list the objects a principal can access.

Permissions Explorer:

The Permissions Explorer displays principal rights.

The Permissions Explorer displays principal rights.

Security Queries

Create A Security Query In CMC

Sometimes, you want to know the objects to which a principal has been granted or denied access. You can use a security query to do this.

  • Security Query is available only for administrators.
  • Security queries can be created by administrators from the Users and Groups tab in CMC.
Create Security Query option in CMC.

Security Query Parameters In CMC

Security queries let you determine which objects a principal have certain rights to and manage user rights. For each security query, you enter the following parameters:

  • Query Principal (user or group)
  • Query Permissions (rights)
  • Query Context (object type)

Security Query tool let you determine which objects a principal have certain rights to and manage user rights.

  • Query Principal:

    You specify either the user or the group that you want to run the security query for. You choose one principal for each security query.

  • Query Permission:

    • You specify the right or rights that you want to run the security query for, the status of these rights, and the object type on which these rights are set.

    • If you select the Do not query by permissions option, that means you do not want to specify any filter on specific rights and permissions to run the security query for.

  • Query Context:

    You specify the areas (object types) that you want the security query to search. For each area, you can choose whether to include sub-objects in the security query. You can specify up to a maximum of four different areas in the query context.

You can choose among the following areas for the query context:

  • Folders
  • Personal Folders
  • Users
  • Usergroups
  • Profiles
  • Server Groups
  • Servers
  • Categories
  • Personal Categories
  • Inboxes
  • Universes
  • Universe Connections
  • Calendars
  • Events
  • Access Levels
  • Applications

When you run a security query :

  • The results appear in the Query Results area in the Tree panel under Security Queries.
  • On the panel located at the top of the Query results area, you will see all objects and sub-objects filtered by the requested query context and query permission for the requested query principal.
  • For each of resulting object, you will know its name, its type, its path and its current access level. You can select any of these objects.
  • On the panel located at the bottom of the Query results area, the detailed collection of rights is displayed to check them by object/sub-object.
  • If you want to refine a security query, you can run a second query within the results from the first query.

Security Query results area in CMC.

Security queries are useful because they allow you to see the objects that a principal has certain rights to, and they provide the locations of these objects if you want to modify those rights.

Note

Security queries are only user session affinity. They are not stored on SAP BusinessObjects BI Platform 2025, so that means all your security queries will be automatically deleted when administrator ends his user session by logging off from CMC.

Verify Access Rights using Permissions Explorer and Security Query

In this exercise, you will verify access rights using Permissions Explorer and Security Query.

ExerciseStart Exercise

Summary of Hierarchical Rules

The following is a summary of Hierarchical Rules:

  • A more specific assignment overrides over a less specific assignment, such as a sub-object over a parent object.
  • Groups can have sub-groups and users. Subgroups and users are treated as members of the parent group.
  • The rights given to the group closest to the principal take precedence (without breaking inheritance).

Summary of Recommendations

The following are the recommendations for security:

  • Use access levels wherever possible. Access levels contain sets of rights simplify administration by grouping together rights associated with common user needs.
  • Do not forget to set rights and access levels on top-level objects (public folders, universe folders, connection folders). Enabling inheritance will allow these rights to be passed down through the system with minimal administrative intervention.
  • Avoid breaking inheritance for objects whenever possible. By doing so, you can reduce the amount of time it takes to secure the content that you have added to SAP BusinessObjects BI Platform 2025.
  • Set appropriate rights for users and groups at the folder level, then publish objects to that folder. By default, users or groups who have rights to a folder will inherit the same rights for any object that you subsequently publish to that folder.
  • Organize users into user groups, assign access levels and rights to the entire group, and assign access levels and rights to specific members when necessary.
  • Create individual administrator accounts for each administrator in the system and add them to the Administrators group to improve accountability for system changes.
  • By default, the Everyone group is granted very limited rights to top-level folders in SAP BusinessObjects BI Platform 2025. After installation, it is recommended that you review the rights of Everyone group members and assign security accordingly.

For more information on recommendations of rights administration on SAP BusinessObjects BI Platform 2025:

Summary of recommendations for rights administration

Summary

  • Troubleshooting user rights can be challenging for system administrators, but SAP BusinessObjects BI Platform 2025 offers two helpful tools for this purpose.
  • The Security Query tool allows administrators to list accessible objects for a principal and change security settings interactively.
  • The Permissions Explorer tool displays the rights assigned to principals.
  • Security queries help determine which objects a principal has certain rights to, and they allow management of user rights by specifying the principal, permissions, and context for each query.
  • Administrators can use these tools to effectively manage and troubleshoot security settings within SAP BusinessObjects BI Platform 2025.

Learning

SAP FacebookSAP YoutubeSAP LinkedIn