boexi admin guide

BusinessObjects Enterprise™ XIAdministrator’s Guide

BusinessObjects Enterprise XI

Windows

Patents Business Objects owns the following U.S. patents, which may cover products that are offered and sold by Business Objects: 5,555,403, 6,247,008 B1, 6,578,027 B2, 6,490,593 and 6,289,352.

Trademarks Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and other countries. All other names mentioned herein may be trademarks of their respective owners.

Copyright Copyright © 2004 Business Objects. All rights reserved.

Contents
Chapter 1 Introduction to BusinessObjects Enterprise XI Administrator’s Guide 19
About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Who should use this guide? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Business Objects information resources . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 2 What’s New in BusinessObjects Enterprise 21Welcome to BusinessObjects Enterprise XI . . . . . . . . . . . . . . . . . . . . . . . . 22About this version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Supported products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22New features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

End-user experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Report design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Developer flexibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26System administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Chapter 3 Administering BusinessObjects Enterprise 31Administration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Central Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Logging on to the Central Management Console . . . . . . . . . . . . . . . . 33Navigating within the Central Management Console . . . . . . . . . . . . . . 34Setting console preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Setting the Query size threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Logging off of the Central Management Console . . . . . . . . . . . . . . . . 37

Using the Central Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . 37Accessing the CCM for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Making initial security settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Setting the Administrator password . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Disabling the Guest account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Modifying the default security levels . . . . . . . . . . . . . . . . . . . . . . . . . . 40

BusinessObjects Enterprise Administrator’s Guide 3

Contents

Managing universes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Managing universe connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Managing InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Managing Web Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Managing Discussions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Accessing the Discussions page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Searching for discussion threads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Sorting search results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Deleting discussion threads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Setting user rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Chapter 4 BusinessObjects Enterprise Architecture 47Architecture overview and diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Client tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Central Management Console (CMC) . . . . . . . . . . . . . . . . . . . . . . . . . . 50Central Configuration Manager (CCM) . . . . . . . . . . . . . . . . . . . . . . . . . 51Publishing Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Application tier components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Web development platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Web application environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Central Management Server (CMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Program Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Web Intelligence Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

4 BusinessObjects Enterprise Administrator’s Guide

Contents

Report Application Server (RAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Destination Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61List of Values Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Data tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Report viewers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Information flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

What happens when you schedule an object? . . . . . . . . . . . . . . . . . . 64What happens when you view a report? . . . . . . . . . . . . . . . . . . . . . . . 65

Choosing between live and saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Live data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Chapter 5 Managing and Configuring Servers 73Server management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Viewing current metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Viewing current server metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Viewing system metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Viewing and changing the status of servers . . . . . . . . . . . . . . . . . . . . . . . . 78Starting, stopping, and restarting servers . . . . . . . . . . . . . . . . . . . . . . 78Stopping a Central Management Server . . . . . . . . . . . . . . . . . . . . . . . 80Enabling and disabling servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Printing, copying, and refreshing server status . . . . . . . . . . . . . . . . . . 82

Configuring the application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Configuring the Web Component Adapter . . . . . . . . . . . . . . . . . . . . . . 84

Configuring the intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87Clustering Central Management Servers . . . . . . . . . . . . . . . . . . . . . . . 87Copying data from one CMS database to another . . . . . . . . . . . . . . . . 92Deleting and recreating the CMS database . . . . . . . . . . . . . . . . . . . . . 99Selecting a new or existing CMS database . . . . . . . . . . . . . . . . . . . . 100Setting root directories and idle times of the File Repository Servers 102Modifying Cache Server performance settings . . . . . . . . . . . . . . . . . 103Modifying the polling time of the Event Server . . . . . . . . . . . . . . . . . . 105


Contents

Configuring the processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Modifying Page Server performance settings . . . . . . . . . . . . . . . . . . . 106Modifying database settings for the RAS . . . . . . . . . . . . . . . . . . . . . . 109Modifying performance settings for the RAS . . . . . . . . . . . . . . . . . . . . 111Modifying performance settings for job servers . . . . . . . . . . . . . . . . . 112Configuring the Web Intelligence Report Server . . . . . . . . . . . . . . . . . 113Configuring the destinations for job servers . . . . . . . . . . . . . . . . . . . . 116Configuring Windows processing servers for your data source . . . . . 123

Logging server activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124Advanced server configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Changing the default server port numbers . . . . . . . . . . . . . . . . . . . . . 124Configuring a multihomed machine . . . . . . . . . . . . . . . . . . . . . . . . . . . 127Adding and removing Windows server dependencies . . . . . . . . . . . . 128Changing the server startup type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129Changing the server user account . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Configuring servers for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Chapter 6 Managing Server Groups 135Server group overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136Creating a server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136Working with server subgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Modifying the group membership of a server . . . . . . . . . . . . . . . . . . . . . . 139

Chapter 7 Scaling Your System 141Scalability overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142Common configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

One-machine setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Three-machine setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Six-machine setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

General scalability considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146Increasing overall system capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . 146Increasing scheduled reporting capacity . . . . . . . . . . . . . . . . . . . . . . . 147Increasing on-demand viewing capacity for Crystal reports . . . . . . . . 148


Contents

Increasing prompting capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149Delegating XSL transformation to Internet Explorer . . . . . . . . . . . . . 149Enhancing custom web applications . . . . . . . . . . . . . . . . . . . . . . . . . 150Improving web response speeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150Getting the most from existing resources . . . . . . . . . . . . . . . . . . . . . 151

Adding and deleting servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Adding a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Deleting a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Chapter 8 Managing BusinessObjects Enterprise Repository 157BusinessObjects Enterprise Repository overview . . . . . . . . . . . . . . . . . . 158Copying data from one repository database to another . . . . . . . . . . . . . . 158

Importing data from a Crystal Enterprise 10 or BusinessObjects Enterprise XI CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158Copying data from a Crystal Enterprise 9 repository database . . . . . 163Copying data from a Crystal Reports 9 repository database . . . . . . . 165

Refreshing repository objects in published reports . . . . . . . . . . . . . . . . . 166

Chapter 9 Working with Firewalls 169Firewalls overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

What is a firewall? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170Firewall types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Understanding firewall integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174Communication between servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174Firewall configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176Typical firewall scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Configuring the system for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178Configuring for Network Address Translation . . . . . . . . . . . . . . . . . . 178Configuring for packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182Configuring for SOCKS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Chapter 10 Managing Auditing 189Auditing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

How does auditing work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190


Contents

Which actions can I audit? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191Configuring the auditing database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195Enabling auditing of user and system actions . . . . . . . . . . . . . . . . . . . . . . 196Controlling synchronization of audit actions . . . . . . . . . . . . . . . . . . . . . . . 198Optimizing system performance while auditing . . . . . . . . . . . . . . . . . . . . . 198Using sample audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199Creating custom audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Auditing database schema reference . . . . . . . . . . . . . . . . . . . . . . . . . 203

Chapter 11 BusinessObjects Enterprise Security Concepts 213Security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214Authentication and authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Primary authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215Secondary authentication and authorization . . . . . . . . . . . . . . . . . . . . 216About single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Security management components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219Web Component Adapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220Security plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221Processing extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Active trust relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228Logon tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229Ticket mechanism for distributed security . . . . . . . . . . . . . . . . . . . . . . 229

Sessions and session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230WCA session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231CMS session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Environment protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232Web browser to web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232Web server to BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . 232

Auditing web activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233Protection against malicious logon attempts . . . . . . . . . . . . . . . . . . . . . . . 233

Password restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233Logon restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234


Contents

User restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234Guest account restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Chapter 12 Managing User Accounts and Groups 235What is account management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236Default users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Default users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236Default groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Available authentication types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238Managing Enterprise and general accounts . . . . . . . . . . . . . . . . . . . . . . . 239

Creating an Enterprise user account . . . . . . . . . . . . . . . . . . . . . . . . . 240Adding a user to groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241Modifying a user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242Deleting a user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242Changing password settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243Creating a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244Adding users to a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245Modifying a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246Viewing group members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247Deleting a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247Disabling the Guest account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247Granting access to users and groups . . . . . . . . . . . . . . . . . . . . . . . . 248

Managing LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248Configuring LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249Mapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255Unmapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258Viewing mapped LDAP users and groups . . . . . . . . . . . . . . . . . . . . . 258Changing LDAP connection parameters and member groups . . . . . 258Managing multiple LDAP hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259Troubleshooting LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

Managing AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261Mapping AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262Unmapping AD groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266


Contents

Viewing mapped AD users and groups . . . . . . . . . . . . . . . . . . . . . . . . 266Troubleshooting AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267Setting up AD single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

Managing NT accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270Mapping NT accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270Unmapping NT groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274Viewing mapped NT users and groups . . . . . . . . . . . . . . . . . . . . . . . . 275Troubleshooting NT accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276Setting up NT single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Managing aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280Creating a user and a third-party alias . . . . . . . . . . . . . . . . . . . . . . . . 280Creating an alias for an existing user . . . . . . . . . . . . . . . . . . . . . . . . . 282Assigning an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282Reassigning an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283Deleting an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283Disabling an aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Configuring Kerberos single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285Setting up a service account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285Configuring the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286Configuring the Windows AD plug-in for Kerberos authentication . . . 287Configuring the cache expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289Configuring the IIS and browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289Configuring IIS for end-to-end single sign-on . . . . . . . . . . . . . . . . . . . 291Configuring IIS for single sign-on to databases only . . . . . . . . . . . . . . 295Configuring BusinessObjects Enterprise web applications . . . . . . . . . 298Mapping AD accounts for Kerberos single sign-on . . . . . . . . . . . . . . . 299Configuring the databases for single sign-on . . . . . . . . . . . . . . . . . . . 299

Chapter 13 Controlling User Access 301Controlling user access overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302Controlling users’ access to objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Setting object rights for users and groups . . . . . . . . . . . . . . . . . . . . . . 303Viewing object rights settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305


Contents

Setting common access levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306Setting advanced object rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308Using inheritance to your advantage . . . . . . . . . . . . . . . . . . . . . . . . . 311Inheritance with advanced rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314Customizing a ‘top-down’ inheritance model . . . . . . . . . . . . . . . . . . . 317

Controlling access to applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335Controlling administrative access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Controlling access to users and groups . . . . . . . . . . . . . . . . . . . . . . . 338Controlling access to user inboxes . . . . . . . . . . . . . . . . . . . . . . . . . . 338Controlling access to servers and server groups . . . . . . . . . . . . . . . . 339Controlling access to universes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340Controlling access to universe connections . . . . . . . . . . . . . . . . . . . . 341

Chapter 14 Organizing Objects 343Organizing objects overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

About folders and categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344Working with folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

Creating and deleting folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344Copying and moving folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347Adding a report to a new folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348Specifying folder rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350Setting limits for folders, users, and groups . . . . . . . . . . . . . . . . . . . . 351Managing User Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Working with categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354Creating and deleting categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354Moving categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355Adding an object to a new category . . . . . . . . . . . . . . . . . . . . . . . . . . 356Removing or deleting objects from a category . . . . . . . . . . . . . . . . . . 356Specifying category rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357Managing personal categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358


Contents

Chapter 15 Publishing Objects to BusinessObjects Enterprise 359Publishing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

Publishing options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361Publishing with the Publishing Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

Logging on to BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . 362Adding objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362Creating and selecting a folder on the CMS . . . . . . . . . . . . . . . . . . . . 363Moving objects between folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364Duplicating the folder structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364Adding objects to a category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365Changing scheduling options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365Refreshing repository fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366Selecting a program type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367Specifying program credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367Changing default values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367Changing object properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368Entering database logon information . . . . . . . . . . . . . . . . . . . . . . . . . 368Setting parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369Setting the schedule output format . . . . . . . . . . . . . . . . . . . . . . . . . . . 370Adding extra files for programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370Specifying command line arguments . . . . . . . . . . . . . . . . . . . . . . . . . 370Finalizing the objects to be added . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Publishing with the Central Management Console . . . . . . . . . . . . . . . . . . 371Saving objects directly to the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Chapter 16 Importing Objects to BusinessObjects Enterprise 375Importing information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376Importing information from BusinessObjects Enterprise 6.x . . . . . . . . . . . 376

Before importing from BusinessObjects Enterprise 6.x . . . . . . . . . . . . 377Importing objects from BusinessObjects Enterprise 6.x . . . . . . . . . . . 378

Importing information from Crystal Enterprise . . . . . . . . . . . . . . . . . . . . . . 382Importing objects from Crystal Enterprise . . . . . . . . . . . . . . . . . . . . . . 383

Importing information from Crystal Info . . . . . . . . . . . . . . . . . . . . . . . . . . . 386


Contents

Importing objects from Crystal Info . . . . . . . . . . . . . . . . . . . . . . . . . . 386Importing with the Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

Specifying the source and destination environments . . . . . . . . . . . . . 388Selecting information to import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391Importing objects with rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393Choosing an import scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393Importing specific objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395Finalizing the import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

Chapter 17 Managing Objects 401Managing objects overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402General object management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

Copying, moving, or creating a shortcut for an object . . . . . . . . . . . . 403Deleting an object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405Searching for an object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405Sending an object or instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406Changing properties of an object . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408Assigning an object to categories . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Report object management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411What are report objects and instances? . . . . . . . . . . . . . . . . . . . . . . 411Setting report refresh options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412Viewing the universes for a Web Intelligence document . . . . . . . . . . 413Setting report processing options . . . . . . . . . . . . . . . . . . . . . . . . . . . 414Applying processing extensions to reports . . . . . . . . . . . . . . . . . . . . 429Working with hyperlinked reports . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

Program object management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436What are program objects and instances? . . . . . . . . . . . . . . . . . . . . 436Setting program processing options . . . . . . . . . . . . . . . . . . . . . . . . . 438

Object package management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444What are object packages, components, and instances? . . . . . . . . . 444Creating an object package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445Adding objects to an object package . . . . . . . . . . . . . . . . . . . . . . . . . 446Configuring object packages and their objects . . . . . . . . . . . . . . . . . 447


Contents

Authentication and object packages . . . . . . . . . . . . . . . . . . . . . . . . . . 448

Chapter 18 Scheduling Objects 449Scheduling objects overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450Scheduling objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450

About the scheduling options and parameters . . . . . . . . . . . . . . . . . . 452Scheduling objects using object packages . . . . . . . . . . . . . . . . . . . . . 455Scheduling an object with events . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

Setting the scheduling options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460Setting notification for an object’s success or failure . . . . . . . . . . . . . 460Specifying alert notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463Selecting a destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465Choosing a format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475Selecting cache options for Web Intelligence documents . . . . . . . . . . 477Scheduling an object for a user or group . . . . . . . . . . . . . . . . . . . . . . 477

Managing instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479Managing and viewing the history of instances . . . . . . . . . . . . . . . . . . 479Setting instance limits for an object . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

Chapter 19 Managing Calendars 485Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486Creating calendars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486Adding dates to a calendar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487Deleting calendars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491Specifying calendar rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

Chapter 20 Managing Events 493Managing events overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494File-based events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495Schedule-based events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496Custom events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498Specifying event rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499


Contents

Chapter 21 General Troubleshooting 501Troubleshooting overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502Documentation resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503Web accessibility issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

Using an IIS web site other than the default . . . . . . . . . . . . . . . . . . . 503Unable to connect to CMS when logging on to the CMC . . . . . . . . . . 504Windows NT authentication cannot log you on . . . . . . . . . . . . . . . . . 504

Report viewing and processing issues . . . . . . . . . . . . . . . . . . . . . . . . . . . 505Troubleshooting reports with Crystal Reports . . . . . . . . . . . . . . . . . . 505Troubleshooting reports and looping database logon prompts . . . . . 507Ensuring that server resources are available on local drives . . . . . . . 510Page Server error when viewing a report . . . . . . . . . . . . . . . . . . . . . 511

InfoView considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511Supporting users in multiple time zones . . . . . . . . . . . . . . . . . . . . . . 511Setting default report destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . 511

Chapter 22 Licensing Information 513Licensing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514Accessing license information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515Adding a license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516Viewing current account activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

Appendix A From BusinessObjects 6.x to BusinessObjects XI 519Product offering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

BusinessObjects 6.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521BusinessObjects XI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522

Basic terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526

Migration and mapping of specific objects . . . . . . . . . . . . . . . . . . . . . 526Migration of user rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528

Installation, configuration, and deployment . . . . . . . . . . . . . . . . . . . . . . . 530


Contents

Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537Reporting, analysis, information sharing . . . . . . . . . . . . . . . . . . . . . . . . . . 541SDK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545

Appendix B Rights and Access Levels 547Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548Access levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549

No Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549View On Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550Full Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551

Default rights on the top-level folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551Object rights for the Report Application Server . . . . . . . . . . . . . . . . . . . . . 552

Appendix C Configuring NTFS Permissions 553Configuring NTFS permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

Configuring NTFS permissions for BusinessObjects Enterprise components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

Appendix D Customizing the appearance of Web Intelligence documents 559Customizing the appearance of Web Intelligence documents . . . . . . . . . 560

What you can do with the defaultconfig.xml file . . . . . . . . . . . . . . . . . 561Locating and modifying defaultconfig.xml . . . . . . . . . . . . . . . . . . . . . . 562List of key values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564Example: Modifying the default font in table cells . . . . . . . . . . . . . . . . 565

Appendix E Server Command Lines 567Command lines overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568Standard options for all servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570Page Server and Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572Job servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575


Contents

Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577Input and Output File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . 578Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579

Appendix F International Deployments 581International deployments overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582Deploying BusinessObjects Enterprise internationally . . . . . . . . . . . . . . . 582

Planning an international BusinessObjects Enterprise deployment . . 583Providing a client tier for multiple languages . . . . . . . . . . . . . . . . . . . 585

Appendix G Creating Accessible Reports 587About accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588

Benefits of accessible reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588About the accessibility guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . 589Accessibility and Business Objects products . . . . . . . . . . . . . . . . . . . 590

Improving report accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591Placing objects in reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593Color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597Navigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598Parameter fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Designing for flexibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600Accessibility and conditional formatting . . . . . . . . . . . . . . . . . . . . . . . 601Accessibility and suppressing sections . . . . . . . . . . . . . . . . . . . . . . . 602Accessibility and subreports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

Improving data table accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603Text objects and data table values . . . . . . . . . . . . . . . . . . . . . . . . . . 604Other data table design considerations . . . . . . . . . . . . . . . . . . . . . . . 608

Accessibility and BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . 609Setting accessible preferences for BusinessObjects Enterprise . . . . 609

Accessibility and customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612


Contents

Appendix H Business Objects Information Resources 613Documentation and information services . . . . . . . . . . . . . . . . . . . . . . . . . 614Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614

What’s in the documentation set? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614Where is the documentation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614Send us your feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

Customer support, consulting and training . . . . . . . . . . . . . . . . . . . . . . . . 615How can we support you? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615Looking for the best deployment solution for your company? . . . . . . . 616Looking for training options? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616

Useful addresses at a glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617

Index 619


Introduction to BusinessObjects Enterprise XI Administrator’s Guide

chapter

Introduction to BusinessObjects Enterprise XI Administrator’s GuideAbout this guide1
About this guide
This guide provides you with information and procedures covering a wide range of administrative tasks. Procedures are provided for common tasks. Conceptual information and technical details are provided for all advanced topics.BusinessObjects Enterprise is a flexible, scalable, and reliable solution for delivering powerful, interactive reports to end users via any web application—intranet, extranet, Internet or corporate portal. Whether it is used for distributing weekly sales reports, providing customers with personalized service offerings, or integrating critical information into corporate portals, BusinessObjects Enterprise delivers tangible benefits that extend across and beyond the organization. As an integrated suite for reporting, analysis, and information delivery, BusinessObjects Enterprise provides a solution for increasing end-user productivity and reducing administrative efforts.

Who should use this guide?This guide is intended for system administrators who are responsible for configuring, managing, and maintaining a BusinessObjects Enterprise installation. Familiarity with your operating system and your network environment is certainly beneficial, as is a general understanding of web server management and scripting technologies. However, in catering to all levels of administrative experience, this guide aims to provide sufficient background and conceptual information to clarify all administrative tasks and features.For more information about the product, consult the BusinessObjects Enterprise Getting Started Guide, the BusinessObjects Enterprise Installation Guide, and the BusinessObjects Enterprise User’s Guide. Online versions of these guides are included in the doc directory of your product distribution. Once you install BusinessObjects Enterprise, they are also accessible from the BusinessObjects Enterprise Launchpad.

Business Objects information resourcesFor more information and assistance, see Appendix H: Business Objects Information Resources. This appendix describes the Business Objects documentation, customer support, training, and consulting services, with links to online resources.


What’s New in BusinessObjects Enterprise

chapter

What’s New in BusinessObjects EnterpriseWelcome to BusinessObjects Enterprise XI2
Welcome to BusinessObjects Enterprise XI
BusinessObjects Enterprise XI is the business intelligence platform that supports the entire range of reporting, querying, and analysis. It also provides platform-level support for semantic layers, data integration, and security. BusinessObjects Enterprise provides full web-based administration and configuration of the entire system.This release extends the robust information infrastructure provided by earlier versions of BusinessObjects Enterprise and Crystal Enterprise. BusinessObjects Enterprise XI brings together features from across the Business Objects product line to meet the diverse needs of users, from presentation-quality reporting to in-depth data analysis. This version includes a variety of major enhancements spread across our data access methods, administration capabilities, and report design options. This chapter provides an overview of the new features and enhancements available in this version of BusinessObjects Enterprise.

About this versionBusinessObjects Enterprise provides an industry-standard, proven architecture based largely on an enhanced version of the Crystal Enterprise architecture, supplemented by powerful query and analysis, and data integration capabilities from the Business Objects product line.BusinessObjects Enterprise is designed to integrate seamlessly with existing data, web, and application investments without imposing a new set of standards and processes. Thanks to the extensive upgrade and content migration support provided in BusinessObjects Enterprise XI, existing customers can leverage their current investments in Business Objects and Crystal technology.

Supported productsAll Business Objects products are now available under the same platform. BusinessObjects Enterprise XI provides full support for the management, security, delivery, and interaction for the following products and versions:• Crystal Reports XI• BusinessObjects Web Intelligence XI• BusinessObjects OLAP Intelligence XI• BusinessObjects Data Integrator XI


What’s New in BusinessObjects EnterpriseNew features 2

For information about these products, consult the documentation provided with each component.BusinessObjects Enterprise XI also supports the following add-in components:• BusinessObjects Enterprise Live Office XI

Use Live Office to embed your business intelligence data into Word documents, Excel spreadsheets, and PowerPoint presentations. Then you can share the resulting Office documents securely using BusinessObjects Enterprise. By taking advantage of the security and management features of BusinessObjects Enterprise, you can manage your Office documents the same way you manage your business intelligence documents.

New featuresBusinessObjects Enterprise XI represents the full integration of traditional Business Objects and Crystal products, combining the best features of each product line. Whether you have an existing BusinessObjects Enterprise system or a Crystal Enterprise system, you will notice a wide range of new features in BusinessObjects Enterprise XI.

End-user experienceBusinessObjects Enterprise XI provides a significantly enhanced user experience for all customers.

CategoriesIf you are upgrading or migrating from an existing Crystal Enterprise deployment, you will notice the addition of categories to BusinessObjects Enterprise XI. If you’re migrating from BusinessObjects Enterprise 6.5, you can import your existing categories with the Import Wizard.Folders and categories work together to provide strong navigation capabilities. Folders are used as a location to store documents. Complimentary to folders, categories are used for classifying documents in BusinessObjects Enterprise. Categories provide an effective way of classifying documents that makes it easier for users to organize documents. The categorization of documents enables users to locate information more easily regardless of where it is stored within the system. Users can classify documents by using categories created by themselves and by others. By creating a combination of folders and categories, and setting appropriate rights for them, you can organize documents according to multiple criteria and improve both security and navigation.


What’s New in BusinessObjects EnterpriseNew features2

For example, if you currently organize your files into departmental folders, you could use categories to create an alternate filing system that divides content according to different roles in your organization, such as managers or VPs.You can associate documents with multiple categories, and you can create subcategories within categories.

DiscussionsDiscussions provide threaded notes on all documents within BusinessObjects XI, allowing users to add comments to documents in BusinessObjects Enterprise.In BusinessObjects Enterprise XI, you can add discussions to any document in the system either by selecting it from the document list or while the user is viewing the document. By adding discussions to documents, you can share knowledge about the information in the documents. You can grant other users access to the threaded discussions to allow new users to keep track of historical comments added to the documents.

InfoViewBusinessObjects Enterprise XI introduces a new InfoView, a completely updated business intelligence portal. InfoView has been designed to allow users to do most tasks within the BI environment without the need of IT intervention. Users familiar with previous versions of InfoView or ePortfolio will see that old features have been fully updated and improved. New features allow users to be even more productive.Through extensive testing and design, the new look and feel is designed for intuitive user interaction, combined with comprehensive support for the entire product line. From a single web environment, users can view, create, and interact with information.InfoView is available as a .NET (ASPX) version or a J2EE version (JSP). The delivery of both .NET and J2EE versions gives the customer the flexibility of deploying InfoView in their established environment.

PublishingIn BusinessObjects Enterprise 6 systems, the term publishing is related to sending a document to multiple users containing different information depending on the user rights. This functionality, traditionally provided by the Broadcast Agent Publisher and is now part of BusinessObjects Enterprise XI itself. The important features provided by the Broadcast Agent Publisher are provided in BusinessObjects Enterprise XI, including scheduling to different formats, and scheduling directly to email or printers. For more information on migrating documents, see the BusinessObjects Enterprise Installation Guide.



SchedulingBusinessObjects Enterprise XI provides scheduling capabilities for both Crystal reports and Web Intelligence documents. If you are migrating from an existing BusinessObjects Enterprise 6.x deployment, note that the Broadcast Agent Scheduler is no longer required. You will also notice that scheduling is more integrated in Business Objects XI and includes new features such as business calendars.BusinessObjects Enterprise XI also provides the ability to schedule documents on behalf of others. This secure mechanism allows a single report to serve the needs of multiple users by delivering only the specific subsets of information to each user according to their security profile. Unlike other techniques that require special programming efforts, this solution is more manageable and can be applied to all documents designed from secured Universes or Business Views.

Report designBusinessObjects XI includes Crystal Reports, the leading report design tool in the market. Crystal ReportsXI provides improved report design, usability, and processing, including significant enhancements to parameters to allow for the dynamic generation of lists of values.

Semantic LayerBusinessObjects Enterprise XI includes both Universes and Business Views, to help make the report design process even simpler.

UniversesUniverses are patented Business Objects technology. They act as a semantic layer between the user and a database.All universe objects and their associated connections are stored and secured in the repository of BusinessObjects Enterprise XI itself.If you’re migrating from an existing BusinessObjects Enterprise deployment, you can use Import Wizard to import your existing universes and their connection objects.

Business ViewsBusiness Views is a flexible and reliable multi-tier system that enables companies to build detailed and specific Business Views objects that help report designers and end users access the information they require. Note: Business Views can be used only by Crystal Reports, while Universes are accessible by both Crystal Reports as well as Web Intelligence.


Dynamic prompts and cascading lists of values
Dynamic prompts and cascading lists are now available in Crystal Reports, allowing prompt values to be populated from values in a database. Prompts can be arranged in a cascade, where one value in a prompt constrains values in subsequent picklists. Report designers no longer need to maintain static prompt lists in individual reports. A single prompt definition can be stored in the repository and shared among multiple reports, improving both runtime scalability and design time productivity.

Developer flexibility

BusinessObjects Enterprise development toolsBusinessObjects Enterprise provides SDKs for enterprise application developers to build application and portal integration on top of the platform. Recognizing the need for comprehensive support for different development environments, BusinessObjects Enterprise XI provides extensive .NET and Java SDKs.Note: BusinessObjects Enterprise also continues to support existing development in COM, although we recommend migrating to .NET or Java.BusinessObjects Enterprise XI includes an enhanced version of the Unified Web Services provided with the BusinessObjects Crystal Integration Pack. Unified Web Services includes server components (the providers) and both .NET and Java APIs that are used to write applications that consume the provided web services. The consumers simplify application development.

Web ServicesThe integration pack Web Services have been updated to support the new BusinessObjects XI platform features:• The Web Intelligence documents are served by the BusinessObjects XI

Web Intelligence report engine.• The LDAP authentication is natively supported.• Web Farm is support.As in the integration pack, the BusinessObjects XI Web Services deliver a Session service (Session management, authentication, and so on), a BICatalog service (InfoObject list, category management, and so on), and a ReportEngine service (Crystal Reports and Web Intelligence document viewing including prompt and drill management).



BusinessObjects Enterprise SDKBusinessObjects Enterprise SDK has been enhanced to include:• JavaServer Faces for BusinessObjects Enterprise XI.• Support for Web Intelligence, Inbox, Categories, Universes.• Java and Web Farms support.• Improved query language.

System administrationBusinessObjects Enterprise provides an efficient and scalable architecture for processing, managing, and delivering information to your users.

ManagementThe Central Management Console provides users with a centralized point for administering a variety of details including scheduling, security, and auditing.

ArchitectureIf you are upgrading from an existing BusinessObjects Enterprise 6.5 system, you will notice key differences in the architecture of BusinessObjects Enterprise XI. BusinessObjects Enterprise XI is built on a component- or services-based architecture. As a services-oriented architecture, it provides better flexibility, scalability, fault tolerance, and extensibility.BusinessObjects Enterprise XI inherits most of the new platform services from the proven Crystal Enterprise architecture, widely recognized as a highly scalable, reliable, and powerful platform by customers and industry experts alike. The service-oriented platform allows current Business Objects products such as Web Intelligence to plug directly into the framework without requiring extensive configuration.

Enhanced Page ServerOne of the many improvements in BusinessObjects Enterprise XI is the enhanced Page Server. The Page Server has the ability to grow and create sub processes as required, offering dynamic growth, improved reliability, and the smart use of resources. This leads to an increase in efficiency and performance.

AuditingInstead of using a separate auditing component, BusinessObjects Enterprise XI features built-in auditing features.



The auditing functionality of BusinessObjects Enterprise XI focuses on enabling administrators to gain a better understanding of the users accessing the system and the documents they are interacting with.The auditing functionality within BusinessObjects Enterprise has been implemented with the concept of a central auditor and individual server auditees, The auditor role is fulfilled by the Central Management Server (CMS), while individual services with auditing functionality are considered the auditees. This means that the overall system, as well as the individual services, can be audited depending on the level of detail required. The CMS collects and collates the auditing data from the system interactions and writes the information into the auditing database. You can then create reports based on this auditing data.There is no migration or integration of the BusinessObjects Auditor product. For more information on auditing, see the auditing chapter of the BusinessObjects Enterprise Administrator’s Guide.

Fault toleranceBusinessObjects Enterprise provides fail-over at the system management level (for scheduling, security, and authentication, for example). The system also provides full support for replication of all server components. Redundant components automatically take over the load if the system encounters a hardware failure or excessive wait times.BusinessObjects Enterprise XI includes enhanced support for session-level failover. If a processing service fails, another service identifies the failure and continues the processing. The enhanced fault tolerance ensures seamless reporting and query analysis for your users.

Load balancingIntelligent load balancing algorithms eliminate bottlenecks and maximize hardware efficiency. In a multi-server environment, you need to balance the load across multiple machines, in order to enhance scalability and maintain efficient server performance. BusinessObjects Enterprise XI includes built-in load balancing across all system management and report processing functions. It applies a mixture of active and passive approaches to maximize server availability and minimize response time for your users.

SecurityBusinessObjects Enterprise XI provides all of the existing security features currently supported in Crystal Enterprise. User, group, and object level security is controlled using Access Control Lists (ACL), an industry standard



method for controlling cascading security access. Security can be applied at the object level to all documents, categories, connections, universes, and universe restriction sets.The Central Management Console is a centralized management tool that can be used to administer security.For details on how rights are mapped, please see the BusinessObjects Enterprise XI Installation Guide.Business Objects XI now provides single sign-on with Active Directory authentication using the Kerberos protocol. By combining single sign-on and report viewing, you can provide end-to-end single sign-on, which allows a user’s security context to be retrieved from the host operating system and be used to access BusinessObjects Enterprise and the underlying databases for the reports and documents in the system.These capabilities require the system to run all components on the Windows operating system and for the users to use Internet Explorer with Active Directory authentication. Please see platforms.txt for more information on supported platforms.Business Objects XI has introduced single sign-on for LDAP authentication. When LDAP authentication is enabled, the administrator has the option to use Siteminder as an external system for authentication providing single sign-on capabilities to BusinessObjects Enterprise.Also, you can now configure your deployment to use the Secure Sockets Layer (SSL) protocol for all network communication between your BusinessObjects Enterprise XI servers.

MigrationAn administrator will be able to create users and groups, and import users and groups from existing BusinessObjects Enterprise and Crystal Enterprise deployments into BusinessObjects Enterprise XI using the Import Wizard. The Import Wizard maps most security rights from current systems directly to new users and groups in BusinessObjects Enterprise XI.For details on how rights are mapped or for more information on the Import Wizard, please see the BusinessObjects Enterprise XI Installation Guide.


Administering BusinessObjects Enterprise

chapter

Administering BusinessObjects EnterpriseAdministration overview3
Administration overview
The regular administrative tasks associated with BusinessObjects Enterprise can be roughly divided into three major categories: user management, content management, and server management. The remainder of this guide provides technical and procedural information corresponding to each of these management categories. This chapter briefly introduces new BusinessObjects Enterprise administrators to some of the available management tools. It also shows you how to make initial security settings, such as setting the password for the system’s default Administrator account.You will typically use the following applications to manage BusinessObjects Enterprise:• Central Management Console (CMC)

This web application is the most powerful administrative tool provided for managing a BusinessObjects Enterprise system. It offers you a single interface through which you can perform almost every task related to user management, content management, and server management.For an introduction to the CMC, see “Central Management Console” on page 32.

• Central Configuration Manager (CCM)In a Windows environment, the CCM allows you to manage local and remote servers through its Graphical User Interface (GUI) or from a command line. For an introduction to the CCM, see “Using the Central Configuration Manager” on page 37.

• Publishing WizardThis application allows you to publish your reporting content to For more information on publishing content to BusinessObjects Enterprise, see “Publishing overview” on page 360.

Central Management ConsoleYou will use the Central Management Console (CMC) extensively to manage your BusinessObjects Enterprise system. This tool allows you to perform user management tasks such as setting up authentication and adding users and groups. And it allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Additionally, the CMC enables you to manage servers and create server groups. Because the CMC is a web-based application, you can perform all of these administrative tasks remotely.


Administering BusinessObjects EnterpriseCentral Management Console 3

Any user with valid credentials to BusinessObjects Enterprise can log on to the CMC and set his or her preferences. However, users who are not members of the Administrators group cannot perform any of the available management tasks unless they have been granted rights to do so. For complete details about object rights, see “Controlling User Access” on page 301.

Logging on to the Central Management ConsoleThere are two ways to access the CMC: type the name of the machine you are accessing directly into your browser, or select BusinessObjects Enterprise Administration Launchpad from the program group on the Windows Start menu.

To log on to the CMC1. Go to the following page:

http://webserver/businessobjects/Enterprise11/WebTools/adminlaunch/default.aspx

Replace webserver with the name of the web server machine. If you changed this default virtual directory on the web server, you will need to type your URL accordingly.Tip: On Windows, you can click Start > Programs > BusinessObjects XI> BusinessObjects Enterprise > BusinessObjects Enterprise .NET Administration Launchpad (or Java Administration Launchpad).

2. Click Central Management Console.3. Type your User Name and Password.

For this example, type Administrator as the User Name. This default Enterprise account does not have a password until you create one. For details, see “Setting the Administrator password” on page 39.If you’re using LDAP or Windows NT authentication, you may log on using an account that has been mapped to the BusinessObjects Enterprise Administrators group.

4. Select Enterprise in the Authentication Type list.Windows AD, Windows NT and LDAP authentication also appear in the list; however, you must map your third-party user accounts and groups to BusinessObjects Enterprise before you can use these types of authentication.

5. Click Log On. The CMC Home page appears.


Administering BusinessObjects EnterpriseCentral Management Console3
Navigating within the Central Management Console
Because the CMC is a web-based application, you can navigate through its areas and pages in a number of ways:• Click the links or icons on the Home page to go to specific “management

areas.”• Select the same “management areas” from the drop-down list in the title

area of the window. Click Go if your browser doesn’t take you directly to the new page.

Once you leave the Home page, your location within the CMC is indicated by a path that appears above the title of each page. For example, Home > Users > New User indicates that you’re on the New User page. You can click the hyperlinked portions of the path to jump quickly to different parts of the application. In this example, you could click Home or Users to go to the corresponding page.

Setting console preferencesThe Preferences area of the CMC allows you to customize your administrative view of BusinessObjects Enterprise.

To set the console preference1. Log on to the CMC and click the Preferences button in the upper-right

corner of the CMC. 2. Set the preference as required. See “CMC preferences” on page 34. 3. Click OK.

CMC preferences


Administering BusinessObjects EnterpriseCentral Management Console 3

ViewerThis list sets the default report viewer that is loaded when you view a report in the CMC. To set the available and default viewers for all users, see “Configuring the processing tier” on page 106.

Maximum number of objects per pageThis option limits the number of objects listed on any page or tab in the CMC.Note: This setting does not limit the number of objects displayed, simply the number displayed per page. For details about limiting the number of objects displayed on a page or in a search, see “Setting the Query size threshold” on page 36.

Maximum number of characters for each page indexWhen a list of objects spans multiple pages, the full list is sorted alphanumerically and indexed before being subdivided. At the top of every page, hyperlinks are displayed as an index to each of the remaining pages. This setting determines the number of characters that are included in each hyperlink.In this example, the maximum number of characters is set to 3, so three-character hyperlinks are used to index the report objects on each page.Note: To specify an unlimited maximum number of characters, select the Unlimited check box.

Measuring units for report page layoutSpecify inches or millimeters as the measuring units used by default when you customize a report’s page layout on the report object’s Print Setup tab.

Time zoneIf you are managing BusinessObjects Enterprise remotely, use this list to specify your time zone. BusinessObjects Enterprise synchronizes scheduling patterns and events appropriately. For instance, if you select Eastern Time (US & Canada), and you schedule a report to run at 5:00 a.m. every day on a server that is located in San Francisco, then the server will run the report at 2:00 a.m. Pacific Time.For more information about time zones, see “Supporting users in multiple time zones” on page 511.

My PasswordClick the Change Password link to change the password for the account under which you are currently logged on.


Administering BusinessObjects EnterpriseCentral Management Console3
Setting the Query size threshold
By default, when you go to the Objects, Folders, Groups, or Users management areas of the CMC, a list of objects in that management area is displayed. Because BusinessObjects Enterprise loads each of the objects in the list, if you have numerous objects this can heavily tax your system resources. You can modify the number of objects displayed by setting the Query size threshold in the Business Objects Applications management area of the CMC. By default the Query size threshold value is 500. This means that BusinessObjects Enterprise prompts users to use the search function of the CMC if the return size exceeds 500 objects. Modify this value to specify the maximum number of objects that displayed on the initial pages of the Objects, Folders, Groups, and Users management areas of the CMC and when displaying search results in these management areas.

To set the Query size threshold1. Go to the BusinessObjects Enterprise Applications management area

of the CMC.2. Click the BusinessObjects Enterprise Central Management Console

link.The Query size threshold page appears.

3. In the Prompt for search if the return size exceeds field, type the maximum number of objects you want to be returned in searches and on the initial pages of the Objects, Folders, Groups, and Users management areas.


Administering BusinessObjects EnterpriseUsing the Central Configuration Manager 3

4. In the CMC Access URL field, type the URL for the CMC. Specifying the URL here allows Crystal Reports to get this URL from the CMS in order to call pages in the CMC. It needs to call these pages in order to support the previewing of reports and to enable administration tasks to be performed from Crystal Reports.

5. Click Update.Note: To modify the number of objects displayed on a page (rather than the total number of objects displayed), see “Setting console preferences” on page 34.

Logging off of the Central Management ConsoleWhen you have finished using the CMC, end the session by logging off. The Logoff button is located in the upper-right corner of the console.

Using the Central Configuration ManagerThe Central Configuration Manager (CCM) is a server-management tool that allows you to configure each of your BusinessObjects Enterprise server components. This tool allows you to start, stop, enable, and disable servers. It also allows you to view and to configure advanced server settings such as default port numbers, CMS database and clustering details, SOCKS server connections, and more.To access the CCM, see:• “Accessing the CCM for Windows” on page 37

Accessing the CCM for WindowsFrom a Windows machine, use the CCM to manage BusinessObjects Enterprise server components that are running locally or on a remote Windows machine. To run the CCM, you must have NT administrator rights on the local machine. If you are managing servers on a remote machine, you must also have NT administrator rights on the machine you are connecting to. Depending on the configuration of your network, you might be prompted to enter a user name and password.

To start the CCMFrom the BusinessObjects Enterprise program group, click Central Configuration Manager.


Administering BusinessObjects EnterpriseMaking initial security settings3

The servers that are available on the local machine appear in the list. A status icon is displayed for each server:• A green arrow indicates the server is running.• A yellow arrow indicates the server is starting.• A red arrow indicates the server is not running.Note: The status icons do not indicate whether servers are enabled or disabled. Servers must be enabled before they will respond to BusinessObjects Enterprise requests. Click Enable/Disable on the toolbar to log on and enable or disable servers. For details, see “Enabling and disabling servers” on page 81.

To connect to servers on a remote machine1. Once you have started the CCM, you can connect to a remote machine in

several ways:• In the Computer Name field, type the name of the machine you want

to connect to; then press Enter.• In the Computer Name field, select a remote machine from the list.• On the toolbar, click Browse. Select the appropriate computer; then

click OK.2. If prompted, log on to the remote machine with an account holding

administrative rights.Note: You may need to type your user name as domain\username. The CCM lists the servers associated with this machine.

Making initial security settingsTo ensure system security, you may want to configure the following security settings before you publish content or provide users with access to BusinessObjects Enterprise:• “Setting the Administrator password” on page 39• “Disabling the Guest account” on page 39• “Modifying the default security levels” on page 40For additional security information, you may also want to refer to:• Chapter 11: BusinessObjects Enterprise Security Concepts• “Available authentication types” on page 238• “Controlling User Access” on page 301


Administering BusinessObjects EnterpriseMaking initial security settings 3

Setting the Administrator passwordAs part of the installation, BusinessObjects Enterprise creates an Administrator account and a Guest account that do not have passwords. Log on to the Central Management Console (CMC) with the Administrator account and use the following procedure to create a secure password for the Administrator account.Note: Do not create a password for the Guest account if you plan to use the anonymous single sign-on or the Sign Up features available in BusinessObjects Enterprise. To disable these features, see “Disabling the Guest account” on page 39.

To change the Administrator password1. Go to the Users management area of the CMC.2. Click the link for the Administrator account.3. In the Enterprise Password Settings area, enter and confirm the new

password.4. If it is selected, clear the “User must change password at next logon”

check box.5. Click Update.

Disabling the Guest accountBy disabling the Guest account, you ensure that no one can log on to BusinessObjects Enterprise with this account. In doing so, you also disable the anonymous single sign-on functionality of BusinessObjects Enterprise, so users will be unable to access InfoView without providing a valid user name and password.

To disable the Guest account1. Go to the Users management area of the CMC.2. In the Account Name column, click Guest.3. On the Properties tab, select the Account is disabled check box.4. Click Update.5. If you are prompted for confirmation, click OK.For more information about user accounts, see “Managing Enterprise and general accounts” on page 239.


Administering BusinessObjects EnterpriseManaging universes3
Modifying the default security levels
This procedure shows where you can modify the default object rights that users are granted to the top-level BusinessObjects Enterprise folder. Initially, the Everyone group is granted Schedule access to the top-level folder, and the Administrators group is granted Full Control. You can change these default security levels to suit your needs. For a full description of object rights and inheritance patterns, see “Controlling users’ access to objects” on page 303.

To modify top-level security settings1. Go to the Settings management area of the CMC.2. Click the Rights tab.3. As required, change the entry in the Access Level list for each user or

group that is displayed.For detailed information, see “Controlling users’ access to objects” on page 303.

4. Click Update.5. Click Add/Remove to grant different levels of security to additional users

or groups.

Managing universesWeb Intelligence users connect to a universe, and run queries against a database. They can do data analysis and create reports using the objects in a universe, without seeing, or having to know anything about, the underlying data structures in the database. You create a universe by using the Designer. For complete information, see the Designer’s Guide. Using CMC, you can view and delete universes. You can also control who has access rights to a universe. See “Controlling access to universes” on page 340.

To view a universe1. Go to the Universes management area of the CMC.

The Universes page appears.2. Click the link for the universe you want to view.

The properties page for the universe appears.


Administering BusinessObjects EnterpriseManaging universe connections 3

To delete a universe1. Go to the Universes management area of the CMC.

The Universes page appears.2. Select the universe you want to delete.3. Click Delete.

Managing universe connectionsA connection is a named set of parameters that defines how a BusinessObjects application accesses data in a database file. A connection links Web Intelligence to your middleware. You must have a connection to access data. You must select or create a connection when you create a universe. For complete information, see the Designer’s Guide.Using CMC, you can view and delete connections. You can also control who has access rights to a connection. See “Controlling access to universe connections” on page 341.

To view connections1. Go to the Universe Connections management area of the CMC.

The Connections page appears.2. Click the link for the connection you want to view.

The properties page for the connection appears.

To delete a universe connection1. Go to the Universe Connections management area of the CMC.

The Universe Connections page appears.2. Select the connection you want to delete.3. Click Delete.

Managing InfoViewYou can use the Business Objects Applications area of the Central Management Console to make minor changes to the appearance and functionality of InfoView, without doing any programming. You can also configure settings that control which viewers are available to users.When users view a report using the Advanced DHTML viewer, the report is processed by the Report Application Server.


Administering BusinessObjects EnterpriseManaging InfoView3

If you are using the Java version of InfoView and want users to be able to use the Active X or Java viewers, you must enter the context path of the Web Component Adapter. Consult the BusinessObjects Enterprise Installation Guide for more information.


Administering BusinessObjects EnterpriseManaging Web Intelligence 3

To manage settings for InfoView1. Go to the BusinessObjects Enterprise Applications management area

of the CMC.2. Click InfoView. 3. On the Properties tab, select the options that you want.4. Click Update.

Managing Web IntelligenceFor the Web Intelligence application, make sure you grant access to the “Allows interactive HTML viewing (as per license)” option in order for users to be able use the Interactive view format and use the Query HTML panel. The user can select this view format and report panel option in the Web Intelligence Document Preferences tab in InfoView.

To manage settings for Web Intelligence1. Go to the BusinessObjects Enterprise Applications management area

of the CMC.2. Click Web Intelligence.3. On the Properties tab, select the options that you want.4. Click Update.

Managing DiscussionsBusinessObjects Enterprise administrators are responsible for maintaining the discussion threads and for granting the appropriate access rights to BusinessObjects Enterprise users. Managing Discussions includes the following tasks:• “Accessing the Discussions page” on page 44• “Searching for discussion threads” on page 44• “Sorting search results” on page 46• “Deleting discussion threads” on page 46• “Setting user rights” on page 46


Administering BusinessObjects EnterpriseManaging Discussions3
Accessing the Discussions page
To access the Discussions page1. Go to the BusinessObjects Enterprise Applications management area

of the CMC.2. Click Discussions.

The Discussions page appears.

Searching for discussion threadsBy default, the Discussions page displays the titles of all discussion threads. Only the root level threads are displayed. Branches from the root level thread are not displayed. Use the Previous and Next buttons to page through the list of discussion threads.You can search for a specific thread or group of threads.Note: To cancel a search and reset the search values back to the default settings, click Cancel.

To search for a discussion thread1. Go to the BusinessObjects Enterprise Applications management area

of the CMC.2. Click Discussions.

The Discussions page appears.


Administering BusinessObjects EnterpriseManaging Discussions 3

3. In the Field name list, select which of the following criteria you want to search by:• Thread title. Search by the title of a thread.• Creation date. Search by the date the thread was created.• Last modified date. Search based on the date a thread was last

modified.• Author. Search by the author of a specific thread.

4. From the second list, refine your search.If you search by Thread title or Author, the second field provides you with the following options.• is: The DMC searches for any discussion threads where the thread

title, or the author name, exactly match the text that you type into the third field. Searches are not case sensitive.

• is not: The DMC searches for any discussion threads where the thread title, or the author name, do not exactly match the text that you type into the third field.

• contains: The DMC searches for any discussion threads that contain the search text string within any part of the thread title or the author’s name.

• does not contain: The DMC searches for any discussion threads that do not contain the text string within any part of the thread title.

If you search by Creation date or Last modified date, there are the following options.• before: The DMC searches for any discussion threads that were

created or modified before the search date.• after: The DMC searches for any discussion threads that were

created or modified after the search date.• between: The DMC searches for any discussion threads that were

created or modified between the two search dates.5. Use the third field to further refine your search.

If you selected a text-based search in the first two fields, type in the text string. If you selected a date-based search, enter the date or dates in the appropriate fields.

6. Click Search to display all the records that match your search criteria.


Administering BusinessObjects EnterpriseManaging Discussions3
Sorting search results
You can select how you want your search results to display. For example you can display them in ascending alphabetical order, and choose how many results to display per page.

To sort your results1. In the Sort by list, select which of the following criteria you want to display:

• Thread title. Sort by the title of a thread.• Creation date. Sort by the date the thread was created.• Last modified date. Sort based on the date a thread was last

modified.• Author. Sort by the author of a specific thread.

2. In the second list, select whether you want the records to be displayed in ascending or descending order.

3. In the third category, enter how many results you want to be displayed on each page.

4. Click Search.

Deleting discussion threadsYou can delete any discussion thread.

To delete a discussion thread1. On the Discussions page, select which threads you want to delete in the

results list.For details, see “Accessing the Discussions page” on page 44.Tip: You can use the Select All and Clear All buttons to select or clear all the threads displayed on the page.

2. Click Delete.The selected threads are deleted.

Setting user rightsUsers of the Discussions feature must have the right to view a report in order to create a discussion thread, or add a note to a report. For more information on setting user rights to reports and report objects, see Chapter 13: Controlling User Access.


BusinessObjects Enterprise Architecture

chapter

BusinessObjects Enterprise ArchitectureArchitecture overview and diagram4
Architecture overview and diagram
BusinessObjects Enterprise is a multi-tier system. Although the components are responsible for different tasks, they can be logically grouped based on the type of work they perform. If you are new to BusinessObjects Enterprise, use this chapter to gain familiarity with the BusinessObjects Enterprise framework, its components, and the general tasks that each component performs.In BusinessObjects Enterprise, there are five tiers: the client tier, the application tier, the intelligence tier, the processing tier, and the data tier. To provide flexibility, reliability, and scalability the components that make up each of these tiers can be installed on one machine, or spread across many.The following diagram illustrates how each of the components fits within the multi-tier system. Other Business Objects products, such as OLAP Intelligence and Report Application Server, plug in to the BusinessObjects Enterprise framework in various ways. This chapter describes the framework itself. Consult each product’s installation or administration guides for details about how it integrates with the BusinessObjects Enterprise framework.The “servers” run as services on Windows machines. On UNIX, the servers run as daemons. These services can be “vertically scaled” to take full advantage of the hardware that they are running on, and they can be “horizontally scaled” to take advantage of multiple computers over a network environment. This means that the services can all run on the same machine, or they can run on separate machines. The same service can also run in multiple instances on a single machine.For example, you can run the Central Management Server and the Event Server on one machine, while you run the Report Application Server on a separate machine. This configuration is called “horizontal scaling.” If the Report Application Server is running on a multi-processor computer, then you may choose to run multiple Report Application Servers on it. This configuration is called “vertical scaling.” The important thing to understand is that, even though these are called servers, they are actually services and daemons that do not need to run on separate computers.Note: BusinessObjects Enterprise Standard requires all of the components to be installed on one machine.


BusinessObjects Enterprise ArchitectureArchitecture overview and diagram 4

The remainder of this chapter describes each tier, the key BusinessObjects Enterprise components, and their primary responsibilities:• “Client tier” on page 50• “Application tier” on page 52• “Processing tier” on page 58• “Data tier” on page 62Tip: When you are familiar with the architecture and want to customize your system configuration, see Chapter 5: Managing and Configuring Servers and Chapter 7: Scaling Your Systemthe BusinessObjects Enterprise Administrator’s Guide.Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format.


BusinessObjects Enterprise ArchitectureClient tier4
Client tier
The client tier is the only part of the BusinessObjects Enterprise system that administrators and end users interact with directly. This tier is made up of the applications that enable people to administer, publish, and view reports and other objects.

The client tier includes:• “InfoView” on page 50• “Central Management Console (CMC)” on page 50• “Central Configuration Manager (CCM)” on page 51• “Publishing Wizard” on page 51• “Import Wizard” on page 51

InfoViewBusinessObjects Enterprise comes with InfoView, a web-based interface that end users access to view, schedule, and keep track of published reports. Each BusinessObjects Enterprise request that a user makes is directed to the BusinessObjects Enterprise application tier. The web server forwards the user request directly to an application server where the request is processed by the WCA.InfoView also serves as a demonstration of the ways in which you can use the BusinessObjects Enterprise Software Development Kit (SDK) to create a custom web application for end users. In the case of .NET, InfoView also demonstrates how you can use the BusinessObjects Enterprise .NET Server Components. For more information, see the developer documentation available on your product CD.

Central Management Console (CMC)The Central Management Console (CMC) allows you to perform user management tasks such as setting up authentication and adding users and groups. It also allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Additionally, the CMC enables you to manage servers and create server groups. Because the CMC is a web-based


BusinessObjects Enterprise ArchitectureClient tier 4

application, you can perform all of these administrative tasks remotely. For more information, see “Central Management Console (CMC)” on page 50the BusinessObjects Enterprise Administrator’s Guide.The CMC also serves as a demonstration of the ways in which you can use the administrative objects and libraries in the BusinessObjects Enterprise SDK to create custom web applications for administering BusinessObjects Enterprise. For more information, see the developer documentation available on your product CD.

Central Configuration Manager (CCM)The Central Configuration Manager (CCM) is a server-management tool that allows you to configure each of your BusinessObjects Enterprise server components. This tool allows you to start, stop, enable, and disable servers, and it allows you to view and to configure advanced server settings. On Windows, these settings include default port numbers, CMS database and clustering details, SOCKS server connections, and more. In addition, on Windows the CCM allows you to add or remove servers from your BusinessObjects Enterprise system. On UNIX, some of these functions are performed using other tools. For more information, see “Using the Central Configuration Manager” on page 37the BusinessObjects Enterprise Administrator’s Guide and Chapter 5: Managing and Configuring Servers.

Publishing WizardThe Publishing Wizard is a locally installed Windows application that enables both administrators and end users to add reports to BusinessObjects Enterprise. By assigning object rights to BusinessObjects Enterprise folders, you control who can publish reports and where they can publish them to. For more information, see “Publishing overview” on page 360 and “Controlling users’ access to objects” on page 303the BusinessObjects Enterprise Administrator’s Guide.The Publishing Wizard publishes reports from a Windows machine to BusinessObjects Enterprise servers running on Windows or on UNIX.

Import WizardThe Import Wizard is a locally installed Windows application that guides administrators through the process of importing users, groups, reports, and folders from an existing BusinessObjects Enterprise, Crystal Enterprise, or


BusinessObjects Enterprise ArchitectureApplication tier4

Crystal Info implementation to BusinessObjects Enterprise. For more information, see “Importing with the Import Wizard” on page 388the BusinessObjects Enterprise Administrator’s Guide.The Import Wizard runs on Windows, but you can use it to import information into a new BusinessObjects Enterprise system running on Windows or on UNIX.

Application tierThe application tier hosts the server-side components that process requests from the client tier as well as the components that communicate these requests to the appropriate server in the intelligence tier. The application tier includes support for report viewing and logic to understand and direct web requests to the appropriate BusinessObjects Enterprise server in the intelligence tier. The application tier includes:• “Application tier components” on page 52• “Web development platforms” on page 53• “Web application environments” on page 54

Application tier componentsFor both the Java and .NET platforms, the application tier includes the following components:• “Application server and BusinessObjects Enterprise SDK” on page 53• “Web Component Adapter (WCA)” on page 53

Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through


BusinessObjects Enterprise ArchitectureApplication tier 4

the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.

Application server and BusinessObjects Enterprise SDKBusinessObjects Enterprise systems that use the BusinessObjects Enterprise Java SDK or the BusinessObjects Enterprise .NET SDK run on a third party application server. See the Platforms.txt file included with your product distribution for a complete list of tested application servers and version requirements.The application server acts as the gateway between the web server and the rest of the components in BusinessObjects Enterprise. The application server is responsible for processing requests from your browser. It also supports InfoView and other Business Objects applications, and uses the SDK to convert report pages (.epf files) to HTML format when users view pages with a DHTML viewer.

Web Component Adapter (WCA)The web server communicates directly with the application server that hosts the BusinessObjects Enterprise SDK. The Web Component Adapter (WCA) runs within the application server and provides all services that are not directly supported by the BusinessObjects Enterprise SDK. The web server passes requests directly to the application server, which then forwards the requests on to the WCA.The WCA has two primary roles:• It processes ASP.NET (.aspx) and Java Server Pages (.jsp) files• It also supports Business Objects applications such as the Central

Management Console (CMC) and Crystal report viewers (that are implemented through viewrpt.aspx requests).

Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.

Web development platformsBusinessObjects Enterprise supports the following web development platforms:


BusinessObjects Enterprise ArchitectureApplication tier4

• “Java platform” on page 54• “Windows .NET platform” on page 54

Java platformAll UNIX installations of BusinessObjects Enterprise include a Web Component Adapter (WCA). In this configuration, a Java application server is required to host the WCA and the BusinessObjects Enterprise Java SDK. The use of a web server is optional as you may choose to have static content hosted by the application server.

Windows .NET platformBusinessObjects Enterprise installations that use the .NET Framework include Primary Interop Assemblies (PIAs) that allow you to use the BusinessObjects Enterprise .NET SDK with ASP.NET, and a set of .NET Server Components that you can optionally use to simplify the development of custom applications. This configuration requires the use of a Microsoft Internet Information Services (IIS) web server. Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.You do not need a Web Component Adapter for custom ASP.NET applications.

Web application environmentsBusinessObjects Enterprise supports Java Server Pages (.jsp) and ASP.NET (.aspx) pages. BusinessObjects Enterprise includes web applications developed in .aspx, such as InfoView and the sample applications available via the BusinessObjects Enterprise Launchpad. Java Server Pages (.jsp) and ASP.NET (.aspx) pages allow you to develop cross-platform J2EE and ASP.NET applications that use the BusinessObjects Enterprise SDKs in conjunction with third party APIs.Note: For backward compatibility, BusinessObjects Enterprise continues to l support Crystal Server Pages (.csp) and Active Server Pages (.asp).


BusinessObjects Enterprise ArchitectureIntelligence tier 4

BusinessObjects Enterprise also includes Primary Interop Assemblies (PIAs) that enable you to use the BusinessObjects Enterprise SDK and Report Application Server SDK with ASP.NET. It also includes a set of .NET Server Components which simplify development of custom BusinessObjects Enterprise applications in ASP.NET. For more information, see the developer documentation available on your product CD.

Intelligence tierThe intelligence tier manages the BusinessObjects Enterprise system. It maintains all of the security information, sends requests to the appropriate servers, manages audit information, and stores report instances.

For more information, refer to the following sections:• “Central Management Server (CMS)” on page 55• “Cache Server” on page 57• “File Repository Servers” on page 57• “Event Server” on page 58

Central Management Server (CMS)The CMS is responsible for maintaining a database of information about your BusinessObjects Enterprise system, which other components can access as required. The data stored by the CMS includes information about users and groups, security levels, BusinessObjects Enterprise content, and servers. The CMS also maintains the BusinessObjects Enterprise Repository, and a separate audit database of information about user actions. This data allows the CMS to perform its four main tasks:• Maintaining security

By maintaining a database of users and their associated object rights, the CMS enforces who has access to BusinessObjects Enterprise and the types of tasks they are able to perform. These tasks include enforcing and maintaining the licensing policy of your BusinessObjects Enterprise system.


BusinessObjects Enterprise ArchitectureIntelligence tier4

• Managing objectsThe CMS keeps track of the location of objects and maintains the containment hierarchy, which includes folders, categories, and inboxes. By communicating with the Job Servers and Program Job Servers, the CMS is able to ensure that scheduled jobs run at the appropriate times.

• Managing serversBy staying in frequent contact with each of the servers in the system, the CMS is able to maintain a list of server status. Report viewers access this list, for instance, to identify which Cache Server is free to use for a report viewing request.

• Managing auditingBy collecting information about user actions from each BusinessObjects Enterprise server, and then writing these records to a central audit database, the CMS acts as the system auditor. This audit information allows system administrators to better manage their BusinessObjects Enterprise deployment.

Note: In previous versions of Crystal Enterprise, the Central Management Server (CMS) was known as the Crystal Management Server, and also as the Automated Process Scheduler (APS).Typically, you provide the CMS with database connectivity and credentials when you install BusinessObjects Enterprise, so the CMS can create its own system database and BusinessObjects Enterprise Repository database using your organization’s preferred database server. For details about setting up CMS databases, see the BusinessObjects Enterprise Installation Guide, and “Configuring the auditing database” on page 195the BusinessObjects Enterprise Administrator’s Guide. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements.Note: • It is strongly recommended that you back up the CMS system database,

and the audit database frequently. The backup procedure depends upon your database software. If you are unsure of the procedure, consult with your database administrator.

• The CMS database should not be accessed directly. System information should only be retrieved using the calls that are provided in the BusinessObjects Enterprise Software Development Kit (SDK). For more information, see the developer documentation available on your product CD.

• You can access the audit database directly to create custom audit reports. See “Creating custom audit reports” on page 202the BusinessObjects Enterprise Administrator’s Guide for more information.


BusinessObjects Enterprise ArchitectureIntelligence tier 4

On Windows, the Setup program can install and configure its own Microsoft Data Engine (MSDE) database if necessary. MSDE is a client/server data engine that provides local data storage and is compatible with Microsoft SQL Server. If you already have the MSDE or SQL Server installed, the installation program uses it to create the CMS system database. You can migrate your default CMS system database to a supported database server later.For details about configuring the CMS, its system database, and CMS clusters, see “Configuring the intelligence tier” on page 87the BusinessObjects Enterprise Administrator’s Guide. For more information about Auditing, see “Managing Auditing” on page 189the BusinessObjects Enterprise Administrator’s Guide.

Cache ServerThe Cache Server is responsible for handling all report viewing requests. The Cache Server checks whether or not it can fulfill the request with a cached report page. If the Cache Server finds a cached page that displays exactly the required data, with data that has been refreshed from the database within the interval that you have specified as the default, the Cache Server returns that cached report page.If the Cache Server cannot fulfil the request with a cached report page, it passes the request along to the Page Server. The Page Server runs the report and returns the results to the Cache Server. The Cache Server then caches the report page for future use, and returns the data to the viewer. By storing report pages in a cache, BusinessObjects Enterprise avoids accessing the database each and every time a report is requested. If you are running multiple Page Servers for a single Cache Server, the Cache Server automatically balances the processing load across Page Servers. For more information, see “Modifying Cache Server performance settings” on page 103the BusinessObjects Enterprise Administrator’s Guide.

File Repository ServersThere is an Input and an Output File Repository Server in every BusinessObjects Enterprise implementation.The Input File Repository Server manages all of the report objects and program objects that have been published to the system by administrators or end users (using the Publishing Wizard, the Central Management Console, the Import Wizard, or a Business Objects designer component such as Crystal Reports or the Web Intelligence Java or HTML Report Panels).


BusinessObjects Enterprise ArchitectureProcessing tier4

Tip: If you use the BusinessObjects Enterprise SDK, you can also publish reports from within your own code.The Output File Repository Server manages all of the report instances generated by the Report Job Server or the Web Intelligence Report Server, and the program instances generated by the Program Job Server.The File Repository Servers are responsible for listing files on the server, querying for the size of a file, querying for the size of the entire file repository, adding files to the repository, and removing files from the repository.Note: • The Input and Output File Repository Servers cannot share the same

directories. This is because one of the File Repository Servers could then delete files and directories belonging to the other.

• In larger deployments, there may be multiple Input and Output File Repository Servers, for redundancy. In this case, all Input File Repository Servers must share the same directory. Likewise, all Output File Repository Servers must share a directory.

• Objects with files associated with them, such as text files, Microsoft Word files, or PDFs, are stored on the Input File Repository Server.

Event ServerThe Event Server manages file-based events. When you set up a file-based event within BusinessObjects Enterprise, the Event Server monitors the directory that you specified. When the appropriate file appears in the monitored directory, the Event Server triggers your file-based event: that is, the Event Server notifies the CMS that the file-based event has occurred. The CMS then starts any jobs that are dependent upon your file-based event.After notifying the CMS of the event, the Event Server resets itself and again monitors the directory for the appropriate file. When the file is newly created in the monitored directory, the Event Server again triggers your file-based event.Note: Schedule-based events, and custom events are managed by the Central Management Server.

Processing tierThe processing tier accesses the data and generates the reports. It is the only tier that interacts directly with the databases that contain the report data.


BusinessObjects Enterprise ArchitectureProcessing tier 4

The processing tier includes:• “Report Job Server” on page 59• “Program Job Server” on page 60• “Web Intelligence Job Server” on page 60• “Web Intelligence Report Server” on page 60• “Report Application Server (RAS)” on page 61• “Destination Job Server” on page 61• “List of Values Job Server” on page 62• “Page Server” on page 62

Report Job ServerA Job Server processes scheduled actions on objects at the request of the CMS. You can configure a Job Server to process either report objects or program objects when you add it to your BusinessObjects Enterprise system. If you configure a Job Server to process report objects, it becomes a Report Job Server.The Report Job Server processes scheduled reports, as requested by the CMS, and generates report instances (instances are versions of a report object that contain saved data). To generate a report instance, the Report Job Server obtains the report object from the Input FRS and communicates with the database to retrieve the current data. Once it has generated the report instance, it stores the instance on the Output FRS.


BusinessObjects Enterprise ArchitectureProcessing tier4
Program Job Server
A Job Server processes scheduled actions on objects at the request of the CMS. You can configure a Job Server to process either report objects or program objects when you add it to your BusinessObjects Enterprise system. If you configure a Job Server to process program objects, it becomes a Program Job Server.Program objects allow you to write, publish, and schedule custom applications, including scripts, Java programs or .NET programs that run against, and perform maintenance work on, BusinessObjects Enterprise.The Program Job Server processes scheduled program objects, as requested by the CMS. To run a program, the Program Job Server first retrieves the files from storage on the Input File Repository Server, and then runs the program. By definition, program objects are custom applications. Therefore the outcome of running a program will be dependent upon the particular program object that is run. Unlike report instances, which can be viewed in their completed format, program instances exist as records in the object history. BusinessObjects Enterprise stores the program’s standard out and standard error in a text output file. This file appears when you click a program instance in the object History.

Web Intelligence Job ServerThe Web Intelligence Job Server processes scheduling requests it receives from the CMS for Web Intelligence documents. It forwards these requests to the Web Intelligence Report Server, which will generate the instance of the Web Intelligence document. The Web Intelligence Job Server does not actually generate object instances.

Web Intelligence Report ServerThe Web Intelligence Report Server is used to create, edit, view, and analyze Web Intelligence documents. It also processes scheduled Web Intelligence documents and generates new instances of the document, which it stores on the Output File Repository Server (FRS). Depending on the user’s access rights and the refresh options of the document, the Web Intelligence Report Server will use cached information, or it will refresh the data in the document and then cache the new information.


BusinessObjects Enterprise ArchitectureProcessing tier 4

Report Application Server (RAS)The Report Application Server (RAS) processes reports that users view with the Advanced DHTML viewer. The RAS also provides the ad hoc reporting capabilities that allow users to create and modify reports over the Web.The RAS is very similar to the Page Server: it too is primarily responsible for responding to page requests by processing reports and generating EPF pages. However, the RAS uses an internal caching mechanism that involves no interaction with the Cache Server.As with the Page Server, the RAS supports COM, ASP.NET, and Java viewer SDKs. The Report Application Server also includes an SDK for report-creation and modification, providing you with tools for building custom report interaction interfaces.

Destination Job ServerWhen you add a job server to your BusinessObjects Enterprise system, you can configure it to process report objects or program objects, or to send objects or instances to specified destinations. If you configure it to send objects or instances, it become a Destination Job Server.A Destination Job Server processes requests that it receives from the CMS and sends the requested objects or instances to the specified destination:• If the request is for an object, it retrieves the object from the Input File

Repository Server. • If the request is for a report or program instance, it retrieves the instance

from the Output File Repository Server.The Destination Job Server can send objects and instances to destinations inside the BusinessObjects Enterprise system, for example, a user’s inbox, or outside the system, for example, by sending a file to an email address.The Destination Job Server does not run the actual report or program objects. It only handles objects and instances that already exist in the Input or Output File Repository Servers. For more information, see “Sending an object or instance” on page 406the Business Objects Enterprise Administrator’s Guide.


BusinessObjects Enterprise ArchitectureData tier4
List of Values Job Server
The List of Values Job Server processes scheduled list-of-value objects. These are objects that contain the values of specific fields in a Business View. Lists of values are use to implement dynamic prompts and cascading lists of values within Crystal Reports. List-of-value objects do not appear in CMC or InfoView. For more information, see the Business Views Administrator’s Guide. The List of Values Job Server behaves similarly to the Report Job Server in that it retrieves the scheduled objects from the Input File Repository Server (FRS) and saves the instance it generates to the Output FRS. There is never more than one instance of a list-of-values object. On demand list of value objects are processed by the Report Application Server.

Page Server The Page Server is primarily responsible for responding to page requests by processing reports and generating Encapsulated Page Format (EPF) pages. The EPF pages contain formatting information that defines the layout of the report. The Page Server retrieves data for the report from an instance or directly from the database (depending on the user’s request and the rights he or she has to the report object). When retrieving data from the database, the Page Server automatically disconnects from the database after it fulfills its initial request and reconnects if necessary to retrieve additional data. (This behavior conserves database licenses.)The Cache Server and Page Server work closely together. Specifically, the Page Server responds to page requests made by the Cache Server. The Page Server and Cache Server also interact to ensure cached EPF pages are reused as frequently as possible, and new pages are generated as soon as they are required. BusinessObjects Enterprise takes advantage of this behavior by ensuring that the majority of report-viewing requests are made to the Cache Server and Page Server. (However, if a user’s default viewer is the Advanced DHTML viewer, the report is processed by the Report Application Server.) The Page Server also supports COM, ASP.NET, and Java viewer Software Development Kits (SDKs).

Data tierThe data tier is made up of the databases that contain the data used in the reports. BusinessObjects Enterprise supports a wide range of corporate databases.


BusinessObjects Enterprise ArchitectureReport viewers 4

See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements.

Report viewersBusinessObjects Enterprise includes report viewers that support different platforms and different browsers in the client tier, and which have different report viewing functionality. (For more information on the specific functionality or platform support provided by each report viewer, see the BusinessObjects Enterprise User’s Guide or the Crystal Reports Developer’s Guide.)All of the viewers fall into two categories:• client-side viewers

Client-side viewers are downloaded and installed in the users’ web browser.

• zero client viewersThe code to support zero client viewers resides in the application tier.

All report viewers help process requests for reports, and present report pages that appear in the user’s browser.

Client-side viewersClient-side viewers are downloaded and installed in the user’s browser. When a user requests a report, the application server processes the request, and retrieves the report pages in .epf format from the BusinessObjects Enterprise framework. The application server then passes the .epf file to the client-side viewer, which processes the .epf files and displays them directly in the browser.

Zero client viewersZero client viewers reside on the application server. When a user requests a report, the application server processes the request, and then retrieves the report pages in .epf format from the BusinessObjects Enterprise framework.

client-side viewers zero client viewers

Active X viewer DHTML viewerJava viewer Advanced DHTML viewer


BusinessObjects Enterprise ArchitectureInformation flow4

The SDK creates a viewer object on the application server which processes the .epf and creates DHTML pages that represent both the viewer controls and the report itself. The viewer object then sends these pages through the web server to the user’s web browser.

Installing viewersIf they haven’t already done so, users are prompted to download and install the appropriate viewer software before the report is displayed in the browser. The Active X viewer is downloaded the first time a user requests a report, and then remains installed on the user’s machine. The user will be prompted to reinstall the ActiveX viewer only when a new version becomes available on the server.

Information flowThis section describes the interaction of the server components in order to demonstrate how report-processing is performed. This section covers two different scenarios:• “What happens when you schedule an object?” on page 64• “What happens when you view a report?” on page 65

What happens when you schedule an object?When you schedule an object, you instruct BusinessObjects Enterprise to process an object at a particular point in time, or on a recurring schedule. For example, if you have a report that is based on your web server logs, you can schedule the report to run every night on a recurring basis.Tip: BusinessObjects Enterprise also allows you to schedule jobs that are dependent upon other events. For details, see “Managing events overview” on page 494the BusinessObjects Enterprise Administrator’s Guide.When a user schedules an object using InfoView, the following happens:1. InfoView sends the request to the web server. 2. The web server passes the web request directly to the application server,

where it is evaluated by the BusinessObjects Enterprise SDK. 3. The SDK passes the request to the Central Management Server.4. The CMS checks to see if the user has sufficient rights to schedule the

object.5. If the user has sufficient rights, the CMS schedules the object to be run at

the specified time(s).


BusinessObjects Enterprise ArchitectureInformation flow 4

6. When the time occurs, the CMS passes the job to the appropriate job server. Depending on the type of object, the CMS will send the job to one of the following job servers:• If the object is Web Intelligence document, it sends the job to the

Web Intelligence Job Server, which sends the request to the Web Intelligence Report Server.

• If the object is a report, it sends the job to the Report Job Server.• If the object is program, it sends the job to the Program Job Server.

7. The job server retrieves the object from the Input File Repository Server and runs the object against the database, thereby creating an instance of the object.

8. The job server then saves the instance to the Output File Repository Server, and tells the CMS that it has completed the job successfully.If the job was for a Web Intelligence document, the Web Intelligence Report Server notifies the Web Intelligence Job Server. The Web Intelligence Job Server then notifies the CMS that the job was completed successfully.

Tip: For details about multiple time zones, see “Supporting users in multiple time zones” on page 511the BusinessObjects Enterprise Administrator’s Guide.Note: • The Cache Server and the Page Server do not participate in scheduling

reports or in creating instances of scheduled reports. This can be an important consideration when deciding how to configure BusinessObjects Enterprise, especially in large installations. See “Scaling Your System” on page 141the section on scaling your system in the BusinessObjects Enterprise Administrator’s Guide.

• When you schedule program objects or object packages, the interaction between servers follows the same pattern as it does for reports.

Users without schedule rights on an object will not see the schedule option in BusinessObjects Enterprise.

What happens when you view a report?This section describes the viewing mechanisms that are implemented in InfoView. The processing flow for custom applications may differ.



When you view a report through BusinessObjects Enterprise, the processing flow varies depending upon your default report viewer, the type of report, and the rights you have to the report. In all cases, however, the request that begins at the web server must be forwarded to the application server.The actual request is constructed as a URL that includes the report’s unique ID. This ID is passed as a parameter to a server-side script that, when evaluated by the application server, verifies the user’s session and retrieves the logon token from the browser. The script then checks the user’s InfoView preferences and redirects the request to the viewing mechanism that corresponds to the user’s default viewer.Different report viewers require different viewing mechanisms:• The zero-client DHTML viewer is implemented through

report_view_dhtml.aspx.When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Cache Server and Page Server.

• The zero-client Advanced DHTML viewer is implemented through report_view_advanced.aspx.When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Report Application Server.

• The client-side report viewers (the ActiveX and Java viewers) are implemented through viewrpt.aspx, hosted by the WCA.The Crystal Web Request is executed internally through viewer code on the application server. The viewer code communicates with the framework in order to retrieve a report page in .epf format from the Cache Server and Page Server. If they haven’t already done so, users are prompted to download and install the appropriate viewer software.

Report viewing with the Cache Server and Page ServerThis section describes the process for viewing a Crystal report when using the zero-client DHTML, ActiveX, or Java viewer. This process uses the Cache Server and the Page Server.1. Upon receiving a report-viewing request, the Cache Server checks to see

if it has the requested pages cached. Cached pages are stored as Encapsulated Page Format (.epf) files.



2. If a cached version of the .epf file is available:a. The Cache Server checks with the CMS to see if the user has rights

to view the report.b. If the user is granted the right to view the report, the Cache Server

sends the .epf file to the application server.3. If a cached version of the .epf file is unavailable:

a. The Cache Server requests new .epf files from the Page Server. b. The Page Server checks with the CMS to see if the user has rights to

view the report.c. If the user is granted the right to view the report, the Page Server

retrieves the report from the Input File Repository Server.d. If the report is an instance, and the user only has View rights, the

Page Server will generate pages of the report instance using the data stored in the report instance. That is, the Page Server will not retrieve the latest data from the database.If the report is an object, the user must have View On Demand rights to view the report successfully (because the Page Server needs to retrieve data from the database).

e. If the user has sufficient rights, the Page Server generates the .epf pages and forwards them to the Cache Server.

f. The Cache Server then caches the .epf files.g. The Cache Server sends the .epf files to the application server.

4. The application server sends the report to the user’s Web browser in one of two ways, depending on how the initial request was made:• If the initial request was made through a DHTML viewer

(report_view_dhtml.aspx), the viewer SDK (residing on the application server) is used to generate HTML that represents both the DHTML viewer and the report itself. The HTML pages are then returned through the web server to the user’s web browser.

• If the initial request was made through an Active X or Java viewer (viewrpt.aspx), the application server forwards the .epf pages through the web server to the report viewer software in the user’s web browser.

Report viewing with the Report Application Server (RAS)This section describes the process for viewing a Crystal report when using the Advanced DHTML viewer. This process flow uses the Report Application Server (RAS).



1. Upon receiving a report-viewing request, the RAS checks to see if it has the requested report data in cache. (The RAS has its own caching mechanism, which is separate from the Cache Server.)

2. If a cached version of the .epf file is available:a. The RAS checks with the CMS to see if the user has rights to view

the report. b. If the user is granted the right to view the report, the RAS returns .epf

pages to the application server.3. If a cached version of the .epf file is unavailable:

a. The RAS checks with the CMS to see if the user has rights to view the report.

b. If the user is granted the right to view the report, the RAS retrieves the report object from the Input File Repository Server.

c. The RAS then processes the report object, obtains the data from the database, generates the .epf pages, caches the .epf pages and sends the .epf pages to the application server.

d. If the user is granted View rights to the report object, then the RAS will only ever generate pages of the latest report instance. That is, the RAS will not retrieve the latest data from the database.If the user is granted View On Demand rights to the report object, then the RAS will refresh the report against the database.Note: The interactive search and filter features provided by the Advanced DHTML viewer are available only if the user has View On Demand rights (or greater) to the report object.

4. When the application server receives the .epf pages from the RAS, the viewer SDK generates HTML that represents both the Advanced DHTML viewer and the report itself.

5. The application server sends the HTML pages through the web server to the user’s web browser.

Viewing Web Intelligence documentsThis section describes the process for viewing a Web Intelligence document.1. InfoView sends the request to the web application server. 2. The web application server sends the request to the application server,

which creates a new session with the Web Intelligence Report Server. 3. The Web Intelligence Report Server checks if the user has rights to use

the Web Intelligence application.



4. The web application server then sends the request to the Web Intelligence Report Server.

5. The Web Intelligence Report Server contacts the CMS to check whether the user has the right to view the document, and to check when the document was last updated.

6. If the user has the right to view the document, the Web Intelligence Report Server checks whether it has up-to-date cached content for the document.

7. If cached content is available, the Web Intelligence Report Server sends the cached document information to the SDK.If cached content is not available, the following happens:a. The Web Intelligence Report Server obtains the document

information from the CMS and checks what rights the user has on the document.

b. The Web Intelligence Report Server obtains the Web Intelligence document from either the Input or Output File Repository Server and loads the document file.Note: Which FRS is used depends on whether the request was for a Web Intelligence document that was saved to BusinessObjects Enterprise or for an instance of the document. Documents are stored on the Input FRS. Instances are generated when an object is run according to a schedule, and they are stored on the Output FRS.

c. If the document is set to “refresh on open” and the user has the View On Demand rights, the Web Intelligence Report Server refreshes the data in the document with data from the database.Note: If the document is set to “refresh on open” but the user does not have View On Demand rights, an error message is displayed.

d. The Web Intelligence Report Server stores the document file and the new document information in cache.

e. The Web Intelligence Report Server sends the document information to the SDK.

8. The viewer script calls the SDK to get the requested page of the document. The request is passed to the Web Intelligence Report Server.

9. If the Web Intelligence Report Server has cached content for the page, it returns the cached XML to the SDK.If the Web Intelligence Report Server does not have the cached content for the page, it renders the page to XML using the current data for the document. It then returns the XML to the SDK.


BusinessObjects Enterprise ArchitectureChoosing between live and saved data4

10. The SDK applies an XSLT style sheet to the XML to transform it to HTML.11. The viewer script returns the HTML to the browser.

Choosing between live and saved dataWhen reporting over the Web, the choice to use live or saved data is one of the most important decisions you’ll make. Whichever choice you make, however, BusinessObjects Enterprise displays the first page as quickly as possible, so you can see your report while the rest of the data is being processed.

Live dataOn-demand reporting gives users real-time access to live data, straight from the database server. Use live data to keep users up-to-date on constantly changing data, so they can access information that’s accurate to the second. For instance, if the managers of a large distribution center need to keep track of inventory shipped on a continual basis, then live reporting is the way to give them the information they need.Before providing live data for all your reports, however, consider whether or not you want all of your users hitting the database server on a continual basis. If the data isn’t rapidly or constantly changing, then all those requests to the database do little more than increase network traffic and consume server resources. In such cases, you may prefer to schedule reports on a recurrent basis so that users can always view recent data (report instances) without hitting the database server.For more information about optimizing the performance of reports that are viewed on demand, see the “Designing Optimized Web Reports” section in the Crystal Reports User’s Guide (version 8.5 and later).Tip: Users require View On Demand access to refresh reports against the database.

Saved dataTo reduce the amount of network traffic and the number of hits on your database servers, you can schedule reports to be run at specified times. When the report has been run, users can view that report instance as needed, without triggering additional hits on the database.Report instances are useful for dealing with data that isn’t continually updated. When users navigate through report instances, and drill down for details on columns or charts, they don’t access the database server directly;


BusinessObjects Enterprise ArchitectureChoosing between live and saved data 4

instead, they access the saved data. Consequently, reports with saved data not only minimize data transfer over the network, but also lighten the database server’s workload.For example, if your sales database is updated once a day, you can run the report on a similar schedule. Sales representatives then always have access to current sales data, but they are not hitting the database every time they open a report.Tip: Users require only View access to display report instances.


BusinessObjects Enterprise ArchitectureChoosing between live and saved data4


Managing and Configuring Servers

chapter

Managing and Configuring ServersServer management overview5
Server management overview
This chapter provides information on a range of server tasks that allow you to customize the behavior of BusinessObjects Enterprise. It also includes information on the server settings that you can alter to accommodate the needs of your organization. The default values for these settings have been chosen to maximize the reliability, predictability, and consistency of operation of a typical BusinessObjects Enterprise installation. The default settings guarantee the highest degree of data accuracy and timeliness. For example, by default, data sharing between reports is disabled. When running reports on demand, disabling data sharing means that every user can always assume that they will receive the latest data. If you prefer to place more emphasis on the efficiency, economy, and scalability of BusinessObjects Enterprise, you can tune server settings to set your own balance between system reliability and performance. For example, enabling data sharing between reports markedly increases system performance when user loads are heavy. To take advantage of this feature while ensuring that every user receives data that meets your criteria for timeliness, you can also specify how long data will be shared between users.

BusinessObjects Enterprise administrative toolsBusinessObjects Enterprise includes two key administrative tools that allow you to view and to modify a variety of server settings:• Central Management Console (CMC)

The CMC is the web-based administration tool that allows you to view and to modify server settings while BusinessObjects Enterprise is running. For instance, you use the CMC to change the status of a server, change server settings, access server metrics, or create server groups. Because the CMC is a web-based interface, you can configure your BusinessObjects Enterprise servers remotely over the Internet or through your corporate intranet.

• Central Configuration Manager (CCM)The CCM is a program that allows you to view and to modify server settings while Business Objects servers are offline. For instance, you use the CCM to stop servers, to modify performance settings, and to change the default server port numbers. With BusinessObjects Enterprise, the CCM allows you to configure BusinessObjects Enterprise remotely over your corporate network

You can accomplish some configuration tasks with both tools, while other tasks must be performed with a specific tool.


Managing and Configuring ServersViewing current metrics 5

Related topics:• For an overview of the multi-tier architecture and the BusinessObjects

Enterprise server components, see “BusinessObjects Enterprise Architecture” on page 47.

• For information about creating groups of servers, see “Managing Server Groups” on page 135.

• With the BusinessObjects Enterprise Software Development Kit (SDK), you can now access and modify server metrics and settings from your own web applications. For more information, see the developer documentation available on your product CD.

Viewing current metricsThe CMC allows you to view server metrics over the Web. These metrics include general information about each machine, along with details that are specific to the type of server. The CMC also allows you to view system metrics, which include information about your product version, your CMS, and your current system activity.Tip: For an example of how to use server metrics in your own web applications, see the “View Server Summary” sample on the BusinessObjects Enterprise Admin Launchpad.

Viewing current server metricsThe Servers management area of the CMC displays server metrics that provide statistics and information about each BusinessObjects Enterprise server. The general information displayed for each server includes information about the machine that the server is running on—its name, operating system, total hard disk space, free hard disk space, total RAM, number of CPUs, and local time. The general information also includes the time the server started and the version number of the server.

To view server metrics1. Go to the Servers management area of the CMC.2. Click the link to the server whose metrics you want to view.3. Click the Metrics tab.


Managing and Configuring ServersViewing current metrics5

This example shows the metrics for an Event Server that is running on a machine called Crystal-E501888.crystald.net.

The Metrics tabs for the following servers include additional, server-specific information:

Input and Output File Repository ServersThe Metrics tab of each File Repository Server lists the root directory of the files that the server maintains, indicates the maximum idle time, and displays the number of active files and active client connections. It also lists the total available hard disk space, as well as the number of bytes sent and received.Each File Repository Server also has an Active Files tab, which lists the filename, the number of readers, and the number of writers for each active file.

Cache ServerThe Metrics tab of the Cache Server displays the maximum number of processing threads, the maximum cache size, the minutes before an idle job is closed, the minutes between refreshes from the database, whether or not the database is accessed whenever a viewer’s file (object) is refreshed, the location of the cache files, the total threads running, the number of requests served, the number of bytes transferred, the cache hit rate, the number of current connections, and the number of requests that are queued.The Metrics tab also provides a table that lists the Page Servers that the Cache server has connections to, along with the number of connections made to each Page Server.

Event ServerThe Metrics tab of the Event Server contains statistics on the files that the server is monitoring. This tab includes a table showing the file name and the last time the event occurred.


Managing and Configuring ServersViewing current metrics 5

Page ServerThe Metrics tab of the Page Server contains information on how the server is running. It lists the maximum number of simultaneous report jobs, the location of temporary files, the number of minutes before an idle connection is closed, the minutes before a report job is closed, the maximum number of database records shown when previewing or refreshing a report, the oldest processed data given to a client, whether a viewer refresh always hits the database, and the setting for the Report Job Database Connection. It also shows the number of current connections, the number of requests queued, the current number of processing threads running, the total number of requests served, and the total bytes transferred.

Report Application ServerThe Metrics tab of the Report Application Server (RAS) shows the number of reports that are open, and the number of reports that have been opened. It also shows the number of open connections, along with the number of open connections that have been created.

Job servers and Web Intelligence serversThe Metrics tabs of theses servers lists the current number of jobs that are being processed, the total number of requests received, the total number of failed job creations, the processing mode, and the location of its temporary files.

Central Management ServerThe Metrics tab of the CMS lists only the general information about the machine it is running on. The Properties tab, however, shows a list of users who have active sessions on the system. Click any user’s link to view the associated account details.

Viewing system metricsThe Settings management area of the CMC displays system metrics that provide general information about your BusinessObjects Enterprise installation. The Properties tab includes information about the product version and build. It also lists the data source, database name, and database user name of the CMS database. The Metrics tab lists current account activity, along with statistics about current and processed jobs. The Cluster tab lists the name of the CMS you are connected to, the name of the CMS cluster, and the names of other cluster members.

To view system metrics1. Go to the Settings management area of the CMC.2. View the contents of the Properties, Metrics, and Cluster tabs.


Managing and Configuring ServersViewing and changing the status of servers5

Related topics:• For more information about licenses and account activity, see Licensing

overview.• For information about CMS clusters, see Clustering Central Management

Servers.

Viewing and changing the status of serversThe status of a server is its current state of operation: a server can be started, stopped, enabled, or disabled. To respond to BusinessObjects Enterprise requests, a server must be started and enabled. A server that is disabled is still running as a process; however, it is not accepting requests from the rest of BusinessObjects Enterprise. A server that is stopped is no longer running as a process. This section shows how to modify the status of servers with the CMC and the CCM. It includes:• “Starting, stopping, and restarting servers” on page 78• “Enabling and disabling servers” on page 81• “Printing, copying, and refreshing server status” on page 82

Starting, stopping, and restarting serversStarting, stopping, and restarting servers are common actions that you perform when you configure servers or take them offline for other reasons. The remainder of this chapter tells you when a certain configuration change requires that you first stop or restart the server. However, because these tasks appear frequently, the concepts and differences are explained first, and the general procedures are provided for reference.

Action Description

Stopping a server You must stop BusinessObjects Enterprise servers before you can modify certain properties and settings.

Starting a server If you have stopped a server to configure it, you need to start it to effect your changes and to have the server resume processing requests.

Restarting a server Restarting a server is a shortcut to stopping a server completely and then starting it again. You can change certain settings without stopping the server; however, the changes typically do not take effect until your restart the server.


Managing and Configuring ServersViewing and changing the status of servers 5

For example, if you want to change the name of a CMS, then you must first stop the server. Once you have made your changes, you start the server again to effect your changes.Tip: When you stop (or restart) a server, you terminate the server’s process, thereby stopping the server completely. If you want to prevent a server from receiving requests without actually stopping the server process, you can also enable and disable servers. We recommend that you disable Job Servers and Program Job Servers before stopping them so that they can finish processing any jobs they have in progress before stopping. For details, see “Enabling and disabling servers” on page 81.

To start, stop, or restart servers with CMCNote: You cannot use CMC to stop the CMS. You must use the CCM instead. See “Stopping a Central Management Server” on page 80 for more information.1. Go to the Servers management area of the CMC.

A list of servers appears. The icon associated with each server identifies its status:• Running is indicated by a server with a green arrow.• Stopped is indicated by a server with a red arrow.• Disabled is indicated by a server with a red circle.In this example, the Page Server Server is stopped, the Event Server is disabled, and the remaining servers are running and enabled.

2. Select the check box for the server whose status you want to change.3. Depending upon the action you need to perform, click Start, Stop, or

Restart.You may be prompted for network credentials that allow you to start and stop services running on the remote machine.

4. Click Refresh to update the page.



To start, stop, or restart a Windows server with the CCM1. Start the CCM.2. Select the server that you want to start, stop, or restart.3. On the toolbar, click the appropriate button.

You may be prompted for network credentials that allow you to start and stop services. Note: When you provide your network credentials, they are first checked against the machine hosting the CMS. If the server that you want to start, stop, or restart is located on another machine, the same credentials are used to access the other machine. If you supply credentials that are valid on the remote machine but not on the machine running the CMS, then you receive an error message. The CCM performs the action and refreshes the list of servers.

Stopping a Central Management ServerIf your BusinessObjects Enterprise installation has a single Central Management Server (CMS), shutting it down will make BusinessObjects Enterprise unavailable to your users and will interrupt the processing of reports and programs. Before stopping your CMS, you may wish to disable your processing servers so that they can finish any jobs in progress before BusinessObjects Enterprise shuts down. See “Enabling and disabling servers” on page 81 for more information.If you have a CMS cluster consisting of more than one active CMS, you can shut down a single CMS without losing data or affecting system functionality. The other CMS in the cluster will assume the workload of the stopped server. Using a CMS cluster enables you to perform maintenance on each of your Central Management Servers in turn without taking BusinessObjects Enterprise out of service.

Toolbar Icon

Action

Start the selected server.

Stop the selected server.

Restart the selected server.


Managing and Configuring ServersViewing and changing the status of servers 5

For more information on CMS clusters, see “Clustering Central Management Servers” on page 87.

Enabling and disabling serversWhen you disable a BusinessObjects Enterprise server, you prevent it from receiving and responding to new BusinessObjects Enterprise requests, but you do not actually stop the server process. This is especially useful when you want to allow a server to finish processing all of its current requests before you stop it completely.For example, you may want to stop a Job Server before rebooting the machine it is running on. However, you want to allow the server to fulfill any outstanding report requests that are in its queue. First, you disable the Job Server so it cannot accept any additional requests. Next, go to the Central Management Console to monitor when the server completes the jobs it has in progress. (From the Servers management area, choose the server name and then the metrics tab). Then, once it has finished processing current requests, you can safely stop the server.Note: The CMS must be running in order for you to enable and/or disable other servers.

To enable and disable servers with CMC1. Go to the Servers management area of the CMC.

The icon associated with each server identifies its status. In this example, the Event Server is disabled (but not stopped), and the remaining servers are running and enabled.



2. Select the check box for the server whose status you want to change.3. Depending upon the action you need to perform, click Enable or Disable.

To enable or disable a Windows server with the CCM1. Start the CCM.2. On the toolbar, click Enable/Disable.3. When prompted, log on to your CMS with the credentials that provide you

with administrative privileges to BusinessObjects Enterprise.4. Click Connect.

The Enable/Disable Servers dialog box appears.

This dialog box lists all of the BusinessObjects Enterprise servers that are registered with your CMS, including servers running on remote machines. By default, servers running on remote machines are displayed as MACHINE.servertype. In this example, all of the listed servers are currently enabled.

5. To disable a server, clear the check box in the Server Name column.6. Click OK to effect your changes and return to the CCM.

Printing, copying, and refreshing server statusWhen using the CCM on Windows, you can print and copy the properties of a server, and refresh the list of servers.

To print the status of a server1. Start the CCM.2. Select the server(s).


Managing and Configuring ServersConfiguring the application tier 5

3. Click Print. The Print dialog box appears.

4. Click OK.A brief listing of the server’s properties is printed, including the Display Name, Version, Command Line, Status, and so on.

To copy the status of a serverTo save the status of a server, you can copy the details from the CCM to a document or to an email message (if you want to send the status information to someone else).1. Start the CCM.2. Select the server(s).3. Click Copy.4. Paste the information into a document for future reference.

To refresh the list of servers• To ensure you are looking at the latest information, click Refresh.Note: Disabled servers may not appear in this list. Click Enable/Disable to view a list of servers and ensure that each is enabled.

Configuring the application tierThis section includes technical information and procedures that show how you can modify settings for the application tier.

The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements.


Managing and Configuring ServersConfiguring the application tier5

Note: This section does not show how to configure your Web application server to deploy BusinessObjects Enterprise applications. This task is typically performed when you install BusinessObjects Enterprise. For details, see the BusinessObjects Enterprise Installation Guide. For further troubleshooting, see “Working with Firewalls” on page 169.

Configuring the Web Component AdapterThe WCA provides support for the Central Management Console and CSP applications. The Web Component Adapter is a web application. It does not appear as a server in the Central Management Console or in the Central Configuration Manager. To configure the WCA, edit either of the following files, depending on whether you are running the system on a Java or .NET platform:• On a Java platform edit the web.xml file associated with the WCA. See

“Configuring the Java Web Component Adapter” on page 84.• On a .NET platform edit the web.config file associated with the WCA.

See “Configuring the .NET Web Component Adapter” on page 86.

Configuring the Java Web Component AdapterTo configure the Java WCA you edit the web.xml file associated with the WCA:• Windows: C:\Program Files\Business

Objects\BusinessObjects Enterprise 11\java\applications directory

For example, the context parameter that controls whether a group tree will be generated looks like this:<context-param><param-name>viewrpt.groupTreeGenerate</param-name>

<param-value>true</param-value><desctiption>”true” or “false” value determining whether

a group tree will be generated.</description></context-param>

To change the value of a context parameter, edit the value between the <param-value> </param-value> tags.

To configure web.xmlNote: Your Java Web Application Server may provide tools to allow you to edit web.xml directly from an administrative console.Otherwise use the following procedure to configure web.xml.1. Stop your application server.2. Extract the web.xml file from the webcompadapter.war archive.


Managing and Configuring ServersConfiguring the application tier 5

3. Edit the file by using a text editor such as Notepad or vi.4. Reinsert the file into the WEB-INF directory in webcompadapter.war.

Tip: To reinsert web.xml into WEB-INF using WinZip, right-click on the WEB-INF directory that contains your edited web.xml file and select “Add to Zip File...”. Adding the file in this way ensures that it is placed in the correct directory inside the archive.

5. Restart your application server.When you install more than one WCA, each webcomponentadapter.war file contains its own web.xml file containing configuration parameters for that WCA. However, you can only set the parameters listed in the following table individually for each WCA. The remaining parameters must be the same for all WCA in your system.

Context Parameter Description

display-name Equivalent to WCA name.cspApplication.defaultPage The default page that will be loaded if no

filename is specified in a particular request.

cspApplication.dir This is the real path to the directory containing the CSP/WAS application(s) that you would like to host. This is a required field.

connection.cms This is the name (or name and port number) of the CMS that you would like your application(s) to connect to.

connection.listeningPort This field defaults to the port that the WCA related servlets are running on.

log.file Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path

log.ext File extension of logfile, defaults to .loglog.isRolling Determines whether or not the logs will be

rotated, defaults to true.log.size If log rolling is turned on, this will govern

the max size before logfile is rotated. Accepted suffix: MB, KB and GB.

log.level The default loglevel is “error.”log.entryPattern Please refer to log4j documentation for

accepted log entry patterns.


Managing and Configuring ServersConfiguring the application tier5
Configuring the .NET Web Component Adapter
To configure the .NET WCA you edit the web.config file associated with the the WCA. This file is located in the following directory:C:\Program Files\Business Objects\BusinessObjects Enterprise

11\Web Content\application

For example, the context parameter that controls whether a group tree will be generated looks like this:

To configure web.configNote: Your .NET Web Application Server may provide tools to allow you to edit web.config directly from an administrative console. 1. Stop your application server.2. Edit the web.config file by using a text editor such as Notepad.3. Restart your application server.

Parameter Description

display-name Equivalent to WCA name.cspApplication.defaultPage The default page that will be loaded if no

filename is specified in a particular request.

connection.cms This is the name (or name and port number) of the CMS that you would like your application(s) to connect to.

connection.listeningPort This field defaults to the port that the WCA related servlets are running on.

log.file Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path

log.ext File extension of logfile, defaults to .loglog.isRolling Determines whether or not the logs will be

rotated, defaults to true.log.size If log rolling is turned on, this will govern

the max size before logfile is rotated. Accepted suffix: MB, KB and GB.

log.level The default loglevel is “error.”log.entryPattern Please refer to log4j documentation for

accepted log entry patterns.


Managing and Configuring ServersConfiguring the intelligence tier 5

Configuring the intelligence tierThis section includes technical information and procedures that show how you can modify settings for the BusinessObjects Enterprise servers that make up the intelligence tier.

The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements.Configuring the intelligence tier includes the following tasks:• “Clustering Central Management Servers” on page 87• “Copying data from one CMS database to another” on page 92• “Deleting and recreating the CMS database” on page 99• “Selecting a new or existing CMS database” on page 100• “Setting root directories and idle times of the File Repository Servers” on

page 102• “Modifying Cache Server performance settings” on page 103• “Modifying the polling time of the Event Server” on page 105

Clustering Central Management ServersIf you have a large or mission-critical implementation of BusinessObjects Enterprise, you will probably want to run several CMS machines together in a CMS cluster. A CMS cluster consists of two or more CMS servers working together to maintain the system database. If a machine that is running one CMS fails, a machine with another CMS will continue to service BusinessObjects Enterprise requests. This “failover” support helps to ensure that BusinessObjects Enterprise users can still access information when there is equipment failure.This section shows how to add a new CMS cluster member to a production system that is already up and running. When you add a new CMS to an existing cluster, you instruct the new CMS to connect to the existing CMS database and to share the processing workload with any existing CMS machines. For information about your current CMS and CMS cluster, go to the Settings management area of the CMC and click the Cluster tab.


Managing and Configuring ServersConfiguring the intelligence tier5

Before clustering CMS machines, you must make sure that each CMS is installed on a system that meets the detailed requirements (including version levels and patch levels) for operating system, database server, database access method, database driver, and database client outlined in the platforms.txt file included in your product distribution. In addition, you must meet the following clustering requirements:• For best performance, the database server that you choose to host the

system database must be able to process small queries very quickly. The CMS communicates frequently with the system database and sends it many small queries. If the database server is unable to process these requests in a timely manner, BusinessObjects Enterprise performance will be greatly affected.

• For best performance, run each CMS cluster member on a machine that has the same amount of memory and the same type of CPU.

• Configure each machine similarly:• Install the same operating system, including the same version of

operating system service packs and patches. • Install the same version of BusinessObjects Enterprise (including

patches, if applicable).• Ensure that each CMS connects to the CMS database in the same

manner: whether you use native or ODBC drivers, ensure that the drivers are the same on each machine, and are a supported version.

• Ensure that each CMS uses the same database client to connect to its system database, and that it is a supported version.

• Check that each CMS uses the same database user account and password to connect to the CMS database. This account must have create, delete, and update rights on the system database.

• Run each CMS service/daemon under the same account. (On Windows, the default is the “LocalSystem” account.)

• Verify that the current date and time are set correctly on each CMS machine (including settings for daylight savings time).

• Ensure that each and every CMS in a cluster is on the same Local Area Network.

• If you wish to enable auditing, each CMS must be configured to use the same auditing database and to connect to it in the same manner. The requirements for the auditing database are the same as those for the system database in terms of database servers, clients, access methods, drivers, and user IDs. See also Chapter 10: Managing Auditing.



Tip: By default, a CMS cluster name reflects the name of the first CMS that you install, but the cluster name is prefixed by the @ symbol. For instance, if your existing CMS is called BUSINESSOBJECTSCMS, then the default cluster name is @BUSINESSOBJECTSCMS. To modify the default name, see “Changing the name of a CMS cluster” on page 91.There are two ways to add a new CMS cluster member. Follow the appropriate procedure, depending upon whether or not you have already installed a second CMS:• “Installing a new CMS and adding it to a cluster” on page 89

See this section if you have not already installed the new CMS on its own machine.

• “Adding an installed CMS to a cluster” on page 90Follow this procedure if you have already installed a second, independent CMS on its own machine. While testing various server configurations, for instance, you might have set up an independent BusinessObjects Enterprise system with its own CMS. Follow this procedure when you want to incorporate this independent CMS into your production system.

Note: Back up your current CMS database before making any changes. If necessary, contact your database administrator.

Installing a new CMS and adding it to a clusterWhen you install a new CMS, you can quickly cluster it with your existing CMS. Run the BusinessObjects Enterprise installation and setup program on the machine where you want to install the new CMS cluster member. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that want to install on the local machine. In this case, specify the name of the CMS that is running your existing system, and choose to install a new CMS on the local machine. Then provide the Setup program with the information it needs to connect to your existing CMS database. When the Setup program installs the new CMS on the local machine, it automatically adds the server to your existing CMS cluster.For complete requirements for CMS added to a cluster, see “Clustering Central Management Servers” on page 87. For complete information on running the Setup program and performing the Expand installation, see the BusinessObjects Enterprise Installation Guide.


Adding an installed CMS to a cluster
In these steps, the independent CMS refers to the one that you want to add to a cluster. You will add the independent CMS to your production CMS cluster. By adding an independent CMS to a cluster, you disconnect the independent CMS from its own database and instruct it to share the system database that belongs to your production CMS.Before starting this procedure, ensure that you have a database user account with Create, Delete, and Update rights to the database storing the BusinessObjects Enterprise tables. Ensure also that you can connect to the database from the machine that is running the independent CMS (through your database client software or through ODBC, according to your configuration). Also ensure that the CMS you are adding to the cluster meets the requirements outlined in “Clustering Central Management Servers” on page 87.Note: Back up your current CMS database before beginning this procedure. If necessary, contact your database administrator.

To add an installed CMS to a cluster on Windows1. Use the CCM to stop the independent Central Management Server.2. With the CMS selected, click Specify CMS Data Source on the toolbar.

The CMS Database Setup dialog box appears.

3. Click Select a Data Source; then click OK.4. In the Select Database Driver dialog box, specify whether you want to

connect to the production CMS database through ODBC, or through one of the native drivers.

5. Click OK.



6. The remaining steps depend upon the connection type you selected:• If you selected ODBC, the Windows “Select Data Source” dialog box

appears. Select the ODBC data source that corresponds to your production CMS database; then click OK. If prompted, provide your database credentials and click OK. The CCM connects to the database server and adds the new CMS to the cluster.

• If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Once you provide this information, the CCM connects to the database server and adds the new CMS to the cluster.

The SvcMgr dialog box notifies you when the CMS database setup is complete.

7. Click OK.8. Start the Central Management Server.

Changing the name of a CMS clusterBy default, a CMS cluster name reflects the name of the first CMS that you install, but the cluster name is prefixed by the @ symbol. For instance, if your existing CMS is called BUSINESSOBJECTSCMS, then the default cluster name is @BUSINESSOBJECTSCMS.This procedure allows you to change the name of a cluster that is already installed and running. To change the cluster name, you need only stop one of the CMS cluster members. The remaining CMS cluster members are dynamically notified of the change.For optimal performance, after changing the name of the CMS cluster reconfigure each Business Objects server so that it registers with the CMS cluster, rather than with an individual CMS.

To change the cluster name on Windows1. Use the CCM to stop any Central Management Server that is a member

of the cluster.2. With the CMS selected, click Properties on the toolbar.3. Click the Configuration tab.4. Select the Change Cluster Name to check box.5. Type the new name for the cluster.6. Click OK and then start the Central Management Server.

The CMS cluster name is now changed. All other CMS cluster members are dynamically notified of the new cluster name (although it may take several minutes for your changes to propagate across cluster members).



7. Go to the Servers management area of the CMC and check that all of your servers remain enabled. If necessary, enable any servers that have been disabled by your changes.

To register servers with the CMS cluster on Windows1. Use the CCM to stop a Business Objects server.2. Select the server from the list, and then click Properties.3. Click the Configuration tab.4. In the CMS Name box, type the name of the cluster.

The name of the cluster begins with the @ symbol. For example, if the cluster name was changed to ENTERPRISE, type @ENTERPRISE in the box.

5. Click OK, and then start the server. Repeat for each Business Objects server in your installation.

Copying data from one CMS database to anotherBusinessObjects Enterprise enables you to copy the contents of one CMS database into another database. This procedure is also referred to as migrating a CMS database. You can migrate CMS data from a different CMS database (versions 8.5 through 10 of Crystal Enterprise and version XI of BusinessObjects Enterprise) into your current CMS database. Or, you can migrate the data from your current CMS database into a different data source.Throughout this section, the source CMS database refers to the database that holds the data you are copying; this data is copied into the destination database. The destination database is initialized before the new data is copied in, so any existing contents of the destination database are permanently deleted (all BusinessObjects Enterprise tables are destroyed permanently and then recreated). Once the data has been copied, the destination database is established as the current database for the CMS.Note: Prior to BusinessObjects Enterprise XI, the CMS was known as Crystal Management Server, and also as the Automated Process Scheduler (APS).Tip: If you want to import users, groups, folders, and reports from one system to another, without deleting the contents of the current CMS database, see “Importing with the Import Wizard” on page 388.Depending on the platform of your system and the version of your CMS database, migrating a CMS database will include several of the following tasks:• “Preparing to migrate a CMS database” on page 93• “Copying data from a CMS on Windows” on page 94• “Copying data from a Crystal Enterprise 8 APS” on page 96• “Completing a CMS database migration” on page 97



Preparing to migrate a CMS databaseBefore migrating a CMS database, take the source and the destination environments offline by disabling and subsequently stopping all servers. Back up both CMS databases, and back up the root directories used by all Input and Output File Repository Servers. If necessary, contact your database or network administrator. Ensure that you have a database user account that has permission to read all data in the source database, and a database user account that has Create, Delete, and Update rights to the destination database. Ensure also that you can connect to both databases—through your database client software or through ODBC, according to your configuration—from the CMS machine whose database you are replacing. Make a note of the license keys you purchased for the current version of BusinessObjects Enterprise. During migration, license keys that are present in the destination database are retained only if the source database contains no license keys that are valid for the current version of BusinessObjects Enterprise. License keys in the destination database are replaced with license keys from the source database when the source license keys are valid for the current version of BusinessObjects Enterprise. License keys from earlier versions of Crystal Enterprise are not copied.If you are copying CMS data from a different CMS database (version 8.0, 8.5, 9, or 10 of Crystal Enterprise or version XI of BusinessObjects Enterprise) into your current CMS database, your current CMS database is the destination database whose tables are deleted before they are replaced with the copied data. In this scenario, make note of the current root directories used by the Input and Output File Repository Servers in the source environment. The database migration does not actually move report files from one directory location to another. After you migrate the database, you will connect your new Input and Output File Repository Servers to the old root directories, thus making the report files available for the new system to process. Log on with an administrative account to the CMS machine whose database you want to replace. Complete the procedure that corresponds to the version of the source environment:• “Copying data from a CMS on Windows” on page 94• “Copying data from a Crystal Enterprise 8 APS” on page 96If you are copying a CMS database from its current location to a different database server, your current CMS database is the source environment. Its contents are copied to the destination database, which is then established as the active database for the current CMS. This is the procedure to follow if you want to move the default CMS database on Windows from the local Microsoft Data Engine (MSDE) to a dedicated database server, such as Microsoft SQL



Server, Informix, Oracle, DB2, or Sybase. Log on with an administrative account to the machine that is running the CMS whose database you want to move. Complete the following procedure:• “Copying data from a CMS on Windows” on page 94Note: • When you migrate a CMS database from an earlier version of Crystal

Enterprise, the database and database schema are upgraded to the format required by the current version of BusinessObjects Enterprise.

• When you copy data from one database to another, the destination database is initialized before the new data is copied in. That is, if your destination database does not contain the four BusinessObjects Enterprise XI system tables, these tables are created. If the destination database does contain BusinessObjects Enterprise XI system tables, the tables will be permanently deleted, new system tables will be created, and data from the source database will be copied into the new tables. Other tables in the database, including previous versions of Crystal Enterprise system tables, are unaffected.

Copying data from a CMS on WindowsUse this procedure if your CMS is installed on Windows and you are copying data from versions 8.5, 9, or 10 of Crystal Enterprise or from version XI of BusinessObjects Enterprise. If you are copying data from version 8 of Crystal Enterprise, please see “Copying data from a Crystal Enterprise 8 APS” on page 96.

To copy data from a CMS on Windows1. Use the CCM to stop the Central Management Server.2. With the CMS selected, click Specify CMS Data Source on the toolbar.3. Click Copy data from another Data Source; then click OK.

The Specify Data Source dialog box appears.



4. In the “Source contains data from version” list, click Autodetect (or explicitly select the version of the source CMS database).You must now specify the source CMS database whose contents you want to copy.

5. Click Specify.6. In the Select Database Driver dialog box, specify whether you want to

connect to the source CMS database through ODBC, Informix, or through one of the native drivers.

7. Click OK.8. The next steps depend upon the connection type you selected:

• If you selected ODBC or Informix, the Windows “Select Data Source” dialog box appears. Select the data source that corresponds to the source CMS database; then click OK. If prompted, provide your database credentials and click OK.

• If you selected a native driver, provide your database Server Name, your Login ID, and your Password; then click OK.

You are returned to the Specify Data Source dialog box. You must now specify the destination CMS database whose contents you want to replace with the copied data.Tip: If the correct destination database already appears in the “Copy to the following data source” field, proceed to step 13.

9. Click Browse.10. In the Select Database Driver dialog box, specify whether you want to

connect to the destination CMS database through ODBC, or through one of the native drivers.


• If you selected ODBC, the Windows “Select Data Source” dialog box appears. Select the ODBC data source that corresponds to the destination CMS database; then click OK. If prompted, provide your database credentials and click OK.


You are returned to the Specify Data Source dialog box. You are now ready to copy the CMS data.

13. Click OK and, when prompted to confirm, click Yes.




14. Click OK.15. Proceed to “Completing a CMS database migration” on page 97.

Copying data from a Crystal Enterprise 8 APS Note: Prior to BusinessObjects Enterprise XI, the CMS was known as Crystal Management Server, and also as the Automated Process Scheduler (APS).Use this procedure if your CMS is installed on Windows, and you are copying data from a Crystal Enterprise 8 APS system database.

To copy data from a Crystal Enterprise 8 APS1. Use the CCM to stop the Central Management Server.2. With the CMS selected, click Specify CMS Data Source on the toolbar.3. Click Copy data from another Data Source; then click OK.

The Specify Data Source dialog box appears.4. In the “Source contains data from version” list, click Crystal Enterprise 8.0.

You must now specify the source CMS database whose contents you want to copy.

5. Click Specify.6. In the “Browse data” dialog box, click one of the following:

• CMS machine nameClick this option if you have administrative rights to the Crystal Enterprise 8 CMS machine. Your administrative rights allow the CCM to read the data source information from the Windows Registry on the CMS machine. Click OK and use the Browse for Computer dialog box to specify the CMS machine.

• CMS ODBC data sourceClick this option if you do not have administrative rights to the Crystal Enterprise 8 CMS machine. Use the Windows “Select Data Source” dialog box to select (or create) an ODBC data source that provides the local machine with access to the Crystal Enterprise 8 CMS database. If prompted, provide your database credentials and click OK.

You are returned to the Specify Data Source dialog box. You must now specify the destination CMS database whose contents you want to replace with the copied data.Tip: If the correct destination database already appears in the “Copy to the following data source” field, proceed to step 11.



7. Click Browse.8. In the Select Database Driver dialog box, specify whether you want to

connect to the destination CMS database through ODBC, or through one of the native drivers.


• If you selected ODBC, the Windows “Select Data Source” dialog box appears. Select the ODBC data source that corresponds to the destination CMS database; then click OK. If prompted, provide your database credentials and click OK.


You are returned to the Specify Data Source dialog box. You are now ready to copy the CMS data.

11. Click OK and, when prompted to confirm, click Yes.The SvcMgr dialog box notifies you when the CMS database setup is complete.Note: Migration of a large source database could take several hours.

12. Click OK.13. Proceed to “Completing a CMS database migration” on page 97.

Completing a CMS database migrationWhen you finish copying data from the source database to the destination database, complete these steps before allowing users to access the system.When migrating from an older version of Crystal Enterprise, servers that existed in the source installation do not appear in the migrated install. This occurs because there cannot be a mix of old and new servers in a BusinessObjects Enterprise installation.Server groups from the old installation appear in the new system, but they will be empty. New servers are automatically detected and added to the servers list (outside of any group) in a disabled state. You must enable these servers before they can be used. You may add the new servers to the imported groups as appropriate.Reports that depend on a particular server group for scheduled processing will not execute until a job server is added to that group. Reports that depend on a particular server group for processing are not available until servers are added to that group.



To complete a CMS database migration on Windows1. If errors occurred during migration, a db_migration log file was created

in the logging directory on the machine where you ran the CCM to carry out the migration. The CCM will notify you if you need to check the log file.The default logging directory is:C:\Program Files\Business Objects\BusinessObjects

Enterprise 11\Logging\

2. If you migrated CMS data from a different CMS database into your current CMS database, you need to make your old input and output directories available to the new Input and Output File Repository Servers. You can do this in several ways:• Copy the contents of the original input root directory into the root

directory that the new Input File Repository Server is already configured to use. Then copy the contents of the original output directory into the root directory that the new Output File Repository is already configured to use.

• Reconfigure the new Input and Output File Repository Servers to use the old input and output root directories.

• If the old Input and Output File Repository Servers are running on a dedicated machine, you can run the BusinessObjects Enterprise setup program to upgrade the servers directly. Then you need not move the input and output directories. Instead, modify the -ns option in both servers’ command lines to have them register with your new CMS. See Appendix E: Server Command Lines for more information.

For more information, see “Setting root directories and idle times of the File Repository Servers” on page 102.

3. Use the Central Configuration Manager (CCM) to start the CMS on the local machine.

4. Make sure your web application server is running.5. Log on to the Central Management Console with the default

Administrator account, using Enterprise authentication.Tip: If you just replaced your CMS database with data from an older system, keep in mind that you now need to provide the Administrator password that was valid in the older system.

6. Go to the Authorization management area and check that your BusinessObjects Enterprise license keys are entered correctly.

7. In the CCM, start and enable the Input File Repository Server and the Output File Repository Server.



8. Go to the Servers management area of the Central Management Console and verify that the Input File Repository Server and the Output File Repository Server are both started and enabled.

9. Click the link to each File Repository Server and, on the Properties tab, check that the Root Directory points to the correct location.

10. Return to the Central Configuration Manager. 11. If objects in your source database require updating, the Update Objects

button on the toolbar contains a flashing red exclamation mark. Click Update Objects.

12. When prompted, log on to your CMS with credentials that provide you with administrative privileges to BusinessObjects Enterprise.The Update Objects dialog box tells you how many objects require updating. Objects typically require updating because their internal representation has changed in the new version of BusinessObjects Enterprise, or because the objects require new properties to support the additional features offered by BusinessObjects Enterprise XI. Because your Central Management Server was stopped when the migration occurred, you need to update the objects now.

13. If there are objects that require updating, click Update, otherwise click Cancel.

14. Start and enable the remaining BusinessObjects Enterprise servers.15. Verify that BusinessObjects Enterprise requests are handled correctly,

and check that you can view and schedule reports successfully.

Deleting and recreating the CMS databaseThis procedure shows how to recreate (re-initialize) the current CMS database. By performing this task, you destroy all data that is already present in the database. This procedure is useful, for instance, if you have installed BusinessObjects Enterprise in a development environment for designing and testing your own, custom web applications. You can re-initialize the CMS database in your development environment every time you need to clear the system of absolutely all its data.When you recreate the CMS database with the CCM, your existing license keys should be retained in the database. However, if you need to enter license keys again, log on to the CMC with the default Administrator account (which will have been reset to have no password). Go to the Authorization management area and enter your information on the License Keys tab.



Note: Remember that all data in your current CMS database will be destroyed if you follow this procedure. Consider backing up your current CMS database before beginning. If necessary, contact your database administrator.

To recreate the CMS database on Windows1. Use the CCM to stop the Central Management Server.2. With the CMS selected, click Specify CMS Data Source on the toolbar.3. In the CMS Database Setup dialog box, click Recreate the current Data

Source.4. Click OK and, when prompted to confirm, click Yes.


5. Click OK.You are returned to the CCM.

6. Start the Central Management Server.While it is starting, the CMS writes required system data to the newly emptied data source. You may need to click the Refresh button in the CCM to see that the CMS has successfully started.

Selecting a new or existing CMS databaseFollow this procedure if you want to disconnect a CMS from its current database and connect it to an alternate database. When you complete these steps, none of the data in the current database is copied into the alternate database. If the alternate database is empty, the CCM initializes it by writing system data that is required by BusinessObjects Enterprise. If the alternate database already contains BusinessObjects Enterprise system data, the CMS uses that data when it starts.Generally, there are only a few times when you need to complete these steps:• If you have changed the password for the current CMS database, these steps

allow you to disconnect from, and then reconnect to, the current database. When prompted, you can provide the CMS with the new password.

• If you want to select and initialize an empty database for BusinessObjects Enterprise, these steps allow you to select that new data source.

• If you have restored a CMS database from backup (using your standard database administration tools and procedures) in a way that renders the original database connection invalid, you will need to reconnect the CMS to the restored database. (This might occur, for instance, if you restored the original CMS database to a newly installed database server.)



Note: These steps are essentially the same as adding a CMS to an existing cluster; in this case, however, there are no other CMS machines already maintaining the database. For complete details about CMS clusters, see “Clustering Central Management Servers” on page 87.

To select a new or existing database for a CMS on Windows1. Use the CCM to stop the Central Management Server.2. With the CMS selected, click Specify CMS Data Source on the toolbar.

The CMS Database Setup dialog box appears.

3. Click Select a Data Source; then click OK.4. In the Select Database Driver dialog box, specify whether you want to connect

to the new database through ODBC, or through one of the native drivers.5. Click OK.6. The remaining steps depend upon the connection type you selected:

• If you selected ODBC, the Windows “Select Data Source” dialog box appears. Select the ODBC data source that you want to use as the CMS database; then click OK. (Click New to configure a new DSN.) When prompted, provide your database credentials and click OK.

• If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK.


7. Click OK.8. Start the Central Management Server.


Setting root directories and idle times of the File Repository Servers
The Properties tabs of the Input and Output File Repository Servers enable you to change the locations of the default root directories. These root directories contain all of the report objects and instances on the system. You may change these settings if you want to use different directories after installing BusinessObjects Enterprise, or if you upgrade to a different drive (thus rendering the old directory paths invalid).Note: • The Input and Output File Repository Servers must not share the same root

directory, because modifications to the files and subdirectories belonging to one server could have adverse effects on the other server. In other words, if the Input and Output File Repository Servers share the same root directory, then one server might damage files belonging to the other.

• If you run multiple File Repository Servers, all Input File Repository Servers must share the same root directory, and all Output File Repository Servers must share the same root directory (otherwise there is a risk of having inconsistent instances).

• It is recommended that you replicate the root directories using a RAID array or an alternative hardware solution.

• The root directory should be on a drive that is local to the server.You can also set the maximum idle time of each File Repository Server. This setting limits the length of time that the server waits before it closes inactive connections. Before you change this setting, it is important to understand that setting a value too low can cause a user's request to be closed prematurely. Setting a value that is too high can result the uneasier consumption of system resources such as processing time and disk space.

To modify settings for a File Repository Server1. Go to the Servers management area of the CMC.2. Click the link to the File Repository Server you want to change.

By default, the File Repository Servers are named Input and Output, respectively. If you run multiple instances of each server, their names should be prefixed with “Input.” and “Output.” as appropriate.

3. Make your changes on the Properties tab.In this example, the Input File Repository Server is set to use D:\InputFRS\ as its root directory. The server will remain idle for a maximum of 15 minutes.



4. Click either Apply or Update:• Click Apply to submit changes and restart the server so that the

changes take effect immediately.• Click Update to save the changes. You must restart the server for the

changes to take effect.

Modifying Cache Server performance settingsThe Properties tab of the Cache Server allows you to set the location of the cache files, the maximum cache size, the maximum number of simultaneous processing threads, the number of minutes before an idle job is closed, and the number of minutes between refreshes from the database.

To modify Cache Server performance settings1. Go to the Servers management area of the CMC.2. Click the link to the Cache Server whose settings you want to change. 3. Make your changes on the Properties tab.

In this example, the Cache Server retains most of the default settings, but the “Maximum Simultaneous Processing Threads” is increased to 50.



4. Click either Apply or Update:• Click Apply to submit changes and restart the server so that the

changes take effect immediately.• Click Update to save the changes. You must restart the server for the

changes to take effect.Location of the Cache FilesThe “Location of the Cache Files” setting specifies the absolute path to the directory on the Cache Server machine where the cached report pages (.epf files) are stored.Note: The cache directory must be on a drive that is local to the server.Maximum Cache Size AllowedThe “Maximum Cache Size Allowed” setting limits the amount of hard disk space (in KBytes) that is used to cache reports. When the Cache Server has to handle large numbers of reports, or reports that are especially complex, a larger cache size is needed. The default value is 5000 Kbytes, which is large enough to optimize performance for most installations.Maximum Simultaneous Processing ThreadsThe “Maximum Simultaneous Processing Threads” setting limits the number of concurrent reporting requests that the Cache Server processes. The default value is set to “Automatic”, and is acceptable for most, if not all, reporting scenarios. With this setting, the Cache Server sets the maximum number of threads using the number of processors in your system as a guide. If your Cache Server responds slowly under high load, and resource utilization on the machine is high (that is, either memory usage is high or CPU utilization is high, particularly in the kernel), you may wish to decrease the number of threads to improve performance. If the Cache Server is slow under high load but CPU utilization is low, increasing the number of threads may improve performance. However, the ideal setting for your reporting environment is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.Minutes Before an Idle Connection is ClosedThe “Minutes Before an Idle Connection is Closed” setting alters the length of time that the Cache Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a



value too low can cause a user’s request to be closed prematurely, and setting a value that is too high can cause requests to be queued while the server waits for idle jobs to be closed.Oldest On-Demand Data Given To a Client (in minutes)The “Oldest On-Demand Data Given To a Client (in minutes)” setting determines how long cached report pages are used before new data is requested from the database. This setting is respected for report instances with saved data, and for report objects that do not have on-demand subreports or parameters and that do not prompt for database logon information. Generally, the default value of 15 minutes is acceptable: as with other performance settings, the optimal value is largely dependent upon your reporting requirements.Viewer Refresh Always Yields Current DataWhen enabled, the “Viewer Refresh Always Yields Current Data” setting ensures that, when users explicitly refresh a report, all cached pages are ignored, and new data is retrieved directly from the database. When disabled, this setting prevents users from retrieving new data more frequently than is permitted by the time specified in the “Minutes Between Refreshes from Database” setting.

Modifying the polling time of the Event ServerThe Properties tab of the Event Server allows you to change the frequency with which the Event Server checks for file events. This “File Polling Interval in Seconds” setting determines the number of seconds that the server waits between polls. The minimum value is 1 (one). It is important to note that, the lower the value, the more resources the server requires.Tip: On Windows, you can also change this setting in the CCM. Stop the Event Server and view its Properties. Then click the Configuration tab.

To modify the polling time1. Go to the Servers management area of the CMC.2. Click the link to the Event Server whose settings you want to change. 3. Make your changes on the Properties tab.

The value that you type must be 1 or greater.4. Click Update.5. Return to the Servers management area of the CMC.


Managing and Configuring ServersConfiguring the processing tier5
Configuring the processing tier
This section includes technical information and procedures that show how you can modify settings for the BusinessObjects Enterprise servers that make up the processing tier. The processing tier includes different job servers, Page Servers, Report Application Servers, and Web Intelligence Job Servers and Web Intelligence Report Servers.

The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements.Configuring the processing tier includes:• “Modifying Page Server performance settings” on page 106• “Modifying database settings for the RAS” on page 109• “Modifying performance settings for the RAS” on page 111• “Modifying performance settings for job servers” on page 112• “Configuring the Web Intelligence Report Server” on page 113• “Configuring the destinations for job servers” on page 116• “Configuring Windows processing servers for your data source” on

page 123

Modifying Page Server performance settingsThe Properties tab of the Page Server in the Central Management Console lets you set the location of temporary files, the maximum number of simultaneous report jobs, the minutes before an idle connection is closed, the minutes before a processing job is closed, the number of database records to read when previewing or refreshing a report, the oldest processed data to give a client, and when to disconnect from the report job database.


Managing and Configuring ServersConfiguring the processing tier 5

To modify Page Server performance settings1. Go to the Servers management area of the CMC.2. Click the link to the Page Server whose settings you want to change.3. Make your changes on the Properties tab.4. Click either Apply or Update:

• Click Apply to submit changes and restart the server so that the changes take effect immediately.

• Click Update to save the changes. You must restart the server for the changes to take effect.

Location of Temp FilesThe “Location of Temp Files” setting specifies the absolute path to a directory on the Page Server machine.This directory must have plenty of free hard disk space. If not enough disk space is available, job processing may be slower than usual, or job processing may fail.Maximum Simultaneous Report JobsThe “Maximum Simultaneous Report Jobs” setting limits the number of concurrent reporting requests that any single Page Server processes. The default value of 75 is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your



reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.Minutes Before an Idle Connection is ClosedThe “Minutes Before an Idle Connection is Closed” setting alters the length of time that the Page Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a user’s request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary.Minutes before an Idle Report Job is ClosedThe “Minutes before an Idle Report Job is Closed” setting alters the length of time that the Page Server keeps a report job active. Before you change this setting, it is important to understand that setting a value too low can cause a user’s request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary. (Note that this setting works in conjunction with the “Report Job Database Connection” setting.)Database Records to Read When Previewing Or Refreshing a ReportThe “Database Records to Read When Previewing Or Refreshing a Report” area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is useful when you want to prevent users from running on-demand reports containing queries that return excessively large record sets. You may prefer to schedule such reports, both to make the reports available more quickly to users and to reduce the load on your database from these large queries. Oldest On-Demand Data Given to a Client (in minutes)

The “Oldest On-Demand Data Given To a Client (in minutes):” setting controls how long the Page Server uses previously processed data to meet requests. If the Page Server receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the Page Server will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information. When setting the value of the “oldest processed data given to a client” consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0.



Viewer Refresh Always Yields Current DataWhen enabled, the “Viewer Refresh Always Yields Current Data” setting ensures that, when users explicitly refresh a report, all previously processed data is ignored, and new data is retrieved directly from the database. When disabled, the setting ensures that the Page Server will treat requests generated by a viewer refresh in exactly the same way as it treats as new requests.Report Job Database ConnectionThe “Report Job Database Connection” settings can be used to make a trade-off between the number of database licenses you use and the performance you can expect for certain types of reports. If you select “Disconnect when all records have been retrieved or the job is closed”, the Page Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that Page Server stays connected to your database server, and therefore limits the number of database licenses consumed by the Page Server. However, if the Page Server needs to reconnect to the database to generate an on-demand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected “Disconnect when the job is closed”. (The latter option ensures that Page Server stays connected to the database server until the report job is closed. Note that you can set the “Minutes before a Report Job is Closed” above.)

Modifying database settings for the RASThe Database tab of the Report Application Server (RAS) in the Central Management Console lets you modify the way the server runs reports against your databases.

To modify database interaction settings for the RAS1. Go to the Servers management area of the CMC.2. Click the link to the RAS whose settings you want to change.3. Make your changes on the Database tab.4. Click either Apply or Update:





Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Database.Number of database records to read when previewing or refreshing a reportThe “Number of database records to read when previewing or refreshing a report” area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is particularly useful if you provide users with ad hoc query and reporting tools, and you want to prevent them from running queries that return excessively large record sets.When the RAS retrieves records from the database, the query results are returned in batches. The “Number of records per batch” setting allows you to determine the number of records that are contained in each batch. The batch size cannot be equal to or less than zero.Number of records to browseThe “Number of records to browse” setting allows you to specify the number of distinct records that will be returned from the database when browsing through a particular field’s values. The data will be retrieved first from the client’s cache—if it is available—and then from the server’s cache. If the data is not in either cache, it is retrieved from the database.Oldest on-demand data given to a client (in minutes)The “Oldest on-demand data given to a client (in minutes)” setting controls how long the RAS uses previously processed data to meet requests. If the RAS receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the RAS will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information. When setting the value of the “oldest on-demand data given to a client” consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0. This is the default on the RAS, to support the data needs of users performing ad hoc reporting.Report Job Database ConnectionThe “Report Job Database Connection” settings can be used to make a trade-off between the number of database licenses you use and the performance you can expect for certain types of reports.



If you select “Disconnect when all records have been retrieved or the job is closed”, the Report Application Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that RAS stays connected to your database server, and therefore limits the number of database licenses consumed by the RAS.However, if the RAS needs to reconnect to the database to generate an on-demand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected “Disconnect when the job is closed”. (The latter option ensures that RAS stays connected to the database server until the report job is closed.)

Modifying performance settings for the RASThe Server tab of the Report Application Server (RAS) in the Central Management Console allows you to modify the number of minutes before an idle connection is closed, and the maximum number of simultaneous processing threads.Note: The RAS server must have been installed and configured in order to use the List of Values Job Server. For more information, see “Processing tier” on page 58.

To modify performance settings for the RAS1. Go to the Servers management area of the CMC.2. Click the link to the RAS whose settings you want to change.3. Make your changes on the Server tab.4. Click either Apply or Update:



Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Server.Minutes Before an Idle Connection is ClosedThe “Minutes Before an Idle Connection is Closed” setting alters the length of time that the RAS waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a user’s request to be closed prematurely, and setting a value



that is too high can affect the server’s scalability (for instance, if the ReportClientDocument object is not closed explicitly, the server will be waiting unnecessarily for an idle job to close).Maximum Simultaneous Report JobsThe “Maximum Simultaneous Report Jobs” setting limits the number of concurrent reporting requests that a RAS processes. The default value is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way.It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.

Modifying performance settings for job serversBy default, the job servers run jobs as independent processes rather than as threads. This method allows for more efficient processing of large, complex reports.Use the following procedure to modify the performance settings for any of the job servers, that is the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, and the Web Intelligence Job Server.

To modify performance settings for job servers1. Go to the Servers management area of the CMC.2. Click the link to the job server whose settings you want to change. 3. Make your changes on the Properties tab.4. Click Update.5. Return to the Servers management area of the CMC.Maximum Jobs AllowedThe “Maximum Jobs Allowed” setting limits the number of concurrent independent processes (child processes) that the server allows—that is, it limits the number of scheduled objects that the server will process at any one time. You can tailor the maximum number of jobs to suit your reporting environment.



The default “Maximum Jobs Allowed” setting is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.Temp DirectoryYou can also change the default directory where the server stores its temporary files.

Configuring the Web Intelligence Report ServerUse the following procedure to configure the performance settings for the Web Intelligence Report Server.

To modify performance settings for the Web Intelligence report server1. Go to the Servers management area of the CMC.2. Click the link to the Web Intelligence Report Server whose settings you

want to change. 3. Make your changes on the Properties tab.4. Click either Apply or Update:



5. Return to the Servers management area of the CMC and restart the Job Server.



Maximum Simultaneous ConnectionsThe maximum number of simultaneous connections that the server allows at one time, from sources such the Web Intelligence SDK or the Web Intelligence Job Server. If this limit is reached, the user will receive an error message, unless another server is available to handle the request.Connection Time OutThe number of minutes before an idle connection to the Web Intelligence Report Server will be closed.List of Values Batch SizeThe maximum number of values that can be returned per list of values batch. For example, if the number of values in a list of values exceeds this size, then the list of values will be returned to the user in several batches of this size or less.The minimum value that you can enter is 10. Although there is no limit on the maximum value, Business Objects recommends that you limit it to 30000.Universe Cache SizeThe number of universes to be cached on the Web Intelligence Report Server.List of Values CachingEnables or disables caching per user session of list of values in Web Intelligence Report Server. The default is for the feature to be on.



Enable Viewing CachingWhen this parameter is on, real-time caching is possible for Web Intelligence documents when they are viewed, or when they are generated as a result of having been run as a scheduled job.When this parameter is off both real-time caching of Web Intelligence documents and viewing of cached Web Intelligence documents is impossible.Real-time caching is done only if both this parameter and the Enable Real Time Caching parameters are on.Enable Real Time CachingWhen this parameter is on, the Web Intelligence Report Server caches Web Intelligence documents when the documents are viewed. The server also caches the documents when they are run as a scheduled job, provided the pre-cache was enabled in the document.When the parameter is off, the Web Intelligence Report Server does not cache the Web Intelligence documents when the documents are viewed. Nor does it cache the documents when they are run as a scheduled job.This parameter is taken into account only when the Enable Viewing Caching is set to on.Note: To improve system performance, set the Maximum Number Of Downloaded Documents To Cache to zero when this option is selected, but enter a value for Maximum Number Of Downloaded Documents To Cache when this option deselected.Document Cache DurationThe amount of time (in minutes) that content is stored in cache.Document Cache SizeThe size (in kilobytes) of the document cache.Amount of Cache To Keep When Document Cache is FullIf the storage size is bigger than the allocated storage size, the system will delete documents with the oldest “last accessed time.” Then if the cache size is still exceeds the maximum storage size, the Web Intelligence Report Server will clean up the cache until the amount of cache percentage is reached.Document Cache Scan IntervalThe number of minutes that the system waits before checking the document cache for cleanup.Maximum Number of Downloaded Documents To CacheThe number of Web Intelligence documents that can be stored in cache.



Note: To improve system performance, set this value to zero when Enable Real Time Caching is selected, but enter a value when Enable Real Time Caching is deselected.

Configuring the destinations for job serversBy default, when the system runs a scheduled report or a program object, it stores the output instance it creates on the Output File Repository Server (FRS). However, you can specify a different destination. If you do, the system will store one output instance on the Output FRS, and one at the specified destination.You also specify a destination when you use the Send to feature, which sends an existing object to a specified destination.In order for the system to work with destinations other than the default, the destination must have been enabled and configured on the respective job server.For example, to be able to schedule a report object for output to an unmanaged disk, you have to enable and configure the Unmanaged Disk destination on the Job Server. To send a report instance by email, you have to configure the Email (SMTP) destination on the Destination Job Server.Configuring destinations for job servers includes:• “Enabling or disabling destinations for job servers” on page 116• “Configuring the destination properties for job servers” on page 117For information about selecting destinations for objects see:• “Selecting a destination” on page 465• “Sending an object or instance” on page 406

Enabling or disabling destinations for job serversThis procedure applies to the Job Server, Program Job Server, Destination Job Server, List of Values Job Server, and Web Intelligence Job Server.For a job server to store output instances in a destination other than the default, you have to enable and configure the other destinations on the job servers. See also “Configuring the destination properties for job servers” on page 117.Note: On the Destination Job Server, the Inbox destination is enabled by default. This allows you to use the “Send to” feature and to distribute reports to users within the BusinessObjects Enterprise system. If you want, you can enable and configure additional destinations on the Destination Job Server.



To enable or disable destinations for a job server1. Go to the Servers management area of the CMC.2. Click the link for the job server for which you want to enable or disable a

destination.3. Select the check box for each destination you want to support.4. Click Enable.

To disable destinations, click Disable. When a destination is disabled a red circle is shown beside the name.

5. If you enabled the destination, you must also configure the destination. See “Configuring the destination properties for job servers” on page 117.

Configuring the destination properties for job serversThis procedure applies to the Job Server, Program Job Server, Destination Job Server, List of Values Job Server, and Web Intelligence Job Server.For a job server to store output instances in a destination other than the default, you have to enable and configure the other destinations on the job servers. See also “Enabling or disabling destinations for job servers” on page 116.

To set the destination properties for a job server1. Go to the Servers management area of the CMC.2. Click the link for the job server whose setting you want to change.3. Click the Destinations tab.4. Click the link for the destination whose setting you want to set, for

example, FTP.5. Set the properties for the destination. For information about the

properties for each destination, see:• “Inbox destination properties” on page 118• “Unmanaged Disk destination properties” on page 122• “FTP destination properties” on page 121• “Email (SMTP) destination properties” on page 119

6. Click Update.7. Make sure the destination has been enabled. See “Enabling or disabling

destinations for job servers” on page 116.


Inbox destination properties
The Inbox destination stores an object or instance in the user inboxes on the BusinessObjects Enterprise system. A user inbox is automatically created when you add a user. For more information, see “Configuring the destination properties for job servers” on page 117 and “Controlling access to user inboxes” on page 338.Note: On the Destination Job Server, the Inbox destination is enabled by default. This allows you to use the “Send to” feature and to distribute reports to users within the BusinessObjects Enterprise system. If you want, you can enable and configure additional destinations on the Destination Job Server.

Send document asSelect the option you want:• Shortcut—The systems sends a shortcut to the specified destination.• Copy—The system sends a copy of the instance, for example, the .rpt

file, to the destination.Send ListSpecify which users or user groups you want to receive instances that have been generated or processed by the job server.



Email (SMTP) destination propertiesIn this example, the SMTP server resides in the businessobjects.com domain. Its name is EMAIL_SERV and it is listening on the standard SMTP port. Plain text authentication is being used, and an account called BusinessObjectsJobAccount has been created on the SMTP server for use by the Job Server.

See also “Configuring the destination properties for job servers” on page 117.Domain NameEnter the fully qualified domain of the SMTP server.Server NameEnter the name of the SMTP server.PortEnter the port that the SMTP server is listening on. (This standard SMTP port is 25.)AuthenticationSelect Plain or Login if the job server must be authenticated using one of these methods in order to send email.SMTP User NameProvide the Job Server with a user name that has permission to send email and attachments through the SMTP server.SMTP PasswordProvide the Job Server with the password for the SMTP server.



FromProvide the return email address. Users can override this default when they schedule an object.To, Cc, Subject, and MessageSet the default values for users who schedule reports to this SMTP destination. Users can override these defaults when they schedule an object.Add viewer hyperlink to message bodyClick Add if you want to add the URL for the viewer in which you want the email recipient to view the report. You can set the default URL by clicking Object Settings on the main page of the Objects management area of the CMC. If you send a hyperlink, the email recipient must log on to BusinessObjects Enterprise to see the report.)Users can override this default when they schedule an object.Attach report instance to email messageClear this check box if you do not want to attach a copy of the report or program instance attached to the email. Users can override these defaults when they schedule an object.Default File Name (randomly generated)Select this option if you want BusinessObjects Enterprise to generate a random file name.Specified File NameSelect this option if you want to enter a file name. You can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add.Add file extensionAdds the .%EXT% extension to the specified filename. This is similar to selecting File Extension from the list and clicking Add. By adding an extension to the file name, Windows will know which program to use to open the file when users want to view the file.



FTP destination propertiesIn this example, reports scheduled to this destination are randomly named and uploaded to the ftp.businessobjects.com site.

See also “Configuring the destination properties for job servers” on page 117.HostEnter your FTP host information.PortEnter the FTP port number (the standard FTP port is 21).FTP User NameSpecify a user who has the necessary rights to upload a report to the FTP server.FTP PasswordEnter the user’s password.AccountEnter the FTP account information, if required.Account is part of the standard FTP protocol, but it is rarely implemented. Provide the appropriate account only if your FTP server requires it.



Destination DirectoryEnter the FTP directory that you want the object to be saved to. A relative path is interpreted relative to the root directory on the FTP server.Default File Name (randomly generated)Select this option if you want BusinessObjects Enterprise to generate a random file name.Specified File NameSelect this option if you want to enter a file name—you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add.

Unmanaged Disk destination propertiesAn unmanaged disk is disk on a system outside the BusinessObjects Enterprise system. See also “Configuring the destination properties for job servers” on page 117.

Destination DirectoryType the absolute path to the directory. The directory can be on a local drive of the Job Server machine, or on any other machine that you can specify with a UNC path.Default File Name (randomly generated)Select this option if you want BusinessObjects Enterprise to generate a random file name.



Specified File NameSelect this option if you want to specify a file name—you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. When each instance runs, the variable is replaced with the appropriate information. For example, when you add the variable “Owner,” the file name of each object includes the object owner’s name.User NameSpecify a user who has permission to write files to the destination directory.PasswordType the password for the user.In this example, the destination directory is on a network drive that is accessible to the Job Server machine through a UNC path. Each file name will be randomly generated, and a user name and password have been specified to grant the Job Server permission to write files to the remote directory.

Configuring Windows processing servers for your data sourceWhen started on Windows, the report processing servers by default log on to the local system as services with the Windows “LocalSystem” account. This account determines the permissions that each service is granted on the local machine. This account does not grant the service any network permissions.In the majority of cases, this account is irrelevant in relation to the server’s task of processing reports against your data source. (The database logon credentials are stored with the report object.) Thus, you can usually leave each server’s default logon account unchanged or, if you prefer, you can change it to a Windows user account with the appropriate permissions.However, there are certain cases when you must change the logon account used by the processing servers. These cases arise either because the server needs additional network permissions to access the database, or because the database client software is configured for a particular Windows user account. This table lists the various database/ driver combinations and shows when you must complete additional configuration.Tip: Running a service under an Administrator account does not inadvertently grant administrative privileges to another user, because users cannot impersonate services.For details on changing the user accounts, see “Changing the server user account” on page 130. For a complete list of supported databases and drivers, refer to the platform.txt file included with your installation.


Managing and Configuring ServersLogging server activity5
Logging server activity
BusinessObjects Enterprise allows you to log specific information about BusinessObjects Enterprise web activity. For details on locating and customizing the web activity logs, see “Configuring the Web Component Adapter” on page 84.In addition, each of the BusinessObjects Enterprise servers is designed to log messages to your operating system’s standard system log.Each server also logs assert messages to the logging directory of your product installation. The programmatic information logged to these files is typically useful only to Business Objects support staff for advanced debugging purposes. The location of these log files depends upon your operating system:• On Windows, the default logging directory is C:\Program

Files\Business Objects\BusinessObjects Enterprise 11\Logging

The important point to note is that these log files are cleaned up automatically, so there will never be more than approximately 1 MB of logged data per server.

Advanced server configuration optionsThis section includes additional configuration tasks that you may want to perform, depending upon your reporting environment. It includes:• “Changing the default server port numbers” on page 124• “Configuring a multihomed machine” on page 127• “Adding and removing Windows server dependencies” on page 128• “Changing the server startup type” on page 129• “Changing the server user account” on page 130• “Configuring servers for SSL” on page 130

Changing the default server port numbersDuring installation, the CMS is set up to use default port numbers. The default CMS port number is 6400. This ports fall within the range of ports reserved by Business Objects (6400 to 6410). Thus, BusinessObjects Enterprise communication on these ports should not conflict with third-party applications that you have in place. (Although unlikely, it is possible that your custom applications use these ports. If so, you can change the default CMS port.)


Managing and Configuring ServersAdvanced server configuration options 5

The Web Component Adapter is not a server. However, you can configure its listening port by changing the connection.listeningPort context parameter in web.xml. See “Configuring the Web Component Adapter” on page 84.When started and enabled, each of the other BusinessObjects Enterprise servers dynamically binds to an available port (higher than 1024), registers with this port on the CMS, and then listens for BusinessObjects Enterprise requests. If necessary, you can instruct each server component to listen on a specific port (rather than dynamically selecting any available port). On Windows, you view and modify server command lines with the CCM. The Command field appears on each server’s Properties tab. This table summarizes the command-line options as they relate to port usage for specific server types. For more information, see Appendix E: Server Command Lines.

Before modifying any port numbers, consider the following:• CMS port number, you must change the -ns option in every other

server’s command line, to ensure that each server connects to the appropriate port of the CMS. (The -ns option stands for “nameserver.” The CMS functions as the nameserver in BusinessObjects Enterprise, because it maintains a list that includes the host name and port number of each server that is started, enabled, and thus available to accept BusinessObjects Enterprise requests.) You must also set the name and port number of the CMS with the connection.cms context parameter in web.xml. See “Configuring the Web Component Adapter” on page 84.

Option CMS Other Servers-port Specifies the primary

BusinessObjects Enterprise port on which the CMS listens for requests from all other servers. The default is 6400.

Used only in multihomed environments or for certain NAT firewall environments. In both cases, specify -port interface only. (-port number has no meaning for these servers).

-requestPort Specifies the secondary port that the CMS uses for identifying other servers and for registering with itself and/or a cluster. Selected dynamically if unspecified.

Specifies the port on which the server listens for BusinessObjects Enterprise requests. The server registers this port with the CMS. Selected dynamically if unspecified.

-ns n/a Specifies the CMS that the server will register with.


Managing and Configuring ServersAdvanced server configuration options5

• If you are working with multihomed machines or in certain NAT firewall configurations, you may wish to specify -port interface:number for the CMS and -port interface for the other servers. For details, see “Configuring a multihomed machine” on page 127 or “Configuring for Network Address Translation” on page 178.

• On Windows, the CCM displays default port numbers on each server’s Configuration tab. This displayed port corresponds to the -port option. For servers other than the CMS, this default port is not actually in use (each server registers its -requestPort number with the CMS instead).

To change the default CMS port for BusinessObjects Enterprise servers1. Use the CCM (on Windows) or ccm.sh (on UNIX) to stop all the

BusinessObjects Enterprise servers.2. Add (or modify) the following option in the CMS command line:

-port number

Replace number with the port that you want the CMS to listen on. (The default port is 6400.)

3. Add (or modify) the following option in the command line of all of the remaining non-CMS BusinessObjects Enterprise servers:-ns hostname:number

Replace hostname with the host name of the machine that is running the CMS. The host name must resolve to a valid IP address within your network. Replace number with the port that the CMS is listening on.

4. Start and enable all the BusinessObjects Enterprise servers.The CMS begins listening on the port specified by number, and the non-CMS servers broadcast to that port when attempting to register with the CMS.

5. Set the name and port number of the CMS with the connection.cms context parameter in web.xml. See “Configuring the Web Component Adapter” on page 84.

To change the port a server registers with the CMS1. Use the CCM (on Windows) or ccm.sh (on UNIX) to stop the server.2. Add (or modify) the following option in the server’s command line:

-requestPort number

Replace number with the port that you want the server to listen on.3. Start and enable the server.The server binds to the new port specified by number. It then registers with the CMS and begins listening for BusinessObjects Enterprise requests on the new port.



By default, each server registers itself with the CMS by IP address, rather than by name. This typically provides the most reliable behavior. If you need each server to register with the CMS by fully qualified domain name instead, use the -requestPort option in conjunction with -port interface (where interface is the server’s fully qualified domain name). Having the servers register by name can be useful if a NAT firewall resides between the server and the CMS. For more information, see “Configuring for Network Address Translation” on page 178.You may also need to specify -port interface when BusinessObjects Enterprise is running on a multihomed machine.

Configuring a multihomed machineA multihomed machine is one that has multiple network addresses. You may accomplish this with multiple network interfaces, each with one or more IP addresses, or with a single network interface that has been assigned multiple IP addresses.If you have multiple interface cards, each with a single IP address, change the binding order so that the card at the top of the binding order is the one you want the BusinessObjects Enterprise servers to bind to. If your interface card has multiple IP addresses, use the -port command-line option to specify a IP address for the BusinessObjects Enterprise server. Tip: This section shows how to restrict all servers to the same network address, but it is possible to bind individual servers to different addresses. For instance, you might want to bind the File Repository Servers to a private address that is not routable from users’ machines. Advanced configurations such as this require your DNS configuration to route communications effectively between all the BusinessObjects Enterprise server components. In this example, the DNS must route communications from the other BusinessObjects Enterprise servers to the private address of the File Repository Servers.

Configuring the CMS to bind to a network addressWhen you use the -port command-line option to configure the CMS to bind to a specific IP address, you must also include the port number these servers use (even if the server is using the default port). Add the following option to both of their command lines:-port interface:port

If the machine has multiple network interfaces, interface can be the fully qualified domain name or the IP address of the interface that you want the server to bind to. If the machine has a single network interface, interface must be the IP address that you want the server to bind to.



Note: • To retain the default port numbers, replace port with 6400 for the CMS.

If you change the default port numbers, you will need to make additional configuration changes. For details, see “Changing the default server port numbers” on page 124.

• To configure the WCA, use interface:port when setting the connection.listeningPort context parameter in web.xml. (See “Configuring the Web Component Adapter” on page 84.)

Configuring the remaining servers to bind to a network addressThe remaining BusinessObjects Enterprise servers select their ports dynamically by default, so you need only add the following option to their command lines:-port interface

Replace interface with the same value that you specified for the CMS. Ensure that each server’s -ns parameter points to the CMS, and that the DNS resolves the value to the appropriate network address.

Adding and removing Windows server dependenciesWhen installed on Windows, each server in BusinessObjects Enterprise is dependent on at least three services: the Event Log, NT LM Security Support Provider, and Remote Procedure Call (RPC) services. If you are having problems with a server, check to ensure that all three services appear on the server’s Dependency tab.

To add and remove server dependencies1. Use the CCM to stop the server whose dependencies you want to modify.2. With the server selected, click Properties on the toolbar.3. Click the Dependency tab.



As shown here, at least three services should be listed: Event Log, NT LM Security Support Provider, and Remote Procedure Call (RPC).

4. To add a dependency to the list, click Add.The Add Dependency dialog box provides you with a list of all available dependencies. Select the dependency or dependencies, as required, and then click Add.

5. To remove a dependency from the list, select it and click Remove.6. Click OK.7. Restart the server.

Changing the server startup typeWhen installed on Windows, each server is configured to start automatically. As with other Windows services, there are three startup types:• Automatic starts the server each time the machine is started.• Manual requires you to start the server before it will run.• Disabled requires you to change the startup type to automatic or manual

before it can run.



To change the server startup type on Windows1. Start the CCM.2. Stop the server whose startup type you want to modify.3. With the server selected, click Properties on the toolbar.4. Click the Startup Type list and select Automatic, Disabled, or Manual.5. Click OK.6. Restart the server.

Changing the server user accountIf the incorrect user account is running on a server on Windows, change it in the Central Configuration Manager (CCM). Tip: The Program Job Server must be configured to use the Local System account, or a user account that has the right “Act as part of the operating system”.

To change a server’s user account1. Use the CCM to stop the server.2. Click Properties.3. Clear the System Account check box.4. Enter the Windows user name and password information.

When started, the server process will log on to the local machine with this user account. In addition, all reports processed by this server will be formatted using the printer settings associated with the user account that you enter.

5. Click Apply, and then click OK.6. Start the server.

Configuring servers for SSLYou can use the Secure Sockets Layer (SSL) protocol for all network communication between clients and servers in your BusinessObjects Enterprise deployment.To set up SSL for all server communication you need to perform the following steps:• Deploy BusinessObjects Enterprise with SSL enabled. • Create key and certificate files for each machine in your deployment.



• Configure the location of these files in the Central Configuration Manager (CCM) and your web application server.

Creating key and certificate filesTo set up SSL protocol for your se.rver communication, use the SSLC command line tool to create a key file and a certificate file for each machine in your deployment. Note: For more information about using the SSLC command line tool, consult the SSLC documentation.

To create key and certificate files for a machine1. Run the SSLC.exe command line tool.

The SSLC tool is installed with your BusinessObjects Enterprise software. (On Windows, for example, it is installed by default in C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86.)

2. Type the following command:sslc req -config sslc.cnf -new -out cacert.req

This command creates two files, a Certificate Authority (CA) certificate request (cacert.req) and a private key (privkey.pem).

3. To decrypt the private key, type the following command:sslc rsa -in privkey.pem -out cakey.pem

This command creates the decrypted key, cakey.pem.4. To sign the CA certificate, type the following command:

sslc x509 -in cacert.req -out cacert.pem -req -signkey cakey.pem -days 365

This command creates a self-signed certificate, cacert.pem, that expires after 365 days. Choose the number of days that suits your security needs.

5. Open the sslc.cnf file, stored in the same folder as the SSLC command line tool. Perform the following steps based on settings in the sslc.cnf file.• Place the cakey.pem and cacert.pem files in the directories specified

by sslc.cnf file's certificate and private_key options.By default, the settings in the sslc.cnf file are:certificate = $dir/cacert.pem

private_key = $dir/private/cakey.pem

• Create a file with the name specified by the sslc.cnf file's database setting.



Note: By default, this file is $dir/index.txt. The file can be empty.• Create a file with the name specified by the sslc.cnf file's serial

setting. Ensure that this file provides an octet-string serial number (in hexadecimal format). Note: To ensure that you can create and sign more certificates, choose a large number, such as 11111111111111111111111111111111.)

• Create the directory specified by the sslc.cnf file's new_certs_dir setting.

6. To create a certificate request and a private key, type the following command:sslc req -config sslc.cnf -new -out servercert.req

7. Make a copy of the private keycopy privkey.pem server.key

8. To sign the certificate with the CA certificate, type the following command:sslc ca -config sslc.cnf -days 365 -out servercert.pem -in servercert.req

This command creates the servercert.pem file, which contains the signed certificate.

9. Use the following commands to convert the certificates to DER encoded certificates:sslc x509 -in cacert.pem -out cacert.der -outform DER

sslc x509 -in servercert.pem -out servercert.der -outform DER

10. Create a text file for storing the plain text passphrase used for decrypting the generated private key.

11. Store the following key and certificate files in a secure location (under the same directory) that can be accessed by the machines in your BusinessObjects Enterprise deployment:• the trusted certificate file (cacert.der)• the generated server certificate file (servercert.der)• the server key file (server.key)• the passphrase fileThis location will be used to configure SSL for the CCM and your web application server.



Configuring the SSL protocolAfter you create keys and certificates for each machine in your deployment, and store them in a secure location, you need to provide the Central Configuration Manager (CCM) and your web application server with the secure location.

To configure the SSL protocol in the CCM1. In the CCM, right-click a server and choose Properties.2. In the Properties dialog box, click the Protocol tab.3. Provide the file path for the directory where you stored the key and

certificate files.Note: Make sure you provide the directory for the machine that the server is running on.

4. Repeat steps 1 to 3 for all servers.

To configure the SSL protocol for the web application server1. If you have a J2EE web application server, run the Java SDK with the

following system properties set:-Dbusinessobjects.orb.oci.protocol=ssl -DcertDir=d:\ssl -DtrustedCert=cacert.der -DsslCert=clientcert.der -DsslKey=client.key -Dpassphrase=passphrase.txt

2. If you have an IIS web application server, run the sslconfig tool from the command line and follow the configuration steps.


Managing Server Groups

chapter

Managing Server GroupsServer group overview6
Server group overview
Server groups provide a way of organizing your BusinessObjects Enterprise servers to make them easier to manage. That is, when you manage a group of servers, you need only view a subset of all the servers on your system. More importantly, server groups are a powerful way of customizing BusinessObjects Enterprise to optimize your system for users in different locations, or for objects of different types.If you group your servers by region, you can easily set up default processing settings, recurrent schedules, and schedule destinations that are appropriate to users who work in a particular regional office. You can associate an object with a single server group, so the object is always processed by the same servers. And you can associate scheduled objects with a particular server group to ensure that scheduled objects are sent to the correct printers, file servers, and so on. Thus, server groups prove especially useful when maintaining systems that span multiple locations and multiple time zones.If you group your servers by type, you can configure objects to be processed by servers that have been optimized for those objects. For example, processing servers need to communicate frequently with the database containing data for published reports. Placing processing servers close to the database server that they need to access improves system performance and minimizes network traffic. Therefore, if you had a number of reports that ran against a DB2 database, you might want to create a group of Page Servers that process reports only against the DB2 database server. If you then configured the appropriate reports to always use this Page Server group for viewing, you would optimize system performance for viewing these reports.After creating server groups, configure objects to use specific server groups for scheduling, or for viewing and modifying reports. For details, see “Specifying servers for scheduling” on page 416 or “Specifying servers for viewing and modification” on page 418. You can change the status, obtain metrics, and configure your servers in the organize Server Groups area—just as you would in the organize Servers area. The only difference is that you see only the servers that you added to the server group.

Creating a server groupTo create a server group, you need to specify the name and description of the group, and then add servers to the group.


Managing Server GroupsCreating a server group 6

To create a server group1. Go to the Server Groups management area of the CMC.2. Click New Server Group.

The New Server Group Properties tab appears.

3. In the Server Group Name field, type a name for the new group of servers.

4. Use the Description field to include additional information about the group.5. Click OK.6. On the Servers tab, click Add/Remove Servers.7. Select the servers that you want to add to this group; then click the >

arrow.Tip: Use CTRL+click to select multiple servers.

8. Click OK.


Managing Server GroupsWorking with server subgroups6

This example adds the servers to a server group called Northern Office Servers.You are returned to the Servers tab, which now lists all the servers that you added to the group. You can now change the status, view server metrics, and change the properties of the servers in the group. For more information, see “Server management overview” on page 74.

Working with server subgroupsSubgroups of servers provide you with a way of further organizing your servers. A subgroup is just a server group that is a member of another server group.For example, if you group servers by region and by country, then each regional group becomes a subgroup of a country group. To organize servers in this way, first create a group for each region, and add the appropriate servers to each regional group. Then, create a group for each country, and add each regional group to the corresponding country group.There are two ways to set up subgroups: you can modify the subgroups of a server group, or you can make one server group a member of another. The results are the same, so use whichever method proves most convenient.

To add subgroups to a server group1. Go to the Server Groups management area of the CMC.2. Click the group that you want to add subgroups to.

This group is the parent group.3. On the Subgroups tab, click Add/Remove Groups.4. In the Available server groups list, select the server groups that you

want to add as subgroups; then click the > arrow.5. Click OK.

You are returned to the Subgroups tab, which now lists all the server groups that you added to the parent group.

To make one server group a member of another1. Go to the Server Groups management area of the CMC.2. Click the group that you want to add to another group.3. On the Member of tab, click the Member of button.4. In the Available server groups list, select the server groups that should

include your group as a member; then click the > arrow.


Managing Server GroupsModifying the group membership of a server 6

This example makes the Job Servers group a member subgroup of the Northern Office Servers group.

5. Click OK.You are returned to the “Member of” tab, which now lists all the server groups that the initial group is now a member of.

Modifying the group membership of a serverYou can modify a server’s group membership to quickly add the server to (or remove it from) any group or subgroup that you have already created on the system.For example, suppose that you created server groups for a number of regions. You might want to use a single Central Management Server (CMS) for multiple regions. Instead of having to add the CMS individually to each regional server group, you can click the server’s “Member of” link to add it to all three regions at once.

To modify a server’s group membership1. Go to the Servers management area of the CMC.2. Locate the server whose membership information you want to change. 3. In the Server Group column, click the server’s Member of link.

The “Member of” page lists any server groups that the server currently belongs to.

4. Click the Member of button.The “Modify Member Of” page appears.

5. Move server groups from one list to another to specify which groups the server is a member of.

6. Click OK.


Managing Server GroupsModifying the group membership of a server6


Scaling Your System

chapter

Scaling Your SystemScalability overview7
Scalability overview
The BusinessObjects Enterprise architecture is scalable in that it allows for a multitude of server configurations, ranging from stand-alone, single-machine environments, to large-scale deployments supporting global organizations. The flexibility offered by the product’s architecture allows you to set up a system that suits your current reporting requirements, without limiting the possibilities for future growth and expansion.This chapter details common scalability scenarios for administrators who want to expand beyond a stand-alone installation of BusinessObjects Enterprise. These three scenarios have received the most testing, and are recommended for the majority of deployments. For details, see “Common configurations” on page 143.It must be emphasized, however, that the optimal configuration for your deployment will vary depending upon your hardware configuration, your database software, and your reporting requirements. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment.Note: If you customize or expand your system beyond these common configurations without first contacting Business Objects Services, your deployment may not be officially supported.This chapter also provides the related procedures for adding and deleting servers from your BusinessObjects Enterprise installation. Follow these steps when you need to add server components to a machine that is already running BusinessObjects Enterprise.Tip: If you are adding new hardware to BusinessObjects Enterprise by installing server components on additional machines, run the BusinessObjects Enterprise installation and setup program. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that want to install on the local machine. For details, see the BusinessObjects Enterprise Installation Guide.


Scaling Your SystemCommon configurations 7

Common configurationsThis section details the common ways in which you should begin to scale, or expand, your BusinessObjects Enterprise system. The scenarios described are those that have been most thoroughly tested by Business Objects. As a baseline, this section assumes that you have not yet distributed the BusinessObjects Enterprise servers across multiple machines; however, this section does assume familiarity with the BusinessObjects Enterprise architecture, installation, and server configuration. For preliminary installation information, see the BusinessObjects Enterprise Installation Guide.Tip: If you are deploying multi-processor machines, you may also want to run one or more BusinessObjects Enterprise servers in multiple instances on that machine. For details, see “Adding a server” on page 153.This section describes the following common configurations:• “One-machine setup” on page 143• “Three-machine setup” on page 144• “Six-machine setup” on page 144

One-machine setupThis basic configuration separates the BusinessObjects Enterprise servers from the rest of your reporting environment and from your web server, and installs all BusinessObjects Enterprise servers on a single machine. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes. These are the general steps to setting up this configuration for the default Windows installation of BusinessObjects Enterprise:• Install all of the BusinessObjects Enterprise servers on a single,

dedicated machine.• Run the CMS database on your database server.

If you are still using the MSDE CMS database on Windows, migrate the CMS database to a supported database server. See the Platforms.txt file included with your product distribution for a list of supported database servers.

For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install your BusinessObjects Enterprise servers on the same machine as your Java web application server and the Web Component Adapter.


Scaling Your SystemCommon configurations7
Three-machine setup
This second configuration divides the BusinessObjects Enterprise processing load in a logical manner, based on the types of work performed by each server. In this way, you prevent the server components from having to compete with each other for the same hardware and processing resources. In addition, this scenario prepares your system for further expansion to provide redundancy. Note: It is recommended that you use three multi-processor machines (dual-CPU or better), with at least 2 GB RAM installed on each machine.These are the general steps to setting up this configuration for the default Windows installation of BusinessObjects Enterprise:• Install the CMS and the Event Server on one machine.

Tip: Here, the Event Server is installed on the same machine as the CMS. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.

• Install the application server, the Web Component Adapter and the Cache Server on the second machine.

• Install the Page Server, the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, the Web Intelligence Report Server, the Report Application Server (RAS), and the Input and Output File Repository Servers on the third machine.

For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install the Java web application server and the Web Component Adapter on the same machine as your Cache Server.Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.

Six-machine setupThis third configuration mirrors the three-machine setup. You maintain the logical breakdown of processing based on the types of work performed by each server, but you increase the number of available machines and servers for redundancy and fault-tolerance. For instance, if a server stops responding, or if you need to take one or two machines offline completely, you need not interrupt BusinessObjects Enterprise requests in order to service the system.


Scaling Your SystemCommon configurations 7

This tested configuration is designed to meet the reporting requirements of 85% of all deployment scenarios. If you have further requirements or more advanced configuration needs, contact your Business Objects sales representative for additional assistance.Note: It is recommended that you use six multi-processor machines (dual-CPU or better), with at least 2 GB RAM installed on each machine.These are the general steps to setting up this configuration for the default Windows installation of BusinessObjects Enterprise:• Install the three-machine setup first. Verify that BusinessObjects

Enterprise is functioning correctly. For details, see “Three-machine setup” on page 144.

• Install a second CMS/Event Server pair on the fourth machine. This machine must have a fast network connection (minimum 10 Mbps) to the CMS that you have already installed.Cluster the two CMS services, so they share the task of maintaining the CMS database. Ensure that each CMS accesses the CMS database in exactly the same manner (the same database client software, the same database user name and password, and so on).Tip: Here, the Event Server is installed on the same machine as the CMS. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.

• Install a second application server and Web Component Adapter on the fifth machine, along with a second Cache Server. Consult your web application server documentation for information on load-balancing and clustering your application servers.Ensure that the web.xml file is configured correctly for each WCA.

• Install a second Page Server, Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, Web Intelligence Report Server, and RAS on the remaining machine, along with a pair of Input and Output File Repository Servers.Ensure that all Page Servers and job servers, including the Web Intelligence Report Server, can access your reporting database in exactly the same manner. Install and configure any required database client software similarly on each machine, along with any ODBC DSNs that are required for your reports.

Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.


Scaling Your SystemGeneral scalability considerations7
General scalability considerations
This section provides information about system scalability and the BusinessObjects Enterprise servers that are responsible for particular aspects of your system. Each subsection focuses on one aspect of your system’s capacity, discusses the relevant components, and provides a number of ways in which you might modify your configuration accordingly.Before modifying these aspects of your system, it is strongly recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment.General scalability considerations include the following:• “Increasing overall system capacity” on page 146• “Increasing scheduled reporting capacity” on page 147• “Increasing on-demand viewing capacity for Crystal reports” on page 148• “Increasing prompting capacity” on page 149• “Enhancing custom web applications” on page 150• “Improving web response speeds” on page 150• “Getting the most from existing resources” on page 151

Increasing overall system capacityAs the number of report objects and users on your system increases, you can increase the overall system capacity by clustering two (or more) Central Management Servers (CMS). You can install multiple CMS services/daemons on the same machine. However, to provide server redundancy and fault-tolerance, you should ideally install each cluster member on its own machine.CMS clusters can improve overall system performance because every BusinessObjects Enterprise request results, at some point, in a server component querying the CMS for information that is stored in the CMS database. When you cluster two CMS machines, you instruct the new CMS to share in the task of maintaining and querying the CMS database.For more information, see “Clustering Central Management Servers” on page 87.


Scaling Your SystemGeneral scalability considerations 7

Increasing scheduled reporting capacityIncreasing Crystal reports processing capacityAll Crystal reports that are scheduled are eventually processed by a Job Server. You can expand BusinessObjects Enterprise by running individual Report Job Servers on multiple machines, or by running multiple Report Job Servers on a single multi-processor machine.If the majority of your reports are scheduled to run on a regular basis, there are several strategies you can adopt to maximize your system’s processing capacity:• Install the Job Server in close proximity to (but not on the same machine

as) the database server against which the reports run. Ensure also that the File Repository Servers are readily accessible to all Job Server (so they can read report objects from the Input FRS and write report instances to the Output FRS quickly). Depending upon your network configuration, these strategies may improve the processing speed of the Job Server, because there is less distance for data to travel over your corporate network.

• Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database server’s resources to group data, incorporating parameter fields, and so on. For more information, see the “Designing Optimized Web Reports” section in the Crystal Reports User’s Guide (version 8.5 and later).

• Use event-based scheduling to create dependencies between large or complex reports. For instance, if you run several very complex reports on a regular, nightly basis, you can use Schedule events to ensure that the reports are processed sequentially. This is a useful way of minimizing the processing load that your database server is subject to at any given point in time.

• If some reports are much larger or more complex than others, consider distributing the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Job Servers. Then, when you schedule recurrent reports, you can specify that it be processed by a particular server group to ensure that especially large reports are distributed evenly across resources.

• Increase the hardware resources that are available to a Job Server. If the Job Server is currently running on a machine along with other BusinessObjects Enterprise components, consider moving the Job



Server to a dedicated machine. If the new machine has multiple CPUs, you can install multiple Job Servers on the same machine (typically no more than one service/daemon per CPU).

Increasing Web Intelligence document processing capacityAll Web Intelligence documents that are scheduled are eventually processed by a Web Intelligence Job Server and Web Intelligence Report Server. You can expand BusinessObjects Enterprise by running individual Web Intelligence Report Servers on multiple machines, or by running multiple Web Intelligence Report Servers on a single multi-processor machine.When running multiple Web Intelligence Report Servers, you don’t need to duplicate the Web Intelligence Job Server. One Web Intelligence Job Server can be used to drive multiple Web Intelligence Report Servers. However, if you are working with server groups, a Web Intelligence Job Server must exist in the same group as the Web Intelligence Report Servers.Note: When deciding whether to increase the number Web Intelligence Report Servers, keep in mind that Web Intelligence Report Server processes both scheduling and viewing requests, whereas requests for Crystal reports are processed by three separate servers, the Report Job Server, the Cache Server and Page Server.

Increasing on-demand viewing capacity for Crystal reportsWhen you provide many users with View On Demand access to reports, you allow each user to view live report data by refreshing reports against your database server. For most requests, the Page Server retrieves the data and performs the report processing, and the Cache Server stores recently viewed report pages for possible reuse. However, if users use the Advanced DHTML viewer, the Report Application Server (RAS) processes the request.If your reporting requirements demand that users have continual access to the latest data, you can increase capacity in the following ways:• Increase the maximum allowed size of the cache. For details, see

“Modifying Cache Server performance settings” on page 103.• Verify the efficiency of your reports. When designing reports in Crystal

Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database server’s resources to group data, incorporating parameter fields, and so on. For more information, see the “Designing Optimized Web Reports” section in the Crystal Reports User’s Guide (version 8.5 and later).



• Increase the number of Page Servers that service requests on behalf of Cache Servers. You can do this by installing additional Page Servers on multiple machines. However, do not install more than one Page Server per machine. The Page Server has been re-designed to optimize the processing capability of a machine. It is therefore no longer recommended that you install multiple Page Servers on one machine.

• Increase the number of Page Servers, Cache Servers, and Report Application Servers on the system, and then distribute the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Cache Server/Page Server pairs along with one or more Report Application Servers. You can then specify individual reports that should always be processed by a particular server group.

Increasing prompting capacityWhen reports use a list of values, the RAS processes the list-of-values objects for the report when the report is being viewed. It does this regardless of whether the list-of-value object was scheduled or whether data needs to be retrieved from the data base. To avoid contention with other applications that use the RAS, you can add a RAS server that will be dedicated to processing list-of-value objects. In CMC you can then create a RAS server group and assign the dedicated RAS to the RAS server group. In Business View Manager, you then assign the list-of-values objects to be processed by the RAS server group.

Delegating XSL transformation to Internet ExplorerIf your users access InfoView via the Internet Explorer 6.0 browser, you can instruct the Web Intelligence Report Server to delegate the transformation of XML to XSL to the browser. This substantially decreases the load on the server, primarily during document display, but also during display of the portal itself.By default, the XSL transformation delegation is not activated.

To delegate XSL transformation to the browser for document display:1. On the application server, set the CLIENT_XSLT variable in

webiviewer.properties, located in the WEB-INF\classes subfolder of the application server as follows:CLIENT_XSLT=Y

2. Restart the application server.


Enhancing custom web applications
If you are developing your own custom desktops or administrative tools with the BusinessObjects Enterprise Software Development Kit (SDK), be sure to review the libraries and APIs. You can now, for instance, incorporate complete security and scheduling options into your own web applications. You can also modify server settings from within your own code in order to further integrate BusinessObjects Enterprise with your existing intranet tools and overall reporting environment.To improve the scalability of your system, consider distributing administrative efforts by developing web applications for delegated content administration. You can grant select users the ability to manage particular BusinessObjects Enterprise folders, content, users, and groups on behalf of their team, department, or regional office.In addition, be sure to check the developer documentation available on your BusinessObjects Enterprise product CD for performance tips and other scalability considerations. The query optimization section in particular provides some preliminary steps to ensuring that custom applications make efficient use of the query language.

Improving web response speedsBecause all user interaction with BusinessObjects Enterprise occurs over the Web, you may need to investigate a number of areas to determine exactly where you can improve web response speeds. These are some common aspects of your deployment that you should consider before deciding how to expand BusinessObjects Enterprise:• Assess your web server’s ability to serve the number of users who

connect regularly to BusinessObjects Enterprise. Use the administrative tools provided with your web server software (or with your operating system) to determine how well your web server performs. If the web server is indeed limiting web response speeds, consider increasing the web server’s hardware.

• If web response speeds are slowed only by report viewing activities, see “Increasing scheduled reporting capacity” on page 147 and “Increasing on-demand viewing capacity for Crystal reports” on page 148.

• Take into account the number of users who regularly access your system. If you are running a large deployment, ensure that you have set up a CMS cluster. For details, see “Increasing overall system capacity” on page 146.



If you find that a single application server inadequately services the number of scripting requests made by users who access your system on a regular basis, consider the following options:• Increase the hardware resources that are available to the application

server. If the application server is currently running on the web server, or on a single machine with other BusinessObjects Enterprise components, consider moving the application server to a dedicated machine. If the new machine has multiple CPUs, you can install multiple application servers on the same machine (typically no more than one per CPU).

• If you are using the default Windows installation of BusinessObjects Enterprise, set up two (or more) WCS machines to take advantage of the dynamic load balancing that is built into the Web Connector components. The Web Connector distributes the processing load evenly across WCS hosts: each new BusinessObjects Enterprise session is sent to the least used WCS. This also provides you with the benefits of being able to take one WCS machine offline for service, without bringing down the entire system.

• Consider setting up two (or more) application servers. Consult the documentation for your web application server for information on load-balancing, clustering, and scalability.Note: BusinessObjects Enterprise does not support the session-replication functionality provided by some Java web application servers.

Getting the most from existing resourcesOne of the most effective ways to improve the performance and scalability of your system is to ensure that you get the most from the resources that you allocate to BusinessObjects Enterprise.

Optimizing network speed and database efficiencyWhen thinking about the overall performance and scalability of BusinessObjects Enterprise, don’t forget that BusinessObjects Enterprise depends upon your existing IT infrastructure. BusinessObjects Enterprise uses your network for communication between servers and for communication between BusinessObjects Enterprise and client machines on your network. Make sure that your network has the bandwidth and speed necessary to provide BusinessObjects Enterprise users with acceptable levels of performance. Consult your network administrator for more information.



BusinessObjects Enterprise processes reports against your database servers. If your databases are not optimized for the reports you need to run, then the performance of BusinessObjects Enterprise may suffer. Consult your database administrator for more information.

Using the appropriate processing serverWhen users view a report using the Advanced DHTML viewer, the report is processed by the Report Application Server rather than the Page Server and Cache Server. The Report Application Server is optimized for report modification. For simple report viewing you can achieve better system performance if users select the DHTML viewer, the Active X viewer, or the Java viewer. These report viewers process reports against the Page Server.If the ability to modify reports is not needed at your site, you can disable the Advanced DHTML viewer for all users of BusinessObjects Enterprise.

Disabling the Advanced DHTML Viewer1. In the Central Management Console, select Business Objects

Applications.2. Select Web Desktop. 3. On the Properties tab, go to the Viewers area. Clear the option labeled

Allow users to use the Advanced DHTML Viewer.4. Click Update.

Optimizing BusinessObjects Enterprise for report viewingBusinessObjects Enterprise allows you to enable data sharing, which permits different users accessing the same report object to use the same data when viewing a report on demand or when refreshing a report. Enabling data sharing reduces the number of database calls, thereby reducing the time needed to provide report pages to subsequent users of the same report while greatly improving overall system performance under load. However, to get full value from data sharing, you must permit data to be reused for some period of time. This means that some users may see “old” data when they view a report on demand, or refresh a report instance that they are viewing. For details on data sharing options for reports, see “Setting report viewing options” on page 414. For more information on configuring BusinessObjects Enterprise to optimize report viewing in your system, see the planning chapter in the BusinessObjects Enterprise Installation Guide.


Scaling Your SystemAdding and deleting servers 7

Adding and deleting serversThis section shows how to add and delete servers from a machine that is already running BusinessObjects Enterprise components. It includes the following sections:• “Adding a server” on page 153• “Deleting a server” on page 155Tip: If you are adding new hardware to BusinessObjects Enterprise by installing server components on new, additional machines, run the BusinessObjects Enterprise installation and setup program from your product distribution. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that you want to install on the local machine. For details, see the BusinessObjects Enterprise Installation Guide.

Adding a serverThese steps add a new instance of a server to the local machine. You can run multiple instances of the same BusinessObjects Enterprise server on the same machine.

To add a Windows serverNote: To complete this procedure, you must log on as an Administrator of the local machine.1. Start the CCM on the BusinessObjects Enterprise machine upon which

you want to install a new server.2. On the toolbar, click Add Server.

The Add Business Objects Server Wizard displays its Welcome dialog box.3. Click Next.


Scaling Your SystemAdding and deleting servers7

The “Server Type and Display Name Configuration” dialog box appears.

4. Click the Server Type list and select the kind of server you want to add.5. Change the default Display Name field if you want a different name to

appear in the list of servers in the CCM.Note: The display name for each server on the local machine must be unique.

6. Change the default Server Name field if required.Each server on the system must have a unique name. The default naming convention is HOSTNAME.servertype (a number is appended if there is more than one server of the same type on the same host machine). This Server Name is displayed when you manage servers over the Web in the Central Management Console (CMC).When you add Input or Output File Repository Servers, the wizard always precedes the server name you type with an “Input.” or “Output.” prefix. So, if you add an Input FRS with the name SERVER02, the CCM actually names the server Input.SERVER02. This “Input.” prefix is required by the system. If you subsequently modify the server’s name through its command line, do not remove the prefix.

7. Click Next.The “Set Configuration for this server” dialog box appears. The contents of this dialog vary slightly, depending upon the type of server that you are installing.


Scaling Your SystemAdding and deleting servers 7

8. Type the name of the CMS that you want the server to communicate with.If your CMS is not listening on the default port (6400), include the appropriate port number, as in CMSname:port#

9. Click Next to accept any other default values, or modify them to suit your environment.Note: If port number options are displayed in this dialog box, do not modify them. Instead, change ports through each server’s command line. For details, see “Changing the default server port numbers” on page 124.

10. Confirm the summary information is correct; then click Finish.The new server appears in the list, but it is neither started nor enabled automatically.

11. Use the CCM (or the CMC) to start and then to enable the new server when you want it to begin responding to BusinessObjects Enterprise requests. For details, see “Viewing and changing the status of servers” on page 78.

Tip: Auditing in BusinessObjects Enterprise is enabled on a per server basis. If you add a new server to your BusinessObjects Enterprise installation you must enable auditing of actions on each new server. If you do not, the actions performed on the new server will not be audited. See “Enabling auditing of user and system actions” on page 196 for more information.

Deleting a server To delete a Windows server

1. Start the CCM on the BusinessObjects Enterprise machine that you want to delete a server from.

2. Stop the server that you want to delete from the system.3. With the server selected, click Delete Server on the toolbar.4. When prompted for confirmation, click Yes.


Scaling Your SystemAdding and deleting servers7


Managing BusinessObjects Enterprise Repository

chapter

Managing BusinessObjects Enterprise RepositoryBusinessObjects Enterprise Repository overview8
BusinessObjects Enterprise Repository overview
The BusinessObjects Enterprise Repository is a database in which you manage shared report elements such as text objects, bitmaps, custom functions, and custom SQL commands. When you save any Business View, it is also saved to the BusinessObjects Enterprise Repository. You can refresh a report’s repository objects with the latest version from your BusinessObjects Enterprise Repository when you publish reports to BusinessObjects Enterprise. Alternatively, you can refresh a report’s repository objects on demand over the Web. The BusinessObjects Enterprise Repository is now hosted by the Central Management Server (CMS) system database. Before publishing reports that reference repository objects, move your existing Crystal Repository to the Central Management Server database. See the rest of this chapter for details.

Copying data from one repository database to another

BusinessObjects Enterprise enables you to copy the contents of one repository database into another database. This procedure is also referred to as migrating a BusinessObjects Enterprise Repository database. You can migrate repository data from a different repository database (from version 10 of Crystal Reports, or version 10 of Crystal Enterprise) into your current CMS database. Or, you can migrate the repository data from your current CMS database into a different data source.Throughout this section, the source CMS database refers to the database that holds the data you are copying; this data is copied into the destination database.

Importing data from a Crystal Enterprise 10 or BusinessObjects Enterprise XI CMS

You may want to import repository objects from a Crystal Enterprise 10 installation, or you may want to import repository objects from one BusinessObjects Enterprise XI installation to another. For example, you may have repository data on a test system that you want to move onto a production server.


Managing BusinessObjects Enterprise RepositoryCopying data from one repository database to another 8

Use the Import Wizard to copy repository data from the source CMS. You can choose to merge the contents of the source repository into the destination repository, or you can update the destination with the contents of the source CMS.

Merging repositoriesWhen you merge the contents of the source repository with the destination repository, you add all repository objects from the source CMS into the destination CMS without overwriting objects in the destination. This is the safest import option. All of the objects in the destination repository are preserved. Also, at a minimum, all repository objects from the source system with a unique title are copied to the destination repository.If an object from the source has the same title as an object in the destination, the object is imported to the destination repository if:• The object is not a Business View.• You have selected “Automatically rename top-level folders that match

top-level folders on the destination system.”The end result is a destination repository that contains all objects from the source repository that have unique titles, copies of all non-Business View objects from the source repository that have titles that match titles of objects in the destination, and all objects originally in the destination repository. When an object is copied from the source CMS to the destination CMS, the folder or folders that contain the object are also copied, replicating the folder hierarchy of the source system on the destination. However, the names of top-level folders must be unique. Selecting “Automatically rename top-level folders that match top-level folders on the destination system” allows these folders to be renamed on the destination repository, and the objects in such folders to be copied to these renamed folders.Note: Top-level folders containing Business Views are not renamed, regardless of the options set. Renaming these folders would change the unique identifier associated with the Business View, causing the Business View functionality to fail.

Updating the destination repositoryWhen you update the contents of the destination repository using the source repository as a reference, you add all objects in the source CMS to the destination CMS. If an object in the source repository has the same unique identifier as an object in the destination, the object in the destination is overwritten.


Managing BusinessObjects Enterprise RepositoryCopying data from one repository database to another8

All object titles in a folder must be unique. By default, if copying an object from the source CMS to the destination CMS would result in more than one object in a folder with the same title, the copy fails.If you want these objects to be copied, select the check box “Automatically rename objects if an object with that title already exists in the destination folder.”Note: System Objects (users, user groups, servers, server groups, events, and calendars), are not renamed when you import them from one CMS to another, regardless of the options set. Changing the names of these objects would cause user management, server management, and event management for these objects to fail. See “Importing with the Import Wizard” on page 388 for full instructions on using the Import Wizard to copy objects from one BusinessObjects Enterprise XI repository to another.

Specifying the source and destination environmentsThis procedure shows how to specify a source environment and a destination environment using the initial screens of the Import Wizard.

To specify the source and destination environments1. From the BusinessObjects Enterprise program group, click Import

Wizard.2. Click Next.

The “Specify source environment” dialog box appears.3. In the Source list, select BusinessObjects Enterprise XI.4. In the CMS Name field, type the name of the source environment’s CMS

(Central Management Server).5. Type the User Name and Password that provide you with administrative

rights to the source environment.

6. Click Next.



The “Specify destination environment” dialog box appears.7. In the CMS Name field, type the name of the destination environment’s

Central Management Server.8. Type the User Name and Password of an Enterprise account that

provides you with administrative rights to the BusinessObjects Enterprise system; then click Next.

The “Choose objects to import” dialog box appears. Proceed to “Selecting information to import” on page 162.


Selecting information to import
This procedure shows how to select the users, groups, folders, and reports that you want to import. If you have not already started the Import Wizard, see “Specifying the source and destination environments” on page 160.

To choose which objects to import1. In the “Choose objects to import” dialog box, select the check box (or

boxes) corresponding to the information you want to import:• Import users and user groups

• Import inbox documents• Import personal categories• Import personal Web Intelligence documents• Import favorite folders for selected users• Import application rights

• Import corporate categories• Import corporate Web Intelligence documents• Import folders and objects

• Import discussions associated with the selected reports• Import events• Import server groups• Import repository objects• Import calendars• Import universes

2. Click Next.3. In the “Please choose an import scenario” dialog box, click one of the two

options:• “I want to merge the source system into the destination system.”

Select this option if you want to add objects from the source system to the destination system without overwriting objects in the destination. For more information on this option, see “Merging repositories” on page 159.



• “I want to update the destination system by using the source system as a reference.” Select this option if you want to add objects from the source system to the destination system, overwriting objects in the destination when they have the same unique identifier as those in the source. for more information on this option, see “Updating the destination repository” on page 159.

Click Next.4. If you chose “Import repository objects”, the Import Progress dialog box

now displays status information and creates an Import Summary while the Import Wizard completes its tasks.

5. If the Import Summary shows that some information was not imported successfully, click View Detail Log for a description of the problem. Otherwise, click Done.Note: The information that appears in the Detail Log is also written to a text file called ImportWiz.log, which you will find in the directory from which the Import Wizard was run. By default, this directory is: C:\Program Files\Business Objects\BusinessObjects

Enterprise 11\win32_x86\

The log file included a system-generated ID number, a title that describes the imported information, and a field that describes the action taken and the reason why.

Copying data from a Crystal Enterprise 9 repository database

In Crystal Enterprise 9, the Crystal Repository database was hosted on a separate database server that you could connect to through ODBC.In a BusinessObjects Enterprise environment, begin by making a backup copy of the source repository database. Then replace the repository by importing its contents into the CMS database using the Repository Migration Wizard.When you use the Repository Migration Wizard, neither the source nor the destination database is overwritten. Objects from the source repository will be added to the destination repository database. If the Wizard finds identical objects (that is, objects with the same unique identifier) in the source and destination repositories, the source objects will not be copied.When you copy repository objects into BusinessObjects Enterprise XI, only the most recent version of each object is copied.



Note: Reports configured to use the source repository will now refer to the destination data source.

To copy repository data from Crystal Enterprise 91. From the BusinessObjects Enterprise program group, click Repository

Migration Wizard. You must run the wizard on the machine containing your source repository.

2. From the Source list in the Select Source Repository dialog, click the name of the repository that you want to import.

3. Type the UserID and Password of a user with administrative rights to the repository database. Click Next.

4. The Select Destination Data Source dialog appears. In the CMS field, type the name of the destination data source’s Central Management Server.

5. Type the User Name and Password of an Enterprise account that provides you with administrative rights to the CMS; then click Next.

6. From the “Source Repository Objects” list, select the items that you want to copy to your BusinessObjects Enterprise repository database. Click Next. BusinessObjects Enterprise exports the selected repository objects from your BusinessObjects Enterprise Repository, reporting success or failure for each object.

7. Click Next, and then Finish to complete the transfer and close the Repository Migration Wizard.



Copying data from a Crystal Reports 9 repository databaseThe Crystal Repository shipped with Crystal Reports 9 was an Access database (Repository.mdb). By default, it was located in the following directory of your Crystal Reports installation: C:\Program Files\Common Files\Crystal Decisions\2.0\bin\

Begin by making a backup copy of this default database. Then replace the default repository by importing its contents into the CMS database using the Repository Migration Wizard.When you use the Repository Migration Wizard, neither the source nor the destination database is overwritten. Objects from the source repository will be added to the destination repository database. If the Wizard finds identical objects in the source and destination repositories, the source objects will not be copied.When you copy repository objects into BusinessObjects Enterprise XI, only the most recent version of each object is copied.Note: Reports configured to use the source repository will now refer to the destination data source.

To copy repository data from Crystal Reports 91. From the BusinessObjects Enterprise program group, click Repository

Migration Wizard. You must run the wizard on the machine containing your source repository.

2. From the Source list in the Select Source Repository dialog, click the name of the repository that you want to import.If you created security for your repository database, type a User id and Password valid for the repository database.

3. Click Next.4. Log on to the CMS using a user name with administrative rights to

BusinessObjects Enterprise.5. From the “Source Repository Objects” list, select the items that you want

to copy to your BusinessObjects Enterprise repository database. Click Next.


Managing BusinessObjects Enterprise RepositoryRefreshing repository objects in published reports8

6. Select the folder in your destination repository where objects from your source directory will be placed. • To add objects to a new folder, select “Insert a new folder”, and then

type the name of the folder.

• To delete an existing folder from your repository, select it, and then click “Delete the item/folder”.

7. Click Next. BusinessObjects Enterprise exports the selected repository objects from your Crystal Reports repository, reporting success or failure for each object.

8. Click Next, and then Finish to complete the transfer and close the Repository Migration Wizard.

Refreshing repository objects in published reports

As you update objects stored in your BusinessObjects Enterprise Repository, you will want to update the published Crystal reports that reference those repository objects. When you refresh a report in this way, the old repository objects stored in the report are replaced with the latest versions from the BusinessObjects Enterprise Repository.


Managing BusinessObjects Enterprise RepositoryRefreshing repository objects in published reports 8

Note: Although refreshing with the repository is faster, you can also refresh reports by setting options that compare reports to their original source .rpt files. For more information, see “Setting report refresh options” on page 412.Tip: If you use Crystal Reports to open reports directly from your BusinessObjects Enterprise folders, you can update repository objects at that time. You can also refresh repository objects when you publish reports. For details, see “Publishing Objects to BusinessObjects Enterprise” on page 359.

To refresh a published report’s repository objects1. Go to the Objects management area of the CMC.2. Click the link to the report you want to refresh.3. On the Properties tab, click the Refresh Options link.4. Verify that the Use Object Repository when refreshing report check

box is selected.Note: If the check box is cleared, select it now and click Update.

5. Click Refresh Report.Tip: Once you have enabled repository refresh for each report, you can refresh multiple reports simultaneously using the Report Repository Helper. The Report Repository Helper is available from Administrative Tools area in the BusinessObjects Enterprise Admin Launchpad.


Managing BusinessObjects Enterprise RepositoryRefreshing repository objects in published reports8


Working with Firewalls

chapter

Working with FirewallsFirewalls overview9
Firewalls overview
BusinessObjects Enterprise works with firewall systems to provide reporting across intranets and the Internet without compromising network security. This chapter provides general information about what a firewall is and types of firewalls: • “What is a firewall?” on page 170• “Firewall types” on page 171If you are already familiar with firewalls and the configuration used in your network, proceed directly to “Understanding firewall integration” on page 174.

What is a firewall?A firewall is a security system that protects one or more computers from unauthorized network access. A firewall restricts people to entering and leaving your network at a carefully controlled point. It also prevents attackers from getting close to your other defenses. Typically, a firewall protects a company’s intranet from being improperly accessed through the Internet. A firewall can enforce a security policy, log Internet activity, and be a focus for security decisions. A firewall can’t protect against malicious insiders or connections that don’t go through it. A firewall also can’t set itself up correctly or protect against completely new threats.To help explain how firewalls work, some basic networking terms are described here:• “TCP/IP and packets” on page 170• “Ports” on page 171If you are already familiar with these topics see “Understanding firewall integration” on page 174.

TCP/IP and packetsTCP/IP (Transmission Control Protocol/Internet Protocol) is the communications protocol used on the Internet. The units of data transmitted through a TCP/IP network are called packets. Packets are typically too small to contain all the data that is sent at any one time, so multiple packets are required, each containing a portion of the overall data. When data is sent by TCP/IP, the packets are constructed such that a layer for each protocol is wrapped around each packet.Typically, TCP/IP packets have the following layers:• Application layer (for example, FTP, telnet, and HTTP).


Working with FirewallsFirewalls overview 9

• Transport layer (TCP or UDP).• Internet layer (IP).• Network Access layer (for example, ethernet and ATM).At the application layer, the packet consists simply of the data to be transferred. As the packet moves through the layers, each layer adds a header to the packet, preserving the data from the previous level. These headers are used to determine the packet’s destination and to ensure that it arrives intact. When the packet reaches its destination, the process is reversed: the layers are sequentially removed until the transferred data is available to the destination application.

PortsPorts are logical connection points that a computer uses to send and receive packets. With TCP/IP, ports allow a client program to specify a particular server program on a computer in a network. High-level applications that use TCP/IP have ports with pre-assigned numbers. For instance, when you visit a typical HTTP site over the Web, you communicate with the web server on port 80, which is the pre-assigned port for HTTP communication.Other application processes are given port numbers dynamically for each connection. When a service or daemon initially is started, it binds to its designated port number. When any client program wants to use that server, it must also request to bind to the designated port number. Valid port numbers range from 0 to 65536, but ports 0 to 1024 are reserved for use by certain privileged services.

Firewall typesFirewalls primarily function using at least one of the following methods:• “Packet filtering” on page 172• “Network Address Translation” on page 172• “SOCKS proxy servers” on page 173BusinessObjects Enterprise works with these firewall types.Note: Business Objects will be moving away from supporting SOCKS proxy servers. As a result SOCKS proxy servers are still supported in BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a future release of BusinessObjects Enterprise. If you are using SOCKS proxy servers now, we recommend you switch to a different firewall method.


Working with FirewallsFirewalls overview9
Packet filtering
Packet filtering rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services. Packet filtering can reject packets based on the following:• The address the data is coming from.• The address the data is going to.• The session and application ports being used to transfer the data.• The data contained within the packet.Typically there are two types of packet filtering:• Stateful packet filters remember the state of connections at the network

and session layers by recording the established session information that passes through the filter gateway. The filter then uses that information to discriminate valid return packets from invalid connection attempts.

• Stateless packet filters do not retain information about connections in use; instead, they make determinations packet-by-packet based only on the information contained within the packet. Firewalls that employ packet filtering will work with BusinessObjects Enterprise.

Network Address TranslationNetwork Address Translation (NAT) converts private IP addresses in a private network to globally unique, public IP addresses for use external to that network. NAT is also called IP masquerading. The main purpose of NAT is to hide internal hosts.As outgoing packets are routed through the firewall, NAT hides internal hosts by converting their IP addresses to an external address. Once the translation is complete, the firewall sends the data payload on to its original destination; thus, NAT makes it appear that all traffic from your site comes from one (or more) external IP addresses. The firewall maintains a translation table to keep track of the address conversions that it has performed. When an incoming response arrives at the firewall, the firewall uses this translation table to determine which internal host should receive the response. Because this type of firewall essentially sends and receives data on behalf of internal hosts, NAT can also be described as a simple proxy.


Working with FirewallsFirewalls overview 9

There are two basic types of NAT:• Static translation (port forwarding) grants a specific internal host a fixed

translation that never changes. For example, if you run an email server inside a firewall, you can establish a static route through the firewall for that service.

• Dynamic translation (automatic, hide mode, or IP masquerade) shares a small group of external IP addresses amongst a large group of internal clients for the purpose of expanding the internal network address space. Because a translation entry does not exist until an internal client establishes a connection out through the firewall, external computers have no way to address an internal host that is protected using a dynamically translated IP address.Note: Some protocols do not function correctly when the port is changed. These protocols will not work through a dynamically translated connection.

BusinessObjects Enterprise and static translation NAT can be configured so that they work together.

SOCKS proxy serversNote: Business Objects will be moving away from supporting SOCKS proxy servers. As a result SOCKS proxy servers are still supported in BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a future release of BusinessObjects Enterprise. If you are using SOCKS proxy servers now, we recommend you switch to a different firewall method.SOCKS is a networking protocol that enables computers on one side of a SOCKS server to access computers on the other side of a SOCKS server without requiring a direct IP connection. A SOCKS server redirects connection requests from computers on one side of it to computers on the other side of it. A SOCKS server typically authenticates and authorizes requests, establishes a proxy connection, and relays data between the internal and external networks. BusinessObjects Enterprise supports and works with SOCKS servers.SOCKS servers work by listening for service requests from internal clients. When an external request is made, the SOCKS server sends the requests to the internal network as if the SOCKS server itself was the originating client. When the SOCKS server receives a response from the internal server, it returns that response to the original client as if it were the originating external server. This effectively hides the identity and the number of clients on the internal network from examination by anyone on the external network.


Working with FirewallsUnderstanding firewall integration9
Understanding firewall integration
This section gives a conceptual overview of internal communications between BusinessObjects Enterprise servers and the implications for firewall configuration. It also reviews the most common firewall scenarios. It includes:• “Communication between servers” on page 174• “Typical firewall scenarios” on page 176For detailed step-by-step instructions on how to configure your system to work in a firewalled environment, see “Configuring the system for firewalls” on page 178.

Communication between serversIt is helpful to understand the basics of internal communications between BusinessObjects Enterprise servers before configuring your BusinessObjects Enterprise system to work with firewalls. BusinessObjects Enterprise connections include:• “Communication between servers and the CMS directory listing service”

on page 174• “Communication between the application tier and CMS” on page 175Some examples also apply to communications between a BusinessObjects Enterprise server and the BusinessObjects Enterprise SDK (or other BusinessObjects Enterprise SDKs, such as the Report Application Server SDK or the Viewer SDK). Where applicable, these examples are indicated in the descriptions.

Communication between servers and the CMS directory listing serviceThe Central Management Server (CMS) manages a directory listing service for the application server and the servers in the Intelligence tier and the Processing tier. See “Architecture overview and diagram” on page 48 for a listing of these servers.When a BusinessObjects Enterprise server first connects to the BusinessObjects Enterprise framework, it registers its IP address and port number with the CMS. By default this port number is dynamically chosen.When one BusinessObjects Enterprise server needs to communicate with another, it contacts the directory listing service on the CMS to obtain the connection information. The first server then uses this information to communicate directly with the second server.


Working with FirewallsUnderstanding firewall integration 9

For example, before running a scheduled report, the Job Server must communicate with the Input File Repository Server (FRS) to obtain the report object. To do so:1. The Job Server contacts the CMS and requests connection information

for the Input FRS.2. The CMS replies to the Job Server with the IP address and port number

of the Input FRS.3. The Job Server uses this information to connect directly to the Input FRS.

All subsequent communications between the two servers continues using the same address and port.

Note: • This communication model is also used when a BusinessObjects

Enterprise SDK or the WCA communicates directly with a server in the Intelligence tier or the Processing tier.

• Communications between the CMS and the BusinessObjects Enterprise SDK and WCA follow another model. See “Communication between the application tier and CMS” on page 175.

• Using the -requestport command, you can configure any BusinessObjects Enterprise server to register a fixed port number with the CMS, rather than using one that is dynamically selected.

Communication between the application tier and CMSNot all BusinessObjects Enterprise components use the directory listing service on the CMS to make their initial connections with other elements of BusinessObjects Enterprise. The WSA contacts the CMS using a pre-defined address and port number. The CMS replies with its address and a second port number, which by default is selected dynamically. Subsequent communications continue using this address and second port number.You can use the -requestport command to configure the CMS to reply with a fixed port number for subsequent communications, rather than one that is dynamically selected. Using the -port option, you can also customize the CMS to listen on a specific port for initial communications, rather than using the pre-defined default value (port 6400 for the CMS).Note: • Before changing the default port numbers, see “Changing the default

server port numbers” on page 124 for additional configuration information.


Working with FirewallsUnderstanding firewall integration9

• You may also change the default port that the CMS uses to listen for initial communications from the Configuration tab of the Properties dialog in the Central Configuration Manager.

Firewall configuration overviewBy default BusinessObjects Enterprise uses dynamically chosen port numbers for communications between components. You must change this default when you place a stateful firewall that uses packet filtering or Network Address Translation (NAT) between BusinessObjects Enterprise components because these firewalls provide protection by permitting communications from outside the firewall with only specified addresses and ports inside the firewall. To enable BusinessObjects Enterprise to communicate across such a firewall, you must:1. Configure its components to use fixed addresses and ports.2. Configure your firewall to allow communications to the services behind

the firewall using these addresses and ports. The process is similar when you configure your BusinessObjects Enterprise system to communicate across SOCKS proxy filters. But BusinessObjects Enterprise provides direct support for SOCKS proxy filters, so you need only configure each component to be aware of the location and type of the proxies that they communicate with.Note: When this section mentions firewalling different BusinessObjects Enterprise components, it assumes that the components reside on separate computers. If the components reside on the same computer, their communication is uninterrupted by firewalls, and no additional configuration is required.

Typical firewall scenariosIf all users of your BusinessObjects Enterprise system are on your internal network, there is no need to perform any special configuration of your firewalls or of BusinessObjects Enterprise. Simply place all BusinessObjects Enterprise components on computers inside your firewall.However, if you need to provide access to BusinessObjects Enterprise to external users, you must consider where to place each BusinessObjects Enterprise component, and how to configure both BusinessObjects Enterprise and your firewalls in order to provide this access.This section outlines the following common firewall scenarios:• “Application tier separated from the CMS by a firewall” on page 177• “Thick client separated from the CMS by a firewall” on page 177


Working with FirewallsUnderstanding firewall integration 9

These scenarios are general cases: once you understand the firewalling issues involved, you should be able to support BusinessObjects Enterprise in wide variety of contexts.

Application tier separated from the CMS by a firewallIn most cases, clients access protected information through a web server running in a Demilitarized Zone (DMZ). A DMZ is a network area that is neither part of the internal network nor directly part of the Internet. Typically, the DMZ is set up between two firewalls: an outer firewall and an inner firewall.You may chose to place your application server in the DMZ, while placing the CMS and all other BusinessObjects Enterprise servers on the internal network. BusinessObjects Enterprise requires that the CMS and the remaining server components are not separated from one another by firewalls. Note: Placing your application server in the DMZ is less secure than placing it on your internal network. For maximum security, you may prefer to place your BusinessObjects Enterprise application server on your internal network.For more information, see:• “Configuring NAT when application tier is separated from the CMS” on

page 178• “Configuring packet filtering when application tier is separated from CMS”

on page 182• “Configuring for SOCKS servers” on page 184

Thick client separated from the CMS by a firewallYou can publish reports or analytic objects to BusinessObjects Enterprise by saving these objects to BusinessObjects Enterprise from within Crystal Reports or OLAP Intelligence, or by using the Import Wizard or Publishing Wizard. However, the thick clients communicate directly with the CMS. This means that if there is a firewall between the computer running one of these thick clients and the CMS, this operation fails. You must configure your CMS, your File Repository Servers, and your firewall if you want to support this network configuration.For more information, see:• “Configuring NAT when thick client is separated from the CMS” on

page 181• “Configuring packet filtering when thick client is separated from the CMS”

on page 184


Working with FirewallsConfiguring the system for firewalls9
Configuring the system for firewalls
This section gives practical step-by-step instructions for configuring your BusinessObjects Enterprise system to work in a firewalled environment. It includes:• “Configuring for Network Address Translation” on page 178• “Configuring for packet filtering” on page 182• “Configuring for SOCKS servers” on page 184For a conceptual overview of communications between BusinessObjects Enterprise components and of supported firewall configurations, see “Understanding firewall integration” on page 174.Note: If you have multiple BusinessObjects Enterprise servers of a given type, the overall procedure for configuring your system to work with firewalls will not change. Configure each server as described in the section that describes your firewall environment, and then specify a firewall rule for the server.

Configuring for Network Address TranslationIf you use Network Address Translation (NAT) only on the outer firewall of the DMZ, then no special configuration is required for BusinessObjects Enterprise to communicate properly. However, if you separate BusinessObjects Enterprise components using NAT, you need to configure these components to communicate properly through the firewall.Note: You can configure BusinessObjects Enterprise to communicate properly across NAT firewalls that use static IP translation; however, BusinessObjects Enterprise cannot communicate across a firewall whose IP translation is dynamic.Depending on your system configuring, configuring for Network Address Translation can include one or both of the following tasks:• “Configuring NAT when application tier is separated from the CMS” on

page 178• “Configuring NAT when thick client is separated from the CMS” on

page 181

Configuring NAT when application tier is separated from the CMSIf the application server is separated from the CMS and other BusinessObjects Enterprise servers by NAT, you must ensure that whenever a BusinessObjects Enterprise server passes an address across the firewall to the application server, it passes a fully qualified domain name (FQDN) that is routable by the firewall.


Working with FirewallsConfiguring the system for firewalls 9

PortsThe application server must be able to communicate with every BusinessObjects Enterprise server behind the firewall. Therefore, you must open a port on the firewall for each server. The application server must be a Tomcat or IIS server.Configuring BusinessObjects Enterprise for Network Address Translation when the application tier is separated from the CMS by a firewall includes:• “Configuring the CMS” on page 179• “Configuring the BusinessObjects Enterprise servers” on page 179• “Configuring the hosts files” on page 180• “Specifying firewall rules for NAT” on page 180

Configuring the CMS To configure the CMS on Windows

1. Start the CCM.2. Stop the Central Management Server.3. On the toolbar, click Properties.4. In the Command box, add the following option:

-port FQDN:6400 -requestport portnumFor the -port command, replace FQDN with the fully qualified domain name of the machine that is running the CMS. This machine must be routable from the application server.For the -requestport command, substitute any valid free port number for portnum.Tip: If you want to customize the CMS so that it listens on a port other than the default, substitute your new port number for the default value of 6400. If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see “Changing the default server port numbers” on page 124.

5. Click OK to return to the CCM.6. Start the Central Management Server.

Configuring the BusinessObjects Enterprise servers To configure BusinessObjects Enterprise servers on Windows

1. Start the CCM.2. Stop the server.3. On the toolbar, click Properties.



4. In the Command box, add the following option:-port FQDN -requestport portnumFor the -port command, replace FQDN with the fully qualified domain name of the machine that is running the server. This machine must be routable from the application server.For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number.

5. Click OK to return to the CCM.6. Start the server.7. Repeat for each BusinessObjects Enterprise server.

Configuring the hosts filesOn each machine running a BusinessObjects Enterprise server, you must configure the hosts file so that the server can map the FQDN it receives from the Central Management Server (CMS) to an internally routable IP address. This is necessary to enable communication between servers inside the firewall.

To configure the hosts files on Windows1. Open the hosts file using a text editor like Notepad. The hosts file is

located at \WINNT\system32\drivers\etc\hosts.2. Follow the instructions in the hosts file to add an entry for each machine

behind the firewall that is running a BusinessObjects Enterprise server or servers. Use the internally routable IP address of the machine and its externally routable fully qualified domain name.

3. Save the hosts file.

Specifying firewall rules for NATWhen there is a firewall between the application server and the rest of the BusinessObjects Enterprise servers you need to specify the inbound access rules and one outbound rule. The outbound rule is needed because the application server may register listeners with any of the BusinessObjects Enterprise serversFor details of how to specify these rules, consult your firewall documentation. For details about the rules see:• “Inbound Rules” on page 181• “Outbound Rules” on page 181



The fixed port numbers specified in the chart are the port numbers you specify for servers using -requestport. See “Configuring the CMS” on page 179, and “Configuring the BusinessObjects Enterprise servers” on page 179 for details.

Inbound Rules

Note: There must be one inbound firewall rule for each BusinessObjects Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number.

Outbound Rules

This outbound rule is needed because the application server may register listeners on servers behind the firewall. These listeners may initiate communication with the application server.

Configuring NAT when thick client is separated from the CMSYou can publish reports or analytic objects to BusinessObjects Enterprise by saving these objects to BusinessObjects Enterprise from within Crystal Reports or OLAP Intelligence, or by using the Import or Publishing Wizards. However, if there is a firewall between the computer running one of these thick clients and the Central Management Server (CMS), this operation fails. Configuring your BusinessObjects Enterprise system to support this configuration when the firewall uses Network Address Translation (NAT) is very similar to configuring your system to support a NAT firewall between the application tier and the Central Management Server.

Source Computer Port Destination Computer Port Action

Application server Any CMS 6400 Allow Application server Any CMS fixed Allow Application server Any Other BusinessObjects

Enterprise serverfixed Allow

Any Any CMS Any RejectAny Any Other BusinessObjects

Enterprise ServerAny Reject


Machines hosting BusinessObjects Enterprise server

Any Application server Any Allow



For full instructions, follow the detailed steps in “Configuring NAT when application tier is separated from the CMS” on page 178 but:• Configure only the Central Management Server and the Input File

Repository Server. • Establish inbound firewall rules for communication between the Crystal

Reports or OLAP Intelligence machine and the CMS and Input File Repository Server. You do not need to establish an outbound firewall rule.

Configuring for packet filteringIf you use packet filtering only on the outer firewall of the DMZ, then no special configuration is required for BusinessObjects Enterprise to communicate properly. However, if you separate BusinessObjects Enterprise components using packet filtering, you need to configure them to communicate properly through the firewall.This section includes:• “Configuring packet filtering when application tier is separated from CMS”

on page 182• “Configuring packet filtering when thick client is separated from the CMS”

on page 184.

Configuring packet filtering when application tier is separated from CMSIf your firewall performs packet filtering, you must configure the CMS and every BusinessObjects Enterprise server inside the inner firewall to respond to communications from the application server on a fixed port. This includes:• “Configuring the BusinessObjects Enterprise servers” on page 182• “Specifying firewall rules for packet filtering” on page 183

Configuring the BusinessObjects Enterprise servers To configure BusinessObjects Enterprise servers on Windows

1. Start the CCM.2. Stop the first server.3. On the toolbar, click Properties.4. In the Command box, add the following option:

-requestport portnum

For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number.



Tip: If you want to customize the CMS so that it listens on a port other than the default, also add -port cmsport to the command line, where cmsport is the new port number for the default value of 6400. For example:-port cmsport -requestport portnum

If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see “Changing the default server port numbers” on page 124.

5. Click OK to return to the CCM.6. Start the server.7. Repeat for each BusinessObjects Enterprise server behind the firewall.

Specifying firewall rules for packet filteringWhen there is a firewall between the application server and the rest of the BusinessObjects Enterprise servers you need to specify the inbound access rules and one outbound rule. The outbound rule is needed because the application server may register listeners with any of the BusinessObjects Enterprise servers.For details of how to specify these rules, consult your firewall documentation. For details about the rules see:• “Inbound Rules” on page 183• “Outbound Rules” on page 184The fixed port numbers specified in the chart are the port numbers you specify for the CMS and other BusinessObjects Enterprise servers using -requestport.

Inbound Rules

Note: There must be an inbound firewall rule for each BusinessObjects Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number.


Application server Any CMS 6400 AllowApplication server Any CMS fixed AllowApplication server Any Other BusinessObjects

Enterprise serverfixed Allow

Any Any CMS Any RejectAny Any Other BusinessObjects

Enterprise serversAny Reject



Outbound Rules

This outbound rule is needed because the application server may register listeners on servers behind the firewall. These listeners may initiate communication with the application server.

Configuring packet filtering when thick client is separated from the CMSYou can publish reports or analytic objects to BusinessObjects Enterprise by saving these objects to BusinessObjects Enterprise from within Crystal Reports or OLAP Intelligence, or by using the Import or Publishing Wizards. However, if there is a firewall between the computer running one of these thick clients and the CMS, this operation fails. Configuring your BusinessObjects Enterprise system to support this configuration when the firewall uses packet filtering is very similar to configuring your system to support a packet filtering firewall between the application tier and the Central Management Server (CMS). For full instructions, follow the detailed steps in “Configuring packet filtering when application tier is separated from CMS” on page 182 but:• Configure only the Central Management Server and the Input File

Repository Server to use fixed port numbers for communication.• Establish inbound firewall rules for communication between the Crystal

Reports or OLAP Intelligence machine and the CMS and Input File Repository Server. You do not need to establish an outbound firewall rule.

Configuring for SOCKS serversNote: Business Objects will be moving away from supporting SOCKS proxy servers. As a result SOCKS proxy servers are still supported in BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a future release of BusinessObjects Enterprise. If you are using SOCKS proxy servers now, we recommend you switch to a different firewall method.BusinessObjects Enterprise provides direct support for SOCKS proxy server firewalls on Windows installations that use the BusinessObjects Enterprise .NET SDK.


Machines hosting BusinessObjects Enterprise server

Any Application server Any Allow



There is limited support of SOCKS for the UNIX installation of BusinessObjects Enterprise, or for a Windows installation that uses the BusinessObjects Enterprise Java SDK. You can configure the Web Component Adapter to communicate through a SOCKS server, but the Java SDK has no support for SOCKS. Therefore you may be able to configure your system to support a custom CSP application and SOCKS, but you cannot use JSP pages through a SOCKS firewall.Note: The EBUS layer of the Java SDK does not support communications using the SOCKs protocol. The means that applications written using the Java SDK cannot be on the outside of a firewall from any components that must be accessed, if the only means of traversing the firewall is using the SOCKs protocol. Therefore only perform the test cases that utilize socks when using IIS on a windows deploymentThis list describes when to use the procedures that are provided in the remainder of this section:• Configuring the CMS for SOCKS Servers

Complete these steps if one or more SOCKS servers separate the WCA from the CMS.

• Configuring the WCA for SOCKS serversWhen configuring your WCA for SOCKS, complete these steps regardless of the location of your SOCKS server(s).

BusinessObjects Enterprise requires that the CMS and the remaining server components are not separated from one another by firewalls. The remaining server components automatically obtain their SOCKS configuration from the CMS, as required, so you don’t need to configure them separately.

Configuring the CMS for SOCKS ServersComplete these steps if one or more SOCKS servers separate the application server from the CMS. The remaining BusinessObjects Enterprise servers automatically obtain their SOCKS configuration from the CMS, as required, so you don’t need to configure them separately.

To configure the CMS on Windows1. Start the CCM.2. Stop all of the Business Objects servers, including the Central

Management Server.3. Select the CMS and, on the toolbar, click Properties.4. On the Connection tab, click Add.5. In the SOCKS Proxy dialog box, type the Server Name or IP Address of

your SOCKS server.



6. In the Server Port field, type the number of the port that the SOCKS server is listening on.

7. Select the SOCKS version that you are running (Ver 4 or Ver 5).If you are using version 5 and you would like to secure access to the server, select the authentication check box, and then enter your user name and password.

8. Click OK.If you have more than one SOCKS server, repeat steps 4 to 8 for each additional server. Then click Up and Down to order the SOCKS servers from the outermost (closest to the application server or Web Component Server) to the innermost (closest to the CMS).

9. Click OK in all three dialog boxes to return to the CCM.10. Start the BusinessObjects Enterprise server components.

Configuring the WCA for SOCKS serversComplete these steps if one or more SOCKS servers separates the Web Component Adapter (WCA) from the Central Management Server (CMS). These steps provide the WCA with the required information about each SOCKS server, in order, from the outermost to the innermost.The outermost SOCKS server is the one closest to the web server. The innermost SOCKS server is the last SOCKS server that the WCA communicates with before the CMS.

To configure the WCA on Windows1. Add the SOCKS information to the WCA. Edit the web.xml deployment

descriptor file associated with the webcompadapter.war to insert a SOCKS URI (universal resource identifier). This URI tells your WCA how to contact the CMS through your SOCKS server(s).See “Configuring the Web Component Adapter” on page 84 for details on editing web.xml.

2. Edit the file C:\Inetpub\wwwroot\Web.config. a. Go to the line: <add key=”connection.socksUri” value-“*”/>b. Add the following SOCKS server information:

*Socks://Version;User:Password@SOCKSserver:Port/CMSmachine:Port

c. Save the file.3. Configure the BusinessObjects Enterprise server:

a. Start the CCM.



b. Stop the CMS.c. Double-click the CMS. The Properties dialog box appears.d. Click Configuration tab.e. Enter the SOCKS information.f. Start the server again.g. Repeat step 3 for all the BusinessObjects Enterprise server.


Managing Auditing

chapter

Managing AuditingAuditing overview10
Auditing overview
Auditing allows you to monitor and record key facts about your BusinessObjects Enterprise system. Having information about who is using your system and which objects they are accessing allows you to answer system-level questions like “which groups within the company use our BusinessObjects Enterprise system the most?” or “how many concurrent user licenses are we using at any given time?” Auditing also allows you to better administer individual user accounts and reports by giving you more insight into what actions users are taking and which reports they are accessing. This information lets you be more proactive in managing the operation and deployment of your BusinessObjects Enterprise system, while helping you better evaluate the value that BusinessObjects Enterprise provides to your organization.

How does auditing work?The Central Management Server (CMS) acts as the system auditor, while each BusinessObjects Enterprise server that controls actions that you can monitor is an auditee. To audit an action in BusinessObjects Enterprise, you must first determine which server controls that action. Then you must enable auditing of that action in the Servers management area of the Central Management Console. As the auditee, the BusinessObjects Enterprise server will then begin to record these audit actions in a local log file.As the auditor, the CMS controls the overall audit process. Each server writes audit records to a log file local to the server. At regular intervals the CMS communicates with the auditee servers to request copies of records from the auditee’s local log files. When the CMS receives these records it writes data from the log files to the central auditing database.The CMS also controls the synchronization of audit actions that occur on different machines. Each auditee provides a time stamp for the audit actions that it records in its log file. To ensure that the time stamps of actions on different servers are consistent, the CMS periodically broadcasts its system time to the auditees. The auditees then compare this time to their internal clocks. If differences exist, they make a correction to the time stamp they record in their log files for subsequent audit actions.Once the data is in the auditing database you can run pre-configured reports against the database or design custom reports to suit your own needs.


Managing AuditingAuditing overview 10

Note: • You must configure the auditing database on the CMS before you can

begin to audit. See “Configuring the auditing database” on page 195.• The CMS acts as both an auditor and as an auditee when you configure it

to audit an action that the CMS itself controls.• In a CMS cluster, the cluster will nominate one CMS to act as system

auditor. If the machine that is running this CMS fails, another CMS from the cluster will take over and begin acting as auditor.

Which actions can I audit?You can use auditing to track the actions of individual users of BusinessObjects Enterprise as they log in and out of the system, access data, or create file-based events. You can also monitor system actions like the success or failure of scheduled objects. (For a complete list of auditable actions, see “Reference list of auditable actions” on page 191). For each action, BusinessObjects Enterprise records the time of the action, the name and user group of the user who initiated the action, the server where it was performed, and a variety of other parameters more fully documented in “Auditing database schema reference” on page 203.Once you have collected this data, you can use a custom or pre-configured report to view the raw data, or to answer more complex queries such as “how many concurrent licenses are we using at a given time?”. See “Using sample audit reports” on page 199 or “Creating custom audit reports” on page 202 for more information.

Reference list of auditable actionsThis list contains a complete list of the audit actions you can enable in BusinessObjects Enterprise. It is organized according to the types of actions that you can audit, to help you find the server where you enable auditing of these actions. For step by step instructions on how to enable audit actions, see “Enabling auditing of user and system actions” on page 196.For more information about the actions that are audited, and the data that is recorded for each audit action, see the “Auditing database schema reference” on page 203.



User Actions

Actions BusinessObjects Enterprise Server

Folders A folder is created. CMSA folder is deleted.A folder is modified.(The name, location, or description of a folder is modified.)

Crystal reports

A report has been viewed successfully. Cache ServerA report could not be viewed.A report is opened successfully using:• the Advanced DHTML viewer.• a custom application that uses RAS SDK.

RAS

A report fails to open.A report has been created successfully using:• a custom application that uses the RAS SDK.A report fails to be created. A report is saved successfully (using a custom application based on the RAS SDK).A report fails to save using a custom application based on the RAS API.

Web Intelligence documents

Get list of universes.• A user has begun creating a new Web Intelligence

document, which triggers a request to the server for the list of available universes.

Web Intelligence Report Server

Save document to repository.• A user has saved a Web Intelligence document within

BusinessObjects Enterprise.Read Document.• User opens an existing Web Intelligence document.Selection of universe.• A user has selected a universe as they create a new

Web Intelligence document, or as they edit an existing Web Intelligence document.


Managing AuditingAuditing overview 10

Web Intelligence documents

Refresh document.• User manually refreshes a Web Intelligence

document, or the user opens a Web Intelligence document that is set to “refresh on open”.

Web Intelligence Report Server

Edit document.• User enters “Edit document” mode for an existing

Web Intelligence document.Apply format.• User applies a formatting change to an existing Web

Intelligence document in a query panel.Get page.• Server renders the pages of a Web Intelligence

document in response to a user request to display all or part of a document.

Generate SQL.• Server generates an SQL query in response to a user

action that requires data to be retrieved from a database.

Drill out of scope.• User drills past the scope of the data currently in

memory, and triggers a call to the database for more data.

List of values.• A list of values is retrieved from the database to

populate a picklist associated with a prompt used to filter the data in a document.

Users A concurrent user logon succeeds. CMSA named user logon succeeds.A user logon fails.A user’s password is changed.User logs off.

Send an object to a destination

A job has been run successfully.(A user has successfully sent an object to a destination.)

Destination Job Server

A job has failed to run.(An object has failed to be sent to a destination.)A job failed but will try to run again.




System Actions

File-based events

An event is registered.(Event is created, and registered with system)

Event Server

An event is updated. (The name, description, or filename of an event is modified.) An event is unregistered.(Event is removed from system.)



Scheduled objects

A job has been run successfully.For example, a scheduled Crystal report has run successfully.

Job Servers

A job has failed to run.For example, a scheduled Crystal report has failed to run.Tip: To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of “A job has failed to run” on the Job Server, and “Communication with a running instance is lost.” on the Central Management Server.A job failed but will try to run again. Communication with a running instance is lost.For example, a scheduled Crystal report has failed to run because communication with the instance was lost, and the scheduled time for running the report expired.Note: You do not need to enable this option to audit every failure of a scheduled Web Intelligence document.

CMS

File-based events

An event is triggered. Event Server


Managing AuditingConfiguring the auditing database 10

Configuring the auditing databaseBefore you audit actions within BusinessObjects Enterprise, you must configure your Central Management Server to connect to an auditing database. You can use any database server supported for the CMS system database for your auditing database. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements.It is recommended that you develop a back up strategy for your auditing database. If necessary, contact your database administrator for more information.Note: • The CMS system database and the auditing database are independent. If

you choose, you can use different database software for the CMS system database and the auditing database, or you can install these databases on separate servers.

• If you have a CMS cluster, every CMS in the cluster must be connected to the same auditing database, using the same connection method and the same connection name. Note that connection names are case sensitive. (See “Installing a new CMS and adding it to a cluster” on page 89 for more information on CMS clusters.)

To configure the auditing database on Windows1. Start the Central Configuration Manager (CCM).2. Stop the CMS.3. Click Specify Auditing Data Source.4. In the Select Database Driver dialog box, specify whether you want to

connect to the new database through SQL Server (ODBC), or through one of the native drivers.

5. Click OK.6. The remaining steps depend upon the connection type you selected:

• If you selected ODBC, the Windows “Select Data Source” dialog box appears. Select the ODBC data source that you want to use as the auditing database; then click OK. (Click New to configure a new DSN.) Use a System DSN, and not a User DSN or File DSN. By default, server services are configured to run under the System account, which only recognizes System DSNs. When prompted, provide your database credentials and click OK.


Managing AuditingEnabling auditing of user and system actions10

• If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK.

The SvcMgr dialog box notifies you when the auditing database setup is complete.

7. Click OK.8. Start the CMS. When the CMS starts, it will create the auditing database.Note: You can also configure the auditing database using the Properties option for the CMS. Stop the CMS, select Properties, and then go to the Configuration tab. Select “Write server audit information to specified data source”, and then click Specify.

Enabling auditing of user and system actionsTo audit an action in BusinessObjects Enterprise you must first determine which BusinessObjects Enterprise server controls the action. Then you must enable auditing on the server from the Servers management area of the Central Management Console (CMC).If you have multiple BusinessObjects Enterprise servers of a given type, be sure to enable identical audit actions on every server. Doing so ensures that you collect information on all user or system actions in your BusinessObjects Enterprise system. For example, if you are interested in the total number of concurrent user logons, enable auditing of concurrent user logons on each of your Central Management Servers. If you enable auditing on only one Central Management Server, you will only collect audit information about actions that occur on that server.In some special cases you may wish to enable auditing on only one server of a given type. For example, if you are interested in the success or failure of only one kind of scheduled report and you have configured your system so that these reports are processed on one particular Job Server, it is not necessary to enable auditing on every Job Server in your system. You only need to enable auditing on the Job Server where the reports are processed. Note: You must configure the auditing database before you can collect data on audit actions. See “Configuring the auditing database” on page 195 for instructions.

To enable audit actions 1. Go to the organize Servers area of the CMC.2. Click the server that controls the action that you wish to audit.


Managing AuditingEnabling auditing of user and system actions 10

(See the “Reference list of auditable actions” on page 191 to find the correct server.)

3. Click the Auditing tab.

4. Select the Auditing is enabled check box.5. Select the audit actions that you wish to record.6. Ensure that your audit log file is located on a hard drive that has sufficient

space to store the log files. (See “Optimizing system performance while auditing” on page 198 for information on adjusting the size of log files.)

7. Click Update.Tip: • To audit every failure of a scheduled Crystal report, a scheduled program,

or a scheduled List of Values, enable auditing of “A job has failed to run” on the Job Server, and “Communication with a running instance is lost.” on the Central Management Server.

• Auditing is enabled independently on each server. If you want to audit all actions of a given type, enable identical audit actions on every server that supports those actions. Otherwise your audit record will be incomplete. For example, if you want to track the total number of concurrent logons to your BusinessObjects Enterprise system, you must enable logging of concurrent logons on every Central Management Server in your system.


Managing AuditingControlling synchronization of audit actions10
Controlling synchronization of audit actions
The CMS controls the synchronization of audit actions that occur on different machines. The CMS periodically broadcasts its system time to the auditees in UTC (Coordinated Universal Time). The auditees compare this time to their internal clocks, and then make the appropriate correction to the time stamp (in UTC) they record for subsequent audit actions. This correction affects only the time stamp that the auditee records in its audit log file. The auditee does not adjust the system time of the machine on which it is running.By default, the CMS broadcasts its system time every 60 minutes. You can change the interval using the command-line option-AuditeeTimeSyncInterval minutes

You can turn off this option by setting minutes to zero. For more information, see “Central Management Server” on page 570 in “Server Command Lines” on page 567. This built-in method of time synchronization will be accurate enough for most applications. For more accurate and robust time synchronization, configure the auditee and auditor machines to use an NTP (Network Time Protocol) client, and then turn off internal synchronization by setting -AuditeeTimeSyncInterval 0

Tip: If you have a CMS cluster, apply the same command-line options to each server. Only one CMS in the cluster acts as the auditor. However, if this CMS fails, another CMS takes over auditing. This CMS will apply its own command-line options. If these options are different than those of the original auditor, audit behavior may not be what you expect.

Optimizing system performance while auditing

Enabling auditing should have minimal effect on the performance of BusinessObjects Enterprise. However, you can optimize system performance by fine-tuning these command-line options:

• -AuditInterval minutes, where minutes is between 1 and 15. (The default value is 5.) The CMS requests audit records from each audited server every audit interval.

• -AuditBatchSize number, where number is between 50 and 500. (The default value is 200.) The CMS requests this fixed number of records from each audited server, every time interval.


Managing AuditingUsing sample audit reports 10

• -auditMaxEventsPerFile number (number has a default value of 500 and must be greater than 0). The maximum number of records that an audited server will store in a single audit log file. When this maximum value is exceeded, the server opens a new log file.

Note: Log files remain on the audited server until all records have been requested by the CMS.Changing each of these options has a different impact on system performance. For example, increasing the audit interval reduces frequency with which the CMS writes events to the auditing database. Decreasing the audit batch size decreases the rate at which records are moved from the audit log files on the audited servers to the auditing database, thereby increasing the length of time that it takes these records to get transferred to the central auditing database. Increasing the maximum number of audit events stored in each audit log file reduces the number of file open and close operations performed by audited servers. You can use these options to optimize audit performance to meet your needs. For example, if you frequently need up-to-date information about audited actions, you can choose a short audit interval and a large audit batch size. In this case, all audit records are quickly transferred to the auditing database, and you can always report accurately on the latest audit actions. However, choosing these options may have an impact on the performance of BusinessObjects Enterprise.Alternatively, you may only need to review audit results periodically (weekly, for example). In this case you can choose to increase the audit interval, and to decrease the number of audit records in each batch. Choosing these options minimizes the impact that auditing has on the performance of BusinessObjects Enterprise. However, depending upon activity levels in your system, these options can create a backlog of records stored in audit log files. This backlog is cleared at times of low system activity (such as overnight, or over a weekend), but means that at times your audit reports may not contain records of the most recent audit actions.For more information on changing command-line options, see “Server Command Lines” on page 567.

Using sample audit reportsBusinessObjects Enterprise ships with several sample audit reports created using Crystal Reports. They are available on your product CD.To use these sample reports, first publish them to BusinessObjects Enterprise. Next configure an auditing database, and then enable auditing of the user and server actions needed to provide data for the sample reports.


Managing AuditingUsing sample audit reports10

Finally, ensure that the sample reports are configured to use database connection information valid for your auditing database. You can now use the sample reports to view auditing data collected about user and system actions on your installation of BusinessObjects Enterprise.Note: If you have recently enabled auditing, the sample audit reports may contain little or no data the first time you view them.

To use sample audit reports1. Create a folder called “admin reports” inside the Report Samples folder to

hold the sample auditing reports.Note: To create this folder, go to the Folders management area of the Central Management Console (CMC). Click Report Samples, and then click New Folder.

2. Publish the sample audit reports to the “admin reports” folder within BusinessObjects Enterprise. (The sample audit reports are in Samples > Reports > AdminReports on your product CD.) For more information about publishing, see “Publishing Objects to BusinessObjects Enterprise” on page 359.

3. If you have not already configured your auditing database, do so now. See “Configuring the auditing database” on page 195 for instructions.The sample audit reports were created using a ODBC connection to a database server named AuditData (that is, the DSN was AuditData), and a database called AuditData. You can create an auditing database that uses these names, or you can use a database server name and database name of your choice.

4. Go to the Servers management area of the CMC. Enable auditing of the actions that are included in the sample audit report. See “Enabling auditing of user and system actions” on page 196 for instructions.Note: The description of the sample reports indicates which audit actions to enable for each report.BusinessObjects Enterprise will now begin to collect data on audit actions.

5. From the Crystal Enterprise Admin Launchpad, select the Central Management Console (CMC).

6. Go to the Folders management area of the CMC.7. Click Report Samples, then admin reports to display the list of sample

audit reports.


Managing AuditingUsing sample audit reports 10

8. Configure the report to use your auditing database. Click the name of a report that you want to use; then, from the Process tab, click the Database link.

9. If the server name, database name, or database logon information for your auditing database are different than the values originally specified for the sample report, click “Use custom database logon information specified here.”


Managing AuditingCreating custom audit reports10

10. Type the Server name (DSN) and Database name that you specified for your auditing database. Make sure you select the same database driver that you used when configuring the auditing database.

11. Type a User name and Password for a user with administrative rights to the auditing database.

12. Click Specify a custom table prefix, and then type DatabaseName.dbo. in the box, where DatabaseName is the name of the database that you specified above.

13. Click Update. The sample audit report is now configured to use your auditing database as its data source.

14. From the Process tab, click the Parameters link.

15. Click the value of any parameter to specify a default value for that parameter, or to indicate that the user should be prompted for a parameter value when the report is run. Click Update.

16. You may now view the report in BusinessObjects Enterprise.

Creating custom audit reportsThis section contains information to help you understand the auditing database and the information it records about audit actions. With this information, you can use Crystal Reports to create custom audit reports of user and system actions.See your Crystal Reports User’s Guide for full instructions on creating reports. Alternatively, you may wish to use Designer to create a universe against the auditing database, so that you can create your own Web Intelligence documents. Consult the Designer’s Guide and the Web Intelligence guides for details.


Managing AuditingCreating custom audit reports 10

Auditing database schema referenceThe Audit database contains six tables, as shown in the following entity-relationship diagram.

Audit_Event tableThis table stores one record per action that is audited.

Field DescriptionServer_CUID Server process ID.

Combined with the Event_ID to form the primary key for the Audit_Event table.

Event_ID A unique ID generated by the server to identify the audit event. Combined with Server_CUID to form the primary key for the Audit_Event table.

User_Name Name of user who performed the action.Start_Timestamp Time for start of action in UTC (Coordinated

Universal Time) to the nearest millisecond. The time stamp is created by the server recording the action in its log file, and includes any correction necessary to synchronize with CMS time. You may want to correct this time to your local time zone when creating audit reports.

Duration Duration, in seconds, of the action that is audited.



Audit_Detail tableThe Audit_Detail table records more information about each audit action recorded in the Audit_Event table. For example, when a user logon fails, the reasons for that failure are recorded as audit details.There may be more than one record in this table for each audit action recorded in the Audit_Event table.

Event_Type_ID Number that uniquely identifies the type of action the entry represents. Foreign key for the Event_Type table.

Object_CUID Info Object ID of object associated with the action. This number uniquely identifies an object.

Error_Code Field reserved for error codes generated by the Web Intelligence Report Server.

Field Description


Combined with the Event_ID and the Detail_ID to form the primary key for the Audit_Detail table.

Event_ID A unique ID generated by the server to identify the audit event. Combined with Server_CUID and the Detail_ID to form the primary key for the Audit_Detail table.

Detail_ID The Detail_ID field is used to number the individual details associated with each audit action. That is, if there are two details associated with a particular audit action, the first will have a Detail_ID of 1, and the second will have a Detail_ID of 2.

Detail_Type_ID Number that uniquely identifies the type of detail about the audit action that the entry represents. Foreign key for the Detail_Type table.

Detail_Text Information about the audit detail being recorded. For example, if the Detail_Type_Description were “universe name”, the detail text would contain the name of that universe.



Server_Process tableThe Server_Process table contains information about the servers running within your BusinessObjects Enterprise system which can generate audit events.

Event_Type tableThe Event_Type table contains a static list of the kinds of events that can be audited in your BusinessObjects Enterprise system. This table provides information roughly equivalent to that provided by AuditIDs and AuditStrings in Crystal Enterprise 10.

Event_Type table referenceThe following tables list the Event_Type_ID and Event_Type_Description of all events that can be audited in your system. For your convenience, these events are ordered according to the server that generates each type of event.


Primary key for the Server_Process table.Server_Name Machine name of the server that produced the

action. That is, the host name.Application_Type_ID A unique ID that identifies the type of application

that generated the audit action. Foreign key to the Application_Type table.

Server_FullName Friendly name of the server that produced the action. The server’s friendly name is the name displayed in the CMC. The default friendly name is hostname.servertype.

Server_Version Version of BusinessObjects Enterprise on server that produced the action.

Field DescriptionEvent_Type_ID Number that uniquely identifies the type of

audit event that the entry represents. Event_Type_Description Description of the type of audit event.



CMS audit events

Cache Server audit events

Event_Type_ ID Event_Type_Description Description

65537 Concurrent user logon succeeded.

The user logged on successfully, using a concurrent user license.

65538 Named user logon succeeded.

The user logged on successfully, using a named user license.

65540 User logged off.65541 User password has been

changed.65539 User logon failed. Logon failed because there was no valid

license key available.65542 New folder created. A new folder is created, or an existing folder is

copied. Note that this audit string will not be recorded when a new user account is created, even though creating a user creates a user folder.

65543 Folder deleted. A folder is deleted.Note that this audit string will be recorded when a user account (and therefore the user’s folder) is deleted.

65544 Folder modified. The name, location, or description of the folder was changed.

65545 Job failed. Reason: Unresponsive Job Server Child process.

A scheduled report or scheduled program failed to run because communication with the running instance was lost, and the scheduled time for running the job expired. Note: This action must be audited by the CMS as Job Servers are not aware of losing communications with a job.


196609 Crystal report viewed successfully.

User successfully viewed a Crystal report that has saved or live data.

196610 A report could not be viewed.

User attempted to view a Crystal report, but was not successful.



Job Server audit eventsFor scheduled objects, the audit messages give you information about the status of scheduled actions. For example, the audit messages can tell you if a scheduled report ran successfully. For the Destination Job Server, the audit messages give you information on whether an object was sent to a destination, as requested by a user.

Event Server audit events

Event_Type_ ID

Event_Type_Description Description

327681 Job successful. The object ran as scheduled (or requested) and the job completed successfully.

327682 Job failed. The scheduled job did not complete successfully.

327683 Job failed. Job will be retried by the CMS.

The scheduled job did not complete successfully. The job will be retried by the CMS at a later time. For more information on scheduling jobs, see “Scheduling objects” on page 450.


262145 Event registered User creates a file-based event that can be used to schedule objects.

262146 Event unregistered User deletes a file-based event.

262147 Event updated Event object was modified by a user, or by the system. Events are updated when a user modifies the name or description of the file-based event.

262148 Event triggered File-based event was initiated.



Report Application Server audit eventsThe Report Application Server (RAS) is used to view reports opened with the Advanced DHTML viewer, and to create reports using custom applications developed with the RAS SDK.


458753 Report was opened for viewing and/or modification

User opened a report for viewing or modification.Note: In a few cases, this Event_Type_ID may be generated when the report opens but cannot be viewed. This may occur when:• There are problems with the database

setup for the report. For example, you may see this message when the database driver for the report is not present on the client machine

• A processing extension associated with the report aborts viewing, or fails.

• The report used Business Views and the user did not have permissions to refresh the underlying data connections.

• The machine running the RAS ran out of space in its temporary directory.

458754 Report was saved to the CMS.

An existing report was saved.Note: This Event_Type_ID is generated when a custom application created using the RAS SDK saves a report (using the Save method). Consult your RAS SDK documentation for details.

458755 Report was created and saved to the CMS

A new report was created and saved. Note: • This Event_Type_ID is generated when

a custom application created using the RAS SDK saves a new report (using the Save As method). Consult your RAS SDK documentation for details.

458756 Report could not be opened.

The report could not be opened by the RAS.



Web Intelligence Report Server audit events

458757 Report could not be saved to the CMS.

An existing report could not be saved by RAS. Note: This Event_Type_ID is generated when a custom application created using the RAS SDK cannot save a new report (using the Save As method). Consult your RAS SDK documentation for details.

458758 Report could not be created in the CMS.

A newly created report could not be saved by RAS.



6 Get list of universes User accesses a list of universes as part of a document creation workflow.

9 Save document to repository

User saves a Web Intelligence document to BusinessObjects Enterprise.

11 Read document User opens an existing Web Intelligence document.

13 Selection of universe User selects a universe as part of a document creation workflow. This event occurs when a user opens the query panel.

19 Document refresh User manually refreshes a Web Intelligence document, or user opens a Web Intelligence document that has the “refresh on open” document property assigned.

21 List of values A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document.

22 Edit document User has moved into Edit document mode.28 Apply format User applies a formatting change to a

document, in a query panel.40 Get page User action results in a request to server to

generate the necessary data and layout to display all or part of a Web Intelligence document.



Application_Type tableThe Application_Type table contains a static list of the applications that can produce audit events. In BusinessObjects Enterprise XI, the applications that can be audited are servers.

Application_Type table reference

41 Generate SQL Appears when a user refreshes a document.42 Drill out of scope User drills past the scope of the data currently

in memory, and triggers a call to the database for more data.


Field Name DescriptionApplication_Type_ID A unique ID that identifies the type of

application that generated the audit action.

Application_Type_Description The description of the application generating the audit event.

Application_Type_ID Application_Type_Description

1 Unknown Application8 Web Intelligence Report Server11 Central Management Server

(CMS)12 Cache Server13 Report Job Server14 Report Application Server (RAS)15 Event Server16 Program Job Server18 Destination Job Server19 Web Intelligence Job Server



Detail_Type tableThe Detail_Type table contains a static list of the standard details that can be recorded about audited events. For example, a user logon can fail for a number of different reasons. These reasons are listed as entries in the Detail_Type table. The information in the Detail_Type table is equivalent to the information that was recorded in variable AuditStrings in Crystal Enterprise 10.

Field DescriptionDetail_Type_ID Number that uniquely identifies the type of

audit detail that the entry represents. Detail_Type_Description The description of the type of audit detail

generated by the audit event.


BusinessObjects Enterprise Security Concepts

chapter

BusinessObjects Enterprise Security ConceptsSecurity overview11
Security overview
The BusinessObjects Enterprise architecture addresses the many security concerns that affect today’s businesses and organizations. The current release supports features such as distributed security, single sign-on, resource access security, granular object rights, and third-party Windows NT, LDAP, and Windows AD authentication in order to protect against unauthorized access. To allow for further customization of security, BusinessObjects Enterprise supports dynamically loaded processing extensions. And, for monitoring and auditing purposes, BusinessObjects Enterprise allows you to log various web statistics, thus enabling you to detect potential security concerns.Because BusinessObjects Enterprise provides the framework for an increasing number of components from the Enterprise family of Business Objects products, this chapter details the security features and related functionality to show how the framework itself enforces and maintains security. As such, this chapter does not provide explicit procedural details; instead, it focuses on conceptual information and provides links to key procedures.

Related topics:• For key procedures that show how to modify the default accounts,

passwords, and other security settings, see “Making initial security settings” on page 38.

• For procedures that show how to set up authentication, users, and groups, see “Managing User Accounts and Groups” on page 235.

• For procedures that show how to set object rights for your BusinessObjects Enterprise content, see “Controlling User Access” on page 301.

Authentication and authorizationAuthentication is the process of verifying the identity of a user who attempts to access the system, and authorization is the process of verifying that the user has been granted sufficient rights to perform the requested action upon the specified object. This section describes the authentication and authorization processes in order to provide a general idea of how system security works within BusinessObjects Enterprise. Each of the components and key terms is discussed in greater detail later in this chapter.


BusinessObjects Enterprise Security ConceptsAuthentication and authorization 11

Because BusinessObjects Enterprise is fully customizable, the authentication and authorization processes may vary from system to system. This section uses InfoView as a model and describes its default behavior. If you are developing your own BusinessObjects Enterprise end-user or administrative applications using the BusinessObjects Enterprise Software Development Kit (SDK), you can customize the system’s behavior to meet your needs. For complete details, see the developer documentation available on your product CD.For procedures that show how to set up the different authentication types, see “Available authentication types” on page 238.

Primary authenticationPrimary authentication occurs when a user first attempts to access the system. The user provides a user name and password and specifies an authentication type. The authentication type may be Enterprise, Windows NT, LDAP, or Windows AD authentication, depending upon which type(s) you have enabled and set up in the Authorization management area of the Central Management Console (CMC). The user’s web browser sends the information by HTTP to your web server, which routes the information to the Web Component Adapter (WCA).The WCA passes the user’s information to logon.aspx and runs the script. Internally, this script communicates with the SDK and, ultimately, the appropriate security plug-in to authenticate the user against the user database.For instance, if the user specifies Enterprise Authentication, the SDK ensures that the BusinessObjects Enterprise security plug-in performs the authentication. The Central Management Server (CMS) uses the BusinessObjects Enterprise security plug-in to verify the user name and password against the system database. Alternatively, if the user specifies Windows NT, LDAP, or Windows AD Authentication, the SDK uses the corresponding security plug-in to authenticate the user.If the security plug-in reports a successful match of credentials (including a match to an appropriate group membership for Windows NT, Windows AD, or LDAP authentication), the CMS grants the user an active identity on the system and the system performs several actions:• The CMS stores the user’s information in memory in a CMS session

variable. While active, this session consumes one user license on the system.

• The CMS generates and encodes a logon token and sends it to the WCA.• The WCA stores the user’s information in memory in a WCA session

variable. While active, this session stores information that allows BusinessObjects Enterprise to respond to the user’s requests.


BusinessObjects Enterprise Security ConceptsAuthentication and authorization11

Note: • If you are familiar with the SDK, you should note that the WCA here

instantiates the InfoStore object and stores it in the WCA session variable.

• The session variable does not contain the user’s password.• The WCA sends the logon token to the user’s web browser, and the web

browser caches the token in a cookie. Until the logon token expires, its encoded information serves as the user’s valid ticket for the system.

Each of these steps contributes to the distributed security of BusinessObjects Enterprise, because each step consists of storing information that is used for secondary identification and authorization purposes. This is the model used in InfoView. However, if you are developing your own client application and you prefer not to store session state on the WCA, you can design your application such that it avoids using WCA session variables.Note: • The third-party Windows NT, LDAP, and Windows AD security plug-ins

work only once you have mapped groups from the external user database to BusinessObjects Enterprise. For details, see “Available authentication types” on page 238.

• In a single sign-on situation, BusinessObjects Enterprise retrieves users’ credentials and group information directly from the Windows NT or Windows AD system. Hence, users are not prompted for their credentials.

Secondary authentication and authorizationSecondary authentication is the process of double-checking the identity of each user who attempts to view, run, schedule, or otherwise act upon an object that is managed by BusinessObjects Enterprise. Authorization is the process of verifying that the user has been granted sufficient rights to perform the requested action upon the specified object.When a user attempts to access an object on the system, the web browser sends the request by HTTP to the WCA. Before fulfilling the user’s request, the WCA performs a series of security-related steps.1. First, the WCA ensures that the user has a valid logon token:

• If there is a valid logon token, the WCA proceeds to its next task.• If there is no valid logon token, the primary authentication process is

repeated.For more information about logon tokens, see “Logon tokens” on page 229.


BusinessObjects Enterprise Security ConceptsAuthentication and authorization 11

2. Second, the WCA checks internally for an active WCA session that matches the user’s logon token:• If the corresponding WCA session variable remains in memory, the

WCA proceeds to its next task.• If the WCA session variable has timed out, the user is logged back

on with the logon token. The SDK authenticates the user against the appropriate user database, and the CMS and the WCA recreate the required session variables. In this case, BusinessObjects Enterprise does not have to prompt the user for credentials, because the encoded logon token contains the required information.

3. Third, the WCA ensures that the appropriate server component actually processes the user’s request:• If the WCA can process the request itself, it queries the CMS database

for the rights associated with the object that the user requested.For instance, if the user requests a list of reports in a specific folder, the WCA queries the CMS database for a list of the reports that the user is authorized to see. The WCA then dynamically lists the reports in an HTML page, and sends the page to the user’s browser.

• If a different server component must process the request, the WCA sends the request and the user’s logon token to the appropriate server component. That server component then queries the CMS database for the rights associated with the object that the user requested.For instance, if the user attempts to refresh a report’s data, the WCA passes the request along to the Page Server. The Page Server passes the logon token to the CMS to ensure that the user is authorized to refresh the report.For details about how the CMS calculates a user’s effective rights to an object, see “Calculating a user’s effective rights” on page 314.

This secondary authentication and authorization process begins similarly to initial identification; here, however, the authentication algorithm followed by the WCA maintains system security in the fewest number of steps, thereby providing the most efficient response to the user’s initial request.Note: If the user does not have the right to perform the requested action, the WCA displays an appropriate message. For details about setting object rights, see “Controlling User Access” on page 301.


BusinessObjects Enterprise Security ConceptsAuthentication and authorization11
About single sign-on
The term single sign-on is used to describe different scenarios. At its most basic level, it refers to a situation where a user can access two or more applications or systems while providing their log-on credentials only once, thus making it easier for users to interact with the system.Single sign-on to BusinessObjects Enterprise can be provided by BusinessObjects Enterprise, or by different authentication tools such as Windows NT, Windows AD, or LDAP with SiteMinder.Within the context of BusinessObjects Enterprise, we distinguish the following levels of single sign-on:• “Single sign-on to BusinessObjects Enterprise” on page 218• “Single sign-on to database” on page 219• “End-to-end single sign-on” on page 219

Single sign-on to BusinessObjects EnterpriseSingle sign-on to BusinessObjects Enterprise means that once users have logged on to the operating system they can access BusinessObjects Enterprise without having to provide their logon credentials again. When they log on to the operating system, a logon token is created. The system uses this token to authenticate the users and grant them access to BusinessObjects Enterprise and its components.The term “anonymous single sign-on” also refers to single sign-on to BusinessObjects Enterprise, but it specifically refers to the single sign-on functionality for the Guest user account. When the Guest user account is enabled, which it is by default, anyone can log on to BusinessObjects Enterprise as Guest and will have single sign-on access to BusinessObjects Enterprise. For more information, see “Disabling the Guest account” on page 39.Single sign-on to BusinessObjects Enterprise was already supported in previous versions of Crystal Enterprise and continues to exist in BusinessObjects Enterprise XI. For information on configuring single sign-on to BusinessObjects Enterprise, see:• “Managing Enterprise and general accounts” on page 239• “Setting up NT single sign-on” on page 278• “Configuring LDAP authentication” on page 249• “Setting up AD single sign-on” on page 268


BusinessObjects Enterprise Security ConceptsSecurity management components 11

Single sign-on to databaseOnce users are logged on to BusinessObjects Enterprise, single sign-on to the database enables them to perform actions that require database access, in particular, viewing reports and Web Intelligence documents, without having to provide their logon credentials again. Single sign-on to the database can be combined with single sign-on to BusinessObjects Enterprise, to provide users with even easier access to the resources they need. See “End-to-end single sign-on” on page 219.In BusinessObjects Enterprise XI single sign-on to the database is supported through Windows AD using Kerberos. You may want to use single sign-on to the database rather than end-to-end single sign-on, if you don’t want the LocalSystem account for the IIS to be trusted for delegation.For more information see “Configuring Kerberos single sign-on” on page 285, in particular “Configuring IIS for single sign-on to databases only” on page 295, and “Configuring web applications for single sign-on to the databases” on page 299.

End-to-end single sign-onEnd-to-end single sign-on refers to a configuration where users have both single sign-on access to BusinessObjects Enterprise at the front-end, and single sign-on access to the databases at the back-end. Thus, users need to provide their logon credentials only once, when they log on to the operating system, to have access to BusinessObjects Enterprise and to be able to perform actions that require database access, such as viewing reports.In BusinessObjects Enterprise XI end-to-end single sign-on is supported through Windows AD and Kerberos. For more information, see “Configuring Kerberos single sign-on” on page 285.

Security management componentsSystem security within BusinessObjects Enterprise is distributed across most components, but it is managed primarily by the WCA, the CMS, the security plug-ins, and third-party authentication tools, such as SiteMinder and Kerberos. These components work together to authenticate and to authorize users who access BusinessObjects Enterprise, its folders, and its other objects.This section discusses the key components as they relate to system security. It includes:• “Web Component Adapter” on page 220• “Central Management Server” on page 220• “Security plug-ins” on page 221


BusinessObjects Enterprise Security ConceptsSecurity management components11

• “Processing extensions” on page 227Note: Because these components are responsible for additional tasks, several of the components discussed in this section are described in additional detail in “BusinessObjects Enterprise Architecture” on page 47.

Web Component AdapterThe WCA is the gateway between the web server and the remaining BusinessObjects Enterprise components. As such, the WCA receives all HTTP requests that are sent to BusinessObjects Enterprise from users’ web browsers.The WCA ensures that each user has a valid logon token for the system. If the logon token is missing, or if it has expired, the WCA initiates the primary authentication process. For details, see “Primary authentication” on page 215.The WCA is also responsible for maintaining the user’s session state in the WCA session variable. This session variable contains information that BusinessObjects Enterprise uses when fulfilling user’s requests. For details, see “Sessions and session tracking” on page 230.

Central Management ServerIn relation to system security, the Central Management Server (CMS) performs a number of important tasks. The majority of these tasks rely upon the database that the CMS uses to keep track of BusinessObjects Enterprise system data. This data includes security information, such as user accounts, group memberships, and object rights that define user and group privileges.When you first set up your system, the CMS allows you to create user accounts and groups within BusinessObjects Enterprise. And, with its third-party security plug-ins, the CMS allows you to reuse existing user accounts and groups that are stored in a third-party system (a Windows NT user database, an LDAP directory server, or a Windows AD server). The CMS supports third-party authentication, so users can log on to BusinessObjects Enterprise with their current Windows NT, LDAP, or Windows AD credentials.When users log on, the CMS coordinates the authentication process with its security plug-ins; the CMS then grants the user a logon token and an active session on the system. The CMS also responds to authorization requests made by the rest of the system. When a user requests a list of reports in a particular folder, the CMS authorizes the request only when it has verified that the user’s account or group membership provides sufficient privileges.



For details about the CMS and how it calculates a user’s effective rights to an object, see “Calculating a user’s effective rights” on page 314.For more information about the CMS and the CMS database, see “Central Management Server (CMS)” on page 55.

Security plug-insSecurity plug-ins expand and customize the ways in which BusinessObjects Enterprise authenticates users. BusinessObjects Enterprise currently ships with the system default BusinessObjects Enterprise security plug-in and with the Windows NT, LDAP, and Windows AD security plug-ins. Each security plug-in offers several key benefits.Security plug-ins facilitate account creation and management by allowing you to map user accounts and groups from third-party systems into BusinessObjects Enterprise. You can map third-party user accounts or groups to existing BusinessObjects Enterprise user accounts or groups, or you can create new Enterprise user accounts or groups that corresponds to each mapped entry in the external system.The security plug-ins dynamically maintain third-party user and group listings. So, once you map a Windows NT, LDAP, or Windows AD group into BusinessObjects Enterprise, all users who belong to that group can log on to BusinessObjects Enterprise. When you make subsequent changes to the third-party group membership, you need not update or refresh the listing in BusinessObjects Enterprise. For instance, if you map a Windows NT group to BusinessObjects Enterprise, and then you add a new NT user to the NT group, the security plug-in dynamically creates an alias for that new user when he or she first logs on to BusinessObjects Enterprise with valid NT credentials.Moreover, security plug-ins enable you to assign rights to users and groups in a consistent manner, because the mapped users and groups are treated as if they were Enterprise accounts. For example, you might map some user accounts or groups from Windows NT, and some from an LDAP directory server. Then, when you need to assign rights or create new, custom groups within BusinessObjects Enterprise, you make all of your settings in the CMC. Each security plug-in acts as an authentication provider that verifies user credentials against the appropriate user database. When users log on to BusinessObjects Enterprise, they choose from the available authentication types that you have enabled and set up in the Authorization management area of the CMC: Enterprise (the system default), Windows NT, LDAP, or Windows AD.Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if your system uses the BusinessObjects Enterprise Java SDK.



BusinessObjects Enterprise supports the following security plug-ins:• “BusinessObjects Enterprise security plug-in” on page 222• “Windows NT security plug-in” on page 222• “LDAP security plug-in” on page 224• “Windows AD security plug-in” on page 226

BusinessObjects Enterprise security plug-inThe BusinessObjects Enterprise security plug-in (secEnterprise.dll) is installed and enabled by default when you install BusinessObjects Enterprise. This plug-in allows you to create and maintain user accounts and groups within BusinessObjects Enterprise; it also enables the system to verify all logon requests that specify Enterprise Authentication. In this case, user names and passwords are authenticated against the BusinessObjects Enterprise user list, and users are allowed or disallowed access to the system based solely on that information. For details on setting up Enterprise users and groups, see “Managing Enterprise and general accounts” on page 239.

Default accountsWhen you first install BusinessObjects Enterprise, this plug-in sets up two default Enterprise accounts: Administrator and Guest. Neither account has a default password. For details on setting these passwords, see “Making initial security settings” on page 38.

Single sign-onThe BusinessObjects Enterprise authentication provider supports anonymous single sign-on for the Guest account. Thus, when users connect to BusinessObjects Enterprise without specifying a user name and password, the system logs them on automatically under the Guest account. If you assign a secure password to the Guest account, or if you disable the Guest account entirely, you disable this default behavior. For details, see “Disabling the Guest account” on page 39.

Windows NT security plug-inThe Windows NT security plug-in (secWindowsNT.dll) allows you to map user accounts and groups from your Windows NT user database to BusinessObjects Enterprise; it also enables BusinessObjects Enterprise to verify all logon requests that specify Windows NT Authentication. Users are authenticated against the Windows NT user database, and have their membership in a mapped NT group verified before the CMS grants them an active BusinessObjects Enterprise session.



This plug-in is compatible with NT 4 and Windows 2000 Active Directory user databases (when Windows 2000 Active Directory is configured in non-native mode only). If a Windows 2000 Active Directory user database is configured in native mode and contains universal groups that span several domains, you must use the Windows AD security plug-in. For information on mapping Windows NT users and groups to BusinessObjects Enterprise, see “Managing NT accounts” on page 270. For information on the Windows AD security plug-in, see “Windows AD security plug-in” on page 226.Once you have mapped your NT users and groups, all of the BusinessObjects Enterprise client tools support NT authentication, except for the Import Wizard. You can also create your own applications that support NT authentication. For more information, see the developer documentation available on your product CD.Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if your system uses the BusinessObjects Enterprise Java SDK.

Default accountIf you install BusinessObjects Enterprise on Windows as an Administrator of the local machine, then this plug-in is enabled by default. A new NT group (called Business Objects NT Users) is created on the local machine, and your NT user account is added to the group. The Business Objects NT Users group is then mapped to BusinessObjects Enterprise. The result is that you can log on to BusinessObjects Enterprise with your usual NT user credentials.

Single sign-onThe Windows NT security plug-in supports single sign-on, thereby allowing authenticated NT users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped NT group:• To obtain NT single sign-on functionality from a thick-client application

(such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK.In this scenario, the Windows NT security plug-in queries the operating system for the current user’s credentials when the client is launched.



• To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).In this scenario, Internet Explorer and IIS engage in Windows NT Challenge/Response authentication before IIS forwards the user’s credentials to BusinessObjects Enterprise. Note: IIS performs the Challenge/Response authentication for every web page viewed. This can result in severe performance degradation.For details on configuring IIS for single sign-on, see “Setting up NT single sign-on” on page 278.

Note: InfoView provides its own form of “anonymous single sign-on,” which uses Enterprise authentication, as opposed to Windows NT authentication. Design your own web applications accordingly (or modify InfoView) if you want to use NT single sign-on. For information on NT single sign-on, see “Setting up NT single sign-on” on page 278.

LDAP security plug-inThe LDAP security plug-in (secLDAP.dll) allows you to map user accounts and groups from your LDAP directory server to BusinessObjects Enterprise; it also enables the system to verify all logon requests that specify LDAP Authentication. Users are authenticated against the LDAP directory server, and have their membership in a mapped LDAP group verified before the CMS grants them an active BusinessObjects Enterprise session. User lists and group memberships are dynamically maintained by BusinessObjects Enterprise. You can specify that BusinessObjects Enterprise use a Secure Sockets Layer (SSL) connection to communicate to the LDAP directory server for additional security. LDAP authentication for BusinessObjects Enterprise is similar to NT and AD authentication in that you can map groups and set up authentication, authorization, and alias creation. Also as with NT or AD authentication, you can create new Enterprise accounts for existing LDAP users, and can assign LDAP aliases to existing users if the user names match the Enterprise user names. In addition, you can do the following:• Map users and groups from the LDAP directory service.• Specify multiple host names and their ports.For information on mapping your LDAP users and groups to BusinessObjects Enterprise, see “Managing LDAP accounts” on page 248.



Once you have mapped your LDAP users and groups, all of the BusinessObjects Enterprise client tools support LDAP authentication, except for the Import Wizard. You can also create your own applications that support LDAP authentication.

More about LDAPLightweight Directory Access Protocol (LDAP), a common, application-independent directory, enables users to share information among various applications. Based on an open standard, LDAP provides a means for accessing and updating information in a directory. LDAP is based on the X.500 standard, which uses a directory access protocol (DAP) to communicate between a directory client and a directory server. LDAP is an alternative to DAP because it uses fewer resources and simplifies and omits some X.500 operations and features.The directory structure within LDAP has entries arranged in a specific schema. Each entry is identified by its corresponding distinguished name (DN) or common name (CN). Other common attributes include the organizational unit name (OU), and the organization name (O). For example, a member group may be located in a directory tree as follows: cn=BusinessObjects Enterprise Users, ou=Enterprise Users A, o=Research. Refer to your LDAP documentation for more information.Because LDAP is application-independent, any client with the proper authorization can access its directories. LDAP offers you the ability to set up users to log on to BusinessObjects Enterprise through LDAP authentication. It also enables users to be authorized when attempting to access objects in BusinessObjects Enterprise. As long as you have an LDAP server (or servers) running, and use LDAP in your existing networked computer systems, you can use LDAP authentication (along with Enterprise, NT, and Windows AD authentication).If desired, the LDAP security plug-in provided with BusinessObjects Enterprise can communicate with your LDAP server using an SSL connection established using either server authentication or mutual authentication. With server authentication, the LDAP server has a security certificate which BusinessObjects Enterprise uses to verify that it trusts the server, while the LDAP server allows connections from anonymous clients. With mutual authentication, both the LDAP server and BusinessObjects Enterprise have security certificates, and the LDAP server must also verify the client certificate before a connection can be established. Note: The LDAP security plug-in provided with BusinessObjects Enterprise can be configured to communicate with your LDAP server via SSL, but always performs basic authentication when verifying users’ credentials. Before deploying LDAP authentication in conjunction with BusinessObjects



Enterprise, ensure that you are familiar with the differences between these LDAP types. For details, see RFC2251, which is currently available at http://www.faqs.org/rfcs/rfc2251.html

Windows AD security plug-inWindows AD security plug-in enables you to map user accounts and groups from your Windows 2000 Active Directory (AD) user database to BusinessObjects Enterprise; it also enables BusinessObjects Enterprise to verify all logon requests that specify Windows AD Authentication. Users are authenticated against the Windows AD user database, and have their membership in a mapped AD group verified before the Central Management Server grants them an active BusinessObjects Enterprise session.This plug-in is compatible with Windows 2000 Active Directory domains running in either native mode or mixed mode. Note that in order to use the Windows AD security plug-in, the CMS needs to run under a user account that has the “Act as Part of the Operating System” right. See your Windows 2000 documentation for more information. For information on mapping Windows AD users and groups to BusinessObjects Enterprise, see “Managing AD accounts” on page 261.Once you have mapped your AD users and groups, all of the BusinessObjects Enterprise client tools support AD authentication, except for the Import Wizard. You can also create your own applications that support AD authentication. For more information, see the developer documentation available on your product CD. For information on mapping Windows AD users and groups to BusinessObjects Enterprise, see “Managing AD accounts” on page 261.Note: • AD authentication only works for servers running on Windows systems.• AD authentication and aggregation is not functional without a network

connection.• AD authentication and aggregation may not continue to function if the

administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled).

Single sign-onThe Windows AD security plug-in supports single sign-on, thereby allowing authenticated AD users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains



the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped AD group:• To obtain AD single sign-on functionality from a thick-client application

(such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK.In this scenario, the Windows AD security plug-in queries the operating system for the current user’s credentials when the client is launched.

• To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).

Note: BusinessObjects Enterprise provides its own form of “anonymous single sign-on,” which uses Enterprise authentication, as opposed to Windows AD authentication. Design your own web applications accordingly (or modify InfoView) if you want to use AD single sign-on. For information on AD single sign-on, see “Setting up AD single sign-on” on page 268.

Processing extensionsBusinessObjects Enterprise offers you the ability to further secure your reporting environment through the use of customized processing extensions. A processing extension is a dynamically loaded library of code that applies business logic to particular BusinessObjects Enterprise view or schedule requests before they are processed by the system.Note: On Windows systems, dynamically loaded libraries are referred to as dynamic-link libraries (.dll file extension). You must include the file extension when you name your processing extensions.Through its support for processing extensions, the BusinessObjects Enterprise administration SDK essentially exposes a “handle” that allows developers to intercept the request. Developers can then append selection formulas to the request before the report is processed.A typical example is a report-processing extension that enforces row-level security. This type of security restricts data access by row within one or more database tables. The developer writes a dynamically loaded library that intercepts view or schedule requests for a report (before the requests are processed by the Job Server, Page Server, or Report Application Server). The developer’s code first determines the user who owns the processing job; then it looks up the user’s data-access privileges in a third-party system. The code then generates and appends a record selection formula to the report in


BusinessObjects Enterprise Security ConceptsActive trust relationship11

order to limit the data returned from the database. In this case, the processing extension serves as a way to incorporate customized row-level security into the BusinessObjects Enterprise environment.Tip: In BusinessObjects Enterprise XI, you can also set and enforce row-level security through the use of Business Views. For more information, see the Business Views Administrator's Guide.The CMC provides methods for registering your processing extensions with BusinessObjects Enterprise and for applying processing extensions to particular object. For details, see “Applying processing extensions to reports” on page 429.By enabling processing extensions, you configure the appropriate BusinessObjects Enterprise server components to dynamically load your processing extensions at runtime. Included in the SDK is a fully documented API that developers can use to write processing extensions. For more information, see the developer documentation available on your product CD.Note: In the current release, processing extensions can be applied only to Crystal report (.rpt) objects.

Active trust relationshipIn a networked environment, a trust relationship between two domains is generally a connection that allows one domain accurately to recognize users who have been authenticated by the other domain. While maintaining security, the trust relationship allows users to access resources in multiple domains without repeatedly having to provide their credentials.Within the BusinessObjects Enterprise environment, the active trust relationship works similarly to provide each user with seamless access to resources across the system. Once the user has been authenticated and granted an active session, all other BusinessObjects Enterprise components can process the user’s requests and actions without prompting for credentials. As such, the active trust relationship provides the basis for BusinessObjects Enterprise’s distributed security.Tip: When combined with single sign-on functionality, the active trust relationship allows users to access their BusinessObjects Enterprise resources without ever having to explicitly provide credentials to BusinessObjects Enterprise. When single sign-on functionality is combined third party ticket mechanisms, such as Kerberos or SiteMinder, the active trust relationship allows users to access BusinessObjects Enterprise and other network resources without ever having to explicitly provide credentials to the system.


BusinessObjects Enterprise Security ConceptsActive trust relationship 11

Logon tokensA logon token is an encoded string that defines its own usage attributes and contains a user’s session information. The logon token’s usage attributes are specified when the logon token is generated. These attributes allow restrictions to be placed upon the logon token to reduce the chance of the logon token being used by malicious users. The current logon token usage attributes are:• Number of minutes

This attribute restricts the lifetime of the logon token.• Number of logons

This attribute restricts the number of times that the logon token can be used to log on to BusinessObjects Enterprise.

Both attributes hinder malicious users from gaining unauthorized access to BusinessObjects Enterprise with logon tokens retrieved from legitimate users.

Ticket mechanism for distributed securityEnterprise systems dedicated to serving a large number of users typically require some form of distributed security. An enterprise system may require distributed security, for instance, to support features such as load balancing, stateless environments, or transfer of trust (the ability to allow another component to act on behalf of the user).BusinessObjects Enterprise addresses distributed security by implementing a ticket mechanism (one that is similar to the Kerberos ticket mechanism). The CMS grants tickets that authorize components to perform actions on behalf of a particular user. In BusinessObjects Enterprise, the ticket is referred to as the logon token.This logon token is most commonly used over the Web. When a user is first authenticated by BusinessObjects Enterprise, he or she receives a logon token from the CMS. The user’s web browser caches this logon token. When the user makes a new request, other BusinessObjects Enterprise components can read the logon token from the user’s web browser.This use of the logon token provides the distributed security that is required for load balancing to be implemented in conjunction with effective fault-protection. The user’s active identity is stored as a session variable on the WCA that processed the request; consequently, the user’s active identity is not immediately accessible by the other WCA. For this reason, the user’s logon token is used to route all of the user’s requests to the WCA that is storing the user’s session. By doing so, security is maintained while providing optimal


BusinessObjects Enterprise Security ConceptsSessions and session tracking11

performance: the user’s identity is verified, but the system does not have to repeatedly prompt the user for his or her credentials; in addition, the user is prevented from unnecessarily consuming resources on both Web Component Adapters.If the WCA that is storing the user’s active session is taken offline, the logon token again serves a critical purpose. If one WCA ceases to respond to a user’s requests, InfoView and the CMC are designed such that the request is redirected to the remaining WCA. The client application logs the user on with the valid logon token, and the remaining WCA can authenticate the user and create a new, active session without prompting the user for his or her credentials. The remaining WCA can then authorize and carry out the user’s request. In this way, the logon token enables the system’s load-balancing and fault-tolerance mechanisms to maintain a secure environment without affecting the user’s experience.In this scenario, when the original WCA is brought back online, the system automatically resumes its load balancing responsibilities by routing each subsequent request to the least used WCA.

Sessions and session trackingIn general, a session is a client-server connection that enables the exchange of information between the two computers. A session’s state is a set of data that describes the session’s attributes, its configuration, or its content. When you establish a client-server connection over the Web, the nature of HTTP limits the duration of each session to a single page of information; thus, your web browser retains the state of each session in memory only for as long as any single Web page is displayed. As soon as you move from one web page to another, the state of the first session is discarded and replaced with the state of the next session. Consequently, Web sites and Web applications must somehow store the state of one session if they need to reuse its information in another.BusinessObjects Enterprise uses two common methods to store session state: • Cookies—A cookie is a small text file that stores session state on the

client side: the user’s web browser caches the cookie for later use. The BusinessObjects Enterprise logon token is an example of this method.

• Session variables—A session variable is a portion of memory that stores session state on the server side. When BusinessObjects Enterprise grants a user an active identity on the system, information such as the user’s authentication type is stored in a session variable. So long as the


BusinessObjects Enterprise Security ConceptsSessions and session tracking 11

session is maintained, the system neither has to prompt the user for the information a second time nor has to repeat any task that is necessary for the completion of the next request.

Ideally, the system should preserve the session variable while the user is active on the system. And, to ensure security and to minimize resource usage, the system should destroy the session variable as soon as the user has finished working on the system. However, because the interaction between a web browser and a web server can be stateless, it can be difficult to know when users leave the system, if they do not log off explicitly. To address this issue, BusinessObjects Enterprise implements session tracking.

WCA session trackingThe WCA implements session tracking similarly to most web servers. The server-side script pages (Crystal Server Pages) programmatically save variables to the WCA session. By default, the WCA retains the session until the user explicitly logs off, or until 20 minutes after the user’s last request (whichever occurs first).Note: • If you are familiar with the SDK, you should note that a WCA session is

an instance of an InfoStore object.• The WCA session timeout can be programmatically configured in the

server-side .aspx pages to timeout earlier if the default of 20 minutes is not desired.

CMS session trackingThe CMS implements a simple tracking algorithm. When a user logs on, he or she is granted a CMS session, which the CMS preserves until the user logs off, or until the WCA session variable is released. The WCA session is designed to notify the CMS on a recurring basis that it is still active, so the CMS session is retained so long as the WCA session exists. If the WCA session fails to communicate with the CMS for a ten-minute time period, the CMS destroys the CMS session. This handles scenarios where client-side components shut down irregularly.Note: If you are familiar with the SDK, you should note that a CMS session is an instance of an EnterpriseSession object.


BusinessObjects Enterprise Security ConceptsEnvironment protection11
Environment protection
Environment protection refers to the security of the overall environment in which client and server components communicate. Although the Internet and web-based systems are increasingly popular due to their flexibility and range of functionality, they operate in an environment that can be difficult to secure. When you deploy BusinessObjects Enterprise, environment protection is divided into two areas of communication:• Web browser to web server• Web server to BusinessObjects Enterprise

Web browser to web serverWhen sensitive data is transmitted between the web browser and the web server, some degree of security is usually required. Relevant security measures usually involve two general tasks:• Ensuring that the communication of data is secure.• Ensuring that only valid users retrieve information from the web server.These tasks are typically handled by web servers through various security mechanisms, including the Secure Sockets Layer (SSL) protocol, Windows NT Challenge/Response authentication, and other such mechanisms.You must secure communication between the web browser and the web server independently of BusinessObjects Enterprise. For details on securing client connections, refer to your web server documentation.

Web server to BusinessObjects EnterpriseFirewalls are commonly used to secure the area of communication between the web server and the rest of the corporate intranet (including BusinessObjects Enterprise). BusinessObjects Enterprise supports firewalls that use IP filtering or static network address translation (NAT), or SOCKS proxy servers, and it supports a multitude of configurations. Supported environments can involve multiple firewalls, web servers, or application servers.For complete details on BusinessObjects Enterprise and firewall interaction, see “Working with Firewalls” on page 169.


BusinessObjects Enterprise Security ConceptsAuditing web activity 11

Auditing web activityBusinessObjects Enterprise provides insight into your system by recording web activity and allowing you to inspect and to monitor the details. The WCA allows you to select the web attributes—such as time, date, IP address, port number, and so on—that you want to record. The auditing data is logged to disk and stored in comma-delimited text files, so you can easily report off the data or import it into other applications.

Protection against malicious logon attemptsNo matter how secure a system is, there is often at least one location that is vulnerable to attack: the location where users connect to the system. It is nearly impossible to protect this location completely, because the process of simply guessing a valid user name and password remains a viable way to attempt to “crack” the system.BusinessObjects Enterprise implements several techniques to reduce the probability of a malicious user achieving access to the system. The various restrictions listed below apply only to Enterprise accounts—that is, the restrictions do not apply to accounts that you have mapped to an external user database (Windows NT, LDAP, or Windows AD). Generally, however, your external system will enable you to place similar restrictions on the external accounts.

Password restrictionsPassword restrictions ensure that Enterprise users create passwords that are relatively complex. You can enable the following options:• Enforce mixed-case passwords

This option ensures that passwords contain at least two of the following character classes: upper case letters, lower case letters, numbers, or punctuation.

• Must contain at least N charactersBy enforcing a minimum complexity for passwords, you decrease a malicious user’s chances of simply guessing a valid user’s password.


BusinessObjects Enterprise Security ConceptsProtection against malicious logon attempts11
Logon restrictions
Logon restrictions serve primarily to prevent dictionary attacks (a method whereby a malicious user obtains a valid user name and attempts to learn the corresponding password by trying every word in a dictionary). With the speed of modern hardware, malicious programs can guess millions of passwords per minute. To prevent dictionary attacks, BusinessObjects Enterprise has an internal mechanism that enforces a time delay (0.5–1.0 second) between logon attempts. In addition, BusinessObjects Enterprise provides several customizable options that you can use to reduce the risk of a dictionary attack:• Disable accounts after N failed attempts to log on• Reset failed logon count after N minute(s)• Re-enable account after N minute(s)

User restrictionsUser restrictions ensure that Enterprise users create new passwords on a regular basis. You can enable the following options:• Must change password every N day(s)• Cannot reuse the N most recent password(s)• Must wait N minute(s) to change passwordThese options are useful in a number of ways. Firstly, any malicious user attempting a dictionary attack will have to recommence every time passwords change. And, because password changes are based on each user’s first logon time, the malicious user cannot easily determine when any particular password will change. Additionally, even if a malicious user does guess or otherwise obtain another user’s credentials, they are valid only for a limited time.

Guest account restrictionsThe BusinessObjects Enterprise authentication provider supports anonymous single sign-on for the Guest account. Thus, when users connect to BusinessObjects Enterprise without specifying a user name and password, the system logs them on automatically under the Guest account. If you assign a secure password to the Guest account, or if you disable the Guest account entirely, you disable this default behavior. For details, see “Disabling the Guest account” on page 39.


Managing User Accounts and Groups

chapter

Managing User Accounts and GroupsWhat is account management?12
What is account management?
Account management can be thought of as all of the tasks related to creating, mapping, changing, and organizing user and group information. The Users and Groups management areas of the Central Management Console (CMC) provide you with a central place to perform all of these tasks.In the Users area, you can specify everything required for a user to access BusinessObjects Enterprise. To create user accounts, specify the following:• Account name (required)• Full name• Email• Description• Password settings• Connection type• Group membershipIn the Groups area, you can create groups that give a number of people access to the report or folder. This enables you to make changes in one place instead of modifying each user account individually. To create groups, specify the following:• Group name (required)• Description• Users who belong to the group• Subgroups that belong to the group• Group membershipAfter the user accounts and groups have been created, you can add report objects and specify rights to them. When the users log on, they can view the reports using InfoView or their custom web application. For more information on objects and rights, see “Controlling users’ access to objects” on page 303.

Default users and groupsThis section lists and describes the different types of default users and groups that are found within BusinessObjects Enterprise.

Default usersFor procedures on managing users, see “Managing Enterprise and general accounts” on page 239.


Managing User Accounts and GroupsDefault users and groups 12

AdministratorThe Administrator user belongs to the Administrators and Everyone groups. This user can perform all tasks in all BusinessObjects Enterprise applications (for example, the Central Management Console, Central Configuration Manager, Publishing Wizard, and InfoView). By default, the Administrator is not assigned a password. For security reasons, it is highly recommended that you create a password for the Administrator user as soon as possible. See “Setting the Administrator password” on page 39.Note: To use the Central Configuration Manager, your operating system account may require certain rights on the local machine. For more information, see “Using the Central Configuration Manager” on page 37.

GuestThe Guest user is a member of the Everyone group. This user can view reports that are found within the Report Samples folder. Generally, the Guest user accesses reports through InfoView. This account is enabled by default. To disable this default setting, see “Disabling the Guest account” on page 247.By default, the Guest user is not assigned a password. If you assign it a password, the single sign-on to InfoView will be broken.Note: If users in multiple time zones use the Guest account, see “Supporting users in multiple time zones” on page 511.

Default groupsIn addition to organizing users and simplifying administration, groups enable you to determine the functionality a user has access to. In BusinessObjects Enterprise, the following default groups are created. For procedures on managing groups, see “Managing Enterprise and general accounts” on page 239.

AdministratorsUsers who belong to the Administrators group are able to perform all tasks in all of the BusinessObjects Enterprise applications (Central Management Console, Central Configuration Manager, Publishing Wizard, and InfoView). By default, the Administrator group contains only the Administrator user.Note: To use the Central Configuration Manager, your operating system account may require certain rights on the local machine. For more information, see “Using the Central Configuration Manager” on page 37.


Managing User Accounts and GroupsAvailable authentication types12
BusinessObjects NT Users
When you install BusinessObjects Enterprise on Windows, BusinessObjects Enterprise creates a BusinessObjects NT Users group. This group is also added to Windows on the local machine and the user who installed BusinessObjects Enterprise is automatically added to this group.When NT authentication is enabled, BusinessObjects NT Users can use their NT accounts to log on to BusinessObjects Enterprise. By default, members of this group are able to view folders and reports.

EveryoneEach user is a member of the Everyone group. By default, the Everyone group allows access to all the reports that are found in the Report Samples folder.

Universe Designer UsersUsers who belong to this group are granted access to the Universe Designer folder and the Connections folder. They can control who has access rights to the Designer application. You must add users to this group as needed. By default, no user belongs to this group.

Available authentication types Before setting up user accounts and groups within BusinessObjects Enterprise, decide which type of authentication you want to use:• Enterprise authentication

Use the system default Enterprise Authentication if you prefer to create distinct accounts and groups for use with BusinessObjects Enterprise, or if you have not already set up a hierarchy of users and groups in a Windows NT user database, an LDAP directory server, or a Windows AD server. See “Managing Enterprise and general accounts” on page 239.

• Windows NT authenticationIf you are working in a Windows NT environment, you can use existing NT user accounts and groups in BusinessObjects Enterprise. When you map NT accounts to BusinessObjects Enterprise, users are able to log on to BusinessObjects Enterprise applications with their NT user name and password. This can reduce the need to recreate individual user and group accounts within BusinessObjects Enterprise. For more information, see “Managing NT accounts” on page 270.


Managing User Accounts and GroupsManaging Enterprise and general accounts 12

• LDAP authenticationIf you set up an LDAP directory server, you can use existing LDAP user accounts and groups in BusinessObjects Enterprise. When you map LDAP accounts to BusinessObjects Enterprise, users are able to access BusinessObjects Enterprise applications with their LDAP user name and password. This eliminates the need to recreate individual user and group accounts within BusinessObjects Enterprise. For more information, see “Managing LDAP accounts” on page 248.

• Windows AD authenticationIf you are working in a Windows 2000 environment, you can use existing AD user accounts and groups in BusinessObjects Enterprise. When you map AD accounts to BusinessObjects Enterprise, users are able to log on to BusinessObjects Enterprise applications with their AD user name and password. This eliminates the need to recreate individual user and group accounts within BusinessObjects Enterprise. For more information, see “Managing AD accounts” on page 261.

Note: You can use Enterprise Authentication in conjunction with either NT, LDAP, or AD authentication, or with all of the three authentication plug-ins.

Managing Enterprise and general accountsSince Enterprise authentication is the default authentication method for BusinessObjects Enterprise, it is automatically enabled when you first install the system. When you add and manage users and groups, BusinessObjects Enterprise maintains the user and group information within its database.This section focuses on the following account management tasks:• “Creating an Enterprise user account” on page 240• “Modifying a user account” on page 242• “Deleting a user account” on page 242• “Changing password settings” on page 243• “Creating a group” on page 244• “Modifying a group” on page 246• “Viewing group members” on page 247• “Deleting a group” on page 247• “Disabling the Guest account” on page 247• “Granting access to users and groups” on page 248


Managing User Accounts and GroupsManaging Enterprise and general accounts12

Note: In many cases, these procedures also apply to NT, LDAP, and AD account management. For specific information on NT authentication, see “Managing NT accounts” on page 270. For specific information on LDAP authentication, see “Managing LDAP accounts” on page 248. For specific information on AD authentication, see “Managing AD accounts” on page 261.

Creating an Enterprise user accountWhen you create a new user, you specify the user’s properties and select the group or groups for the user. For information on setting rights for the user, see “Granting access to users and groups” on page 248.

To create a user account1. Go to the Users management area of the CMC.2. Click New User.3. Select the Enterprise authentication type. 4. Type the account name, full name, email, and description information.

Use the description area to include extra information about the user or account.

5. Specify the password information and settings. Options include:• Password

Enter the password and confirm. This is the initial password that you assign to the user. The maximum password length is 64 characters.

• Password never expiresSelect the check box.

• User must change password at next logonThis check box is selected by default. If you do not want to force users to change the password the first time they log on, clear the check box.

• User cannot change password Select the check box.

6. Select the connection type.• Concurrent User

Choose Concurrent user if this user belongs to a license agreement that states the number of users allowed to be connected at one time.



• Named UserChoose Named user if this user belongs to a license agreement that associates a specific user with a license. Named user licenses are useful for people who require access to BusinessObjects Enterprise regardless of the number of other people who are currently connected.

7. Click OK.The user is added to the system and is automatically added to the Everyone group. You can now add the user to a group or specify rights for the user. See “Adding a user to groups” on page 241, Chapter 13: Controlling User Access. An inbox is also automatically created for the user.The user is also automatically assigned an Enterprise alias, for example, secEnterprise:bsmith. For more information, see “Managing aliases” on page 280.

Adding a user to groupsUse the following procedure to add a user to one or more groups directly from the user page. Note: You can also add users to a group from the group page. See “Adding users to a group” on page 245.

To add a user to a group1. Go to the Users management area of the CMC.2. Under Account Name, click the link to the user whose properties you

want to change.3. Click the Member of tab to specify the group or groups the user should

belong to.Note: All BusinessObjects Enterprise users of the system are part of the Everyone group.

4. Click the Member of button to view the available groups.5. In the Available groups area, select the group(s) that the new user should

be a member of.Use SHIFT+click or CTRL+click to select multiple groups.

6. Click the > arrow to add the group(s); click the < arrow to remove the group(s).

7. Click OK.The “Member of” tab appears and lists the groups in which the user is a member.


Modifying a user account
Use this procedure to modify a user’s properties or group membership. Note: The user will be affected if he or she is logged on when you are making the change.

To modify a user account1. Go to the Users management area of the CMC.2. Under Account Name, click the link to the user whose properties you

want to change.3. Make the required changes, as necessary, in the available fields.

In addition to all of the options that were available when you initially created the account, you now can disable the account by selecting the “Account is disabled” check box. You can also assign aliases. For more information, see “Managing aliases” on page 280.

4. Click Update.

Deleting a user accountUse this procedure to delete a user’s account. The user might receive an error if they are logged on when their account is deleted. When you delete a user account, the Favorites folder, personal categories, and inbox for that user are deleted as well.If you think the user might require access to the account again in the future, select the “Account is disabled” check box in the Properties page of the selected user, instead of deleting the account. See “Modifying a user account” on page 242.Note: Deleting a user account won’t necessarily prevent the user from being able to log on to BusinessObjects Enterprise again. If the user account also exists in a third-party system, and if the account belongs to a third-party group that is mapped to BusinessObjects Enterprise, the user may still be able to log on. For details, see “Deleting an alias” on page 283 and “Disabling an aliases” on page 284.



To delete a user account1. Go to the Users management area of the CMC.2. Select the check box associated with the user you want to delete.3. Click Delete.

The delete confirmation dialog box appears.4. Click OK.

The user account is deleted.

Changing password settingsWithin the Central Management Console, you can change the password settings for a specific user or for all users in the system. For information, see “Protection against malicious logon attempts” on page 233.The various restrictions listed below apply only to Enterprise accounts—that is, the restrictions do not apply to accounts that you have mapped to an external user database (Windows NT, LDAP, or Windows AD). Generally, however, your external system will enable you to place similar restrictions on the external accounts.

To change user password settings1. Go to the Users management area of the CMC.2. Click the user whose password settings you want to change.

The Properties tab appears.3. Select or clear the check box associated with the password setting you

wish to change.The available options are:• Password never expires• User must change password at next logon• User cannot change password

4. Click Update.

To change password settings1. Go to the Authentication management area of the CMC.2. Click the Enterprise tab. 3. Select the check box and enter the value related to the password setting.



The table below identifies the minimum and maximum values for each of the settings you can configure:

4. Click Update.

Creating a groupGroups are collections of users who share the same account privileges. For instance, you may create groups that are based on department, role, or location. Groups enable you to change the rights for users in one place (a group) instead of modifying the rights for each user account individually. Also, you can assign object rights to a group or groups. For information on object rights, see “Managing objects overview” on page 402. For information on granting users and groups administrative rights to other groups, see “Granting access to users and groups” on page 248.After creating a new group, you can add users, add subgroups, or specify group membership so that the new group is actually a subgroup. Because subgroups provide you with additional levels of organization, they are useful when you set object rights to control users’ access to your BusinessObjects Enterprise content.

To create a new group1. Go to the Groups management area of the CMC.2. Click New Group.3. On the Properties tab, enter the group name and description.4. Click OK.

Password Setting Minimum Recommended Maximum

Must contain at least N characters 0 characters 64 charactersMust change password every N days 1 day 100 daysCannot reuse the N most recent passwords 1 password 100 passwordsMust wait N minutes to change password 0 minutes 100 minutesDisable account after N failed attempts to log on

1 failed 100 failed

Reset failed logon count after N minutes 1 minute 100 minutesRe-enable account after N minutes 0 minutes 100 minutes



Adding users to a groupUse the following procedure to add users to a group, directly from the group page.Note: You can also add a user to groups from the user page. See “Adding a user to groups” on page 241.

To add users to a group1. In the Groups management area of the CMC, click the link for the group.2. Click the Users tab.3. Click Add Users.4. Select the users to add to the group; then click the > arrow.

Tip: • To select multiple users, use the SHIFT+click or CTRL+click

combination.• To search for a specific user, use the Look For field.• If there are many users on your system, click the Previous and Next

buttons to navigate through the list of users.5. Click OK.

The Users tab appears. It lists all of the users who belong to this group.

Adding subgroupsYou can add an existing group as a subgroup to another group. A subgroup inherits the rights of the parent group.Note: Adding a subgroup is similar to specifying group membership. See “Specifying group membership” on page 246.

To add subgroups 1. In the Groups management area of the CMC, click the link for the group.2. Click the Subgroups tab.3. Click Add/Remove Subgroups.4. Select the groups that should be members of this new group; then click

the > arrow.5. Click OK.


Specifying group membership
You can make a group a member of another group. The group that becomes a member is referred to as a subgroup. The group that you add the subgroup to is the parent group. A subgroup inherits the rights of the parent group.Note: Adding a subgroup is similar to specifying group membership. See “Specifying group membership” on page 246.

To make a group a member of another group1. In the Groups management area of the CMC, click the link for the group.2. Click the Member of tab. 3. Click the Member of button.4. Select the parent groups that this new group will be a member of; then

click the > arrow. Any rights associated with the parent group will be inherited by the new group you have created.

5. Click OK.

Modifying a groupYou can modify a group by making changes to any of the settings. Note: The users who belong to the group will be affected by the modification if they are logged on when you are making changes.

To modify a group1. In the Groups management area of the CMC, click the link for the group.2. Under the Group Name column, click the link to the group whose

configuration you want to change.3. Make the necessary changes in one of the four tabs:

• Properties• Users• Subgroups• Member of

4. Depending on which tab you have selected, click OK or Update after you have made your changes.



Viewing group membersYou can use this procedure to view the users who belong to a specific group.

To view group members1. In the Groups management area of the CMC, click the link for the group.2. Click Users.3. Click Refresh.

Note: It may take a few minutes for your list to refresh if you have a large number of users in the group or if your group is mapped to an NT user database, LDAP user directory, or AD user directory.

Deleting a groupYou can delete a group when that group is no longer required. You cannot delete the default groups Administrator and Everyone. Note: The users who belong to the deleted group will be affected by the change if they are logged on when the group is deleted.To delete a third-party authentication groups, such as the BusinessObjects NT Users group, use the Authentication management area in CMC. See “Unmapping LDAP groups” on page 258, “Unmapping AD groups” on page 266, and “Mapping NT accounts” on page 270.

To delete a group1. Go to the Groups management area of the CMC.2. Select the check box associated with the group you want to delete. 3. Click Delete.

The delete confirmation dialog box appears.4. Click OK.

Disabling the Guest accountBy disabling the Guest account, you ensure that no one can log on to BusinessObjects Enterprise with this account. By disabling the Guest account, you also disable the anonymous single sign-on functionality of BusinessObjects Enterprise, so users will be unable to access InfoView without providing a valid user name and password.


Managing User Accounts and GroupsManaging LDAP accounts12

To disable the Guest account1. Go to the Users management area of the CMC.2. In the Account Name column, click Guest.3. On the Properties tab, select the Account is disabled check box.4. Click Update.5. If you are prompted for confirmation, click OK.

Granting access to users and groupsYou can grant users and groups administrative access to other users and groups. Administrative rights include: viewing, editing, and deleting objects; viewing and deleting object instances; and pausing object instances. For example, for troubleshooting and system maintenance, you may want to grant your IT department access to edit and delete objects.For more information about granting rights to users and groups, see “Controlling access to users and groups” on page 338.

Managing LDAP accountsTo use LDAP authentication, you need to first ensure that you have your respective LDAP directory set up. For more information about LDAP, refer to your LDAP documentation. For more information on the LDAP security plug-in, see “LDAP security plug-in” on page 224.Note: When you install BusinessObjects Enterprise, the LDAP authentication plug-in is installed automatically, but not enabled by default.This section describes tasks related to LDAP accounts in BusinessObjects Enterprise. In particular, it includes information on:• “Configuring LDAP authentication” on page 249• “Mapping LDAP groups” on page 255• “Unmapping LDAP groups” on page 258• “Viewing mapped LDAP users and groups” on page 258• “Changing LDAP connection parameters and member groups” on

page 258• “Managing multiple LDAP hosts” on page 259• “Troubleshooting LDAP accounts” on page 260


Managing User Accounts and GroupsManaging LDAP accounts 12

Configuring LDAP authenticationTo simplify administration, BusinessObjects Enterprise supports LDAP authentication for user and group accounts. Before users can use their LDAP user name and password to log on to BusinessObjects Enterprise, you need to map their LDAP account to BusinessObjects Enterprise. When you map an LDAP account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. Before setting up and enabling LDAP authentication, ensure that you have your LDAP directory set up. For more information, refer to your LDAP documentation.Configuring LDAP authentication includes the following main steps:• “Configuring the LDAP host” on page 249.• “Configuring the Secure Socket Layer authentication for LDAP” on

page 250.• “Configuring LDAP single sign-on with SiteMinder” on page 253.• “Configuring LDAP mapping options” on page 253.

Configuring the LDAP host To configure the LDAP host

1. Go to the Authentication management area of the CMC.2. Click the LDAP tab, and then click “Start LDAP Configuration Wizard”.

The LDAP Configuration Wizard will lead you through the setup of LDAP authentication, step by step.

3. The first screen of the wizard asks for information about your LDAP host. Type your LDAP host and port information in the Add LDAP host (hostname:port) field (for example, “myserver:123”); then click Add.Repeat this step to add more than one LDAP host of the same server type if you want to add hosts that can act as failover servers. If you want to remove a host, highlight the host name and click Delete. For more information on multiple hosts, refer to “Managing multiple LDAP hosts” on page 259.

4. Click Next.5. Select your server type from the LDAP Server Type list. Click Show

Attribute Mappings if you want to view or change any of the LDAP Server Attribute Mappings or the LDAP Default Search Attributes. By default, each supported server type’s server attribute mappings and search attributes are already set.



6. Click Next.7. In the Base LDAP Distinguished Name field, type the distinguished

name (for example, o=SomeBase).8. Click Next.9. Enter the credentials required by the LDAP hosts.

• In the “LDAP Server Administration Credentials” area, type the distinguished name and password for a user account that is authorized to administer your LDAP server.If your LDAP Server allows anonymous binding, leave this area blank—BusinessObjects Enterprise servers and clients will bind to the primary host via anonymous logon.

• Enter another distinguished name and password in the “LDAP Referral Credentials” area if all of the following apply:• The primary host has been configured to refer to another

directory server that handles queries for entries under a specified base.

• The host being referred to has been configured to not allow anonymous binding.

• A group from the host being referred to will be mapped to BusinessObjects Enterprise.

Although groups can be mapped from multiple hosts, only one set of referral credentials can be set. Therefore if you have multiple referral hosts, you must create a user account on each host that uses the same distinguished name and password.

10. Enter the number of referral hops in the Maximum Referral Hops field. If this field is set to zero, no referrals will be followed.

11. Click Next.12. Proceed with configuring the Secure Socket Layer.

Configuring the Secure Socket Layer authentication for LDAPNote: This section describes the CMC related information for configuring SSL for LDAP only. For additional information or for information on configuring the LDAP host server, refer to http://www.techsupport.businessobjects.com or your LDAP vendor documentation.



To configure the Secure Socket Layer authentication1. If necessary, go to the Authentication management area of the CMC

again. Click the LDAP tab, and then click Start LDAP Configuration Wizard. Click Next until the screen of the wizard asks for the Secure Socket Layer authentication information. Otherwise, skip to step 2.

2. Select the type of SSL authentication (Basic (no SSL), Server Authentication, or Mutual Authentication) your LDAP hosts uses to establish a connection with BusinessObjects Enterprise. Click Next.

3. If you selected Server Authentication or Mutual Authentication, choose one of the following options:• Always accept server certificate

This is the lowest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive a security certificate from the LDAP host. BusinessObjects Enterprise does not verify the certificate it receives.

• Accept server certificate if it comes from a trusted Certificate AuthorityThis is a medium security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database.

Tip: Java applications (such as the Java version of InfoView) always use this option, regardless of the setting you choose.• Accept server certificate if it comes from a trusted Certificate

Authority and the CN attribute of the certificate matches the DNS hostname of the serverThis is the highest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database. It must also be able to confirm that the CN attribute on the server certificate exactly matches the host name of the LDAP host as you typed it in the “Add LDAP host” field in the first step of the wizard. That is, if you entered the LDAP host name as ABALONE.rd.crystald.net:389, using CN =ABALONE:389 in the certificate would not work.



Tip: The host name on the server security certificate is the name of the primary LDAP host. Therefore if you select this option you cannot use a failover LDAP host.

4. In the SSL host box, you must next add the host name of each machine in your BusinessObjects Enterprise system that uses the BusinessObjects Enterprise SDK. (This includes the machine running your Central Management Server and the machine running your WCA.)Type the host name of each machine in the SSL Host box, and then click Add.

5. Now configure the SSL settings for each SSL host in the list, starting with the default host. • To select settings for the default host, first clear the Use default

value boxes. Then type your values for the path to the certificate and key database files, the password for the key database. Type a nickname for the client certificate in the cert7.db if you selected mutual authentication.The settings for the default host are used:• for any setting (for any host) where you leave the “Use default

value” box checked.• for any machine whose name you do not explicitly add to the list

of SSL hosts.• To select settings for another host, select its name in the list on the

left. Then type the appropriate values in the boxes on the right.



6. Click Next.7. Proceed with configuring LDAP for single sign-on.

Configuring LDAP single sign-on with SiteMinderSiteMinder is a third-party user access and authentication tool that you can use with the LDAP security plug-in to create single sign-on to BusinessObjects Enterprise. In order to use SiteMinder, you need to configure the single sign-on authentication for the LDAP plug-in.For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.

To configure LDAP for single sign-on with SiteMinder1. If necessary, go to the Authentication management area of the CMC

again. Click the LDAP tab, and then click Start LDAP Configuration Wizard. Click Next until the screen of the wizard asks for the LDAP single sign-on authentication. Otherwise, skip to step 2.

2. Select the type of single sign-on authentication (Basic (no SSO) or SiteMinder).

3. Click Next.4. If you selected SiteMinder, configure the SiteMinder hosts:

• In the Policy Server Host box, type the name of each Policy Server, and then click Add.

• For each Policy Server Host, specify the Accounting, Authentication and Authorization port numbers.

• Enter the name of the Web Agent and the Shared Secret. Enter the shared secret again.

5. Click Next.6. Proceed with configuring the LDAP options.

Configuring LDAP mapping options To configure LDAP mapping options

1. If necessary, go to the Authentication management area of the CMC again. Click the LDAP tab, and then click Start LDAP Configuration Wizard. Click Next until the screen of the wizard asks you to map the LDAP users to BusinessObjects Enterprise users. Otherwise, skip to step 2.

2. The next screen of the wizard controls how BusinessObjects Enterprise maps LDAP users to BusinessObjects Enterprise users.



New Alias Options allow you to specify how LDAP aliases are mapped to Enterprise accounts. Select either:• Assign each added LDAP alias to an account with the same

nameUse this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new LDAP users.or

• Create a new account for every added LDAP aliasUse this option when you want to create a new account for each user.

3. Update Options allow you to specify if LDAP aliases are automatically created for all new users. Select either:• New aliases will be added and new users will be created

Use this option to automatically create a new alias for every LDAP user mapped to BusinessObjects Enterprise. New LDAP accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the “Create a new account for every added LDAP alias” option.or

• No new aliases will be added and new users will not be createdUse this option when the LDAP directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.



4. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to LDAP accounts. Select either:• New users are created as named users

New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option.or

• New users are created as concurrent usersNew user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.

5. Click Finish to save your LDAP settings. The LDAP Server Summary page appears.

Mapping LDAP groupsOnce you have configured LDAP authentication using the LDAP configuration wizard, you can map LDAP groups to Enterprise groups. See “Configuring LDAP authentication” on page 249.

To map LDAP groups using BusinessObjects Enterprise1. Go to the Authentication management area of the CMC.2. Click the LDAP tab.

If LDAP authorization is configured, the LDAP summary page appears.

3. In the “Mapped LDAP Member Groups” area, specify your LDAP group (either by common name or distinguished name) in the Add LDAP group (by cn or dn) field; click Add.



You can add more than one LDAP group by repeating this step. To remove a group, highlight the LDAP group and click Delete.

4. New Alias Options allow you to specify how LDAP aliases are mapped to Enterprise accounts. Select either:• Assign each added LDAP alias to an account with the same

nameUse this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new LDAP users.



or• Create a new account for every added LDAP alias

Use this option when you want to create a new account for each user.

5. Update Options allow you to specify if LDAP aliases are automatically created for all new users. Select either:• New aliases will be added and new users will be created

Use this option to automatically create a new alias for every LDAP user mapped to BusinessObjects Enterprise. New LDAP accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the “Create a new account for every added LDAP alias” option.or

• No new aliases will be added and new users will not be createdUse this option when the LDAP directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.

6. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to LDAP accounts. Select either:• New users are created as named users

New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option.or


7. Click Update.


Unmapping LDAP groups
Similar to mapping, it is possible to unmap groups using BusinessObjects Enterprise.

To unmap LDAP groups using BusinessObjects Enterprise1. Go to the Authentication management area of the CMC.2. Click the LDAP tab.

If LDAP authorization is configured, the LDAP summary page will appear.3. In the “Mapped LDAP Member Groups” area, select the LDAP group you

would like to remove.4. Click Delete.5. Click Update.

The users in this group will not be able to access BusinessObjects Enterprise.Tip: To deny LDAP Authentication for all groups, clear the “LDAP Authentication is enabled” check box and click Update.Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user’s Enterprise account. For more information, see “Managing Enterprise and general accounts” on page 239.

Viewing mapped LDAP users and groupsYou can view your LDAP mapped groups in BusinessObjects Enterprise by clicking the LDAP tab (located in the Authentication management area). If LDAP authorization is configured, the Mapped LDAP Member Groups area displays the LDAP groups that have been mapped to BusinessObjects Enterprise.

Changing LDAP connection parameters and member groupsAfter you have configured LDAP authentication using the LDAP configuration wizard, you can change LDAP connection parameters and member groups using the LDAP Server Configuration Summary Page. For information on configuring LDAP authentication using the LDAP configuration wizard, see “Configuring LDAP authentication” on page 249.

To change connection settings1. Go to the Authentication management area of the CMC.



2. Click the LDAP tab.If LDAP authorization is configured, the LDAP Server Configuration Summary page appears. On this page you can change any of the connection parameter areas or fields. You can also modify the Mapped LDAP Member Groups area.

3. Delete currently mapped groups that will no longer be accessible under the new connection settings.

4. Click Update.5. Change your connection settings.6. Click Update.7. Change your Alias and New User options.8. Click Update.9. Map your new LDAP member groups.10. Click Update.

Managing multiple LDAP hostsUsing LDAP and BusinessObjects Enterprise, you can add fault tolerance to your system by adding multiple LDAP hosts. BusinessObjects Enterprise uses the first host that you add as the primary LDAP host. Subsequent hosts are treated as failover hosts.The primary LDAP host and all failover hosts must be configured in exactly the same way, and each LDAP host must refer to all additional hosts from which you wish to map groups. For more information about LDAP hosts and referrals, see your LDAP documentation.To add multiple LDAP Hosts, enter all hosts when you configure LDAP using the LDAP configuration wizard (see “Configuring LDAP authentication” on page 249 for details.) Or if you have already configured LDAP, go to the Authentication management area of the Central Management Console and click the LDAP tab. In the LDAP Server Configuration Summary area, click the name of the LDAP host to open the page that enables you to add or delete hosts.Note: • The order in which the hosts are communicated with matters, so ensure

that you add the primary host first, followed by the remaining failover hosts.



• If you use failover LDAP hosts, you cannot use the highest level of SSL security (that is, you cannot select “Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server.”) For more information, see “Configuring LDAP authentication” on page 249.

Troubleshooting LDAP accounts

Creating a new LDAP user account• If you create a new LDAP user account, and the account does not belong

to a group account that is mapped to BusinessObjects Enterprise, either map the group to BusinessObjects Enterprise, or add the new LDAP user account to a group that is already mapped to BusinessObjects Enterprise. For more information, see “Configuring LDAP authentication” on page 249.

• If you create a new LDAP user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the user list. For more information, see “Viewing mapped LDAP users and groups” on page 258.

Creating a new LDAP group account• If you create a new LDAP group account, and the group account does not

belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see “Configuring LDAP authentication” on page 249.

• If you create a new LDAP group account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the group list. For more information, see “Viewing mapped LDAP users and groups” on page 258.

Disabling an LDAP user accountIf you disable an LDAP user account, and that LDAP user account is mapped to BusinessObjects Enterprise, the user will not be able to log on to BusinessObjects Enterprise. However, if the user also has an account that uses Enterprise authentication, the user can still access BusinessObjects Enterprise using that account.


Managing User Accounts and GroupsManaging AD accounts 12

Disabling an LDAP group accountIf you disable an LDAP group account, and that LDAP group account is mapped to BusinessObjects Enterprise, the users who belong to that group will not be able to log on to BusinessObjects Enterprise. However, if the user also has an account that uses Enterprise authentication, the user can still access BusinessObjects Enterprise using that account.

Managing AD accountsThis section provides an overview of AD authentication and the tasks related to managing it. For information on how AD authentication works in conjunction with BusinessObjects Enterprise, see “Windows AD security plug-in” on page 226.Once you have mapped your AD users and groups, all of the BusinessObjects Enterprise client tools support AD authentication, except for the Import Wizard. You can also create your own applications that support AD authentication. For more information, see the developer documentation available on your product CD.Note: • AD authentication only works for servers running on Windows systems.• AD authentication and aggregation is not functional without a network

connection.• Users cannot log on to BusinessObjects Enterprise using AD

authentication via the Java SDK.• AD authentication and aggregation may not continue to function if the

administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled).

Managing AD accounts includes the following tasks:• “Mapping AD accounts” on page 262• “Unmapping AD groups” on page 266• “Viewing mapped AD users and groups” on page 266• “Troubleshooting AD accounts” on page 267• “Setting up AD single sign-on” on page 268


Managing User Accounts and GroupsManaging AD accounts12
Mapping AD accounts
To simplify administration, BusinessObjects Enterprise supports AD authentication for user and group accounts. However, before users can use their AD user name and password to log on to BusinessObjects Enterprise, their AD user account needs to be mapped to BusinessObjects Enterprise. When you map an AD account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account.

To map AD users and groupsBefore starting this procedure, ensure that you have the appropriate AD domain and group information. As well, you must have created a domain user account on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups.1. Go to the Authentication management area of the CMC.2. Click the Windows AD tab.

3. Ensure that the Windows Active Directory Authentication is enabled check box is selected.

4. If you will be using single sign-on, select the Single Sign On is enabled check box.Note: If you select this option, you must also configure the IIS for single sign-on. For details, see “Setting up AD single sign-on” on page 268. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account.

5. In the “AD Administration Credentials” area, enter the name and password of the domain user account you’ve set up on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups.



Administration credentials can use one of the following formats:• NT name (DomainName\UserName)• UPN (user@DNS_domain_name)Administration credentials must be entered to enable AD authentication, map groups, check rights, and so on.

6. Complete the Default AD Domain field.Note: • Groups from the default domain can be mapped without specifying

the domain name prefix.• By entering the Default AD Domain name, users from the default

domain do not have to specify the AD domain name when they log on to BusinessObjects Enterprise via AD authentication.

7. In the “Mapped AD Member Groups” area, enter the AD domain\group in the Add AD Group (Domain\Group) field.Groups can be mapped using one of the following formats:• NT name (DomainName\GroupName)• DN (cn=GroupName, ......, dc=DomainName, dc=com)Note: If you want to map a local group, you can use only the NT name format (\\ServerName\GroupName). Windows AD does not support local users. This means that local users who belong to a mapped local group will not be mapped to BusinessObjects Enterprise. Therefore they will not be able to access BusinessObjects Enterprise.

8. Click Add.The group is added to the list.

9. New Alias Options allow you to specify how AD aliases are mapped to Enterprise accounts. Select either:• Assign each added AD alias to an account with the same name

Use this option when you know users have an existing Enterprise account with the same name; that is, AD aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and AD account, are added as new AD users.or

• Create a new account for every added AD aliasUse this option when you want to create a new account for each user.



10. Update Options allow you to specify if AD aliases are automatically created for all new users. Select either:• New aliases will be added and new users will be created

Use this option to automatically create a new alias for every AD user mapped to BusinessObjects Enterprise. New AD accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the “Create a new account for every added AD alias” option.or

• No new aliases will be added and new users will not be createdUse this option when the AD directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.Note: You can also add AD users individually by adding them as a new user in BusinessObjects Enterprise and selecting Windows AD authentication. For details, see “Creating a user and a third-party alias” on page 280.

11. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to AD accounts. Select either:• New users are created as named users

New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option.




12. Click Update.A message appears stating that it will take several seconds to update the member groups.

13. Click OK.

Unmapping AD groupsSimilar to mapping, it is possible to unmap groups using BusinessObjects Enterprise.

To unmap AD groups using BusinessObjects Enterprise1. Go to the Authentication management area of the CMC.2. Click the Windows AD tab.3. In the “Mapped AD Member Groups” area, select the AD group you

would like to remove.4. Click Delete.5. Click Update.

The users in the deleted group will no longer be able to access BusinessObjects Enterprise.Tip: To deny AD authentication for all users, clear the “Windows Active Directory Authentication is enabled” check box and click Update.Note: The only exceptions to this occur when a user has an alias other than the one assigned for AD authentication. To restrict access, disable or delete the user’s Enterprise account. For more information, see “Managing Enterprise and general accounts” on page 239.

Viewing mapped AD users and groups1. Go to the Groups management area of the CMC.2. Under Group Name, click the hyperlink to a Windows AD group 3. Click the Users tab.

Note: You can view the groups by clicking the Windows AD tab from the Authentication management area and then viewing the “Mapped AD Member Groups” area; users cannot be viewed from the Windows AD tab.



Troubleshooting AD accounts

Creating a new AD user account• If you create a new AD user account, and the account belongs to a group

account that is mapped to BusinessObjects Enterprise, ensure that you update the user list by clicking Update in the Windows AD tab found in the Authentication management area. Note that you must click Update to ensure that new users are imported properly. For information on viewing AD users and groups, see “Viewing mapped AD users and groups” on page 266.

• User accounts are automatically created for AD users who are added to an AD group when these users successfully log on to BusinessObjects Enterprise.

Adding an AD group account to a mapped AD group• When you add an AD group account to an AD group that was previously

mapped to BusinessObjects Enterprise, and you would like the users of this nested group to get imported into BusinessObjects Enterprise, you need to click Update in the Windows AD tab (found in the Authentication management area). Note: The nested AD group will not get mapped to BusinessObjects Enterprise by this operation.

• When you have added a new account in AD, and the AD group to which the account belongs is already mapped to BusinessObjects Enterprise, there are three ways you can get the new AD account into BusinessObjects Enterprise. Choose the method that works best for your situation:

• When the new AD user logs on to BusinessObjects Enterprise and selects AD authentication, the system will add the user to BusinessObjects Enterprise. This is the simplest method and it doesn’t require any extra steps, but the user won’t be added until he or she logs on to BusinessObjects Enterprise.

• You can add the new user to BusinessObjects Enterprise and select Windows AD authentication. The user is added and is automatically assigned a Windows AD alias. See “Creating a user and a third-party alias” on page 280.

• You can go to the Windows AD tab in the Authentication management area and select the option to add all new aliases and create all new users, and then click Update. In this case all AD users will be added to BusinessObjects Enterprise. For details, see “Mapping AD accounts” on



page 262. However, if the AD group contains many users who don’t require access to BusinessObjects Enterprise, you may want to add the user individually instead.

Setting up AD single sign-onInstallation of the Active Directory plug-in for BusinessObjects Enterprise enables you to use AD single sign-on. However, for AD single sign-on to work, you have to configure the IIS Business Objects virtual directory.Note: • AD single sign-on is not supported on client machines running on

Windows 98.• By default, AD single sign-on is not enabled.Setting up AD single sign-on to BusinessObjects Enterprise includes the following tasks:• “Configuring IIS for AD single sign-on” on page 268• “Enabling AD single sign-on in CMC” on page 269• “Modifying the web.config file for AD single sign-on” on page 269Note: For information on how to set up end-to-end single sign on with AD and Kerberos, see “Configuring Kerberos single sign-on” on page 285.

Configuring IIS for AD single sign-on To configure the IIS web server for AD single sign-on

1. Using the documentation included with your IIS server, change the access and authentication settings for the Enterprise virtual directory as follows:• Deselect the Anonymous access and Basic authentication check

boxes. • Ensure that Integrated Windows authentication check box is

selected.Note: You must also enable AD single sign-on in the CMC. For details, see “Enabling AD single sign-on in CMC” on page 269.

2. Modify the web.config file. See “Modifying the web.config file for AD single sign-on” on page 269.

3. Restart your IIS server.Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in “Setting up AD single sign-on” on page 268.


Enabling AD single sign-on in CMC To enable the Windows AD plug-in for single sign-on in CMC

1. Go to the Authentication management area of the CMC.2. Click the Windows AD tab.3. Select the Single sign-on is enabled check box.

Note: If you select this option, you must also configure the IIS for single sign-on. For details, see “Configuring IIS for AD single sign-on” on page 268. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account.

4. Click Update.Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in “Setting up AD single sign-on” on page 268.

Modifying the web.config file for AD single sign-onMake the following modifications to the web.config file to make sure Windows authentication is enabled.

To modify the web.config file for AD single sign-on1. Add the following lines to the <system.web> block in the C:\Program

Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\WebAdmin\Web.config file:• <identity impersonate="true" />• <Authentication mode="Windows" />

2. Add the following lines to the <system.web> block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\InfoView\Web.config file:• <identity impersonate="true" />• <Authentication mode="Windows" />

3. Comment out the following line in the <httpModules> block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise11\InfoView\Web.config file as shown:

Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in “Setting up AD single sign-on” on page 268.

Managing User Accounts and GroupsManaging NT accounts12
Managing NT accounts
This section provides an overview of NT authentication and the tasks related to managing it. For information on how NT authentication works in conjunction with BusinessObjects Enterprise, see “Windows NT security plug-in” on page 222.Note: • NT authentication only works for servers running on Windows systems. If

you install BusinessObjects Enterprise on a Windows NT, 2000, or 2003 machine, NT authentication is installed and enabled by default.

• NT accounts refer to Windows NT, 2000, or 2003 accounts.Managing NT accounts includes the following tasks:• “Mapping NT accounts” on page 270• “Unmapping NT groups” on page 274• “Viewing mapped NT users and groups” on page 275• “Troubleshooting NT accounts” on page 276• “Setting up NT single sign-on” on page 278

Mapping NT accountsTo simplify administration, BusinessObjects Enterprise supports user and group accounts that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account.You can map NT accounts to BusinessObjects Enterprise through Windows, by using the User Manager in Windows NT or Computer Management in Windows 2000, or through the CMC.Note: NT accounts refer to both Windows NT and 2000 accounts.

To map NT users and groups using Windows NT1. From the Windows Administrative Tools program group, click User

Manager.Note: Ensure that you have selected the domain that contains the BusinessObjects NT Users group.

2. Select the BusinessObjects NT Users group.


Managing User Accounts and GroupsManaging NT accounts 12

Note: The BusinessObjects NT Users group is created automatically in Windows NT when you install BusinessObjects Enterprise on Windows NT.

3. From the User menu, click Properties.4. Click Add.5. Select the group(s) and/or user(s); then click Add.6. Click OK to add the group(s) and/or user(s).7. Click OK to complete the process.

Tip: Users will now be able to log on to InfoView using their NT account if they use the following format:\\NTDomainName\NTusername orNTMachineName\LocalUserName

Users do not have to specify the NT Domain Name if it is specified in the “Default NT Domain” field on the Windows NT tab.

To map NT users and groups using Windows 20001. From the Windows Administrative Tools program group, click Computer

Management.2. Under System Tools, select Local Users and Groups.3. Click the Groups folder.4. Select the BusinessObjects NT Users and from the Action menu,

select Properties.5. Click Add.6. Select the group(s) and/or user(s); then click Add.7. Click OK to add the group(s) and/or user(s).8. Click OK or Apply (and then Close) to complete the process.

Tip: Users will now be able to log on to InfoView using their NT account if they use the following format:\\NTDomainName\NTusername orNTMachineName\LocalUserName

Users do not have to specify the NT Domain Name if it is specified in the “Default NT Domain” field on the Windows NT tab.

To map NT users and groups using BusinessObjects EnterpriseBefore starting this procedure, ensure you have the NT domain and group information.1. Go to the Authentication management area of the CMC.



2. Click the Windows NT tab.

3. Ensure that the NT Authentication is enabled check box is selected.4. If you will be using single sign-on, select the Single Sign On is enabled

check box.Note: If you select this option, you must also configure the IIS for single sign-on. For details, see “Setting up NT single sign-on” on page 278. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account.

5. To change the Default NT domain, click the domain name. Complete the Default NT Domain field.Note: By typing the default NT Domain Name, users do not have to specify the NT Domain Name when they log on to BusinessObjects Enterprise via NT authentication. Also, you don’t have to specify the NT domain name when you map groups.



6. In the Mapped NT Member Groups area, enter the NT domain\group in the Add NT Group (NT Domain\Group) field.Note: If you want to map a local NT group, you must type \\NTmachinename\groupname.

7. Click Add.The group is added to the list.

8. New Alias Options allow you to specify how NT aliases are mapped to Enterprise accounts. Select either:• Assign each added NT alias to an account with the same name

Use this option when you know users have an existing Enterprise account with the same name; that is, NT aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and NT account, are added as new NT users.or

• Create a new account for every added NT aliasUse this option when you want the system to create a new account for each user. The system ensures that the users are created with unique names. For example, if BusinessObjects Enterprise user bsmith already exists and an NT user with the same is added, the new user will be bsmith01.

9. Update Options allow you to specify if NT aliases are automatically created for all new users. Select either:• New aliases will be added and new users will be created

Use this option to automatically create a new alias for every NT user mapped to BusinessObjects Enterprise. New NT accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the “Create a new account for every added NT alias” option.or

• No new aliases will be added and new users will not be createdUse this option when the NT directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.



10. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to NT accounts. Select either:• New users are created as named users

New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option.


11. Click Update.A message appears stating that it will take several seconds to update the member groups.

12. Click OK.

Unmapping NT groupsSimilar to mapping, it is possible to unmap groups using the administrative tool in Windows NT/2000, or BusinessObjects Enterprise.

To unmap NT users and groups using Windows NT1. From the Administrative Tools program group, click User Manager.2. Select BusinessObjects NT Users.3. From the User menu, click Properties.4. Select the user(s) or group(s); then click Remove.5. Click OK.

The user or group will no longer be able to access BusinessObjects Enterprise.Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user’s Enterprise account. For more information, see “Managing Enterprise and general accounts” on page 239.



To unmap NT users and groups using Windows 20001. From the Administrative Tools program group, click Computer

Management.2. Under System Tools, select Local Users and Groups.3. Click the Groups folder.4. Select BusinessObjects NT Users.5. From the Action menu, click Properties.6. Select the user(s) or group(s); then click Remove.7. Click OK or Apply (and then Close) to complete the process.

The user or group will no longer be able to access BusinessObjects Enterprise.Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user’s Enterprise account. For more information, see “Managing Enterprise and general accounts” on page 239.

To unmap NT groups using BusinessObjects Enterprise1. Go to the Authentication management area of the CMC.2. Click the Windows NT tab.3. In the Mapped NT Member Groups area, select the NT group you would

like to remove.4. Click Delete.5. Click Update.

The users in this group will not be able to access BusinessObjects Enterprise.Tip: To deny NT Authentication for all groups, clear the “NT Authentication is enabled” check box and click Update.Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user’s Enterprise account. For more information, see “Managing Enterprise and general accounts” on page 239.

Viewing mapped NT users and groupsThere are two methods to view mapped users and groups in BusinessObjects Enterprise. The method you use depends on the way the groups and users have been mapped.



To view users and groups that have been added using Windows NT/2000 or BusinessObjects Enterprise1. Go to the Groups management area of the CMC.2. If you added users and groups through Windows NT/2000, then click

BusinessObjects NT Users.If you added users and groups through the CMC, then select the appropriate group.

3. Click the Users tab.4. Click OK to the message which states that accessing the user list may

take several seconds.5. Click Refresh.6. Click OK.

To view users and groups that have been added using BusinessObjects Enterprise1. Go to the Authentication management area of the CMC.2. Click the Windows NT tab.

The “Mapped NT Member Groups” area displays the groups that have been mapped to BusinessObjects Enterprise.Note: You can view the groups and users by selecting the appropriate group from the Groups management area and then clicking the Users tab.

Troubleshooting NT accounts

Creating a new NT user account• If you create a new NT user account, and the account does not belong to

a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see “Mapping NT accounts” on page 270.

• If you create a new NT user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the user list. For more information, see “Viewing mapped NT users and groups” on page 275.



Adding an NT account to a mapped NT groupWhen you have added a new account in NT, and the NT group to which the account belongs is already mapped to BusinessObjects Enterprise, there are three ways you can get the new NT account into BusinessObjects Enterprise. Choose the method that works best for your situation:• When the new NT user logs on to BusinessObjects Enterprise and

selects NT authentication, the system will add the user to BusinessObjects Enterprise. This is the simplest method and it doesn’t require any extra steps, but the user won’t be added until he or she logs on to BusinessObjects Enterprise.

• You can add the new user to BusinessObjects Enterprise and select Windows NT authentication. The user is added and is automatically assigned a Windows NT alias. See “Creating a user and a third-party alias” on page 280.

• You can go to the Windows NT tab in the Authentication management area and select the option to add all new aliases and create all new users, and then click Update. In this case all NT users will be added to BusinessObjects Enterprise. For details, see “Mapping NT accounts” on page 270. However, if the NT group contains many users who don’t require access to BusinessObjects Enterprise, you may want to add the user individually instead.

Creating a new NT group account• If you create a new NT group account, and the group account does not

belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see “Mapping NT accounts” on page 270.

• If you create a new NT group account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the group list. For more information, see “Viewing mapped NT users and groups” on page 275.

Disabling an NT user account• If you disable an NT user account (using Windows Administrative Tools),

the user will not be able to log on to BusinessObjects Enterprise using the mapped NT account. However, if the user also has an account that uses Enterprise authentication, the user can still access BusinessObjects Enterprise using that account.


Setting up NT single sign-on
You can configure BusinessObjects Enterprise to allow users to use various BusinessObjects Enterprise applications without being prompted to log on. Users need only to enter their NT user name and password information once at the beginning of the NT session. For instance, if you have set up NT single sign-on, when you launch the CMC, NT authentication occurs in the background. You are not required to enter any additional information.Note: This feature is available if you are using a Microsoft Internet Information Server (IIS) web server and users are using Internet Explorer as their web browser. See the Platforms.txt file included with your product distribution for a complete list of version requirements.BusinessObjects Enterprise provides its own form of “anonymous single sign-on,” which uses Enterprise authentication, as opposed to Windows NT authentication. Design your own web applications accordingly (or modify InfoView) if you want to use NT single sign-on. When a user launches InfoView, he or she can log on using the Guest account (Enterprise authentication). You can disable this feature—for more information, see “Disabling the Guest account” on page 247. However, even when you disable the Guest account, BusinessObjects Enterprise is designed to display a logon page. With single sign-on enabled, the user can select Windows NT from the Authentication list and click Log On without entering his or her user name or password. In the developer documentation, refer to the tutorial for an example on creating a web application that uses single sign-on.Setting up NT single sign-on to BusinessObjects Enterprise includes the following tasks:• “Configuring IIS for NT single sign-on” on page 278• “Enabling NT single sign-on in CMC” on page 279• “Modifying the web.config file for NT single sign-on” on page 279Note: BusinessObjects Enterprise does not support the Kerberos protocol for Windows NT. For information on how to set up end-to-end single sign on with AD and Kerberos, see “Configuring Kerberos single sign-on” on page 285.

Configuring IIS for NT single sign-on To configure the IIS web server for NT single sign-on

1. Using the documentation included with your IIS server, change the access and authentication settings for the Enterprise virtual directory as follows:• Deselect the Anonymous access and Basic authentication check

boxes. • Ensure that the Integrated Windows authentication check box is

selected.



2. Modify the web.config file. See “Modifying the web.config file for NT single sign-on” on page 279.

3. Restart your IIS server.Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in “Setting up NT single sign-on” on page 278.

Enabling NT single sign-on in CMC To enable the Windows NT plug-in for single sign-on in CMC

1. Go to the Authentication management area of the CMC.2. Click the Windows NT tab.3. Select the Single Sign On is enabled check box.

Note: If you select this option, you must also configure the IIS for single sign-on. For details, see “Configuring IIS for NT single sign-on” on page 278. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because when users access one of the web applications they would automatically have the same access privileges as the IIS machine account.

4. Click Update.Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in “Setting up NT single sign-on” on page 278.

Modifying the web.config file for NT single sign-onMake the following modifications to the web.config file to make sure Windows authentication is enabled.

To modify the web.config file for NT single sign-on1. Add the following lines to the <system.web> block in the C:\Program




Managing User Accounts and GroupsManaging aliases12

3. Comment out the following line in the <httpModules> block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise 11\InfoView\Web.config file as shown:

Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in “Setting up NT single sign-on” on page 278.

Managing aliasesIf a user has multiple accounts in BusinessObjects Enterprise, you can link the accounts using the assign alias feature. This is useful when a user has a third-party account that is mapped to Enterprise and an Enterprise account.By assigning an alias to the user, the user can log on using either a third-party user name and password or an Enterprise user name and password. Thus, an alias enables a user to log on via more than one authentication type.You can also reassign an alias in BusinessObjects Enterprise. For example, after you map your third-party accounts to BusinessObjects Enterprise, you can use the Reassign Alias feature to reassign an alias to a different a user.In CMC, the alias information is displayed at the bottom of the properties page for a user. A user can have any combination of BusinessObjects Enterprise, LDAP, AD, or NT aliases.Managing aliases includes:• “Creating a user and a third-party alias” on page 280• “Creating an alias for an existing user” on page 282• “Assigning an alias” on page 282• “Reassigning an alias” on page 283• “Deleting an alias” on page 283• “Disabling an aliases” on page 284

Creating a user and a third-party aliasWhen you create a user and select an authentication type other than Enterprise, the system creates the new user in BusinessObjects Enterprise and creates a third-party alias for the user.

Managing User Accounts and GroupsManaging aliases 12

Note: For the system to create the third-party alias, the following criteria must be met:• The authentication tool needs to have been enabled in CMC.• The format of the account name must agree with the format required for

the authentication type.• The user account must exist in the third-party authentication tool, and it

must belong to a group that is already mapped to BusinessObjects Enterprise.

To create a user and add a third-party alias1. Go to the Users management area of the CMC.2. Click New User.

The New User Properties page appears.3. Select the authentication type for the user, for example, Windows NT.

The New User Properties page appears.

4. Type in the third-party account name for the user, for example, bsmith.5. Select the connection type for the user.6. Click OK.

The user is added to BusinessObjects Enterprise and is assigned an alias for the authentication type you selected, for example, secWindowsNT:ENTERPRISE:bsmith. If required, you can add, assign, and reassign aliases to user.


Creating an alias for an existing user
You can create aliases for existing BusinessObjects Enterprise users. The alias can be an Enterprise alias, or an alias for a third-party authentication tool.Note: For the system to create the third-party alias, the following criteria must be met:• The authentication tool needs to have been enabled in CMC.• The format of the account name must agree with the format required for

the authentication type.• The user account must exist in the third-party authentication tool, and it

must belong to a group that is mapped to BusinessObjects Enterprise.

To create a new alias for a user1. Go to the Users management area of the CMC.2. Click the link for the user that you want to add an alias to.3. Click New Alias.

The New Alias page appears.4. Select the authentication type for the user, for example, Windows NT.5. Type in the account name for the user.6. Click OK.

An alias is created for the user. When you view the user in CMC, at least two aliases are shown, the one that was already assigned to the user and the one you just created.

Assigning an aliasWhen you assign an alias to a user, you move a third-party alias from another user to the user you are currently viewing. You cannot assign or reassign Enterprise aliases.Note: If a user has only one alias and you assign that last alias to another user, the system will delete the user account, and the Favorites folder, personal categories, and inbox for that account.

To assign an alias from another user1. Go to the Users management area of the CMC.2. Click the link for the user you want to assign an alias to.3. Click Assign Alias.

The Assign Alias page appears.


Managing User Accounts and GroupsManaging aliases 12

4. Select the alias you want in the list of available aliases.5. Click the > arrow.

Tip: • To select multiple aliases, use the SHIFT+click or CTRL+click

combination.• To search for a specific alias, use the Look For field.

6. Click OK.

Reassigning an aliasWhen you reassign an alias, you move a third-party alias from the user that you are currently viewing to another user. You cannot assign or reassign Enterprise aliases.Note: If a user has only one alias and you reassign that alias to another user, the system will delete the user account, and the Favorites folder, personal categories, and inbox for that account.

To reassign an alias to another user1. Go to the Users management area of the CMC.2. Click the link for the user whose alias you want to reassign, for example,

bsmith.3. Click the Reassign Alias button for the alias.

The Reassign Alias page appears.4. In the list, click the name of the user that you want to assign the alias to,

for example, jbrown.5. Click OK.

The alias for bsmith has now been assigned to the user jbrown, and the Properties page for user jbrown is displayed. The user jbrown can now log on using the third-party user account and authentication method. The user bsmith can no longer use this alias.

Deleting an aliasWhen you delete an alias, the alias is removed from the system. If a user has only one alias and you delete that alias, the system automatically deletes the user account and the Favorites folder, personal categories, and inbox for that account.



To delete an alias1. Go to the Users management area of the CMC.2. Click the link for the user whose alias you want to delete.3. Click the Delete Alias button for the alias.

The alias is deleted from the system. Note: Deleting a user’s alias does not necessarily prevent the user from being able to log on to BusinessObjects Enterprise again. If the user account still exists in the third-party system, and if the account belongs to a group that is mapped to BusinessObjects Enterprise, then BusinessObjects Enterprise will still allow the user to log on. Whether the system creates a new user or assigns the alias to an existing user, depends on which Update Options you have selected for the authentication tool in the Authentication management area of CMC.

Disabling an aliasesYou can prevent a user from logging on to BusinessObjects Enterprise using a particular authentication method by disabling the user’s alias associated with that method. To prevent a user from accessing BusinessObjects Enterprise altogether, disable all aliases for that user.Note: Deleting a user from BusinessObjects Enterprise does not necessarily prevent the user from being able to log on to BusinessObjects Enterprise again. If the user account still exists in the third-party system, and if the account belongs to a group that is mapped to BusinessObjects Enterprise, then BusinessObjects Enterprise will still allow the user to log on. To ensure a user can no longer use one of his or her aliases to log on to BusinessObjects Enterprise, it is best to disable the alias. See also “Deleting an alias” on page 283.

To disable an alias1. Go to the Users management area of the CMC.2. Click the name of the user whose alias you want to disable.3. In the Alias area on the Properties page, clear the Enabled check box for

the alias you want disable.Repeat this step for each alias you want to disable.

4. Click Update.The user can no longer log on using the type of authentication that you just disabled.


Managing User Accounts and GroupsConfiguring Kerberos single sign-on 12

Configuring Kerberos single sign-onThis section tells you how to set up end-to-end single sign-on to your BusinessObjects Enterprise system and its back-end databases by using Kerberos and Windows AD authentication.For general information about the levels of single sign-on that are supported in BusinessObjects Enterprise, see “About single sign-on” on page 218.BusinessObjects Enterprise currently supports single sign-on to the database with Windows AD using Kerberos for the Windows platform only. It requires a Microsoft Internet Information Services (IIS) web server and users require Internet Explorer (IE) as their web browser. See the Platforms.txt file included with your product distribution for a complete list of version requirements.

Configuration process overviewConfiguring end-to-end single sign-on using Kerberos includes the following main steps:1. “Setting up a service account” on page 285

Note: The order in which you complete these steps is not important. However, before you can proceed you must have set up the service account.

2. “Configuring the servers” on page 2863. “Configuring the Windows AD plug-in for Kerberos authentication” on

page 2874. “Configuring the IIS and browsers” on page 2895. “Configuring IIS for end-to-end single sign-on” on page 2916. “Configuring BusinessObjects Enterprise web applications” on page 2987. “Configuring the databases for single sign-on” on page 299

Setting up a service accountTo configure BusinessObjects Enterprise for end-to-end single sign-on using Kerberos and Windows AD authentication, you require a service account. This must be a domain account that has been trusted for delegation. You can either create a new domain account or use an existing domain account. The service account will be used to run the BusinessObjects Enterprise servers. Note: Instead of a service account, you could use a user or computer domain account. However, it is recommended you use a service account.


Managing User Accounts and GroupsConfiguring Kerberos single sign-on12

To set up the service accountOn the domain controller, set up the domain service account. For detailed instructions, refer to http://msdn.microsoft.com.Note: The procedure for setting up a domain service account varies, depending on whether you are using Windows 2000 or Windows 2003:• In Windows 2000, ensure that the Account is trusted for delegation

option has been selected for the account.• In Windows 2003, ensure that the following two options have been

selected for the account:• Trust this user for delegation to specified service only• Use Kerberos onlyIf you are using Windows 2003, you may have to first add a service principal name (SPN) for the domain account.

Configuring the serversConfiguring the BusinessObjects Enterprise servers includes:• “Configuring the server machines” on page 286• “Configuring the servers to use the service account” on page 287

Configuring the server machinesIn order to support end-to-end single sign-on, you must grant the service account the right to act as part of the operating system. This must be done on each machine running the following servers:• CMS• Page Server• Report Application Server• Web Intelligence Report Server

To configure the server machinesNote: To complete this procedure, you require a service account that has been trusted for delegation. See “Setting up a service account” on page 285.1. Click Start > Administrative Tools > Local Security Policy.2. Click Local Policies, then click User Rights Assignment.3. Double-click Act as part of the operating system.4. Click Add.5. Double-click the service account, and then click OK.



6. Ensure that the Local Policy Setting check box is selected, and then click OK.

7. Repeat the above steps on each machine running a BusinessObjects Enterprise server.For detailed instructions, see “Controlling users’ access to objects” on page 303.

Configuring the servers to use the service accountIn order to support Kerberos single sign-on, you must use CCM and configure the following servers to log on as the service account:• CMS server• Page Server• Report Application Server• Web Intelligence Report Server

To configure a serverNote: To complete this procedure, you require a service account that has been trusted for delegation. See “Setting up a service account” on page 285.1. Start the CCM.2. Stop the server you want to configure, for example, the CMS server.3. Double-click the server you want to configure. The Properties dialog box

is displayed.4. On the Properties tab:

a. In the Log On As area, deselect the System Account check box.b. Enter the user name and password for the service account.c. Click Apply, and then click OK.

5. Start the server again.6. Repeat steps 2 through 5 for each BusinessObjects server that has to be

configured.

Configuring the Windows AD plug-in for Kerberos authentication

In order to support Kerberos single sign-on, you have to configure the Windows AD security plug-in in the CMC to use Kerberos authentication. This includes:• Ensuring Windows AD authentication is enabled.



• Setting up an AD Administrator account. This account requires read access to Active Directory only; it does not require any other rights.

• Enabling Kerberos single sign-on and setting the service principal name (SPN) to use a service account.

To configure the Windows AD security plug-in1. Go to the Authentication management area of the CMC.2. Click the Windows AD tab.3. Ensure that the Windows Active Directory Authentication is enabled

check box is selected.4. Select the Single sign-on is enabled check box.

Note: For related information about configuring the Windows AD plug-in, see “Managing AD accounts” on page 261.

5. Set up the AD administrator account:a. Click AD Administrator Name.b. Enter the name and password for the account and the default AD

Domain.Note: The AD Administrator account requires read access to Active Directory only; it does not require any other rights.

c. Click Update.6. In the “Mapped AD Member Group” area, map the AD group for the AD

users who require access to BusinessObjects Enterprise via AD authentication and single sign-on. See “Mapping AD accounts” on page 262.

7. Under Authentication Options select the following:• Select the Use Kerberos authentication check box.• Select the Cache Security context (required for SSO to database)

check box.• In the Service Principal Name box, enter the service principal name

of the service account.Note: This must be the same account that you use to run the BusinessObjects Enterprise servers. See “Setting up a service account” on page 285.

8. Click Update.



Configuring the cache expiryWhen the system is using AD and Kerberos single sign-on, it uses the cache expiry for certain BusinessObjects Enterprise servers to determine whether a logon ticket is still valid. This applies to the CMS, Page Server, Report Application Server, and Web Intelligence Report Server.The CMS uses the cache expiry as follows:• If the CMS cache expiry is greater than that of the ticket, the system

renews the ticket until the CMS cache expiry is reached.• If the CMS cache expiry is less than that of the ticket, the ticket will expire

when the CMS cache expiry is reached.• If the CMS cache expiry is zero, the system will use the globally set ticket

expiry.The other servers use either their cache expiry or the ticket expiry, whichever has the lowest value. Regardless of whether the cache expiry for the server is greater or less than that of the ticket, the ticket will expire when the lowest expiry value is reached.The system comes configured with default values for the server cache expiry. Use the following procedure to change these settings when needed.Note: If you are running multiple instances of a server, you can control the cache expiry for each instance individually.

To configure the servers in CMC1. Go to the Servers management area of the CMC.2. Click the link for the server.3. Click the Single Sign-On tab.4. Type in a new cache expiry value.5. Click Update.

Configuring the IIS and browsersIn order to support Kerberos end-to-end single sign-on, you have to configure the BusinessObjects Enterprise clients. This includes:• “Configuring the BusinessObjects Enterprise clients on the IIS” on

page 290• “Configuring the Internet Explorer browser on a client machine” on

page 290


Configuring the BusinessObjects Enterprise clients on the IIS
To support Kerberos single sign-on, you have to configure the BusinessObjects clients on the IIS to use integrated Windows authentication.

To configure the clients for Windows authentication1. On the IIS, in the Internet Information Services window, expand the tree

on the left and go to businessobjects under Default Web Site.2. Right-click businessobjects and select Properties.3. On the Directory Security tab, click Edit.4. Turn off Anonymous Access.5. Turn on Integrated Windows Authentication.6. Click OK, and then click OK again.7. Repeat the above for crystalreportviewer.

Configuring the Internet Explorer browser on a client machineTo support Kerberos end-to-end single sign-on, you have to configure the Internet Explorer (IE) browser on the BusinessObjects Enterprise client machines. This includes:• Setting up the client machines for integrated Windows authentication.• Adding the IIS to the trusted sites.Note: If configuring the IIS for single sign-on to the database only, you do not need to configure the browser for single sign-on. See also “Configuring IIS for single sign-on to databases only” on page 295.Note: You can automate the following steps through a registry key. For details, refer to you Windows documentation.

To configure the IE browser on the client machines1. On the client machine, open an Internet Explorer browser window.2. Enable integrated windows authentication:

a. Click Tools > Internet Options. The Internet Options dialog box appears.

b. Click the Advanced tab.c. Navigate to the Security settings.d. Click the Enable integrated windows authentication option, and

then click Apply.



3. Add the IIS to the Trusted sites. You can enter the full domain name of the site:a. Click Tools > Internet Options. The Internet Options dialog box

appears.b. Click the Security tab.c. Click Sites.d. Click Advanced.e. Type in the web site for the IIS, and then click Add.f. Click OK, and then click OK twice more to close the Internet Options

dialog box.4. Close the Internet Explorer browser windows and then open them again

for the changes to take effect.5. Repeat the above steps on each BusinessObjects Enterprise client

machine.

Configuring IIS for end-to-end single sign-onTo support Kerberos end-to-end single sign-on, the worker processes of the IIS have to run under a domain account that is trusted for delegation. Refer to either of the following procedures, depending on whether you are using IIS5 or IIS6:• “Configuring IIS5 for Kerberos end-to-end single sign-on” on page 291• “Configuring IIS6 for Kerberos end-to-end single sign-on” on page 293Note: Instead of configuring the IIS worker processes for end-to-end single sign-on you can configure them to use single sign-on to the database only. You may want to do this, for example, if you don’t want to run the IIS worker processes under an account that has been trusted for delegation. For more information, see:• “Configuring IIS for single sign-on to databases only” on page 295• “Configuring web applications for single sign-on to the databases” on

page 299.

Configuring IIS5 for Kerberos end-to-end single sign-onTo support Kerberos end-to-end single sign-on, you have to set the IIS and the Aspnet_wp.exe worker process to run as a domain account that has been trusted for delegation.



You can run the IIS either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:• If you use a machine domain account, the password will be automatically

generated and won’t expire, nor can it be exposed or modified. • If you use a user domain account you have more control over the rights

for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition.

Which approach you use, depends on how you want to manage your system security.For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com.Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:• “To run the IIS5 worker process under the machine domain account” on

page 292• “To run the IIS5 worker process under a user domain account” on

page 293

To run the IIS5 worker process under the machine domain account1. On the domain controller, set the domain account of the IIS machine to

be trusted for delegation.Changing this property can take several minutes to propagate.

2. Set the Aspnet_wp.exe to run as a machine domain account. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:• userName="SYSTEM"• Password="AutoGenerate"

In the above path name, version represents the software version.Note: Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts.Note: For security reasons, make sure that the account which the IIS helper processes run under does not belong to a mapped group.

3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:setspn -A HTTP/serverhost.domainname.com serverhost

For example, if access is via www.domainname.com but the machine name is web.domainname.com.



To run the IIS5 worker process under a user domain account1. Set the Aspnet_wp.exe to run as a user domain account that has been

trusted for delegation. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:• userName="domainaccount"

• Password="password"

Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account.In the above path name, version represents the software version.Note: For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group.



Configuring IIS6 for Kerberos end-to-end single sign-onTo support Kerberos for end-to-end single sign-on, you have to set the IIS and w3wp.exe worker process to run as an account that has been trusted for delegation. You can run the IIS either under the machine domain account or under user domain account. Each approach has advantages and disadvantages:• If you use a machine domain account, the password will be automatically



Which approach you use, depends on how you want to manage your system security.For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com.Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:



• “To run the IIS6 worker process under the machine domain account” on page 294

• “To run the IIS6 worker process under a user domain account” on page 295

To run the IIS6 worker process under the machine domain account1. On the domain controller, set account of the IIS machine to be trusted for

delegation.Changing this property can take several minutes to propagate! If you don’t want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also “Configuring IIS for single sign-on to databases only” on page 295.

2. Configure the account for the w3wp.exe worker process:a. In the Internet Service Manager window, right-click the machine

name and select Application Pool > New.b. Type in a name for the application pool.c. In the tree panel on the left, expand machine name > Web Site >

Default Web Site > businessobjects > EnterpriseXX.d. Right-click InfoView and select Properties.e. On the Directory tab select the new application pool name from the

list, and then click Apply.f. Right-click the application pool you created, and select

Properties.g. On the Identity tab select LocalSystem from the list, and then click

Apply.Note: Configuring the w3wp.exe account to run as a LocalSystem account will cause all ASP.NET web applications on the web server to run as privileged system accounts.Note: For security reasons, make sure that the account which the IIS worked processes run under does not belong to a mapped group.





To run the IIS6 worker process under a user domain account1. Set the w3wp.exe to run as a user domain account that has been trusted

for delegation. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:• userName="domainaccount"

• Password="password"

In the above path name, version represents the software version.Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account.Note: If you don’t want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also “Configuring IIS for single sign-on to databases only” on page 295. For security reasons, make sure that the account which the IIS worker processes run under does not belong to a mapped group.

2. Add the domain account to the IIS_WPG local group, and give it the relevant rights to access the needed files. For more information, see http://msdn.Microsoft.com.



Configuring IIS for single sign-on to databases onlyWhen using Kerberos with Windows AD, you can choose whether you want to provide end-to-end single sign-on, or whether you want users to provide their logon credentials when they log in to BusinessObjects Enterprise. When users log on to BusinessObjects Enterprise, the system generates a logon token to provide single sign-on access to the databases.

To use single sign-on to the databases only 1. Configure the IIS worker processes to run as a domain account in order

for the network to recognize their accounts, but the account does not have to be trusted for delegation. Refer to either of the following procedures, depending on whether you are using IIS5 or IIS6:• “Configuring IIS5 for single sign-on to database only” on page 296• “Configuring IIS6 for single sign-on to database only” on page 297



2. Configure the web applications for single sign-on to the database instead of end-to-end single sign-on. See “Configuring web applications for single sign-on to the databases” on page 299.Note: If configuring the IIS for single sign-on to the database only, you do not need to configure the browser for single sign-on. See “Configuring the Internet Explorer browser on a client machine” on page 290.

3. Clear the Single Sign On is enabled check box on the Windows AD page in the Authentication management area in CMC.

Configuring IIS5 for single sign-on to database onlyTo support single sign-on to the database only, you have to set the Aspnet_wp.exe worker process to run as a domain account, but the account does not have to be trusted for delegation. You can run the IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:• If you use a machine domain account, the password will be automatically



Which approach you use, depends on how you want to manage your system security.For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com.

To configure the IIS5 for single sign-on to databases only1. Make sure IIS is running as a domain account2. Set the Aspnet_wp.exe to run as a machine domain account. To do this,

change the following parameters to the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:• userName="SYSTEM"• Password:="AutoGenerate"

In the above path name, version represents the software version.Note: • Configuring the Aspnet_wp.exe account to run as a machine

domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts.

• For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.





Configuring IIS6 for single sign-on to database onlyTo support single sign-on to the database only, you have to set the w3wp.exe worker process to run as a machine or user domain account, but the account does not have to be trusted for delegation. You can run the IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:• If you use a machine domain account, the password will be automatically



Which approach you use, depends on how you want to manage your system security.For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: www.microsoft.com.

To configure the IIS6 for single sign-on to databases only1. Make sure IIS is running as a domain account.2. Configure the account for the w3wp.exe worker process:

a. In the Internet Service Manager window, right-click the machine name and select Application Pool > New.

b. Type in a name for the application pool.c. In the tree panel on the left, expand machine name > Web Site >

Default Web Site > businessobjects > EnterpriseXX.d. Right-click InfoView and select Properties.e. On the Directory tab select the new application pool name from the

list, and then click Apply.f. Right-click the application pool you created, and select Properties.g. On the Identity tab select LocalSystem from the list, and then click

Apply.Note: • Configuring the w3wp.exe account to run as a machine domain

account will cause all ASP.NET web applications on the web server to run as privileged system accounts.


• For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.



Configuring BusinessObjects Enterprise web applicationsIn order for the end-to-end single sign on to work, you have to configure the BusinessObjects Enterprise web applications to impersonate the user. See “Configuring web applications for end-to-end single sign-on” on page 298.Note: If you want to use single sign-on to the databases instead of end-to-end single sign-on, you have to set the BusinessObjects Enterprise web applications to not impersonate a user. See “Configuring web applications for single sign-on to the databases” on page 299.

Configuring web applications for end-to-end single sign-onIn order to use up end-to-end single sign-on, you have to set both the CMC and InfoView web applications to impersonate the user. To do this, edit the respective Web.config files on the IIS as follows.

To configure the web applications for full single sign-on1. Add the following lines to the <system.web> block in the C:\Program



3. Enable Windows authentication by commenting out the following line in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Web Content\Enterprise 11\InfoView\Web.config as shown:


Configuring web applications for single sign-on to the databasesIf you want to use single sign-on to the databases instead of end-to-end single sign-on, you have to set BusinessObjects Enterprise web applications to not impersonate the user. To do this, edit their Web.config files on the IIS as follows.Note: If you want to use single sign-on to the database only, see also “Configuring IIS for single sign-on to databases only” on page 295.

To configure the web applications for single sign-on to the databases1. Set the CMC to not impersonate the user by adding the following lines to

the <system.web> block in the Web Content\Enterprise 11\WebAdmin\Web.config file:• <identity impersonate="false" />• <Authentication mode="Windows" />

2. Set InfoView to not impersonate the users, by adding the following lines to the <system.web> block in the Web Content\Enterprise 11\InfoView\Web.config file:• <identity impersonate="false" />• <Authentication mode="Windows" />

Note: Make sure you set identity impersonate to false.Users will now be able to log on to BusinessObjects Enterprise by providing their logon credentials in the InfoView or CMC logon dialog box and selecting Windows AD authentication. Once they are logged on, the users will have single sign-on access to the databases associated with BusinessObjects Enterprise.

Mapping AD accounts for Kerberos single sign-onIn order for the Kerberos single sign-on to work, you must map the groups containing the AD users that are to have access to BusinessObjects Enterprise to a BusinessObjects Enterprise group. See “Mapping AD accounts” on page 262.Note: For security reasons, ensure that the mapped groups do not contain the domain account that the IIS is running under.

Configuring the databases for single sign-onThis section provides information that is specific to setting up single sign-on to SQL Server databases.See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. For general information and for information about single sign-on to other supported databases, refer to the database vendors support documentation.


Configuring SQL Server for single sign-on
In order for Kerberos single sign-on to work, the machines running SQL Server database must be trusted for delegation. How to set up security delegation varies, depending on whether SQL Server has been configured to run under the LocalSystem account or under a service account:• If SQL Server is running under the LocalSystem account, no additional

configuration is required. SQL Server registers itself when it starts and the system registers the SPN. When SQL Server shuts down, the system automatically un-registers the SPNs for the LocalSystem account.

• If SQL Server is running under a service account, you have to configure to be trusted for delegation.

To run SQL Server under a service account1. In Active Directory, set up the SQL Server service account for security

delegation:a. Select Start > Programs > Administrative Tools > Active

Directory Users and Computers.b. Right-click the domain account and select Properties.c. On the Accounts tab, make sure the following options are selected:

• In Windows 2000, ensure that the Account is trusted for delegation option has been selected for the account.

• In Windows 2003, ensure that the following two options have been selected for the account: Trust this user for delegation to specified service only and Use Kerberos only.

If you are using Windows 2003, you may have to first add a service principal name (SPN) for the domain account.

2. Set the machine running SQL Server as follows:• Computer is trusted for delegationa. Click Apply, and then click OK.

3. Add an SPN for the service account of the SQL Server:setspn -A MSSQLSvc/host:port serviceaccount

Where host:port is the name of the machine running SQL Server and the port that, and serviceaccount is the name of the SQL Server service account.


Controlling User Access

chapter

Controlling User AccessControlling user access overview13
Controlling user access overview
Rights are the base units for controlling users’ access to objects, users, applications, servers, and other features in BusinessObjects Enterprise. When granted, each right provides a user or group with permission to perform a particular action. Using rights, you can set security levels that affect individual users and groups. Rights allow you to control access to your BusinessObjects Enterprise content, to delegate user and group management to different departments, and to provide your IT people with administrative access to servers and server groups.To set rights within the Central Management Console (CMC), you first locate the object, user, or server and then you specify the rights for different users and groups. Each right can be Explicitly Granted, Explicitly Denied, or Inherited. The BusinessObjects Enterprise security model is designed such that, if a right is left “not specified,” the right is denied by default. Additionally, if contradictory settings result in a right being both granted and denied to a user or group, the right is denied by default. This “denial based” design assists in ensuring that users and groups do not automatically acquire rights that are not explicitly granted.To facilitate administration and maintenance, BusinessObjects Enterprise includes a set of predefined access levels that allow you to set common security levels quickly. Each access level grants a set of rights that combine to allow users to accomplish common tasks (such as view reports, schedule reports, and so on). It is recommended that you use the predefined access levels whenever possible, because they can greatly reduce the complexity of your object security model. For more information, see “Setting common access levels” on page 306.Whether or not you use access levels, you can also take advantage of the inheritance patterns recognized by BusinessObjects Enterprise: users can inherit rights as the result of group membership; subgroups can inherit rights from parent groups; and both users and groups can inherit rights from parent folders. When you need to disable inheritance or to customize security levels for particular objects, users, or groups, the Advanced Rights pages allow you to choose from the complete set of available object rights. Most importantly, the advanced object rights allow you to explicitly deny any user or group the right to perform a particular task.Users require specific licensing and rights to create or modify reports through the Report Application Server (RAS). For details, see “Object rights for the Report Application Server” on page 552.


Controlling User AccessControlling users’ access to objects 13

Controlling users’ access to objectsTo secure the content that you publish to BusinessObjects Enterprise, you can set rights for each object. By setting object rights, you can control users’ access to specific content. For each object, you can grant or deny access to users and groups in your system. For example, you can use rights to make sure that you are the only one who can access your reports. You can ensure that confidential employee records can be accessed only by the human resources department.You can set rights for folders, report objects, program objects, and other BusinessObjects Enterprise objects. Tip: For detailed tutorials that walk you through sample implementations of object rights, see “Customizing a ‘top-down’ inheritance model” on page 317.

Setting object rights for users and groupsObject rights enable you to set access levels for your users and groups. You control which folders, reports, and other objects users and groups can access using BusinessObjects Enterprise. You set security settings at the object level. For objects that can be scheduled, the security settings are also reflected in the object instances object.To facilitate administration, BusinessObjects Enterprise includes a set of predefined rights (“access modes”) that allow you to set common security levels quickly. These include the following:• Inherited Rights• No Access• View• Schedule• View On Demand• Full Control• AdvancedIn addition to setting user and group rights for report objects from the Objects management area, you can also set user and group rights at the folder level. When you set rights at the folder level, these limits will be in effect for all objects that inherit rights from the folder (including any objects found within the subfolders). For detailed information on the different “access modes” for object rights and information on inherited rights, see “Controlling users’ access to objects” on page 303.


Controlling User AccessControlling users’ access to objects13

To add groups or users to an object’s rights settings1. In the Objects management area of the CMC, select an object by clicking

its link.2. Click the Rights tab.

The Rights tab appears.3. Click Add/Remove.

4. Select an option in the Select Operation list.5. Select the group(s) or user(s) you would like to add or remove.6. Click the > arrow to add the group(s) or user(s); click the < arrow to

remove the group(s) or user(s).7. Click OK.

To change a group or user’s report rights1. In the Objects management area of the CMC, select an object by clicking

its link.2. Click the Rights tab.

The Rights tab appears.



3. Change the access level for a group or user by selecting a right from the appropriate list in the Access Level column; then click Update.If you select Advanced from the list, you grant or deny granular rights from the Advanced Rights page. For more information, see “Setting advanced object rights” on page 308.

Viewing object rights settingsUse the CMC to view the object rights that a user or group has to any folder, report, or other BusinessObjects Enterprise object. This section shows how to locate the rights for any object and briefly explains the information displayed on the Rights tab.You can locate any given object in several ways. Go to the Folders management area in the CMC to browse your folder hierarchy for an object, or go to the Objects management area in the CMC to view a list of all the objects on the system.Click the link that corresponds to the folder or other object whose rights you want to see, then click the object’s Rights tab. A page similar to the following appears:

This example shows the rights for the Report Samples folder. The Name column lists all users and groups who have been given rights to the object. The Object column shows whether the entry is a User or a Group. In this case, users have not been specified individually; instead, users have been divided into two groups—Everyone and Administrators—which have been granted rights to the folder object. Click Add/Remove to add or remove a user or group to this object.The Access Level column shows how each user’s or group’s rights are determined. In this example, both groups possess Inherited Rights. You can change the rights for either group by selecting a predefined access level (or by selecting Advanced) from the list in the Access Level column. When you change an entry in the Access Level column, click Update to effect your changes. For more information, see “Setting common access levels” on page 306.The Net Access column displays the net effect of whatever is selected in the Access Level column. That is, the Net Access column shows the effective rights that each user or group has to the object. The Net Access column is



particularly useful when you are working with inheritance. In this example, the Everyone group inherits rights from a parent folder—one that is not displayed on this screen. The Net Access column shows that the rights inherited from the parent folder are equivalent to the Schedule access level.Tip: If you want to view the individual object rights that make up a user’s (or group’s) Net Access, click the corresponding Access Level list and select Advanced. The Advanced Rights page displays the user’s full array of object rights that have been specified explicitly and/or inherited. Click Cancel to exit without making changes. For more information, see “Setting advanced object rights” on page 308.For detailed tutorials that walk you through sample implementations of object rights, see “Customizing a ‘top-down’ inheritance model” on page 317.

Setting common access levelsAn access level is essentially a predefined set of object rights. BusinessObjects Enterprise provides a set of access levels that allow you to set common object security levels quickly. The available predefined access levels are No Access, View, Schedule, View On Demand, and Full Control. Access levels are based on a model of increasing rights: beginning with No Access and ending with Full Control, each access level builds upon the rights granted by the previous level. For example, the Schedule access level includes and adds to the rights that are granted by the View access level. For a complete listing of the object rights that make up each access level, see “Access levels” on page 549.Tip: By default, users or groups who have rights to a folder will inherit the same rights for any object that you subsequently publish to that folder. Consequently, the best strategy is to set the appropriate rights for users and groups at the folder level first. Then publish objects to that folder.Although access levels grant predefined sets of object rights, they do not explicitly deny any object rights. Instead, each access level grants some rights and leaves the other rights “not specified.” The system then denies the “not specified” rights by default. This is important, because it allows users to inherit the greatest rights when they belong to multiple groups:• When you assign an access level to a group, each user in the group will

have at least that level of access to the object. If the user is a member of multiple groups, then he or she inherits the combination of each group’s rights. Thus, when a user is a member of multiple groups, he or she inherits the greatest possible rights.

• When you assign an access level directly to a user, you ensure that the user has only that level of access to the object. In other words, you prevent the user from inheriting rights that he or she may have otherwise acquired by virtue of group membership.



This list provides a brief description of each access level:• No Access

The user or group is not able to access the object or folder. InfoView, the Publishing Wizard, and the CMC enforce this right by ensuring that the object is not visible to the user.

• ViewIf this access level is set at the folder level, the user or group is able to view the folder, the objects contained within the folder, and all generated instances of each object. If this access level is set at the object level, the user can view the object, the history of the object, and all generated instances of the object. The user cannot, however, schedule the object or refresh it against its data source.

• ScheduleThe user or group is able to view the object or folder and its contents, and to generate instances by scheduling the object to run against the specified data source once or on a recurring basis. The user or group can view, delete, and pause the scheduling of instances that they own. They can also schedule to different formats and destinations, set parameters and database logon information, pick servers to process jobs, add contents to the folder, and copy the object or folder.

• View On DemandIn addition to the rights provided by the Schedule access level, the user gains the right to refresh data “on demand” against the data source.

• Full ControlThis access level grants all of the available advanced rights. It is the only access level that allows users to delete objects (folders, objects, and instances). This access level also allows users to modify all of the object’s properties, including the object rights that are set on the folder or object. Basically, this access level is designed to provide a user or group with administrative control over one or more folders or objects. Users can then log on to the CMC and add, edit, and remove content as required, without being members of the actual Administrators group.

• AdvancedThis access level does not include a predefined set of object rights. Instead, it allows you to customize a user’s or group’s access to an object by selecting from the complete range of available object rights. For more information, see “Setting advanced object rights” on page 308.



Note: There is no predefined access level to grant users the rights required to create or modify reports through the Report Application Server (RAS). For details, see “Object rights for the Report Application Server” on page 552.For a detailed listing of the object rights that make up each access level, see “Rights and Access Levels” on page 547.Note: In the developer documentation, access levels are referred to as roles.

To set an access level for a user or group1. Go to the Objects or Folders management area of the CMC.2. Locate the object whose rights you want to modify.3. Click the link to the object, and then click its Rights tab.4. In the Name column, locate the user or group whose rights you want to

specify.If the user or group is not listed, click Add/Remove. Add the appropriate user or group and click OK. You are returned to the object’s Rights tab.

5. In the Access Level column, select the access level (No Access, View, Schedule, View On Demand, or Full Control) that is appropriate for the user or group.

6. Click Update.Tip: For detailed tutorials that walk you through sample implementations of object rights, see “Customizing a ‘top-down’ inheritance model” on page 317.

Setting advanced object rightsTo provide you with full control over object security, the CMC allows you to make Advanced object rights settings for any user or group. These Advanced settings enable you to choose from a complete set of granular object rights. The result is an increased flexibility as you define security levels for objects that you have published to BusinessObjects Enterprise.Use advanced rights, for instance, if you need to customize a user’s or group’s rights to a particular object or set of objects, or if you want to customize the default inheritance patterns. Most importantly, use advanced rights to explicitly deny a user or group any right that should not be permitted to change when, in the future, you make changes to group memberships or folder security levels.Tip: By default, users or groups who have rights to a folder will inherit the same rights for any object that you subsequently publish to that folder. Consequently, the best strategy is to set the appropriate rights for users and groups at the folder level first. Then publish objects to that folder.



Note: Because of the relative priorities assigned by BusinessObjects Enterprise to granted and denied rights, you must disable inheritance entirely when you need to explicitly grant a right that has been denied elsewhere to the user or group. For complete details, see “Priorities affecting advanced inheritance settings” on page 316.

To view or set advanced rights1. Go to the Objects or Folders management area of the CMC.2. Locate the object whose rights you want to modify.3. Click the link to the object, and then click its Rights tab.4. In the Name column, locate the user or group whose rights you want to


5. The next step depends upon the entry that already appears in the Access Level list for this user or group:• If the Access Level is not already set to Advanced, click the list and

select Advanced.• If the Access Level is already set to Advanced, click the Advanced

link in the Net Access column.The available object rights are displayed in the Advanced Rights page. This example shows advanced rights being applied to the Guest user for an Employee Profile report.



The first two options specify which types of inheritance affect the Guest user’s rights to this object. In this example, the Guest user cannot inherit rights by virtue of group membership. But, the Guest user may inherit any rights that he or she has been granted to this report’s parent folder.The remainder of the Advanced Rights page lists all available object rights and shows how each right applies to the Guest user. To customize the overall security levels, you can explicitly grant or deny any given right, or you can specify that you want certain rights to be inherited.The Inherited column serves as an indicator to show how inherited rights affect the Guest user’s effective rights to this report object. A user or group can be granted or denied a right by virtue of inheritance. In addition, some rights may remain “not specified”—that is, they are neither granted nor denied. If an inherited right is labelled as “Not Specified”, BusinessObjects Enterprise treats it as having been denied. (And if the right is later granted for a parent group or object, the user or group will automatically inherit the right at this level.)In this example, the Guest user has two inherited rights (the right to “View document instances that the user owns” and to “Pause and Resume document instances that the user owns”). Currently, these rights are not specified, so the rights are denied by default. However, if the Guest user’s rights should change on the report’s parent folder, the rights will also change for this report object. This demonstrates how inheritance can facilitate future changes to the overall security model.Tip: For scalability and manageability, it is recommended that you leave as many rights as possible inherited, because the system automatically updates those rights as you modify and update your security settings throughout the folder and group hierarchies.The Explicitly Granted column shows which actions the Guest user is allowed to perform on this report. The Guest user is currently granted eleven rights to this report (the right to “View objects,” “Schedule the document to run,” and so on). Because group inheritance is disabled, the Guest user will retain these rights, even if its group membership is modified or changed completely. This demonstrates how you can use explicit rights to override a group’s rights for a particular group member.The Explicitly Denied column works similarly to the Explicitly Granted column. Regardless of any future changes to the user’s group membership, an explicitly denied right always prevents a user from performing the associated action. In this example, the Guest user has been explicitly denied eleven rights (the right to “Add objects to the folder,” “Edit objects,” and so on). Again, this demonstrates how you can use explicit rights to override a group’s rights for a particular group member.When you have made your changes on the Advanced Rights page, click OK.



Tip: For detailed tutorials that walk you through sample implementations of object rights, see “Customizing a ‘top-down’ inheritance model” on page 317.

Base rights and available rightsThe BusinessObjects Enterprise system defines a set of base rights that apply to all objects in the system. For example, the “View objects” right is a base right: it applies equally well to folders, to reports, and to other BusinessObjects Enterprise objects. In addition to these base rights, however, each type of object provides an additional set of rights that apply only to that object type. For example, the “Refresh the report’s data” right applies only to report objects.The Central Management Server (CMS) is the component that keeps track of available rights. The list of available rights includes the base rights and all other object-specific rights that have been provided by particular object types, such as Crystal report objects.On the Advanced Rights pages, you will find that all of the available rights are displayed for every object on the system. These rights are grouped based on what type of file they apply to. The four groups are General, Report, Text, and Web Intelligence Document. When you are setting rights for folders, these groups make it easier to see where the rights will be applied. For example, the object-specific right “Refresh the report’s data” appears in the Report folder because it only applies to report objects.Available rights are displayed for every object on the system for purposes of inheritance, so that you can set object security at the folder level (rather than repeating the same settings for every object in the folder). Although certain object-specific rights do not strictly apply to the folder object itself, these rights may apply to objects that inherit rights from the folder. In other words, the “Refresh the report’s data” right is displayed for the folder object so that you can grant a user the right to refresh the data in all reports for which the user inherits rights from this folder. Note: This is only one type of object inheritance. For more information, see “Group and folder inheritance” on page 312.

Using inheritance to your advantageIn regards to object rights, BusinessObjects Enterprise recognizes two types of inheritance: group inheritance and folder inheritance. By taking advantage of the ways in which object rights are inherited, you can reduce the amount of time it takes to secure the content that you have published to BusinessObjects Enterprise. Additionally, you can set up BusinessObjects Enterprise such that you can integrate new users and new content quickly and easily.



To facilitate administration, it is recommended that you enable and disable inheritance with access levels whenever possible (instead of with advanced rights). Additionally, it is recommended that you make your initial settings at the top-level BusinessObjects Enterprise folder and disable inheritance only when necessary. For detailed tutorials that walk you through sample implementations of object rights, see “Customizing a ‘top-down’ inheritance model” on page 317.Tip: By default, users or groups who have rights to a folder will inherit the same rights for any object that you subsequently publish to that folder. Consequently, the best strategy is to set the appropriate rights for users and groups at the folder level first. Then publish objects to that folder.

Group and folder inheritanceGroup inheritance allows users to inherit rights as the result of group membership. Group inheritance proves especially powerful when you organize all of your users into groups that coincide with your organization’s current security conventions. For example, if you create a user called Sample User, and add it to an existing group called Sales, then Sample User will automatically inherit the appropriate rights for each of the reports and folders that the Sales group has been added to.When group inheritance is enabled for a user who belongs to more than one group, the rights of both groups are considered when the system checks credentials. The user is denied any right that is explicitly denied in any group, and the user is denied any right that remains completely “not specified”; thus, the user is granted only those rights that are granted in one or more groups (explicitly or through access levels) and never explicitly denied.Folder inheritance allows users to inherit any rights that they have been granted on an object’s parent folder. Folder inheritance proves especially powerful when you organize BusinessObjects Enterprise content into a folder hierarchy that reflects your organization’s current security conventions. For example, suppose that you create a folder called Sales Reports, and you provide your Sales group with View On Demand access to this folder. By default, every user that has rights to the Sales Reports folder will inherit the same rights to the reports that you subsequently publish to this folder. Consequently, the Sales group will have View On Demand access to all of the reports, and you need only set the object rights once, at the folder level.Note: If you need to disable or modify inheritance patterns for a particular folder or object within your folder hierarchy, you can do so with access levels or with advanced rights.



Enabling and disabling inheritance with access levelsWith access levels, you can enable or disable group inheritance, folder inheritance, or both. You can alternatively enable one or both types of inheritance with Advanced rights settings. For details, see “Inheritance with advanced rights” on page 314.

To enable inheritance with an access level1. Go to the Objects or Folders management area of the CMC.2. Locate the object whose rights you want to modify.3. Click the link to the object, and then click its Rights tab.4. In the Name column, locate the user or group whose rights you want to


5. In the Access Level column, select Inherited Rights for the user or group.6. Click Update.

The Net Access column now displays the effective rights that the user or group has inherited for this object.Note: If the entry displayed in the Net Access column is Advanced, ensure that both types of inheritance are enabled in the parent folder’s advanced rights settings. For details, see “Setting advanced object rights” on page 308.

To disable inheritance with an access levelNote: This procedure disables group and folder inheritance for a user account. When applied to a group, this procedure does not prevent group members from inheriting rights by virtue of membership in other groups.1. Go to the Objects or Folders management area of the CMC.2. Locate the object whose rights you want to modify.3. Click the link to the object, and then click its Rights tab.4. In the Name column, locate the user whose rights you want to specify.

If the user is not listed, click Add/Remove. Add the appropriate user and click OK. You are returned to the object’s Rights tab.

5. In the Access Level column, select the access level (No Access, View, Schedule, View On Demand, or Full Control) that is appropriate for the user.

6. Click Update.The Net Access column now displays the effective rights that the user has to the object. Because you have disabled all inheritance, the Net Access entry equals the Access Level entry.


Inheritance with advanced rights
When you apply an Advanced set of object rights to a user or group for a particular object, you can enable or disable group and folder inheritance together or individually. On the Advanced Rights pages, the settings for inheriting rights from parent folders or groups serve as powerful tools that allow you to customize inheritance patterns in many ways.Note: You see the “Username will inherit rights from its parent groups” option if you are setting rights for a user; this option does not appear if you are setting rights for a group.Tip: When modifying inheritance patterns with Advanced rights settings, keep in mind that you can always assign a user a specific set of rights, either by explicitly applying a predefined access level, or by explicitly applying an Advanced setting in which both types of inheritance are disabled.To take full advantage of inheritance patterns and Advanced rights settings, it is useful to understand not only the types of inheritance that are available, but also the ways in which a user’s effective rights are calculated by the CMS.For more information on the two types of inheritance, see “Group and folder inheritance” on page 312.

Calculating a user’s effective rightsWhen a user attempts to perform an action on a BusinessObjects Enterprise object, the CMS determines the user’s rights to that object. If the user possesses sufficient rights, the CMS permits the user to perform the requested action.Although the calculations performed by the CMS can become quite complex, there are several ways to keep your object security model clear, consistent, and easy to maintain. For complete details on setting up a system that makes sense for your BusinessObjects Enterprise system, see “Customizing a ‘top-down’ inheritance model” on page 317.To calculate the user’s effective rights, the CMS follows a complex algorithm. This sequence of steps, and its various possible outcomes, is provided for administrators and/or system architects who prefer to know exactly how the CMS calculates the rights a user has to any object. The algorithm is described here and then illustrated in a different way using pseudocode:1. The CMS checks the rights that have been directly granted or denied to the

user’s account. The CMS immediately denies any right that is explicitly denied.Tip: If an individual user’s account has not been assigned any rights to the object, then group inheritance is enabled by default. As the result, you can make all your object rights settings at the group level to save administrative effort.

2. If folder inheritance is enabled for the user, the CMS determines the rights that the user has to the object’s parent folder. The CMS determines



these rights by ascending the inheritance tree to the level at which the inherited rights begin to take effect. The CMS denies any right that is explicitly denied (even if the right had already been explicitly granted).

3. If group inheritance is enabled for the user, the CMS determines the rights specified on the object for each of the groups that the user belongs to. The CMS denies any right that is explicitly denied in any group (even if the right had already been explicitly granted).

4. If group inheritance is enabled for the user, and folder inheritance is enabled for a group that the user belongs to, then the CMS determines the rights that the group has to the parent folder. The CMS denies any right that is explicitly denied in any group (even if the right had already been explicitly granted).

5. The CMS completes the algorithm by denying any rights that remain “Not Specified.”

As the result, when both types of inheritance are enabled, the CMS grants the user only those rights that are explicitly granted in one or more locations and never explicitly denied.When you disable both types of inheritance for a user, you reduce this algorithm to two steps (1 and 5). Thus, the CMS grants the user only those rights that he or she has been explicitly granted. This provides you with the least complicated way of ensuring that a user has only those rights that you have explicitly granted to him or her for a particular object.When you disable folder inheritance for a user, you reduce this algorithm to three steps (1, 3, and 5). When you disable group inheritance for a user, you reduce this algorithm to three different steps (1, 2, and 5). In both cases, the CMS grants the user only those rights that are explicitly granted in one or more locations and never explicitly denied.This pseudocode is provided as another way to illustrate and describe the algorithm that the CMS follows in order to determine whether a user is authorized to perform an action on a particular object:IF {

(User granted right to object = True)OR [

(Inherit Parent Folder Rights = True) AND (User granted right to parent folder = True)

] OR [

(Inherit Group Rights = True) AND (Group granted right to object = True)

]OR [

(Inherit Group Rights = True) AND (Group granted right to parent folder = True)]

}



AND {(User denied right to object = False)AND [

(Inherit Parent Folder Rights = False)OR ((Inherit Parent Folder Rights = True) AND (User

denied right to parent folder = False))]

AND [(Inherit Group Rights = False)OR ((Inherit Group Rights = True) AND (Group denied

right to object = False))]

AND [(Inherit Group Rights = False)OR ((Inherit Group Rights = True) AND (Group denied

right to parent folder = False))]

}THEN {

User action authorized = True}ELSE {

User action authorized = False}

Priorities affecting advanced inheritance settingsWhen you modify inheritance patterns with advanced rights, there are several important considerations to keep in mind. Where relevant, these considerations appear elsewhere in this chapter. They have been summarized here for reference.Denied rights take precedence over granted rights. This can cause seemingly contradictory results when inheritance is enabled. Suppose that the “View objects” right is explicitly denied to a Sales group for a particular folder of reports. For the same folder, the “View objects” right has been explicitly granted to a Manager user, and the “Respect current security by inheriting rights from parent groups” check box is selected. The Manager user is a member of the Sales group. In this scenario, the Manager user is both granted and denied the “See object” right to the folder. Because denied rights take precedence, the Manager user is effectively denied the ability to see the folder, so long as the user account inherits rights from its parent group (Sales). To remedy this situation, you could clear the “Respect current security by inheriting rights from parent groups” check box on the Advanced Rights page for the Manager user, or you could remove the Manager user from the Sales group.



Rights that are not specified are denied by default. On the Advanced Rights page for any object, the Inherited Rights column may label certain rights as “Not Specified.” This entry denotes rights that are neither granted nor denied by inheritance. To prevent possible security breaches, BusinessObjects Enterprise automatically denies rights that are not specified.

Customizing a ‘top-down’ inheritance modelWith the flexibility offered by object rights, inheritance, and advanced rights, you can customize your object-level security environment in many ways. However, as the complexity of any security system increases, so too can that system become more difficult and time-consuming to maintain. This section recommends two general ways of setting up object security such that you achieve the desired security levels without complicating future administrative tasks. To this purpose, this section provides two tutorials that shows how to set up object security from the top-level folder (the root folder) down:• “Setting up an open system of decreasing rights” on page 320

This detailed tutorial creates an open security model. By default, all users and groups are first granted rights to all objects on the system. As you add folders and subfolders to the system, you decrease the rights of users and groups, as required, in order to secure particular BusinessObjects Enterprise content.

• “Setting up a closed system of increasing rights” on page 332This shorter tutorial creates the basis for closed security model. By default, users and groups cannot access any objects on the system. As you add folders and subfolders to the system, you increase the rights of users and groups, as required, in order to grant access to particular BusinessObjects Enterprise content.

You can use your own Enterprise, NT, or LDAP groups when following along with these tutorials, or you can create new groups that correspond to those used in the tutorial. For details on setting up these groups and subgroups, see “Creating groups for the tutorials” on page 318.In each tutorial, you will specify the object rights that particular groups have to certain folders on the system. By making all of your security settings at the group and folder levels, you reduce the administrative efforts now and later. After finishing each tutorial, you may decide to add users to each group and to publish objects to each folder. If you do so, each user will inherit the appropriate rights for every folder and object on the system.


Creating groups for the tutorials
The object security tutorials make use of eight Enterprise groups. The four primary groups are named Administrators, Everyone, Sales, and Marketing. The Sales group has four additional subgroups: Sales USA, Sales Japan, Sales Managers, and Sales Report Designers. The Administrators and Everyone groups are created by default when you install BusinessObjects Enterprise, so these two procedures show only how to create the remaining groups for the tutorials.Note: For the shorter tutorial entitled “Setting up a closed system of increasing rights” on page 332, you need only create the Sales group and its Sales USA, Sales Japan, and Sales Managers subgroups.

To create the Sales and Marketing groups1. Go to the Groups management area of the CMC.2. Click New Group.

The new group’s Properties tab appears.

3. In the Group Name field, type Marketing.4. In the Description field, type This group contains all users who

work in Marketing.

5. Click OK.The Marketing group is added to the system and the page is refreshed.Tip: Click the Users tab if you want to add your own users to this group.

6. Repeat steps 1 to 5 to create another group called Sales. Use this description for the group: This group contains all users who work in Sales (worldwide).



To create the Sales subgroups1. Go to the Groups management area of the CMC.

2. Click New Group.3. In the Group Name field, type Sales USA4. In the Description field, type This group contains all users who

work in Sales in the USA.

5. Click OK.The Sales USA group is added to the system and the page is refreshed.Tip: Click the Users tab if you want to add your own users to this group.

6. Click the Member of tab; then click the Member of button.The Modify Member of page appears.

7. In the Available groups list, select Sales; then click the > arrow.The Sales group is added to the “Sales USA is a member of” list, as displayed here:



8. Click OK.You are returned to the “Member of” tab. The Sales USA group is now a member (or subgroup) of the Sales group.

9. Repeat steps 1 to 8 to create the remaining Sales subgroups for the tutorials. Use the following values for the Group Name and Description fields:

If you now return to the Groups management area of the CMC, all of the new groups are displayed as follows:

You are now ready to proceed to either of the object security tutorials:• “Setting up an open system of decreasing rights” on page 320.• “Setting up a closed system of increasing rights” on page 332.

Setting up an open system of decreasing rightsThis tutorial shows how to create an open security model, wherein groups of users are first granted rights to all objects on the system by default. As you add folders and subfolders to the system, you decrease the rights of users and groups, as required, in order to secure particular BusinessObjects Enterprise content.

Group Name Description

Sales Japan This group contains all users who work in Sales in Japan.

Sales Managers This group contains all users who manage a Sales team.

Sales Report Designers

This group contains all users who design and publish reports for the Sales teams.



In this scenario, you are creating folders for several groups within your organization. You have some reports that you want to add to the system immediately. Because some groups plan to add their own reports later, you also need to give some users the ability to add subfolders and to publish reports. These are your security requirements for each folder:• Everyone must be able to view the majority of your reports.• Administrators require Full Control access to all folders and objects on

the system.• Sales Managers are allowed to refresh most reports against the database

to view the most recent data.• The Marketing group needs Full Control access to its own set of folders

that no other user can access (other than Administrators).• The Sales groups need a hierarchy of folders containing worldwide

reports, regional reports, and management reports:• All Sales staff can view worldwide reports.• Sales staff can also view reports for their own regions. If the staff

member is also a Manager, he or she can view and refresh reports from all regions.

• Sales Managers require Full Control access to the management reports.• Sales Report Designers require custom administrative privileges to

all Sales folders.For a shorter, less detailed tutorial, see “Setting up a closed system of increasing rights” on page 332.

Changing default rights on the top-level folderThe first step is to set object rights on the top-level BusinessObjects Enterprise folder. This folder serves as the root for all other folders and objects that you add to the system. Each subfolder, report, or other object that you add to this top-level folder will by default inherit rights from this folder. So, by setting rights here first, you minimize the need to repeatedly customize object rights throughout your folder hierarchy.With this procedure, you set security on the top-level folder in order to meet your first three security requirements:• Everyone must be able to view the majority of your reports.• Administrators require Full Control access to all folders and objects on

the system.• Sales Managers are allowed to refresh most reports against the database

to view the most recent data.



To change the rights on the top-level folder1. Go to the Settings management area of the CMC.2. Click the Rights tab.

By default, the Everyone and the Administrators groups are granted access to this folder. You now need to reduce the rights of the Everyone group and to increase the rights of the Sales Managers.

3. Click the Access Level list that corresponds to the Everyone group, and select View.

4. Click Update.The rights for the Everyone group are reduced and the View access level is now displayed in the Net Access column.Now you will customize the top-level rights for the Sales Managers group.

5. Click Add/Remove.The Add/Remove page appears.

6. In the Select Operation list, click Add/Remove Groups.7. In the Available groups list, select Sales Managers.8. Click the > arrow; then click OK.

You are returned to the Rights tab on the Settings page. Ensure that you grant the Sales Managers group View On Demand access. If necessary, change the Access Level list and click Update. This provides the Sales Managers group with sufficient rights to refresh reports.

Now, your system meets your first three security requirements. The Everyone, Administrators, and Sales Managers groups will initially inherit these rights for any folders, subfolders, or reports that you subsequently publish to BusinessObjects Enterprise. You might, for instance, create folders for all of your generally accessible inventory reports, customer list reports, purchasing order reports, and so on.Now that you have created an open basis for your object security model, you will proceed to restricting access to certain folders within the system.

Decreasing rights to a private folderAnother security requirement for this tutorial is that the Marketing group needs Full Control access to their own set of folders that no other user can access. To accomplish this, you will create a private folder called Marketing Only and ensure that only the appropriate group of users has access to its contents.



To decrease rights to a private folder1. Go to the Folders management area of the CMC.2. Click New Folder.3. On the Properties tab, in the Folder Name field, type Marketing Only4. In the Description field, type This folder is accessible only to

Marketing.

5. Click OK.6. Click the Rights tab.7. In the Access Level column, select the following rights for each group:

• Administrators: (Inherited Rights)• Everyone: No Access• Sales Managers: No Access

8. Click Update.The Net Access column shows that you have secured this folder from all users other than Administrators.Next, you will grant the Marketing group Full Control access to this folder.

9. Click Add/Remove.The Add/Remove page appears.

10. In the Select Operation list, click Add/Remove Groups.11. In the Available groups list, select Marketing.12. Click the > arrow; then click OK.

You are returned to the Rights tab. The Marketing group is granted access to the folder. You need to change the default setting to grant them Full Control access.

13. Click the Access Level list that corresponds to the Marketing group, and select Full Control.

14. Click Update.The Net Access column shows that you have granted the Marketing group Full Control access to this folder.

Members of this group now have the ability to perform all tasks in this folder. They can add and delete reports, folders, and subfolders, and they can view, schedule, and export reports to all available destinations and formats.To complete this tutorial, you need to customize the rights that various Sales groups have to a hierarchical set of Sales folders. Before setting the rights for each group, you will see how to create multiple folders quickly when you publish a set of reports to BusinessObjects Enterprise.



Publishing a set of folders and reportsThe final security requirements for this tutorial are related to the Sales group and its subgroups. They require a hierarchy of folders containing worldwide reports, regional reports, and management reports.Because this tutorial sets up a system of decreasing rights, you will first create a set of folders that places the most general content at the top of the directory tree. In this case, all Sales staff can view the worldwide reports, so the folder for those reports requires the lowest level of security. The regional reports will go in subfolders that are accessible only to users who belong to the appropriate regional Sales group. The management reports will be located in subfolders of each of the regional folders.You could create this set of folders using the CMC, as in the earlier sections of this tutorial. However, if you already have a set of reports, the Publishing Wizard provides the quickest way to add content and create folders at the same time.

To create a set of folders while publishing reports1. On your local hard drive, create a set of folders that correspond to the

folders you want to add to BusinessObjects Enterprise.For this tutorial, the Sales folders are named and arranged hierarchically as follows:

2. Arrange your reports (.rpt files) in the new folders on your local hard drive.If you do not have any of your own reports, use some of the sample reports included with BusinessObjects Enterprise. The sample reports are typically installed to C:\Program Files\Business Objects\BusinessObjects Enterprise 11\Samples\language \Reports (replace language with, for example, en, de, fr, or jp, depending upon your version of BusinessObjects Enterprise).Note: To complete this procedure, you must place at least one report file in each of the folders that you have created on your local hard drive. Otherwise, the Publishing Wizard will not create the appropriate directories on the BusinessObjects Enterprise system.



3. From the BusinessObjects Enterprise XI Programs group, start the Publishing Wizard and, when it appears, click Next.

4. In the System field, type the name of the CMS to which you want to add objects.

5. In the User Name and Password fields, type your BusinessObjects Enterprise credentials.

6. From the Authentication list, select the appropriate authentication type.7. Click Next.

The Select A File dialog box appears.8. Click Add Folders.

9. Select the top level Worldwide Sales folder that you created on your local hard drive.

10. Select the Include subfolders check box, and then click OK.



You are returned to the Select A File dialog box. All of the reports are added to the list.

11. Click Next.The Specify Location dialog box appears.

12. In the Specify Location dialog box, click New Folder. 13. Name the folder Worldwide Sales and ensure that it is located at the top

of the directory tree, as shown here:



14. Click Next.The Specify Folder Hierarchy dialog box appears.

15. Select Duplicate the folder hierarchy to duplicate the local folder hierarchy on the BusinessObjects Enterprise system; then click Next.The Confirm Location dialog box appears. You can see here that the Regional Sales folders will be created below the Worldwide Sales folder, and the Managers Only folders will be created as additional subfolders. The actual report files are arranged in the appropriate folders.

16. Click Next.17. Proceed through the rest of the Publishing Wizard and make any desired

changes to your reports.Tip: If you are publishing sample reports for the purpose of this tutorial, click Next to accept all the default values. For more information on the rest of the Publishing Wizard, see “Publishing with the Publishing Wizard” on page 362.When the Publishing Wizard has added the reports and folders to the system, it displays a summary:

18. Click Finish to close the Publishing Wizard.



You are now ready to set each Sales group’s object rights for the new set of Sales folders.

Setting the base rights on the Sales foldersNow that you have used the Publishing Wizard to add reports and create the appropriate folders and subfolders, you are ready to set the object rights for each level of reporting content.The security requirements are as follows:• All Sales staff can view worldwide reports.• Sales staff can also view reports for their own regions. If the staff member

is also a Manager, he or she can view and refresh reports from all regions.• Sales Managers require Full Control access to the management reports.• Sales Report Designers require custom administrative privileges to all

Sales folders.

To set the base rights on the Worldwide Sales folder1. Go to the Folders management area of the CMC.2. Click the link to the Worldwide Sales folder.3. On the folder’s Rights tab, click Add/Remove.4. In the Select Operation list, click Add/Remove Groups.5. In the Available groups list, select Sales and Sales Report Designers.

Tip: Use CTRL+click to select multiple groups.6. Click the > arrow; then click OK.

You are returned to the Rights tab.



7. In the Access Level column, select the following rights for each group:• Administrators: Inherited Rights• Everyone: No Access• Sales: View• Sales Managers: Inherited Rights• Sales Report Designers: This group requires additional rights to

publish content to this folder. You will use advanced rights to make these changes in the next procedure. For now, leave the Access Level list with the default settings.

8. Click Update.The Net Access column is updated to show your new security settings.

You now need to grant the Sales Report Designers group a set of advanced rights, so group members can administer all the Sales folders.

Creating a group of folder administratorsThis section of the tutorial shows how to provide a particular group of users with a customized level of administrative control over a set of folders. In general, you can accomplish this with the Full Control access level. This example, however, uses advanced rights to grant the Sales Report Designers group a particular set of administrative privileges to all Sales folders.

To create a group of Sales folder administrators1. If you are not already there, go to the Rights tab of the Worldwide Sales

folder.2. In the Access Level list for the Sales Report Designers group, select

Advanced.The Advanced Rights page appears. You will use this page to grant group members a high level of control over the folder and its contents. However, you will not let any group member delete objects that have been added to a Sales folder.

3. To ensure that you completely break all inheritance patterns, clear the “Worldwide Sales” will inherit rights from its parent folders check box.

4. Click Apply.Now that you have disabled all rights inheritance, the advanced rights that you specify will be the only rights that group members have to the folder.

5. In the Explicitly Denied column, select the following rights:• Modify the rights users have to objects• Delete objects



Tip: You may choose to explicitly deny additional rights to suit your needs. For instance, to prevent these folder administrators from copying confidential reports to public folders, you could deny the “Copy objects to another folder” right. Or, if you prefer to retain all administrative control over report-processing servers, you could deny the “Define server groups to process jobs” right.

6. In the Explicitly Granted column, select all remaining rights.7. Click OK.

You are returned to the Rights tab for the Worldwide Sales folder. The Net Access column now shows that the Sales Report Designers group has Advanced rights to this folder.

Tip: Click the Advanced link in the Net Access column when you need to review or modify a set of advanced rights that have already been applied to a user or group.Now that you have set object rights on the uppermost Sales folder, you will proceed to decrease rights as you descend the folder hierarchy.

Decreasing rights to the Sales subfoldersRecall that the security requirements for the regional sales reports are as follows:• Sales staff can view reports for their own region and can refresh these

reports against the database to view the most recent data.• If the staff member is also a Manager, he or she can view and refresh

reports from all regions.You will use the various Sales groups to decrease rights appropriately for each Regional Sales folder.

To decrease rights to the regional Sales folders1. Go to the Regional Sales - JP folder and click its Rights tab.2. Click Add/Remove.3. In the Select Operation list, click Add/Remove Groups.4. In the Available groups list, select Sales Japan.5. Click the > arrow; then click OK.

You are returned to the Rights tab of the Regional Sales - JP folder.6. In the Access Level column, select the following rights for each group:

• Administrators: Inherited Rights• Everyone: Inherited Rights• Sales: No Access



• Sales Japan: View On Demand• Sales Managers: Inherited Rights• Sales Report Designers: Inherited Rights

7. Click Update.The Net Access column shows your new security settings. As required, the Sales Japan and the Sales Managers groups have View On Demand access, which allows them to refresh reports against the database to view the latest data. The Sales Report Designers retain their advanced rights, and all other users are prevented from accessing the folder (except for Administrators).

8. Repeat steps 1 to 6 for the Regional Sales - USA folder, but grant View On Demand access to the Sales USA group (instead of to the Sales Japan group).

You are now ready to complete the tutorial by customizing security for the final level of Sales folders—the Managers Only folders.

To decrease rights to the Managers Only folders1. Go to the Regional Sales - JP folder and click its Subfolders tab.2. Click the link to the Managers Only folder and click its Rights tab.3. In the Access Level column, select the following rights for each group:

• Administrators: Inherited Rights• Everyone: Inherited Rights• Sales: Inherited Rights• Sales Japan: No Access• Sales Managers: Full Control• Sales Report Designers: Inherited Rights

4. Click Update.The Rights tab of this Managers Only folder now shows that the Administrators, Sales Managers, and Sales Report Designers groups all have Full Control access to the folder. Members who do not belong to one of these groups are completely restricted from the folder.

5. Go to the Regional Sales - USA folder and click its Subfolders tab.6. Click the link to the Managers Only folder and click its Rights tab.7. In the Access Level column, select the following rights for each group:

• Administrators: Inherited Rights• Everyone: Inherited Rights• Sales: Inherited Rights



• Sales Managers: Full Control• Sales Report Designers: Inherited Rights• Sales USA: No Access

8. Click Update. The Rights tab of this Managers Only folder shows again that the Administrators, Sales Managers, and Sales Report Designers groups all have Full Control access to the folder. Members who do not belong to one of these groups are completely restricted from the folder.

You have now reached the end of this tutorial.

Setting up a closed system of increasing rightsThis tutorial shows how to set up the basis for a closed security model, wherein groups of users are first denied rights to all objects on the system by default. As you add folders and subfolders to the system, you increase the rights of users and groups, as required, so they can access their BusinessObjects Enterprise content.In this scenario, you are creating folders for several groups within your organization. These are your security requirements for each folder:• The majority of your reports should be inaccessible to most users.• Administrators require Full Control access to all folders and objects on

the system.• The Sales groups need a hierarchy of folders containing management

reports and regional reports:• Only the Sales Managers can view the management reports and all

regional reports.• Sales staff can only view reports for their own region.

Because this scenario first completely restricts access to the top-level folders, and then gradually increases access to subfolders further down the folder hierarchy, the results are essentially incompatible with the design of InfoView. The closed security model works best when you deploy a web desktop or other application that provides users with a list of all reports and/or folders to which they have access. The sample Report Thumbnail Client and the In-frame Client applications provide examples that are compatible with a closed security model. You can access these applications from the Client Samples area of the Crystal Enterprise Launchpad.InfoView, by contrast, adheres to a hierarchical view of the system’s folder structure. Thus, if users cannot access a top-level folder, they have no way of browsing its subfolders (even if they have Full Control over those subfolders



and their contents). If you implement this closed security model in conjunction with InfoView, users will need to search for specific reports by name or description.For a lengthier, more detailed tutorial, see “Setting up an open system of decreasing rights” on page 320.

Restricting access from the top-level folderThe first step is to set object rights on the top-level BusinessObjects Enterprise folder. This folder serves as the root for all other folders and objects that you add to the system. Each subfolder, report, or other object that you add to this top-level folder will inherit rights from this folder by default. So, by setting rights here first, you minimize the need to repeatedly customize object rights throughout your folder hierarchy.With this procedure, you set security on the top-level folder in order to meet your first two security requirements:• The majority of your reports should be inaccessible to most users.• Administrators require Full Control access to all folders and objects on

the system.This procedure gives the Everyone group No Access to all published content. This is how you set the basis for a closed security model. Do not use advanced rights to explicitly deny rights to the Everyone group (or any other group) at the top-level folder of your BusinessObjects Enterprise system, because once a right has been explicitly denied, you have to break all inheritance patterns in order to grant the same right further down the folder hierarchy.

To change the rights on the top-level folder1. Go to the Settings management area of the CMC.2. Click the Rights tab.

You need only reduce the rights of the Everyone group.3. Click the Access Level list that corresponds to the Everyone group, and

select No Access.Note: If users access reports through BusinessObjects Enterprise, they will be unable to browse subfolders once you make this initial security setting. Users will, however, be able to search for reports by name or description.

4. Click Update.The rights for the Everyone group are reduced and No Access is displayed in the Net Access column.



Now, your system meets your first two security requirements. The Everyone group is prevented from seeing all subsequently published content, and the Administrators group retains Full Control in order to maintain the system.Now that you have created a closed basis for your object security model, you will increase access to certain folders within the system.

Increasing access by descending the folder hierarchyThe remaining security requirements for this tutorial are related to the Sales group and its subgroups. They require a hierarchy of folders containing management reports and regional reports. Because this tutorial sets up a system of increasing rights, the most secure content will be stored at the top of the directory tree.With these procedures, you create the folder hierarchy and set access levels in order to meet the remaining security requirements:• Only the Sales Managers can view the management reports and all

regional reports.• Sales staff can only view reports for their own region.

To provide minimal access to the management reports1. Go to the Folders management area of the CMC.2. Click New Folder.3. On the Properties tab, in the Folder Name field, type Management

Reports

4. Click OK.The new folder is created and the page is refreshed.

5. On the Rights tab, click Add/Remove.6. In the Select Operation list, click Add/Remove Groups.7. In the Available Groups list, select Sales Managers.8. Click the > arrow; then click OK.

You are returned to the Rights tab of the Management Reports folder.9. Click the Access Level list for the Sales Managers group, and select

View.10. Click Update.

The Rights tab now shows that the Sales Managers group has View access to this folder and to any objects that you subsequently publish to it. As required, the Everyone and Administrators groups have inherited the rights that you set on the top-level BusinessObjects Enterprise folder.


Controlling User AccessControlling access to applications 13

Now you need only create folders for the regional reports and grant access to the appropriate regional Sales groups.

To provide selective access to the regional reports1. If you are not already there, go to the Management Reports folder.2. On the Subfolders tab, click New Folder.3. On the Properties tab, in the Folder Name field, type Regional

Reports - JP

4. Click OK.The new folder is created and the page is refreshed.

5. On the Rights tab, click Add/Remove.6. In the Select Operation list, click Add/Remove Groups.7. In the Available Groups list, select Sales Japan.8. Click the > arrow; then click OK.

You are returned to the Rights tab of the Management Reports folder.9. In the Access Level list for the Sales Japan group, select View.10. Click Update.

The Rights tab now shows that the Sales Japan group has View access to this folder and to any objects that you subsequently publish to it. The Administrators, Everyone, and Sales Managers groups automatically inherit the appropriate rights for this folder.

11. Repeat this procedure to create a subfolder called Regional Reports - USA and to provide the Sales USA group with View access to the folder.When you finish, the Rights tab of the Regional Reports - USA folder shows that you have set the rights as required for this tutorial.

You have now reached the end of this tutorial.

Controlling access to applicationsYou can use rights to control users’ access to certain features in BusinessObjects Enterprise applications. You can grant or deny users access to the Central Management Console. For InfoView, you can grant users or groups the ability to:• change their preferences• organize folders • search


Controlling User AccessControlling access to applications13

• filter object listings by object type• view the Favorites folderFor example, if you have already created your users’ folders using a standard naming convention, you may want to deny your users the ability to organize their own folders.Note: By default, all users have access to these features.

To grant access to a Business Objects application’s features1. Go to the BusinessObjects Enterprise Applications management area

of the CMC.2. Click the link for the application whose access rights you want to change.3. Click the Rights tab.4. Click Add/Remove to add users or groups you want to give access to the

features.5. On the Add/Remove page, in the Select Operation list, select Add/

Remove Groups, Add Users, or Remove Users.6. Select the user or group you want to grant access to the features.

Tip: If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account.

7. Click OK.8. On the Rights tab, click Advanced.


Controlling User AccessControlling administrative access 13

9. For each feature, choose Inherited, Explicitly Granted, or Explicitly Denied for the user or group.Note: For the Web Intelligence application, make sure you grant access to the Allows interactive HTML viewing option in order for users to be able use the Interactive view format and use the Query HTML panel. The user can select this view format and report panel option in the Web Intelligence Document Preferences tab in InfoView.

10. Click OK.

Controlling administrative accessIn addition to controlling access to objects and settings, you can use rights to divide administrative tasks between functional groups within your organization. For example, you may want people from different departments to manage their own BusinessObjects Enterprise users and groups. Or you may have one administrator who handles high-level management of BusinessObjects Enterprise, but you want all server management to be handled by people in your IT department. With all of the tasks facing a BusinessObjects Enterprise administrator, it can be very helpful to delegate responsibility to other managers and groups.This section describes how to grant rights for managing users, groups, servers, and server groups.


Controlling User AccessControlling administrative access13
Controlling access to users and groups
You can delegate user and group administration to the appropriate people in your organization by granting specific access rights.

To grant access to a user or group1. Go to the Users or Groups management area of the CMC.2. Select the user or group you want to grant access to.3. Click the Rights tab.4. Click Add/Remove to add users or groups that you want to give access

to the selected user or group.The Add/Remove page appears.

5. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users.

6. Select the user or group you want to grant access to the specified user or group.Tip: If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account.

7. Click OK.8. On the Rights tab, change the Access Level for each user or group, as

required.9. To choose specific rights, choose Advanced.

Note: For complete details on the predefined access levels and advanced rights, see “Rights and Access Levels” on page 547.

10. Click Update.

Controlling access to user inboxesWhen you add a user, the system automatically creates an inbox for that user. The inbox has the same name as the user. By default, only the user and the administrator have the right to access a user’s inbox. Use the following procedure to change the access rights to a user’s inbox as needed.User inboxes can serve as destinations for scheduled reports. When scheduling a report, you can specify that you want the system to store the report instances in the inbox of one or more users. You can also send existing report objects or instances to a user’s inbox by using the “Send to” feature. For more information, see “Selecting a destination” on page 465, and “Sending an object or instance” on page 406.



To grant a user access to another user’s inbox1. Go to the Inbox management area of the CMC.2. Select the inbox you want to grant access to.3. Click the Rights tab.4. Click Add/Remove to add users or groups that you want to give access

to the selected user or group.The Add/Remove page appears.


6. Select the user or group you want to grant access to the specified inbox.7. Click OK.8. On the Rights tab, change the Access Level for each user or group, as



10. Click Update.

Controlling access to servers and server groupsYou can use rights to grant people access to servers and server groups, allowing them to perform tasks such as starting and stopping servers.Depending on your system configuration and security concerns, you may want to limit server management to the BusinessObjects Enterprise administrator. However, you may need to provide access to other people using those servers. Many organizations have a group of IT professionals dedicated to server management. If your server team needs to perform regular server maintenance tasks that require them to shut down and start up servers, you need to grant them rights to the servers. You may also want to delegate BusinessObjects Enterprise server administration tasks to other people. Or you may want different groups within your organization to have control over their own server management.

To grant access to a server or server group1. Go to the Servers or Server Groups management area of the CMC.2. Select the server or server group you want to grant access to.3. Click the Rights tab.



4. Click Add/Remove to add users or groups that you want to give access to the selected server or server group.The Add/Remove page appears.


6. Select the user or group you want to grant access to the specified server or server group.Tip: If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account.



Note: For complete details on the predefined access levels and advanced rights, see “Rights and Access Levels” on page 547.Click Update.

Controlling access to universesYou can use rights to grant people access to universes, allowing them to create and view Web Intelligence documents that use universes and connections.

To control who has access to a universe1. Go to the Universes management area of the CMC.2. Click the link for the universe.3. Click the Rights tab.4. In the Name column, locate the user or group whose rights you want to




link in the Net Access column.



Controlling access to universe connectionsYou can use rights to grant people access to universe connections, allowing them to create and view Web Intelligence documents that use universes and universe connections. You can either set the rights to all universes by using the Rights button on the Universe Connections page, or you can set the rights to individual universe connections.

To view or set the access levels for all universe connections1. Go to the Universe Connections management area of the CMC.2. Click the Rights button.3. In the Name column, locate the user or group whose rights you want to





To view or set who has access to a specific universe connection1. Go to the Connections management area of the CMC.2. Click the link for the connection.3. Click the Rights tab.4. In the Name column, locate the user or group whose rights you want to






Organizing Objects

chapter

Organizing ObjectsOrganizing objects overview14
Organizing objects overview
Creating an intuitive and logical organizational structure is the key to ensuring that your users can find the information they need quickly and easily. BusinessObjects Enterprise provides two methods for organizing content: folders and categories. By combining folders and categories, and setting appropriate rights for them, you can organize data according to multiple criteria and improve both security and navigation.

About folders and categoriesFolders and categories provide you with the ability to organize and facilitate content administration. They are useful when there are a number of reports that a department or area requires frequent access to, because you can set object rights and limits once at the folder or category level, rather than setting them for each report or object.By default, new objects that you add to a folder or category inherit the object rights that are specified for the folder or category.It’s good practice to set up folders that represent a structure that already exists in your organization, such as departments, regions, or even your database table structure. Then use categories to set up an alternate system of organization.For example, you could organize your content into departmental folders, and then use categories to create an alternate filing system that divides content according to different roles in your organization, such as managers or VPs. This organizational model allows you set security on groups of documents based on department or job role.

Working with foldersFolders are objects used to organize documents. You can use folders to separate content into logical groups. Because you can set security at the folder level, you can use folders as a tool for controlling access to information.

Creating and deleting foldersThere are several ways to create new folders in BusinessObjects Enterprise. In the Central Management Console (CMC), go to the Folders management area to create new folders and to add subfolders to the existing hierarchy of folder objects.


Organizing ObjectsWorking with folders 14

Tip: When you publish local directories and subdirectories of reports with the Publishing Wizard, you can duplicate your local directory structure on the BusinessObjects Enterprise system. This method provides you with an efficient way of creating multiple folders and subfolders at the same time. For details, see “Publishing with the Publishing Wizard” on page 362.

Creating a new folderThis procedure shows how to create a new folder at the top of your folder hierarchy. Folders created in this way are, in effect, subfolders of the top-level (or root) BusinessObjects Enterprise folder.1. Go to the Folders management area of the CMC.2. Click New Folder.3. On the Properties tab, type the name, description, and keywords of the

new folder.This example creates a new Marketing folder:

4. Click OK.The new folder is added to the system, and its Properties tab is refreshed. You can now use the Objects, Subfolders, Limits, and Rights tabs to add objects and to change settings for this folder.


Organizing ObjectsWorking with folders14
Creating a new subfolder at any level
1. Go to the Folders management area of the CMC.The initial level of folders is displayed.

2. In the Title column, click the link to the folder where you want to add a subfolder.

3. Click the Subfolders tab. Tip: You can browse through existing subfolders to add a new folder elsewhere in the folder hierarchy. When you have found the right parent folder, go to its Subfolders tab.The Subfolders tab appears.

4. Click New Folder.5. On the Properties tab, type the name and description of the new folder.6. Click OK.

The new folder is added to the system, and its Properties tab is refreshed. You can now use the Objects, Subfolders, Limits, and Rights tabs to add objects and to change settings for this folder.



Deleting foldersWhen you delete a folder, all subfolders, reports, and other objects contained within it are removed entirely from the system.

To delete folders1. Go to the Folders management area of the CMC.2. Select the check box associated with the folder you want to delete.

If the folder you want to delete is not at the top level, locate its parent folder. Then make your selection on the parent folder’s Subfolders tab.Tip: Select multiple check boxes to delete several folders from their parent folder.

3. Click Delete, and click OK to confirm.

Copying and moving foldersWhen you copy or move a folder, the objects contained within it are also copied or moved. BusinessObjects Enterprise treats the folder’s object rights differently, depending upon whether you copy or move the folder:• When you copy a folder, the newly created folder does not retain the

object rights of the original. Instead, the copy inherits the object rights that are set on its new parent folder. For instance, if you copy a private Sales folder into a Public folder, the contents of the new Sales folder will be accessible to all users who have rights to the Public folder.

• When you move a folder, all of the folder’s object rights are retained. For instance, if you move a private Sales folder into a publicly accessible folder, the Sales folder will remain inaccessible to most users.

To copy or move a folder1. Go to the Folders management area of the CMC.2. Select the check box associated with the folder that you want to copy or

move.If the folder you want to copy or move is not at the top level, locate its parent folder. Then make your selection on the parent folder’s Subfolders tab.Tip: Select multiple check boxes to copy or move several folders from their parent folder to a different folder.



3. Click Copy/Move.The Copy/Move Folder page appears.

4. Select the action to perform:• Copy to: Makes a copy of the folder.• Move to: Moves the folder.

5. Select the Destination folder from the list.Tip: If there are many folders on your system, use the “Look for” field to search, or click Previous, Next, and Show Subfolders to browse the folder hierarchy.

6. Click OK.The folder you selected is copied or moved, as requested, to the new destination.

Adding a report to a new folderYou can add objects individually to any folder in a number of ways. Follow this procedure to add a report to a new folder that you have just created. For complete information on publishing reports and other objects, see “Publishing overview” on page 360.



To add a report to a new folder1. Once you’ve created the new folder, click its Objects tab.

2. Click New Object.The New Object page appears.

3. On the Report tab, in the File name field, type the full path to the report.If you do not know the path, click Browse to perform a search.

4. If you do not want the user to see a thumbnail preview of the report in BusinessObjects Enterprise, clear the Generate thumbnail for the report check box.Tip: To display thumbnails for a report, open the report in Crystal Reports and click Summary Info on the File menu. Select the “Save preview picture” check box and click OK. Preview the first page of the report and save your changes.



5. If the report references objects in your BusinessObjects Enterprise Repository, select the Use Object Repository when refreshing report check box to update these objects now.For details about setting up the BusinessObjects Enterprise Repository, see “BusinessObjects Enterprise Repository overview” on page 158.

6. Ensure that the correct folder name appears in the Destination field.Tip: If there are many folders on your system, use the “Look for” field to search, or click Previous, Next, and Show Subfolders to browse the folder hierarchy.

7. Click OK.The report is published to BusinessObjects Enterprise.

Specifying folder rightsFollow this procedure to change the object rights for a new folder that you have just created. By default, new objects that you add to a folder inherit the object rights that are specified for the folder. For complete information on object rights, see “Controlling users’ access to objects” on page 303.

To specify rights for a new folder1. Once you’ve created the new folder, click its Rights tab.2. Click Add/Remove to add groups or users to this folder.

The Add/Remove page appears.



3. In the Select Operation list, select Add/Remove Groups, Add Users, or Remove Users.The page is refreshed and displays options that depend upon whether you are working with users or with groups. The example above shows the options that are available when you are working with groups.

4. Select the user/group whose rights you want to specify and click the arrows to specify whether the user/group does or does not have access to the folder.Tip: If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account.

5. Click OK.You are returned to the Rights tab.

6. Change the Access Level for each user or group, as required.Note: For complete details on the predefined access levels and advanced rights, see “Controlling users’ access to objects” on page 303.

7. Click Update.

Setting limits for folders, users, and groupsLimits allow you to delete report instances on a regular basis. You set limits to automate regular clean-ups of old BusinessObjects Enterprise content. Limits that you set on a folder affect all objects that are contained within the folder. At the folder level, you can limit the number of instances that remain on the system for each object or for each user or group; you can also limit the number of days that an instance remains on the system for a user or group.Follow this procedure to enforce default limits on a folder that you have just created. For more information on limits, see “Setting instance limits for an object” on page 482.



To limit instances at the folder level1. Once you’ve created the new folder, click its Limits tab.

2. Modify the available settings according to the types of instance limits that you want to implement, and click Update after each change.The available settings are:• Delete excess instances when there are more than N instances of an

objectTo limit the number of instances per object, select this check box. Then type the maximum number of instances that you want to remain on the system. (The default value is 100.)

• Delete excess instances for the following users/groupsTo limit the number of instances per user or group, click Add/Remove in this area. Select from the available users and groups and click OK. Then type the maximum number of instances in the Instance Limit column. (The default value is 100.)

• Delete instances after N days for the following users/groupsTo limit the age of instances per user or group, click Add/Remove in this area. Select from the available users and groups and click OK. Then type the maximum age of instances in the Maximum Days column. (The default value is 100.)



In this example, two settings have been combined to keep a maximum of 50 instances of any object in the folder, and to keep a maximum of 25 instances that belong to any member of the Administrators group.

Managing User FoldersBusinessObjects Enterprise creates a folder for each user on the system. These folders are organized within the CMC as User Folders. By default, there are User Folders for the Administrator and Guest accounts. When you log on to the CMC and view the list of User Folders, you will see only those folders to which you have View access (or greater).Within InfoView, these folders are referred to as the Favorites folders. When a user logs on to BusinessObjects Enterprise, he or she is redirected immediately to his or her Favorites folder. (Users can change this default behavior my modifying their Preferences.)

To view the User Folders1. Go to the Folders management area of the CMC.2. Click the User Folders link.3. If it is not already displayed, click the Subfolders tab.

A list of subfolders appears. Each subfolder corresponds to a user account on the system. Unless you have View access (or greater) to a subfolder, it will not appear in the list.


Organizing ObjectsWorking with categories14
Working with categories
Like folders, categories are objects used to organize documents. You can associate documents with multiple categories, and you can create subcategories within categories. BusinessObjects Enterprise provides two types of categories:• Administrative (or corporate) categories are created by the administrator,

or other users who have been granted access to these categories. If you have the appropriate rights, you can create administrative categories.

• Personal categories can be created by each user to organize their own personal documents.

Note: For information about importing existing categories, see “Importing information from BusinessObjects Enterprise 6.x” on page 376.

Creating and deleting categoriesThere are several ways to create new categories in BusinessObjects Enterprise. In the Central Management Console (CMC), go to the Categories management area to create new categories and to add subcategories to the existing hierarchy of category objects.

Creating a new category1. Go to the Categories management area of the CMC.2. Click New Category.3. On the Properties tab, type the name and description of the new category.4. Click Update.

The new category is added to the system, and its Properties tab is refreshed. You can now use the Documents, Subcategories, and Rights tabs to add objects and to change settings for this category.

Creating a new subcategory at any level1. Go to the Categories management area of the CMC.

The initial level of categories is displayed.2. In the Title column, click the link for the category where you want to add

a subcategory.


Organizing ObjectsWorking with categories 14

3. Click the Subcategories tab. Tip: You can browse through existing subcategories to add a new category elsewhere in the hierarchy. When you have found the right parent category, go to its Subcategories tab.

4. Click New Category.5. On the Properties tab, type the name and description of the new folder.6. Click Update.

The new category is added to the system, and its Properties tab is refreshed. You can now use the Documents, Subcategories, and Rights tabs to add objects and to change settings for this category.

Deleting categoriesWhen you delete a category, all subcategories within it are remove entirely from the system. Unlike folder deletion, the reports and other objects contained within the category are not deleted from the system.

To delete categories1. Go to the Categories management area of the CMC.2. Select the check box associated with the category you want to delete.

If the category you want to delete is not at the top level, locate its parent category. Then make your selection on the parent category’s Subcategories tab.Tip: Select multiple check boxes to delete several categories from their parent category.

3. Click Delete, and click OK to confirm.

Moving categoriesWhen you move a category, any object assigned to the category maintains its association with it. All of the category’s object rights are retained. For instance, if you move a private Sales category into a publicly accessible category, the Sales category will remain inaccessible to most users.

To move a category1. Go to the Categories management area of the CMC.2. Select the check box associated with the category that you want move.

If the category you want to move is not at the top level, locate its parent category. Then make your selection on the parent category’s Subcategories tab.



Tip: Select multiple check boxes to copy or move several categories from their parent category to a different category.

3. Click Move.The Move page appears.

4. Select the Destination category from the list.Tip: If there are many categories on your system, use the “Look for” field to search, or click Previous, Next, and Show Subcategories to browse the category hierarchy.

5. Click OK.The category you selected is moved to the new destination.

Adding an object to a new categoryYou can add objects individually to any category in a number of ways. Follow this procedure to add a report to a new category that you have just created. For complete information on publishing reports and other objects, see “Publishing overview” on page 360.

To add a report to a new category1. Once you’ve created the category, click its Documents tab.2. Click New Document.

The New Document page appears.

Removing or deleting objects from a categoryYou can either remove or delete objects from a category. When you remove an object, you remove it from the category only. When you delete an object, you remove it from the category and also delete it from the system.

To remove or delete objects from a category1. Go to the Categories or Personal Categories management area of the

CMC.2. Click the link for the category from which you want to remove or delete an

object.3. Click the Objects tab.4. Select the check box for the object or objects you want to remove or delete.


Organizing ObjectsWorking with categories 14

5. Click either of the following buttons, depending on what you want to do:• Click Remove to remove the object from the category only. In this

case, the object continues to exist in the system.• Click Delete to remove the object from the category and at the same

time delete it from the system.

Specifying category rightsFollow this procedure to change the object rights for a new category that you have just created. By default, new objects that you add to a category inherit the object rights that are specified for the category. For complete information on object rights, see “Controlling users’ access to objects” on page 303.

To specify rights for a new category1. Once you’ve created the category, click its Rights tab.2. Click Add/Remove to add groups or users to this category.

The Add/Remove page appears.3. In the Select Operation list, select Add/Remove Groups, Add Users,

or Remove Users.The page is refreshed and displays options that depend upon whether you are working with users or with groups. The example above shows the options that are available when you are working with groups.

4. Select the user/group whose rights you want to specify and click the arrows to specify whether the user/group does or does not have access to the category.Tip: If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account.

5. Click OK.You are returned to the Rights tab.

6. Change the Access Level for each user or group, as required.Note: For complete details on the predefined access levels and advanced rights, see “Controlling users’ access to objects” on page 303.

7. Click Update.


Managing personal categories
If you are granted the appropriate rights, you can view, edit, and delete users’ personal categories. For more information, see “Managing User Accounts and Groups” on page 235.

To view the Personal Categories1. Go to the Personal Categories management area of the CMC.2. Click the user account whose personal categories you want to view.

A list of the user’s personal categories appears.


Publishing Objects to BusinessObjects Enterprise

chapter

Publishing Objects to BusinessObjects EnterprisePublishing overview15
Publishing overview
Publishing is the process of adding objects such as reports to the BusinessObjects Enterprise environment and making them available to authorized users. There are several types of objects that you can publish to BusinessObjects Enterprise: reports (from Crystal Reports, OLAP Intelligence, and Web Intelligence), programs, Microsoft Excel files, Microsoft Word files, Microsoft PowerPoint files, Adobe Acrobat PDFs, rich text format files, text files, and hyperlinks, as well as object packages, which consist of report and/or program objects. When you publish an object to BusinessObjects Enterprise, an entry is made in the Central Management Server (CMS) database. The Input File Repository Server stores the new object below the \Enterprise\FileStore\Input\ data\ directory. When a user schedules an instance of any object, BusinessObjects Enterprise queries the CMS for the location of the object file; the appropriate server component then retrieves and processes the object file from the Input File Repository. The processed instance is stored by the Output File Repository Server below the \Enterprise\FileStore\Output\data\ directory.Note: Only reports, programs, and object packages can be scheduled. Thus, only these three types of objects have instances.You can publish objects to BusinessObjects Enterprise in three ways:• Use the Publishing Wizard when you:

• Have access to the locally installed application.• Are adding multiple objects or an entire directory.For details, see “Publishing with the Publishing Wizard” on page 362.

• Use the Central Management Console (CMC) when you are:• Publishing a single object.• Taking care of other administrative tasks.• Performing tasks remotely.For details, see “Publishing with the Central Management Console” on page 371.

• Save directly to your Enterprise folders when you are:• Designing reports with Crystal Reports.• Using the OLAP Intelligence Application Designer.• Creating other objects with BusinessObjects Enterprise plug-in

components.For details, see “Saving objects directly to the CMS” on page 373.


Publishing Objects to BusinessObjects EnterprisePublishing overview 15

Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format.

Publishing optionsDuring the publishing process, you specify how often an object is run. You can choose to set a schedule (recurring), or you can choose to let users set the schedule themselves (on demand).For RPT report files, this affects when data is refreshed and what data users see. (You cannot schedule OLAP Intelligence reports (CAR files).)Each publishing option has potential benefits and drawbacks:• Specifying the data that users see (recurring)

This option is recommended for objects that are accessed by a large number of people and that do not require separate database logon credentials.Benefits• Users view the same instance of the report, reducing the number of

times the database is hit (and thus system resources are used more effectively).

• The report instance is static (contains saved data) and is stored on the Cache Server, allowing multiple users to access the report at the same time.

Drawbacks• The report instance the users see is based on the selection criteria

(parameters and record selection formulas) and schedule set by the administrator.

• Allowing users to update the data in the report (on demand)This option is recommended for smaller reports that use parameters and selection formulas, require separate database logon credentials, or have frequent data changes.Benefits• Users are able to determine the frequency in which the data in the

report is updated.Drawbacks• Multiple users generating reports at the same time increases the

load on the system and the number of times the database is hit.• Each unique report page is cached separately. It’s possible that the

Cache Server can contain many copies of the cached report, each of them being generated by hitting the Page Server and database.


Publishing Objects to BusinessObjects EnterprisePublishing with the Publishing Wizard15
Publishing with the Publishing Wizard
The Publishing Wizard is a locally installed, 32-bit Windows application. The wizard is made up of a series of screens. Only the screens applicable to the objects or folders you are publishing appear. For example, the settings for parameters and schedule format do not appear when you publish OLAP Intelligence applications. This section of the guide features a series of procedures to help you through the Publishing Wizard.Once the object has been published, it will appear in the folder you specified in InfoView (or other web desktop) and in the Objects management area of the CMC.Note: Depending on the rights assigned by your BusinessObjects Enterprise administrator, you may not be able to publish objects using the Publishing Wizard.

Logging on to BusinessObjects Enterprise1. From the BusinessObjects Enterprise XI program group, click

Publishing Wizard.2. Click Next.3. In the System field, type the name of the CMS to which you want to add

objects.4. In the User Name and Password fields, type your BusinessObjects

Enterprise credentials.5. From the Authentication list, select the appropriate authentication type.6. Click Next.

The Select Files dialog box appears.

Adding objects1. In the Select Files dialog box, depending on the type of object you are

adding, click either Add Files or Add Folders.2. Navigate to and select the object you want to add.

If you are adding a folder, you can choose to also add its subfolders by selecting the Include Subfolders check box.Tip: Ensure the appropriate file type is listed in the Files of type field; by default this value is set to Report (*.rpt).

3. Repeat steps 1 and 2 for each of the objects you want to add.4. Click Next.


Publishing Objects to BusinessObjects EnterprisePublishing with the Publishing Wizard 15

Note: If the Specify Object Type dialog box appears, choose a file type for each unrecognized object, then click Next.The Specify Location dialog box appears.

Creating and selecting a folder on the CMSTo add the selected objects, you must create or select a folder on the host CMS. Only the folders that you have full control access to will appear.1. In the Specify Location dialog box, click the folder you want to add the

objects to. Click + to the left of the folder to view the subfolders.To add a new folder to the CMS, select a parent folder and then click the New Folder button. The new folder appears and can be renamed.To add a new object package to the CMS, select a parent folder and then click the New Object Package button. The new object package appears and can be renamed.To delete a folder or object package, select the item and click the Delete button.

Note: From the wizard, you can delete only new folders and object packages. (New folders are green; existing folders are yellow.)If you are adding multiple objects and want to place them in separate directories, see “Duplicating the folder structure” on page 364.

2. Click Next.The Confirm Location dialog box appears.


Moving objects between folders
1. In the Confirm Location dialog box, move objects to the desired folders by selecting each object and then clicking Move Up or Move Down.

You can also add folders and object packages by selecting a parent folder and clicking the New Folder or New Object Package button. To delete a folder or object packages, select it and click the Delete button. You can drag-and-drop objects to place them where you want. And you can right-click objects to rename them.By default, objects are displayed using their titles. You can display the objects’ local file names by clicking the “Show file names” button.

2. Click Next when you are finished.The Specify Categories dialog box appears.

Duplicating the folder structureIf you are adding multiple objects from a directory and its subdirectories, you are asked if you want to duplicate the existing folder hierarchy on the CMS.1. In the Specify Folder Hierarchy dialog box, choose a folder hierarchy

option.To place all of the objects in a single folder, select Put the files in the same location.



To recreate all of the folders and subfolders on the CMS as they appear on your hard drive, select Duplicate the folder hierarchy. Choose the topmost folder that you want to include in the folder hierarchy.

2. Click Next.The Confirm Location dialog box appears.

Adding objects to a categoryIf you want to add the selected objects to a category, you can create or select a category on the host CMS.1. In the Specify Categories dialog box, click the category you want to add

the objects to. Click + to the left of the folder to view the subfolders.To add a new category to the CMS, select a parent category and then click the New Category button. The new category appears and can be renamed.

2. In the File list, choose the object that you want to add to the category, then click the Insert File button.To delete a category or to remove an object from a category, select the item and click the Delete button.Note: From the wizard, you can delete only new categories. (New categories are green; existing categories are blue.)

3. Click Next.The Specify Schedule dialog box appears.

Changing scheduling optionsThe Specify Schedule dialog box allows you to schedule each report, program, and/or object package that you are publishing to run at specific intervals.Note: This dialog box appears only for objects that can be scheduled.1. In the Specify Schedule dialog box, select the object you want to schedule.2. Select one of three intervals:

• Run once onlySelecting the “Run once only” option provides two more sets of options:• when finished this wizardThis option runs the object once when you’ve finished publishing it. The object is not run again until you reschedule it.



• at the specified date and timeThis option runs the object once at a date and time you specify. The object is not run again until you reschedule it.

• Let users update the objectThis option does not schedule the object. Instead, it leaves the task of scheduling up to the user.

• Run on a recurring scheduleOnce you have selected this option, click the Set Recurrence button to set the scheduling options.The “Pick a recurrence schedule” dialog box appears.The options in this dialog box allow you to choose when and how often the object runs. Select the appropriate options and click the OK button.

3. Click Next after you have set the schedule for each object you are publishing.

Refreshing repository fieldsThe BusinessObjects Enterprise Repository is a central location which stores shared elements such as text objects, bitmaps, custom functions, universes, and custom SQL commands. You can choose to refresh an object’s repository fields if the object references the repository. To complete this task, the Publishing Wizard needs to connect to your BusinessObjects Enterprise Repository database from the local machine. For details, see “BusinessObjects Enterprise Repository overview” on page 158. For details, see the BusinessObjects Enterprise Administrator’s Guide.Note: The Specify Repository Refresh dialog box appears only when you publish report objects.1. In the Specify Repository Refresh dialog box, select a report, and then

select the Use Object Repository when refreshing report check box if you want to refresh it against the repository.Tip: Click the Enable All button if you want to refresh all objects that reference the repository; click the Disable All button if you want to refresh none of the objects.

2. Click Next when you are finished.



Selecting a program typeThe Program Type dialog box appears only when you publish program objects. For details about program objects and program object types, see “What are report objects and instances?” on page 411the BusinessObjects Enterprise Administrator’s Guide.1. In the Program Type dialog box, select a program.2. Specify one of three program types:

• Binary/Batch Binary/Batch programs are executables such as binary files, batch files, or shell scripts. They generally have file extensions such as: .com, .exe, .bat, .sh. You can publish any executable program that can be run from the command line on the machine where the Program Job Server is running.

• JavaYou can publish any Java program to BusinessObjects Enterprise as a Java program object. They generally have a .jar file extension.

• ScriptScript program objects are JScript and VBScript scripts.

3. Once you have specified the type of each program you are adding, click Next.The Program Credentials dialog box appears.

Specifying program credentials1. In the Program Credentials dialog box, select a program.2. In the User Name and Password fields, specify the user credentials for

the account for the program to run as. The rights of the program are limited to those of the account that it runs as.

3. Once you have specified the user credentials for each program to run as, click Next.The Change Default Values dialog box appears.

Changing default valuesYou can publish objects without changing any of the default properties, or you can go through the remaining screens and make changes.



Note: If you use the default values, your object may not schedule properly if the database logon information is not correct, or if the parameter values are invalid.

To publish objects without making modifications1. Select Publish without modifying properties.2. Click Next through the wizard’s remaining dialog boxes.

To review or modify objects before publishing1. Select Review or modify properties.2. Click Next.

The Review Object Properties dialog box appears.

Changing object properties1. In the Review Object Properties dialog box, select the object you want

to modify.2. Enter a new title or description.3. Select the Generate thumbnail image check box if you want users to

see a thumbnail of a report object before they open it.Tip: The “Generate thumbnail image” check box is available only if the object is an RPT file and was saved appropriately. To display thumbnails for a report, open the report in Crystal Reports and click Summary Info on the File menu. Select the “Save preview picture” check box and click OK. Preview the first page of the report and save your changes.

4. Click Next.The Specify Database Credentials dialog box appears if it is needed.

Entering database logon informationSome objects use data sources that require logon information. If objects you are adding are of this type, follow these steps.1. In the Specify Database Credentials dialog box, double-click the object,

or click + to the left of the object to expose the database.

2. Select the database and change the logon information in the appropriate fields.



If the database does not require a user name or password, leave the fields blank.Note: Enter user name and password information carefully. If it is entered incorrectly, the object cannot retrieve data from the database.

3. Once you have completed the logon information for each object using a different database, click Next.The Set Report Parameters dialog box appears if it is needed.

Setting parametersSome objects contain parameters for data selection. Before such an object can be scheduled, you must set the parameters in order to determine the default prompts.1. In the Set Report Parameters dialog box, select the object whose

prompts you want to change.The object’s prompts and default values appear in a list on the right-hand side of the screen.

2. Click Edit Prompt to change the value of a prompt.Depending on the type of parameter you have chosen, different dialog boxes appear.

3. If you want to set the prompts to contain a null value (where possible), then click Set Prompts to NULL.

4. Click Next after you have finished editing the prompts for each object.The Specify Format dialog box appears.


Setting the schedule output format
You can choose an output format for each scheduled report that you publish. For some of the formats, you can customize the schedule format options.1. In the Specify Format dialog box, select the object whose schedule

format you want to change.2. Select a format from the list (Crystal Report, Microsoft Excel, Microsoft

Word, Adobe Acrobat, and so on).Where applicable, customize the schedule format options. For example, if you select Paginated Text, enter the number of lines per page.

3. Click Next.

Adding extra files for programsSome programs require access to other files in order to run.1. Select a program.2. Click Add to navigate to and select the necessary file.3. Once you have added all necessary extra files for each program, click

Next.The Command line for Program dialog box appears.

Specifying command line argumentsFor each program, you can specify any command-line arguments supported by your program’s command-line interface. They are passed directly to the command-line interface, without parsing.1. Select a program.2. In the Command line area, type the command-line arguments for your

program, using the same format you would use at the command line itself.

3. Once you have specified all necessary command-line arguments for each program, click Next.

Finalizing the objects to be addedAfter you have provided all of required information for the objects, the Publishing Wizard displays a final list of the objects that it is going to publish.


Publishing Objects to BusinessObjects EnterprisePublishing with the Central Management Console 15

1. After ensuring all the objects you want to publish have been added to the list, click Next.The objects are added to the CMS, scheduled, and run as specified. When the processing is done, you are returned to the final screen of the Publishing Wizard.

2. To view the details for an object, select it from the list.3. Click Finish to close the wizard.

Publishing with the Central Management Console

If you have administrative rights to BusinessObjects Enterprise, you can publish objects over the Web from within the CMC.

To add an object with the CMC1. Go to the Objects management area of the CMC.2. Click New Object.

The New Object page appears, with the Report properties displayed.

3. On the left side of the page, click the type of object you want to add.4. Enter the object’s properties.


Publishing Objects to BusinessObjects EnterprisePublishing with the Central Management Console15

The properties that appear vary according to the type of object you are adding:

Property Object Types Description

File name Report, Program, Microsoft Excel, Microsoft Word, Microsoft PowerPoint, Adobe Acrobat, Text, Rich Text

Type the full path to the object, or click Browse to perform a search.

Title Object Package, Hyperlink Type the name of the object.Description Object Package, Hyperlink Type a description of the object.Generate thumbnail for the report

Report If you do not want the user to see a thumbnail preview of the report in BusinessObjects Enterprise, clear the “Generate thumbnail for the report” check box.Tip: To display thumbnails for a report, open the report in Crystal Reports and click Summary Info on the File menu. Select the “Save preview picture” check box and click OK. Preview the first page of the report and save your changes.

Use Object Repository when refreshing report

Report Select this option to automatically refresh an object's repository fields against the repository each time the report runs.

Program Type Program Select Executable, Java, or Script. Tip: • Run Java programs as Java program

objects.• Run JScript and VBScript programs as

Script program objects.• Run all other programs as Executable

program objects.URL Hyperlink Type the URL address of the page you want

the hyperlink object to link to.


Publishing Objects to BusinessObjects EnterpriseSaving objects directly to the CMS 15

5. If you want to place the object in a category, select the category from the list.

6. Ensure that the correct folder or object package name appears in the Destination field.Tip: • To expand a folder, select it and click Show Subfolders.• To search for a specific folder or object package, use the Look For

field.Note: Only report and program objects can be published to object packages.

7. Click OK.When the object has been added to the system, the CMC displays the Properties screen. If necessary, you can now modify the object’s properties, such as its title and description, the database logon information, scheduling information, user rights, and so on.

Saving objects directly to the CMSIf you have installed one of the Business Objects designer components, such as Crystal Reports or OLAP Intelligence, you can use the Save As command to add objects to BusinessObjects Enterprise from within the designer itself.For instance, after designing a report in OLAP Intelligence, click Save As on the File menu. In the Save As dialog box, click Enterprise Folders; then, when prompted, log on to the Central Management Server (CMS). Specify the folder where you want to save the report and click Save.


Publishing Objects to BusinessObjects EnterpriseSaving objects directly to the CMS15


Importing Objects to BusinessObjects Enterprise

chapter

Importing Objects to BusinessObjects EnterpriseImporting information16
Importing information
The Import Wizard is a locally installed Windows application that allows you to import existing user accounts, groups, folders, and reports to your new BusinessObjects Enterprise system. The Import Wizard runs only on Windows, but you can use it to import information from a source environment that is running on Windows or UNIX to a new BusinessObjects Enterprise system that is running on Windows or on UNIX. You can import information from any of these products:• BusinessObjects Enterprise XI• BusinessObjects Enterprise 6.x• Crystal Enterprise 10• Crystal Enterprise 9• Crystal Enterprise 8.5• Crystal Enterprise 8 • Crystal Info 7.5 The functionality provided by the Import Wizard varies, depending upon the product from which you are importing information. In general, the Import Wizard imports settings that are specific to each object, rather than global system settings. For instance, a global “minimum number of characters” password restriction is not imported. But a user-level “must change password at next log on” restriction is imported with the user account. For details, see the section for the product from which you are importing information:• “Importing information from BusinessObjects Enterprise 6.x” on page 376• “Importing information from Crystal Enterprise” on page 382• “Importing information from Crystal Info” on page 386.For procedural details, see “Importing with the Import Wizard” on page 388.

Importing information from BusinessObjects Enterprise 6.x

If you have upgraded from BusinessObjects Enterprise 6.x, use the Import Wizard to import existing user accounts, groups, categories, Web Intelligence documents, universes, connection objects, universe restriction sets, and third-party documents to BusinessObjects Enterprise XI.


Importing Objects to BusinessObjects EnterpriseImporting information from BusinessObjects Enterprise 6.x 16

Before importing from BusinessObjects Enterprise 6.xBefore you use the Import Wizard to import data into the new BusinessObjects Enterprise XI system, you need to perform the following steps:• Make sure the Import Wizard is deployed on a Windows machine.

Use the Custom installation if you want to install only the Import Wizard on a machine.

• If you are importing from a BusinessObjects Enterprise 6.x source environment, create data sources on the destination machine for every domain that is part of the source deployment. The name and configuration details for the data sources must match the data sources in the source deployment.

• On the machine that is running the Import Wizard, map drives to the following folders (where installdir represents the BusinessObjects Enterprise 6.x installation directory).• installdir/nodes/<name of node>/mycluster/locdata

Map this folder for access to the .key files.• installdir/nodes/<name of node>/mycluster/user

Map this folder if you are importing personal documents and categories.

• installdir/nodes/<name of node>/mycluster/mail Map this folder if you are importing the content of users’ Inbox folders.

• Back up all repositories in the source deployment.Note: The Import Wizard modifies BusinessObjects Enterprise 6.x repositories to make them consistent with version 6.5 format before importing data into BusinessObjects Enterprise XI. If you need to access the repositories from a 6.x deployment, you will need to restore them from your backup copies.

• Stop all servers in the source deployment.• Start the following servers in the BusinessObjects Enterprise XI

deployment:• Central Management Server• Input File Repository Server and Output File Repository Server


Importing Objects to BusinessObjects EnterpriseImporting information from BusinessObjects Enterprise 6.x16
Importing objects from BusinessObjects Enterprise 6.x
The following sections describe what happens to objects that have been imported from BusinessObjects Enterprise 6.x into BusinessObjects Enterprise XI. Generally, the Import Wizard imports the object if it is an object type that is supported by BusinessObjects Enterprise XI. By default, an imported object will not overwrite an object with the same name that is already stored in the BusinessObjects Enterprise XI CMS database.

UniversesYou can import universes into the BusinessObjects Enterprise repository. There are two ways to import the universes:• Import all universes, connections, and associated objects.

You must import all the universes in one batch. You cannot select individual universes or connections to import.

• Import only universes, connections, and objects that are associated with the documents you are importing. Known as document dependency, this option imports only the objects used by the Web Intelligence documents that you are importing. You can also use this option if you want to import a subset of selected universes and their dependencies.

When you import a universe, the Import Wizard also imports connection objects associated with the universe. It also imports universe restriction sets associated with the universe (if the restriction sets are associated with users or groups that are being imported). When you select a Web Intelligence document to import, the Import Wizard automatically selects the associated universe for import. You can select additional universes for import.Note: • Universe domains are converted into folders under the Universe folder.

Each universe folder will be named after the corresponding Business Objects 6.x universe domain. When you import a universe from a domain, it is placed in the corresponding domain folder.

• When you import BusinessObjects Enterprise 6.x universes, the associated connections are imported automatically. They are converted into connection objects.

• When you import connection objects from BusinessObjects Enterprise 6.x, ensure that the Import Wizard can access the database the same way that the BusinessObjects Enterprise 6.x accesses it. This may involve installing database drivers or configuring connection settings on the machine.



For example, if you import SQL Server connection objects from a BusinessObjects Enterprise 6.x source environment, you must configure the connections on the destination machine via the Control Panel before you import the connection objects. You must use the exact same name and settings as the connection used on the source machine when you created the domain key.

• If a selected universe is a derived universe, then all relevant core universes and their connections will also be imported.

• For more information about importing universes, see “Selecting information to import” on page 391.

Universe restriction setsThe Import Wizard automatically migrates all universe restriction sets that are associated with the imported universes for any of the selected users and groups being imported. If no principal users or groups are selected for import, no restriction sets are imported. Because of the differences between restriction sets in BusinessObjects Enterprise 6.x and BusinessObjects Enterprise XI (and how they handle rights aggregation), the Import Wizard may create additional restriction sets on the destination deployment in order to preserve the restriction sets for all imported users. When restriction sets are migrated, they are converted into objects. They remain connected to the universes that they were connected to on your existing installation. Universe restriction sets are migrated using both object names and object IDs to identify universe components.

Users and groupsAll existing BusinessObjects Enterprise 6.x users and groups can be migrated to BusinessObjects Enterprise XI. Users are imported into the BusinessObjects Enterprise repository. For each BusinessObjects Enterprise 6.x user, BusinessObjects Enterprise XI creates a user folder, a personal category, and an Inbox folder.User profiles from BusinessObjects Enterprise 6.x are mapped to default groups in BusinessObjects Enterprise XI as follows:

BusinessObjects Enterprise 6.x user profile

BusinessObjects Enterprise XI default group

• All user profiles Added to the Everyone group.• General Supervisor Added to the Administrators group.


Importing Objects to BusinessObjects EnterpriseImporting information from BusinessObjects Enterprise 6.x16

If you want to preserve security settings that are assigned to an imported object, select all users and groups that are principals on the selected object and ensure that you select the “Enforce rights fidelity” option in the Import Wizard. The “Enforce rights fidelity” option ensures that the effective rights match between the source and destination environments. If effective rights in the source and destination environments do not match for a principal on an object, the Import Wizard sets the effective rights as determined by aggregation rules in the source deployment for the principal user or group on the object in the destination deployment.Whenever possible, BusinessObjects Enterprise 6.x security settings are preserved in BusinessObjects Enterprise XI. If a BusinessObjects Enterprise 6.x right does not map exactly to a BusinessObjects Enterprise XI right, the right will not be granted to the user. Note: • The Import Wizard migrates external users and groups (LDAP or

Windows AD users and groups, for example). • For more information about the migration of security settings, see the

BusinessObjects Enterprise Installation Guide.

Folders, domains, and categoriesUniverse and document domains are converted to folders named after the respective domains. Objects corresponding to the universes and documents contained in these domains are imported to these folders. By default, BusinessObjects Enterprise XI creates folders for Categories and Personal Categories and preserves the hierarchy of subcategories. Corporate (or administrative) categories are imported as categories under the Categories folder. For each imported user, selected personal categories are imported to a new subfolder (named after the user) under the Personal Categories folder.

• Supervisor Granted appropriate rights on all imported objects, but not added to the Administrators group.

• Designer Added to the Universe Designer Users group.

• Supervisor-Designer Added to the Universe Designer Users group.

• User/Versatile Added to the Everyone group.

BusinessObjects Enterprise 6.x user profile

BusinessObjects Enterprise XI default group



Personal categories can be imported only as part of a batch import. You can select individual corporate categories and import Web Intelligence documents grouped by corporate category.

DocumentsTo have access to a Web Intelligence document from the Import Wizard, the user must be granted access to the document in BusinessObjects Enterprise 6.x, and the user must be a member of the group to which the document is assigned.You can select which domains or documents you want to import into BusinessObjects Enterprise. When you select a document, the document's domain is also imported. Documents (and universes) cannot be imported without importing the domain.Note: If you import a large number of Web Intelligence documents from your existing BusinessObjects Enterprise 6.x deployment, it may require significant processing time.

BusinessObjects (.rep) documentsBusinessObjects (.rep) documents, also known as “full-client” documents, are not supported in BusinessObjects Enterprise XI. Therefore, you must migrate your .rep documents to Web Intelligence (.wid) format—in a separate procedure—before migrating the system.To migrate .rep documents to .wid format, you can use the Report Migration Utility, delivered with the BusinessObjects 6.x suite. Instructions are in the Report Migration Utility guide.

Inbox documentsVersion 6.x Inbox documents are migrated to the user’s Inbox folder in BusinessObjects Enterprise.

Inbox rights• Everyone [Add Document]• Administrators [Full Control]• Owner [Full Control]

Personal DocumentsYou can import BusinessObjects Enterprise 6.x Personal documents to BusinessObjects Enterprise. These documents are added to the user’s Favorites folder.


Importing Objects to BusinessObjects EnterpriseImporting information from Crystal Enterprise16

Third-party documentsBusinessObjects Enterprise 6.x supports third-party (agnostic) documents. The Import Wizard migrates these documents into BusinessObjects Enterprise XI if the format is supported. Supported formats are: Adobe Acrobat PDF; Microsoft PowerPoint, Word, RTF, and Excel; and *.txt documents.

TimestampsTimestamps are not migrated from BusinessObjects Enterprise 6.x to BusinessObjects Enterprise XI.

Importing information from Crystal EnterpriseIf you have upgraded from Crystal Enterprise, use the Import Wizard to import existing user accounts, groups, folders, report objects, and report instances to BusinessObjects Enterprise XI.You can also use the Import Wizard to import information from an existing version XI installation to a new version XI installation. When doing so, you have the additional option of importing calendars, events, repository objects, and server groups. Events and server groups can also be imported from a version 8.5 or 9 installation.When using the Import Wizard, if any of an object’s dependencies are not imported, the wizard makes appropriate modifications to the object (in most cases, the dependency is removed). For example, if a user has Full Control rights on an object, but the user is not imported, the Full Control right for that user is discarded when the object is imported. In the case of objects brought across without their owners, the Administrator becomes the new owner of the objects.As another, more involved example, User A owns an object and has Full Control rights while User C has View rights on the same object. If User D runs the Import Wizard and brings the object across along with User C, but not User A, the object becomes owned by the Administrator: User A loses Full Control rights, but User C still has View rights on the object.Note: Always import users if you want to bring across the associated rights for an object, even if the user already exists in the destination system. If the user already exists, the Import Wizard maps all rights for the user on the source system to the existing user on the destination system. If the user is not brought across, all rights information for that user is discarded.


Importing Objects to BusinessObjects EnterpriseImporting information from Crystal Enterprise 16

Importing objects from Crystal EnterpriseThe following sections describe what happens to the objects that are imported from a Crystal Enterprise 8.x system. Generally, if the object will not overwrite an object that is already in the BusinessObjects Enterprise system, then the Import Wizard imports the object.

Users and groupsThe Import Wizard imports users and groups and their hierarchical relationships. A user or group is imported only if it does not exist already by name.If you import a group that already exists in the destination environment, the list of group members is updated with any additional users who were members of the group in the source environment. These additional users are added to BusinessObjects Enterprise if their accounts do not exist already.User licensing can affect the behavior of the Import Wizard. If the source environment uses Concurrent licensing, the wizard imports all users as Concurrent Users. However, if the source environment uses Named User licensing, the wizard first checks the number of Named User license keys in the destination environment. If there are enough Named User licenses in the destination environment, the wizard imports all users as Named Users. If there are not enough Named User licenses in the destination environment, the wizard imports all users as Concurrent Users. For more information about licensing, see “Licensing overview” on page 514the BusinessObjects Enterprise Administrator’s Guide.Note: BusinessObjects Enterprise XI does not include a New Sign-Up feature. However, if your Crystal Enterprise source environment includes users that belong to the New Sign-Up group, the group is migrated to the destination BusinessObjects Enterprise XI environment.

AliasesIf a user in the destination system has an alias that is identical to a user who is being imported, the destination user keeps all aliases, and the imported user loses that particular alias.

Windows ADWhen importing users that employ Windows Active Directory authentication, ensure that the administrative credentials are the same on both the source and destination systems. Active Directory authentication must also be enabled on the destination system.


Importing Objects to BusinessObjects EnterpriseImporting information from Crystal Enterprise16

LDAPWhen importing users that employ LDAP authentication, the Host list and Base LDAP name need to be the same on both the source and destination systems. LDAP authentication must also be enabled on the destination system.

FoldersFolders are imported, whether or not they exist already in the destination environment. To ensure that existing folders are not overwritten, make sure you choose the “Automatically rename top-level folders that match top-level folders on the destination system.” option in the “Please choose an import scenario” dialog box. When this option is selected, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies. For example, if you import a folder called Sales Reports when a folder called Sales Reports already exists, then the imported folder is added to BusinessObjects Enterprise with the name Sales Reports(2).

Report objectsThe Import Wizard can import Crystal report objects only if they are based on native drivers, ODBC data sources, OLAP data sources, Crystal Info Views, or Business Views. You can import the report instances for each report object, and the scheduling patterns that you have set up in the source environment are imported automatically.Supported reports are always imported with their parent folders, whether or not they exist already in the destination environment. However, so as not to overwrite existing folders, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies.When you import content from one deployment to another, you can ensure that a particular user account retains ownership of its objects and scheduled instances by importing the user along with the content. If you don’t import the user account, the ownership properties of its objects and instances are reset to your current administrative account. In the SDK, ownership is reflected by an object’s SI_OWNERID property and by a scheduled instances’s SI_SUBMITTERID properties.

RightsWhen you import folders and reports from one BusinessObjects Enterprise system to another, the associated object rights are imported for every user or group who is imported at the same time. If the user or group is not imported at the same time, the object rights are discarded. For instance, suppose that you import a report that explicitly grants View On Demand rights to the Everyone group in the source environment—but you do not import the Everyone group.


Importing Objects to BusinessObjects EnterpriseImporting information from Crystal Enterprise 16

In this case, the newly imported report in the destination environment will not grant the same explicit rights to the Everyone group. Instead, the report inherits any rights that have been set on its parent folder.If you do import the appropriate user or group, and it already exists by name in the destination environment, then the corresponding object rights are imported and applied to the existing user or group. For instance, modifying the example above, suppose that you import the report and the Everyone group. In this case, the Import Wizard imports the object rights along with the report. So the newly imported report in the destination environment will explicitly grant the View On Demand right to the Everyone group.

Events and server groupsWhen you use the Import Wizard to import information from a Crystal Enterprise 8.5 or later system, you have the additional option to import events and server groups from the source environment.When importing server groups, the wizard does not bring across the servers that belong to that group. You need to manually add servers to the imported group in the Central Management Console (CMC). For more information about how to do this, see the BusinessObjects Enterprise Administrator’s Guide.Note: • When importing report objects associated with a server group, if the server

group exists on the destination system, the report objects are added to the existing group and the source system’s server group is not imported.

• If you have jobs scheduled or pending on a server or server group that you are importing, you might notice odd behavior on the destination system with the individual jobs involved until they run or time out.

Objects that have server group restrictions lose the restrictions if the objects are imported and the server group is not. For example, if a report is scheduled to run only under server group A and that server group is not imported, the report loses that restriction and will run under any server group. You need to import the server group at the same time as the objects that use it to keep the relationship between them.The same logic applies for events: if an object is set up to wait for an event or to trigger an event, you need to import the event at the same time as the object. Otherwise, the object is imported without the dependency and no longer waits for, or triggers, the event.Note: • If Event A is being imported from the source system but there is already

an Event A on the destination system, and it is a different type (for


Importing Objects to BusinessObjects EnterpriseImporting information from Crystal Info16

example, a File event instead of a Custom event), the wizard removes the dependency on Event A from the object when it is imported.

• Events are based on Event Servers and, since servers are not imported, you need to manually reset the event server and file name information on the event in the destination system. Once this is set, the event should work as expected.

Importing information from Crystal Info

Importing objects from Crystal InfoThe following sections describe what happens to objects that have been imported from Crystal Info to BusinessObjects Enterprise. Generally, if the Crystal Info object is of a type that is supported within BusinessObjects Enterprise, and if the Crystal Info object will not overwrite an object that is already in the BusinessObjects Enterprise system, then the Import Wizard imports the object.Note: Users who are accessing your Crystal Info implementation when you are importing objects to BusinessObjects Enterprise might experience a delay.

Users and groupsThe Import Wizard imports users and groups and their hierarchical relationships as they exist in Crystal Info. A user or group is added to BusinessObjects Enterprise only if it does not exist already by name.If you import a group that already exists in BusinessObjects Enterprise, the list of group members is updated with additional users who were members of the Crystal Info group. These additional users are added to BusinessObjects Enterprise if their accounts do not exist already.User licensing can affect the behavior of the Import Wizard. If the source environment uses Concurrent licensing, the wizard imports all users as Concurrent Users. However, if the source environment uses Named User licensing, the wizard first checks the number of Named User license keys in the destination environment. If there are enough Named User licenses in the destination environment, the wizard imports all users as Named Users. If there are not enough Named User licenses in the destination environment, the wizard imports all users as Concurrent Users. For more information about licensing, see “Licensing overview” on page 514the BusinessObjects Enterprise Administrator’s Guide.


Importing Objects to BusinessObjects EnterpriseImporting information from Crystal Info 16

FoldersFolders are imported, whether or not they exist already in BusinessObjects Enterprise. To ensure that existing folders are not overwritten, make sure you choose the “Automatically rename top-level folders that match top-level folders on the destination system” option in the “Please choose an import scenario” dialog box. When this option is selected, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies. For example, if you import a folder called Sales Reports, when a folder called Sales Reports already exists in BusinessObjects Enterprise, then the imported folder is added to BusinessObjects Enterprise with the name Sales Reports(2).

Report objectsThe Import Wizard can import Crystal report objects only if they are based on native drivers, ODBC data sources, or OLAP data sources.Supported reports are always imported with their parent folders, whether or not they exist already in the destination environment. However, so as not to overwrite existing folders, the Import Wizard appends a number to the end of any duplicated folder names to indicate the number of copies.The Import Wizard can import successful instances and some recurring instances from Crystal Info systems. Recurrence patterns that cannot be automatically recreated within BusinessObjects Enterprise are written to the log file created by the Import Wizard.When you import reports based on a Crystal Info View, you are prompted to save the report files. Choose a specific folder where you want to save these reports. You can then run a conversion utility on all reports in that folder to convert them to use metadata. After converting the reports, you can publish them to BusinessObjects Enterprise with the Publishing Wizard.

RightsBusinessObjects Enterprise enforces security through object rights, which differ from the user rights used within Crystal Info. Consequently, the Import Wizard does not import any of the folder security that is set up within the Crystal Info environment.If you transfer reports from Crystal Info to BusinessObjects Enterprise, the rights associated with the report are not transferred, only the ownership. If the owner of a report is the Administrators group, the Administrators group will have Full Control access to it. If the owner of the report is not an administrator, the report will be transferred and the View On Demand access mode will be associated with the report.


Importing Objects to BusinessObjects EnterpriseImporting with the Import Wizard16
Other objects
The Import Wizard cannot import Crystal Info objects that are not supported by BusinessObjects Enterprise. Such objects include report packages, query objects, Info cubes, Open OLAP cubes, Holos Applications, and Crystal reports based on query files.

Importing with the Import WizardThe Import Wizard provides a series of screens that guide you through the process of importing user accounts, groups, folders, and reports. The screens that appear depend on the source environment and the types of information that you choose to import.When you import information, you first connect to the Central Management Server (CMS) of your existing installation (the source environment) and specify the CMS of your new BusinessObjects Enterprise system (the destination environment). You then select the information that you want to import, and the Import Wizard copies the requested information from the source to the destination.You can choose to merge the contents of the source repository into the destination repository, or you can update the destination with the contents of the source CMS.Before starting this procedure, ensure that you have the Administrator account credentials for both the source and the destination environment. The overall process is divided into the following procedures:• “Specifying the source and destination environments” on page 388• “Selecting information to import” on page 391• “Importing objects with rights” on page 393• “Choosing an import scenario” on page 393• “Importing specific objects” on page 395• “Finalizing the import” on page 400

Specifying the source and destination environmentsThis procedure shows how to specify a source environment and a destination environment using the initial screens of the Import Wizard.

To specify the source and destination environments1. From the BusinessObjects Enterprise program group, click Import

Wizard.2. Click Next.


Importing Objects to BusinessObjects EnterpriseImporting with the Import Wizard 16

The “Specify source environment” dialog box appears.3. In the Source list, select the product from which you want to import

information. The available options are:• Crystal Info 7.5• Crystal Enterprise 8• Crystal Enterprise 8.5• Crystal Enterprise 9• Crystal Enterprise 10• BusinessObjects Enterprise 6.x• BusinessObjects Enterprise XIYou are prompted for administrative account information. The fields that appear depend on the type of source environment you chose.

4. If your source environment is Crystal Info, Crystal Enterprise 10 or earlier, or BusinessObjects Enterprise XI:• In the CMS Name field, type the name of the source environment’s

CMS (Central Management Server).• Type the User Name and Password that provide you with

administrative rights to the source environment.This example imports information from BusinessObjects Enterprise XI.



5. If your source environment is BusinessObjects Enterprise 6.x:• Type the User Name and Password that provide you with

administrative rights to the source environment. Note: You must have the General Supervisor profile.

• In the Domain key file field, provide the full path of the domain file for the BusinessObjects Enterprise system, or click the browse button to select the domain file.

6. Click Next.The “Specify destination environment” dialog box appears.

7. In the CMS Name field, type the name of the destination environment’s Central Management Server.

8. Type the User Name and Password of an Enterprise account that provides you with administrative rights to the BusinessObjects Enterprise system; then click Next.

The “Choose objects to import” dialog box appears.



Selecting information to importThis procedure shows how to select the users, groups, folders, and reports that you want to import. If you have not already started the Import Wizard, see “Specifying the source and destination environments” on page 388.

To choose which objects to import1. In the “Choose objects to import” dialog box, select the check box (or

boxes) corresponding to the information you want to import:• Import users and user groups

• Import inbox documents• Import personal categories• Import personal Web Intelligence documents• Import favorite folders for selected users• Import application rights

• Import corporate categories• Import corporate Web Intelligence documents• Import folders and objects

• Import discussions associated with the selected reports• Import events• Import server groups• Import repository objects• Import calendars• Import universesNote: The options available depend on the version of the source environment. Events and server groups can be imported from Crystal Enterprise 8.5 or later. Repository objects and calendars can be imported from Crystal Enterprise 10. Universes, categories, and Web Intelligence documents can be imported from BusinessObjects Enterprise 6.x. All object can be imported from BusinessObjects Enterprise XI.

2. Click Next.3. If the “Import personal documents and inbox documents” dialog box

appears, provide the paths for your personal and/or inbox documents.Note: You do not need to provide a path for corporate documents because they are stored in the repository.

4. If the “Import universe and connection objects” options dialog box appears, choose an import option:



• Import all universes, connections, and associated objects.This option imports all universes from the source environment in one batch. You cannot select individual universes or connections to import.

• Import only the universes and connection objects that are associated with the documents you are importing. Known as document dependency, this option imports only the objects used by the Web Intelligence documents that you are importing. You can also use this option if you want to import a subset of selected universes and their dependencies.

5. Click Next.The “Import Object Principals Option” dialog box appears.



Importing objects with rightsIf you import objects that already have rights assigned to them, you need to import the users and groups that have been granted these rights. To preserve the rights from the source system, enable the rights fidelity setting in the Import Wizard. If you enable rights fidelity, the rights on the destination system will closely match those on the source system. The setting also affects how the system handles duplicate objects. If you enable rights fidelity, users and groups from the source system overwrite users and groups that have the same name on the destination system. If you do not enable rights fidelity, the Import Wizard prompts you to either merge or update users and groups that have the same name on both the source and destination systems. If you enable rights fidelity, only the update option is available.

To enable rights fidelity1. In the “Import Object Principals Option” dialog box, select the “Enforce

rights fidelity” option.

2. Click Next. The “Please choose an import scenario” dialog box appears. Proceed to “Choosing an import scenario” on page 393.

Choosing an import scenarioYou can merge the source and destination systems, or you can add the source system’s information to the destination system without merging.



Merging systemsIf you merge the source and destination systems, the Import Wizard adds all objects from the source system into the destination CMS without overwriting objects in the destination. Note: This is the safest import option. All of the objects in the destination system are preserved. Also, at a minimum, all objects from the source system with a unique title are copied to the destination system.

Updating the destination systemYou can add the source system’s information to the destination system without merging. When you update the contents of the destination system using the source system as a reference, you add all objects in the source system to the destination CMS. If an object in the source system has the same unique identifier as an object in the destination, the object in the destination is overwritten. For more information about merging and updating systems, see “Importing data from a Crystal Enterprise 10 or BusinessObjects Enterprise XI CMS” on page 158the Crystal Repository chapter in the BusinessObjects Enterprise Administration guide.

To choose an import scenario1. In the “Please choose an import scenario” dialog box, choose the type of

import you want.

To merge the source and destination systems, choose “I want to merge the source system into the destination system.”



To add the source system’s information to the destination system without merging, choose “I want to update the destination system by using the source system as a reference.”

2. Click Next.If you are prompted to select specific objects for import, proceed to “Importing specific objects” on page 395.If the “Information collection complete” dialog box appears, proceed to “Finalizing the import” on page 400.

Importing specific objectsIf you chose to import users, groups, domains, Web Intelligence documents, categories, universes, folders, or repository objects, you are prompted to choose the specific objects you want to import. You can import all of the objects or select individual objects.

To select users and groups1. If you chose to import users and groups, the “Select Users and Groups”

dialog box appears. In the Groups list, select the groups that you want to import.

2. In the Subgroups and Users list, select specific members of any group. 3. Click Next.

This example imports all but one of the users in the Administrators group.

4. If the “Import Groups Option” dialog box appears, choose how you want to map third-party groups, and click Next.



Note: • Ensure that the third party authentication is configured the same way

on both the source and destination environments. • If you are importing third-party (or external) users and groups from

BusinessObjects Enterprise 6.x, you need to determine how these users will be handled upon import into BusinessObjects Enterprise XI. For information about setting alias creation and assignment for LDAP and Active Directory users, see “Managing User Accounts and Groups” on page 235.

To select categories• If you chose to import categories, the “Select categories” dialog box

appears. Select the check boxes for the categories that you want to import, then click Next.The Import Wizard imports the selected categories and the objects that belong to the categories.

To select domains and Web Intelligence documents• If you chose to import Web Intelligence documents, the “Select Domains

and Web Intelligence documents” dialog box appears. Select the check boxes for domains or individual documents that you want to import, then click Next.



To select universes or universe folders1. If you chose to import a subset of the universes from the source

environment, the “Select Universe Folder and Universes” dialog box appears. Select the check boxes for the universes that you want to import, then click Next.

Note: When you import a universe, its connection objects are imported automatically. Before you can import connection objects from BusinessObjects Enterprise 6.x, ensure that the Import Wizard can access the database the same way that the source environment



accesses it. This may involve installing database drivers or configuring connection settings on the machine. For example, if you import SQL Server connection objects from a BusinessObjects Enterprise 6.x source environment, you must configure the connections on the destination machine via the Control Panel before you import the connection objects. You must use the exact same name and settings as the connection used on the source machine when you created the domain key.

2. If the universe uses a connection object that is associated with a secure connection that was created with the “Use Business Objects username and password” option selected, the “Connection SSO Option” dialog box appears. Select the connection object, provide your connection information, and click Next.If your database supports Kerberos authentication, you can specify logon credentials for database access during scheduling, and you can enable Single Sign-On for database access during viewing and designing.Note: • SSO can be enabled, but you do not need to provide SSO

information for described connections. • You can specify logon credentials for access when scheduling, and if

SSO is not enabled, these credentials will also be used for access when viewing Web Intelligence documents or designing universes.

• You can enable SSO only for connections that support Kerberos SSO in BusinessObjects Enterprise XI.

To select folders and objects• If you chose to import folders and objects, the “Select Folders and

Objects” dialog box appears. Select the check boxes for the folders and reports that you want to import. Then click Next.Tip: You can also choose to “Import all instances of each selected report and object package.”This example imports the Report Samples folder and a subset of its contents.



To select repository objects• If you chose to import repository objects, the “Import repository objects

options” dialog box appears. Choose an importing option for repository objects, then click Next.


Finalizing the import
1. When the “Information collection complete” dialog box appears, click Finish to begin importing the information.The “Import Progress” dialog box displays status information and creates an Import Summary while the Import Wizard completes its tasks.

2. If the import summary shows that some information was not imported successfully, click View Detail Log for a description of the problem. Otherwise, click Done.Note: The information that appears in the Detail Log is also written to a text file called ImportWiz.log, which you will find in the directory from which the Import Wizard was run. By default, this directory is: C:\Program Files\Business Objects\BusinessObjects

Enterprise 11\win32_x86\

The log file includes a system-generated ID number, a title that describes the imported information, and a field that describes the action and the reason why it was taken.


Managing Objects

chapter

Managing ObjectsManaging objects overview17
Managing objects overview
There are several types of objects that can exist in BusinessObjects Enterprise: reports, Web Intelligence documents, programs, Microsoft Excel files, Microsoft Word files, Microsoft PowerPoint files, Adobe Acrobat PDFs, rich text format files, text files, and hyperlinks, as well as object packages, which consist of report and/or program objects. After publishing objects to BusinessObjects Enterprise, you manage them through the Central Management Console (CMC) by going to the Objects management area. Tip: • Go to the Object management area by clicking the Objects link on the

CMC Home page.• Use folders to organize and facilitate object administration for you and

your users. For more information, see “Managing User Folders” on page 353.

This chapter is broken up into four sections:• “General object management” on page 403

This section describes general object management concepts that apply to all objects, such as moving, copying, and deleting objects. It also describes how to search for objects, how to modify object properties, and how to set object rights for users and groups.

• “Report object management” on page 411This section explains report objects and instances, and how to manage them through the Central Management Console (CMC). Managing report objects includes applying processing extensions, specifying alert notification, changing database information, updating parameters, using filters, and working with hyperlinked reports.

• “Program object management” on page 436This section explains program objects and instances, and how to manage them through the Central Management Console (CMC). Additionally, this section covers type-specific program object configuration, and security considerations for program objects.

• “Object package management” on page 444This section explains object packages and instances, and how to manage them through the Central Management Console (CMC). Additionally, this section explains how to create an object package and how to add objects to an object package.


Managing ObjectsGeneral object management 17

General object managementThis section describes general tasks related to managing objects and their instances. It includes the following sections:• “Copying, moving, or creating a shortcut for an object” on page 403• “Deleting an object” on page 405• “Searching for an object” on page 405• “Sending an object or instance” on page 406• “Changing properties of an object” on page 408• “Assigning an object to categories” on page 410Tip: You can also manage an object by going to the Folders management area in the CMC, selecting a folder (and any subfolders) by clicking the appropriate link(s), and selecting the object that is located under the Object Title column. See Chapter 14: Organizing Objects.Note: For information setting the rights for an object, see “Setting object rights for users and groups” on page 303.

Copying, moving, or creating a shortcut for an objectUse this procedure to copy or move an object, or to create a shortcut to an object within BusinessObjects Enterprise:• “Copy” creates another copy of the object in a different location. The new

copy of the object inherits all object rights from its new parent folder. You use copy, for example, when scheduling objects by using an object package, to copy the objects to the package. See “Scheduling objects using object packages” on page 455.

• “Move” changes the location of the object from one folder to another. The object retains its original set of object rights.

• “Create shortcut” enables you to create an alternate, more convenient, access route for an object. You can also create a shortcut to give users access to the object when you don’t want them to access the folder that the actual object is located in. The shortcut inherits object rights from its parent folder. However, the shortcut object rights do not override the rights of the original object. For example, if a user does not have rights to schedule a report, they are not able to schedule that report even through a shortcut that allows them full rights.


Managing ObjectsGeneral object management17

To copy, move, or create a shortcut for an object1. Go to the Objects management area of the CMC.2. Select the check boxes associated with the object(s) you want to copy,

move, or create a shortcut for.3. Click Copy/Move/Shortcut.

The Copy/Move/Create Shortcut page appears.

4. Select one of the following options:• Copy to• Move to• Create shortcut inTip: You may want to create a shortcut if you want to give someone access to an object without giving that user access to the entire folder that the object is located in. After you create the shortcut, users who have access to the folder where the shortcut is located can access this object and its instances. For more information on folder rights, see “Specifying folder rights” on page 350.

5. Select the appropriate destination folder; then click OK.Tip: • To expand a folder, select it and click Show Subfolders.• To search for a specific folder or object package, use the Look For

field.



Deleting an objectThis procedure explains how to delete either a single object or multiple objects. You can also delete a folder (by selecting a folder and clicking Delete in the Folders management area), which deletes all of the objects and instances that are stored in that folder. As well, you have the option of deleting object instances, rather than the object itself. For more information, see “Managing and viewing the history of instances” on page 479.Note: When you delete an object, all of its existing instances and scheduled instances will be deleted.

To delete an object1. Go to the Objects management area of the CMC.2. Select the check boxes associated with the object(s).3. Click Delete.4. Click OK.

Searching for an objectThe search feature enables you to search for specific text within object titles or descriptions.

To search for an object or objects1. Go to the Objects management area of the CMC.2. Specify the search criteria.

In the “Search for” fields, specify the object field to search (title or description) and the matching method to use (is, is not, contains, does not contain). In the Text field, type the text to search for.

3. Click Search.


Sending an object or instance
You can use the “Send to” feature to send existing objects or instances of an object to different destinations. You can send an object, for example, a Word or Excel file, or you can send instances of an object, for example, a report instance.The “Send to” function handles existing objects or instances only. It does not cause the system to run the object and create new instances, nor does it refresh the data for a report instance.You can send either a copy of an object or instance, or a shortcut to the object or instance. You can also select the destination, for example, FTP or Inbox. Not all types of objects can be sent to all destinations. For details about which types of objects can be sent to which destinations, see See also “Available destinations by object type” on page 407.

To send an object or an instance to a destination1. Go to the Objects management area of the CMC.2. Select the check boxes for the objects that you want to send.

To send an instance of the object, click the link for the object. Click the History tab, and then select the check boxes for the instances you want to send.Select only instances with a status of Success or Failed. Instances with a status or Recurring or Pending are scheduled and do not contain any data yet.

3. Click Send to.The Send to page appears.



4. If you want, you can the temporary instances that are created when you send an object or instance, deselect Clean up temporary objects created after objects have been sent.By default, this option is selected and the system deletes any temporary objects or instances after they have been sent. If you want to keep these

5. Select the destination option you want:• Each selected object’s scheduling destination

Sends the objects or instances to the destination specified on the Destination pages for the objects.

• A new destination for all selected objectsAllows you to specify a destination.If you select this option, you must specify additional parameters for the destination information. See “Available destinations by object type” on page 407 and “Selecting a destination” on page 465.If you want the destination to become the default destination for the object, select the Set this destination as the selected object’s scheduling destination option. The system will update the destination information for the object when you click Send.Note: Send Web Intelligence documents to the “Inbox” destination only, or to an Email destination within BusinessObjects Enterprise.

6. Click Send.The system sends the selected objects or instances to the specified destinations.

Available destinations by object typeMost destinations can be used for most types of objects, but there are some exceptions. In some cases recipients must have access to the BusinessObjects Enterprise system to be able to open the object. The following table summarizes which objects cannot use certain destinations. For example, for a Web Intelligence document you cannot specify an unmanaged disk destination.

Object typeUnm. DIsk

Email (SMTP) Inbox

FTP File Link File Link

Report Yes Yes Yes Yes Yes Yes

Object Package - - - - Yes Yes

Program Yes Yes Yes Yes Yes Yes



Changing properties of an objectIn the Properties page of an object, you can modify an object’s title and description. As well, you can view its file name, its location, and the date it was created. For objects that can be scheduled (reports, programs, and object packages), you can see the last times the object was modified and/or run.

To change the properties of an object1. In the Objects management area of the CMC, select an object by clicking

its link.2. On the Properties page, change any of the properties as required.3. Click Update.Note that once you have clicked Update, you cannot click Reset to undo changes.

View buttonFor Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Adobe Acrobat, Text, and Rich Text objects, a View button appears on the Properties page. Provided that you have the appropriate software installed on your browser machine, you can click the View button to open and view the object.

Web Intelligence document

- - - Yes Yes Yes

Excel file Yes Yes Yes Yes Yes Yes

Word file Yes Yes Yes Yes Yes Yes

PDF file Yes Yes Yes Yes Yes Yes

Text file Yes Yes Yes Yes Yes Yes

RTF file Yes Yes Yes Yes Yes Yes

PowerPoint file Yes Yes Yes Yes Yes Yes

Hyperlink - - - Yes Yes Yes

Object typeUnm. DIsk

Email (SMTP) Inbox




Preview buttonSimilarly, for report objects and Web Intelligence documents, a Preview button appears. The Preview button enables you to view a report on demand with all of your current report settings. BusinessObjects Enterprise connects to the report’s data source(s) if no cached pages are available. To use the Preview function, the user will need to have rights at the Schedule level or higher. (To preview a report with saved data, the user will need to have rights at the View level or higher.) By default, administrators have rights at the Full Control level (the highest rights setting) for all report objects. For details about object rights, see “Report object management” on page 411.

Show report thumbnail optionFor reports, the “Show report thumbnail” check box is selected by default. If you do not want a thumbnail preview of this report to be available in InfoView or another web application, clear the Show report thumbnail check box.Note: A thumbnail is a graphical representation of the first page of a report. If the original report does not contain a thumbnail, then a thumbnail will not be stored on BusinessObjects Enterprise. The Show report thumbnail checkbox does not apply to Web Intelligence document objects.



Scheduled package fails upon individual component failure optionFor object packages, the “Scheduled package fails upon individual component failure” check box is selected by default. (A component is an object in an object package.) This means that if one of objects in a package fails, the object package instance in the History will appear as Failed. If you do not want the object package instance to fail if one of the objects fails, clear the “Scheduled package fails upon individual component failure” check box.

Assigning an object to categoriesLike folders, categories are objects used to organize documents. You can associate objects with multiple categories, or subcategories within categories. A category can be a corporate or a personal category. For complete information, see Chapter 14: Organizing Objects. Use the following procedure to assign an object to a category by using the objects page. You can also assign objects to a category by using the categories page. See “Adding an object to a new category” on page 356.

To assign an object to a category1. In the Object management area of the CMC, select an object by clicking

its link.2. Click the Categories tab.3. To assign an object to a personal category, click the Personal link.

Otherwise, skip this step.4. Click Assign Categories.

The Assign Corporate Categories page appears.5. In the Available Categories list, select the category that you want the

object to belong to and use the arrow buttons to move to the Assigned Categories list.The Available Categories list includes all corporate or personal categories and their subcategories.Repeat this step for each category that you want the object to be assigned to.

6. Click OK.Note: To remove an object from a category, see “Removing or deleting objects from a category” on page 356.


Managing ObjectsReport object management 17

Report object managementThis section explains report objects and instances, and how to manage them through the Central Management Console (CMC). It includes the following sections:• “What are report objects and instances?” on page 411• “Setting report refresh options” on page 412• “Setting report processing options” on page 414• “Applying processing extensions to reports” on page 429• “Working with hyperlinked reports” on page 433Note: Most information in this section also applies to Web Intelligence document objects. Any exceptions have been identified.

What are report objects and instances?A report object is an object that is created using a Business Objects designer component (such as Crystal Reports or OLAP Intelligence). A Web Intelligence document object Web Intelligence is created using the Report panel and HTML Query panel in InfoView. Both types of objects contain report information (such as database fields). Both types of objects can also contain saved data.A report object or Web Intelligence document object can be made available to everyone or to individuals in selected user groups.

Scheduled instancesWhen you schedule an object, the system creates a scheduled instance for the object. A scheduled instance contains object and schedule information. It does not contain any data yet. Scheduled instances appear on the History page of the respective object and have a status of Recurring or Pending.You can schedule objects either from CMC or by using a BusinessObjects Enterprise application, such as InfoView or a custom web application.Typically, report objects are designed such that you can create several instances with varying characteristics. For example, if you run a report object with parameters, you can schedule one instance that contains report data that is specific to one department and schedule another instance that contains information that is specific to another department, even though both instances originate from the same report object. For more information about scheduling, see Chapter 18: Scheduling Objects.


Managing ObjectsReport object management17

Object instancesAt the specified time, the system runs the object and creates an object instance. The instance contains actual data from the database. It appears on the History page of the object and has a status of Success or Failed.

Making changes to an objectAny changes you make to the an object (by making the changes and then clicking Update) affect the default settings for the object only. Those changes do not affect any existing scheduled instances or object instances. The next time you schedule the object, whether you use CMC or an application such as InfoView, the new default settings are displayed. You can then change these settings as needed for the scheduled instance you want to create.Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format.

Setting report refresh optionsNote: This feature does not apply to Web Intelligence document objects. You can set report refresh options that determine which settings of a report object are updated when you refresh it in BusinessObjects Enterprise.When you refresh a report object, BusinessObjects Enterprise compares the report object stored in BusinessObjects Enterprise with the original .rpt file stored in the Input File Repository Server. BusinessObjects Enterprise deletes or adds report elements in the report object to make it match the .rpt file, overwriting any changes you’ve made in BusinessObjects Enterprise. Where report elements are the same in the source report and the report object, the report refresh settings allow you to control which settings in the report object are updated with values from the source .rpt file.For example, if a prompt appears only in the source .rpt file, then refreshing the report adds the prompt to the report object. This holds true no matter which report refresh options you select.If a prompt appears in both the source .rpt and the report object and you have selected the “Prompt Values” option, then BusinessObjects Enterprise updates the default value of the prompt in the report object. Any changes that you have made to the default value of the parameter in BusinessObjects Enterprise are overwritten.



To preserve your changes to the values of report elements when you refresh a report, clear the appropriate report refresh option.Note: • If you select Prompt Values, BusinessObjects Enterprise ensures that

changes to either the default value of a prompt or to the current value of a prompt are updated in the report object when the report is refreshed.

• If you select Prompt Options, BusinessObjects Enterprise ensures that changes to the metadata describing a prompt is updated in the report object. For example, “Can be null” is a prompt option.

• If you select “Use Object Repository when refreshing report”, repository objects in the report object will be refreshed against the repository. For more information, see “Refreshing repository objects in published reports” on page 166.

To set a report object’s refresh options1. In the Objects management area of the CMC, select a report object by

clicking its link.2. On the Properties page, click the Refresh Options link.3. Choose the report elements that you want to refresh from the source

report file.4. Click Refresh Report.

Viewing the universes for a Web Intelligence documentYou build queries for Web Intelligence documents using objects in a universe. A universe is a representation of the information available in the database. In CMC you can view which universes are used by a Web Intelligence document.

To view the universes for a Web Intelligence document1. In the Objects management area of the CMC, select a Web Intelligence

document object by clicking its link.2. On the Properties page, click the Universes link.

The Universes page appears, listing the universes that are used by the document.


Setting report processing options
For each object you can set several processing options. These options appear on the Process page for the object. Setting the report processing options includes the following tasks:• “Setting report viewing options” on page 414• “Specifying servers for scheduling” on page 416• “Specifying servers for viewing and modification” on page 418• “Changing database information” on page 420• “Updating parameters” on page 423• “Using filters” on page 425• “Setting printer and page layout options” on page 427• “Applying processing extensions to reports” on page 429

Setting report viewing optionsNote: This feature does not apply to Web Intelligence document objects. The report viewing options available in BusinessObjects Enterprise allow you to balance users’ need for up-to-date information with the need to optimize data retrieval times and overall system performance.BusinessObjects Enterprise allows you to enable data sharing, which permits different users accessing the same report object to use the same data when viewing or refreshing a report. Enabling data sharing reduces the number of database calls, thereby reducing the time needed to generate a report instance for subsequent users of the same report, while greatly improving overall system performance under load. You can control data sharing settings on either a per-report or a per-server basis:• If you specify which servers a report uses for viewing, you can use per-

server settings to standardize data sharing settings for groups of reports, and centrally administer these settings. (See “Specifying servers for viewing and modification” on page 418.)

• Per-report settings permit you to specify that particular reports will not share data. They also allow you to tailor the data sharing interval for each report to meet the needs of that report’s users. In addition, per-report settings enable you to decide on a report-by-report basis whether it is appropriate to allow users to access the database whenever they refresh reports.



Data sharing may not be ideal for all organizations, or for all reports. To get full value from data sharing, you must permit data to be reused for some period of time. This means that some users may see “old” data when they view a report on demand, or refresh a report instance that they are viewing. The default report viewing options for BusinessObjects Enterprise emphasize data freshness and integrity. By default, when you add a report to BusinessObjects Enterprise it is configured to use per-server settings for report sharing. The default server settings ensure that users always receive up-to-date information when they refresh a report, and guarantee that the oldest data given to any user is 0 minutes old. If you choose to enable per-report settings, the default settings allow data sharing, allow a viewer refresh to retrieve fresh data from the database, and ensure that the oldest data given to a client is 5 minutes old.Tip: Disabling the sharing of report data between clients is not the same as setting the “Oldest on-demand data given to a client” to 0 minutes. Under high load, your system may receive more than one request for the same report instance at the same time. In this case, if the data sharing interval is set to 0 but the “Share report data between clients” option is enabled, BusinessObjects Enterprise shares data between the client requests. If it is important that data not be shared between different clients (for example, because the report uses a User Function Library (UFL) that is personalized for each user), disable data sharing for that report.For details on setting report viewing options on a per-server basis, see:• “Modifying Cache Server performance settings” on page 103• “Modifying Page Server performance settings” on page 106• “Modifying performance settings for the RAS” on page 111• “Configuring the Web Intelligence Report Server” on page 113For more information on configuring BusinessObjects Enterprise to optimize report viewing in your system, see the planning chapter in the BusinessObjects Enterprise Installation Guide. Note: This feature does not apply to Web Intelligence document objects.

To set report viewing options for a report1. In the Objects management area of the CMC, select a report by clicking

its link.2. Click the Process tab.3. In the “Data Refresh for Viewing” area, click “Use report specific viewing

settings.” Then select the options that you want to set for this report.4. Click Update.


Specifying servers for scheduling
You can specify the default servers that BusinessObjects Enterprise will use to run an object, and to schedule and process instances. When specifying your servers, you have three options:• Use the first available server.• Use the servers that belong to a selected group first (and, if the servers

from that group aren’t available, use any available server).• Use only servers that belong to a specific group.Depending on the type of object, BusinessObjects Enterprise uses the following servers:• Crystal reports are run on the Report Job Server.• Web Intelligence documents are run on the Web Intelligence Report Server.By selecting a particular server or server group, you can balance the load of your scheduling, because specific objects can be processed by specific job servers. You must first create server groups by using the Server Groups management area in the CMC, before you can select servers that belong to a selected group. You can also set the maximum number of jobs that a job server will accept. For more information, see “Modifying performance settings for job servers” on page 112.Also, you can balance the load of your scheduling, because specific objects can be processed by specific job servers. You must first create server groups by using the Server Groups management area in the CMC, before you can select servers that belong to a selected group. You can also set the maximum number of jobs that a job server will accept. For more information, see “Modifying performance settings for job servers” on page 112.Note: • If you choose the “Use the first available server” option, the Central

Management Server (CMS) will check the job servers to see which one has the lowest load. The CMS does this by checking the percentage of the maximum load on each job server. If all of the job servers have the same load percentage, then the CMS will randomly pick a job server.

• If you are scheduling a program object that requires access to files stored locally on a Program Job Server, but you have multiple Program Job Servers, you must specify which server to use to run the program.

• See “Specifying servers for viewing and modification” on page 418 for information on specifying the servers used to view or modify an object.

To specify the servers to use for an object1. In the Objects management area of the CMC, select an object by clicking

its link.



2. Click the Process tab.

3. In the “Default Servers To Use For Scheduling” area, choose from one of the three options:• Use the first available server

BusinessObjects Enterprise will use the server that has the most resources free at the time of scheduling.

• Give preference to servers belonging to the selected groupSelect a server group from the list. This option will attempt to process the object from the servers that are found within your server group. If the specified servers are not available, then the object will be processed on the next available server.

• Only use servers belonging to the selected groupThis option ensures that BusinessObjects Enterprise will only use the specified servers that are found within the selected server group. If all of the servers in the server group are unavailable, then the object will not be processed.



4. Click Update.5. In the “Default Servers To Use For Viewing” area, repeat the activities

from steps 3 and 4.Note: “Default Servers To Use For Viewing” applies only to report objects.

Specifying servers for viewing and modificationYou can specify the default servers that BusinessObjects Enterprise will use when a user views or modifies a report or Web Intelligence document. When specifying your servers, you have three options:• Use the first available server.• Use the servers that belong to a selected group first (and, if the servers

from that group aren’t available, use any available server).• Use only servers that belong to a specific group. Depending on the type of object, BusinessObjects Enterprise uses the following servers:• Crystal reports are run on the Cache Server and Page Server, or the

Report Application Server, depending on which viewer is used.• Web Intelligence documents are run on the Web Intelligence Report Server.By selecting a particular server or server group, you can balance the load of your viewing, as specific reports can be processed using specific servers. You must first create server groups by going to the Server Groups management area in the CMC before you are able to select servers that belong to a selected group. You can also set the maximum number of jobs a server will accept. For more information, see “Modifying Cache Server performance settings” on page 103, “Modifying Page Server performance settings” on page 106, or “Modifying performance settings for the RAS” on page 111.



Note: • If you choose the “Use the first available server” option, the Central

Management Server(CMS) will check the servers to see which one has the lowest load. The CMS does this by checking the percentage of the maximum load on each server. If all of the servers have the same load percentage, then the CMS will randomly pick a server.

• See “Specifying servers for scheduling” on page 416 for information on specifying Job Servers used to schedule an object.

To specify the servers to use for a report object1. In the Objects management area of the CMC, select an object by clicking

its link.2. Click the Process tab.



3. In the “Default Servers To Use For Viewing” area, choose from one of the three options:• Use the first available server

BusinessObjects Enterprise will use the server that has the most resources free at the time of viewing.

• Give preference to servers belonging to the selected groupSelect a server group from the list. This option will attempt to process the object from the servers that are found within your server group. If the specified servers are not available, then the object will be processed on the next available server.

• Only use servers belonging to the selected groupThis option ensures that BusinessObjects Enterprise will only use the specified servers that are found within the selected server group. If all of the servers in the server group are unavailable, then the object will not be processed.

4. Click Update.

Changing database informationNote: This feature does not apply to Web Intelligence document objects.You can select your database type and set the default database logon information on the Database page for a report. The Database page displays the data source or data sources for your report object and its instances. You can choose to prompt the user for a logon name and password when he or she views a report instance.

To change database settings1. In the Objects management area of the CMC, select a report object by

clicking its link.2. Click the Process tab, and then click the database link.



The Database page appears.



3. In the Data Source(s) list, select the data source.4. Select Use original database logon information from the report or

Use custom database logon information specified here.If you select the first option, you can specify a user name and password to be used with the original report database.If you select the second option, you can specify a server name (or a DSN in the case of an ODBC data source), a database name, a user name, and a password for a number of predefined database drivers, or for a custom database driver that you’ve specified. If you’ve changed the default table prefix in your database, specify a custom table prefix here.For a complete list of supported databases and drivers, refer to the platform.txt file included with your installation.

5. Select the database logon option you want.• Prompt the user for database logon

The system will prompt users for a password when they refresh a report.Note: This option has no effect on a scheduled instance. Also, BusinessObjects Enterprise only prompts users when they first refresh a report; that is, if they refresh the report a second time, they will not be prompted.

• Use SSO context for database logonThe system will use the user’s security context, that is, the user’s logon and password, to log on to the database.Note: For this option to work, you must have your system configured for end-to-end single sign-on, or for single sign-on to the database. For more information, see “Configuring Kerberos single sign-on” on page 285.

• Use same database logon as when report is runThe system will use the same database logon information as was used when the report was run on the job server.

6. Click Update.



Updating parametersNote: This feature does not apply to Web Intelligence document objects.Parameter fields (with preset values) enable users to view and to specify the data that they want to see. If a report contains parameters, you can set the default parameter value for each field or fields (which is used whenever a report instance is generated). Through a BusinessObjects Enterprise application such as InfoView, your users are either able to use the report with the preset default value(s) or choose another value or values. If you do not specify a default value, users will have to choose a value when they schedule the report.Note: The Parameters link is available only if the report object contains parameters.

To view parameter settings1. In the Objects management area of the CMC, select a report object by

clicking its link.2. Click the Process tab, and then click the Parameters link.

3. Under the Value column, select the value associated with the parameter you want to change.A page opens that allows you to change the parameter value. Depending on the parameter value type, you either type a value in the field or choose a value from a list. If there is a list, you can also click Edit to type a new value.



4. Select the Clear the current parameter value(s) check box if you want to clear the current value that is set for the specified parameter.

5. Select the Prompt the user for new value(s) when viewing check box if you want your users to be prompted when they view a report instance through a BusinessObjects Enterprise application such as InfoView.

6. Click Update.

Updating prompts for Web Intelligence document objectsNote: This feature does not apply to Crystal reports objects. See “Updating parameters” on page 423 instead.Prompt fields (with preset values) enable users to view and to specify the data that they want to see. If a report contains parameters, you can set the default prompt value for each field or fields (which is used whenever a report instance is generated). Through a BusinessObjects Enterprise application such as InfoView, your users can either use the report with the preset default value(s) or choose another value or values. If you do not specify a default value, users will have to choose a value when they schedule the report.Note: The Prompts link is available only if the Web Intelligence document object contains prompts.



To update the prompts for a Web Intelligence document object1. In the Objects management area of the CMC, select a report object by

clicking its link.2. Click the Process tab, and then click the Prompts link.

The Prompts page appears, showing a dialog box with prompts.3. Select the prompt and enter a value for the prompt. Repeat this step for

every prompt whose you want to change.4. Click Update.

Using filtersNote: This feature does not apply to Web Intelligence document objects.In the Filters page, you set the default selection formulas for the report. Selection formulas are similar to parameter fields in that they are used to filter results so that only the required information is displayed. Unlike parameters, end users will not be prompted for selection formula values when they view or refresh the report. When users schedule reports through a web-based client such as InfoView, they can choose to modify the selection formulas for the reports. By default, if any formulas are set in the CMC, they will be used by the web-based client. For more information on selection formulas, see the Crystal Reports User’s Guide.In addition to changing selection formulas, if you have developed your own processing extensions, you can select the processing extensions that you want to apply to your report. For more information, see “Applying processing extensions to reports” on page 429. When you use filters in conjunction with processing extensions, a subset of the processed data is returned. Selection formulas and processing extensions act as filters for the report.

To use filters1. In the Objects management area of the CMC, select a report object by

clicking its link.2. Click the Process tab, and then click the Filters link.

The Filters page appears.



3. Update or add new selection formulas.• Record Selection Formula

Use the Record Selection Formula to create or edit a record selection formula or formulas that limit the records used when you or a user schedules a report.

• Group Selection FormulaUse the Group Selection Formulas to create or edit a group selection formula or formulas that limit the groups used when you or a user schedules a report.

4. In the processing extensions area, select a processing extension you want from the Available Processing Extensions list, and move it to the Use these Processing Extensions list.Repeat this step until you have selected the processing extensions you want.

5. Click Update.

Setting printer and page layout optionsNote: This feature does not apply to Web Intelligence document objects. You can choose to print a report instance when scheduling it; report instances are always printed in Crystal Reports format. When printing a report, you can set the number of copies and the page range. The Print Setup page contains two areas: the first area specifies whether or not a report instance is printed, and if printed, the printer to use, the number of copies, and the page range; the second area specifies custom layout settings for changing the page size and orientation (regardless of whether the report instance is printed or not).

Specifying a printerNote: This feature does not apply to Web Intelligence document objects.You can choose to print a report (each time it runs) using the Job Server’s default printer or a different printer. By selecting the Printer destination, BusinessObjects Enterprise prints your report after it is processed.Note: The Job Server must run under an account that has sufficient privileges to access the printer you specify. See “Changing the server user account” on page 130 for information on changing the user account.



To assign a printer1. In the Objects management area of the CMC, select a report object by

clicking its link.2. On the Process tab, click the Print Setup link.

The Print Setup page appears.3. Select Print in Crystal Reports format using the selected printer

when scheduling if you want report instances to be sent directly to a printer.The report instances are automatically sent to the printer in Crystal Reports format. This does not interfere with the format selected when scheduling the report.

4. Leave Default printer selected if you want to print to the Job Server’s default printer, otherwise, select Specify a printer.

5. Enter a printer’s path and name, select the number of copies, and choose the print page range.If your job server is using Windows, in the “Specify a printer” field, type:\\printserver\printername

Where printserver is the name of your printer server, and printername is the name of your printer.

6. Click Update.

Specifying page layoutNote: This feature does not apply to Web Intelligence document objects.When viewing or scheduling a report instance to any format, you can first specify page layout criteria such as page orientation, page size, and so on. The settings you choose in this section of the Print Setup page affect how you’ll see a report instance when displaying it.Note: Page layout settings are not specifically related only to scheduling a report to a printer, but also to the overall look of the report. The overall look is affected by the properties of the device for which the report is displayed in (that is, the font metrics and other layout settings of the display and/or the printer).

To set a report’s page layout1. In the Objects management area of the CMC, select a report object by

clicking its link.2. On the Process tab, click the Print Setup link.



The Print Setup page appears.

3. Make your settings according to the type of layout you want. The options are as follows:• Report file default

Choose this option if you want the page layout to conform to the settings that were chosen for the report in Crystal Reports.

• Specified printer settingsChoose this option if you want the page layout to conform to the settings of a specified printer. You can choose the Job Server’s default printer or another printer. For information about specifying another printer, see “Specifying a printer” on page 427.When you choose this option, you can print scheduled report instances only to the printer you specify in the “Specified printer settings” area. In other words, you cannot set your report to display with one printer’s setting and then print to a different printer.

• Custom settingsChoose this option if you want to customize all page layout settings. You can choose page orientation, page size, measurement units (inches or millimeters), page width, and page height.

4. Click Update.

Applying processing extensions to reportsNote: This feature does not apply to Web Intelligence document objects.BusinessObjects Enterprise supports the use of customized processing extensions. A processing extension is a dynamically loaded library of code that applies your business logic to particular BusinessObjects Enterprise view or schedule requests before they are processed by the system. This section shows how to register your processing extension with BusinessObjects Enterprise, and how to apply an available processing extension to a particular report object.



For general information about processing extensions and how you can use them to customize report processing and security, see “Processing extensions” on page 227. For information on writing your own processing extensions with the Processing Extension API, see the developer documentation available on your product CD.Note: On Windows systems, dynamically loaded libraries are referred to as dynamic-link libraries (.dll file extension). You must include the file extension when you name your processing extensions. Also, file names cannot include the \ or / characters.

Registering processing extensions with the systemNote: This feature does not apply to Web Intelligence document objects.Before you can apply your processing extensions to particular objects, you must make your library of code available to each machine that will process the relevant schedule or view requests. The BusinessObjects Enterprise installation creates a default directory for your processing extensions on each Job Server, Page Server, and Report Application Server (RAS). It is recommended that you copy your processing extensions to the default directory on each server. On Windows, the default directory is C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86\ProcessExt. Tip: It is possible to share a processing extension file. For details, see “Sharing processing extensions between multiple servers” on page 433.Depending upon the functionality that you have written into the extension, copy the library onto the following machines:• If your processing extension intercepts schedule requests only, copy your

library onto each machine that is running as a Job Server.• If your processing extension intercepts view requests only, copy your

library onto each machine that is running as a Page Server or RAS.• If your processing extension intercepts schedule and view requests, copy

your library onto each machine that is running as a Job Server, Page Server, or RAS.

Note: If the processing extension is required only for schedule/view requests made to a particular Server Group, you need only copy the library onto each processing server in the group.



To register a processing extension with the system1. Go to the Objects management area of the CMC.2. Click Object Settings.

3. In the Name field, type a display name for your processing extension.4. In the Location field, type the file name of your processing extension

along with any additional path information:• If you copied your processing extension into the default directory on

each of the appropriate machines, just type the file name (but not the file extension).

• If you copied your processing extension to a subfolder below the default directory, type the location as: subfolder/filename

Note: Although the actual file name must include the .dll or .so extension (as appropriate to the server’s operating system), you must not include the file extension in the Location field.

5. Use the Description field to add information about your processing extension.

6. Click Add.You can now select this processing extension to apply its logic to particular objects. For details, see “Selecting a processing extension for a report” on page 431.Tip: To delete a processing extension, select its check box and click Delete. (Make sure that no recurring jobs are based on this processing extension because any future jobs based on this processing extension will fail.)

Selecting a processing extension for a reportNote: This feature does not apply to Web Intelligence document objects.

To select a processing extension for a report1. Go to the Objects management area of the CMC.2. Click the link to the report object that you want to apply your processing

extension to.



3. Click the Process tab, and then click the Filters link.

4. Select your processing extension in the Available Processing Extensions list.Note: Your processing extensions appear in this list only after you have registered them with the system. For details, see “Registering processing extensions with the system” on page 430.Tip: You may apply more than one processing extension to a report object. Repeat steps 4 and 5 for each processing extension; then use the up and down arrows to specify the order in which the processing extensions should be used.

5. Click Update.Your processing extension is now enabled for this report object.



Sharing processing extensions between multiple serversNote: This feature does not apply to Web Intelligence document objects. If you want to put all processing extensions in a single location, you can override the default processing extensions directory for each Job Server, Page Server, and RAS. First, copy your processing extensions to a shared directory on a network drive that is accessible to all of the servers. Map (or mount) the network drive from each server’s machine.Note: Mapped drives on Windows are valid only until you reboot the machine. For details, see “Ensuring that server resources are available on local drives” on page 510.Finally, change each server’s command line to modify the default processing extensions directory. Do this by adding “-report_ProcessExtPath <absolute path>” to the command line. Replace <absolute path> with the path to the new folder, using whichever path convention is appropriate for the operating system that the server is running on (for example, M:\code\extensions, /home/shared/code/extensions, and so on).The procedure for making this modification depends upon your operating system:• On Windows, use the CCM to stop the server. Then open the server’s

Properties to modify the command line. Start the server again when you have finished.

Working with hyperlinked reports Note: This feature does not apply to Web Intelligence document objects.Crystal Reports lets you use hyperlinks to navigate from one report object to another. You can move to a Report Part within the report itself, to other report objects or their parts, or to specific instances of reports or Report Parts. This navigation is available only in the new script-based DHTML viewers (zero-client, server-side viewers) included in BusinessObjects Enterprise XI. By linking directly from one object to another, the required data context is passed automatically so that you navigate to the object and data that is relevant.Initially, when you add hyperlinks between reports in Crystal Reports, you create a link from one file directly to another. However, when you publish linked report files simultaneously to the same object package, the links are modified to point to managed report objects. (Each link is changed, so that it references the appropriate destination report by Enterprise ID, rather than by file path.) Also, the modified links become relative inside the object package. When you schedule the object package, BusinessObjects Enterprise processes its reports, and again modifies hyperlinks within each report



instance: hyperlinks between report objects in an object package are converted to hyperlinks between report instances in a specific instance of the object package. For more information on object packages, see “Scheduling objects using object packages” on page 455.To view hyperlinked reports, you must publish both the home and destination reports to the same BusinessObjects Enterprise system. (A home report is one that contains a hyperlink to another report: the destination report.)Note: For information about how to create hyperlinks between report objects, see the Crystal Reports Online Help.

Publishing and hyperlinking reportsNote: This feature does not apply to Web Intelligence document objects.To avoid breaking hyperlinks between reports, it is best to publish the reports first and then to create the hyperlinks.

To publish and then hyperlink reports1. Create the reports, without hyperlinks, in Crystal Reports.2. Publish them to BusinessObjects Enterprise.3. Use Crystal Reports to log on to your BusinessObjects Enterprise

system.4. Create the hyperlinks between the home and destination reports. See the

Crystal Reports Online Help.Crystal Reports automatically determines what type of link—relative or absolute—to establish between the reports. In BusinessObjects Enterprise, relative links are those between reports in the same object package, and absolute links are links to specific report objects or instances.

Publishing reports with existing hyperlinksNote: This feature does not apply to Web Intelligence document objects.The recommended method for creating hyperlinked reports is first to publish the individual reports, then create hyperlinks between them. See “Publishing and hyperlinking reports” on page 434.) However, because this is not always possible, use the following procedure to publish reports after they have been hyperlinked. When you publish reports this way, the hyperlinks are converted to relative links.



To publish reports with existing hyperlinksUsing the Publishing Wizard, publish the reports (that are linked to each other) to the same object package.Note: If you publish hyperlinked reports independently of each other, rather than publishing them simultaneously to the same object package, all hyperlinks between the reports will break. You must re-establish the links using Crystal Reports and save the report back to BusinessObjects Enterprise. (For more information, see the Crystal Reports Online Help.)

Viewing hyperlinks in a reportNote: This feature does not apply to Web Intelligence document objects.You can view a list of the links in a report by clicking the Links link on the report’s Properties page. The links are listed as either relative or absolute. In BusinessObjects Enterprise, relative links are those between reports in the same object package, and absolute links are links to specific report objects or instances.

To view a list of links in a report object1. In the Objects management area of the CMC, select the report object by

clicking its link.2. Click the Properties tab, and then click the Links link.

The Links page appears.

Viewing hyperlinked reportsNote: This feature does not apply to Web Intelligence document objects.BusinessObjects Enterprise supports navigation between hyperlinked reports only with script-based viewers, specifically the DHTML and Advanced DHTML viewers in InfoView. To change your preferred viewer in the CMC, click the Preferences button in the upper-right corner of the CMC, and select the appropriate viewer from the Viewer list. For information on how to change your preferred viewer, see the BusinessObjects Enterprise User’s Guide.Parameter information is not carried over between the home and destination reports. That is, when you view a destination report by clicking a hyperlink in a home report, you are prompted to enter any parameters that the destination report requires.


Managing ObjectsProgram object management17

Security considerationsTo view hyperlinked reports through BusinessObjects Enterprise, you must have the appropriate rights both in BusinessObjects Enterprise and at the database level.In BusinessObjects Enterprise, to view a destination report through a hyperlink in a home report, you must have View rights to the destination report. When the hyperlink points to a report object, you must have View On Demand rights to be able to refresh the data against the data source. For information about setting the levels of access to objects, see “Setting common access levels” on page 306.Database logon information is carried over between hyperlinked reports. If the credentials you specified to view the home report are not valid for the destination report, you are prompted for a valid set of database logon credentials for the destination report.

Program object managementThis section explains program objects and instances, and how to manage them through the Central Management Console (CMC). It includes the following sections:• “What are program objects and instances?” on page 436• “Setting program processing options” on page 438

What are program objects and instances?A program object is an object in BusinessObjects Enterprise that represents an application. Publishing a program object to BusinessObjects Enterprise allows you to use BusinessObjects Enterprise to schedule and run the program object and to manage user rights in relation to the program object. For information about publishing program objects, see “Publishing overview” on page 360.When you publish a program object or its associated files to BusinessObjects Enterprise, they are stored in the Input File Repository Server (FRS). Each time a BusinessObjects Enterprise program runs, the program and files are passed to the Program Job Server, and BusinessObjects Enterprise creates a program instance. Unlike report instances, which you can view in their completed format, program instances exist as records in the object history. BusinessObjects Enterprise stores the program’s standard out and standard error in a text output file. This file appears when you click a program instance in the object History.


Managing ObjectsProgram object management 17

Program typesThree types of applications can be published to BusinessObjects Enterprise as program objects:• Executable

Executable programs are binary files, batch files, or shell scripts. They generally have file extensions such as: .com, .exe, .bat, .sh. You can publish any executable program that can be run from the command line on the machine that runs the Program Job Server.

• JavaYou can publish any Java program to BusinessObjects Enterprise as a Java program object. For Java program objects to have access to Java SDK objects, your class must implement the IProgramBase interface from the BusinessObjects Enterprise Java SDK (com.businessobjects.sdk.plugin.desktop.program.IProgramBase). For details, see the BusinessObjects Enterprise Java SDK Guide.

• ScriptScript program objects are JScript and VBScript scripts. They are run on Windows using an embedded COM object and can—once published—reference the BusinessObjects Enterprise SDK objects. For details, see the BusinessObjects Enterprise COM SDK Guide.Note: Script program objects are not supported on UNIX.

Note: As the administrator, you can choose to enable or disable any of the types of program objects. For details, see “Authentication and program objects” on page 443.Once you have published a program object to BusinessObjects Enterprise, you can configure it in the Objects management area of the CMC. For each type of program object (Executable, Java, or Script) you can choose to specify command-line arguments and a working directory. For executable and Java programs, there are additional ways, both required and optional, to configure the program objects and provide them with access to other files.Tip: Program objects allow you to write, publish, and schedule scripts or Java programs that run against BusinessObjects Enterprise, and perform maintenance tasks, such as deleting instances from the history. Furthermore, you can design these scripts and Java programs to access BusinessObjects Enterprise session information. This ensures that the scheduled program objects retain the security rights or restrictions of the user who scheduled the job. (Your scripts or java programs require access to the BusinessObjects Enterprise SDK. For details, see the BusinessObjects Enterprise COM SDK Guide or the BusinessObjects Enterprise Java SDK Guide.)


Setting program processing options
For each object you can set several processing options. These options appear on the Process page for the object. Setting the program processing options includes the following tasks:• “Specifying command-line arguments” on page 438• “Setting a working directory for a program object” on page 439• “Configuring executable programs” on page 440• “Configuring Java programs” on page 441• “Authentication and program objects” on page 443

Specifying command-line argumentsFor each program object you can specify command-line arguments on the Parameters page for the object. You can specify any argument that is supported by the command-line interface for your program. Arguments are passed directly to the command-line interface, without parsing.

To specify command-line arguments1. In the Objects management area of the CMC, select the program object

by clicking its link.2. Click the Process tab, then click the Parameters link.

The Parameters page appears.

3. In the Arguments field, type the command-line arguments for your program, using the same format you would use at the command line itself.For example, if your program has a loops option, to set the loops value to 100, you might type -loops 100

4. Click Update.



Setting a working directory for a program objectBy default, when a program object runs, BusinessObjects Enterprise creates a temporary subdirectory in the Program Job Server’s working directory, and uses this subdirectory as the working directory for the program. The subdirectory is automatically deleted when the program finishes running.You can specify an alternative working directory for the program object by modifying the Working Directory field on the Parameters page of the object. Or, you can modify the default setting for the working directory for the Program Job Server.Note: The account under which the program runs must have appropriate rights to the folder that you set as the working directory. The level of file permissions required depend on what the program does; however, the program’s account generally needs read, write, and execute permissions to the working directory. For information about setting credentials for an account under which a program object will run, see “Authentication and program objects” on page 443

To set a working directory for a program object1. In the Objects management area of the CMC, select the program object

by clicking its link.2. Click the Process tab, then click the Parameters link.

The Parameters page appears.3. In the Working Directory field, type the full path to the directory that you

want to set as the program object’s working directory.For example, on Widows, if you created a working directory named working_directory, type C:\working_directoryOn UNIX, type /working_directory

4. Click Update.

To modify the default working directory for the Program Job Server1. Go to the Servers management area of the CMC.2. Click the link for Program Job Server.

The Properties page appears.3. In the Temp Directory field, type the full path to the directory you want to

set as the working directory for the Program Job Server.4. Click Update.


Configuring executable programs
When you publish an executable program object to the CMC, you can:• Configure the object to have access to external or auxiliary files. See

“Providing Java programs with access to other files” on page 442.• Customize environment variables for the shell in which BusinessObjects

Enterprise runs the program. See “Specifying environment variables” on page 441.

Providing executable programs with access to other filesSome binary files, batch files, and shell scripts require access to external or auxiliary files to run. Aside from setting a working directory for the program object, there are two ways to provide access to these files:• If a required file is on the same machine as the Program Job Server, you

can specify the full path to the file.• Alternatively, if the file is not located on the Program Job Server, you can

upload the file to the File Repository Server, which will pass the files to the Program Job Server as necessary.

To specify paths to required files1. In the Objects management area of the CMC, select the executable

program object by clicking its link.2. Click the Process tab, then click the Parameters link.

The Parameters page appears.3. In the External Dependencies field, type the full path to the required file

and click Add.4. Repeat step 3 for each file required.5. Click Update.Tip: To edit or remove external dependencies that you have specified, select the file path (in the list of external dependencies on the Parameters page) and click the appropriate button, either Edit or Remove.

To upload required files1. In the Objects management area of the CMC, select the executable

program object by clicking its link.2. Click the Process tab, then click the Auxiliary Files link.

The Auxiliary Files page appears. 3. Click Browse to navigate to the required file, then click Add File.4. Repeat step 3 for each required file.5. Click Update.



Tip: To remove auxiliary files that you have specified, select the file(s) (in the list of external dependencies on the Parameters page) and click Remove File(s).

Specifying environment variablesIn the CMC, you can configure your program by adding or modifying environment variables. Modifications to an existing environment variable override this variable, rather than append to it. Any changes you make to environment variables exist only in the temporary shell in which BusinessObjects Enterprise runs the program. Thus, when the program exits, the environment variables are destroyed.

To add an environment variable1. In the Objects management area of the CMC, click the link for the

program object.2. Click the Process tab, then click the Parameters link.

The Parameters page appears.3. In the Environment Variables field, type the environment variables you

want to set.Use the form name=value, where name is the environment variable name and value is the value for the environment variable. For example, you can set the path variable to append a user’s bin directory to the existing path:• On Windows, you might type: path=%path%;c:\usr\bin• On UNIX, you might type:PATH=$PATH:/usr/binNote: BusinessObjects Enterprise sets your environment variables using the syntax that is appropriate for your operating system. However, on UNIX you must follow convention, and use the appropriate case. For example, all name values on UNIX must be typed in upper-case.

4. Click Update.Tip: To edit or remove environment variables that you have specified, select the variable (in the list of environment variables on the Parameters page), and click the appropriate button, either Edit or Remove.

Configuring Java programsTo successfully schedule and run Java programs in BusinessObjects Enterprise, you must specify the required parameters for the program object. See “Setting required parameters for Java programs” on page 442.Additionally, you can provide the Java program with access to other files located on the Program Job Servers, and you can specify Java Virtual Machine options. See “Providing Java programs with access to other files” on page 442.



Setting required parameters for Java programsTo successfully schedule and run a Java program, you must provide BusinessObjects Enterprise with the base name of the .class file that implements the IProgramBase interface from the BusinessObjects Enterprise Java SDK.Note: The Java Runtime Environment must be installed on each machine that is running a Program Job Server.

To specify required parameters for Java programs1. In the Objects management area of the CMC, click the link for the Java

program object.2. Click the Parameters tab.

The Parameters page appears. 3. In the Class to run field, type the base name of the .class file that

implements the IProgramBase from the BusinessObjects Enterprise Java SDK (com.businessobjects.sdk.plugin.desktop.program.IProgramBase).For example, if the file name is Arius.class, type Arius

4. Click Update.

Providing Java programs with access to other filesYou can provide Java programs with access to files, such as Java libraries, located on the Program Job Server.

To provide Java programs with access to other files1. In the Objects management area of the CMC, click the link for the Java

program object.2. Click the Process tab, then click the Parameters link.

The Parameters page appears. 3. In the Classpath field, type the full paths to the locations of any Java

library files that are required by the Java program, and stored on the Program Job Server.You must separate multiple paths with the classpath separator that is appropriate to your operating system: a semi-colon for Windows, a colon for UNIX.

4. Click Update.



Authentication and program objectsBe aware of the potential security risks associated with the publication of program objects. As the administrator, you must protect the system against abuse. The level of file permissions for the account under which a program object runs will determine what modifications, if any, the program can make to files.You can control the types of program objects users can run, and you can configure the credentials required to run program objects.

Enabling or disabling a type of program objectAs a first level of security, you can configure the types of program objects available for use.

To enable or disable a type of program object1. In the Objects management area of the CMC, click Object Settings.2. Click the Program Objects tab.3. Select the type or types of program objects you want users to run.4. Click Update.

Authentication on all platformsIn the Objects management area of the CMC, you must specify credentials for the account under which the program runs. This feature allows you, the administrator, to set up a specific user account for the program, and assign it appropriate rights, to have the program object run as that account. For details, see “Controlling users’ access to objects” on page 303. Alternatively, users who publish program objects to BusinessObjects Enterprise can assign their own credentials to a program object, to give the program access to the system. Thus, the program will run under that user account, and the rights of the program will be limited to those of the user. If you choose not to specify a user account for a program object, it runs under the default system account, which generally has rights locally but not across the network.Note: By default, when you schedule a program object, the job fails if credentials are not specified. To provide default credentials, click Object Settings in the Objects management area, then click the Program Objects tab. Click “Schedule with the following operating system credentials” and provide a default user name and password.

To specify a user account for a program object1. In the Objects management area of the CMC, click the link for the

program object.2. Click the Process tab, then click the Logon link.

The Logon page appears.


Managing ObjectsObject package management17

3. In the User Name and Password fields, type the credentials for the user account under which the program should run.

4. Click Update.

Authentication for Java programsBusinessObjects Enterprise allows you to set security for all program objects. For Java programs, BusinessObjects Enterprise forces the use of a Java Policy File, which has a default setting that is consistent with the Java default for unsecure code. Use the Java Policy Tool (available with the Java Development Kit) to modify the Java Policy File, to suit your specific needs.The Java Policy Tool has two code base entries. The first entry points to the BusinessObjects Enterprise Java SDK and allows program objects full rights to all BusinessObjects Enterprise JAR files. The second code base entry applies to all local files. It uses the same security settings for unsecure code as the Java default for unsecure code.Note: • The settings for the Java Policy are universal for all Program Job Servers

running on the same machine.• By default, the Java Policy File is installed to the Java SDK directory in

the BusinessObjects Enterprise install root directory. For example, a typical location on Windows is:C:\Program Files\Business Objects\BusinessObjects Enterprise 11\conf\crystal-program.policy

Object package managementThis section explains object packages and instances, and how to manage them through the Central Management Console (CMC). It includes:• “What are object packages, components, and instances?” on page 444• “Creating an object package” on page 445• “Adding objects to an object package” on page 446• “Configuring object packages and their objects” on page 447• “Authentication and object packages” on page 448

What are object packages, components, and instances?Object packages function as distinct objects in BusinessObjects Enterprise. Think of them as folders you can schedule, along with all of their contents. Object packages can be composed of any combination of report and program objects that are published to the BusinessObjects Enterprise system. (Non-


Managing ObjectsObject package management 17

BusinessObjects Enterprise objects, such as Excel, Word, Acrobat, Text, Rich Text, PowerPoint, and Hyperlink objects, cannot be added to object packages.) Placing multiple objects in a single object package allows you to schedule them simultaneously. For reports, object packages allow users to view synchronized data across reports. Component objects are not autonomous. They have more limited configuration options than other objects, and they do not appear in the list of all objects on the first page of the Objects management area of the CMC. Rather, you can only view them by opening their object package. BusinessObjects Enterprise creates an object package instance each time it runs an object package. The object package instance contains individual instances of each of its component objects. Component instances are tied to object package instances, rather than to component objects. For example, if you run an object package, and thereby create an instance, then remove a report object from the object package, the existing object package instance does not change; it still contains the report instance from the report object that you removed. Future instances of the object package, however, will reflect the change.For hyperlinked report instances in object package instances, the hyperlinks point to the other report instances in the same object package instance. For details about hyperlinked reports, see “Working with hyperlinked reports” on page 433.

Creating an object package1. Go to the Objects management area of the CMC.2. Click New Object, then click the Object Package tab.

The Object Package tab appears.3. In the Title field, type the name of the object package you want to create.4. In the Description field, type a description of the object package.

This field is optional.5. Ensure the correct folder name appears in the Destination field.

Note: You cannot place object packages in the top level folder or inside other object packages.Tip: • To expand a folder, select it and click Show Subfolders.• To search for a specific folder, use the Look For field.

6. Click OK.



Note: When the object package has been added to the system, the CMC displays the Properties page. You can now modify the properties, contents, scheduling information, destination, user rights, object settings, and notification for the object package.

Adding objects to an object packageIn the CMC, after you have created an object package, you can add report and/or program component objects to it. You can add previously unpublished objects directly to the object package, or you can copy existing objects into the object package. You can only move copies of existing objects into the object package, or between object packages; you cannot move the existing objects themselves. For details on copying objects, see “Copying, moving, or creating a shortcut for an object” on page 403.When you copy an object into an object package, the component object retains the same settings as the original object. However, once you create the copy of the original object inside the object package, the component and the original are separate entities. Changes in one object are not reflected in the other.Note: You publish objects to new or existing object package using the Publishing Wizard. For details, see “Publishing with the Publishing Wizard” on page 362.

To publish a new object directly to an object package1. In the Objects management area of the CMC, view an object package by

clicking its link.2. Click the Objects tab, then click the New Object button.3. A list of object tabs appears. Note that you can add only report objects or

program objects to an object.4. Click the appropriate tab, Report or Program.5. Specify the file name or, or click browse to navigate to the object you

want to publish.6. Set the appropriate properties.

• For reports, set whether to generate a thumbnail for the report, and whether to use the Object Repository when refreshing the report.

• For programs, set the program type: Executable, Java, or Script.7. Click OK.


Managing ObjectsObject package management 17

Configuring object packages and their objectsObject packages are intended to save you time scheduling objects that have similar scheduling requirements. As a result, you configure some parameters at the object package level, and some at the object level, that is, for the individual objects in the object package.For example, you have to specify the destination for an object package, but you cannot specify destinations for the individual objects in the package. When the system runs the object package, it will save the output instances to the destination you specified for the object package.Note: Because the objects in an object package are copies of objects that exist outside the package, the changes you make will not affect the objects outside the object package.The following table indicates which configuration parameters you can modify for an object package or for individual objects in a package. The parameters are identified by tab or link. For information on how to set or modify these parameters, see:• “General object management” on page 403• “Report object management” on page 411• “Program object management” on page 436• Chapter 18: Scheduling Objects

Configuration tabs and links

Configure for an object package

Configure for individual objects in a package

Properties tab yes yesRefresh Options -- yesLinks -- yes

History tab yes --Process tab Scheduling server View & Modify server

Database -- yesParameters -- yesFilters -- yesPrint Setup -- yes

Schedule tab yes --Notification -- yesAlert Notification -- yes



Authentication and object packagesObject packages simplifies both Enterprise and database authentication. You enter your Enterprise authentication only once to schedule the object package, including all of its component objects. Consequently, you must have scheduling rights for each of the objects inside the object package. If you attempt to schedule a package that contains one or more component objects to which you do not have schedule rights, the component instance(s) fail(s).For database authentication, you specify database logon information for each report component object in the object package. (If you copied the report into the object package, it initially inherits the database logon information of the original report.)

Format -- yesDestination yes --Schedule For yes --

Categories tab n/a n/aCorporate yes yesPersonal yes yes

Rights tab yes --

Configuration tabs and links

Configure for an object package

Configure for individual objects in a package


Scheduling Objects

chapter

Scheduling ObjectsScheduling objects overview18
Scheduling objects overview
Scheduling an object lets you run it automatically at specified times. You can schedule report objects, Web Intelligence documents, program objects, and object packages. For details about object types and object management, see Chapter 17: Managing Objects.When you schedule an object, the system creates a scheduled instance for the object. A scheduled instance contains object and schedule information. It does not contain any data yet. Scheduled instances appear on the History page of the respective object and have a status of Recurring or Pending.When the system runs the object, it creates an output instance for the object, for example, a report or program instance. A report instance contains actual data from the database. A program instance is a text file that contains the standard out and standard error produced when the program object was run. Output instances also appear on the History page of an object and have a status of Success or Failed.This chapter contains the following sections:• “Scheduling objects” on page 450

This section provides information on how to schedule objects.• “Managing instances” on page 479

This section describes how to manage instances for an object.• “Setting the scheduling options” on page 460

This section describes the options on the different Schedule pages for an object, such as Notification, or Destination.

Scheduling objectsWhen you schedule an object, the system creates a scheduled instance for the object. A scheduled instance contains object and schedule information. It does not contain any data yet. Scheduled instances appear on the History page of the respective object and have a status of Recurring or Pending. Scheduled instances use the settings that are presently configured for the object in CMC.In order for a program object to be successfully scheduled and run, you must provide logon information for the account that the program object will run as. For details, see “Authentication and program objects” on page 443.


Scheduling ObjectsScheduling objects 18

For end users to schedule and run objects, they must use a web-based client such as InfoView or a custom web application. InfoView is designed primarily to schedule objects and view reports, whereas CMC enables you to manage and administer objects in addition to scheduling objects and viewing reports.Many scheduling options allow you to schedule an instance with events. For details, see “Scheduling an object with events” on page 457.Note: If a Web Intelligence document has been set to “refresh on open” then the system will access the database to obtain the latest information each time a user views the document. Therefore, it may not be advantageous to schedule Web Intelligence documents that are set to “refresh on open”, because running the document at scheduled times will not reduce the number of database hits.

To schedule an object1. In the Objects management area of the CMC, select an object by clicking

its link.2. Click the Schedule tab.

The Schedule page appears, showing the default settings for the object.3. Select the recurrence pattern you want. For example, select Weekly.

For a list and descriptions of the recurrence patterns, see “Recurrence patterns” on page 453.

4. Specify the Run option and parameters that you want. For example, select “Every week on” and then specify Monday, Wednesday, Friday.For a list and descriptions of the Run options and parameters, see “Run options and parameters” on page 453.

5. Set any of the other schedule options and parameters as required. For details, see “Setting the scheduling options” on page 460.

6. Click Schedule. The system creates a scheduled instance and it will run the instance according to the schedule information you just specified. You can view the scheduled instance on the History page for the object. See also “Managing and viewing the history of instances” on page 479.Note: To save the schedule settings as the new default setting for the object, click Update. The new settings on the Schedule tab for the object are saved.


Scheduling ObjectsScheduling objects18
About the scheduling options and parameters
When you schedule an object, you choose the recurrence pattern that you want. For example, you select Daily or Weekly, and then the run option (for example, “Every week on”). You then specify additional parameters to control exactly when and how often the object will be run.The recurrence patterns appear on the left of the Schedule page. The Run options list and related parameters appear to the right of the recurrence patterns.



Which run options and parameters are available depends on the recurrence pattern you selected. In many case the same parameters appear, such as start and end dates. The names of the recurrence patterns, options, and fields are generally self explanatory, but for a complete description, see:• “Recurrence patterns” on page 453• “Run options and parameters” on page 453

Recurrence patternsWhen scheduling an object, you can choose from the following recurrence patterns:• On demand—The object will only be run when a user request it to be

run. • Once—The object will be run only once. It can be run now or in the

future, or when a specified event has occurred.• Daily—The object will be run every day. It can be run once or several

times a day. You can specify what time as well as a start and end date.• Weekly—The object will be run every week. It can be run once a week or

several times a week. You can specify which days, what time, and a start and end date.

• Monthly—The object will be run every month or every several months. You can specify on which days of the month, what time, and a start and end date you want it to run.

• Calendar—The object will be run on the dates specified in a calendar. You can specify which calendar. The calendar must have been previously created. See Chapter 19: Managing Calendars.

Run options and parametersThis section describes the Run parameters for scheduling an object. Not all parameters apply in all cases, but when they apply, their function is the same.RunThis list always appears, but the options vary depending on which recurrence pattern you select.For example, if you select Daily, you can select to run the object “Once each day” or “Every X day(s).” If you select Monthly, you can select to run the object “On the Nth day of the month” or “On the first Monday of the month.” To see all the Run options for a recurrence pattern, refer to the software.



X and N variablesApplies to certain Daily and Monthly recurrence patterns only. When you select a Run option that contains these variables, the system displays their default values. You can then changes these values as needed.For example, if you select the “Daily” recurrence pattern and the “Every X hour(s), N minute(s)” Run option, you could specify to run the report every 4 (X) hours and 30 (N) minutes. If you don’t change the X or N value, the system will run the report every hour.Start DateApplies to most, but not all recurrence patterns and Run options. The default is the current date and time. The system will run the object according to the schedule that you specified, as soon as it can, after the Start Date has passed.For example, if you specify a start date that is three months into the future, the system won’t run the object until the start date has passed, even if all the other criteria are met. After that, the system will run the report at the specified time.End DateApplies to most, but not all, recurrence patterns and Run options. The default is the current time and a date in the distant future, to ensure an object will be run indefinitely. Specify a different End Date if required. Once the End Date has passed, the system no longer runs the object.Available EventsApplies to all Run options that include “with events.” Select an event and click the Add button to move it to the “Events to wait for” box. You can select one or several events. The system will run the object only when those events have been successfully completed. See also “Scheduling an object with events” on page 457.Available Schedule EventsApplies to all Run options that include “with events.” Select an event and click the Add button to move it to the “Events to trigger on completion” box. You can select one or several events. A successful run of the object will trigger the events that you specified. This list of events contains schedule events only. You cannot trigger file or custom events. See also “Scheduling an object with events” on page 457, and Chapter 20: Managing Events.Number of retries allowedAlways applies. The number of times the system attempts to process an object if the first attempt is not successful. By default, the number is zero.Retry interval in secondsAlways applies. The period, in seconds, that the system will wait before it attempts to process the object again if the first attempt is unsuccessful.



Scheduling objects using object packagesYou can schedule objects in batches using the object packages feature. Object packages function as distinct objects in BusinessObjects Enterprise. They can contain any combination of objects that can be scheduled, such as report and program objects, and Web Intelligence documents. Using object packages simplifies authentication. In terms of reports and Web Intelligence document, it allows users to view synchronized data across instances.This procedure describes how to use the CMC to schedule objects by using object packages. First you publish an object package. Then, you copy existing objects into the object package. Finally, you schedule the object package as you would any object. Alternatively, you can publish objects directly to an object package, and then you can schedule that object packages as you would any object. For details on publishing directly to an object package, see “Publishing overview” on page 360. For details on configuring object packages, see “Object package management” on page 444.Note: • You must configure the processing information of each of the

components of an object package individually. For example, if you want a report object in an object package to print when scheduled, you must configure it through the Print Setup link available on the report object’s Process tab. For more information about configuring objects, see “Managing Objects” on page 401.

• For information about publishing hyperlinked report objects, see “Working with hyperlinked reports” on page 433.

To schedule objects using object packages1. Go to the Objects management area of the CMC.2. If the object package already exist, skip this step. Otherwise:

a. Click New Object, and then click the Object Package tab. b. Type the package name and a description.c. Select a destination for the object package.d. If you want, assign the object package to a category.e. Click OK.f. Go to the Objects management area of the CMC again.See also “Publishing with the Central Management Console” on page 371.



3. Select the check boxes associated with each object you want to place in the object package.

4. Click Copy/Move/Shortcut.The Copy/Move/Create Shortcut page appears.

5. Select Copy to.Note: Existing objects cannot be moved into an object packages; they must be copied to the object package.

6. Select the object package you created as the Destination for the objects, and then click OK.Tip: • Object packages are indicated by [square brackets].• To expand a folder, select it and click Show Subfolders.• To search for a specific folder or object package, use the Look For

field.7. Schedule the object package.

See “Scheduling objects” on page 450.



Scheduling an object with eventsWhen you schedule an object with events, the object will be run only when the additional condition (that is, the event) occurs. You can tell an object to wait for any, or all of the three event types: file-based, custom-based, and schedule-based. If you want a scheduled object to trigger an event, you must choose a schedule-based event.Note: A file-based event is triggered upon the existence of a specified file. A custom-based event is triggered manually. A schedule-based event is triggered by another object being run.

Scheduling objects based on an eventWhen you schedule an object that waits for a specified event, the object will run only when the event is triggered, and only when the rest of the schedule conditions are met. If the event is triggered before the start date of the object, the object will not run. If you have specified an end date for this object, and if the event is not triggered before the end date occurs, the object will not run because not all of the conditions will have been met. Also, if you choose a weekly, monthly, or calendar schedule, the object will have a specified time frame in which it can be processed. The event must be triggered within this specified time for the object to run. For example, if you schedule a weekly report object that runs every Monday, the event must be triggered within the 24-hour period on Monday; if the event is triggered outside of the 24-hour period, then the report will not run.

Scheduling objects to trigger an eventYou can also schedule an object which triggers a schedule-based event upon completion of the object being run. When the object is run, BusinessObjects Enterprise will trigger the specified event. For a schedule-based event, if the event is based on the instance being run successfully, for example, the event won’t be triggered if the instance fails. For a sample scenario on when you would use a schedule-based event, see “Schedule-based events” on page 496.Note: To schedule an object with events, first ensure that you have created the event. See “Managing events overview” on page 494.

To schedule an object to run based on events1. In the Objects management area of the CMC, select an object by clicking

its link.2. Click the Schedule tab.3. Select the recurrence pattern you want. For example, select Weekly.

For a list and descriptions of the recurrence patterns, see “Recurrence patterns” on page 453.



4. In the Run list, select a run option that contains the words, “with events.”

5. Select and complete the schedule parameters for your object (scheduling option, Start Date, End Date, and so on).For a list and descriptions of the Run options and parameters, see “Run options and parameters” on page 453.

6. In the Available Events area, select from the list of events and click Add.For example, the report object above is set to wait for a Custom-based event to occur before the report is processed.

7. To update the default scheduling information, click Update.If you don’t click Update, any changes you made to the scheduling information are not saved.

8. Click the Schedule button to schedule the object.



To schedule an object to trigger an event1. In the Objects management area of the CMC, select an object by clicking

its link.2. Click the Schedule tab.3. From the list on the left of the page, select a recurrence pattern: Once,

Daily, Weekly, Monthly, or by Calendar.For a list and descriptions of the recurrence patterns, see “Recurrence patterns” on page 453.

4. In the Run list, select a run option that contains the words, “with events.”5. Select and complete the schedule parameters for your object (scheduling

option, Start Date, End Date, and so on).

6. In the Available Schedule Events area, select from the list of events and click Add.


Scheduling ObjectsSetting the scheduling options18

For example, the report object above is set to trigger a Schedule-based event only if the report is successfully processed.Note: You can only select schedule-based events in this list.

7. To update the default scheduling information, click Update.If you don’t click Update, any changes you made to the scheduling information are not saved.

8. Click the Schedule button to schedule the object.

Setting the scheduling optionsBusinessObjects Enterprise allows you to control the process and schedule settings for an object. Setting the scheduling options includes the following tasks:• “Scheduling objects” on page 450• “Setting notification for an object’s success or failure” on page 460• “Specifying alert notification” on page 463• “Selecting a destination” on page 465 • “Choosing a format” on page 475• “Scheduling an object for a user or group” on page 477

Setting notification for an object’s success or failureYou can set scheduling options that automatically send notification when an object instance succeeds or fails. You can send notification using audit or email notification. You can also combine multiple notification methods, and provide different notification settings for successful and failed instances. For example, you may have a large number of reports that run every day. You need to check each instance to make sure it ran properly, and then send out emails to the users who need to know that the new report is available. With thousands of reports, it would take too much time to manually check the reports and contact the users who need the information. Using notification settings in BusinessObjects Enterprise, you can set each object to automatically notify you when the report fails to run properly, and you can automatically inform users when new report instances run successfully.


Scheduling ObjectsSetting the scheduling options 18

Determining an object’s success or failureWhen you schedule an object, the scheduled instance either succeeds or fails. The conditions required for an instance’s success or failure depend on the type of object you schedule: • Report and Web Intelligence document objects

A report instance runs successfully if it doesn’t encounter any errors while processing the report object or accessing the database. A report instance may fail if the user does not provide the correct parameters or logon information.

• Program objectsFor program objects, the program must run in order to succeed. If the program does not run, the instance is considered a failure. If the program runs, but does not perform the tasks it is supposed to, it is still considered a successful instance because the program object ran. BusinessObjects Enterprise does not monitor problems with the program object’s code.

• Object packagesAn object package may fail if one of its components fails. To change this setting, click the object package’s Properties tab and clear the “Scheduled package fails upon individual component failure” option. You can also set scheduling options for individual objects within an object package.Note: You cannot set audit or email notification for object packages, but you can set any type of notification for the individual objects in the object package. You can also schedule object packages with events on the Schedule tab. For more information about events, see “Schedule-based events” on page 496.

About notificationYou can set notification at the object level. You can select unique notification options for each object, sending different types of notification for different conditions. For object packages, you can set only event notification, which will trigger an event based on success or failure of the object package. To monitor object successes and failures from a more general perspective, use the auditing functionality within BusinessObjects Enterprise. If notification fails, then the object instance fails. For example, if an email notification sends a message to an invalid email address, then the notification fails and the object instance is recorded as a failure in the object’s history.You can choose to notify using:



• Audit notificationTo use audit notification, you must configure the auditing database and enable auditing for the servers. If you use auditing to monitor your BusinessObjects Enterprise system, you can use audit notification. For more information about configuring the auditing database and enabling auditing, see “Managing Auditing” on page 189.When you select audit notification, information about the scheduled object is written to the auditing database. You can choose to have a notification sent to the auditing database when the job runs successfully, when it fails to run, or both.Note: For the job servers you can also set audit notification on the Auditing tab.

• Email notificationYou can send an email as a notification of an object instance’s success or failure. You can choose the sender and recipients of the email message. You can send an email when the instance fails and when it succeeds. For example, you could send your administrator an email if the report fails, but when the report succeeds you can automatically send a notification to everyone who needs the report to let them know it is now available.Note: To enable email notification, you must have the Email SMTP destination enabled and configured on the job servers. See “Configuring the destinations for job servers” on page 116

Note: Notification of a scheduled object’s success or failure is not the same as alert notification. Alert notification must be built into the design of the report. For example, alert notification can send an email to you whenever a specific value in the report exceeds $1000000. In this case, the notification has nothing to do with the contents of the report - it’s just about whether or not the report object instance has failed or succeeded.

To set notification for an instance’s success or failure1. Select a object in the Objects management area of the CMC.2. Click the Schedule tab, then click the Notification link.3. Click the notification type (or types) you want to use.

Note: If the notification type is already being used, it will be labelled “Enabled”. If not, it will be labelled “Not in use”.

4. Choose the specific settings for the notification.



Audit notificationTo send a record to the auditing database when the job succeeds, select “A job has been run successfully.” To send a record when the job fails, select “A job has failed to run.”Email notificationChoose whether you want to send a notification when the job fails or when it succeeds. To specify the contents and recipients of the email notification, select “Set the vales to be used here” and provide the From and To email addresses, the email subject line, and the message.Note: By default, the notification is sent to the server’s default email destination. For details on how to change the default email settings, see “Email (SMTP) destination properties” on page 119.

5. Click Update.

Specifying alert notificationNote: This feature does not apply to Web Intelligence document objects.Alerts are custom messages, created in Crystal Reports, that appear when certain conditions are met by data in a report. Alerts may indicate action to be taken by the user or information about report data. If the alert condition (as defined in Crystal Reports) is true, the alert is triggered and its message is displayed.In BusinessObjects Enterprise, you can choose to send alert notification when scheduling a report. If you enable alert notification, messages are sent through an SMTP server. You can configure email delivery options, specify the “To,” “Cc,” and “From” fields for the email, add subject and message information, set a URL for the viewer you want the email recipient to use, and set the maximum number of alert records to send.Note: • The Alert Notification link is available only if the report object contains alerts.• Alerts are triggered in the report object even if you disable alert notification.• To enable alert notification, you must have the Email SMTP destination

enabled and configured on the job servers. See “Configuring the destinations for job servers” on page 116.



To set alert notification1. In the Objects management area of the CMC, select a report object by

clicking its link.2. Click the Schedule tab, and then click the Alert Notification link.

The Alert Notification page appears.

3. Clear the Enable alert notification check box if you do not want to send an alert notification.

4. Select either Use the Job Server’s defaults or Set the values to be used at schedule time here.If you select the first option, BusinessObjects Enterprise will deliver the alert notification using the Job Server’s default settings. You can change these settings in the Servers management area. For more information, see “Configuring the destinations for job servers” on page 116.



If you select the second option, you can specify the email settings:• From

Type a return address or distribution list.• To

Type the addresses or distribution list that you wish to send the report to.

• CcType the addresses or distribution list that you wish to send a copy of the alert notification to.

• SubjectComplete the subject field.

• MessageType a short message, if required.

Note: Separate multiple addresses or distribution lists using semicolons.5. Type the URL for the viewer in which you want the email recipient to view

the report. Alternatively, you can select the default viewer by clicking Use default.The viewer URL appears in the hyperlink that is sent in the alert notification email. You can set the default URL by clicking Object Settings on the main page of the objects management area of the CMC. For more information, see the developer documentation available on your product CD.Note: You must use World Wide Web Consortium (W3C) URL encoding when typing the viewer URL. For example, replace spaces in the path with %20. For more information, see http://www.w3.org/

6. Type the maximum number of alert records to be included in the alert notification.The hyperlink in the alert notification displays a report page that contains the records that triggered the alert. Use this field to limit the number of records displayed.Tip: The Alert Name and Status fields are set in Crystal Reports.

7. Click Update.

Selecting a destinationUsing BusinessObjects Enterprise, you can configure an object or instance for output to a destination other than the default Output File Repository Server (FRS). When the system runs an object, it always stores the output instance on the Output FRS. Being able to choose an additional destination gives you the flexibility to deliver instances across your enterprise system or to destinations outside your enterprise system.


http://www.w3.org/


For example, you can set an object to have its output automatically delivered by email to other users.Note: You can also configure object instances to be printed after they have been run. See “Setting printer and page layout options” on page 427.When you specify a destination other then “Default,” BusinessObjects Enterprise generates a unique name for the output file or files. To generate a file name, you can use a combination of ID, name or title of the object, owner information, or the date and time information.The following destinations are available:• “Default destination support” on page 467• “Unmanaged Disk destination support” on page 467• “FTP support” on page 469• “Email (SMTP) support” on page 471• “Inbox support” on page 474Note: You can change the destination setting for an object or instance either in the Central Management Console (CMC) or in InfoView. When you specify the destination settings through the CMC, these settings are also reflected in the default scheduling settings for InfoView.For program and report objects you can specify any of the available destinations. However, for object packages and Web Intelligence documents you cannot do this, because the recipients must have access to the BusinessObjects Enterprise system to be able to open these types of objects. For example, you cannot specify Unmanaged Disk as a destination for a Web Intelligence document. The following table summarizes which destinations you can configure for which types of objects.

Object type Unm. DIsk

Email (SMTP) Inbox


Report - - - - - -

Object Package No No No No - -

Program - - - - - -

Web Intelligence document

No No No - - -



Default destination supportBy default, object instances are saved to the Output File Repository Server (FRS). If you want to save instances to the FRS only and not to any other destinations, select that option.

To set your destination to default1. In the Objects management area of the CMC, select an object by clicking

its link.2. Click the Schedule tab, then click the Destination link.

The Destination page appears.3. Select Default from the Destination list.4. Click Update.

Unmanaged Disk destination supportWhen scheduling objects, you can configure the objects for output to an unmanaged disk. In that case, the system will save an output instance to both the Output File Repository Server and the specified destination.If the object is a Web Intelligence document or an object package, you cannot specify Unmanaged Disk as a destination. However, for an object package you can configure the individual objects in the object package for output to Unmanaged Disk.Note: • To use a destination, you must have the destination enabled and

configured on the job servers. See “Configuring the destinations for job servers” on page 116.

• The location must be a local or mapped directory on the processing server. For servers using Windows, the location can also be a Universal Naming Convention (UNC) path.

• The processing server must have sufficient rights to the specified location.

To set your destination to unmanaged disk1. In the Objects management area of the CMC, select an object by clicking


The Destination page appears.



Select Unmanaged Disk from the Destination list.

3. If you want, select the Clean up instance after scheduling option.When that option is selected, the system automatically deletes the report or program instance from the Output File Repository Server to keep the number of instances on the server to a minimum.

4. Select either Use the Job Server’s defaults or Set the values to be used at schedule time here.If you select the first option, BusinessObjects Enterprise will schedule an object using the Job Server’s default settings. You can change these settings in the Servers management area. For more information, see “Configuring the destinations for job servers” on page 116.If you select the second option, you can set the file name properties and enter user information:• Destination Directory

Enter a local location, mapped location, or a UNC path.



• Default File Name (randomly generated)Select this option if you want BusinessObjects Enterprise to generate a random file name.

• Specified File NameSelect this option if you want to specify a file name—you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. When the instance is run, the variable will be replaced with the specified information from the instance. For example, if you add the variable “Owner,” when you schedule an object, its file name will include the object owner’s name.

• User NameSpecify a user who has permission to write files to the destination directory.

• PasswordType the password for the user.

Note: You can specify a user name and password only for servers using Windows.

5. Click Update.

FTP supportWhen scheduling objects, you can configure the objects for output to a File Transfer Protocol (FTP) server. To connect to the FTP server, you must specify a user who has the necessary rights to upload files to the server.If you specify an FTP destination, the system will save an output instance to both the Output File Repository Server and the specified destination.If the object is a Web Intelligence document or an object package, you cannot specify FTP as a destination. However, for an object package you can configure the individual objects in the object package for output to FTP.Note: To use a destination, you must have the destination enabled and configured on the job servers. See “Configuring the destinations for job servers” on page 116.

To set an FTP server as the destination1. In the Objects management area of the CMC, select an object by clicking


The Destination tab appears.



3. Select FTP from the Destination list.


5. Select either Use the Job Server’s defaults or Set the values to be used at schedule time here.If you select the first option, BusinessObjects Enterprise will schedule an object using the Job Server’s default settings. You can change these settings in the Servers management area. For more information see “Configuring the destinations for job servers” on page 116.



If you select the second option, you can set the FTP and file name properties:• Host

Enter the FTP host information.• Port

Enter the FTP port number (the default is 21).• FTP User Name

Specify a user who has the necessary rights to upload an object to the FTP server.

• FTP PasswordEnter the user’s password.

• AccountEnter the FTP account information, if required.Account is part of the standard FTP protocol, but it is rarely implemented. Provide the appropriate account only if your FTP server requires it.

• Destination DirectoryEnter the FTP directory that you want the object to be saved to.


• Specified File NameSelect this option if you want to enter a file name—you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add.

6. Click Update.

Email (SMTP) supportWith Simple Mail Transfer Protocol (SMTP) mail support, you can choose to send the instances of an object, for example, a report instance, to one or more email destinations. After it has run the object, the system will send a copy of the output instance as an attachment to the email addresses you specified.When you select the Email (SMTP) destination, the system will save the instance to the Output File Repository Server as well as email it to the specified destinations. BusinessObjects Enterprise supports Multipurpose Internet Mail Extensions (MIME) encoding.



Note: To use a destination, you must have the destination enabled and configured on the job servers. See “Configuring the destinations for job servers” on page 116.Note: If the object is a Web Intelligence document, you cannot specify Email (SMTP) as a destination.

To send an object by email1. In the Objects management area of the CMC, select an object by clicking


The Destination page appears.3. Select Email (SMTP) from the Destination list

4. If you want, select the Clean up instance after scheduling option.



When that option is selected, the system automatically deletes the report or program instance from the Output File Repository Server to keep the number of instances on the server to a minimum.

5. Select either Use the Job Server’s defaults or Set the values to be used at schedule time here.If you select the first option, BusinessObjects Enterprise will schedule an object using the Job Server’s default settings. You can change these settings in the Servers management area. For more information, see “Configuring the destinations for job servers” on page 116.If you select the second option, you can specify the email settings and the file name properties:• From

Enter a return address.• To

Enter an address or addresses that you wish to send the object to. Separate multiple addresses with semicolons.

• CcEnter an address or addresses that you wish to send a carbon copy of the object to.

• SubjectComplete the subject field.

• MessageType a short message, if required.

• Add viewer hyperlink to message bodyClick Add if you want to add the URL for the viewer in which you want the email recipient to view the object. You can set the default URL by clicking Object Settings on the main page of the Objects management area of the CMC.

• Attach object instance to email messageClear this check box if you do not want a copy of the instance attached to the email.


• Specified File NameSelect this option if you want to enter a file name—you can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add.

6. Click Update.


Inbox support
When scheduling objects, you can configure objects for output to the inboxes of users. In this case, the system will save the instance to both the Output File Repository Server and the inboxes you specified. Instead of sending the actual file to the inboxes, you can choose to send a shortcut.Note: To use a destination, you must have the destination enabled and configured on the job servers. See “Configuring the destinations for job servers” on page 116.

To send an object to inboxes1. In the Objects management area of the CMC, select an object by clicking


The Destination tab appears.3. Select Inbox from the Destination list.




5. Select the processing option that you want:• Use the Job Server’s defaults

BusinessObjects Enterprise will schedule the object with the job server’s default settings. For more information, see “Configuring the destinations for job servers” on page 116.

• Set the values to be used at schedule time hereBusinessObjects Enterprise will schedule the object with the parameters you specify.

6. If you selected “Set the values to be used at schedule time here,” set the parameters for that option, otherwise skip this step:Send Document as• Shortcut The system will send a shortcut to the instance, rather

than send a copy of the instance itself.• Copy The system will send a copy of the instance. Send List• Operation Specify who must receive the report instance. You can

select individual users or user groups.• Look for Use this feature to search for a specific user or users

group. Type the name and then click Find now.7. Click Update.

Choosing a formatWeb Intelligence document formatsFor Web Intelligence documents, you can select the format that the document will be saved in when it is generated. This format will be saved to the destination you have selected. For more information on destinations, see “Selecting a destination” on page 465. You can select from the following formats:• WebIntelligence• Microsoft Excel• Adobe Acrobat



Crystal report formatsFor Crystal report objects, you can select the format that a report instance will be saved in when it is generated by BusinessObjects Enterprise. This format will be saved to the destination you have selected for the report object and its instances. For more information on destinations, see “Selecting a destination” on page 465. You can select from the following formats:• Crystal Report• Microsoft Excel• Microsoft Excel (Data Only)• Microsoft Word (RTF)• Adobe Acrobat• Rich Text• Editable Rich Text• Plain Text• Paginated Text• Tab-Separated Text• Tab-Separated Values• Character-separated ValuesFor Excel, Paginated Text, Tab-separated Values, and Character-separated Values, you specify certain formatting properties for the report. For example, if you select Character-separated Values, you can enter characters for the separator and delimiter; you can also select the two check boxes: “Same number formats as in report” and “Same date formats as in report.”Note: • If you choose to print the report when it is scheduled (by checking the

“Print in Crystal Reports format using the selected printer when scheduling” check box on the Print Setup page), the report instance is automatically sent to the printer in Crystal Reports format. This does not conflict with the format you select when scheduling the report.

• The difference between Excel and Excel (Data only) is that Excel attempts to preserve the look and feel of your original report, while Excel (Data only) saves only the data, with each cell representing a field.

• The Tab-separated Values format places a tab character between values; the Character-separated Values format places a specified character between values. Each of these two formats produce data lists. In contrast, the Tab-separated Text format attempts to preserve the formatting of the report.



To select a format for the report1. In the Objects management area of the CMC, select a report object by

clicking its link.2. On the Schedule tab, click the Format link.

The Format page appears.3. Select a format from the Format list.4. Complete any fields that appear below the list and select (where

appropriate) the check boxes that appear.5. Click Update.

Selecting cache options for Web Intelligence documentsWhen the system runs a scheduled Web Intelligence document it stores the the instance it generates on the Output File Repository Server. In addition, you can choose to have the system cache the report on the Web Intelligence Report Server by selecting a cache format for the document. If you don’t select a cache format, then the system won’t cache the document when it runs the document.Note: To select a cache option, the format you specified on the Schedule tab for the object must be WebInteligence. If you select a different format, the Cache Options link is disabled for the object.

To select a cache format for Web Intelligence documents1. In the Objects management area of the CMC, select Web Intelligence

object by clicking its link.2. On the Schedule tab, click the Caching Options link.

The Caching Options page appears.3. Select the format you want.4. Click Update.

Scheduling an object for a user or groupThe Schedule For feature allows you to generate reports that contain data for specific users only. It is intended to be used for either of the following types of objects:• Crystal reports that are based on Business Views• Web Intelligence documents that use Universes



Using the Schedule For feature you can schedule an object and specify for which users you want the system to run the object. The system will run the object and generate multiple instances of the report or document. Each instance will contain data that is relevant to the individual user only.For example, you can schedule a sales report and on the Schedule For page you can specify the users names for all your sales representatives. At the specified time, the system runs the report object and generates the individual report instances. Each instance would contain sales information for the individual sales representative only.

To change the Schedule For settings for an object1. In the Objects management area of the CMC, select a report object by

clicking its link.2. On the Schedule tab, click the Schedule For link.

The Schedule For page appears.

3. Select who you want to schedule the object for.• Schedule only for myself• Schedule for specified users and user groups

4. If you selected Schedule for specified users and user groups, select one or more users or groups and add them to the “Groups to be added to the scheduling list” by using the arrow buttons. Otherwise, skip this step.

5. Click Update.


Scheduling ObjectsManaging instances 18

Managing instancesTo view or manage instances, go to the History page for the object. That page lists the scheduled instances and the output instances for an object:• Scheduled instances will have a status of Recurring or Pending. The

system has not yet run these instances, and the instances do not contain any data yet.

• Output instances, that is, actual report or program instances, will have a status of Success or Failed, which indicate whether they were run successfully:• A report instance contains actual report data.• A program instance stores the program’s standard out and standard

error in a text output file. From the History page, you can also choose to delete, run, pause, and refresh instances. See “Managing and viewing the history of instances” on page 479.To manage storage space, it is good practice to limit the number of possible instances for an object, or to provide a time limit for the instances. See “Setting instance limits for an object” on page 482.

Managing and viewing the history of instancesThe History page displays all of the instances for a selected object. The Instance Time column displays the title of the instances and the date of the last update for each instance. The Status column displays the status of each instance. The Run By column indicates which user scheduled the instance.For report objects, the Format column displays which format the report is, or will be stored in and the Parameters column indicates what parameters were or will be used for each instance. For program objects, the Arguments column lists the command-line options that were or will be passed to the command line interface for each instance. BusinessObjects Enterprise creates instances from objects. That is, a report instance is created when a report object is scheduled and run by the Job Server. Essentially, a report instance is a report object that contains report data that is retrieved from one or more databases. Each instance contains data that is current at the time the report is processed. You can view specific report instances on the History page of the report object.BusinessObjects Enterprise creates a program instance each time that a program object is scheduled and run by the Program Job Server. Unlike report instances, which can be viewed in their completed format, program


Scheduling ObjectsManaging instances18

instances exist as records in the object history. BusinessObjects Enterprise stores the program’s standard out and standard error in a text output file. This file appears when you click a program instance in the object History.Managing instances includes the following tasks:• “Viewing an instance” on page 480• “Pausing or resuming an instance” on page 481• “Deleting an instance” on page 482• “Sending an object or instance” on page 406

To manage instances1. In the Objects management area of the CMC, select an object by clicking

its link.2. Click the History tab.

The History tab appears.3. Select an instance or instances by selecting the appropriate check boxes.

To select all instances, click the check box in the column heading.Note: To refresh the list, click Refresh. In this case you don’t need to select an instance first.

4. Click either Run Now, Pause, Resume, Send to, or Delete.If you click Run Now, the system schedules the object to be run immediately. The scheduled job will have a status of Pending.For information about the Send to button, see “Sending an object or instance” on page 406.

Viewing an instance To view an instance

1. Select a object in the Objects management area of the CMC.2. Click the History tab.



The History page appears.

3. In the Instance Time column, click the instance you want to view.You can also use the Instance Manager tool to view a list of instances by status or by user. Access the Instance Manager by clicking its link in the Administrative Tools area of the BusinessObjects Enterprise Administration Launchpad.

Pausing or resuming an instanceYou can pause and then resume an instance as needed. Pause and resume can be applied to scheduled instances only, that is, instances that have a status of Recurring or Pending. For example, if a job server is down for maintenance reasons, you may want to pause a scheduled instance. This prevents the system from running the object, and the object from failing because the job server is not running. When the job server is running again, you can resume the scheduled object.

To pause and resume an instance1. Go to the History page for an object.2. Select the check box for the scheduled instance you want to pause.3. Click Pause.

To resume an instance after pausing it1. Go to the History page for an object.2. Select the check box for the scheduled instance you want to resume.3. Click Resume.


Deleting an instance
You can delete instances from an object as needed. You can delete both scheduled instances, which have a status of recurring or pending, and report or program instances, which have a status of success of failed.

To delete an instance1. Go to the History page for an object.2. Select the check box for the instance or instances you want to delete.Click Delete.

Setting instance limits for an objectIn the Limits page, you can set the limits for the selected object and its instances. You set limits to automate regular clean-ups of old BusinessObjects Enterprise content. At the object level, you can limit the number of instances that remain on the system for the object or for each user or group; you can also limit the number of days that an instance remains on the system for a user or group.In addition to setting the limits for the objects from the Objects management area, you can also set limits at the folder level. When you set limits at the folder level, these limits will be in effect for all objects that reside within the folder (including any objects found within the subfolders). For information on setting folder limits, see “Setting limits for folders, users, and groups” on page 351.Note: When you set the limits at the object level, the object limits will override the limits set for the folder; that is, the object will not inherit the limits of the folder.

To set limits for instances1. In the Objects management area of the CMC, select an object by clicking

its link.2. On the History tab, click the Limits link.



The Limits page appears.

3. Make your settings according to the types of limits you want to set for your instances. The options are as follows:• Delete excess instances when there are more than N instances

of an objectTo limit the number of instances per object, select this check box. Then type the maximum number of instances that you want to remain on the system. (The default value is 100.)

• Delete excess instances for the following users/groupsTo limit the number of instances for users or groups, click Add/Remove in this area. Select from the available users and groups and click OK. Then type the maximum number of instances in the Instance Limit column. (The default value is 100.)

• Delete instances after N days for the following users/groupsTo limit the number of days that instances are saved for users or groups, click Add/Remove in this area. Select from the available users and groups and click OK. Then type the maximum age of instances in the Maximum Days column. (The default value is 100.)

4. Click Update.


Managing Calendars

chapter

Managing CalendarsOverview19
Overview
Calendars make it easy for you to schedule complex recurring jobs efficiently. A calendar is a customized list of run dates for scheduled jobs. When users schedule objects, they can use a calendar to run the job on a predefined set of dates. By providing calendars for your users, you can create more complex processing schedules than you can with the standard scheduling options.Calendars are particularly useful when you want to run a recurring job on an irregular schedule, or if you want to provide users with sets of regular scheduling dates to choose from. Calendars also allow you to create more complex processing schedules, combining unique scheduling dates with recurring ones. For example, if you want a report object to run every business day except for your country’s statutory holidays, you can create a calendar with the holidays marked as “non-run” days, on which the report object cannot be run. BusinessObjects Enterprise will run the job every day you have specified as a “run” day in your calendar.You can set up as many calendars as you want in BusinessObjects Enterprise. Calendars you create appear in the Calendar selection list available when you choose to schedule an object using a calendar. When you apply the calendar to a job, runs the job on the run dates as scheduled.You can apply calendars to any object that can be scheduled, including report objects, program objects, and object packages.Managing calendars includes:• “Creating calendars” on page 486• “Adding dates to a calendar” on page 487• “Deleting calendars” on page 491• “Specifying calendar rights” on page 492

Creating calendarsIn the Central Management Console (CMC), go to the Calendars management area to create new calendars and to modify existing calendars. To create a calendar, you need to provide a name and description. When the calendar is created, you can add run dates to it using the Dates tab.Tip: It is good practice to create a calendar for users to use as a template for creating new calendars. They can copy this template calendar and modify it as necessary. For example, you can create a default Weekdays calendar that includes all days as run dates except weekends and company holidays.


Managing CalendarsAdding dates to a calendar 19

To create a calendar1. Go to the Calendars management area of the CMC. 2. Click New Calendar. 3. On the Properties tab, type the name and description of the new

calendar. This example creates a calendar for Canadian employees that schedules an object on all weekdays except statutory Canadian holidays.

4. Click Update.The new calendar is added to the system, and its Properties tab is refreshed. You can now use the Dates tab to add run dates to this calendar. For details, see “Adding dates to a calendar” on page 487.

Adding dates to a calendarYou can add dates to a calendar using a number of different formats. You can choose specific dates using a yearly, quarterly, or monthly view of the calendar, or you can choose recurring dates using general formats based on the day of the month or week. See “Recurring dates” on page 490.

To add dates to a calendar1. Go to the Calendars management area of the CMC. 2. Click the link for the calendar you want to change.3. Click the Dates tab.


Managing CalendarsAdding dates to a calendar19

4. In the “Select a calendar displaying format” list, choose from one of the five calendar format options:• Yearly

Yearly displays the calendar’s run dates for the year. To change the year displayed, you can click the Previous Year and Next Year buttons. To add a date from the Yearly format, click a month to open it in Monthly format, where you can add run dates to specific days.

• QuarterlyQuarterly displays the calendar’s run dates for the current calendar quarter. You can change the displayed quarter using the Previous Quarter and Next Quarter buttons. To add a date from the Quarterly format, click a month to open it in Monthly format, where you can add run dates to specific days.

• MonthlyMonthly displays the calendar’s run dates for the current month. You can change the displayed month using the Previous Month and Next Month buttons.

• Generic Monthly, by Day of WeekGeneric Monthly, by Day of Week allows you to add general recurring dates based on the day of the week. The dates are applied to the months specified between the Start and End Dates. Week 1 starts on the Sunday of the week of the Start Date you specify. Note that this format does not display the currently selected dates from the calendar; it only allows you to add new dates and update the schedule.

• Generic Monthly, by Day of MonthGeneric Monthly, by Day of Month allows you to add general recurring dates based on the day of the month. The dates are applied to the months specified between the Start and End Dates. This format allows you to add new dates and update the schedule; it does not display currently selected dates from the calendar.

See also “Specific dates” on page 489 and “Recurring dates” on page 490.5. Click the days of the month that you want to include as run days for the

calendar.To remove a run day, click the day again.Tip: For the Monthly and Generic Monthly, by Day of Week formats, you can select multiple dates at once by clicking the row or column headings.

6. To add the new dates to the calendar, click Update.


Managing CalendarsAdding dates to a calendar 19

If you added dates using a generic format, the Yearly format will automatically appear, displaying the new dates.Note: When you change an existing calendar, BusinessObjects Enterprise checks all currently scheduled instances in your system. Objects that use the edited calendar are automatically updated to run on the revised date schedule.

Specific datesTo add a specific date to a calendar, use the Yearly, Quarterly, and Monthly formats to add dates to the calendars.The Yearly format displays the run schedule for the entire year. The Quarterly format displays the run dates for the current quarter. You can also view the Monthly format for the calendar, which displays the run dates for the current month. In all three formats, you can change the displayed time range by clicking the previous and next buttons.You can add specific dates in the Monthly calendar format. To add dates for the Yearly and Quarterly calendar formats, click a month to open it in the Monthly format, where you can select specific days as run dates.

For example, if your company ships products according to an irregular schedule that cannot be defined using the daily or weekly settings, you can create a list of these dates in a “Shipping dates” calendar. The Shipping department can now check the inventory after each shipment by scheduling a report that uses the calendar to run at the end of each shipping day.


Managing CalendarsAdding dates to a calendar19

Recurring datesTo create a recurring pattern of monthly run dates, use the generic Monthly formats. You can add the generic dates based on the day of the week or the day of the month. To view existing run dates, you must use the Yearly, Quarterly, or Monthly format; the generic formats are used to add dates to the calendar. Although you can set a recurring schedule using the standard scheduling options, calendars allow you to specify several different recurring run patterns at once. You can also run instances on dates that do not follow the pattern by adding individual days to a calendar.For example, to schedule a report object to run on the first four days of every month, and on the second and fourth Friday of every month, first create a new calendar object and name it. Then, use the Generic Monthly, by Day of Month format to add the first four days of the month to this calendar. When you update the calendar, the Yearly format appears with the new run dates.

To add every second and fourth Friday to the calendar, use the Generic Monthly, by Day of Week format.


Managing CalendarsDeleting calendars 19

Deleting calendarsWhen you delete a calendar, any objects that are scheduled according to the deleted calendar will be run one more time by the system. After that, the system won’t be able to schedule the objects again, because the calendar no longer exists. To ensure the objects continue to be run, change the scheduling information for the objects either by selecting a different calendar or a different recurrence pattern. See “Scheduling objects” on page 450.

To delete a calendar1. Go to the Calendars management area of the CMC.2. Select the check box associated with the calendar you want to delete.

Tip: Select multiple check boxes to delete several calendars.3. Click Delete, and click OK to confirm.


Managing CalendarsSpecifying calendar rights19
Specifying calendar rights
You can grant or deny users and groups access to calendars. Depending how you organize your calendars, you may have specific sets of dates that you want to be available only for certain employees or departments. For example, your finance team may use a series of financial tracking dates that aren’t useful for other departments. Users will only be able to see the calendars they have the rights to see, so you can use rights to hide calendars that aren’t applicable to a particular group. Follow this procedure to change the rights for a calendar. By default, calendars are based on current security settings, inheriting rights from the users’ parent folders.

To grant access to a calendar1. Go to the Calendars management area of the CMC.2. Select the calendar you want to grant access to.3. Click the Rights tab.4. Click Add/Remove to add users or groups that you want to give access

to the selected calendar.The Add/Remove page appears.


6. Select the user or group you want to grant access to the specified calendar.If you have many users on your system, select the Add Users operation; then use the “Look for” field to search for a particular account.



For complete details on the predefined access levels and advanced rights, see “Rights and Access Levels” on page 547.

10. Click Update.


Managing Events

chapter

Managing EventsManaging events overview20
Managing events overview
Event-based scheduling provides you with additional control over scheduling objects: you can set up events so that objects are processed only after a specified event occurs. Working with events consists of two steps: creating an event and scheduling an object with events. That is, once you create an event, you can select it as a dependency when you schedule an object. The scheduled job is then processed only when the event occurs. This chapter shows how to create events in the Events management area of the Central Management Console (CMC).You can create three kinds of events:• File events

When you define a file-based event, you specify a filename that the Event Server should monitor for a particular file. When the file appears, the Event Server triggers the event. For instance, you might want to make some reports dependent upon the regular file output of other programs or scripts.For details, see “File-based events” on page 495.

• Schedule eventsWhen you define a schedule-based event, you select an object whose existing recurrence schedule will serve as the trigger for your event. In this way, schedule-based events allow you to set up contingencies or conditions between scheduled objects. For instance, you might want certain large reports to run sequentially, or you might want a particular sales summary report to run only when a detailed sales report runs successfully.For details, see “Schedule-based events” on page 496.

• Custom eventsWhen you create a custom event, you create a shortcut for triggering an event manually. Basically, your custom event occurs only when you or another administrator clicks the corresponding “Trigger this event” button in the CMC.For details, see “Custom events” on page 498.


Managing EventsFile-based events 20

When working with events, keep in mind that an object’s recurrence schedule still determines how frequently the object runs. For instance, a daily report that is dependent upon a file-based event will run, at most, once a day (so long as the file that you specify appears every day). In addition, the event must occur within the time frame established when you actually schedule the event-based report.Note: For information on scheduling an event-based object in the Objects management area of the CMC, see “Scheduling an object with events” on page 457.

File-based eventsFile-based events wait for a particular file (the trigger) to appear before the event occurs. Before scheduling an object that waits for a file-based event to occur, you must first create the file-based event in the Events management area of the CMC. Then you can schedule the object and select this event. For more information on scheduling an object with events, see “Scheduling an object with events” on page 457.File-based events are monitored by the Event Server. When the file that you specify appears, the Event Server triggers the event. The Central Management Server (CMS) then releases any schedule requests that are dependent on the event. For instance, suppose that you want your daily reports to run after your database analysis program has finished and written its automatic log file. To do this, you specify the log file in your file-based event, and then schedule your daily reports with this event as a dependency. When the log file appears, the event is triggered and the reports are processed.Note: If the file already exists prior to the creation of the event, the event is not triggered. In this case, the event is triggered only when the file is removed and then recreated. If you want an event to be triggered multiple times, you must remove and recreate the file each time.

To create a file-based event1. Go to the Events management area of the CMC.2. Click New Event.

The New Event page appears.


Managing EventsSchedule-based events20

3. In the Type list, select File.4. Type a name for the event in the Event Name field.5. Complete the Description field.6. In the Server list, select the Event Server that will monitor the specified

file.7. Type a filename in the Filename field.

Note: Type the absolute path to the file that the Event Server should look for (for example, C:\folder\filename, or /home/folder/filename). The drive and directory that you specify must be visible to the Event Server. Ideally, the directory should be on a local drive.

8. Click OK.

Schedule-based eventsSchedule-based events are dependent upon scheduled objects. That is, a schedule-based event is triggered when a particular object has been processed. When you create this type of event, it can be based on the success or failure of a scheduled object, or it can be based simply on the completion of the job.Most importantly, you must associate your schedule-based event with at least two scheduled objects. The first object serves as the trigger for the event: when the object is processed, the event occurs. The second object is


Managing EventsSchedule-based events 20

dependent upon the event: when the event occurs, this second object runs. For more information on scheduling objects with events, see “Scheduling an object with events” on page 457.For instance, suppose that you want report objects R1 and R2 to run after program object P1 runs. To do this, you create a schedule-based event in the Events management area. You specify the “Success” option for the event, which means that the event is triggered only when program P1 runs successfully. Then, you schedule reports R1 and R2 with events, and select your new schedule-based event as the dependency. Schedule program P1 with events, and set program P1 to trigger the schedule-based event upon successful completion. Now, when program P1 runs successfully, the schedule-based event is triggered, and reports R1 and R2 are subsequently processed.

To create a schedule-based event1. Go to the Events management area of the CMC.2. Click New Event.

The New Event page appears.

3. In the Type list, select Schedule.4. Type a name for the event in the Event Name field.5. Complete the Description field.


Managing EventsCustom events20

6. In the “Event based on” area, select from three options:• Success

The event is triggered only upon successful completion of a specified object.

• FailureThe event is triggered only upon non-successful completion of a specified object.

• Success or FailureThe event is triggered upon completion of a specified object, regardless of whether that object was processed successfully or not.

7. Click OK.

Custom eventsA custom event occurs only when you explicitly click its “Trigger this event” button. As with all other events, an object based on a custom event runs only when the event is triggered within the time frame established by the object’s schedule parameters. Custom events are useful because they allow you to set up a shortcut that, when clicked, triggers any dependent schedule requests.Tip: When developing your own web applications, you can trigger Custom events from within your own code, as required. For more information, see the developer documentation available on your product CD.For instance, you may have a scenario where you want to schedule a number of reports, but you want to run them after you have updated information in your database. To do this, create a new custom event, and schedule the reports with that event. When you update the data in the database and you need to run the reports, return to the event in the CMC and trigger it manually. BusinessObjects Enterprise then runs the reports. For more information on event-based scheduling, see “Scheduling an object with events” on page 457.Note: You can trigger a custom event multiple times. For example, you might schedule two sets of event-based program objects to run daily—one set runs in the morning, and one set runs in the afternoon. When you first trigger the related custom event in the morning, one set of programs is run; when you trigger the event again in the afternoon, the remaining set of programs is run. If you neglect to trigger the event in the morning and trigger it only in the afternoon, both sets of programs run at that time.


Managing EventsSpecifying event rights 20

To create a custom event1. Go to the Events management area of the CMC.2. Click New Event.3. In the Type list, select Custom.4. Type a name for the event in the Event Name field.5. Complete the Description field.6. Click OK.

Note: Before you trigger this custom event, schedule an object that is dependent upon this event.

To trigger a custom event1. Go to the Events management area of the CMC.2. In the Event Name column, select a custom event by clicking its link.3. Click Trigger this event.

A message appears: “This event has been triggered.”

Specifying event rightsYou can grant or deny users and groups access to events. Depending how you organize your events, you may have specific events that you want to be available only for certain employees or departments. For example, you may want certain events to be triggered only by management or IT. Users will only be able to see events they have the rights to see, so you can use rights to hide events that aren’t applicable to a particular group. For example, by granting only the ITadmin group access to IT-related events, those events won’t appear for a user from the HRadmin group; this makes the event list easier for the HRadmin group to navigate. Follow this procedure to change the rights for an event. By default, events are based on current security settings, inheriting rights from the users’ parent folders.

To grant access to an event1. Go to the Events management area of the CMC.2. Select the event you want to grant access to.3. Click the Rights tab.


Managing EventsSpecifying event rights20

4. Click Add/Remove to add users or groups that you want to give access to the event.The Add/Remove page appears.


6. Select the user or group you want to grant access to the specified event.7. If you have many users on your system, select the Add Users operation;

then use the “Look for” field to search for a particular account.8. Click OK.9. On the Rights tab, change the Access Level for each user or group, as



11. Click Update.


General Troubleshooting

chapter

General TroubleshootingTroubleshooting overview21
Troubleshooting overview
BusinessObjects Enterprise is designed to integrate with a multitude of different operating systems, web servers, network and firewall configurations, database servers, and reporting environments. Thus, any troubleshooting that you may need to undertake will likely reflect the particularities of your deployment environment. This chapter includes general troubleshooting steps along with solutions to some specific configuration issues.In general, consider the following key points when troubleshooting:• Ensure that client and server machines are running supported operating

systems, database servers, database clients, and appropriate server software. For details, consult the Platforms.txt file, included with your product distribution.

• Verify that the problem is reproducible, and take note of the exact steps that cause the problem to recur.On Windows, use the sample reports and sample data included with the product to confirm whether or not the same problem exists.

• Determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another.If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration.

• If the problem relates to connectivity or functionality over the Web, check that BusinessObjects Enterprise is integrated properly with your web environment. For details, see BusinessObjects Enterprise Installation Guide and “Web accessibility issues” on page 503.

• If the problem relates to report viewing or report processing, verify your database connectivity and functionality from each of the affected machines. Use Crystal Reports to verify that the report can be viewed properly. If the Job or Page Servers are running on Windows, open the report in Crystal Reports on the server machine and check that you can refresh the report against the database. For details, see “Report viewing and processing issues” on page 505.

• Look for solutions in the documentation included with your product. For details, see “Documentation resources” on page 503.


General TroubleshootingDocumentation resources 21

• Check out the Business Objects Customer Support technical support web site for white papers, files and updates, user forums, and Knowledge Base articles:http://support.businessobjects.com/

Documentation resourcesThe BusinessObjects Enterprise Release Notes are provided in the root directory of your product distribution, as is the Platforms.txt file. These documents list supported third-party software along with any known issues or implementation-specific configuration details.BusinessObjects Enterprise also includes a number of manuals.CHM and PDF files are located in the doc directory of your product distribution. Access the HTML versions from the BusinessObjects Enterprise Administrator Launchpad, or from within the CMC or InfoView.Additional Compiled HTML Help (CHM) files are provided with the following client tools:• Central Configuration Manager• Publishing Wizard• Repository Migration Wizard• Import Wizard• Crystal Report Offline ViewerPress F1 or click Help to launch the online help from within these applications.

Web accessibility issues

Using an IIS web site other than the defaultOn Windows, the BusinessObjects Enterprise installation creates virtual directories on the Internet Information Server (IIS) “Default Web Site.” If you are using a web site other than the default, you must copy the virtual directory configuration from the default web site to the web site you are using. BusinessObjects Enterprise also sets up several application mappings on the default site. These can be viewed and copied from the default web site to the web site you are using. Restart the web server once you have made these changes. For more information, see BusinessObjects Enterprise Installation Guide.


http://support.businessobjects.com/

General TroubleshootingWeb accessibility issues21
Unable to connect to CMS when logging on to the CMC
If you attempt to log on to the CMC while the Central Management Server (CMS) is not running, the following error message appears:Unable to connect to CMS (<servername>) to retrieve cluster

members. Logon can not continue.

Use the CCM to start the CMS. (If the CMS was already started, use the CCM to restart it.)

Windows NT authentication cannot log you onWhen you attempt to log on to the Central Management Console (CMC) or to InfoView, the following error occurs:NT Authentication could not log you on. Please make sure your

logon information is correct. If your account is in any domain other than "DOMAIN NAME" you must enter your user name as DomainName\UserName.

This error may occur for various reasons. Investigate these common solutions:• Ensure that the specified authentication type corresponds to the user

name and password provided on the log on page. To log on with a Windows NT user name, verify that the authentication type is set to Windows NT Authentication and not Enterprise.

• Netscape users must provide a valid Windows NT user name in the form of Domain\User.

• Microsoft Internet Explorer users must provide a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS.

• If Windows NT Integrated security (NT Challenge/Response) is enabled in Internet Information Services (IIS) and in the Web Component Adapter (WCA), then users must use Microsoft Internet Explorer. In addition, users must log on to the client machine with a valid NT domain user account before logging on to BusinessObjects Enterprise. Users must log on to BusinessObjects Enterprise with a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS.

• The web server and all BusinessObjects Enterprise components must be running on Windows NT/2000 for Windows NT authentication to work.


General TroubleshootingReport viewing and processing issues 21

Report viewing and processing issuesWhen troubleshooting reports, it is especially useful to determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another.If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration.In particular, check the database client configurations, the drivers and versions, and the accounts under which the processing servers are running. If the reports are based off ODBC data sources, compare the ODBC driver versions, the DSN configurations, and the versions of the MDAC layer. Check to see if the Page Server or Job Server is running under an account that has the appropriate access rights to the report database server. If the report database server is on a remote machine, change the Page Server or Job Server to use a valid domain account with enough rights to view or process the report.If you follow these steps and the problem persists, contact Business Objects technical support. Before you call, take note of the database client and version you are running, the database server version that you are connecting to, and the driver name and version that you are using to connect.

Troubleshooting reports with Crystal ReportsOn Windows, you can install Crystal Reports on all Job Server, Page Server, and RAS machines in order to speed up the troubleshooting of reports and database connectivity. In this way, you use Crystal Reports to simulate the steps that are performed by the BusinessObjects Enterprise processing servers when a scheduled report is processed, or when a report is viewed on demand over the Web. By locating the step where Crystal Reports is unable to open, refresh, or save the report, you may be able to locate the source of the problem.Note: The exact steps and menu options may differ, depending on your version of Crystal Reports.

To troubleshoot a report1. Start Crystal Reports on the appropriate machine:

• If the report runs successfully on demand, but fails when scheduled, start Crystal Reports on the Job Server.

• If the report fails when viewed on demand, but runs successfully when scheduled, start Crystal Reports on the Page Server.


General TroubleshootingReport viewing and processing issues21

• If the report fails when viewed on demand with the Advanced DHTML viewer, start Crystal Reports on the RAS.

• If the report fails in all cases, first complete these troubleshooting steps on one processing server; then verify whether or not the problem is resolved on all processing servers. If not, repeat the steps on a different processing server.

2. Open the report from the CMS.On the File menu, click Open. Click Enterprise Folders and log on to your CMS. If you cannot open the report, verify network connectivity between the server you are working on, the CMS, and the Input File Repository Server.

3. Test your database connection and authentication.On the Database menu, click Log On/Off Server. If you cannot log on to the database server, check the configuration of the database client software and ensure that the report contains a valid database user name and password.

4. If the report’s parameters or record selection need to be modified by BusinessObjects Enterprise users when they schedule or view the report, change the parameter values or record selection formula accordingly. If the values are invalid, Crystal Reports will report an error.

5. Verify that the tables used in the report match the tables in the database.On the File menu, clear the “Save Data with Report” check box. On the Database menu, click Verify Database. Correct any issues reported by Crystal Reports, and then save the report.

6. Refresh the report and, if current data is not returned from the database, check these possible causes:• If the report fails, ensure that the database credentials provide READ

rights to all tables in the report.• If the database credentials are valid, the report’s SQL statement is

evaluated at this time. Check the join information. Note any ODBC errors that are produced.

• If the SQL statement is valid, data begins to return to Crystal Reports. As this happens, the temporary files increase in size. Verify resource allocation in case the machine is running out of memory or disk space.

7. Go to the last page of the report.Crystal Reports will report any errors that it encounters within the report (such as formulas, subreports, and other objects).

8. Export the report to Crystal Reports format (or any other desired format).



This step ensures that Crystal Reports is able to create temporary files that are required in order to complete the processing of a report.

9. If the report now refreshes successfully, save it back to the CMS.10. Close the report.11. Close Crystal Reports.12. Repeat the activity that caused the original report to fail: view the report

on demand over the Web, or schedule the report for processing.

Troubleshooting reports and looping database logon prompts

A common issue when viewing reports over the Web is a persistent database logon prompt that is displayed repeatedly by the user’s browser. Regardless of the credentials provided by the user, the report will not display. This problem is typically caused by the configuration of the Page Server or the Report Application Server (RAS). This section provides a series of troubleshooting steps that should resolve this problem and others that are specific to reports and database connectivity.

To troubleshoot reports and looping database logon prompts1. Verify the report with Crystal Reports.

Use Crystal Reports to verify the report. If you have the Crystal Reports Designer installed on the Page Server, Job Server, or RAS machine, test database connectivity by opening the report in Crystal Reports on the server. For details, see “Troubleshooting reports with Crystal Reports” on page 505.

2. Change the server’s logon account.BusinessObjects Enterprise servers require access to various local and/or remote resources and to the database server. Experience shows that running the Page Server, Job Server, RAS, and Web Component Adapter (WCA) under a Domain Administrator account allows them to access the components necessary to connect successfully to data sources. To change a server’s logon account, see “Configuring Windows processing servers for your data source” on page 123.Tip: Running a background application under an Administrator account does not inadvertently grant administrative privileges to another user, because users cannot impersonate services.

3. Verify the server’s access to ODBC Data Source Names (DSNs).



Base reports off System DSNs (and not File or User DSNs), and set up each System DSN identically on every Job Server, Page Server, and RAS machine that will process the report.If the report is based off an ODBC data source, the processing server must have permission to access the corresponding DSN configuration. This information is stored in the Windows registry. The Job Server, Page Server, and RAS require Full Control or Special Access to the ODBC registry subkey:HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI

Consult your Windows documentation for information about working with the registry. Additional configuration may be required, depending upon the database that you are reporting off of. For details, see “Configuring Windows processing servers for your data source” on page 123.

4. Determine the configuration of the database client software.If you are not using ODBC, the database client software must be installed on each machine that will process reports. On Windows, many database clients store their configuration in the registry below HKEY_LOCAL_MACHINE. If your database client stores its configuration below HKEY_CURRENT_USER, the BusinessObjects Enterprise services cannot use the database client software to communicate with the database.

5. Verify the NTFS permissions granted to the Job Server, Page Server, and RAS.Insufficient NTFS rights on the server may cause a number of problems to arise when you view reports over the Web. As in step 2, changing each server’s logon account to that of a Domain Administrator account should resolve such problems. For the minimum set of NTFS permissions required by BusinessObjects Enterprise, see “Configuring NTFS Permissions” on page 553.

6. Check whether or not NT authentication is performed by the database.If you report against a database that uses NT authentication for access control (Microsoft SQL Server, Sybase, and so on), the Job Server, Page Server, and RAS must run under a Windows NT/2000 domain user account that has access to the appropriate database tables. (In this scenario, each server’s logon account determines the level of access it is granted by the database. BusinessObjects Enterprise does not pass end-users’ NT tokens through to the database server.)To retain the access control levels that are set up within the database, you can instead change each ODBC DSN so that it implements SQL Server Login instead of NT authentication.



7. Check the available environment variables.Environment variables are used by the operating system to govern and manage system files for particular users. On Windows, BusinessObjects Enterprise servers are generally most affected by the TMP and TEMP environment variables. Because the servers are run as services, they cannot access the User Environment variables that are created by default. Therefore, it is recommended that you create System Environment variables if they do not already exist. Consult your Windows documentation for details.

8. Reference remote data sources with UNC paths.Ensure that servers have access to remote databases through UNC paths, instead of through mapped drives. For example, if you design a report off a PC database that resides on a network drive, ensure that the report references its data source with the appropriate UNC path. For details, see “Ensuring that server resources are available on local drives” on page 510.

9. Ensure that you have enough database client licenses.If all database client licenses are in use, the BusinessObjects Enterprise servers are unable to retrieve data from the database.

10. Check that database connections are closed in a timely fashion.If a database connection is not closed quickly, the database may not service another request until the connection has been closed. To decrease the “Minutes Before an Idle Job is Closed” setting, see “Modifying Page Server performance settings” on page 106.

11. Use multi-threaded database drivers.Multi-threaded database drivers allow the processing servers to connect to the database without having to wait for the database to fulfill initial requests. ODBC connections are typically recommended because they provide multithreaded connections to the database. However, Crystal Reports now includes a number of thread-safe native and OLEDB drivers. A list of these thread-safe drivers is available in the Crystal Reports Release Notes.

12. Check for problems with particular data sources.If your report is based on a Lotus Notes database, you may need to perform additional configuration. Download the latest instructions from the Business Objects Customer Support Knowledge Base.



IBM offers several client applications for connecting to DB2. The recommended client is IBM DB2 Direct Connect, whose ODBC drivers were written for actual programmatic interaction with products like BusinessObjects Enterprise. See the Business Objects Customer Support Knowledge Base for discussions of this and other DB2 clients.If you encounter problems with any other specific data sources, check the Knowledge Base for the latest information.

Ensuring that server resources are available on local drivesWhen the BusinessObjects Enterprise servers are running on Windows, many can be configured to use specific directories to store files. For example, you can specify the root directory for each File Repository Server, the temporary directories for the Cache and Page Servers, or the directory from which the Job Servers load processing extensions. In all cases, the directory that you specify must be on a local drive (such as C:\InputFRS or C:\Cache). Do not use Universal Naming Convention (UNC) paths or mapped drives.Although some BusinessObjects Enterprise servers can recognize and use UNC paths, do not configure the servers to access network resources in this manner. Use local drives instead, because UNC paths can limit performance due to limitations in the underlying protocol.Tip: If your report runs against a PC database that resides on a network drive, then the report itself must reference its data source through a UNC path. In this case, the service must run under a domain user account with network permissions. For details, see “Configuring Windows processing servers for your data source” on page 123.Similarly, if you configure a server to use a mapped drive, the server may appear to function correctly. However, servers cannot access mapped resources when the machine is restarted. Drives are mapped according to your user profile when you log on to Windows NT/2000, but, once a drive is mapped, it is available to the entire operating system. So, when you log on and map a local or network drive, the mapped drive is accessible to the LocalSystem account, and hence to the BusinessObjects Enterprise servers running on the local machine. When you log off the local machine, the servers may retain access to the mapped drive for some time (Windows will release the drive mapping if no application maintains a persistent connection to the mapped resource). However, when you restart the local machine, the mapped drive is not restored until you log back on.Note: Changing a server’s log on account from the LocalSystem account to a Windows NT/2000 user account with network privileges will not resolve the problem, because the servers do not actually log on to the network with that


General TroubleshootingInfoView considerations 21

account. Instead, the servers perform “account impersonation.” This provides access to some profile-specific resources (such as printers and email profiles), but not others (such as ODBC User Data Source Names and mapped drives).

Page Server error when viewing a reportWhen you attempt to run or preview a report, the following error message appears:There are no Page Servers connected to the Cache Server or

all the connected Page Servers are disabled. Please try to reconnect later. [On Page Server : <servername>.Cacheserver]

This error indicates that the Page Server is not started and enabled. Use the CCM to start the Page Server and then enable it. (If the Page Server was already started and enabled, use the CCM to restart it.)

InfoView considerations

Supporting users in multiple time zonesAvoid granting Schedule access to the default Guest account if you deploy InfoView for users in different time zones. Instead, ensure that each user who is allowed to schedule reports has a dedicated account on the system, and that each user's InfoView preferences include the appropriate time-zone setting. To view or modify the time-zone setting for any user account, use the Preferences Manager, which is available as a Client Sample on the Crystal Enterprise User Launchpad. Dedicated accounts are recommended because the default Guest account does not allow users to modify account preferences that would affect other users. For more information about using specific time-zone properties in your custom web applications, see the BusinessObjects Enterprise SDK documentation.

Setting default report destinationsBy default, a report's destination that is set in the CMC will be the selected destination when a report is scheduled in InfoView. A user can also select alternate destinations in InfoView by updating the Destination option. Note that the destination set in InfoView applies only to the scheduled instance. Thus, when a user schedules another instance in InfoView, the destination that is set in the CMC will be selected, unless the user changes the Destination option. If the user selects the Default destination setting in


General TroubleshootingInfoView considerations21

InfoView, reports are processed on the Job Server and sent to the File Repository Server. The Default destination setting in InfoView is equivalent to the Default destination setting in the CMC.


Licensing Information

chapter

Licensing InformationLicensing overview22
Licensing overview
BusinessObjects Enterprise is a scalable product that provides you with the ability to add license keys as the demand for report information increases in your organization. You can purchase concurrent, named, and processor licenses. RAS Report Modification licenses are also available.Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, a 100 user concurrent license could support 250, 500, or 700 users depending on the frequency with which the system is accessed and the number and size of the reports.Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You may want to purchase named user licenses for people in your organization who require access to BusinessObjects Enterprise at all times. For example, you could purchase a named user license for each of the 25 managers and a concurrent license for 175 general users.Processor licenses are based on the number of processors that are running BusinessObjects Enterprise. To determine the number of processor licenses you require, count the number of processors on any servers running any component of BusinessObjects Enterprise.BusinessObjects Enterprise Embedded or RAS Report Modification licenses enable the Report Application Server’s Software Development Kit (SDK) for report-creation, thereby providing you with tools for building your own web-based reporting and query tools. In addition, these licenses add standard report-creation and report-modification wizards to InfoView, so users can create and modify reports over the Web in an ad hoc fashion.Note: If you are upgrading from a trial version of the product, be sure to delete the Evaluation key prior to adding any new license keys or product activation keycodes.For more information about licenses, sessions, and session handling see “BusinessObjects Enterprise Security Concepts” on page 213.


Licensing InformationAccessing license information 22

Accessing license informationThe License Keys tab identifies the number of concurrent, named, and processor licenses associated with each key.1. Go to the License Keys management area of the CMC.

2. Select a license key.The details associated with the key appear in the Licensing Information area. To purchase additional license keys:• Contact your Business Objects sales representative.• Contact your regional office. For details, go to:

http://www.businessobjects.com/company/contact_us/


http://www.businessobjects.com/company/contact_us/

Licensing InformationAdding a license key22
Adding a license key
Note: If you are upgrading from a trial version of the product, be sure to delete the Evaluation key prior to adding any new license keys or product activation keycodes.1. Go to the License Keys management area of the CMC.2. Type the key in the Add Key field.

Note: Key codes are case-sensitive.3. Click Add.

The key is added to the list.

Viewing current account activity1. Go to the Settings management area of the CMC.2. Click the Metrics tab.

This tab displays current license usage, along with additional job metrics.


Licensing InformationViewing current account activity 22

Feature Express Professional

Crystal Repository refresh X XInsert subreport X XUnicode support X XSetting locale of the Report Engine X XNew viewer architecture X XSmart Tags X XExporting page ranges X XNew Excel export options X XOLAP integration X XExport drill down views X XEmbed URL link to report in email XSet database location X XCustom printer settings X XJava SDK X.NET SDK XRAS support for processing extensions

X

Distributed servers XAbility to define users/personalization

X

Concurrent users XThird-party authentication support X XEvents XObject distribution (Destinations) XBusinessObjects Enterprise Mobile Desktop

X X

Server group re-direction X X


Licensing InformationViewing current account activity22


BusinessObjects Enterprise Administrator’s Guide

From BusinessObjects 6.x to BusinessObjects XI

appendix

From BusinessObjects 6.x to BusinessObjects XIProduct offeringA
Product offering
Here is a list of the applications in each version’s offering. Although the applications in each row belong to the same area of functionality, those in the BusinessObjects 6.x column and those in the BusinessObjects XI column are not necessarily equivalent:

In BusinessObjects 6.x In BusinessObjects XI• Designer • Designer

• Business View Manager

• Supervisor• Supervisor over the Web

• Central Management Console

Several applications allow you to add objects to the repository.

• Publishing WizardSeveral other applications allow you to add objects to the repository as well.

• Administration Console • Central Configuration Manager• Central Management Console

• Auditor Auditing is incorporated in the Central Management Console.

• InfoView • InfoView

• BusinessObjects

• BusinessQuery

• WebIntelligence • Web Intelligence

• • Crystal Reports

• WebIntelligence for OLAP Data Sources

• OLAP Intelligence

• OLAP Intelligence Designer

• Broadcast Agent • Central Management Console (CMC)

• Developer Suite • Developer Suite

The Application Foundation suite and Data Integrator are available to complement the BusinessObjects 6.x suite, but are not part of it.

• Performance Management (formerly Application Foundation)

• Data Integrator

• Import Wizard


From BusinessObjects 6.x to BusinessObjects XIArchitecture A

ArchitectureThe overall architecture of the two systems is organized in a similar manner.

BusinessObjects 6.xBusinessObjects 6.x is organized five logical layers:• The client tier contains products or features that run on the end-user’s

computer (either as a standalone application or in the web browser).• The presentation layer contains the web and application servers, as well

as the Business Objects components hosted on them (server SDKs, portal pages, servlets, Dispatcher, and HSAL).

• The application services layer provides the essential framework and services to the processing layer, such as WISessionManager, WILoginServer, and WIStorageManager.

• The processing layer contains report engines, as well as the additional components that implement business logic (portal workflows, repository access, scheduling, etc.).

• The database tier is made up of the databases containing the data used in documents and reports.


From BusinessObjects 6.x to BusinessObjects XIArchitectureA
BusinessObjects XI
BusinessObjects XI is organized into five tiers:• The client tier contains client applications.• The application tier includes the web and application servers, as well as

the Business Objects components hosted on them.• The intelligence tier manages the BusinessObjects XI system,

maintaining security information, routing requests to the appropriate processing layer services, managing audit information, and storing report instances for rapid report viewing. There are no strict equivalents for these servers in the BusinessObjects 6.x system.

• The processing tier accesses the data and generates reports. This layer contains fewer “servers,” or processes, than the BusinessObjects 6.x processing layer. Transactional workflows are therefore simplified, with each server processing requests for a specific type of object. In a BusinessObjects 6.x context, this corresponds a dedicated role such as WIReportServer, which processes WebIntelligence 6.x reports only, rather than a provider of shared services such as WIQT, which plays a shared role in several types of processing workflows.

• The data tier is made up of the databases containing the data used in reports.


From BusinessObjects 6.x to BusinessObjects XIBasic terminology A

Basic terminologyHere are some of the main differences in terminology between the two releases:

In BusinessObjects 6.x In BusinessObjects XI

RepositoryThe BusinessObjects 6.x suite uses a repository — a database that is stored in a relational database management system. The repository is used to secure access to your data warehouse and to provide an infrastructure for distributing information to be shared by users.

The repository exists here as well, as one of the databases maintained by the Central Management Server (CMS). The CMS is the central service/daemon in the BusinessObjects Enterprise XI system (see its entry further along in this table).

The repository database actually contains the data associated with the security, universe and document domains. Making sure the repository database has enough space is therefore critical.

Although the repository database stores specific information about the objects published to it, including users, servers, security, groups, folders, categories and parameters, it does not actually store physical copies of the objects; it also contains pointers to the physical objects, such as Web Intelligence WID files, Crystal Reports RPT files, universe UNV files and third-party documents, stored in storage associated with the File Repository Servers.

Repository domainsThe repository must have a security domain. It can also contain universe and document domains.

When universe and document domains are imported from a BusinessObjects 6.x deployment, they are made into folders in the CMS database. Although the security domain itself is not imported, you can import its contents (user rights, etc.). See “Migration” on page 526.


From BusinessObjects 6.x to BusinessObjects XIBasic terminologyA

Business Objects serversAt a minimum, the Business Objects server back end must be installed on the cluster’s primary node and all secondary nodes. This installs all the processing layer modules on the server machines.

Central Management Servers (CMS)The CMS is a single service which provides framework services, security management, administers scheduling tasks, and also is responsible for maintaining the database (CMS database) containing system information, such as users/groups, security levels, and services. In addition it maintains the repository and audit databases. The CMS serves as the central nervous system of the BusinessObjects Enterprise intelligence layer. Disabling the CMS is roughly equivalent to disabling the Session Stack (starting with version 6.1, the set of core processing modules enabled or disabled as a group).

ModulesProcesses used in Business Objects transactions which can be configured through the Administration Console are called modules.

ServersProcesses in the BusinessObjects Enterprise XI system are called servers. They run as services under Windows, and as daemons under UNIX.The CMC’s ability to enable/disable and even group servers, for example, concerns processes, not actual Business Objects servers, or server machines.

A few examples of modules are:• Broadcast Agent Manager (which

manages Schedulers)• WIStorageManager• WIReportServer

A few examples of servers are:• Job Server

• the File Repository Servers• Web Intelligence Report Server



From BusinessObjects 6.x to BusinessObjects XIBasic terminology A

ClustersA cluster is one or more Business Objects servers which provide the functional processing for a given BI portal. Each server hosts the entire set of Business Objects modules; the Session Stack must be activated in order for the server to contribute to cluster processing.

CMS clustersA Central Management Server cluster (CMS cluster) consists of two or more CMSs working together to maintain the system databases and repository. The CMSs can be on the same machine or on different ones.This means that at a minimum only the CMS component must be installed and activated on the machine. Other processes (servers) can be installed and run on other machines.

When a cluster contains more than one server machine, it is called a distributed deployment.

A CMS cluster is called an expanded deployment.

Clusters can contain the following elements:• The primary node serves as the

central coordinator amongst all the nodes in the cluster. There is one and only one primary node in a cluster; if the cluster contains only one node, it is a primary node.

• Optional secondary nodes run the ORB components required to communicate with the primary node and start Business Objects processes on the secondary node(s), as well as optional services.

Both primary and secondary nodes are considered cluster nodes.

The distinction between primary and secondary nodes does not apply.When you add a new CMS to a deployment containing a previously- installed CMS, you instruct the new CMS to connect to the existing CMS database and to share the processing workload with any existing CMS machines. By default, the new cluster is given the name of the first installed CMS, prefaced by “@”.

WebIntelligence Web IntelligenceApplication servers Web application serversBroadcast Agent Scheduling functions are handled by the CMS,

which instructs the Job Server to process the job on a schedule managed by the CMS.

WIReportServer Web Intelligence Report ServerCorporate documents page Public folderFile Watcher allows the processing of a scheduled task only when a specified file is present in a specified location.

The Event Server manages file-based events. Schedule-based and custom events, on the other hand, are managed by the CMS.



From BusinessObjects 6.x to BusinessObjects XIMigrationA
Migration
To import repository objects such as domains, universes, universe restriction sets, users and groups, categories, documents, and reports from BusinessObjects 6.x, you use the Import Wizard. This Wizard and how to use it is described in the BusinessObjects Enterprise XI Installation Guide.Here is a summary of what the Import Wizard does and doesn’t import:

Migration and mapping of specific objectsHere is some important information about migrating specific objects from BusinessObjects 6.x to BusinessObjects Enterprise XI:

The Import Wizard imports: The Import Wizard doesn’t import:• Users and groups• WebIntelligence reports• Universes• Connections• Categories• Security

• BusinessObjects documentsTo migrate .rep documents to .wid format, you can use the Report Migration Utility, delivered with the BusinessObjects 6.5 suite. Instructions are in the Report Migration Utility guide.• WebIntelligence OLAP• Custom applications and

interfaces created using the SDK• Broadcast Agent Scheduler or

Publisher tasks• BusinessObjects Auditor• Timestamps

Object Specific migration information

User properties• Identification Strategy• Logon• Enable Real Time User

Rights Update

These properties are not mapped.

• Enable Password Modification flag

This maps to the User cannot change password property, which when True, means what it says.

Password Validity settings This property must be reset manually by the administrator at the global level.


From BusinessObjects 6.x to BusinessObjects XIMigration A

Object Security level Expressed as limit rights set on the universe folder; object levels in BusinessObjects 6.x map to appropriately-named user groups.

User profiles Most BusinessObjects 6.x user profiles map to default groups in the new system. For example, General Supervisors become members of the Administrators groups. Supervisors, on the other hand, are not mapped to the Administrators group, but instead simply granted the appropriate rights on all imported objects. Users with the User/Versatile profile are added to an Object Level Security group based on their Object Security levels.

Groups The Company group maps to the Everyone group. External groups The Import Wizard maps static LDAP groups. Dynamic groups

are mapped with Enterprise authentication. After migration, Administrators need to create dynamic groups.

Inbox documents Inbox documents are imported to the Inbox folder. If Inbox already includes duplicate documents, they are also migrated to the File Repository Servers, which manage all document instances that have been scheduled or published to the repository.

Personal documents Personal documents are imported to the user’s Favorites folder, where only the BusinessObjects administrator and their owners have access to them. Any personal or corporate categories that referred to these documents in BusinessObjects 6.x continue to refer to them in BusinessObjects Enterprise XI.

Categories Both personal and corporate categories are imported. When you import corporate categories, you can select individual categories and subcategories to import into BusinessObjects Enterprise XI.

Domains Document and universe domains become folders with the same name. User and group access to these folders is equivalent to the rights they had on the BusinessObjects 6.x domains.Documents and universes cannot be imported unless their domain is imported as well.



From BusinessObjects 6.x to BusinessObjects XIMigrationA

Migration of user rightsKey security features provided by BusinessObjects 6.x (as applied to the integrated components) are available in BusinessObjects XI. Along with the ability to specify rights at the object level, BusinessObjects XI provides the ability to specify global rights for Web Intelligence, Dashboard Manager, and Performance Manager applications.

Universes Users can choose between importing all universes and connections, or only those associated with the WebIntelligence reports being imported.WebIntelligence documents that used a BusinessObjects 6.x universe use the same universe in BusinessObjects Enterprise XI. BusinessObjects 6.x universe IDs are updated to BusinessObjects Enterprise XI IDs and CUIDs:• For universes: Universe ID, connection ID, and core

universe ID• For Web Intelligence reports: universe ID

Scope management Scope management is a Supervisor option which allows you to control the extent of the access that all supervisors are granted to users and user groups.General supervisors can limit other supervisors’ access by setting their scope management setting to Standard, Secured or Extended mode, each of which defines a different level of access to user/group information and management.Although this feature is mapped to the Delegated Administration feature in Business Objects Enterprise XI, the two features are not strictly equivalent; in particular, Delegated Administration does not support “modes”. Import attempts to set rights in the destination deployment that are at least as restrictive as the effective rights in the source deployment. This is true for all restrictions that limit modification and administration of objects. A delegated administrator may nonetheless be able to view imported objects (such as connections) that were previously hidden in the source deployment. It is recommended to verify effective rights on imported objects for “delegated administrators” after import and to set appropriate rights for access to objects that only exist in BusinessObjects Enterprise XI and not in BusinessObjects 6.x (e.g. calendars, events, etc.). By default, imported “delegated administrators” will inherit the rights specified for the Everyone group for access to such objects.



From BusinessObjects 6.x to BusinessObjects XIMigration A

The following identifies the migration path for integrated rights:

Different default and aggregate rulesThe fundamental default and aggregate rules governing rights change radically in BusinessObjects Enterprise XI, to maintain greater system security:

Right Type in BusinessObjects 6.x Migrated to BusinessObjects Enterprise XI as...

Product Access (PA) right Right to view application objectSecurity Command right Right to application object, domain

folder, or content objectDomain Access right Right to view domain folderDocument/Universe Access right Right to view content object

Right Type (6.x)

Default Value in Version 6.x

Default Value in Version XI

Aggregation Rules in Version 6.x

Aggregation Rules in Version XI

Product Access (PA) Right

Granted (The Designer and Supervisor PA right is set to Denied on the root folder at install time.)

Denied If granted (or unspecified) anywhere: granted

If unspecified or denied anywhere, then denied

Security Command Right

Enabled Denied • If hidden anywhere, then hidden

• If disabled anywhere, then disabled

• Otherwise, enabled

• Hidden in 6.x = denied in XI

• If unspecified or denied anywhere, then denied

Domain Access Right

Granted Denied If granted (or unspecified) anywhere: granted


Document/Universe Access Right

Denied Denied If granted anywhere: granted



From BusinessObjects 6.x to BusinessObjects XIInstallation, configuration, and deploymentA
Installation, configuration, and deployment
Here is an overview of key differences in installation, configuration, and deployment:


Server operating systemsBusinessObjects 6.5 supports heterogeneous clusters, in which Business Objects servers are hosted on Windows and UNIX machines.

The CMS “servers” in a BusinessObjects Enterprise XI cluster must all be running on machines running the same operating system and version. The other “servers” in the intelligence layer, however, such as the Job Server, can be hosted on machines running completely different (but supported) operating systems.

Initial installation options• Desktop• Server• Custom

• Client• ServerThe Server option provides three installation options:• New• Expand• Custom

Distributed deploymentsTo distribute processing, you add additional cluster nodes to a cluster. To add a cluster node, you must install Business Objects server on the node machine.This installs the entire set of processes required for system processing on each machine. At a minimum, the Session Stack must be activated on each cluster node to share the transaction load.

You can distribute a single deployment’s transactional capabilities on the same machine by creating multiple instances of a “server”, or you can install on additional machines to distribute the load. This capability offers you the ability to scale your system vertically (more services on the same machine) or horizontally (more machines).The CMS does not need to run on each machine.


From BusinessObjects 6.x to BusinessObjects XIInstallation, configuration, and deployment A

Installation and the repositoryRepository creation is completely independent of the installation of Business Objects software.

Setting up the CMS database, which includes the repository, is an integral part of BusinessObjects Enterprise installation.In a New server installation, if you install a Central Management Server in a Windows environment, and you do not choose to connect the CMS to an existing database, the installation procedure automatically installs and configures Microsoft Data Engine (MSDE) as the CMS database. In similar circumstances in UNIX environments, MySQL is installed.After installation, you can select or create a new CMS database at any time using the Central Configuration Manager (CCM).

Command-line installation Silent installationApplication serversApplication servers communicate with the Business Objects cluster through the ORB. If the application server is hosted on a machine which is neither a primary nor secondary node, you must configure the ORB on it in order to allow it to communicate with the cluster.You configure the ORB on the application server machine either by installing the Configuration Tool on that machine, then using it to configure the server as a client node of the cluster, or by configuring the ORB manually.

You must install a Web Component Adapter (WCA) on any machine hosting an application server. The WCA allows your application server to run BusinessObjects Enterprise applications making Crystal Web Requests, and to host the Central Management Console. Not all applications require the WCA. For example, InfoView doesn’t need it unless users will be viewing OLAP Intelligence documents.Installing BusinessObjects Enterprise XI on the same machine as the application server is called a server-side installation. When you perform this installation, the client and server components are installed, the default user and group accounts are created, and the sample reports are published to the system. When the installation is complete, the servers are started as services on the local machine.

For information on deploying web applications on application servers, see “Deploying web applications” on page 533 in this table.

For information on deploying web applications on application servers, see “Deploying web applications” on page 533 in this table.



From BusinessObjects 6.x to BusinessObjects XIInstallation, configuration, and deploymentA

Web serversTo configure the web server to work with a cluster, you must install a third-party connector to the cluster’s application server.

If you connect BusinessObjects Enterprise to a web server, the web server must be able to communicate with the machine that runs your Web Component Adapter (WCA).

For information on deploying web applications on web servers, see “Deploying web applications” on page 533 in this table.

For information on deploying web applications on web servers, see “Deploying web applications” on page 533 in this table.

License key managementBefore installation, you copy your license key to a directory to which all nodes or application client machines have access. During installation, you specify where these XML files are located.

License keys are stored in the CMS database. You can view your deployment’s current license keys, as well as add or delete them, using the CMC.

OLAPYou install Web Intelligence for OLAP Data Sources using the standard installation process.

OLAP Intelligence is installed separately.

Configuring clusters and the ORBYou create clusters and configure their ORB on their nodes using the Configuration Tool.You configure the cluster’s primary node and then its secondary nodes.

When you install the first Central Management Server (typically a New install), you can define it as a cluster. This creates a cluster of one and sets the cluster up for subsequent Expand installs, which add additional CMSs to the cluster. The subsequent machines on which you install the CMS become part of a CMS cluster named <@Name of First CMS>.At the installation of each additional CMS, you specify the name of the first CMS you installed. This makes it part of the cluster.



From BusinessObjects 6.x to BusinessObjects XIInstallation, configuration, and deployment A

Available web applications• Administration Console• InfoView• Auditor• Supervisor over the Web• Custom web applications developed

using the SDKAlthough not part of the BusinessObjects 6.x suite, Application Foundation applications can also be deployed.

• Central Management Console• InfoView• Performance Manager applications (formerly

Application Foundation), J2EE only• Custom web applications developed using the

SDK

Deploying web applicationsYou can deploy web applications in three ways:• If you’re using IIS or Tomcat/Apache,

the Configuration Tool can deploy the applications automatically on web and application servers.

• You can use the wdeploy tool, a command-line utility that you can run on all other supported application and/or web servers.

• You can manually deploy the application on all other supported web and/or application servers.

If you choose a New installation and are using IIS or Apache/Tomcat, the Business Objects web applications are deployed automatically on the web and/or application server, unless you are deploying to an existing Java application server.Otherwise, you must deploy web applications manually.

Repository creationYou create the repository after installation and configuration, using the Supervisor application.After repository creation, you must copy the bomain.key file corresponding to the repository on each node in the cluster.

If you do not have a supported database client on the machine, installation can install and configure MSDE (Windows) or mySQL (UNIX) for use as the CMS database. To use your own database server, you must create a new, empty database on your database server prior to running the installation. This database will be configured during the install. Whenever you add a new CMS to a cluster in an Expand installation, you define the connection to the initial CMS’s database. This allows the server to connect to it.



From BusinessObjects 6.x to BusinessObjects XISecurityA

SecurityBusinessObjects 6.x applications use a very different security model than that provided with BusinessObjects Enterprise XI, and as such, administrators of BusinessObjects 6.x systems are encouraged to read with attention the documentation shipped with BusinessObjects Enterprise XI.Through BusinessObjects 6.5.1, authentication is defined for an entire cluster and/or all desktop users. Implementing an authentication method is broken down into selecting an authentication mode, then its source, which can be Repository, External then Repository, or External. You can choose between Microsoft AD or an LDAP user management system for external authentication sources. In BusinessObjects XI, security is much more granular. You implement an authentication method for each user, when you create the user’s account. When users log into the system, they specify their username and password, but may enter their authentication method as well.

Multiple service instancesIn BusinessObjects 6.x, certain modules such as WIQT, BusinessObjects.exe (Windows)/bolight (UNIX), Connection Server, and WIReportServer, are designed to be multi-instance on cluster nodes. You use the Administration Console to set the number of instances in each process pool.BusinessObjects 6.5 also supports multiple Business Objects servers on the same UNIX box.

Multiple instances of the same service can run on the same machine (providing vertical scaling), or on separate machines (for horizontal scaling), in any mixture of supported operating systems. The single exception is the Central Management Server, which must run on the same operating system within a single cluster.

Unicode databasesThe use of Unicode databases, which can store information in different languages and centralize all the information in a company, is supported as a data source for Web Intelligence reports. Unicode databases are not supported for repositories or BusinessObjects documents.

All CMS databases must support the Unicode protocol.



From BusinessObjects 6.x to BusinessObjects XISecurity A


bomain.keyThe bomain.key tells Business Objects applications where to find the repository’s security domain.

There is no bomain.key file. At login, the Central management Server (CMS) verifies the user name and password against the security information stored in the CMS database. Each CMS is configured either at installation or subsequently using the Central Management Console (CMC) to connect to a specific database.

Setting the authentication and authorization methodsUp through version 6.5.1, you set authentication/authorization for the entire cluster using the Security Configuration Tool.

You select the authentication method for each user at the creation of the user’s account, using the CMC.You can even assign multiple aliases, or authentication modes, to a single user, or create new aliases then assign them to exiting users in the system.If you import external users via LDAP, Windows NT or Active Directory, users are automatically created. So if you are not using complex scenarios in which users can log on with both NT and LDAP authentications, you don’t need to create the settings for each user individually.

Configuring authentication and authorizationYou set authentication/authorization for the entire cluster using the Security Configuration Tool.

You configure authentication in the Authentication management area of the CMC.


From BusinessObjects 6.x to BusinessObjects XISecurityA

Available authentication modes• Business Objects standard• Windows-NTLM (similar to

BusinessObjects XI Windows NT authentication)

• Single Sign-On• Basic authentication (user

authentication is delegated to the web server)

• Enterprise authentication (automatically enabled when you install the system, and similar to Business Objects standard in version 6.x)

• Windows NT authentication• LDAP authentication• Windows AD authenticationOther authentication modes are available through add-in products, such as SAP authentication.Single Sign-On is not a mode in itself, but is available for certain authentication modes. See below.

Single-Sign-On (SSO)To enable SSO, you must use Netegrity SiteMinder.

Single Sign-On to BusinessObjects Enterprise can be provided through the use of third-party systems such as Windows AD or Netegrity SiteMinder.End-to-end single sign-on includes SSO to the database at the back end.Note: If you use SiteMinder, you must use LDAP for external user management.

AuthorizationYou can use security commands in Supervisor to restrict user and group access to functionalities in Business Objects products.You cannot restrict access at the object level. For example, if you grant a group the right to refresh, but not create documents, the restriction will apply regardless of the documents being used.

Because of the use of Access Control Lists (ACL), an industry standard method of controlling cascading security access, the imposition of restrictions is much more granular. You can apply user, group, and role level security at the object level, to documents, categories, folders, universes, and connections.This means, for example, that you could allow a group to refresh document A, but not refresh document B.



From BusinessObjects 6.x to BusinessObjects XIAdministration A

AdministrationThe administrative model applied to BusinessObjects Enterprise XI is very different from the BusinessObjects 6.x model.• The Central Management Console (CMC)

The CMC allows you to perform user management tasks such as setting up authentication and adding users and groups. It also allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Additionally, the CMC enables you to manage servers and create server groups, whenever the Central Management Server (CMS) is running.

• The Central Configuration ManagerThe CCM is a server-management tool that allows you to view and configure each of your BusinessObjects Enterprise server components while Business Objects servers are offline. This tool allows you to start, stop, enable, and disable Business Objects servers, as well as view and configure advanced server settings. On Windows, these settings include default port numbers, CMS database and clustering details, SOCKS server connections, and more. In addition, on Windows the CCM allows you to add servers to, or remove servers from your BusinessObjects Enterprise system.The CCM comes in two forms. In a Windows environment, the CCM allows you to manage local and remote servers through its Graphical User Interface (GUI) or from a command line. In a UNIX environment, the CCM shell script (ccm.sh) allows you to manage servers from a command line.At first, the CCM takes into account only the servers running locally. You can then connect to servers on a remote machine.

This section covers administrative tasks concerning the repository, users and groups, universes, server and cluster management, and auditing.


From BusinessObjects 6.x to BusinessObjects XIAdministrationA


Repository creation and managementYou create your cluster’s repository after Business Objects installation and configuration, using the Supervisor application.

If you do not have a supported database client on the machine, installation can install and configure MSDE (Windows) or mySQL (UNIX) for use as the CMS database. To use your own database server, you must create a new, empty database on your database server prior to running the installation. This database will be configured during the install. Whenever you add a new CMS to a cluster in an Expand installation, you define the connection to the initial CMS’s database. This allows the server to connect to it.

User/group creation and managementYou use Supervisor or Supervisor over the Web.

You use the CMC.

An initial General Supervisor account is created when you create the repository.

By default, an initial Administrator and Guest account is created at installation.

A “company name” group is automatically created at repository creation.

Two default groups are automatically created at installation:• Administrators• EveryoneIf you’re using Windows NT/2000, an additional group called Business Objects NT Users is also created.

Using DesignerYou can use Designer in online or offline mode.

You can use Designer in online mode only. This means that unless you are logged into the repository, you cannot work on a universe.


From BusinessObjects 6.x to BusinessObjects XIAdministration A

Cluster start/stopUnder Windows, you can use WINotify or the Start menu; during installation, you can also set the Business Objects server to run automatically as a Windows service.Under UNIX, you start the cluster manually using the wstart command, or use S99WebIntelligence to start it automatically on machine startup.

You use the CCM to stop a Central Management Server (CMS), regardless of the operating system. At installation, you can also configure the server to start automatically at machine startup.Note: You cannot use the Central Management Console (CMC) to stop a CMS.

Cluster server enable/disableYou use the Administration Console. In Windows, you use the Central Configuration

Manager (CCM) to disable a Central Management Server (CMS).In UNIX, you use the cms.sh script.Caution: You can use the CMC to disable/enable and even group servers, but this refers to what BusinessObjects 6.x users refer to as modules, not the actual cluster nodes.

Server settings managementYou use the Administration Console. You use the Central Management Console or the

Central Configuration Manager, depending on the type of setting you want to define, and whether you are online or offline.

Audit managementYou use the Audit facility in the Administration Console.You can also use the Auditor application for enhanced system monitoring and analysis.

You use the CMC. You can also use the CMC to view server metrics, including information about the machine that the server is running on—its name, operating system, total hard disk space, free hard disk space, total RAM, number of CPUs, and local time. The CMC allows you to configure what information you want each server/service to audit.Auditor is not part of this release.

Setting up Broadcast Agent schedulersYou create and manage schedulers using the Broadcast Agent Manager’s Properties page in the Administration Console.

Because the scheduler is incorporated into the CMS, it comes automatically installed with BusinessObjects Enterprise XI and requires little or no additional configuration beyond setting up access to email servers, printers and file servers.



From BusinessObjects 6.x to BusinessObjects XIAdministrationA

Viewing scheduled tasksYou can view the full list of scheduled documents and their status using the Broadcast Agent Console.

You cannot view a global list of scheduled jobs. You can view the status of one scheduled object at a time in the CMC in the object’s History page. This list includes all scheduled jobs for the object, as well as existing instances of the object (i.e. reports that have already been run and contain data).In InfoView, you can also view a list of an object’s instances by looking at the object’s history.A sample application built using the Administration SDK and available from the BusinessObjects Enterprise User’s Launchpad also allows you to see all the jobs scheduled by any specific user.

InfoView appearance and functionality managementYou can use Supervisor security commands to prevent users from modifying the default settings in the InfoView Options page.

You can modify the appearance and some functionality using the BusinessObjects Enterprise Applications management area in the CMC.

Setting locale You set the cluster’s language at installation; you can subsequently use the Site Properties tab in the Administration Console to modify it. Users can set the language of their interface in InfoView.

You don’t specifically set the CMS locale. Users set the locale for their own interface in InfoView; if they don’t, InfoView uses the locale specified on the web server.



From BusinessObjects 6.x to BusinessObjects XIReporting, analysis, information sharing A

Reporting, analysis, information sharingThis section includes information on available reporting tools, as well as end-user tasks such as accessing, distributing and scheduling corporate data:


Reporting tools• BusinessObjects• WebIntelligence• WebIntelligence for OLAP Data

Sources

• Crystal Reports• Web Intelligence• OLAP Intelligence

What reporting tools use universes?• BusinessObjects• WebIntelligence

• Crystal Reports• Web IntelligenceCrystal Reports can also connect directly to databases using a variety of methods including ODBC and native drivers, as well as XML and text files. It can also use Business Views (the semantic layer from Crystal Enterprise) as a data source.

InfoViewInfoView is a web application that must be deployed after Business Objects installation using the Configuration Tool, wdeploy, or manual procedures.It is available in JSP and ASP platforms.

The out-of-the-box portal in BusinessObjects Enterprise XI is also called InfoView. Available for both Java and .NET platforms, its interface is somewhat different from the BusinessObjects 6.x application.


From BusinessObjects 6.x to BusinessObjects XIReporting, analysis, information sharingA

CategoriesWithin InfoView, you can use categories to organize documents on a particular document list page.

BusinessObjects Enterprise XI uses both categories and folders to organize documents. Folders are used for the storage location of information, while categories are used more for the classifying information regardless of its storage location. • BusinessObjects Enterprise XI automatically

creates a folder for each user in the system, called Personal Folders. These folders are organized within the CMC as User folders. Within InfoView, these folders are called Favorites folders. Folders are created and managed from the CMC.

• Categories are equivalent to BusinessObjects 6.x categories.

Folders contain actual copies of objects, while categories simply point to objects.

There are two kinds of categories:• Corporate• Personal

There are two types of categories:• Corporate• Personal

Corporate categories can be created from InfoView, BusinessObjects, or Supervisor. As a general supervisor or supervisor, you can grant specific users or groups the right to create categories, and to rename and delete the categories they create, from BusinessObjects or WebIntelligence. You do this by enabling the security command Manage All Categories or Manage My Categories.

Corporate categories can be created either in InfoView (with reduced management capabilities) or from the CMC (full management capabilities).

You can use security commands to restrict access to corporate categories.

In the CMC you can restrict users’ and/or groups’ access to categories and folders. You can set limits on folders, which automate regular clean-ups of old Business Objects content by eliminating excess instances of particular objects, or object instances which have remained more than the specified number of days in the folder.



From BusinessObjects 6.x to BusinessObjects XIReporting, analysis, information sharing A

SchedulingYou schedule for refresh documents and files either from 2-tier deployments of BusinessObjects, or from InfoView.

You schedule for refresh objects from the CMC or from InfoView.



From BusinessObjects 6.x to BusinessObjects XIReporting, analysis, information sharingA

You can schedule:• BusinessObjects documents• WebIntelligence reports• WebIntelligence OLAP reports

You can schedule:• Crystal reports• Web Intelligence reportsYou can also schedule program objects, such as executables, Java programs, or scripts (Jscripts and VBscripts) to run at specified times.

Publishing to the repositoryYou add objects to the repository by:• Exporting universes from Designer

or Supervisor• Adding users and groups and

managing security settings from Supervisor and/or Supervisor over the Web

• Saving documents to the repository from InfoView

• Publishing documents from 2- and 3-tier deployments of BusinessObjects

You can publish objects to BusinessObjects Enterprise in several ways.Use the Publishing Wizard when you:• Have access to the locally installed application.• Are adding multiple objects or an entire directory.

The Publishing Wizard is a locally installed Windows application that enables both administrators and end users to add any supported document to BusinessObjects Enterprise.

Use the Central Management Console (CMC) when you are:• Publishing a single object.• Taking care of other administrative tasks.• Performing tasks remotely.Save directly to your Enterprise folders when you are:• Designing reports with Crystal Reports or Web

Intelligence.• Using the OLAP Intelligence Application

Designer.• Creating other objects with BusinessObjects

Enterprise plug-in components.Upload documents stored on your local computer when you’re using InfoView.Use Designer to export universes to the repository.Use the Import Wizard to migrate objects to a BusinessObjects Enterprise XI repository from BusinessObjects 6.x or Crystal Enterprise 10.



From BusinessObjects 6.x to BusinessObjects XISDK A

SDK


Development platforms• Java• WebServices

• Java• WebServices• .NET• .COM


From BusinessObjects 6.x to BusinessObjects XISDKA


Rights and Access Levels

appendix

Rights and Access LevelsRightsB
Rights
This table lists the rights available within the Advanced Rights page of the Central Management Console (CMC). Other BusinessObjects Enterprise plug-in components may in future add their own, object-specific rights to this list. The table matches the descriptions used in the CMC with the programmatic name that developers use when assigning rights with the BusinessObjects Enterprise SDK.

Description used in the CMC Name used in the SDK

Respect current security by inheriting rights from parent groups

AdvancedInheritGroups

Respect current security by inheriting rights from parent folders

AdvancedInheritFolders

Add objects to the folder ceRightAddView objects ceRightViewEdit objects ceRightEditModify the rights users have to objects ceRightModifyRightsSchedule the document to run ceRightScheduleDelete objects ceRightDeleteDefine server groups to process jobs ceRightPickMachinesDelete instances ceRightDeleteInstanceCopy objects to another folder ceRightCopySchedule to destinations ceRightSetDestinationView document instances ceRightViewInstancePause and Resume document instances

ceRightPauseResumeSchedule

Print the report’s data ceReportRightPrintReportRefresh the report’s data ceReportRightRefreshOnDemand

ReportExport the report’s data ceReportRightPageServerExportView objects that the user owns ceRightOwnerViewEdit objects that the user owns ceRightOwnerEditModify the rights users have to objects that the user owns

ceRightOwnerModifyRights


Rights and Access LevelsAccess levels B

Access levelsThis section lists the rights that constitute each of the predefined access levels that are available through the Advanced Rights page of the Central Management Console (CMC).Note: There is no predefined access level to grant users the rights required to create or modify reports through the Report Application Server (RAS). For details, see “Object rights for the Report Application Server” on page 552.

No AccessThis access level ensures that all rights remain unspecified. That is, rights are neither explicitly granted nor explicitly denied. When rights are unspecified, the system denies the right by default.

View

Schedule

Delete objects that the user owns ceRightOwnerDeleteDelete instances that the user owns ceRightOwnerDeleteInstanceView document instances that the user owns

ceRightOwnerViewInstance

Pause and resume document instances that the user owns

ceRightOwnerPauseResumeSchedule



View objects ceRightViewView document instances ceRightViewInstance


View objects ceRightViewSchedule the document to run ceRightScheduleDefine server groups to process jobs

ceRightPickMachines


Rights and Access LevelsAccess levelsB

View On Demand

Copy objects to another folder ceRightCopySchedule to destinations ceRightSetDestinationView document instances ceRightViewInstancePrint the report’s data ceReportRightPrintReportExport the report’s data ceReportRightPageServerExportEdit objects that the user owns ceRightOwnerEditDelete instances that the user owns ceRightOwnerDeleteInstancePause and resume document instances that the user owns




View objects ceRightViewSchedule the document to run ceRightScheduleDefine server groups to process jobs

ceRightPickMachines

Copy objects to another folder ceRightCopySchedule to destinations ceRightSetDestinationView document instances ceRightViewInstancePrint the report’s data ceReportRightPrintReportRefresh the report’s data ceReportRightRefreshOnDemand

ReportExport the report’s data ceReportRightPageServerExportEdit objects that the user owns ceRightOwnerEditDelete instances that the user owns

ceRightOwnerDeleteInstance

Pause and resume document instances that the user owns



Rights and Access LevelsDefault rights on the top-level folder B

Full Control

Default rights on the top-level folderThe top-level BusinessObjects Enterprise folder serves as the root for all other folders and objects that you add to the system. This folder provides the following rights by default:• The Everyone group is granted the Schedule access level.• The Administrators group is granted the Full Control access level.


Add objects to the folder ceRightAddView objects ceRightViewEdit objects ceRightEditModify the rights users have to objects

ceRightModifyRights

Schedule the document to run ceRightScheduleDelete objects ceRightDeleteDefine server groups to process jobs ceRightPickMachinesDelete instances ceRightDeleteInstanceCopy objects to another folder ceRightCopySchedule to destinations ceRightSetDestinationView document instances ceRightViewInstancePause and Resume document instances

ceRightPauseResumeSchedule

Print the report’s data ceReportRightPrintReportRefresh the report’s data ceReportRightRefreshOnDemand

ReportExport the report’s data ceReportRightPageServerExport


Rights and Access LevelsObject rights for the Report Application ServerB
Object rights for the Report Application Server
To allow users to create or modify reports over the Web through the Report Application Server (RAS), you must have RAS Report Modification licenses available on your system. You must also grant users a minimum set of object rights. When you grant users these rights to a report object, they can select the report as a data source for a new report or modify the report directly:• View objects (or “View document instances”, as appropriate)• Edit objects• Refresh the report’s data• Export the report’s dataUser must also have permission to add objects to at least one folder before they can save new reports back to BusinessObjects Enterprise.To ensure that users retain the ability to perform additional reporting tasks (such as copying, scheduling, printing, and so on), it’s recommended that you first assign the appropriate access level and update your changes. Then, change the access level to Advanced, and add any of the required rights that are not already granted. For instance, if users already have View On Demand rights to a report object, you allow them to modify the report by changing the access level to Advanced and explicitly granting the additional Edit objects right.When users view reports through the Advanced DHTML viewer and the RAS, the View access level is sufficient to display the report, but View On Demand is required to actually use the advanced search features. The extra Edit objects right is not required.Tip: For more information about RAS Report Modification licenses, see “Licensing overview” on page 514.


Configuring NTFS Permissions

appendix

Configuring NTFS PermissionsConfiguring NTFS permissionsC
Configuring NTFS permissions
When you view reports over the Web, insufficient New Technology File System (NTFS) permissions on the server can cause a number of problems. For example, a report may not appear in the viewer, even after you repeatedly enter the correct database logon information.NTFS provides security for file storage in Microsoft Windows. If a BusinessObjects Enterprise component is running on a user account that does not have the required NTFS permissions, users may be unable to access reports over the Web.To troubleshoot NTFS permissions, ensure that each BusinessObjects Enterprise component uses an account with the appropriate permissions. You may need to change the user account or change the NTFS access for particular files and folders.For details on changing server user accounts, see “Changing the server user account” on page 130. For information on changing NTFS permissions, see the Microsoft Windows help.

Configuring NTFS permissions for BusinessObjects Enterprise components

Each component requires a user account with certain NTFS access rights to specific files and folders. Ensure that each component is running on the correct user account, and make sure the user account has the required NTFS permissions.


Configuring NTFS PermissionsConfiguring NTFS permissions C

Web Component Adapter (WCA)By default, the Central Management Server uses the LocalSystem account to access resources and BusinessObjects Enterprise components. Ensure this user account has the appropriate NTFS permissions for specific folders:

Note: • This table shows the default installation paths.• If your BusinessObjects Enterprise deployment includes OLAP

Intelligence, the WCA user account also needs Read permission for the OLAP Intelligence FileStore\Input folder.

File Repository Servers (FRS)The Input and Output File Repository Servers (Input and Output FRS) use the local System account by default; these accounts provide sufficient access to files and folders on the local machine. However, if the Input or Output FRS needs access to directories on other machines, set its user account to a domain user account with local administrative access to all computers hosting BusinessObjects Enterprise components. For details on changing the user account, see “Changing the server user account” on page 130.

NTFS permissions Files and folders• Read • C:\Winnt\system32

• Read & Execute • C:\Program Files\BusinessObjects Enterprise\Web Content\enterprise

• C:\Program Files\BusinessObjects Enterprise\WCA\CRImages

• C:\Program Files\BusinessObjects Enterprise\WCA

• C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86

• Write • C:\Program Files\BusinessObjects Enterprise\WCA\Logging



Ensure that the user account for the Input FRS has the appropriate NTFS permissions for the following folders:

For the Output FRS, make sure the user account has access to the following folders:

Note: • The Input and Output File Repository Servers cannot share the same

directories.• If the Input folder or the Output folder does not exist, the respective FRS

creates it when the service starts.

Central Management Server (CMS)The CMS uses the local System account by default. This account does not need access to other machines. Ensure that the System account has the appropriate NTFS permissions for specific files and folders:


• Read & Execute • C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Input

• Write • C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Input


• Read & Execute • C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Output

• Write • C:\Program Files\Business Objects\BusinessObjects Enterprise 11\FileStore\Output

NTFS rights Folders• Read & Execute • C:\Winnt\system32\drivers\etc\hosts

• Write • C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86\CITemp


Configuring NTFS PermissionsConfiguring NTFS permissions C

Cache ServerThe Cache Server uses the local System account by default. If the Cache Server needs to access BusinessObjects Enterprise components on other machines, you must set its user account to a domain user account that has local administrative access to all computers hosting components. For details on changing the user account, see “Changing the server user account” on page 130.Ensure that the Cache Server’s user account has the correct NTFS permissions for the following folders:

Job ServerThe Job Server uses the local System account by default. The Job Server must use a different user account if it needs to access BusinessObjects Enterprise components on other machines. If the CMS, the Input FRS, or the Output FRS is not located on the same machine as the Job Server, set the Job Server’s user account to a domain user account that has local administrative access to all computers hosting these components. For details on changing the user account, see “Changing the server user account” on page 130.Ensure that the Job Server’s user account has the correct NTFS permissions for the following folders:


• Read & Execute • C:\Program Files\Business Objects\BusinessObjects Enterprise 11\win32_x86

• Write • C:\Program Files\Business Objects\WCA


• Read & Execute • The system’s temporary directory• C:\Winnt\Business Objects• C:\Winnt\Fonts• C:\Program Files\Business

Objects\Shared

• Write • C:\Program Files\Business Objects\WCA• C:\Program Files\Business

Objects\BusinessObjects Enterprise 11\FileStore


Page Server
The Page Server connects to the database to retrieve the information needed to build the report. For most BusinessObjects Enterprise deployments, the reporting database is located on a separate machine. If the Page Server is on a different machine from the database, you must change the Page Server’s user account from the default local System account to a domain user account with local administrative access to the computer hosting the reporting database. For details on changing the user account, see “Changing the server user account” on page 130.Ensure that the Page Server’s user account has the correct NTFS permissions for the following folders:


• Read & Execute • The system’s temporary directory• C:\Winnt\Business Objects• C:\Winnt\Fonts• C:\Program Files\Business

Objects\Shared• C:\Program Files\Business

Objects\BusinessObjects Enterprise 11\FileStore\Input

• Write • C:\Program Files\Business Objects\WCA


Customizing the appearance of Web Intelligence documents

appendix

Customizing the appearance of Web Intelligence documentsCustomizing the appearance of Web Intelligence documentsD
Customizing the appearance of Web Intelligence documents
You can customize the default appearance of all new Web Intelligence documents created using the Web Intelligence Java Report Panel or the HTML - Query Panel. To do so, you must edit a file called defaultconfig.xml.By editing defaultconfig.xml, you can change the default appearance of many interface elements:• fonts and font sizes for tables, cells, chart axes, and so on• background colors (“wallpaper”)• lines and borders for cells and tables• color palettesThe new settings take effect only for reports created after the defaultconfig.xml file is modified and saved. Earlier reports are not affected by the new settings.In the defaultconfig.xml file, settings are grouped by “key value.” (See “List of key values” on page 564.) To modify a setting, open the defaultconfig.xml file in a text editor and modify the parameter you want. Back up the original file before you start.For an example of how to modify the defaultconfig.xml file, see “Example: Modifying the default font in table cells” on page 565.Note: • You cannot use defaultconfig.xml to customize the appearance of the

HTML Report panel.• The defaultconfig.xml is also used by the REBean Editing SDK. For more

information, see the developer documentation.


Customizing the appearance of Web Intelligence documentsCustomizing the appearance of Web Intelligence documents D

What you can do with the defaultconfig.xml fileWith the defaultconfig.xml file, you can change certain aspects of the look and feel of Web Intelligence reports. You can make the reports adhere to your corporate visual guidelines.Here’s what a Web Intelligence report looks like before changes are made to the defaultconfig.xml file:



By modifying a few settings—stable header and body cell fonts, alternative row settings, chart axes values, label fonts, and section cell borders—default Web Intelligence tables and charts can look like this:

Locating and modifying defaultconfig.xmlTo customize the default appearance of a new Web Intelligence document, you must edit the defaultconfig.xml associated with the report panel used to create that document. Each report panel has its own defaultconfig.xml file.



BusinessObjects Enterprise Java InfoViewIf you deploy the BusinessObjects Enterprise Java InfoView, you can customize the default appearance of documents created using the Java Report Panel or the HTML-Query Report Panel. On Windows, you must edit the defaultconfig.xml files inside the desktop.war file. For additional information on modifying XML and .war files, see the BusinessObjects Enterprise Installation Guide.

To update defaultconfig.xml in the .war file1. Stop the web application server if it is running.2. Find the desktop.war file. On Windows, it’s found at C:\Progam

Files\Business Objects\BusinessObjects Enterprise 11\java\applications\desktop.war.

3. Extract defaultconfig.xml from the desktop.war file.For the Java Report Panel, extract webiApplet\AppletConfig\defaultconfig.xml

For the HTML-Query Report Panel, extractWEB-INF\classes\defaultconfig.xml

Tip: On Windows, you can use a tool such as WinZip to extract and replace files in a .war file.

4. Make a backup of the defaultconfig.xml file.5. Open defaultconfig.xml, and make your changes.

See “List of key values” on page 564 for information on the values you can change, and “Example: Modifying the default font in table cells” on page 565 for an example.

6. Save and close defaultconfig.xml.7. Reinsert defaultconfig.xml into desktop.war. Ensure that you insert the

file into the correct directory within the .war file.8. Restart your web application server and redeploy desktop.war. See the

BusinessObjects Enterprise Installation Guide for details.

BusinessObjects Enterprise .NET InfoViewIf you deploy the BusinessObjects Enterprise .NET InfoView, you can customize the appearance of new documents created using the Java Report Panel. To customize the appearance of reports created with the Java Report Panel, edit the copy of defaultconfig.xml found at:C:\Program Files\Common Files\Business Objects\3.0\java\webiApplet\AppletConfig


List of key values
In the defaultconfig.xml file, settings are grouped by “key value.” The following table lists the key values and the corresponding interface elements.

Key value Interface element

Block*defaultBg Background colors for blocksBlock*selectionBg Background colors for selected blocksCell*selectionColor Selected cell colorcell_skin0,report_skin0,section_skin0,bloc_skin0

Combo default skin

freeCell*default Free cells (not section cells)freeCell*section Section cellsgraph*Data Removing black line around bar chartsgraph*Graph General settings for graphsgraph*Palette*0 Adding a new color palettegraph*Palette*1 Adding a new color palettegraph*Wall Default background colors for chartsgraph*YGrid Color for horizontal grid (Y axis)graph*ZGrid Removing X-axis and Z-axis gridgraph*XLabels X-axis labels in a graphgraph*YLabels Y-axis labels in a graphgraph*ZLabels Z-axis labels in a graphgraph*XValues X-axis values in a graphgraph*YValues Y-axis values in a graphgraph*ZValues Z-axis values in a graphpage*default Default page layout. For example: A4,

Letter; portrait or landscape.Section*arrowColor Color of section arrowSection*background General settings for sectionsSection*selectionColor Color of selected section arrowtable*AltBody Alternate body cells in a tabletable*body Body cells in a tabletable*BodyForm Body cells in a form



Example: Modifying the default font in table cellsYou can modify the default font to another font available on your system, including non-standard fonts that you install on the server. The default font is Arial.This setting is found in the table*Body key value in the defaultconfig.xml file.Languages and fonts must be supported on the client machine for correct display. In addition, all fonts must be defined in the fontalias.xml file.Note: To change the default appearance of Web Intelligence documents created in a report panel, you must modify and deploy the correct copy of the defaultconfig.xml file. See “Locating and modifying defaultconfig.xml” on page 562 for more information.

To modify the default font1. Make a backup of the defaultconfig.xml file.2. Open the defaultconfig.xml file.3. Find the table*Body key value.

Here’s what it looks like:

table*ExtraHeader Object name cells in a crosstabletable*Footer Footer cells in a tabletable*Form General settings for formstable*Header Header cells in a tabletable*HeaderForm Header cells in a formtable*Table General settings for tablesUI*default Custom fonts

Key value Interface element



4. To change the default font for specified languages, enter the font name after FACE=.For example, to change only Japanese to a font named “SpecialFont,” you would enter:<FONT xml:lang="ja" FACE="SpecialFont" ...

5. To change the overall default font for all non-specified languages, enter the new font name after FONT FACE=.Note: You must modify the default font values separately for each language you want to change.

6. Modify any other attributes you want, such as font size.7. Save and close the defaultconfig.xml file.


Server Command Lines

appendix

Server Command LinesCommand lines overviewE
Command lines overview
When you start or configure a server through the Central Management Console (CMC) or the Central Configuration Manager (CCM), the server is started (or restarted) with a default command line that includes a typical set of options and values. In the majority of cases, you need not modify the default command lines directly. Moreover, you can manipulate the most common settings through the various server configuration screens in the CMC and the CCM. For reference, this appendix provides a full listing of the command-line options supported by each server. You can modify each server’s command line directly if you need to further customize the behavior of BusinessObjects Enterprise.Throughout this appendix, values provided in square brackets [ ] are optional.

To view or modify a server’s command line• On Windows, use the CCM to stop the server. Then open the server’s

Properties to modify the command line. Start the server again when you have finished.


Server Command LinesStandard options for all servers E

Standard options for all serversThese command-line options apply to all of the BusinessObjects Enterprise servers, unless otherwise indicated. See the remainder of this appendix for options specific to each type of server.

Option Valid Arguments

Behavior

-name string Specify the friendly name of the server. The server registers this name with the Central Management Server (CMS), and the name is displayed in the CMC. The default friendly name is hostname.servertypeNote: • Do not modify -name for a CMS.• If you modify -name for an Input or Output File

Repository Server, you must include “Input.” or “Output.” as the prefix to the value you type for string (for example, -name Input.Server01 or -name Output.UK).

-ns cmsname[:port] Specify the CMS that the server should register with. Add port if the CMS is not listening on the default (6400). This option does not apply to the CMS itself.

-requestPort port Specify the port that the server listens on. The server registers this port with the CMS. If unspecified, the server chooses any free port > 1024.Note: This port is used for different purposes by different servers. Before changing, see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrator’s Guide“Changing the default server port numbers” on page 124.


Server Command LinesCentral Management ServerE

Central Management ServerThis section provides the command-line options that are specific to the CMS. The default path to the server on Windows is:C:\Program Files\Business Objects\BusinessObjects Enterprise

11\win32_x86\CrystalMS.exe

-port [interface:][port] Bind WCA or CMS to the specified port, or to the specified network interface and port. Binds other servers to the specified network interface. Useful on multihomed machines or in certain NAT firewall environments.Note: • Use -port port or -port interface:port for WCA

and CMS. Use -port interface for other servers. The port command is used for different purposes by different servers. Before changing, see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrator’s Guide“Changing the default server port numbers” on page 124.

• If you change the default port value for the CMS, you must perform additional system configuration. For more information please see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrator’s Guide“Changing the default server port numbers” on page 124.

-restart Server restarts if it exits with an unusual exit code.


Behavior


Behavior

-threads number Use a thread pool of the specified size. The default is one thread per request.

-reinitializedb Cause the CMS to delete the system database and recreate it with only the default system objects.

-quit Force the CMS to quit after processing the -reinitializedb option.


Server Command LinesCentral Management Server E

-receiverPool number Specify the number of threads the CMS creates to receive client requests. A client may be another Business Objects server, the Report Publishing Wizard, Crystal Reports, or a custom client application that you have created. The default value is 5. Normally you will not need to increase this value, unless you create a custom application with many clients.

-maxobjectsincache number Specify the maximum number of objects that the CMS stores in its memory cache. Increasing the number of objects reduces the number of database calls required and greatly improves CMS performance. However, placing too many objects in memory may result in the CMS having too little memory remaining to process queries. The upper limit is 100000.

-ndbqthreads number Specify the number of CMS worker threads sending requests to the database. Each thread has a connection to the database, so you must be careful not to exceed your database capacity. In most cases, the maximum value you should set is 10.

-AuditInterval minutes Specify interval at which the CMS requests audit information from audited servers. The default value is 5 minutes. (Maximum value is 15 minutes, and minimum value is 1 minute.).

-AuditBatchSize number Specify the maximum number of audit records that the CMS requests from each audited server, per audit interval. The default value is 200 records. (Maximum value is 500, and minimum value is 50.)


Behavior


Server Command LinesPage Server and Cache ServerE

Page Server and Cache ServerThe Page Server and the Cache Server are controlled in much the same way from the command line. The command-line options determine whether the server starts as a Page Server, a Cache Server, or both. Options that apply only to one server type are noted below.The default paths to the servers on Windows are:C:\Program Files\Business Objects\BusinessObjects Enterprise

11\win32_x86\cacheserver.exeC:\Program Files\Business Objects\BusinessObjects Enterprise

11\win32_x86\pageserver.exe

-auditMaxEventsPerFile number Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by -auditMaxEventsPerFile is exceeded, the server opens a new log file.

-AuditeeTimeSyncInterval minutes Specify the interval between time synchronization events. The CMS broadcasts its system time to audited servers at the interval specified by -AuditeeTimeSyncInterval. The audited servers compare their internal clocks to the CMS time, and then adjust the timestamps they give to all subsequent audit records so that the time of these records synchronizes with the CMS time. The default interval is 60 minutes. (Maximum value is 1 day, or 1440 minutes. Minimum value is 15 minutes. Setting the interval to 0 turns off time synchronization.)


Behavior


Behavior

-cache Enable Cache Server functionality.-dir absolutepath Specify the cache directory for a Cache

Server and the temp directory for the Page Server. The directories created are absolutepath/cache and absolutepath/temp


Server Command LinesPage Server and Cache Server E

-deleteCache Delete the cache directory every time the server starts and stops.

-psdir absolutepath Specify the temp directory for the Page Server. This option overrides -dir.

-refresh minutes Share cached pages for the specified number of minutes.

-maxDBResultRecords number Limit the number of database records that are returned from the database. The default limit is 20000 records. If a user views an on-demand report containing more than 20000 records, an error message indicates that the report contains too many database records. To increase the enforced limit, increase number accordingly; to disable the limit, replace number with 0 (zero).

-noautomaticdbdisconnect Disable automatic database disconnection for the Page Server. By default the Page Server will automatically disconnect from the reporting database after retrieving data, to free up database licenses. This may affect performance if your site uses many reports with on-demand subreports, or group-by-on-server.

-report_ProcessExtPath absolutepath Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrator’s Guide.“Applying processing extensions to reports” on page 429.

-auditMaxEventsPerFile number On the Cache Server, specifies the maximum number of audit actions recorded in the audit log file. The default value is 500. If this maximum number of records is exceeded, the server will open a new log file.


Behavior


Server Command LinesJob serversE
Job servers
This section provides the command-line options that are specific to the job servers, which include Job Servers, Program Job Servers, Destination Job Server, and List of Values Job Server.The default path to the server on Windows is:C:\Program Files\Business Objects\BusinessObjects Enterprise

11\win32_x86\JobServer.exe

Option Valid Arguments Behavior-dir absolutepath Specify the data directory for the Job

Server.-lib processinglibrary Specify the processing library to load:

• procReport or• procProgramLoading procReport starts the Job Server as a Report Job Server. Loading procProgram starts the Job Server as a Program Job Server. This option is used in conjunction with -objectType.

-objectType progID The program ID of the processing library, which determines the class of object supported by the Job Server:• CrystalEnterprise.Report or• CrystalEnterprise.ProgramUsed with -lib to specify whether the Job Server becomes a Report Job Server or a Program Job Server.

-maxJobs number Set the maximum number of concurrent jobs that the server will handle. The default is five.

-requestJSChildPorts lowerbound-upperbound

Specify the range of ports that child processes should use in a firewall environment. For example, 6800-6805 limits child processes to six ports.


Server Command LinesReport Application Server E

Report Application ServerThis section provides the command-line options that are specific to the Report Application Server. The default path to the server on Windows is:C:\Program Files\Common Files\Business Objects\3.0\

bin\crystalras.exe



Option Valid Arguments Behavior


Behavior

-ipport port Specify the port number for receiving TCP/IP requests when running in stand-alone mode (outside of BusinessObjects Enterprise).



Server Command LinesReport Application ServerE

-ProcessAffinityMask mask Use a mask to specify exactly which CPUs that RAS will use when it runs on a multi-processor machine.The mask is in the format 0xffffffff, where each f represents a processor, and the list of processors reads from right to left (that is, the last f represents the first processor). For each f, substitute either 0 (use of CPU not permitted) or 1 (use of CPU is permitted).For example, if you run the RAS on a 4 processor machine and want it to use the 3rd and 4th processor, use the mask 0x1100. To use the 2nd and 3rd processor, use 0x0110. Note: • RAS uses the first permitted processors in

the string, up to the maximum specified by your license. If you have a two processor license, 0x1110 has the same effect as 0x0110.

• The default value of the mask is -1, which has the same meaning as 0x1111.



Behavior


Server Command LinesWeb Intelligence Report Server E

Web Intelligence Report ServerThis section provides the command-line options that are specific to the Web Intelligence Report Server.The default paths to the server on Windows is:C:\Program Files\Business Objects\BusinessObjects Enterprise

11\win32_x86\WIReportServer.exe


Behavior

-ConnectionTimeoutMinutes

minutes Specify the number of minutes before the server will timeout.

-MaxConnections number Specify the maximum number of simultaneous connections that the server allows at one time.

-DocExpressEnable Enables caching of Web Intelligence documents when the document is being viewed.

-DocExpressRealTimeCachingEnable

Enables real time caching of Web Intelligence documents.

-DocExpressCacheDurationMinutes

minutes Specify the amount of time (in minutes) that content is stored in cache.

-DocExpressMaxCacheSizeKB

kilobytes Specify the size of the document cache.

-EnableListOfValuesCache

Enables the caching per user sessions of lists of values

-ListOfValuesBatchSize number Specify the maximum number of values that can be returned per list of values batch.

-UniverseMaxCacheSize number Specify the number of universes to be cached.

-WIDMaxCacheSize number Specify the maximum number of Web Intelligence documents that can be stored in cache.


Server Command LinesInput and Output File Repository ServersE
Input and Output File Repository Servers
This section provides the command-line options that are specific to the Input and Output File Repository Servers.The default paths to the servers on Windows are:C:\Program Files\Business Objects\BusinessObjects Enterprise

11\win32_x86\inputfileserver.exeC:\Program Files\Business Objects\BusinessObjects Enterprise

11\win32_x86\outputfileserver.exe

Note: If you modify -name for an Input or Output File Repository Server, you must include “Input.” or “Output.” as the prefix to the value you type (for example, -name Input.Server01 or -name Output.UK).


Behavior

-rootDir absolutepath Set the root directory for the various subfolders and files that are managed by the server. File paths used to refer to files in the File Repository Server are interpreted relative to this root directory.Note: All Input File Repository Servers must share the same root directory, and all Output File Repository Servers must share the same root directory (otherwise there is a risk of having inconsistent instances). Additionally, the input root directory must not be the same as the output root directory. It is recommended that you replicate the root directories using a RAID array or an alternative hardware solution.

-tempDir absolutepath Set the location of the temporary directory that the FRS uses to transfer files. Use this command line option if you want to control the location of the FRS temporary directory, or if the default temporary directory name generated by the FRS exceeds the file system path limit (which will prevent the FRS from starting).

-maxidle minutes Specify the number of minutes after which an idle session is cleaned up.


Server Command LinesEvent Server E

Event ServerThis section provides the command-line options that are specific to the Event Server.The default path to the server on Windows is:C:\Program Files\Business Objects\BusinessObjects Enterprise

11\win32_x86\EventServer.exe


Behavior

-poll seconds Specify the frequency (in seconds) with which the server checks for File events.

-cleanup minutes Specify the frequency (in minutes) with which the server cleans up listener proxies.



Server Command LinesEvent ServerE


International Deployments

appendix

International DeploymentsInternational deployments overviewF
International deployments overview
When you distribute reports to a worldwide audience, you need to accommodate users working in various languages, time zones, and countries. BusinessObjects Enterprise and Crystal Reports provide powerful capabilities for presenting data in a number of languages. This chapter provides recommendations for creating and managing content deployed through BusinessObjects Enterprise to a multilingual, worldwide audience. International deployments require thorough planning, from choosing the best server configuration to adopting special report design techniques. To support multiple languages in BusinessObjects Enterprise, you need to ensure that the servers have the appropriate resources for delivering content in different languages. In Crystal Reports, you can create flexible reports that allow users to choose between different languages or formats.Note: For large BusinessObjects Enterprise deployments, it is good practice to work with our global team of certified consultants and consulting partners.

Deploying BusinessObjects Enterprise internationally

Deploying a BusinessObjects Enterprise system for an international audience introduces a unique set of challenges. When you increase support to address a specific user need such as a new language, you may need to increase the complexity of your deployment. Many problems can be avoided by planning the BusinessObjects Enterprise deployment in advance. How much multilingual support do your users need? Do you have the people, processes, hardware, and software in place to provide an international BusinessObjects Enterprise system?When you have determined the best approach, you can configure the available resources to deliver the best possible BusinessObjects Enterprise solution for your users.


International DeploymentsDeploying BusinessObjects Enterprise internationally F

Planning an international BusinessObjects Enterprise deployment

To ensure that your deployment is successful, you need to thoroughly plan the deployment with international considerations in mind.Assess the language needs of your users. Begin with a comprehensive list of job tasks and other user requirements. Then ensure that you have the appropriate resources for delivering BusinessObjects Enterprise to all of your users, and for maintaining its future growth.

LanguagesA quick survey of your organization should provide enough information to determine your language requirements. Which languages are used most often across the organization? Is there a demand for reports in all of these languages? Which languages does your company currently support on its web site? How many languages do your report users speak? It may be necessary to provide reports in only two or three languages. Make sure you check your language requirements against the list of supported languages for BusinessObjects Enterprise. BusinessObjects Enterprise software is available in two versions, an English version and a multilingual version. The multilingual version provides components for the following languages:

For these languages, the software itself has been translated (or localized), with all functions and features available in the specific language. You can publish objects in these languages using the English or multilingual versions of BusinessObjects Enterprise.

• Dutch • Japanese• English • Korean• French • Simplified Chinese• German • Spanish• Italian • Traditional Chinese


International DeploymentsDeploying BusinessObjects Enterprise internationallyF
Resources
After you determine which languages are required, look at the resources required to implement the different server configurations that will meet the language needs of your users. You can provide separate BusinessObjects Enterprise deployments for each language, or you can ask users to create reports in one language and deliver them using servers in another language. Do you have the resources and people you need to manage multiple systems or can you support only one BusinessObjects Enterprise deployment?For any deployment that involves more than one language, you must account for additional server requirements. For example, if you run an English version of BusinessObjects Enterprise on a multilingual operating system, you must ensure that you have the correct combination of components for both languages.You should choose the right deployment based on the available resources. For each server, ensure that you have the appropriate operating system, fonts, and language files.• Languages

Install the appropriate languages on all servers. Even if only a few users design reports in Spanish and Japanese, Spanish and Japanese language files must be installed on all servers used in the deployment.For information on installing languages, consult your operating system’s documentation.

• Fonts If a language requires a special font, install the font files on all machines running BusinessObjects Enterprise components. For information on installing fonts, consult your operating system’s documentation.Note: • Depending on the languages, data may not be displayed properly.

For example, if you publish reports in a “double-byte” language like Japanese to an English server, the double-byte characters may not display properly in chart titles, drill-down tabs, group tree values, and strings in formulas. These strings use the system font specified by the server to display text. Unless the system font supports double-byte characters, BusinessObjects Enterprise will not display the strings properly.


International DeploymentsDeploying BusinessObjects Enterprise internationally F

• If, after installing the necessary fonts on the various servers, BusinessObjects Enterprise does not render the report properly, install Crystal Reports on the problematic servers. Then, open the problem report and refresh it. For more information, see “Troubleshooting reports with Crystal Reports” on page 505.

• Operating systemsDepending on your language needs, you may need to install a localized operating system on machines running BusinessObjects Enterprise components. The operating system may affect certain messages that appear when working with BusinessObjects Enterprise. To ensure that all messages appear in the language you want, make sure you install the appropriate version of the operating system, and make sure it is a language supported by BusinessObjects Enterprise.For example, if you access French reports from a French client using an English version of BusinessObjects Enterprise on the server, you must have a French operating system on the server.

• PeopleDepending on your configuration, you may need additional people to help deliver and maintain your BusinessObjects Enterprise system. If you deploy multiple systems for different languages, you may need another system administrator or IT professional to configure and maintain the system. When you are working with localized versions of operating systems and software, it is good practice to have someone on staff who not only has the technical IT skills, but also the language skills required to manage the system.

Providing a client tier for multiple languagesBy default, BusinessObjects Enterprise installs and configures a client tier in the same language as its server components. For example, the English version of BusinessObjects Enterprise installs the English version of InfoView.If you are using the English version of BusinessObjects Enterprise, and you need to provide a web desktop in English and another localized language, you can install a localized version of the client components under a different directory from the directory that contains the English components. If you are using the multilingual version of BusinessObjects Enterprise, you can install the localized versions of the client components. When your users change their locale settings for their machines, the appropriate language will appear in their InfoView.


International DeploymentsDeploying BusinessObjects Enterprise internationallyF


Creating Accessible Reports

appendix

Creating Accessible ReportsAbout accessibilityG
About accessibility
When you create Crystal reports for a large audience across the organization—and around the world—you need to account for the diverse needs of that audience. Report designers often create reports for specific languages, countries, job tasks, or work groups, but it is also important to consider the accessibility requirements of users. Report users may have physical, sensory, or cognitive limitations that affect their ability to access the Web. They may not be able to see, move, or hear. They may have low vision or limited movement. Some people have dyslexia, color-blindness, or seizure disorders; others have difficulty reading or understanding text. They may have a combination of disabilities, with varying levels of severity.People with disabilities often use assistive technologies: products or techniques that help people perform tasks they cannot perform otherwise. Assistive technologies include adaptive software programs such as screen readers (which translate text into audible output), screen magnifiers, and speech-recognition software. People with disabilities may also use special browsers that allow only text or voice-based navigation. They may use assistive devices such as refreshable Braille displays, or alternative keyboards that use “sip-and-puff” switches or “eyegaze” technology.To meet the reporting needs of people with disabilities, your reports should be designed to work with as many assistive technologies as possible. Despite the wide range of potential accessibility issues, you can use the techniques described in this chapter to create reports that are useful for everyone.

Benefits of accessible reportsAs more business and government leaders adopt new standards for delivering web content to people with disabilities, accessible design is becoming critical to information management and delivery.Accessible design provides many benefits:• Accessible reports are easier for everyone to use.

Many accessibility guidelines result in improved usability. An accessible report must provide logical and consistent navigation. Its content must be clearly written and easy to understand.

• Accessible reports are more compatible with a variety of technologies, new and old.


Creating Accessible ReportsAbout accessibility G

Accessible content is easier to export to simple formats that are more compatible with mobile phone browsers, personal digital assistants (PDAs), and other devices with low-bandwidth connections.Some people may not have a keyboard or a mouse. They may have a text-only screen, a small screen, or a slow Internet connection. Accessible design makes it easier for people with limited technology to access information.

• Accessible content is easier to reuse for other formats. In the viewers, accessible reports are more accurately copied or exported to other formats.

• Accessible reports improve server efficiency.You may reduce the number of HTTP requests on the server, by providing clear navigation so people can find what they need faster. Providing text-only alternatives can reduce the number of graphics, which take up valuable bandwidth.

• Recent initiatives indicate a worldwide trend towards providing accessible web content. More companies are making accessibility a requirement for their web content, especially in the United States, where the government introduced section 508 of the Rehabilitation Act. Accessibility is quickly becoming an essential part of web content delivery.

• You may be legally required to provide accessible content.Each year, more countries introduce anti-discrimination laws that ensure equal opportunities for people with disabilities. Even if you are not legally required to meet accessibility guidelines, you may want to do business with an organization that is required to adhere to them.

• Creating accessible reports is easier than modifying existing reports to make them accessible.If you build accessible features into your reports now, it will be significantly less expensive than to redesign existing reports later.

About the accessibility guidelinesThe most comprehensive accessibility guidelines are the Web Content Accessibility Guidelines (WCAG), developed by the international World Wide Web Consortium (W3C). The WCAG is widely considered the definitive set of recommendations for delivering web content to people with disabilities. The WCAG has influenced the development of similar web content standards around the world.


Creating Accessible ReportsAbout accessibilityG

Organizations and governments worldwide are adopting the accessibility recommendations of the W3C. In Australia, the Disability Discrimination Act includes standards for web site accessibility. Similar guidelines have been introduced in the United Kingdom and throughout Europe. In Canada, all government web content is now developed according to the Common Look and Feel (CLF) initiative, which is largely based on the W3C's Web Content Accessibility Guidelines. Taking web accessibility a step further, the United States government introduced legislation in the form of Section 508 of the Rehabilitation Act, which ensures the right to accessible government web content. Common to all guidelines is a focus on providing web content that is useful for all people, regardless of disability or impairment. For reports, accessible design is focused on the same key concepts:• Content must be easy to understand and navigate.• Text equivalents or alternatives should be provided for non-text objects.• Objects should be logically organized to clarify relationships between

objects.• Reports must not rely on any one specific type of hardware, such as a

mouse, a keyboard, or a color screen. For more information on specific accessibility guidelines, see “Resources” on page 612.

Accessibility and Business Objects productsBusiness Objects products allow you to design accessible reports and deliver them to your users via the Web. The products provide different levels of accessibility support.

Crystal ReportsBy observing accessibility guidelines, you can use Crystal Reports to create reports that are accessible to users with disabilities. However, Crystal Reports does not currently provide complete accessibility for report designers with disabilities.Note: The reports in this chapter were created in Crystal Reports and tested using screen readers (including JAWS 4.5).

Web IntelligenceWeb Intelligence provides accessible access through its HTML Report Panel interface, where you can view, create, and edit Web Intelligence documents. Web Intelligence documents are read from left to right and top to bottom, and you can navigate through the report panel’s frames and tabs using the Tab key.


Creating Accessible ReportsImproving report accessibility G

OLAP IntelligenceAlthough you can use many of the same design guidelines to improve the accessibility of Crystal Analysis Professional reports, Worksheets are difficult to format for accessibility. Web Intelligence or Crystal reports are the recommended options for delivering reports to people with disabilities.

BusinessObjects EnterpriseAfter you create accessible Web Intelligence documents or Crystal reports, you can publish them to BusinessObjects Enterprise, where people with disabilities can view them on the Web using InfoView and the DHTML viewers. The management components of BusinessObjects Enterprise, including the Central Management Console (CMC) and the Central Configuration Manager (CCM), do not currently provide access for people with disabilities. The ActiveX and Java viewers are also not accessible.

Improving report accessibilityTo begin improving the accessibility of your reports, start with accessibility guidelines that are quick and easy to implement. A small change in your design conventions or company template may have a significant impact on accessibility. Simple navigation and clearly-written content are critical for accessibility, but they are easy to implement and useful for all report users.

Placing objects in reportsThere are a few general guidelines to keep in mind when you place objects on a report.

Organizing objects logicallyWhen you place objects on reports, make sure their placement is clear and logical, especially when you need to imply a relationship between two objects in a report. For example, if you include a text description of a chart, ensure that it is close enough to the chart to make the connection clear. Many assistive technologies read from left to right and from top to bottom; therefore, if you include a text description and title for a chart, you should decide which one you want the user to read first. This will ensure that the objects in a report are read in the correct order.


Creating Accessible ReportsImproving report accessibilityG
Placing objects in order
When you publish a Crystal report to BusinessObjects Enterprise, the HTML version organizes the objects in the report according to the consecutive order that you added them in Crystal Reports, not according to where they were positioned on the report. The report appears the same on the screen, but the underlying HTML code lists the reports objects in the order they were inserted. Instead of reading the report from left to right and top to bottom, screen readers and other assistive devices may follow the order specified in the HTML. To make a report accessible, you must add objects to reports in the order that you want a screen reader to read them.For example, you place Quarter, Year, and Invoice fields in the Details section and then add the report title “Invoices by Quarter” to the Report Header. When you publish the report to BusinessObjects Enterprise, it looks the same as it did in Crystal Reports, but the underlying HTML displays the database field headings first, followed by the title. Instead of reading the report title first, a screen reader reads the headings first: “Quarter, Year, Invoice, Invoices by Quarter.”To avoid this, insert the “Invoices by Quarter” title first. Before you add the data table, you could provide an introductory text object that describes the table. Finally, add the fields to the Details section. The report will now make more sense in a screen reader, which will read “Invoices by Quarter”. The following table lists our invoices for each quarter. Quarter, Year, Invoice.” followed by the data. (For details on providing accessible data tables, see “Improving data table accessibility” on page 603.)Therefore, to create accessible reports, you must plan the order of your report before you begin working in Crystal Reports. Plan it on paper. Make sure you know which objects you want to add and where you want them. Include all calculations, images, and charts on your plan. When you create a new report based on your plan, you can start adding objects from the upper left corner and work your way to the bottom right corner of the report. Once the objects are placed, you can make changes to them afterwards without affecting their order. Note: If you create a text-only alternative of your report, add it to your report as a subreport and, most importantly, add the subreport before you add any other object to your report. For further details, see “Text” on page 593.After you add all objects to the report, you can test their placement order by tabbing through the objects.

To test the placement order of objects in a Crystal report1. Make sure no objects in the report are selected. 2. Press the Tab key.

Crystal Reports selects the object that was placed on the report first.



3. Tab through the remaining objects.The order that Crystal Reports uses to tab through the objects is the same order adopted by a screen reader that views the published version of the report.

TextThe most common accessibility issue encountered by report designers is also one of the easiest to resolve: providing text-only versions of non-text objects. A non-text object is an object that conveys meaning through a picture or sound. Non-text objects include pictures, charts, graphical buttons, graphical representations of text, sounds, animations, and audio or video clips. People who use assistive technologies are accustomed to text-only substitutes and, therefore, will respond well to the text-only alternatives you provide.There are a number of ways you can use text to substantially improve your reports’ accessibility:• Provide text equivalents for objects in reports.• Provide text alternatives for reports.• Ensure that text is written and formatted clearly.Text is a useful tool for creating accessible reports. Most assistive technologies require text input, including screen readers, speech synthesizers, and Braille displays. You can easily resize and format text, and text is the most flexible medium for import and export.

Providing text equivalentsWhen you create reports, there are many opportunities to use text equivalents to clarify non-text objects. • Place a descriptive text object next to a non-text object, and be sure to

add them to the report in consecutive order (for more details see “Placing objects in order” on page 592). Whenever possible, a text equivalent should communicate the same information as its corresponding object in the report. If a report displays data in a pie chart, for example, include a text box next to the chart that summarizes its contents.Describe the purpose of the non-text object. For example, if an image performs an action when you click it, describe the action. For a button that opens your web site, provide a text box labeled “Click to view our web site.”



• If a report includes audio links, provide a transcript for significant audio clips.

• If a report links to a multimedia or video presentation, provide a transcript. You may also want to provide captioning for the audio portion and an audio description of the visual portion. Captioning should be synchronized with the audio.

Providing text-only alternativesIf there are too many non-text objects on a report, or if you do not have the resources to integrate accessible design into all of your reports, then you can provide complete text-only alternatives. For reports that represent data using only charts and graphics, for example, you can provide a link to a text-only alternative that provides the same data in data tables and text objects.Whenever possible, a text-only alternative should provide the same information as the original report. The information conveyed through images in the main report should also be described using text objects on the alternative report.Note: If you cannot produce a complete text-only version of the report, you can still improve accessibility by providing a descriptive summary of key information or conclusions illustrated by the report.It is good practice to provide the text-only alternative on a subreport, linked from the top left corner of the main report, so the user has the opportunity to switch to the text-only version as soon as possible. Add the subreport to the report before any other object to ensure that a screen reader will read it first. If you want the subreport link to appear only for people using screen readers or similar software, you can create a subreport link that is the same color as the background color. The link will appear as a small blank space, but a screen reader will read the text for the link.

To add a text-only alternative to a subreport1. Create a text-only version of the report and save it.2. Open a new report.3. On the Insert menu, click Subreport.4. In the Insert Subreport dialog box, select Choose an existing report and

click Browse to locate the report you created in step 1.5. Click the subreport, then choose Format Subreport from the Format

menu.6. In the Format Editor, on the Subreport tab, select On-demand

Subreport.



7. To hide the subreport link, on the Font tab, choose the color that matches the background color of the report. Note: Instead of hiding the subreport link, you can conditionally suppress the section that contains the subreport. For details, see “Accessibility and subreports” on page 603.

Using punctuationTo improve the logical flow of spoken text, you may need to add extra punctuation to create pauses. Without extra punctuation, screen readers may read several text objects as one continuous sentence, making the content difficult to understand. For example, information in data tables may be read without stopping. To prevent this, you can break up information in data tables by inserting periods between fields.Certain punctuation marks are read aloud, which may be distracting if used too frequently. For example, when a screen reader reads a colon “:”, it may read it aloud as “colon” instead of a pause. You can change the amount of spoken punctuation in your screen reader's settings.To troubleshoot your report's punctuation, it is good practice to read the report using a screen reader. Do objects run together too quickly? Or are there too many pauses? Are any punctuation marks read aloud? Does this improve or deter from the usability of the report?

Formatting textAfter you create text equivalents or alternatives for non-text objects, ensure that the text is clearly written and easy to read. Observe the following design guidelines: • Use a larger font.

Although people with visual impairments can use the Zoom feature to increase the size of the report, they will not need to magnify the report as much if the font size is larger. For example, chart labels or legends can appear in a small font by default. For general legibility, it is good practice to use a font larger than 8 point. For accessibility, ensure that text is larger than 11 point.

• Use a “sans serif” font. Simple fonts such as Arial and Helvetica can be easier to read than serif fonts like Times or Palatino.

• Choose left or justified alignment. Left-aligned or justified text is easier to read than centered or right-aligned text.



• Ensure that text follows the guidelines for color usage. For details, see “Color” on page 597.

Note: You can allow users to choose different font settings using a parameter and conditional formatting. For details, see “Accessibility and conditional formatting” on page 601.

Finding the right balance between text and non-text objectsText equivalents are very flexible and often the best solution for accessibility, but they are not always necessary or preferred. Not all non-text objects require text equivalents. You need to include text alternatives only for non-text objects that provide information or navigation elements that the user cannot do without. Images used for decorative purposes do not need a text description. If a report has a watermark image that acts as a background for the data, you do not need to provide a text equivalent. Adding text descriptions for decorative objects can produce unnecessary clutter.Text versions of visual or auditory objects in reports should be used as a complement to the object—not as a replacement. You do not need to remove non-text objects. Visual objects in reports can be very helpful, especially for people with learning disabilities such as attention deficit disorder, or for people who are deaf. People with hearing impairments may be accustomed to visual communication such as sign language, and may find images more useful than text.No one presentation method can meet the needs of all users. Audio clips can be very useful for people with visual impairments, but people with hearing impairments will be unable to use them. To help both groups, provide a combination of audio and text. Multimedia presentations may provide audio information for people with visual impairments, as well as video information for people who are deaf or hard of hearing. Multimedia presentations are particularly effective for people with attention deficit disorder. However, people with certain mental health disabilities may be distracted by visual or audio objects.The best approach is to communicate the same information with both text and non-text objects. Add descriptive text to support the images, and add images that support the text. If text objects begin to overwhelm your report, you may want to provide a complete text-only version in a separate report or a subreport. For details, see “Providing text-only alternatives” on page 594.To learn more strategies on how to choose presentation methods that meet the needs of a variety of audiences, see “Designing for flexibility” on page 600.



ColorThe colors you choose for objects in reports can have a significant impact on accessibility for people with visual impairments, low vision, or color blindness. Ensure that your reports can be understood when viewed without color.

Contrasting colorsUsers with limited vision may be unable to distinguish between colors. To test the color contrast in your report, print or view a black and white copy. You should be able to distinguish between values or fields displayed in different colors (in a pie chart, for example).If you cannot distinguish between colors on the report, try different colors or use gray shading. If this does not resolve the issue, you can change other characteristics.For text, use the Format Editor to change the font, size, or style. You can add borders, underlining, or background shading to differentiate text objects from each other.For charts, use a combination of shading and patterns. You can automatically convert a color chart to a black and white one using the Chart Expert, or you can select values individually and choose your own patterns.

To convert a chart into black and white1. Select the chart and choose Chart Expert from the Format menu.2. In the Chart Expert, click the Options tab.3. In the “Chart color” area, select Black and white, then click OK.

The chart colors convert to a variety of high-contrast pattern and color fills.

To change the fill for a chart value1. Select the chart, then click the shaded area you want to change.2. On the Chart menu, point to Chart Options, and then click Selected

Item.3. In the Formatting dialog box, on the Fill tab, choose a color and click

Pattern.4. In the Choose A Pattern dialog box, click a pattern, then click OK.Note: You can also select a texture, gradient, or picture as a fill for the chart value. See the Chart Help for more information.


Using color to convey information
Do not use color as the only identifying characteristic for critical information in a report. For example, a text object may instruct users to “click the green button” to open a subreport. Users with limited vision cannot tell which button is green. The button should be recognizable by another defining characteristic besides its color. For example, you can change the button graphic to a shape that is not used elsewhere on the report, and instruct users to “click the green arrow button”. This solution provides color information for people who can distinguish colors, and extra information for people who cannot.Other common situations where color may be used to provide important information include:• Highlighting

To highlight particular values in a table, do not change only the color of the value. If you highlight outstanding invoices in red, for example, they may look the same as the paid invoices to someone with limited vision. In the Highlighting Expert dialog box, change a font characteristic other than color, such as font style.

• HyperlinksUsing color as the only method for identifying hyperlinks may also cause problems for color-blind users. When you print your report in black and white, check the hyperlinks to ensure that they are still visible.

• Identifying important areas of the reportDo not organize a report by using color as a background or as a separator between different sections or areas. Instead of using color to identify sections, establish clear and consistent navigation for the entire report.

NavigationAs with other aspects of accessible design, providing several alternative navigation methods can help you meet the reporting needs of more people. The W3C recommends including several different navigation methods. On the other hand, simplicity is critical for intuitive navigation. Section 508 recommends simple navigation that uses the least number of navigation links possible. Either approach can be effective for your reports, as long as you maintain clarity and consistency.You may want to use report parts to navigate a report (or to connect several reports). If you provide a series of links in a page header, keep in mind that screen-reading software will reread the navigation information every time the



user refreshes the page or views a new page. In this case, simple navigation is preferable. For a large report, you could provide a list of navigation links as a table of contents in the report header. More extensive navigation can be useful when you have a large volume of data. To allow users to skip the list, you could start with a “Skip the table of contents” link that jumps ahead to the first page header.In general, report navigation should follow these guidelines:• Identify the target of each link.• Provide information at the start of the report that describes the layout and

navigation.• Use navigation consistently.• Provide the opportunity to skip repetitive navigation links.

Parameter fieldsWhen you include parameter fields in a report, make sure they are clear and simple. Although parameter fields can be a useful tool for providing accessible content, they can also introduce several accessibility concerns. It is important to test all parameter fields for accessibility. Parameter fields should follow these guidelines:• Provide a list of default values for the user to choose from.

Avoid requiring the user to type a value for a parameter. When users provide their own values, they need to make sure the format of the value will be recognized by the parameter field. A list of default values is easier to use, and it ensures that the user chooses from values with valid formats.

• Try to avoid complex parameter fields. A complex parameter field may be more accessible when it is broken down into multiple parameters. When you test the accessibility of your parameter fields, pay particular attention to parameters that require a range. It may be easier to understand if you provide two parameter fields that prompt for discrete values for the top and bottom of the range, rather than ask the user to choose both values in the same parameter field.

• For date fields, do not allow users to choose their own values. The calendar used to select date values is not currently accessible. Provide a pick-list of default date values. Using a list of default values also helps avoid invalid date formats.


Creating Accessible ReportsDesigning for flexibilityG
Designing for flexibility
Flexibility is the key to providing accessible reports. Because different users require different levels of accessibility, it is good practice to provide a variety of presentation styles and methods to meet the needs of as many people as possible. For a detailed report, however, you may not be able to provide multiple presentation styles without cluttering the report with extra objects. To address this problem, plan the degree to which you want to integrate accessible formats into your reports. You can provide accessible formatting for each object, for each section, or as a subreport. You can then allow users to choose their own accessibility options using a parameter field that prompts them to choose whether or not to display accessible formats. Using this parameter field, you can conditionally format objects, or conditionally suppress sections that address different access needs. Or you can provide different display options by using subreports.

To create an accessibility parameter field1. In Crystal Reports, on the View menu, click Field Explorer.2. In the Field Explorer, right-click Parameter Fields and click New.3. In the Create Parameter Field dialog box, type the parameter name

(Access, for example) and the prompting text (Do you want to enable accessible formatting for this report?).

4. Ensure that the Value type is set to String.5. Click Set default values.6. In the Set Default Values dialog box, create Yes and No values and move

them to the Default Values area using the arrow buttons.7. Click OK.8. Click OK in the Create Parameter Field dialog box.


Creating Accessible ReportsDesigning for flexibility G

Accessibility and conditional formattingUsing the accessibility parameter field in simple formulas, you can provide multiple formats for any object in a report. If a user chooses “Yes” when prompted by the parameter, the conditional formulas will ensure that the objects are modified with accessible formatting conventions. If a user chooses “No”, then the report appears without accessible formatting, perhaps in the standard company template.For accessible text formatting, you can follow the guidelines suggested by this chapter and by the W3C, or you can survey your report users to determine the formats that work best for them. After you determine the formatting options you want to use, you can create conditional formulas that define the options. For example, you can display all database fields in a large Arial font, in white text on a black background, with the Can Grow option enabled.The following procedure creates a conditional formatting formula based on the ?Access parameter field. The formula increases the font size if the ?Access parameter field is set to “Yes”. You can use similar formulas to change colors, add borders, or enable the Can Grow setting. For complete instructions on conditionally formatting fields and using the Format Formula Editor, see the Crystal Reports Online Help.Note: If text objects are too small to accommodate the enlarged font, you can use a similar conditional formatting formula to enable the Can Grow setting, which appears on the Common tab of the Format Editor.

To apply accessible settings to font size conditionally1. Open the report in the Design tab of Crystal Reports.2. In the Details section, right-click the field you want to conditionally format,

and select Format Field.3. In the Format Editor, click the Font tab.4. Click the Formula button that corresponds to the Size list.

The Format Formula Editor opens a new formula named Font Size.5. In the Formula text window, type this formula (which uses Crystal Syntax):

if {?Access} = "Yes"then 20

else 10

This formula ensures that the font size for the currently selected field is increased from 10 point to 20 point when the user chooses to display accessible formatting.

6. Click Save and close.


Creating Accessible ReportsDesigning for flexibilityG
Accessibility and suppressing sections
Instead of formatting individual objects conditionally, you can create separate sections for accessible versions of the report content, then use the accessibility parameter field to conditionally suppress sections. The accessible and non-accessible sections can be suppressed or shown, based on the parameter value the user selects. Creating separate sections for accessible versions of report content may be more time-consuming, but there are a few situations where suppressing sections conditionally can be more practical than formatting on the object level:• If a report contains many objects, suppressing sections may require

fewer conditional formulas. • Not all settings and features can be formatted conditionally. By

suppressing sections, however, you can make any formatting changes you want.

• You may want to provide completely different types of information for people viewing the accessible version of the report. For example, you may want to split visual and audio objects into two different sections and conditionally suppress them based on the parameter value the user chooses.

To suppress an accessible section1. Right-click the left boundary of the section you want to suppress

conditionally, and click Section Expert.2. In the Section Expert, click the Formula button that corresponds to the

Suppress (No Drill-Down) setting.The Format Formula Editor opens a new formula named Suppress (No Drill-Down).

3. In the Formula text window, type this formula (which uses Crystal Syntax):if {?Access} = "No" then True

This formula selects the Suppress option if the user chooses not to view accessible report content.

4. Click Save and close.5. Click OK in the Section Expert.


Creating Accessible ReportsImproving data table accessibility G

Accessibility and subreportsAccessible report design may become too cumbersome using conditionally formatted objects and suppressed sections. Two situations in particular may be problematic:• To make the report accessible, you may need to change the overall

organization of the report sections, or you may need to provide different objects.

• If the report contains a large number of objects or sections, it may take too much time to create conditional formulas for all of them.

For example, if a report contains many non-text objects displayed in a complex series of groups and sections, you may want to provide a text-only version that uses different objects and a simplified group structure to meet accessibility guidelines. The easiest way to address this problem is to create a subreport that displays the accessible version of the report and place the subreport at the beginning of the main report. For details on creating a text-only accessible subreport, see “Providing text-only alternatives” on page 594.If you want only screen readers to be able to see the subreport, you can hide it by changing the subreport link to the same color as the background. Alternatively, you can use the ?Access parameter field to allow users to choose whether or not the subreport appears in the report. Place the subreport in its own section and conditionally suppress the section based on the ?Access parameter field. For details, see “Accessibility and suppressing sections” on page 602.

Improving data table accessibilityLarge tables of data can be difficult to interpret if a person is using a non-visual means of accessing the web, such as a screen reader. People using screen magnifiers or the Zoom feature may also find data tables hard to navigate because they cannot see the table headings at all times. It can easily become difficult to associate the value that a screen reader is reading with the corresponding column and row headings. Users need to be able to understand the data value's position in the table and its relationship to other values.To improve data table navigation, you can use text objects to provide contextual information with each value. Using conditional formatting or suppression, you can create a report that displays these objects only if the user chooses to view them. Other design guidelines can help make large tables of data easier to understand, such as providing summary paragraphs and expanded column headings.


Creating Accessible ReportsImproving data table accessibilityG

Note: This chapter uses terminology consistent with the W3C accessibility guidelines. In these guidelines, the term data table refers to values arranged in columns and rows. In Crystal Reports, data tables take the form of group or page headings combined with database fields in the Details section. Do not confuse data tables with database tables, which are data sources used by Crystal Reports.

Text objects and data table valuesYou can make a large table easier to understand and navigate by adding text objects that provide information about each value in the table. Include whatever information is necessary to establish the meaning and context of the value displayed. When appropriate, include information that describes column headings or neighboring fields. For example, if a report displays employee names and salaries, you can add a text object before the Salary database field that reads “{Last Name}'s salary is “. The user can determine the context and meaning of the value by reading the accompanying text object.Ensure that your text objects use punctuation that will make the content easier to understand when read aloud by a screen reader. Without accessibility-orientated punctuation, data tables may be read as one long sentence, making navigation and interpretation very difficult. For example, you can add periods after values so a screen reader will pause between columns and rows. For details, see “Using punctuation” on page 595.As with all objects in reports, the order in which you place text objects on the report can affect accessibility. Screen readers read the objects in the order they were originally added. (For details, see “Placing objects in order” on page 592.) The correct placement order is critical when you add a text object that identifies the contents of a particular column in a data table. If you add the text objects at the end of the design process, they may be read after the columns that they refer to. When you add text objects that describe values in a report, ensure that you place them on the report in the order that you want them to be read. Before you can create an accessible data table, you must plan your report in advance, determining which objects and database fields you want to include. Because objects must be placed in the order you want them to be read, planning your content for accessibility is essential. As part of this planning, it is good practice to choose how you will use text objects to identify data table values. You can simply add text objects before each database field. Or you can conditionally suppress text objects or use formulas to combine text objects and values.



Labelling data tables with text objectsBefore each field, add a text object that describes the field's position in the table. In the following example, the text box provides information about the Employee ID number. When the report is read with a screen reader, each number is preceded by the brief explanation in the text box.

Providing extra information for each value can make a data table appear cluttered for people without vision impairments, so you may want to hide the extra text objects by changing the font color to the same color as the background. The extra text is invisible, but is still detected and read by screen readers.

Labelling data tables conditionallyAlthough adding text objects is relatively easy to implement, it does not address all accessibility concerns. Invisible text is read by screen readers, but does not help people with limited vision. You can allow the user to choose whether or not to display text descriptions in the data table by conditionally formatting or suppressing text objects.Make sure your report includes an accessibility parameter field. For instructions on how to create the ?Access accessibility parameter field, see “Designing for flexibility” on page 600.



You can use the parameter field to suppress the text objects conditionally. While it has the same effect as changing the font color to the background color, conditionally-suppressed text also allows you to use the parameter field to specify other formatting options such as font size and style.To display the text objects only when the user chooses Yes for the ?Access parameter field, the following report uses a simple conditional formula to enable the Suppress option on the Common tab of the Format Editor.{?Access}="No"

The formula must be added for each text object you want to suppress. When the user chooses Yes for the ?Access parameter field, the text objects are not suppressed; the data table displays text descriptions.

Note: The report shown also uses the ?Access parameter field to enable the Can Grow option (also on the Common tab of the Format Editor) and increase the font size for people with visual impairments. When the user chooses No for the ?Access parameter field, the conditional formula suppresses the text objects, leaving spaces in the report in place of the text objects.

Labelling data tables with formulasAnother method for adding explanatory text to a data table is to create formulas that combine text, database fields, and conditional formatting. By adding the text and the database fields together in a conditional formula based on the ?Access parameter, you can provide optional text for values in a table without leaving blank spaces in the report. Using formulas also reduces the number of objects on the report, making it easier to maintain the proper placement order.Note: Do not use this method if the report has summary fields or calculated fields. Although formulas provide the best display of data, they can interfere with calculations because the data is converted to text.



The following report uses formulas placed in the Details section that combine the database fields and the extra text. When the user chooses Yes for the ?Access parameter field, each formula builds a string that includes the description and the value.

This report uses the following formulas:@Employee IDIf {?Access}="Yes" then "Employee ID " + ToText({Employee.Employee ID},0) + ". "else ToText({Employee.Employee ID},0)

@Last NameIf {?Access}="Yes" then "Employee last name is " + {Employee.Last Name} + "."else {Employee.Last Name}

@SalaryIf {?Access}="Yes" then {Employee.Last Name} + "'s Salary is

" + ToText({Employee.Salary}) + "."else ToText({Employee.Salary})

Notice the added punctuation. The periods at the end of each formula improve screen reader legibility by creating a pause between fields. Note: • The report also uses the ?Access parameter field to enable the Can

Grow option and increase the font size. • In @Employee ID, ?Access parameter field has been set to “0” to enable

the Can Grow option and increase the font size. When the user chooses No for the ?Access parameter field, the formula returns only the data. The report does not display blank spaces in place of the conditional text objects. Both versions of the report are easy to read.



Other data table design considerationsIn addition to labelling data values with text objects, other report design techniques can help you create data tables that are easier to understand and navigate.• Include an introductory paragraph that summarizes the content of the

table. The summary should be brief: one or two sentences if possible.• Ensure that headings provide enough information to clearly identify the

values that they label. • To test a table's accessibility, read its headings and values in a linear

fashion from left to right and from top to bottom. For example, if a report displays last and first name fields for each customer, it may read better if it displays first name followed by last name. Whenever possible, test the report using assistive technologies such as screen reading software.

The final accessible report includes a summary of the data table.


Creating Accessible ReportsAccessibility and BusinessObjects Enterprise G

To display the table summary conditionally, the report designer divided the Page Header into two sections. The first page header is suppressed when the ?Access parameter field is set to No. The second page header is suppressed if the user chooses Yes. For details, see “Accessibility and suppressing sections” on page 602.

Accessibility and BusinessObjects EnterpriseDesigning accessible reports is only part of the solution. You need to make sure that you deliver reports through an accessible interface that follows the same design guidelines. Although the administrative components and scheduling functionality of BusinessObjects Enterprise are not currently accessible to everyone, InfoView and the DHTML viewer allow for accessible access to reports over the Web.Several enhancements have been made to BusinessObjects Enterprise to account for accessibility issues. Text descriptions are now provided in ALT tags for the toolbar buttons and other images. Descriptions for text boxes are clearer, and shortcut links are provided in the DHTML viewer so you can navigate past the toolbar and group tree.

Setting accessible preferences for BusinessObjects EnterpriseFor the best accessibility support in BusinessObjects Enterprise, you need to set certain display preferences.For InfoView, display objects in the Action view. The Action view is more accessible because it provides a text list of the available reports and does not use shortcut menus for report commands. Depending on your users’ needs, you may also want to reduce the number of reports displayed on each page.For viewing reports, choose the DHTML viewer as the default viewer in your preferences. If you administer accounts for other users, you can set their BusinessObjects Enterprise preferences as well. To change another user’s preferences, use the Preferences Manager, which is located in the Client Samples area of the Crystal Enterprise User Launchpad.Note: You must have your own account on the system in order to set preferences.

To set accessible preferences for BusinessObjects Enterprise1. Log on to BusinessObjects Enterprise.


Creating Accessible ReportsAccessibility and customizationG

2. On the title bar, click Preferences. 3. On the General Preferences page, in the “On my desktop, show me”

area, select Action view.4. To reduce the number of reports displayed on each page, type a number

in the text box next to the Action view option.5. Click the Crystal Report Preferences link.6. In the “View my reports using the” area, select the DHTML viewer.7. Click Apply.

Accessibility and customizationWhen you customize Crystal reports or InfoView, or if you incorporate BusinessObjects Enterprise into an existing web site, ensure that your changes follow the accessibility guidelines set forth by the U.S. Access Board in section 508, or the W3C's Web Accessibility Initiative. If you customize Crystal reports or InfoView extensively, you may encounter other accessibility issues. For online resources that provide comprehensive accessibility guidelines, see “Resources” on page 612. The following list provides some common accessibility issues that may cause problems when you customize Crystal Reports or BusinessObjects Enterprise content.• Frames

Frames should be clearly labelled, for easier identification and navigation. Provide text at the top of the frame that describes its purpose. For example, if a frame provides a list of links to different countries, you can clarify its purpose by adding text to the frame, such as a title (“Countries”) or short instructions (“Click a country for details”).

• Style sheetsIf you have a visual impairment, you can create a style sheet with specific viewing preferences to accommodate the disability. For example, you could create a style sheet that displays all web pages in a large font with white characters on a black background. Users cannot apply personalized style sheets to Crystal reports, but the viewers provide a Zoom button that enables people with visual impairments to increase the magnification to suit their needs. You can also allow users to choose from different formatting options using conditional formatting. For details, see “Accessibility and conditional formatting” on page 601.

• Scripts


Creating Accessible ReportsAccessibility and customization G

If you modify Business Objects content to include a script that displays content or an interactive object, ensure that the script is identified by text that conveys the purpose of the script. Make sure that pages with scripts are still usable when the scripts are turned off or unsupported. For more information about scripts and accessibility, see “Resources” on page 612.

• Image mapsServer-side image maps identify active regions using coordinates, which are not meaningful to a screen reader. Client-side image maps provide better accessibility because you can assign a link or URL to each active region within the image map.

• Electronic formsElectronic forms can present difficulties for screen readers, and must be set up carefully. When you label a component in a form, ensure the label is clearly located next to the form component. For example, for a Search box, ensure that the “Search” title appears alongside the appropriate text box.

• Applets and plug-insIf a report needs an applet, plug-in, or other application on the client machine in order to interpret page content, the plug-in or applet must follow accessibility guidelines.If you attach multimedia or other additional resource files to your report, such as PDF or Real Audio files, provide a link to install the required plug-ins or software, and ensure that the required software also meets accessibility design standards.

• FlickeringFlickering images can trigger seizures for people with seizure disorders. The W3C recommends to avoid use of images that flicker or flash between four and 59 times per second.

• Search engine placementDo not use hidden text to enhance your web site’s placement in search engines. Hidden text reduces readability, because it is read by the screen readers. Also, hidden text is actively discouraged by popular search engines such as Google, and thus offers little benefit.


Creating Accessible ReportsResourcesG
Resources
This chapter focuses on how you can create and distribute accessible reports with Business Objects software. The report design techniques in the chapter were tested using JAWS 4.5. It is good practice to test all accessible reports using JAWS and other assistive technologies whenever possible.To make all of your Web communications accessible, consult the detailed guidelines available through the W3C or from your government's web site.• World Wide Web Consortium's Web Accessibility Initiative:

http://www.w3.org/WAI/• the United States Access Board's web site for Section 508:

http://www.access-board.gov/sec508/guide/• the Government of Canada Internet Guide:

http://www.cio-dpi.gc.ca/ig-gi/


http://www.w3.org/WAI

http://www.access-board.gov/sec508/guide/

http://www.cio-dpi.gc.ca/ig-gi/

Business Objects Information Resources

appendix

Business Objects Information ResourcesDocumentation and information servicesH
Documentation and information services
Business Objects offers a full documentation set covering its products and their deployment. Additional support and services are also available to help maximize the return on your business intelligence investment. The following sections detail where to get Business Objects documentation and how to use the resources at Business Objects to meet your needs for technical support, education, and consulting.

DocumentationYou can find answers to your questions on how to install, configure, deploy, and use Business Objects products from the documentation.

What’s in the documentation set?View or download the Business Objects Documentation Roadmap, available with the product documentation at http://www.businessobjects.com/support/.The Documentation Roadmap references all Business Objects guides and lets you see at a glance what information is available, from where, and in what format.

Where is the documentation?You can access electronic documentation at any time from the product interface, the web, or from your product CD.

Documentation from the productsOnline help and guides in Adobe PDF format are available from the product Help menus. Where only online help is provided, the online help file contains the entire contents of the PDF version of the guide.

Documentation on the webThe full electronic documentation set is available to customers on the web from support web site at: http://www.businessobjects.com/support/.

Documentation on the product CDLook in the docs directory of your product CD for versions of guides in Adobe PDF format.


http://www.businessobjects.com/support/


Business Objects Information ResourcesCustomer support, consulting and training H

Send us your feedbackDo you have a suggestion on how we can improve our documentation? Is there something you particularly like or have found useful? Drop us a line, and we will do our best to ensure that your suggestion is included in the next release of our documentation: [email protected]: If your issue concerns a Business Objects product and not the documentation, please contact our Customer Support experts. For information about Customer Support visit: http://www.businessobjects.com/support/.

Customer support, consulting and trainingA global network of Business Objects technology experts provides customer support, education, and consulting to ensure maximum business intelligence benefit to your business.

How can we support you?Business Objects offers customer support plans to best suit the size and requirements of your deployment. We operate customer support centers in the following countries:• USA• Australia• Canada• United Kingdom• Japan

Online Customer SupportThe Business Objects Customer Support web site contains information about Customer Support programs and services. It also has links to a wide range of technical information including knowledgebase articles, downloads, and support forums.http://www.businessobjects.com/support/





Business Objects Information ResourcesCustomer support, consulting and trainingH
Looking for the best deployment solution for your company?
Business Objects consultants can accompany you from the initial analysis stage to the delivery of your deployment project. Expertise is available in relational and multidimensional databases, in connectivities, database design tools, customized embedding technology, and more.For more information, contact your local sales office, or contact us at:http://www.businessobjects.com/services/consulting/

Looking for training options?From traditional classroom learning to targeted e-learning seminars, we can offer a training package to suit your learning needs and preferred learning style. Find more information on the Business Objects Education web site:http://www.businessobjects.com/services/training


http://www.businessobjects.com/services/consulting.htm

http://www.businessobjects.com/services/consulting.htm

http://www.businessobjects.com/services/education.htm

http://www.businessobjects.com/services/education.htm

Business Objects Information ResourcesUseful addresses at a glance H

Useful addresses at a glance

Address Content

Business Objects product informationhttp://www.businessobjects.com

Information about the full range of Business Objects products.

Product documentationhttp://www.businessobjects.com/support

Business Objects product documentation, including the Business Objects Documentation Roadmap.

Business Objects Documentation [email protected]

Send us feedback or questions about documentation.

Online Customer Supporthttp://www.businessobjects.com/support/

Information on Customer Support programs, as well as links to technical articles, downloads, and online forums.

Business Objects Consulting Serviceshttp://www.businessobjects.com/services/consulting/

Information on how Business Objects can help maximize your business intelligence investment.

Business Objects Education Serviceshttp://www.businessobjects.com/services/training

Information on Business Objects training options and modules.


http://www.businessobjects.com

http://www.businessobjects.com/support

http://www.businessobjects.com/support



http://www.businessobjects.com/services/consulting/

http://www.businessobjects.com/services/consulting/

http://www.businessobjects.com/forms/tipsandtricks_login.asp

http://www.techsupport.businessobjects.com/

http://www.techsupport.businessobjects.com/

http://www.businessobjects.com/services/training

http://www.businessobjects.com/services/training

Business Objects Information ResourcesUseful addresses at a glanceH


Index
Aaccess
to applications 335to universe connections 341to universes 340

Access Level column 305access levels

administration 337Advanced 307, 308available in the CMC 549calendars 492enabling and disabling inheritance 313events 499folders 350, 357for RAS 552Full Control 307groups 338InfoView 335inheritance 311No Access 307NTFS 554reference 547restricting from the top-level folder 333Schedule 307server groups 339servers 339setting 306specifying on folders 350, 357tutorials 317types of 306users 338View 307View On Demand 307when copying/moving folders 347, 355

access rights to Query HTML panel 43accessibility 588

and BusinessObjects Enterprise 609and Crystal Reports 588

benefits of 588design considerations 591guidelines 589resources 612

accounts, managing 236Active Directory 261active sessions, viewing 77, 77active trust relationship 228AD authentication plug-in 226adding

CMS cluster members 87servers 153

administration 32configuration tools 74delegating 329, 337events 499folders 350, 357over the Web 32remote Windows machines 37rights 337servers and server groups 339tools 32users and groups 338

Administrator account 237setting password 39

Administrator group 237Administrators group, default rights 551Advanced access level 307advanced rights 308

and inheritance 311priorities affecting 316

denied by default 316enabling and disabling inheritance 314precedence 316reference 548setting 308viewing 308

Advanced Rights page 309reference 548


Index

affinity, and SSL 229alerts, setting notification 463aliases

assigning to a user 282creating

for existing user 282for new user 280

deleting 283disabling 284managing 280reassigning for a user 283

anonymous single sign-on 218application servers 53application tier 52applications 50

CCM 51CMC 50Import Wizard 51InfoView 50Publishing Wizard 51

APS. See CMSarchitecture 48

diagram 48areas, management 34assigning an alias 282assistive technology 588attributes, logon tokens 229audience, intended 20audit actions

enabling auditing of 196reference list 191synchronizing records 198

auditee 190auditing 190

configuring database 195database schema 203enabling 196information flow 190notification 461optimizing performance 198reporting results 199, 202synchronizing records 198user and system actions 191web activity 233

auditing database

configuring 195database schema 203

Application_Type table 210Audit_Detail table 204Audit_Event table 203Detail_Type table 211Event_Type table 205Server_Process table 205

auditor 190authentication

BusinessObjects Enterprise security plug-in222

LDAP security plug-in 224object packages 448primary 215program objects 443secondary 216security plug-ins 221troubleshooting log on 504Windows AD security plug-in 226Windows NT Challenge/Response 223, 226Windows NT security plug-in 222

authentication, types of 238authorization. See also object rightsauthorization, effective rights 314Automated Process Scheduler. See CMSavailable rights 311

Bbase rights 311business calendars. See calendarsBusiness Objects

consulting services 616, 617support services 615training services 616, 617

BusinessObjects applicationsCCM 51CMC 50CMS 55Import Wizard 51InfoView 50Publishing Wizard 51

BusinessObjects Enterprisecommunication between servers 174


Index

compared to BusinessObjects Enterprise 6.x519

disabling Guest account 39firewall integration 174international deployments 582primary authentication process 215single sign-on 222single sign-on with NT 223system architecture 48

BusinessObjects Enterprise 6.x 376compared to BusinessObjects Enterprise 11

519BusinessObjects Enterprise Central Management

Console. See CMCBusinessObjects Enterprise Repository 158

refreshing objects in reports 166BusinessObjects Enterprise SDK 216, 227

Java SDK 53.NET SDK 53

BusinessObjects Enterprise security plug-in 222BusinessObjects Enterprise servers 55, 58

Cache Server 57configuring hosts file for firewall 180description 48Event Server 58File Repository Servers 57Job Server 59Page Server 62Program Job Server 60Report Application Server 61

BusinessObjects Enterprise Sizing Guide 142BusinessObjects NT Users group 238

Ccache format for Web Intelligence documents 477Cache Server 57

auditable actions 192command-line options 572configuring 103

NTFS 557metrics 76performance settings 103viewing with 66

Cache Server for viewing reports 418

caching Web Intelligence documents, when scheduling 477

calendarsadding dates to 487creating 486deleting 491specifying rights 492

categories 354, 380assigning an object to 410creating 354

CCM 51accessing 37adding a server 153changing

server startup type 129server user account 130Windows server dependencies 128

copying server status 83deleting a server 155enabling and disabling servers 81for Windows 37printing server status 82refreshing the list of servers 83starting, stopping, and restarting servers 78working with 37

Central Configuration Manager. See CCMCentral Management Console. See CMCCentral Management Server. See CMScertificate files 131characters, setting CMC preferences 34client side viewers 63client tier 50clusters 87, 89, 90

changing names 91requirements 87viewing details 77

CMC 50, 371access to 335changing password 35enabling and disabling servers 81logging off 37logging on 33management areas 34navigating 34publishing objects with 371


Index

setting preferences 34setting Query size threshold 36starting, stopping, and restarting servers 78unable to connect 504working with 32

CMS 55, 220adding to a cluster 90and authentication 215, 216and authorization 216and distributed security 229and security 220, 220and security plug-ins 220as nameserver 124auditable actions 192, 193, 194base rights and available rights 311calculating effective rights 314changing cluster name 91clustering 87

installing new cluster member 89requirements 87

command-line options 570configuring 99, 100, 124

NAT 178NTFS 556SOCKS 185

database 55default port 124metrics 77, 77session variables 230

and authentication 215, 216tracking 231

stopping 80unable to connect 504when enabling and disabling other servers 81

CMS databasechanging password 100configuring 92copying 92deleting 99migrating 92recreating 99selecting 100

colorand accessibility 597contrast 597

command line argumentsspecifying 370

for program objects 438command lines 568command-line options

all servers 569Cache Server 572CMS 570Event Server 579Input and Output File Repository Servers 578Job Server 574Page Server 572Program Job Server 574Report Application Server 575SSL 130Web Intelligence Job Server 574Web Intelligence Report Server 577

communicationbetween browser and WCA 215between BusinessObjects Enterprise servers

174components, security management 219conditional formatting for accessibility 601configuration, common scenarios 143configuring

auditing database 195Cache Server 103CMS clusters 87, 91CMS database 92, 99, 100Event Server 105executable programs 440File Repository Servers 102firewalls 178intelligence tier 87Job Server 112, 112, 116, 123NTFS permissions 554object packages 447Page Server 106, 123processing tier 106server settings 74servers 74

connecting to remote Windows machines 37Connection folder, access to 238connections. See universe connectionsconsultants, Business Objects 616


Index

content, folders 344contrast, color 597cookies

and session tracking 230logon tokens 229

copying/moving folders 347, 355creating

categories 354custom audit reports 202folder administrators 329folders 344, 361server groups 136server subgroups 138subfolders 346, 354

Crystal Info Views 388Crystal Info, importing information 386Crystal Reports

and accessibility 588saving objects to CMS 373troubleshooting reports 505

Crystal reportschoosing a format 476job server for scheduling 416server for viewing and modifying 418

Crystal Reports Cache Server. See Cache ServerCrystal Reports Page Server. See Page ServerCrystal Repository. See BusinessObjects

Enterprise Repositorycustom events 494, 498custom web applications, enhancing 150customer support 615customizing

inheritance model 317object rights 308your configuration 142

Ddata

choosing live/saved 70formatting for accessibility 603live 70refreshing 361saved 70

data sharing 74on Cache Server 103

on Page Server 106on RAS 109

data sources on Windows 123data tier 62databases

changing settings 420configuring servers for 123copying CMS data 92initializing the CMS 99modifying RAS interactions 109selecting for the CMS 100single sign-on access 219troubleshooting logon 507

default groups 237default settings

authentication 222Enterprise accounts 222groups 236modifying security 40NT account 223object rights 547ports 124security plug-in 222users 236

default users 236defaultconfig.xml 560

finding correct version to change 562list of customizable elements 564modifying for Java Report Panel 563modifying for .NET InfoView 563

delegated administration. See administrationdeleting

aliases 283CMS database 99folders 347, 355report objects 405servers 155universe connections 41universes 40

denied rights 316dependencies of servers on Windows 128designing reports

and accessibility 591in multiple languages 582

destination environment, and importing 160, 388


Index

Destination Job Serverauditable actions 193destinations

configuring 117enabling or disabling 116

enabling Inbox destination 116metrics 77performance settings 112

destinations 465available, by object type 407default settings 467email 471for job servers


FTP 469sending to 406troubleshooting 511unmanaged disk 467

directories, publishing 362directory servers

about LDAP 225security plug-in 224

disabilities. See accessibilitydisabling

aliases 284destinations for job servers 116Guest account 39inheritance 313program objects 443servers 81

discussion threadcancelling search 44searching 44sorting search results 46

Discussionsaccess rights to objects 46accessing 44

DLL. See dynamic-link librariesdocumentation

additional 503feedback on 615on product CD 614on the web 614roadmap 614

domains 378, 380dynamic-link libraries as processing extensions

227

Eeducation. See trainingeffective rights, calculating 314email destination 471

setting defaults 119email notification 461enabling

auditing 196destinations for a job server 116inheritance 313program objects 443servers 81

encoding logon tokens 229end-to-end single sign-on 219Enterprise authentication 238environment variables, specifying for program

objects 441ePortfolio. See InfoViewerrors

Page Server 511troubleshooting 502

Event Log 124, 128Event Server 58

auditable actions 194, 194command-line options 579configuring 105metrics 76polling time 105

events 494access to 499custom 498file-based 495importing from Crystal Enterprise 385notification 461polling time 105schedule-based 496scheduling 457

Everyone group 238Everyone group, default rights 551executable programs 436

configuring 440


Index

expanding the system 142Explicitly Denied column 309Explicitly Granted column 309extensions, processing 227

Ffailure, notification 460Favorites folders 353features, new 21feedback, on documentation 615file events 494, 495File Repository Servers 57

command-line options 578configuring NTFS permissions 555maximum idle times 102metrics 76Properties page 102root directories 102

filters for report objects 425firewall rules

specifying for NAT 180specifying for packet filtering 183

firewall types 171NAT 172packet filtering 172SOCKS 173

firewalls 170, 232configuration scenarios 176configuring 178

NAT 178packet filtering 182SOCKS 184thick client 181with application tier 178with WCA 186

forcing servers to register by name 127integration with BusinessObjects Enterprise

174server communications, and 174

folder administrators, creating 329folders 344

access to 350, 357adding a report 348, 356changing top-level rights 322copying/moving 347, 355

creating 344, 361default rights at top level 551default user folders 353, 358delegated administration 329deleting 347, 355Favorites folder 353, 358importing

from Crystal Enterprise 384from Crystal Info 387

inheritance 312moving 347, 355object rights 303

access levels 306advanced settings 308inheritance 312setting access levels 306viewing 305when copying/moving 347, 355

rights 350, 357setting instance limits 351specifying rights 350, 357

formatchoosing for Crystal reports 476choosing for Web Intelligence documents 475

formatting, and accessibility 595FTP destination 469

setting defaults 121Full Control access level 307

reference 551

Gglobal deployments, BusinessObjects Enterprise

582granted rights 316group inheritance 312group rights 303grouping servers 136groups

access to 338creating 244

for tutorials 318default 237deleting 247


Index

importingfrom Crystal Enterprise 383from Crystal Info 386

modifying 246object rights

access levels 306advanced rights 308inheritance 312

of servers 136setting

instance limits on folders 351object rights 303

viewing members 247Guest account 237

default rights 551disabling 39, 247

Hhelp, documentation resources 503highlighting exceptions and accessibility 598Holos applications, from Crystal Info 388hosts file, configuring for NAT firewall 180HTTP 215, 230hyperlinks between reports 433

Iidle times

Cache Server 103File Repository Servers 102Page Server 106

Import Wizard 51, 376selecting information 162, 391specifying source and destination 160, 388

importingfrom BusinessObjects Enterprise 6.x 376from Crystal Enterprise 382from Crystal Info 386Import Wizard 376selecting information 162, 391specifying source and destination 160, 388

Inbox documents 381index, setting CMC preferences 34Info cubes 388information flow, between servers 64

information resources 614InfoView 50

accessing 33categories 358considerations 511controlling access to 335folders 353in multiple languages 585Java version 41, 84managing 41scheduling 450troubleshooting 511

inheritance 311and advanced rights 309, 314base rights and available rights 311enabling and disabling 313priorities affecting 316tutorials 317

Inherited column 309initializing CMS database 99Input File Repository Server 57

command-line options 578configuring NTFS permissions 555maximum idle time 102metrics 76root directory 102

instancesdeleting 482from Crystal Info 387importing from Crystal Enterprise 384managing 479, 480notification 461object packages 444pausing 481program objects 436report objects 411resuming 481sending 406setting limits at the folder level 351

intelligence tier 55configuring 87

international deployments, planning 583Internet Information Services (IIS), default web

site 503


Index

JJava InfoView, customizing appearance of Web

Intelligence documents 563Java platform 54Java programs 436

authentication 444configuring 441providing access to other files 442setting parameters 442

Java SDK 54Job Server

command-line options 574configuring 123

NTFS permissions 557destinations


metrics 77performance settings 112specifying 416

Job Servers 59, 60auditable actions 194

job serversconfiguring destinations 117performance settings 112

KKerberos single sign-on 219, 285key files 131

LLDAP 225

about 225and SSL 225

LDAP accounts 225managing 248modifying

connection parameters 258member groups 258

troubleshooting 260, 260LDAP authentication 239

configuring 249configuring mapping options 253

LDAP authentication plug-in 224

LDAP groupsmapping 255troubleshooting 260, 261unmapping 258viewing mapped groups 258

LDAP hostsconfiguring 249managing multiple 259

LDAP security plug-in 224LDAP single sign-on, configuring 253license keys 514

adding 516and CMS database migration 93reinitializing the CMS database 99viewing account activity 516

licensing 514accessing information 515

Lightweight Directory Access Protocol. See LDAPlimits, setting at the folder level 351List of Values Job Server

auditable actions 194description 62destinations


metrics 77performance settings 112

live data 70load balancing

and distributed security 229CMS clustering 87

Local System account 123log on

processing server accounts 123protection against malicious attempts 233to the CMC 33with token 216

loggingserver activity 124web activity 233

logon tokens 229and authentication 215and authorization 216and distributed security 229and secondary authentication 216


Index

and session tracking 230logon.csp 215

Mmalicious logon attempts, protection against 233management areas, defined 34mapped drives 510mapped groups

aliases, managing 280viewing

Windows AD 266Windows NT 275

mapped users, managing aliases 280mapped Windows AD groups, viewing 266mapped Windows AD users, viewing 266mapping

Windows AD accounts and groups 262Windows NT accounts 270

menu styles, setting CMC preferences 34metrics

viewing 75account activity 516

migrating 376CMS database 92from Crystal Enterprise 382from Crystal Info 386selecting information 162, 391specifying source and destination 160, 388

multihomed machines 127My Password, setting CMC preferences 34

Nnameserver, role of CMS 124NAT. See Network Address Translationnative drivers 123navigation

and accessibility 598between reports 433

Net Access column 305.NET InfoView

customizing appearance of Web Intelligence documents 563

Network Address Translationapplication tier, and 178

configuring 178CMS (Windows) 179server hosts file 180servers behind firewall 179

definition 172specifying firewall rules 180thick client, and 181

new features 21No Access level 307

reference 549non-text objects 593Not Specified rights, and access levels 306notification 461

alerts 463audit 461email 461event 461for a scheduled object 460

NT authentication plug-in 222NT LM Security Support Provider 128NT single sign-on and Windows NT security plug-

in 223NTFS permissions 554number of logons, logon tokens 229number of minutes, logon tokens 229

Oobject packages

adding objects to 446authentication 448configuring 447creating 363, 445managing 444moving 364publishing objects to 371scheduling 455

object rights 303access levels 306advanced setting 308available in the CMC 548base and available 311calculating effective 314for creating/modifying reports 552for RAS 552


Index

importingfrom Crystal Enterprise 384from Crystal Info 387

inheritance 311, 312, 314reference 547setting 306specifying for a folder 350, 357tutorials 317

decreasing rights 320increasing rights 332

viewing 305when copying/moving folders 347, 355

object scheduling, recurrence pattern 453objects

adding to an object package 446Advanced Rights page 308and access levels 306assigning to a category 410copying 403creating a shortcut 403enabling and disabling inheritance 313importing


managing 402, 403moving 403properties, changing 408publishing 359

multiple 362options 361with CMC 371

refreshing from BusinessObjects Enterprise Repository 166

Rights tab 305saving to CMS 373scheduling 450searching for 405sending 406viewing rights 305

objects displayed, setting maximum 36objects per page, setting maximum 34ODBC

CMS database 90connectivity 93

drivers 123

processing server accounts 123OLAP Intelligence, saving objects to CMS 373one-machine setup 143Online Customer Support 615Open OLAP cubes 388options, publishing 361Output File Repository Server 57

command-line options 578configuring NTFS permissions 555maximum idle time 102metrics 76root directory 102

overloads 379

Ppacket filtering 172

configuring for 182packets, firewalls and 170page index, setting CMC preferences 34page layout, specifying 428Page Server 62

command-line options 572configuring for data source 123configuring NTFS permissions 558for viewing and modifying 418metrics 77performance settings 106Properties page 106viewing with 66

pages, setting CMC preferences 34parameter fields

and accessibility 600conditional formatting with 601

parameters for Java programs 442passwords

changing 243for CMS database 100

restrictions 233setting

for Administrator account 39for current CMC user 34

pausing an instance 481performance 142

Cache Server settings 103CMS clusters 87


Index

common scenarios 143general considerations 146, 146load balancing 229of jobs per server 112Page Server settings 106RAS settings 111while auditing 198Windows NT Challenge/Response

authentication 223, 226performance improvement, delegating XSL

transformation 149permissions 303

NTFS 554personal categories 358Personal documents 381platforms

Java 54Windows .NET 54

plug-ins, security 221polling time, setting for Event Server 105port numbers, changing 124ports

definition 171firewalls, and 171opening on firewall 179

predefined access levels 306preferences, setting in the CMC 34primary authentication 215printer, specifying 427printing

setting printer options 427setting the default printer 427

processing extensions 227applying to reports 429registering 430selecting 431sharing 433

processing threadsCache Server 103Page Server 106

processing tier 58configuring 106

program credentials specifying 367Program Job Server

auditable actions 194

destinationsconfiguring 117enabling or disabling 116

metrics 77Program Job Server, command-line options 574program objects 436

accessing other files 370authentication 443batch 367binary 367command line arguments 370configuring 440disabling 443enabling 443environment variables, specifying 441Java 367

configuring 441providing access to other files 442setting parameters 442

processing options, setting 438properties, changing 408providing executables with access to other

files 440script 367working directory, specifying 439

programs. See program objectsProperties tab for job servers 112publishing 360

and object rights 324folders 344object packages 371options 361reports and objects 359with CMC 371with Publishing Wizard 362

Publishing Wizard 362adding

folders 362objects 362

creating category on CMS 365creating folder on CMS 363database log on 368duplicating folder structure 364


Index

modifyingdefault values 367object properties 368

moving reports between folders 364repository refresh 366scheduling objects 365selecting

category on CMS 365folder on CMS 363

setting parameters 369

Q.qry files 509Query HTML panel, access rights 43query objects, from Crystal Info 388

RRAS

database settings 109for viewing and modifying 418metrics 77object rights required 552performance settings 111Properties page 111

reassigning an alias 283recurrence patterns, object scheduling 453recurring dates 487refreshing

cache files 103reports 412repository objects 166

Rehabilitation Act, Section 508 589, 612Remote Procedure Call 128remote resources, troubleshooting 510remote servers

CCM for Windows 37CMC 32

Report Application Server 61auditable actions 192command-line options 575viewing with 67

report instancesdescription 412

managing 411, 480history 479

setting limits 482viewing 480

Report Job Server 194auditable actions 194

Report Job Server, performance settings 112report objects

and accessibility 591applying processing extensions 429assigning to a category 410database settings, specifying 420deleting 405destination 465filters, specifying 425managing 411page layout, specifying 428parameters, specifying 423properties, changing 408refreshing against BusinessObjects Enterprise

Repository 166rights for creating/modifying 552searching for 405setting

instance limits 482rights 303

specifying Job Servers for 416specifying servers for viewing and modifying

418report packages 388report thumbnails, adding with reports 348, 356Report Viewers 63report_view_advanced.aspx 66report_view_dhtml.aspx 66reports

adding to a folder individually 348, 356audit 199, 202

custom 202sample 199

configuring servers for data sources 123hyperlinking 433importing


managing 411


Index

modifying RAS SQL options 109publishing 359

multiple 362options 361with CMC 371

refresh options 412saving to CMS 373scheduling 64scheduling with events 457, 457troubleshooting 505, 507viewing 65viewing options 414

repositories 377Repository Migration Wizard 163, 165repository. See BusinessObjects Enterprise

Repositoryrequirements, clustering 87resources 614restarting servers 78restrictions

access from the top level 333guest account 234logon 234password 233user 234

resuming instance 481rights 303

administration 337Advanced 307available 311base 311calendars 492CMC 335events 499folders 350, 357for RAS 552Full Control 307groups 338importing


InfoView 335No Access 307Schedule 307server groups 339

servers 339setting object rights 303specifying for a folder 350, 357tutorials 317users 338View 307View On Demand 307

rights. See also object rightsRights tab 305root directories, File Repository Servers 102root folders

default rights 551modifying security 40

row-level security, processing extensions 227run dates 487run options, object scheduling 453

Ssaved data 70scalability 142

common scenarios 143general considerations 146

scaling the system 141Schedule access level 307

reference 549schedule events 494, 496Schedule page 452

setting for an object 460scheduled instance, description 411scheduling

an object 460events 457from Crystal Info 388importing from Crystal Enterprise 384increasing capacity 147information flow 64notification 460object packages 455objects 450

in batches 455recurrence patterns 453run options 453

specifying server for 416screen readers 588script programs 436


Index

searches, setting CMC preferences 36searching

discussion threads 44for objects 405

secEnterprise.dll 222secLDAP.dll 224secondary authentication 216Section 508, Rehabilitation Act 589, 612sections, and accessibility 602Secure Sockets Layer 130Secure Sockets Layer (SSL) 225, 232

and LDAP 225and load balancing 229configuring for LDAP 250

security 214active trust relationship 228auditing web activity 233closed model 332components 219distributed 229environment protection 232firewalls 232Guest account restrictions 234initial settings 38logon restrictions 234, 234modifying default levels 40object rights 303

inheritance 311tutorials 317

open model 320password restrictions 233, 233plug-ins 221predefined access levels 306processing extensions 227protection against malicious logon attempts

233restrictions 234session tracking 230user restrictions 234web browser to web server 232web servers 232

security plug-ins 221Enterprise authentication 222LDAP authentication 224Windows AD authentication 226

Windows NT authentication 222secWindows.dll 222selecting CMS database 100sending

objects or instances 406to inboxes, default configuration 116

server dependencies, changing 128server groups 136

access to 339creating 136importing from Crystal Enterprise 385subgroups 138

servers 48, 55, 58, 74access to 339accessing the CCM 37activity, logging 124adding 153application tier 52changing

status 78user account on Windows 130

changing startup type 129command lines 568communication 174

application tier and CMS 175CMS directory listing 174

configuring 74default settings 74deleting 155dependencies, adding or removing 128disabling 81enabling 81for scheduling 416for viewing and modifying reports 418grouping 136information flow 64, 64intelligence tier 55logging activity 124managing 73metrics, viewing 75modifying group membership 139processing tier 58refreshing list using the CCM 83registering by name 127restarting 78


Index

standard command-line options 569starting 78status

changing 78copying 83printing 82

stopping 78troubleshooting 510user account, changing 130

session variables 230and authentication 215, 216

sessionstracking 230viewing active 77

settingsaccess levels 306advanced object rights 308InfoView 41initial security levels 38Query size threshold 36report refresh 412report viewing 414viewing account activity 516

shared libraries, as processing extensions 227single sign-on

anonymous 218disabling Guest account 39

authenticationEnterprise 222LDAP 225NT 223Windows AD 226

end-to-end 219with Kerberos 285

setting upKerberos 285LDAP 253SiteMinder 253Windows AD 268Windows NT 278

to BusinessObjects Enterprise 218to database 219

SiteMinder, setting up single sign-on with LDAP253

six-machine setup 144

SMTP destinations, setting defaults 119SOCKS 173

configuring 184CMS 185WCA 186

source environment, specifying 160, 388SSL 130

certificates 131configuring servers 130, 130keys 131

SSL. See Secure Sockets Layer (SSL)sslc.cnf 130sslc.exe 130starting

CCM for Windows 37servers 78

startup type, changing for servers 129startup types, configuring servers 129statistics, auditing web activity 233status, viewing and changing for servers 78stopping

CMS 80servers 78

styles, setting CMC preferences 34subfolders, creating 346, 354subgroups of servers 136subreports and accessibility 594, 603success, notification 460support

customer 615locations 615technical 615web site 615

synchronizing audit actions 198system actions, list of auditable 194system architecture 48system data, copying 92system database, migrating 92system metrics, viewing 77system security 214

Ttables, and accessibility 603TCP/IP, firewalls and 170technical support 615


Index

temporary files, configuring Page Server 106text objects

formatting for accessibility 595placing on the report 593

thick client, firewall configuration 177NAT 181

third-party documents 381third-party security plug-ins 221three-machine setup 144thumbnails, adding with reports 348, 356tickets

for distributed security 229logon tokens 229

tiers 48application 52client 50data 62intelligence 55processing 58

time zonessetting CMC preferences 34supporting multiple 511, 582

timestamps 382tools

administration 32Central Configuration Manager (CCM) 37, 37Central Management Console (CMC) 32

top-level folder, modifying security 40top-level, creating new categories 354top-level, creating new folders 345tracking, sessions 230training, on Business Objects products 616transfer of trust 229troubleshooting 502

access 554InfoView deployments 511LDAP accounts 260NTFS permissions 554report viewing and processing 505web accessibility 503Windows AD accounts 267Windows NT accounts 276

trust, active trust relationship 228tutorials 317

UUNC paths 510universe connections

deleting 41importing 378managing 41

Universe Designer Users group 238Universe Designer, access to 238universe domains 378universe restriction sets 379universes

access to 340deleting 40importing 378managing 40

UNIXapplication server 53installation 54WCA 54

unmanaged disk destination 467setting defaults 122

unmappingLDAP groups 258Windows AD accounts 266Windows NT accounts 274

upgradingfrom BusinessObjects Enterprise 6.x 376from Crystal Enterprise 382from Crystal Info 386Import Wizard 376

user accounts 236configuring servers 130creating 240default 236deleting 242managing 236modifying 242NTFS permissions 554

user actions, list of auditable 192user aliases

assigning to 282creating

for existing user 282for new user 280

deleting 283


Index

disabling 284reassigning 283

user databases, NT4 and Windows 2000 Active Directory 222

user folders 353user groups, default 237user rights 303user rights, setting 46users

access to 338auditing actions of 190delegated administrators 329importing

from BusinessObjects Enterprise 6.x 379from Crystal Enterprise 383from Crystal Info 386

object rightsaccess levels 306advanced rights 308effective rights 314inheritance 313

settinginstance limits on folders 351object rights 303

viewing active sessions 77, 77users with AD authentication, importing from

Crystal Enterprise 383users with aliases, importing from Crystal

Enterprise 383users with LDAP authentication, importing from

Crystal Enterprise 384

VView access level 307

reference 549View On Demand access level 307

reference 550viewers

and InfoView 65client-side 63setting CMC preferences 34zero client 63

viewingactive users 77, 77advanced object rights 309

BusinessObjects Enterprise architecture 65CMS cluster details 77current account activity 516current metrics 75information flow 65licensing information 515object rights 305server metrics 75system metrics 77with the Cache Server 66with the Page Server 66with the Report Application Server 67

viewrpt.aspx 66

WWCA 53

and authentication 215and authorization 216and logon tokens 220and security 220auditing web activity 233configuring for SOCKS 186description 53

WCA session variables 230primary authentication 215secondary authentication 216tracking 231

WCS, configuring NTFS permissions 555web

customer support 615getting documentation via 614useful addresses 617

Web Accessibility Initiative 612Web application environments 54Web Component Adapter. See WCAWeb Content Accessibility Guidelines 589web desktop. See InfoViewWeb Intelligence

application rights 43documents

changing default appearance 560customizing for Java InfoView 563customizing for .NET InfoView 563finding correct defaultconfig.xml 562list of customizable elements 564


Index

Query HTML access rights 43Web Intelligence documents 381

See also report objectsassigning to a category 410choosing a format 475delegating XSL transformation 149properties, changing 408scheduling 450searching for 405selecting cache format 477server for scheduling 416server for viewing and modifying 418

Web Intelligence Job Serverauditable actions 194command-line options 574destinations


metrics 77performance settings 112

Web Intelligence Report Serverauditable actions 192, 193command-line options 577metrics 77performance settings 113

web response speeds, improving 150web servers 55

improving response speeds 150securing 232

web sitessupport 615training 616

WindowsCentral Configuration Manager 37Event Log 124Local System account 123server dependencies 128

Windows 2000 Active Directory 222Windows 2000, unmapping accounts in 275Windows AD accounts

See also Windows AD usersadding to mapped groups 267creating 267mapping 262troubleshooting 267

unmapping 266Windows AD authentication 239Windows AD groups

mapped, viewing 266mapping 262unmapping 266

Windows AD security plug-in 226Windows AD single sign-on 268

end-to-end 285to BusinessObjects Enterprise 268

Windows AD usersSee also Windows AD accountsviewing 266

Windows AD, viewing mapped groups and users266

Windows .NET platform 54Windows NT accounts

adding to mapped groups 277creating 276disabling 277managing 270mapping 270

in CMC 271in Windows 2000 271in Windows NT 270

troubleshooting 276unmapping 274

Windows NT authentication 238Windows NT Challenge/Response authentication

223, 226, 232Windows NT groups

creating 277mapping 270unmapping 274, 274viewing 275

Windows NT security plug-in 222Windows NT single sign-on, setting up 278Windows NT users, viewing 275

XXSL transformation for Web Intelligence

documents 149


Index

Zzero client viewers 63
