September 10-13, 2012 Orlando, Florida
Delivering Personalized and Secure Business Intelligence
Using the SAP BusinessObjects Business Intelligence 4.0 Information Design Tool
Session 1213
Breakout Description
Do you need to tailor semantic layer security to specific users or groups within your organization? Attend this session to learn about security profiles in the new Information Design Tool in SAP BusinessObjects Business Intelligence 4.0 (BI4.0). Understand how security profiles can control objects, rows, query types, and connections. See live demonstrations of each type of restriction and the effect they have on end users’ interactive experience.
About Dallas Marks
§ Dallas Marks is a Principal Technical Architect and Trainer at EV Technologies, an SAP Software Solutions and Sybase partner focusing on business intelligence and business analytics.
§ Dallas is an SAP Certified Application Associate and authorized trainer for Web Intelligence, Universe Design, Dashboards, and SAP BusinessObjects BI Platform administration. Dallas has worked with SAP BusinessObjects tools since 2003 and presented at the North American conference each year since 2006.
§ Dallas has implemented SAP BusinessObjects solutions for a number of industries, including energy, health care, and manufacturing. He holds a master’s degree in Computer Engineering from the University of Cincinnati.
§ Dallas is a co-author of the upcoming SAP Press title SAP BusinessObjects Web Intelligence, 2nd edition, and blogs about various business intelligence topics at http://dallasmarks.org/.
EV Technologies is an SAP BusinessObjects solutions firm
§ SAP Software Solutions Partner
§ SAP Certified Solutions provider
§ Sybase Certified Solutions provider
§ SAP BusinessObjects Enterprise Certified
§ ASUG Members/Volunteers
§ Migration experts – classic BusinessObjects products to SAP BusinessObjects XI R2 – XI 3.1 – BI4
Webinar Series – Be a Better SAP BusinessObjects Administrator
Beginning September 27, 2012, a series of 9 free webinars to help you improve the health and stability of your SAP BusinessObjects deployment.
Visit http://evtechnologies.com/webinars to register.
Diversified Semantic Layer
§ A podcast devoted to business intelligence with SAP BusinessObjects
§ Recorded by a bunch of folks active in the SAP BusinessObjects global community
§ Perfect companions for your morning commute
§ Follow on twitter at @dslayered http://dslayer.net
Agenda
§ The Information Design Tool
§ The Need for Universe Security
§ Introducing Security Profiles
§ Creating Security Profiles
§ Next Steps
THE INFORMATION DESIGN TOOL Delivering Personalized and Secure Business Intelligence
Disclaimer
“I'm just a simple man trying to make my way in the universe.” ―Jango Fett
This presentation focuses on BI 4.0 universes created with the Information Design Tool. For XI R2 and XI 3.0/XI 3.1 universes created with Universe Design Tool (Designer), refer to the following presentation:
Secure Universes Using Restriction Sets, Insight 2007 BusinessObjects User Conference, October 2007, Orlando, Florida
Learn more about Information Design Tool
§ Go, Universe, Go! Techniques for Performance Tuning | David Rathbun | Session 0607 | Tuesday, September 11, 2012 11:15 AM - 12:15 AM
§ ASUG Semantic Layer Influence Council | Derek Loranca & Pierpaolo Vezzosi | Session 0906 | Tuesday, September 11, 2012 10:00 AM - 11:00 PM
§ Information Design Tool Primer and Review | Cindi Howson | Session 0606 | Tuesday, September 11, 2012 10:00 AM - 11:00 AM
§ Preparing for Life on Planet UNX | Alan Mayer | Session 0611 | Wednesday, September 12, 2012 8:00 AM - 9:00 AM
§ SAP BusinessObjects Web Intelligence 4.0 on SAP NetWeaver BW | Shawn Patrick Duffy | Session 1209 | Tuesday, September 11, 2012 2:45 PM - 3:45 PM
This list represents only a portion of the 22 semantic layer breakout sessions at the ASUG SAP BusinessObjects User Group Conference. Please check the official conference schedule for a full listing.
What is a legacy UNV Universe?
[Diagram labels: Connection, Data Foundation, Business Layer; file: *.unv]
What is a traditional UNV Universe?
Created with the Universe Design Tool, formerly known as “Universe Designer” or simply “Designer”.
What is a UNX Universe?
[Diagram labels: Connection (*.cns), Data Foundation (*.dfx), Business Layer (*.blx); universe file: *.unx]
The term “Common Semantic Layer” is also used to describe this new universe format.
Created with the new Information Design Tool
Web Intelligence 4.0 Query Methods
§ Web Intelligence now allows BEx (SAP NetWeaver® BW) and Analysis View to be queried directly without a universe
§ Web Intelligence Rich Client (shown) adds support for Excel, Text, and Web Services
§ This presentation focuses on securing universes created with the new Information Design Tool 4.0
Related Sessions: SAP BusinessObjects Web Intelligence 4.0 on SAP NetWeaver BW | Shawn Patrick Duffy | Session 1209 | Tuesday, September 11, 2012 2:45 PM - 3:45 PM
THE NEED FOR UNIVERSE SECURITY Delivering Personalized and Secure Business Intelligence
Two Methods for Securing Universes
§ Restrict access to entire universe by setting universe rights in the Central Management Console (CMC)
§ Create various forced and optional restrictions within Information Design Tool
  Forced
  - Object restrictions
  - Self-restricting joins
  - Inferred extra tables
  Optional
  - Filter objects
Personalizing Ad Hoc Queries
Need to secure business-critical data based on a user’s role in the organization, but standard universe design solutions affect all users unilaterally …
… a different solution is required to apply security conditionally to specific users and groups: Security profiles.
Database-specific techniques such as Teradata Query Banding and Oracle Virtual Private Databases can be used but are beyond the scope of this discussion
Security Profiles are ideal for organizations that use multiple database platforms and need a single, integrated approach to data security
Securing and Personalizing eFashion
Gotta analyze those party pants sales!
How do we ensure that Bennett is limited to only Colorado Springs data…
While allowing executives to look across the organization?
SECURITY PROFILES Delivering Personalized and Secure Business Intelligence
What is a Security Profile?
A security profile is a group of security settings that apply to a universe published in the repository
Similar features are available in the Universe Design Tool for traditional universes (UNV), known as access restrictions or restriction sets
Data Security Profiles have security settings defined on objects in the data foundation and on data connections
Business Security Profiles have security settings defined on objects in the business layer
What can be restricted in traditional UNV universes?
Type of restriction | Description
Connection | Override the default universe connection with an alternate connection
Query controls | Limit the size of the result set and query execution time
SQL generation controls | Control how SQL is generated by user query
Row access | Row-level security – force restrictions into the WHERE clause of inferred SQL
Alternative table access | Replace a table referenced in the universe with another table in the database
Object access | Column-level security
What can be restricted in new UNX universes?
Data Foundation Restrictions
Type of restriction | Description
Connection | Override the default universe connection with an alternate connection
Query controls | Limit the size of the result set and query execution time
SQL generation controls | Control how SQL is generated by user query
Row access | Row-level security – force restrictions into the WHERE clause of inferred SQL
Alternative table access | Replace a table referenced in the universe with another table in the database
Similar restrictions exist in Universe Design Tool
What can be restricted in new UNX universes?
Business Layer Restrictions
Type of restriction | Description
Create Query | Defines the universe views* and business layer objects** available to the user in the query panel.
Display Data | Grants or denies access to the data retrieved by objects in the business layer when the user runs a query.*
Filters | Defines filters using objects in the business layer.*
* New feature of BI 4.0
** Similar to object restrictions in Universe Design Tool
CREATING SECURITY PROFILES Delivering Personalized and Secure Business Intelligence
Securing Universes — Design Process
1) Create & Manage Security Model
2) Build and Export Universe
3) Add Security Profile
4) Create Web Intelligence Documents*
5) Deploy using Lifecycle Manager
* Crystal Reports and SAP BusinessObjects Dashboards (formerly Xcelsius®) based on universes can also leverage Security Profiles
Importing Secure Universes from XI R2 & XI 3.1
Import BIAR file into BI 4.0 using Upgrade Management Tool
Import and Convert UNV to UNX using Information Design Tool (IDT)
Validate Converted Security Profile
Test and Deploy
Default Universe Parameters — Data Foundation Layer
Default Universe Parameters — Business Layer
Access Restrictions in the Universe Design Tool (UNV)
[Screenshot callouts: Editing Toolbar, Tools Menu]
Access restrictions can be accessed from either the tools menu or the editing toolbar
Security Profiles in Information Design Tool (UNX)
Access restrictions are available via Security Editor on Window menu or editing toolbar
Information Design Tool — Security Editor
Using the Security Editor — Step 1 of 4
1. Select universe and create security profiles
Using the Security Editor — Step 2 of 4
2. Assign Users or Groups
Using the Security Editor — Step 3 of 4
3. Adjust Options
Using the Security Editor — Step 4 of 4
4. Test Specific Users and Groups
Data Security Profile — Connections
§ Replace default universe connection
§ Use Case: Default connection may point to production but Security Profile points UAT users to UAT connection
Data Security Profile — Controls
§ Limit number of rows or execution time
§ Use Case: Conservative default settings for all users but more aggressive settings for power users
Data Security Profile — SQL
§ Control complexity of user queries
§ Use case: Default settings may allow sub-queries and combined queries, but security profile limits casual business users
Data Security Profile — Rows
§ Force restrictions into SQL WHERE clause
§ Use case: Row level security for sales team so they only see “their” numbers
§ TABLE.COLUMN = @VARIABLE('BOUSER')
§ May also want to disable the ability to view SQL in Web Intelligence
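The forced WHERE-clause restriction described above, as an added example that is not part of the original slides and is not SAP's implementation: a Python/SQLite sketch in which a restriction written as TABLE.COLUMN = @VARIABLE('BOUSER') is wrapped around the fact table for a restricted login and left off for an executive. The `sales` table, its rows, the logins, and the `ROW_RESTRICTIONS` mapping are constructed for illustration, and refusing logins with no assignment is this sketch's own choice.

```python
import re
import sqlite3

# Constructed sample rows (store, manager_login, revenue); not from the slides.
SALES = [
    ("Colorado Springs", "bennett", 1200),
    ("Colorado Springs", "bennett", 800),
    ("Austin", "larry", 1500),
    ("New York", "anna", 2100),
]

# Hypothetical profile assignments: login -> row restriction (None = unrestricted).
ROW_RESTRICTIONS = {
    "bennett": "sales.manager_login = @VARIABLE('BOUSER')",
    "executive": None,
}

BOUSER = re.compile(r"@VARIABLE\(\s*'BOUSER'\s*\)", re.IGNORECASE)


def restricted_sales(user):
    """Return (derived-table SQL, params) with the user's restriction forced in."""
    if user not in ROW_RESTRICTIONS:
        # Choice made for this sketch: an unassigned login gets no data at all.
        raise PermissionError(f"no profile assigned to {user!r}")
    restriction = ROW_RESTRICTIONS[user]
    if restriction is None:
        return "(SELECT * FROM sales) AS sales", ()
    # Bind the login as a parameter rather than splicing it into the SQL text.
    clause, count = BOUSER.subn("?", restriction)
    return f"(SELECT * FROM sales WHERE {clause}) AS sales", (user,) * count


def revenue_by_store(user):
    """Run the same ad hoc query for any user; only the forced filter differs."""
    table, params = restricted_sales(user)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (store TEXT, manager_login TEXT, revenue INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?)", SALES)
    sql = f"SELECT store, SUM(revenue) FROM {table} GROUP BY store ORDER BY store"
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for login in ("bennett", "executive"):
        print(login, revenue_by_store(login))
```

Because the filter wraps the table rather than the user's query text, any aggregation or extra condition the user adds still runs only over the permitted rows.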
Data Security Profile — Tables
§ Point to different table in database schema
§ Use Case: Default users point to one year of facts, but security profile points to three years of facts for power users
§ Not necessary for replacement table to be defined in universe
Business Security Profile — Create Query
§ Hide business layer views or business layer objects from certain users
§ Use Case: Control visibility of sensitive measures such as profit margin
Business Security Profile — Display Data
§ Prevents display of objects on report
§ If AUTO_UPDATE_QUERY parameter is No, then refreshing report generates an error
§ If AUTO_UPDATE_QUERY parameter is Yes, then the denied objects are removed from query and any business layer filters
Business Security Profile — Filters
§ Filter universe objects at the business layer, not database columns at data foundation layer
§ Still applies filter to SQL statement
DEMONSTRATIONS Delivering Personalized and Secure Business Intelligence
NEXT STEPS Delivering Personalized and Secure Business Intelligence
Additional Resources
SAP BusinessObjects Business Intelligence 4.0: Business Intelligence Platform Administrator Guide
Quick Reference Getting Around Information Design Tool (SCN, June 2011).
SAP BusinessObjects Business Intelligence 4.0: Web Intelligence User’s Guide
SAP BusinessObjects Business Intelligence 4.0: Information Design Tool Guide
Official Product Tutorials on SCN
www.sap.com/learnbi
Dallas Marks @dallasmarks
Principal Technical Architect
http://dallasmarks.org/
http://linkedin.com/in/dallasmarks/
Visit EV Technologies at Booth 210 in the Partner Showcase!
Thank You!
Thank you for participating.
Please provide feedback on this session by completing a short survey via the event mobile application.
SESSION CODE: 1213
Learn more year-round at www.asug.com