September  10-­‐13,  2012  Orlando,  Florida  

Delivering  Personalized  and  Secure  Business  Intelligence  

Using  the  SAP  BusinessObjects  Business  Intelligence  4.0  InformaAon  Design  Tool  Session  1213  

Breakout  DescripAon  

Do you need to tailor semantic layer security to speci!c users or groups within your organization? Attend this session to learn about security pro!les in the new Information Design Tool in SAP BusinessObjects Business Intelligence 4.0 (BI4.0). Understand how security pro!les can control objects, rows, query types, and connections. See live demonstrations of each type of restriction and the effect they have on end users’ interactive experience.

2

About  Dallas  Marks  §  Dallas Marks is a Principal Technical Architect and Trainer

at EV Technologies, an SAP Software Solutions and Sybase partner focusing on business intelligence and business analytics.

§  Dallas is an SAP Certi!ed Application Associate and authorized trainer for Web Intelligence, Universe Design, Dashboards, and SAP BusinessObjects BI Platform administration. Dallas has worked with SAP BusinessObjects tools since 2003 and presented at the North American conference each year since 2006.

§  Dallas has implemented SAP BusinessObjects solutions for a number of industries, including energy, health care, and manufacturing. He holds a master’s degree in Computer Engineering from the University of Cincinnati.

§  Dallas is a co-author of the upcoming SAP Press title SAP BusinessObjects Web Intelligence, 2nd edition, and blogs about various business intelligence topics at http://dallasmarks.org/.

3

EV Technologies is an SAP BusinessObjects solutions !rm SAP Software Solutions Partner SAP Certi!ed Solutions provider

Sybase Certi!ed Solutions provider SAP BusinessObjects Enterprise Certi!ed

ASUG Members/Volunteers Migration experts – classic BusinessObjects products to

SAP BusinessObjects XI R2 – XI 3.1- BI4

5

Beginning September 27, 2012, a series of 9 free webinars to help you improve the health

and stability of your SAP BusinessObjects deployment.

Visit http://evtechnologies.com/webinars to register.

Webinar  Series  –  Be  a  BeKer  SAP  BusinessObjects  Administrator  

Diversi!ed Semantic Layer

§  A podcast devoted to business intelligence with SAP BusinessObjects

§  Recorded by a bunch of folks active in the SAP BusinessObjects global community

§  Perfect companions for your morning commute

§  Follow on twitter at @dslayered http://dslayer.net

Agenda  

§ The Information Design Tool § The Need for Universe Security §  Introducing Security Pro!les § Creating Security Pro!les § Next Steps

7

THE  INFORMATION  DESIGN  TOOL  Delivering  Personalized  and  Secure  Business  Intelligence  

Disclaimer  

“I'm just a simple man trying to make my way in the universe.” ―Jango Fett

9

This presentation focuses on BI 4.0 universes created with the Information Design Tool. For XI R2 and XI 3.0/XI 3.1 universes created with Universe Design Tool (Designer), refer to the following presentation. Secure Universes Using Restriction Sets Insight 2007 BusinessObjects User Conference October 2007, Orlando, Florida

10

Disclaimer  

Learn  more  about  InformaAon  Design  Tool  

11

§  Go,  Universe,  Go!  Techniques  for  Performance  Tuning  David  Rathbun  |  Session  0607  Tuesday,  September  11,  2012  11:15  AM  -­‐  12:15  AM  

§  ASUG  SemanMc  Layer  Influence  Council  Derek  Loranca  &  Pierpaolo  Vezzosi  |  Session  0906  Tuesday,  September  11,  2012  10:00  AM  -­‐  11:00  PM    

§  InformaMon  Design  Tool  Primer  and  Review  Cindi  Howson  |  Session  0606  Tuesday,  September  11,  2012  10:00  AM  -­‐  11:00  AM  

§  Preparing  for  Life  on  Planet  UNX  Alan  Mayer  |  Session  0611  Wednesday,  September  12,  2012  8:00  AM  -­‐  9:00  AM  

§  SAP  BusinessObjects  Web  Intelligence  4.0  on  SAP  NetWeaver  BW  Shawn  Patrick  Duffy  |  Session  1209  Tuesday,  September  11,  2012  2:45  PM  -­‐  3:45  PM  

This list represents only a portion of the 22 semantic layer breakout sessions at the ASUG SAP BusinessObjects User Group Conference. Please check the official conference schedule for a full listing.

What  is  a  legacy  UNV  Universe?  

12

Connection

*.unv

What  is  a  tradiAonal  UNV  Universe?  

13

Created with the Universe Design Tool, formerly known as “Universe Designer”

or simply “Designer”.

Business Layer

Data Foundation

What  is  a  UNX  Universe?  

14

Connection

Data Foundation

Business Layer

*.cns

*.dfx

*.blx

*.unx

The term “Common Semantic Layer” is also used to describe this new universe format.

What  is  a  UNX  Universe?  

15

*.cns

*.dfx

*.blx

Created with the new Information Design Tool

Business Layer

Data Foundation

Web  Intelligence  4.0  Query  Methods  

§  Web  Intelligence  now  allows  BEx  (SAP  NetWeaver®  BW)  and  Analysis  View  to  be  queried  directly  without  a  universe  

16 16

Related Sessions: SAP BusinessObjects Web Intelligence 4.0 on SAP NetWeaver BW Shawn Patrick Duffy | Session 1209 Tuesday, September 11, 2012 2:45 PM - 3:45 PM

§  Web  Intelligence  now  allows  BEx  (SAP  NetWeaver®  BW)  and  Analysis  View  to  be  queried  directly  without  a  universe  

§  Web  Intelligence  Rich  Client  (shown)  adds  support  for  Excel,  Text,  and  Web  Services  

17

Web  Intelligence  Query  Methods  (cont.)  

17

§  Web  Intelligence  now  allows  BEx  (SAP  NetWeaver®  BW)  and  Analysis  View  to  be  queried  directly  without  a  universe  

§  Web  Intelligence  Rich  Client  (shown)  adds  support  for  Excel,  Text,  and  Web  Services  

§  This  presentaMon  focuses  on  securing  universes  created  with  the  new  InformaMon  Design  Tool  4.0  

Web  Intelligence  Query  Methods  (cont.)  

18

THE  NEED  FOR  UNIVERSE  SECURITY  Delivering  Personalized  and  Secure  Business  Intelligence  

Restrict  access  to  enAre  universe  by  sehng  universe  rights  in  the  Central  Management  Console  (CMC)  

Two  Methods  for  Securing  Universes  

20

Create  various  forced  and  opAonal  restricAons  within  InformaAon  Design  Tool  Forced  �  Object  restricAons  �  Self-­‐restricAng  joins  �  Inferred  extra  tables  

OpAonal  �  Filter  objects  

Personalizing  Ad  Hoc  Queries  

21

Need  to  secure  business-­‐criMcal  data  based  on  a  user’s  role  in  the  organizaMon,  but  standard  universe  design  soluMons  affect  all  users  unilaterally  …  

…  a  different  soluMon  is  required  to  apply  security  

condi.onally  to  specific  users  and  groups:  

 Security  profiles.  

Personalizing  Ad  Hoc  Queries  

22

Database-­‐specific  techniques  such  as  Teradata  Query  Banding  and  Oracle  Virtual  Private  Databases  can  be  used  but  are  beyond  the  scope  of  this  discussion  

Security  Profiles  are  ideal  for  organizaMons  that  use  mulMple  database  pladorms  and  need  a    

single,  integrated  approach    to  data  security  

Securing  and  Personalizing  eFashion  

23

Gotta analyze those party pants sales!

Securing  and  Personalizing  eFashion  

24

How do we ensure that Bennett is limited to only Colorado Springs data…

Securing  and  Personalizing  eFashion  

25

While allowing executives to look across the organization?

SECURITY  PROFILES  Delivering  Personalized  and  Secure  Business  Intelligence  

What  is  a  Security  Profile?  

27

A security profile is a group of security settings that apply to a universe published in the repository

Similar features are available in the Universe Design Tool for traditional universes (UNV), known as access restrictions or restriction sets

What  is  a  Security  Profile?  

28

Data Security Profiles have security settings defined on objects in the data foundation and on data connections

Business Security Profiles have security settings defined on objects in the business layer

Type of restriction Description

Connection Override the default universe connection with an alternate connection

Query controls Limit the size of the result set and query execution time

SQL generation controls Control how SQL is generated by user query

Row access Row-level security – force restrictions into the WHERE clause of inferred SQL

Alternative table access Replace a table referenced in the universe with another table in the database

Object access Column-level security

What  can  be  restricted  in  tradiAonal  UNV  universes?  

29

Type of restriction Description

Connection Override the default universe connection with an alternate connection

Query controls Limit the size of the result set and query execution time

SQL generation controls Control how SQL is generated by user query

Row access Row-level security – force restrictions into the WHERE clause of inferred SQL

Alternative table access Replace a table referenced in the universe with another table in the database

What  can  be  restricted  in  new  UNX  universes?  

Data Foundation Restrictions

Similar restrictions exist in Universe Design Tool

30

Type of restriction Description

Create Query Defines the universe views* and business layer objects** available to the user in the query panel.

Display Data Grants or denies access to the data retrieved by objects in the business layer when the user runs a query.*

Filters Defines filters using objects in the business layer.*

What  can  be  restricted  in  new  UNX  universes?  

Business Layer Restrictions

* New feature of BI 4.0 ** Similar to object restrictions in Universe Design Tool

31

CREATING  SECURITY  PROFILES  Delivering  Personalized  and  Secure  Business  Intelligence  

1) Create & Manage Security Model

2) Build and Export

Universe

3) Add Security Profile

4) Create Web

Intelligence Documents*

5) Deploy using

Lifecycle Manager

* Crystal Reports and SAP BusinessObjects Dashboards (formerly Xcelsius®) based on universes can also leverage Security Profiles

33

Securing  Universes  —  Design  Process  

ImporAng  Secure  Universes  from  XI  R2  &  XI  3.1  

Import BIAR file into BI 4.0 using Upgrade Management Tool

Import and Convert UNV to UNX using Information Design Tool (IDT)

Validate Converted Security Profile

Test and Deploy

34

35 35

Default  Universe  Parameters  —  Data  FoundaAon  Layer  

Default  Universe  Parameters  —  Business  Layer  

36

Editing Toolbar

Tools Menu

Access restrictions can be accessed from either the tools menu or the editing toolbar

Access  RestricAons  in  the  Universe  Design  Tool  (UNV)  

37

Access restrictions are available via Security Editor on Window menu or editing toolbar

Security  Profiles  in  InformaAon  Design  Tool  (UNX)  

38

InformaAon  Design  Tool  —  Security  Editor  

39

1. Select universe and create security profiles

Using  the  Security  Editor  —  Step  1  of  4  

40

41

2. Assign Users or Groups

41

Using  the  Security  Editor  —  Step  2  of  4  

Using  the  Security  Editor  —  Step  3  of  4  

42

3. Adjust Options

Using  the  Security  Editor  —  Step  4  of  4  

43

4. Test Specific Users and Groups

Data  Security  Profile  —  ConnecAons  

§  Replace  default  universe  connecAon  

§  Use  Case:    Default  connecAon  may  point  to  producAon  but  Security  Profile  points  UAT  users  to  UAT  connecAon  

44

Data  Security  Profile  —  Controls  

§  Limit  number  of  rows  or  execuAon  Ame  

§  Use  Case:  ConservaAve  default  sehngs  for  all  users  but  more  aggressive  sehngs  for  power  users  

45

Data  Security  Profile  —  SQL  

§  Control  complexity  of  user  queries  

§  Use  case:  Default  sehngs  may  allow  sub-­‐queries  and  combined  queries,  but  security  profile  limits  casual  business  users  

46

Data  Security  Profile  —  Rows  

§  Force  restricAons  into  SQL  WHERE  clause  

§  Use  case:  Row  level  security  for  sales  team  so  they  only  see  “their”  numbers  

§  TABLE.COLUMN=  @VARIABLE(‘BOUSER’)  

§  May  also  desire  to  disable  ability  to  view  SQL  in  Web  Intelligence  

47

Data  Security  Profile  —  Tables  

§  Point  to  different  table  in  database  schema  

§  Use  Case:  Default  users  point  to  one  year  of  facts,  but  security  profile  points  to  three  years  of  facts  for  power  users  

§  Not  necessary  for  replacement  table  to  be  defined  in  universe  

48

Business  Security  Profile  —  Create  Query  

§  Hide  business  layer  views  or  business  layer  objects  from  certain  users  

§  Use  Case:  Control  visibility  of  sensiAve  measures  such  as  profit  margin  

49

Business  Security  Profile  —  Display  Data  

§  Prevents  display  of  objects  on  report  

§  If  AUTO_UPDATE_QUERY  parameter  is  No,  then  refreshing  report  generates  an  error  

§  If  AUTO_UPDATE_QUERY  parameter  is  Yes,  then  the  denied  objects  are  removed  from  query  and  any  business  layer  filters  

50

§  Filter universe objects at the business layer, not database columns at data foundation layer

§  Still applies !lter to SQL statement

51

Business  Security  Profile  —  Filters  

DEMONSTRATIONS  Delivering  Personalized  and  Secure  Business  Intelligence  

NEXT  STEPS  Delivering  Personalized  and  Secure  Business  Intelligence  

Additional Resources SAP BusinessObjects Business Intelligence 4.0: Business Intelligence Platform Administrator Guide

54

Quick Reference Getting Around Information Design Tool (SCN, June 2011).

SAP BusinessObjects Business Intelligence 4.0: Web Intelligence User’s Guide

SAP BusinessObjects Business Intelligence 4.0: Information Design Tool Guide

Official  Product  Tutorials  on  SCN  

www.sap.com/learnbi

55

Dallas  Marks  @dallasmarks  Principal  Technical  Architect        hKp://dallasmarks.org/  hKp://linkedin.com/in/dallasmarks/    Visit  EV  Technologies  at  Booth  210  in  the  Partner  Showcase!    

       

56

Thank  You!  

Thank you for participating.

Please provide feedback on this session by completing a short survey via the event

mobile application.

SESSION CODE: 1213

Learn more year-round at www.asug.com