September 10-‐13, 2012 Orlando, Florida
Delivering Personalized and Secure Business Intelligence
Using the SAP BusinessObjects Business Intelligence 4.0 InformaAon Design Tool Session 1213
Breakout DescripAon
Do you need to tailor semantic layer security to
specific users or groups within your organization?
Attend this session to learn about security profiles
in the new Information Design Tool in SAP
BusinessObjects Business Intelligence 4.0 (BI4.0).
Understand how security profiles can control
objects, rows, query types, and connections. See
live demonstrations of each type of restriction and
the effect they have on end users’ interactive
About Dallas Marks
§ Dallas Marks is a Principal Technical Architect and Trainer at EV Technologies, an SAP Software Solutions and
Sybase partner focusing on business intelligence and business analytics.
§ Dallas is an SAP Certified Application Associate and
authorized trainer for Web Intelligence, Universe Design, Dashboards, and SAP BusinessObjects BI Platform
administration. Dallas has worked with SAP
BusinessObjects tools since 2003 and presented at the North American conference each year since 2006.
§ Dallas has implemented SAP BusinessObjects solutions for a number of industries, including energy, health care, and manufacturing. He holds a master’s degree in
Computer Engineering from the University of Cincinnati.
§ Dallas is a co-author of the upcoming SAP Press title SAP BusinessObjects Web Intelligence, 2nd edition, and blogs about various business intelligence topics at
http://dallasmarks.org/.
EV Technologies is an SAP BusinessObjects solutions firm
SAP Software Solutions Partner
SAP Certified Solutions provider
Sybase Certified Solutions provider
SAP BusinessObjects Enterprise Certified
ASUG Members/Volunteers
Migration experts – classic BusinessObjects products to
SAP BusinessObjects XI R2 – XI 3.1- BI4
5
Beginning September 27, 2012,
a series of 9 free webinars to
help you improve the health
and stability of your SAP
BusinessObjects deployment.
Visit http://evtechnologies.com/webinars to register.
Diversified Semantic Layer
§
A podcast devoted to
business intelligence
with SAP
BusinessObjects
§
Recorded by a bunch
of folks active in the
SAP BusinessObjects
global community
§
Perfect companions
for your morning
commute
§
Follow on twitter at
@dslayered
Agenda
§
The Information Design Tool
§
The Need for Universe Security
§
Introducing Security Profiles
§
Creating Security Profiles
§
Next Steps
THE INFORMATION DESIGN TOOL
Disclaimer
“I'm just a simple
man trying to
make my way in
the universe.
”
―Jango Fett
This presentation focuses on BI 4.0
universes created with the Information Design Tool. For XI R2 and XI 3.0/XI 3.1 universes created with Universe Design Tool (Designer), refer to the following presentation.
Secure Universes Using Restriction Sets
Insight 2007 BusinessObjects User Conference October 2007, Orlando, Florida
Learn more about InformaAon Design Tool
11
§ Go, Universe, Go!
Techniques for Performance Tuning David Rathbun | Session 0607
Tuesday, September 11, 2012 11:15 AM -‐ 12:15 AM
§ ASUG SemanMc Layer Influence Council
Derek Loranca & Pierpaolo Vezzosi | Session 0906 Tuesday, September 11, 2012 10:00 AM -‐ 11:00 PM
§ InformaMon Design Tool Primer and Review Cindi Howson | Session 0606
Tuesday, September 11, 2012 10:00 AM -‐ 11:00 AM
§ Preparing for Life on Planet UNX
Alan Mayer | Session 0611
Wednesday, September 12, 2012 8:00 AM -‐ 9:00 AM
§ SAP BusinessObjects Web Intelligence 4.0 on
SAP NetWeaver BW
Shawn Patrick Duffy | Session 1209
Tuesday, September 11, 2012 2:45 PM -‐ 3:45 PM
This list represents only a portion of the 22 semantic layer breakout sessions at the ASUG SAP BusinessObjects User Group Conference. Please check the official conference schedule for a full listing.
What is a legacy UNV Universe?
Connection
What is a tradiAonal UNV Universe?
13
Created with the Universe Design Tool, formerly known as “Universe Designer”
or simply “Designer”.
Business
Layer
Data
What is a UNX Universe?
Connection
Data Foundation
Business Layer
*.cns *.dfx *.blx *.unxThe term “Common Semantic Layer” is also used to
describe this new universe format.
What is a UNX Universe?
15
*.cns *.dfx *.blx
Created with the new Information Design Tool
Business
Layer
Data
Web Intelligence 4.0 Query Methods
§ Web Intelligence now allows BEx (SAP NetWeaver® BW)
and Analysis View to be queried directly without a universe
Related Sessions:
SAP BusinessObjects Web Intelligence 4.0 on SAP NetWeaver BW Shawn Patrick Duffy | Session 1209
§ Web Intelligence now allows
BEx (SAP NetWeaver® BW)
and Analysis View to be queried directly without a universe
§ Web Intelligence Rich Client (shown) adds support for
Excel, Text, and Web Services
17
Web Intelligence Query Methods (cont.)
§ Web Intelligence now allows
BEx (SAP NetWeaver® BW)
and Analysis View to be queried directly without a universe
§ Web Intelligence Rich Client
(shown) adds support for
Excel, Text, and Web Services
§ This presentaMon focuses on securing universes created with the new InformaMon Design Tool 4.0
THE NEED FOR UNIVERSE SECURITY
Restrict access to enAre universe by sehng universe rights in the Central Management Console (CMC)
Two Methods for Securing Universes
Create various forced and opAonal restricAons within InformaAon Design Tool
Forced
Object restricAons
Self-‐restricAng joins
Inferred extra tables
OpAonal
Personalizing Ad Hoc Queries
21
Need to secure business-‐criMcal data based on
a user’s role in the organizaMon, but standard
universe design soluMons affect all users
unilaterally …
… a different soluMon is
required to apply security
condi.onally to specific users
and groups:
Security profiles.
Personalizing Ad Hoc Queries
Database-‐specific techniques such as
Teradata Query Banding and Oracle Virtual
Private Databases can be used but are beyond
the scope of this discussion
Security Profiles are ideal for
organizaMons that use mulMple
database pladorms and need a
single, integrated approach
to data security
Securing and Personalizing eFashion
23
Gotta analyze those party pants sales!
Securing and Personalizing eFashion
How do we ensure that Bennett is limited to only Colorado Springs data…Securing and Personalizing eFashion
25 While allowing executives to look across the organization?SECURITY PROFILES
What is a Security Profile?
27
A
security profile
is a group of
security settings that apply to a
universe published in the repository
Similar features are available in
the Universe Design Tool for
traditional universes (UNV), known
as access restrictions or restriction
What is a Security Profile?
Data Security Profiles
have security
settings defined on objects in the
data foundation and on data
connections
Business Security Profiles
have
security settings defined on objects
in the business layer
Type of restriction Description
Connection Override the default universe connection
with an alternate connection
Query controls Limit the size of the result set and query execution time
SQL generation controls Control how SQL is generated by user query
Row access Row-level security – force restrictions
into the WHERE clause of inferred SQL Alternative table access Replace a table referenced in the universe
with another table in the database
Object access Column-level security
What can be restricted in tradiAonal UNV universes?
Type of restriction Description
Connection Override the default universe connection
with an alternate connection
Query controls Limit the size of the result set and query execution time
SQL generation controls Control how SQL is generated by user query
Row access Row-level security – force restrictions
into the WHERE clause of inferred SQL Alternative table access Replace a table referenced in the universe
with another table in the database
What can be restricted in new UNX universes?
Data Foundation Restrictions
Type of restriction Description
Create Query Defines the universe views* and business
layer objects** available to the user in the query panel.
Display Data Grants or denies access to the data
retrieved by objects in the business layer when the user runs a query.*
Filters Defines filters using objects in the
business layer.*
What can be restricted in new UNX universes?
Business Layer Restrictions
* New feature of BI 4.0
** Similar to object restrictions in Universe Design Tool
CREATING SECURITY PROFILES
1) Create & Manage Security Model 2) Build and Export Universe 3) Add Security Profile 4) Create Web Intelligence Documents* 5) Deploy using Lifecycle Manager
* Crystal Reports and SAP BusinessObjects Dashboards (formerly Xcelsius®) based on
universes can also leverage Security Profiles
33
ImporAng Secure Universes from XI R2 & XI 3.1
Import BIAR file into BI 4.0 using
Upgrade Management Tool
Import and Convert UNV to UNX
using Information Design Tool (IDT)
Validate Converted Security Profile
Test and Deploy
35
35
Editing Toolbar Tools Menu
Access restrictions can be
accessed from either the tools menu or the editing toolbar
Access RestricAons in the Universe Design Tool (UNV)
Access restrictions are available via Security Editor on Window menu or editing toolbar
InformaAon Design Tool — Security Editor
1. Select universe
and create security
profiles
41
2. Assign Users or
Groups
41
Using the Security Editor — Step 3 of 4
Using the Security Editor — Step 4 of 4
43
Data Security Profile — ConnecAons
§ Replace default
universe connecAon
§ Use Case:
Default connecAon may point to
producAon but
Security Profile points UAT users to UAT
Data Security Profile — Controls
§ Limit number of rows
or execuAon Ame
§ Use Case:
ConservaAve default sehngs for all users but more aggressive sehngs for power users
Data Security Profile — SQL
§ Control complexity of
user queries
§ Use case:
Default sehngs may allow sub-‐queries and combined queries, but security profile limits casual business users
Data Security Profile — Rows
§ Force restricAons into
SQL WHERE clause
§ Use case:
Row level security for sales team so they only see “their” numbers
§ TABLE.COLUMN=
@VARIABLE(‘BOUSER’)
§ May also desire to
disable ability to view SQL in Web
Intelligence
Data Security Profile — Tables
§ Point to different table
in database schema
§ Use Case:
Default users point to one year of facts, but security profile points to three years of facts for power users
§ Not necessary for
replacement table to be defined in universe
Business Security Profile — Create Query
§ Hide business layer views
or business layer objects from certain users
§ Use Case:
Control visibility of
sensiAve measures such as profit margin
Business Security Profile — Display Data
§ Prevents display of objects
on report
§ If AUTO_UPDATE_QUERY
parameter is No, then refreshing report
generates an error
§ If AUTO_UPDATE_QUERY
parameter is Yes, then the denied objects are
removed from query and any business layer filters
§ Filter universe objects at the business layer, not database columns at data foundation layer
§ Still applies filter to SQL
statement
51
DEMONSTRATIONS
NEXT STEPS
Additional Resources
SAP BusinessObjects Business Intelligence 4.0: Business Intelligence Platform Administrator Guide
Quick Reference Getting Around Information Design Tool (SCN, June 2011).
SAP BusinessObjects Business Intelligence 4.0: Web Intelligence User’s Guide
SAP BusinessObjects Business Intelligence 4.0: Information Design Tool Guide
Official Product Tutorials on SCN
www.sap.com/learnbi
55Dallas Marks
@dallasmarks
Principal Technical Architect hKp://dallasmarks.org/ hKp://linkedin.com/in/dallasmarks/
Visit EV Technologies at Booth 210 in the Partner Showcase! 56