Post on 13-Apr-2018
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 1/40
CMC EssentialsDallas Marks, Integra SolutionsBreakout Session #9015
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 2/40
Poll
By a show of hands:
• How many people using version 6.x and earlier?
• Crystal Enterprise 10 and earlier?
• XI R2 in production?
• XI 3.0 in development?
• XI 3.0 in production?
• What about XI 3.1?
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 3/40
Agenda
• Brief History of Business Objects Administration
• Comparing XI R2 and XI 3.x Security
• Security Basics
• Terminology
•
Folder and Group Inheritance• Breaking Inheritance
• Custom Access Levels
• Scope of Rights
• Demonstration
• Custom Access Levels, Permissions Explorer and Security Query
• Best Practices
• Q&A
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 4/40
HISTORY OF
ADMINISTRATION
CMC Essentials
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 5/40
History of BusinessObjectsAdministration
Supervisor 4.0
March 1996
Central Management
Console XI Release 1
January 2005
Central Management
Console XI Release 2
November 2005
Central Management
Console
XI 3.0 - February 2008
XI 3.1 –
September 2008
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 6/40
Yoda on BusinessObjects XI R2
“You must unlearn what you have learned”
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 7/40
Yoda on BusinessObjects XI 3.x
“You must confront BusinessObjects Enterprise XI 3.1.
Then, only then, a Jedi will you be.”
NOTE: There are many new management areas in
the redesigned CMC XI 3.x, but this presentation
focuses on security-related changes.
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 8/40
COMPARING XI R2 AND
XI 3 X SECURITY
CMC Essentials
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 9/40
Users XI R2 XI 3.x
Administrator yes yes
Guest yes yes
QaaWSServletPrincipal no yes
PMUser yes no
Set Administrator password during install? no yes
Guest user disabled by default? no yes
Groups XI R2 XI 3.x
Administrators yes yes
Everyone yes yes
QaaWS Group Designer no yes
Report Conversion Tool Users yes yes
BusinessObjects NT Users yes no
Universe Designer users yes yes
Translators no yes
Default Users and Groups
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 10/40
Feature XI R2 XI 3.xFolder Inheritance yes yes
Group Inheritance yes yes
Predefined Access Levels yes yes
No Access yes yes*
View yes yes
Schedule yes yes
View On Demand yes yes
Full Control yes yes
Advanced Rights yes yes
Custom Access Levels no yes
Break Inheritance yes yesScope of Rights no yes
Combined Access Levels no yes
Security Features
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 11/40
Application XI R2 XI 3.xCentral Management Console yes yes!
Web Component Adapter (WCA) yes no
Administrative Launchpad yes no
Query Builder yes yes
Security Viewer Add-on yes no
Security Query no yes
Permissions Explorer no yes
Security Applications
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 12/40
SECURITY BASICS
CMC Essentials
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 13/40
Terminology
• Principal – a user or group
• Rights override - a rights behavior in which
rights that are set on child objects override
the rights set on parent objects
• General Global Rights – access rightsenforced regardless of content type
• Content Specific Rights – access rights
unique to content type (Crystal Report, Web
Intelligence, etc)
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 14/40
Predefined Rights
Rights Option Description XI R2 XI 3.x
No Access Unable to access an object yes
slightly
different
View Able to view historical (scheduled) instances of an object yes yes
Schedule Able to schedule instances of an object yes yes
View on Demand Able to view live data on-demand yes yes
Full Control Able to change or delete an object yes yes
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 15/40
Advanced/Granular Rights
Rights Option Description XI R2 XI 3.xGranted The right is granted to a principal. yes yes
Denied The right is denied to a principal. yes yes
Not Specified
The right is unspecified for a principal. By
default, rights set to Not Specified are denied. yes yes
Apply to Object
The right applies to the object. This optionbecomes available when you click Granted or
Denied. no yes
Apply to Sub-Objects
The right applies to sub-objects. This option
becomes available when you click Granted or
Denied. no yes
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 16/40
Folder Inheritance
Global Rights
Object
Object
Object
Object
Top Level Folder
Subfolder
Subfolder
NOTE:
In XI R2, global rights are set on the Rights tab
in the Settings management area.
In XI 3.x, global rights are set in the Folders
management area as “All Folders Security”
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 17/40
Group Inheritance Rules
eFashion Sales Managers 2008
eFashion East eFashion South eFashion West
Barrett Richards Larry Leonard Bennett Steve
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 18/40
Breaking Inheritance
• Still possible in XI 3.x asit was in XI Release 2
• Can disable folder
inheritance, group
inheritance, or both• May not be as
necessary in XI 3.x
because of new scope
of rights features
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 19/40
Custom Access Levels
• New Management Area in CMC XI 3.x
• Can create new access levels or copy
existing access levels
• Pre-defined rights (View, Schedule, ViewOn Demand, Full Control) levels cannot
be altered
• Easier to manage than setting Advanced
rights
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 20/40
Scope of Rights
• Scope of rights – new in XI 3.x, the ability to limitthe extent of rights inheritance (Apply to Object,
Apply to Sub-object)
• In BusinessObjects Enterprise XI R2, the
administrator was forced to break inheritance whenthey wanted to give user rights to child folders that
were different to those given to the parent folder
• In XI 3.x, rights are effective for both the parent
object and the child objects by default (same as XIR2). However…
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 21/40
Scope of Rights, cont.
• With BusinessObjects Enterprise XI 3.x, the administrator can nowspecify that a right set on a parent object should apply to that object
only.
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 22/40
DEMONSTRATION
CMC Essentials
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 23/40
Demonstration
• Custom Access Levels
• Permissions Explorer
• Security Query
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 24/40
Demonstration – Users & Groups
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 25/40
Demonstration – Folders and Content
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 26/40
DEMONSTRATION
CUSTOM ACCESS LEVELS
CMC Essentials
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 27/40
Demonstration – Custom Access Levels
Custom Access Level demo…
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 28/40
PERMISSIONS EXPLORER
AND SECURITY QUERY
CMC Essentials
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 29/40
Permissions Explorer (object centric)
• Use the Permissions Explorer to determinethe rights a principal has on an object
• Improvement upon Check User Rights
button in XI Release 2. Check User Rightsonly identified the effective rights – the source
of the rights assignment was still unknown
• Available from any object (folder, document,
universe, connection, etc.) that can haverights assigned
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 30/40
Permissions Explorer
Permissions Explorer demo…
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 31/40
Security Query (User Centric)
• Use Security Query to determine the objects to which aprincipal has been granted or denied access.
• Available from Users and Groups or Query Results
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 32/40
Security Query – Query Principal
Query Principal - the user or group that you
want to run the security query for. You can
specify one principal for each security query
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 33/40
Security Query – Query Permission
Query Permission - the right or rights you
want to run the security query for, the status
of these rights, and the object type these
rights are set on
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 34/40
Security Query – Query Context
Query Context - the CMC areas that youwant the security query to search. For each
area, you can choose whether to include
sub-objects in the security query. A security
query can have a maximum of four areas
Security Query demo…
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 35/40
BEST PRACTICES
CMC Essentials
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 36/40
Security Best PracticesXI R2 only
• Disable Guest account if there is norequirement for anonymous access
• Set global access (Settings
management area) to NO ACCESS,then assign rights at top level folders
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 37/40
Security Best PracticesXI R2 or XI 3.x
• Grant rights to groups on folders. Although rights can begranted on individual objects or users, the security model
can become difficult to maintain.
• Use pre-defined rights wherever possible. Understand the
additional complexity that advanced rights can introduce.
• Avoid breaking inheritance, while understanding it is
sometimes necessary
• Add multiple users to Administrators group rather than
sharing Administrator user account to improve traceability
• Document and maintain your security structure outside ofthe CMC – MS Excel is a good choice
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 38/40
Security Best PracticesXI 3.x
• Allot time in your upgrade/migration for administrative staffto understand both the new CMC interface/workflows as
well as its new features
• Use custom access levels where you would have
previously resorted to advanced rights.
• Identify opportunities to limit the scope of rights instead of
breaking inheritance
• Take advantage of the Permissions Explorer and Security
Query tools to diagnose and correct security issues
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 39/40
For More Information
• BusinessObjects Enterprise Administrator’s Guide• BusinessObjects Enterprise XI 3.0/3.1 Upgrade Guide
• BusinessObjects 5/6 to XI 3.1 Migration Guide
• Business Objects Education
• BusinessObjects Enterprise XI R2: Securing Users and Content (SA210R2)
• BusinessObjects Enterprise XI 3.0/3.1: Administration and Security
(SA210V3.0 or SA210V3.1)
• My Life With Business Objects, a blog
http://dallasmarks.blogspot.com/
• Integra Solutions Library
http://www.IntegraSolutions.net/
7/27/2019 Bouc2008 Marks 9015 Cmc Essentials Security
http://slidepdf.com/reader/full/bouc2008-marks-9015-cmc-essentials-security 40/40
Q&A
• Questions• Dallas Marks, Senior Consultant and Trainer
Integra Solutions, a business unit of Quorum Business Solutions
• I will repeat questions to ensure everyone can hear
• Contact information
• Email: dallas_marks@qbsol.com
• Evaluations
• This was breakout session #9015