Skip to Content

The security model we’re implementing here is an example of the Type III model that is described in this article on different security model patterns.

We start by creating a baseline security model that involves locking down the Everyone group and creating three functional groups. Next we create the group and folder structure for a typical BI application. If you are unfamiliar with the concept of developing BI applications then the article Developing BI Applications provides a good overview.

 

Intended Audience

Readers of this article should be familiar with working with the Central Management Console (CMC) and further information on the CMC can be found in chapter 17 “Working with the Central Management Console” of the SAP BOE Administrator’s Guide.

Baseline Security Model

Lockdown the Everyone Group

First we need to make some changes to the Everyone group. When BOE is first installed the Everyone group is a bit too generous with the rights in grants members and so we should reduce the amount of permissions granted to a suitable minimum.

For a simple set of requirements we want users who are only a member of the Everyone group to be able to,

  • Logon to InfoView
  • View the top level public folder and view any agnostic document within that folder
  • Not be able to create or upload any new documents
  • Not be able to logon to any other application other than InfoView

The reason for allowing access to the root public folder is so that any user in the Everyone group can read any “getting started” type documents that we create and put in this folder. Examples of these documents include information on contacting support, how to request access to different applications, etc.

Access to Root Public Folder

By default the Everyone group does not provide access to the root folder however when we grant view rights to the root folder the user will end up seeing all subfolders including “Administration Tools”, “Auditor” etc so we then need to update these folders and explicitly deny the Everyone group from viewing these admin folders.

To update the Everyone group,

     

  1. Logon to the CMC and navigate to Folders
  2.  

  3. Select the All Folders node and from the Manage menu select Top Level Security, All Folders. Click OK to the warning message
  4.  

  5. Select the Everyone group and then click Assign Security
  6.  

  7. Enable the two inheritance modes by checking on the check boxes and click apply
  8.  

  9. Select View Access Level and click the > button. Your screen should look similar to below
  10.  

  11. Click OK and click Close to return to the main display.

screenshot of assigning view access to Root Folder for Everyone group

That’s all we need to do to allow the Everyone group access to public folders. We now need to deny access to each of the top level administration folders “Administration Tools”, “Auditor” etc.

     

  1. From within the Folders view expand the All Folders node
  2.  

  3. Select the Administration Tools folder and click the Manage User Security icon or select User Security from the Manage menu.
  4.  

  5. Select the Everyone group and click the Assign Security button
  6.  

  7. Uncheck the inheritance option “Inherit From Parent Folder” and click OK
  8.  

  9. Click OK to the warning message
  10.  

  11. Click OK in the Assign Security dialog and close the User Security dialog.

Repeat with remaining administration folders: “Auditor” and you may also wish to hide the “Feature Samples” and “Report Samples” folders in a similar manner. Alternatively these samples folders can be safely exported to a BIAR file and then deleted if not required on a production server.

Denying Access to CMC

The Everyone group by default also has logon access to the CMC. Certainly once logged on there is very little a user can do but it may be preferable to deny access to all users other than Administrators.

To prevent the Everyone group from accessing the CMC,

     

  1. Logon to the CMC as Administrator and navigate to Applications
  2.  

  3. Select CMC from the list
  4.  

  5. Click the Manage User Security icon
  6.  

  7. Select the Everyone group and click Assign Security
  8.  

  9. Click the Remove Access button and click OK
  10.  

  11. Click OK to the warning message.The Everyone group should now be listed as having No Access.
  12. Click close to close the dialog

We can test logging in to the CMC with a user that is not an Administrator. Unfortunately when logging in as a user who does not have permission we don’t get a nice and friendly “you don’t have permission” error as expected but instead we just get a blank screen.

Reduce Web Intelligence Application Functionality to the Everyone group

The Everyone group has View access to Web Intelligence. This is not necessarily a concern as any user who is only a member of the Everyone group should not have access to any folder containing a Web Intelligence document or be able to create a new document.

The access is still to high however as we are intending to control functional access through assigning users to appropriate functional access groups. Therefore we should remove all access to Web Intelligence for the Everyone group.

  1. Logon to the CMC as Administrator and navigate to Applications
  2. Select Web Intelligence from the list
  3. Click the Manage User Security icon
  4. Select Everyone from the list of principals (by default it should be set to View access) and click Assign Security.
  5. Click the Remove Access button and click OK
  6. Click OK to the warning message. 
  7. Everyone should now be listed as having No Access

Managing Connections

Security also applies to connections used by a Universe and the easiest way to manage connections is to grant the Everyone group permission to use all the connections. This may seem a little extreme as it grants too wide an access but universe connections can only be used by an end user via a Universe. This means that so long as we control access to the universes we don’t need to worry about the connections.

Universe designers on the other hand can work with connections directly and there may be a situation where we want to restrict a universe designer’s access to a connection, for example, if the underlying database contains sensitive data.

Here we will enable access to all connections and to grant the Everyone group access to a connection,

     

  1. Logon to the CMC as Administrator and navigate to Connections
  2.  

  3. Select each connection in turn and click the Manage User Security icon
  4.  

  5. Select the Everyone group and click Assign Security
  6.  

  7. Click the Advanced tab and the click Add/Remove Rights button

This screen allows us to assign or deny individual rights (see example screen shot below). On the left hand sign we see a set of nodes that contain categories, selecting a category will update the right hand display. The right hand panel lists all the rights available in the category and you can set access as either ‘granted’, ‘denied’ or ‘not specified’.

Descriptions of all of these rights across all areas are detailed in the BOE XI 3.1 Administrator’s Guide in the section “Rights Appendix”

     

  1. Under the General node grant access to the View Objects right
  2.  

  3. Click the connection node under System and grant Data Access right
  4.  

  5. Click OK to save these changes and
  6.  

  7. Click OK to close the Assign Security dialog

Setting security rights for a connection

That’s all we need to do with reducing access rights for the Everyone group. If you are using any other application such as Performance Manager or Desktop Intelligence then you’ll also need to reduce some access rights for those. The next section looks at creating the baseline functional access groups. 

Create Functional Access Groups

In this example we are creating three user groups that will control what functionality a user has when working with SAP BusinessObjects Enterprise. These functional access groups will work across the BI applications we deploy to the system, that is, a user who is in the “Advanced” group will be an advanced user in all applications that they have access to.

Note, it is possible to create functional access groups that only work within an application and so you can have a user who is Advanced for one application but only an Intermediate user in another application.

When first deployed BOE comes with prebuilt functional groups: Administrators, Universe Designers, QaaWS Group Designers and Report Conversion Tool Users. Membership of these groups grant a user different functionality, for example a user in the Administrators group has full access to the system, membership of Universe Designers allows user to create and edit universes.

We will create further functional groups that allow a user different functional access to Web Intelligence. These are

  • Standard Users. Users can view and refresh Web Intelligence documents and Crystal Reports
  • Intermediate Users.  Member of this group have same rights as Standard Users but can also create new Web Intelligence documents on the universes they have access to. They cannot save new documents to the public folders but can save to their private folders
  • Advanced Users. Members have same rights as Intermediate users but can also save to public folder (but only be allowed to edit or delete documents they have created)

These groups are created in a hierarchy:
  Everyone > Standard > Intermediate > Advanced

Create Functional User Groups

By default all new users will reside in the Everyone group. This grants the use permission to log on but very little else. The Standard User group allows users to view and refresh existing documents. Note, document access is controlled by the application groups.

To create the Standard User group,

  1. Logon to the CMC as Administrator and navigate to Users and Groups
  2. Select Everyone group and click Create New Group icon
  3. Provide a Group Name “Standard Users” and a meaningful description that describes what functionality members of this group are entitled to – “All members of this group have the right to view and refresh reports that they have been granted access to.”
  4. Expand the Everyone group by clicking on the plus sign next to Everyone and select the newly created Standard Users group
  5. Click the Create New Group icon again and enter a group name and description for the Intermediate Users group
  6. Expand the Standard Users group, select Intermediate Users and once more click the Create New Group Icon
  7. Enter a group name and description for Advanced Users
  8. Click OK once done and return to main screen

Assign Rights for Functional Groups

We have now created these groups we now need to implement their security. First we’ll set functional access permission for the Web Intelligence application.

  1. Logon to the CMC as Administrator and navigate to Applications
  2. Select Web Intelligence from the list and click the Manage User Security icon
  3. Click Add Principals and add the Standard Users groups we created above.
  4. Click Add and Assign Security button.
    Note, although we can use this screen to add all three principals at once we need to do them in turn. This is because when we click Add and Assign Security we then have a screen that forces us to assign the same security settings to all the groups selected but ours need different security settings.
  5. Uncheck the inheritance permission “Inherit from Parent Folder” – this then forces inheritance to be purely group based – and click Apply
  6. Click Advanced tab and then click Add/Remove Rights button
  7. Under General section grant the right “Log on to Web Intelligence and view this object in the CMC” and click Apply. This grants essentially allows users to be able to use Web Intelligence application in InfoView.
  8. Expand Application node in left hand menu and select Web Intelligence.
    There are quite a few functional rights for Web Intelligence and depending on your exact requirements you can enable required. In this worked example we will update the following rights to be granted for Standard User,
    Data Tracking: Enable for users
    Data Tracking: Enable format display changes by users
    Enable drill mode
    Enable HTML Report Panel
    Interactive: Left pane – Enable data summary  
    Interactive: Left pane – Enable document structure and filters  
    Interactive: Left pane – Enable document summary
  9. Click Apply and click OK to close the dialog
    You will notice that some functionality is not listed here, for example, the ability to send a document by email or download to PDF. This functionality is controlled at the folder level and so we need to control these permission from there.
    At this stage we can complete the functional permissions for the remaining two groups.
  10. Click Add Principal and select the Intermediate Users group
  11. Click Add and Assign Security button.
  12. Uncheck the inheritance permission “Inherit from Parent Folder” and click Apply
  13. Click Advanced tab and then click Add/Remove Rights button
    When viewing the rights we should see that this group has automatically inherited the rights of the Standard Users group. So here we just need to add additional rights for the group
  14. Expand Application node in left hand menu and select Web Intelligence.
  15. Update the following rights to granted,
    Create Document
    Enable Autosave for this user
    Enable formula and variable creation
    Enable interactive HTML viewing (if license permits)
    Enable Java Report Panel
    Enable Query – HTML
    Extend scope of analysis
    Interactive: Formatting – Enable toolbar and menus
    Interactive: General – Ability to hide / show toolbars
    Interactive: General – Edit ‘My Preferences’
    Interactive: General – Enable right click menu
    Interactive: Left pane – Enable available objects, tables and charts
    Interactive: Reporting – Apply and remove existing alerters
    Interactive: Reporting – Create and edit break
    Interactive: Reporting – Create and edit predefined calculation
    Interactive: Reporting – Create and edit report filter
    Interactive: Reporting – Create and edit sort
    Interactive: Reporting – Insert and remove report, table, chart and cell
    Merge dimensions for synchronization
    Web Intelligence Rich Client : Save a document locally on the file system
    Web Intelligence Rich Client: Allow local data providers
    Web Intelligence Rich Client: Create a document
    Web Intelligence Rich Client: Enable a client to use it
    Web Intelligence Rich Client: Export a document
    Web Intelligence Rich Client: Import a document
    Web Intelligence Rich Client: Install from InfoView
    Web Intelligence Rich Client: Print a document
    Web Intelligence Rich Client: Save a document for all users
  16. Click OK to save these changes
  17. Click OK to close the Assign Security dialog
  18. Click Add Principals and select Advanced users.
  19. Click Add and Assign Security
  20. Uncheck the inheritance permission “Inherit from Parent Folder” and click OK
  21. Click Close to close the Security dialog

Advanced Users have same functional access as Intermediate, their difference is the ability to save to public folders. This is set in the following section.

Define Functional Access for Public Folders

We define default permissions to top level folders to the functional groups and these will inherit down to the application folders that a user has access to.

     

  1. Logon to CMC as Administrator and navigate to Folders
  2.  

  3. From the Manage menu select Top Level Security, All Folders.
  4. Click OK to warning message
  5.  

  6. Click Add Principals, select Standard Users and click Add and Assign Security.
  7.  

  8. Click Advanced tab and click Add/Remove Rights.
      For Standard Users we want to enable minimum rights including ability to Refresh documents.
  9.  

  10. No changes are required to General section so expand the Content node in left hand menu and select Crystal Reports.
  11.  

  12. Update the following rights to granted and click Apply
          Download files associated with the report
          Export the report’s data
          Print the report’s data
          Refresh the report’s data
  13.  

  14. Select the node Note and grant permission to allow discussion threads.
  15.  

  16. Click Apply
  17.  

  18. Select Web Intelligence node and grant the following rights. Click apply once done
          Download files associated with the object
          Export the report’s data  
          Refresh List of Values  
          Refresh the report’s data  
          Save as CSV
          Save as Excel
          Save as PDF
          Use Lists of Values
          Note, the two rights we are not allowing are Edit Query and View SQL.
  19.  

  20. Click OK and then OK again to return to the User Security dialog.
          Intermediate Users have same permissions at folder level as Standard Users but we also allow the user to copy a document to their local folder and to edit queries in a report.
  21.  

  22. Click Add Principals, select Intermediate Users and click Add and Assign Security.
  23.  

  24. Click Advanced tab and click Add/Remove Rights.
  25.  

  26. In the General section update the right “Copy objects to another folder” to granted. Click apply
  27.  

  28. Expand Content and select Web Intelligence Report and grant permission for Edit Query to granted.
      Note, since the Intermediate group is inheriting from Standard Users we see that some rights are already. See screenshot below
  29.  

  30. Click OK

Security Rights for Web Intelligence

Our requirement for Advanced Users is to allow those users to save new documents to the public folder for the applications that they have access to.

If we grant this permission at root level then an Advanced user can save a document to this root level which is not what we want. So we need to set the Advanced Users permissions to at the BI application level.

To simplify this and to ensure that we apply same settings to all application folders we define a custom access level that we can then set for the Advanced User at the application folder.

Create Custom Access Level for Advanced Users

To create a custom access level,

     

  1. Logon to the CMC as Administrator and navigate to Access Levels
  2.  

  3. Click the icon to Create a New Access Level
  4.  

  5. Enter a name “Advanced User Folder Rights” and a suitable description “Applies advanced user functional rights to a folder” and click OK
  6.  

  7. Select the newly created access control in the list and from the Action menu select Included Rights
  8.  

  9. Click the Add/Remove Rights button
  10.  

  11. We only need to update the rights under the General node and we set the following rights to granted,
      Add objects to the folder
      Copy objects to another folder
      Delete objects that the user owns
      Edit objects that the user owns
      Note, the edit and delete only apply to objects that the user owns, i.e. objects (documents) that the user has saved to the folder themselves.
  12. Click OK to save these changes and we should be left with the screen shot below,
  13. Click close to close this window

 Creating custom access levels

We can now apply this access level to each application group. This is done in the activities below.

Create the BI Application Security Model

Overview

Here we look in detail at how to set up security to define a BI application in SAP BOE.

The BI application requires the creation of 3 security areas,

     

  • a user group that defines which users have access to the application
  •  

  • a public folder in which application documents can be shared
  •  

  • a universe folder that controls access to the universes of the application

Below are the steps required to create these items and setup their security.

In this example we will create a user group called “Financial Analysis Users”, a public folder called “Financial Analysis” and a universe folder called “Financial Analysis Universes”.

Create the BI Application’s User Group

All members of this group will have access to the BI application, that is, they will have access to the BI Application’s public folder and universes.

To create the user group

     

  1. Logon to the CMC as Administrator and navigate to Users and Groups
  2.  

  3. Make sure Group Hierarchy is selected and either click Create New Group icon
  4.  

  5. Enter a group name “Financial Analysis” and provide a description and click OK
      The name should reflect the application name the description should indicate what the group enables the users to do: “Members of this group have access to the Financial Analysis BI application”
  6.  

  7. Click OK to close the dialog and return to the original screen.

Create the BI Application Report Folder

 

Having created the user group we now create the BI application’s top level public folder for the reports. Once the folder is created we then only allow the applications user group access to the contents of the folder. And finally we apply the Advanced User custom access level for the Advanced Users functional group.

To create the folder,

     

  1. In the CMC select Folders from the navigation menu
  2.  

  3. Select All Folders in the left hand menu
  4.  

  5. Click the new folder icon or select Manage, New, Folder
  6.  

  7. Enter a name for the folder ‘Financial Analysis’
  8.  

  9. Select the newly created folder from the left hand menu and select Manage, Properties
  10.  

  11. Provide a suitable description that describes the BI application in general: “The Financial Analysis application allows reporting and analysis of budgeting and forecasting financial information.”
  12.  

  13. Click Save (not Save & Close) and from the left hand menu select User Security.
  14.  

  15. Select Everyone group and click Assign Security button
  16.  

  17. Uncheck the inheritance option Inherit From Parent Folder and click OK
  18.  

  19. Click Add Principal
  20.  

  21. From the next screen select the Groups radio button and select the group we created above: ‘Financial Analysis Users’.
  22.  

  23. Click the > button to move the group to the right hand list. Click Apply
  24.  

  25. Click Add and Assign Security button
          Here we want all members of this group to be able to view this folder and the contents of the folder. What they can then do with this folder is controlled by membership of the functional groups.
  26.  

  27. Check on the inheritance option Inherit From Parent Folder and click Apply.
  28.  

  29. Select View from the Available Access Levels and click the > button to assign the access level and click Apply
  30.  

  31. Click OK
          Finally we must also apply the Advanced Users functional access rights to this folder.
  32.  

  33. Select the Advanced Users group and click Assign Security
  34.  

  35. Select the custom access control level we created earlier Advanced User Folder Rights and click the > button to add the right to the Assigned Access Level list.
  36.  

  37. Click OK to apply the setting. We should now have a set of groups with different access to this folder.
  38.  

  39. Click OK to close the dialog.

Create the BI Application Universe Folder

Lastly we create a folder in which all universes of the application are to be placed.

  1. Logon to the CMC as Administrator and navigate to Universes
  2. Select the webi universes folder in the left hand menu
  3. Click the new folder icon or select Manage, New, New Folder
  4. Enter a name “Financial Universes” for the folder
  5. Select the newly created folder and then select Manage, Properties
  6. Update the description field with a description that describes the universes in the folder: “These universes provide access to the data marts of the Financial Analysis application”
  7. Click Apply and select User Security from the left hand menu
  8. Click Add Principals
  9. Select the appropriate application group “Finance Users” and use the > button to move the group to the right hand list
  10. Click Add and Assign Security button
  11. Click Advanced tab, then Add/Remove Rights button
  12. Under the General section update the right “View Objects” to explicitly grant and click Apply
  13. Expand System and update the rights Data Access and Create and Edit Queries Based on Universe to granted.
  14. Click OK
  15. Click OK to close the Assign Security dialog
  16. then click Close to return to the main Universe screen.

Above we had to modify individual rights on the universe folder. If we are creating many applications then we’ll need to make the same changes for each BI application universe folder. It would be preferable then to make use of a custom access level called say “View Universe” that can be set to grant these same rights. This then simplifies the process and also ensures consistency across applications.

Conclusion

Although that seems like quite a lot of work it is reasonable straightforward to implement. What is important is that you document all the security settings made, this helps with troubleshooting and maintaining the security model.

In addition it is also importantly to conduct unit testing of any implemented security model. Security models should be developed in a Dev environment and then promoted to a test environment using BIAR file or the Life Cycle Management tool. Security Models should never be implemented directly into a production system.

Hopefully this article gave you some ideas on what to do when implementing a security model, what areas to consider and the impact of some of the settings.

To report this post you need to login first.

8 Comments

You must be Logged on to comment or reply to a post.

  1. Atul Chowdhury
    Al –

    Great, GREAT write-up on XI3.x security.  I’ve actually thought about packaging a pre-configured CMS – much like the eFashion database people use today, but for developing fluency in security and administration concepts.  While I have sample data/usergroups/structures, until now I’ve struggled with how to layer security, but I’ll take the approach described here and see how it works out.  Nice work.

    Atul

    (0) 
  2. D J
    when i implemented this model & created a user under financial analysis user group but i am getting error message saying “session closed.(Error: INF)” Please advise what is this error and what needs to be done with this.
    (0) 
  3. Marta Perez Romero
    Hi Al!

    First of all, I found this post very very useful.

    I am implementing a BO platform (BOE XI3.0) in my company and had some trouble when building the security model.

    After reading everything I could online I came to this post you published in SAP Comunity Network Blogs (http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18728).

    I found this Type III Model quite adequated to my required structure, so I followed the instructions step by step (again thanks very much for the clarity).

    Now, once setup there are a couple of things that are not working as I wish. Maybe I missed something or there´s something else I still need to do:
    1) So I finish ALL the steps and have things set as you described. Next point I guess is to create the users in the system so I go to Users and Groups -> User List and create 3 different users: “Financial_Analysis_User_Standard”, “Financial_Analysis_User_Intermediate” and “Financial_Analysis_User_Advanced”.
    Then I add the first user to these two groups (Standard Users and Financial Analysis Users). Second user added to Intermediate Users and Financial Analysis Users groups and the last one added to Advanced Users and Financial Analysis Users groups.
    This obviously means that for each user in my system I want them to belong to a “thematic” area (Financial Analysis in your example) and be assigned a specific level (Standard, Intermediate or Advanced).
    So I do this with all my users, and therefore after this each user belongs to at least 2 groups (the theme group and level group).
    Fine! But… when I access Infoview with each of these three users, this is the result:
    – “Financial_Analysis_User_Standard”: access, click on Document List and see only “Public Folders” and nothing behind it.
    – “Financial_Analysis_User_Intermediate”: access, click on Document List and see only “Public Folders” and nothing behind it.
    – “Financial_Analysis_User_Advanced”: this one works well: can see the Financial Analysis folder, all the documents and subfolders inside.

    So how I can do to say that a specific user is only standard or intermediate?

    2) A problem with analytics created on the system: when I access with the “Financial_Analysis_User_Advanced” user, I see the Finacial Analysis folder and all the documents. I can view any of them, drill down in WebI documents, refresh Crystal documents, but I can´t:
    – When I create a new WebI document, I select the universe, then I get the WebI rich client, add a query, select the fields and when I click on Run query I just get an empty table. No data, nothing. But I can click on refresh data and I don´t get any error, it seems to be retrieving but the result is just no data. It also correctly saves the document on any public folder I select, and deletes it after.
    – When I want to view an Analytic that is already in the folder I also get the empty analytic. For example, I have some analytics added to a Dashboard. When I open the dashboard, I just see the spaces on the canvas with the name of the chart but nothing else. Same when I individually open each of the analytics.
    – When I want to create a new analytic, I get the “Select the type of analytic you want to create”, I select for example Traffic Light, select Universe Query and get the full list of universes I have. Choose the Measure to display, the dimensions, etc, no problem there but when I click on OK the result is just nothing: an empty screen where I can only read “Traffic Light” and “Add to My Dashboard”, “Edit”, “Email”, “Save” (disabled), “Save As” and the blue refresh button.

    I want advanced users to be able to create analytics, dashboards and webi docs and see the analytics and dashboard contents that are already create.

    What I am missing, any suggestion?

    Thanks a lot for your help 🙂
    Marta

    (0) 
    1. Alastair Gulland Post author
      hi

      I’m not certain what is the problem with your first question. under the type III model I described above any user who is in the Financial Analysis group should have access to the Financial analysis folder – see section “Create the BI Application Report Folder” for how this is setup.

      So I’m not sure what has gone wrong – you have three users all belonging to Financial Analysis group and al should see the Financial analysis folder. 

      It sounds like you’re unit testing your security model here. It is useful to do this in a more specific manner, for example, test the functional security first and check that it meets your requirements – the bullet points in section “Create Functional Access Groups”. Then seperately test application access. Then test the combination. this will help you pin point where something has gone wrong.

      For your second question and the report with no data, first execute the SQL for the report against source database and check that you get results. if you do check that report doesn’t have any filters that will filter out all results. Also test using Administrator account – does report show data this time?

      Your other two questions sound like they’re related to performance manager, last time I used performance manager it required as specially built metrics universe to drive the analytics, I think it is still the same.

      regards

      AL

      (0) 
      1. Marta Perez
        Hi Al,

        Thanks very much for your answer.

        Still stuck at the first point. I understand it does not make sense that a standard user can´t see any folder behind the root but if he is advanced then he can…
        I had another security model in place before, so maybe there is something I changed for the everyone group, maybe, that is avoiding this to work properly.
        Would you know by any chance which are the defaults values for the Everyone group as you first install BO?.

        Second problem. This is actually the most critical one.
        Yes, I executed the SQL against source database and it gave me data.  No filters at all. Also, the Administrator account works perfectly, when looging as Administrator I see all the analytics I have, I create a webi and get data from the universes, etc.
        So yes, looks related to performance manager, maybe. Do I need to configure performance manager under Applications as I did with WebIntelligence?

        I did and the problem is still there.

        Also, checked the Connections tab, groups are set as discribed in your article, same with Universes folders.

        I don´t understand why, if I login as Finantial User (advanced):
        – I can view a webI which is in a folder, I can refresh the data against the universe, I can click on edit, and then edit query, and then get the results.
        Whereas:
        – I can create a WebI, connect to the same universe as the document before, add the same query I refreshed in the document before, but when running it, no data is retrieved (no error, just blank).
        Again, I am able to retrieve data from a webI that was already created, but if I create a new one, with the same universe and query, then I don´t get anything.

        Is this normal?

        Thanks a lot!
        Marta

        (0) 
        1. Alastair Gulland Post author
          Hi,

          Its unusual that one user running a query gets no results while administrator does when essentially it is same SQL being executed against the database.  My only thought is that somehow in these two cases the report is executing against different databases – dev and production say.  There are 2 things that can cause this:

          Firstly you have two universes of the same name (but in different folders) and the normal user and
          administrator are accessing different universes. Each universe is using a different connection
          pointing to different databases. So check if you do indeed have two universes of same name, also check if you have two or more connection objects on server that point to same database in different environments (dev/test/prod etc).

          The second cause is that in the universe you are using there is access restrictions that define two groups to use different connections. In Designer this is accessed via Tools > Manage Security > Manage Access Restrictions. Check for this.

          Also normally when a report doesn’t return any rows you get a message saying “no data found”. Are
          you getting this? If not then you are getting data it is just not getting displayed and you’ll need to investigate why not.

          Other than this I can’t think what could be going wrong. If possible you may want to check database
          activity when running the report using each account. You could try posting this issue on other
          forums as someone else may have seen the same problem.

          The article here is an example of how to setup a security model and it assumed that you would be
          working on a clean install. it sounds like you already had some security settings in place? And what may have happened is that these are now conflicting with the model described in this article.

          Troubleshooting security issues is not at all easy but there are some techniques you can use to
          help.

          My first piece of advice is to fully document everything in a word doc or a spreadhseet. This gives you a baseline of what security is in place and when you make changes you can track what those
          changes are.

          Secondly have a well defined unit test plan such that if you make a change you can then test the
          system to see if that change has worked and has not adversely impacted any other area.

          Lastly always implement security in development system, test it and then when its working export to production. never change anything directly in production.

          You can use the Security Query feature in the CMC to check how a security setting is affecting a
          user or group. this is explained in the administrator’s guide in the section “Checking security settings for a principal” under “Setting Rights”.

          Hopefully that gives you some ideas of how to investigate the issue

          regards

          AL

          (0) 
  4. Abani Pattanayak

    Very detailed explanation. Thanks for putting this together. This is equally applicable for BI 4.x as well.

    Please consider updating the article for BI 4.x or post a new one.

    (0) 
  5. Ladislav Varga

    Good afternoon to everyone,

    what roles/ rights has to have user for ability to upgrade the BOXI/ BOBI itself?

    I mean, I need to revoke  full rights from Administrator account and setup it for being able to install/ upgrade the BOXI/ BOBI, only. And do not allow him to read any reports except default ones (eFashion) for example.

    Thank you very much.

    (0) 

Leave a Reply