Securing Business Objects Content – Folder Level, Top Level and Application Security
Business Objects Enterprise XI 3.0 / 3.1, for more information, SAP Business objects Solutions Homepage.
Unlike SAP systems, Business Object Enterprise XI 3.0/3.1 do not comprise of Roles, Profiles and
Authorization objects. Security in Business Objects is different than SAP and it consists of: Folder level
security, Application Security, Object Level Security and inheritance concepts. This document begins with
simple example on how to create users, user groups and ends with creating access Levels and basic
troubleshooting techniques using the Security Query.
Author(s): Shikha Baxi Dhiraj Wamanacharya & Milind Desai
Company: IBM India Pvt. Ltd
Created on: 18th May 2011
Shikha Baxi,Dhiraj Wamanacharya & Milind Desai are working with IBM and have more than 3.5 yrs of experience in SAP
Administration, Security, and have been extensively working in Business Objects in the area of
implementation and upgrade.
User and User Group Creation:
Users in Business Objects are of various types, and a user can login to Business Objects (CMC or InfoView)
using that particular authentication with which it has been created. The authentications are:
- 1. Enterprise
- 2. LDAP
- 3. Windows AD
- 4. SAP
The document covers Enterprise and SAP user administration from the above list.
Creating an Enterprise User:
The example below illustrates “How to create an Enterprise user” in Business Objects.
Login to CMC _ Go to Users and Groups
Select the Authentication Type in the next screen and maintain the required fields.
1 ) Authentication Type as Enterprise :
2) Authentication Type as SAP :
When Authentication type is SAP (secSAPR3) then you only need to maintain Account Name as
<SAP SID>~<Client No.>/<SAP User ID> .
User will login in Business Object Using his SAP Login credentials.
Concurrent – This user belongs to a license agreement that states the number of users allowed to be
connected at one time.
Named : This user belongs to a license agreement that associates a specific user with a license. Named
user licenses are useful for people who require access to Business Objects Enterprise regardless of the
number of other people who are currently connected.
Click Create & Close
“Administrator” is the default user that comes along with the Business Objects installation.
User Group Creation:
The user group is a collection of users who require same kind of authorization. So instead of assigning
authorization to every new user that is created, we can create a user group and assign the requisite
authorization to it, and later simply assign the user to that particular user Group.
Name the User Group:
You can add a newly created or existing group to some other group while you can also assign a user to a
Administrators and Everyone are the default groups that come along with the Business Objects installation.
Importing Roles from the backend SAP system:
Let us continue with ‘How to import roles’, which in turn import users from a backend SAP system to the
Business Objects System’.
Login to the CMC, Click Authentication _ SAP
Click the Options tab, now you need to check the field Automatic import User and click Update
Since your Business Objects System is connected to a Backend SAP System you are able to see a list of
Roles in the left Pane which belong to the SAP system. You can now Import the roles from the Backend SAP
roles then click Update :
When a role is imported all the users assigned to that role in your backend SAP system, will also get
imported into the Business Objects system.
Here, PBW is our SAP system Id, while 100 is the client number from where the users arrive, hence the
naming convention: PBW~100 /
Whenever a user assignment is done to a role in backend (already imported in Business Objects) and user
should get created in Business Objects automatically, then you should also check Force Synchronization
under Options tab and click Update:
Now when a user get assigned to a role in backend , only you need to click Update button under Role
Import tab and the user will get created in the Business Objects system. To automate this activity also, we
have elaborated the step in the next section.
Schedule a SAP Authentication Role / Group update in Business Objects XI 3.1 using a java program
To schedule (automate) the updating of SAP Users in the Business Objects system, you need to follow the
steps mentioned below:
1 .Download SAP Update. jar file from SAP Note : 1406037
2. Unzip the file
3. Login in Business Objects CMC ->Folders–>Manage_New _ folder called Objects ,
4. Select the folder “Objects” and click on Manage | Add | Program File
5. Choose as Program Type as Java and add SAPUpdate.jar
6. Right Click on SAPUpdate within your Objects folder and choose Properties | Default Settings | Program
Specify as “Class to run:” sapupdate.Main
Using the “Run Now” and schedule the Program Object
Set the Recurrence for this Program as desired.
Now, the SAP user will get imported every time when it is created and assigned the role in the SAP system
which is already imported in Business Objects CMC. As such, there is no need to create a user in the
Business Object CMC every time a new user is created in the SAP system. .
Note: The statement assumes that every user which is created in the SAP system needs to be created in
Business Objects system. Else,if all the users are not required in the Business Objects system , the role
which is imported in the Business Objects system should not be assigned to such users in the SAP backend.
Access Levels in Business Objects:
Pre-Defined access levels:
There are four default access levels that come along with the Business Objects Installation for securing the content. These levels are explained as below:
1. Full Control: A principal has full administrative control of the object.
2. Schedule: A principal can generate instances by scheduling an Schedule object to run against a
specified data source once or on a recurring basis.
3. View: If set on the folder level, a principal can view the folder, View objects within the folder, and
each object’s generated instances.
4. View on Demand: A principal can refresh data on demand against a data source.
5. No Access: The user or group is not able to access the object or folder.
To see what rights are included in an access level; go to CMC -> select Access Level, right click -> Include
Custom Access Levels:
In addition to the predefined access levels, you can also create and customize your own access level, which
can greatly reduce administrative and maintenance costs associated with security.
How to create access levels: Login to CMC _ Select Access Levels.
Maintain Title and Description:
To include rights in an access level, select the Access level, right click -> included rights
Click Add/Remove Rights:
You will be able to see four types of rights collections in the left panel namely:
By default you will be guided to the “General Global rights” window. Now set your general global rights:
Each right can have a status of:
- Not Specified.
You can also choose whether to apply these rights to the object only or to their sub-objects only, or both.
To set type-specific rights for the access level, in the navigation list, click the Rights collection, and then
click the Subcollection that applies to the object type you want to set the rights for.
Folder level Security:
Folder-level security enables you to set access-level rights for a folder and the objects contained within that
- folder. While folders inherit security from the top-level folder (root folder), subfolders inherit the security of
their parent folder. Rights set explicitly at the folder level override inherited rights.
To set folder level security:
1. Login to CMC _ Select Folders
2. Right click on the particular folder & select User Security.
Select the Principal (user / group) you wish to add:
On the same screen in the bottom right corner click:
Provide the requisite Access Level to this Principal. Here we have provided “Full Control” to the
Click Apply, and then Click OK.
To View, what access has been provided to the Principal click “View Security”
Top Level Security:
The below example shows, how Top Level Security can be assigned to a principal against the Business
Manage the Top Level Security for Severs:
1. Login to CMC -> Servers-> Manage
2. Select Top Level Security _ All Servers/ All Server Groups.
If your Principal is a part of multiple groups and to avoid “Conflict of Rights” you can uncheck the:
- 1. Inherit From Parent Folder
- 2. Inherit From Parent Group.
Now, provide access/advanced level security as required.
Application Level Security:
Users need access to particular Business Objects applications to perform their jobs effectively. As a
Business Objects Administrator you are responsible for setting appropriate application security levels
according to the needs of your organization.
Application security is used to control the functionality that users and groups have to the Business Objects
Enterprise applications. The Manage area of the CMC allows you to control access for the following
Business Objects Enterprise applications:
Manage CMC User Security:
To Manage CMC security:
Logon to CMC -> Click Applications _ Select CMC
Now Right Click and select User Security.
Click Add Principals:
Select the principal for which you want to assign security.
On the same screen in the bottom right corner click:
Now assign the security as required:
Now Click “View Security” on the Next screen to check what access has been provided to “test” user:
Similarly you can manage Security, and access for rest of the applications.
Advance Rights :
You may sometimes need to override certain granular rights in an access level. Advanced rights let you
customize the rights for a principal on top of the access levels, the principal already has.
There are 3 Type of rights exist as explained earlier:
- Not Specified
• In general, the rights that are set on child objects override the rights that are set on parent
• In general, the rights that are set on subgroups or members of groups override the rights that are set on
If a user belongs to more than one group, and there is a conflict in rights assignments between the groups to
which the user belongs to, the Denied (D) right wins over a Granted (G) right, and the Granted (G) right wins
over a Not Specified
Case Study I: (Advanced Rights)
We will be explaining, how advanced rights are used through this Case Study:
Consider an example where your user needs to have following access:
i) Needs to be provided no access to any folder or report , ii) Need to have access to schedule a report
(Material Plant) , iii) Need to view, pause and resume its scheduled instances iv)Need to be restricted to
delete a instance and view a report.
We proceed as below:
2. Select the Material plant report and click User Security
Break inheritance and click Advance tab ->Add/Remove Rights
Once done, you are able to view the General global rights, Now maintain the rights by clicking on radio
buttons for grant denied or not specified
- Select the Grant radio button for providing access to schedule a report, view, pause and resume its
- Select Deny radio button to deny access to any folder or report, and to view, delete a report.
Rights are divided into the following collections based on the object types they apply to:
- You can also allow the rights to be applied to a Sub object, by checking the Object and Sub Object
check boxes, next to the Rights column.
- Only after you click grant or deny radio button, object and sub-object check boxes are enabled. Now
you can maintain the scope of rights.
- If you want to apply a right only for a folder and not for its sub folders, then uncheck sub-object check
Due to the complexities inherent in a security system as complicated as Business Objects Enterprise XI 3.1,
systems administrators sometimes find it difficult to pinpoint from where a particular user right is inherited.
Security queries let you determine which objects a principal has certain rights to and enables you to manage
In the earlier part of our Case studies we have created a group called “Basis_Monitors”. In this exercise we
will find out what access Basis_Monitors have on Servers using the “Security Query”. For this:
Logon to CMC -> Select Query Results
Now select Security Queries -> Right click _ Create Security Query.
Provide the required inputs like :
i) Principal (Basis_Monitors).
ii) Check /Uncheck Query Permission as per the requirement.
iii) Select the Query Context (Servers)
After selecting the required parameters click OK.
Now, the next screen appears showing the result regarding what access the principal has on the Querycontext.
You can also click on the Source column to view, from where the Principal is obtaining its access:
In case you see, the source along with (Inherited) it implies that access comes either from the Parent group
or from the parent folder.
- 1. http://help.sap.com/businessobjects/
- 2. http://www.sdn.sap.com/irj/sdn/sbo-solutions
- 3. http://www.sap.com/services/education/catalog/businessobjectstraining/businessintelligence
For more information, visit https://www.sdn.sap.com/irj/sdn/nw-bi
© Copyright 2010 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,
PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide WebConsortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document
serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP
Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an