Business Objects Enterprise XI 3.0 / 3.1. For more information, see the SAP Business Objects Solutions homepage.
Unlike SAP systems, Business Objects Enterprise XI 3.0/3.1 does not comprise Roles, Profiles and Authorization objects. Security in Business Objects differs from SAP and consists of folder-level security, application security, object-level security and inheritance concepts. This document begins with a simple example of how to create users and user groups, and ends with creating access levels and basic troubleshooting techniques using the Security Query.
Author(s): Shikha Baxi, Dhiraj Wamanacharya & Milind Desai
Company: IBM India Pvt. Ltd
Created on: 18th May 2011
User and User Group Creation:
Users in Business Objects are of various types, and a user can log in to Business Objects (CMC or InfoView) using the particular authentication type with which the user was created. The authentication types are:
3. Windows AD
The document covers Enterprise and SAP user administration from the above list.
Creating an Enterprise User:
The example below illustrates how to create an Enterprise user in Business Objects.
Log in to CMC -> Go to Users and Groups
To create a new User click on and for User group creation click on
Select the Authentication Type in the next screen and maintain the required fields.
1) Authentication Type as Enterprise:
2) Authentication Type as SAP:
When the Authentication Type is SAP (secSAPR3), you only need to maintain the Account Name as <SAP SID>~<Client No.>/<SAP User ID>.
The user will log in to Business Objects using their SAP login credentials.
Concurrent: This user belongs to a license agreement that states the number of users allowed to be connected at one time.
Named: This user belongs to a license agreement that associates a specific user with a license. Named user licenses are useful for people who require access to Business Objects Enterprise regardless of the number of other people who are currently connected.
Click Create & Close.
“Administrator” is the default user that comes along with the Business Objects installation.
User Group Creation:
A user group is a collection of users who require the same kind of authorization. Instead of assigning authorization to every new user that is created, we can create a user group, assign the requisite authorization to it, and later simply assign the user to that user group.
Click Create User group:
Name the User Group:
To add a user to the group, click (Add member to user group).
You can add a newly created or existing group to another group, and you can also assign a user to a group.
Administrators and Everyone are the default groups that come along with the Business Objects installation.
Importing Roles from the backend SAP system:
Let us continue with how to import roles, which in turn imports users from a backend SAP system into the Business Objects system.
Log in to the CMC, click Authentication -> SAP
Click the Options tab, check the field Automatic import User and click Update.
Since your Business Objects system is connected to a backend SAP system, you can see a list of roles in the left pane which belong to the SAP system. You can now import the roles from the backend SAP system into the Business Objects system: select the role in the left pane and click to import the roles, then click Update:
When a role is imported, all the users assigned to that role in your backend SAP system are also imported into the Business Objects system.
Here, PBW is our SAP system Id, while 100 is the client number from where the users arrive, hence the naming convention: PBW~100 /
If a user should be created in Business Objects automatically whenever the user is assigned in the backend to a role that is already imported in Business Objects, you should also check Force Synchronization under the Options tab and click Update:
Now, when a user gets assigned to a role in the backend, you only need to click the Update button under the Role Import tab and the user will be created in the Business Objects system. The next section describes how to automate this activity as well.
Schedule an SAP Authentication Role / Group update in Business Objects XI 3.1 using a Java program object:
To schedule (automate) the updating of SAP Users in the Business Objects system, you need to follow the steps mentioned below:
1. Download the SAPUpdate.jar file from SAP Note 1406037
2. Unzip the file
3. Log in to Business Objects CMC -> Folders -> Manage -> New folder called Objects
4. Select the folder “Objects” and click on Manage | Add | Program File
5. Choose Java as the Program Type and add SAPUpdate.jar
6. Right click on SAPUpdate within your Objects folder and choose Properties | Default Settings | Program
Specify as “Class to run:” sapupdate.Main
Use “Run Now” and schedule the Program Object.
Set the Recurrence for this Program as desired.
Under Authentication tab -> Options, you need to check the fields Automatic import User and Force User Synchronization.
Go to Authentication tab -> select Role and Import, click Update.
Now, an SAP user will be imported every time it is created and assigned a role in the SAP system that is already imported in the Business Objects CMC. As such, there is no need to create a user in the Business Objects CMC every time a new user is created in the SAP system.
Note: This statement assumes that every user created in the SAP system needs to be created in the Business Objects system. If not all users are required in the Business Objects system, the role that is imported into the Business Objects system should not be assigned to such users in the SAP backend.
Access Levels in Business Objects:
Pre-Defined access levels:
There are four default access levels that come along with the Business Objects Installation for securing the content. These levels are explained as below:
1. Full Control: A principal has full administrative control of the object.
2. Schedule: A principal can generate instances by scheduling an object to run against a specified data source once or on a recurring basis.
3. View: If set on the folder level, a principal can view the folder, View objects within the folder, and each object’s generated instances.
4. View on Demand: A principal can refresh data on demand against a data source.
5. No Access: The user or group is not able to access the object or folder.
To see what rights are included in an access level, go to CMC -> select Access Level, right click -> Included Rights
Custom Access Levels:
In addition to the predefined access levels, you can also create and customize your own access level, which can greatly reduce administrative and maintenance costs associated with security.
How to create access levels: Log in to CMC -> Select Access Levels.
Maintain Title and Description:
To include rights in an access level, select the access level, right click -> Included Rights
Click Add/Remove Rights:
You will be able to see four types of rights collections in the left panel namely:
By default you will be guided to the “General Global rights” window. Now set your general global rights:
Each right can have a status of:
• Granted
• Denied
• Not Specified
You can also choose whether to apply these rights to the object only or to their sub-objects only, or both.
To set type-specific rights for the access level, in the navigation list, click the Rights collection, and then click the Subcollection that applies to the object type you want to set the rights for.
Folder level Security:
Folder-level security enables you to set access-level rights for a folder and the objects contained within that folder. While folders inherit security from the top-level folder (root folder), subfolders inherit the security of their parent folder. Rights set explicitly at the folder level override inherited rights.
To set folder level security:
1. Log in to CMC -> Select Folders
2. Right click on the particular folder & select User Security.
Select the Principal (user / group) you wish to add:
On the same screen in the bottom right corner click:
Provide the requisite Access Level to this Principal. Here we have provided “Full Control” to the “Basis_Monitors” group.
Click Apply, and then Click OK.
To view what access has been provided to the Principal, click “View Security”.
Top Level Security:
The example below shows how Top Level Security can be assigned to a principal against the Business Objects Servers:
Manage the Top Level Security for Servers:
1. Log in to CMC -> Servers -> Manage
2. Select Top Level Security -> All Servers / All Server Groups.
If your Principal is a part of multiple groups, you can avoid a “Conflict of Rights” by unchecking:
1. Inherit From Parent Folder
2. Inherit From Parent Group.
Now, provide access/advanced level security as required.
Application Level Security:
Users need access to particular Business Objects applications to perform their jobs effectively. As a Business Objects Administrator you are responsible for setting appropriate application security levels according to the needs of your organization.
Application security is used to control the functionality that users and groups have to the Business Objects Enterprise applications. The Manage area of the CMC allows you to control access for the following Business Objects Enterprise applications:
Manage CMC User Security:
To Manage CMC security:
Log on to CMC -> Click Applications -> Select CMC
Now right click and select User Security.
Click Add Principals:
Select the principal for which you want to assign security.
On the same screen in the bottom right corner click:
Now assign the security as required:
Now click “View Security” on the next screen to check what access has been provided to the “test” user:
Similarly, you can manage security and access for the rest of the applications.
Advanced Rights:
You may sometimes need to override certain granular rights in an access level. Advanced rights let you customize the rights for a principal on top of the access levels the principal already has.
There are three types of rights, as explained earlier:
• Granted
• Denied
• Not Specified
• In general, the rights that are set on child objects override the rights that are set on parent Object.
• In general, the rights that are set on subgroups or members of groups override the rights that are set on groups.
If a user belongs to more than one group, and there is a conflict in rights assignments between the groups to which the user belongs, the Denied (D) right wins over a Granted (G) right, and the Granted (G) right wins over a Not Specified
Case Study I: (Advanced Rights)
This case study explains how advanced rights are used.
Consider an example where your user needs to have the following access:
i) Needs to be provided no access to any folder or report,
ii) Needs to have access to schedule a report (Material Plant),
iii) Needs to view, pause and resume its scheduled instances,
iv) Needs to be restricted from deleting an instance and viewing a report.
We proceed as below:
1. Maintain No Access at root level security at Folders:
2. Select the Material Plant report and click User Security
Break inheritance and click Advanced tab -> Add/Remove Rights
Once done, you are able to view the General global rights. Now maintain the rights by clicking the radio buttons for Granted, Denied or Not Specified:
• Select the Grant radio button to provide access to schedule a report, and to view, pause and resume its scheduled instances.
• Select the Deny radio button to deny access to any folder or report, and to deny viewing and deleting a report.
Rights are divided into the following collections based on the object types they apply to:
• You can also allow the rights to be applied to a sub-object by checking the Object and Sub Object check boxes next to the Rights column.
• The Object and Sub Object check boxes are enabled only after you click the Grant or Deny radio button. You can then maintain the scope of the rights.
• If you want to apply a right only to a folder and not to its subfolders, uncheck the Sub Object check box.
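The precedence rules listed under Advanced Rights (child objects over parent objects, members over groups, Denied over Granted over Not Specified) can be traced with a small model. This Python sketch is an added example, not part of the original document or of Business Objects itself; the right names, the "Schedulers" group and the evaluation order (nearest object level first) are assumptions made for illustration.

```python
# Simplified model of the three precedence rules stated above; it is not the
# CMS's actual algorithm. Assumption: the nearest object level is checked first.
G, D, NS = "Granted", "Denied", "Not Specified"

def combine(statuses):
    """Conflict between several groups: Denied beats Granted beats Not Specified."""
    if D in statuses:
        return D
    return G if G in statuses else NS

def principal_status(acl, principal, right, member_of):
    """Status for a principal on one object: its own explicit setting wins,
    otherwise the combined result of the groups it belongs to."""
    own = acl.get((principal, right), NS)
    if own != NS:
        return own
    parents = member_of.get(principal, [])
    return combine([principal_status(acl, g, right, member_of) for g in parents])

def effective_right(obj, principal, right, acls, parent_of, member_of):
    """Walk from the object up to the root; the first level that yields
    Granted or Denied wins (child objects override parent objects)."""
    while obj is not None:
        status = principal_status(acls.get(obj, {}), principal, right, member_of)
        if status != NS:
            return status, obj
        obj = parent_of.get(obj)
    return NS, None

# Constructed sample data, loosely following Case Study I.
PARENT_OF = {"Material Plant": "Root Folder", "Root Folder": None}
MEMBER_OF = {"test": ["Basis_Monitors", "Schedulers"]}  # "Schedulers" is hypothetical
ACLS = {
    "Root Folder": {("Basis_Monitors", "View"): D, ("Basis_Monitors", "Schedule"): D},
    "Material Plant": {
        ("Schedulers", "Schedule"): G,
        ("Schedulers", "Delete instance"): G,
        ("Basis_Monitors", "Delete instance"): D,
    },
}

def report(principal, obj):
    """Effective status and the object it came from, per right."""
    rights = ["Schedule", "View", "Delete instance"]
    return {r: effective_right(obj, principal, r, ACLS, PARENT_OF, MEMBER_OF) for r in rights}

if __name__ == "__main__":
    for right, (status, source) in report("test", "Material Plant").items():
        print(f"{right:16} {status:14} from {source}")
```

The second element of each result plays the role of the Source column in a Security Query: a source other than the queried object means the right was inherited.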
Due to the complexities inherent in a security system as complicated as Business Objects Enterprise XI 3.1, system administrators sometimes find it difficult to pinpoint where a particular user right is inherited from.
Security queries let you determine which objects a principal has certain rights to and enable you to manage user rights:
In the earlier part of our case studies we created a group called “Basis_Monitors”. In this exercise we will find out what access Basis_Monitors has on Servers using the “Security Query”. For this:
Logon to CMC -> Select Query Results
Now select Security Queries -> Right click Create Security Query.
Provide the required inputs, such as:
i) Principal (Basis_Monitors).
ii) Check /Uncheck Query Permission as per the requirement.
iii) Select the Query Context (Servers)
After selecting the required parameters click OK.
The next screen shows what access the principal has on the Query context.
You can also click on the Source column to view where the Principal is obtaining its access from:
If the source is shown along with (Inherited), the access comes either from the parent group or from the parent folder.
For more information, visit https://www.sdn.sap.com/irj/sdn/nw-bi