Delegated administration in SAP BI 4.0 SP4
The responsibilities of a Business Intelligence Platform system administrator include managing a large number of documents, folders, users, servers, and other objects.
However, the administration effort for a large corporate environment may exceed the resources of a single administrator. A system administrator who wants to focus only on high-priority tasks can create delegated administrators and assign a subset of management tasks to them (for example, the administration of a department, or of tenant content when the BI platform is part of a SaaS application).
Unlike system administrators, delegated administrators can perform only a limited set of tasks and have fewer rights in the system. For example, delegated administrators can manage documents, or manage users for a department of a tenant. The most critical or advanced tasks are typically not delegated.
The Central Management Console (CMC) application has a large number of tabs. For example, the CMC has a “Folders” tab for document management, a “Users and Groups” tab for user management, a “Servers” tab for server management, etc. In previous versions of the SAP BI platform, delegated administrators had access to all available CMC tabs. This sometimes left delegated administrators confused and intimidated by the perceived complexity of administration: too many tabs and too many options were presented, even though they were never designed for use by the delegated administrator.
Since SAP BI 4.0 SP4, a system administrator can hide any CMC tab that a delegated administrator is not expected to use. For example, a delegated administrator in charge of content management may have access to the “Folders” and “Users and Groups” tabs, while all other tabs are hidden.
Note, however, that CMC tab access management only affects the visual appearance of the CMC user interface; hiding CMC tabs is not a security measure. It does not set or modify security rights on the objects within the tabs. To ensure that users cannot perform unauthorized operations on objects (for example, managing servers through the Central Configuration Manager or through third-party software built on the BI platform SDK), you must set appropriate security rights on the objects themselves (for example, on server objects). Hence it is recommended to always set proper security rights on the objects inside a CMC tab in addition to configuring CMC tab access. The out-of-the-box “Administrator” user always has access to all CMC tabs.
To grant a user access to a CMC tab, the administrator must grant both:
- CMC tab access
- The “View” right on the CMC tab’s top-level folder.
The following CMC tabs have a top-level folder: folders, personal folders, personal categories, categories, users and groups, profiles, inboxes, servers and groups, replication lists, federations, temporary storage, universes, (universe) connections, access levels, calendars, events, cryptographic keys, web service query, OLAP connection.
For improved system security, only members of the Administrators group can access the following tabs: settings, authentication, license keys, auditing, cryptographic keys, user attribute management, monitoring. To access these tabs the user must be a member of the “Administrators” group and must also have CMC tab access granted. Users who are not members of the Administrators group cannot access these tabs, even if CMC tab access is granted.
To ensure consistency with previous versions of the Business Intelligence platform, CMC tab access is initially unrestricted after the BI platform installation – any user who can access the CMC will have access to all available tabs.
To prevent users from accessing tabs to which they have no access rights, a system administrator can restrict CMC tab access:
- Log on to the CMC as Administrator.
- On the “Applications” tab, right-click Central Management Console and select CMC Tab Access Configuration.
- The “CMC Tab Access” window is displayed. Configure the CMC tab access rule.
- Click Save and Close.
Further, a system administrator can configure the tabs that a principal can access. To do so, navigate to the “Users and Groups” tab, right-click a principal and select CMC Tab Configuration. If CMC tab access is unrestricted, the following message appears:
WARNING: CMC tab access is unrestricted. Settings below do not take effect until CMC tab access will be restricted. To restrict CMC access navigate to Applications tab, select CMC and set CMC tab access to restricted.
You can still configure CMC tab access. However, the configuration will not take effect until you restrict CMC tab access.
Once the window opens, you can see the permissions for the principal; by default all rights are inherited. Select a tab row and the menu above the permissions/title area becomes active, allowing you to Grant, Deny or Inherit access to the selected tab.
In the “Configure CMC Tab Access” window, a table is displayed:
- ✔ or ✘ indicates which CMC tabs the principal can access.
- “Inherited” indicates that the CMC tab access was inherited from its parent user group(s).
- “Explicit” indicates that the CMC tab access right was explicitly specified on the principal level.
It is recommended to manage tab access at the user group level rather than the user level. This simplifies management and reduces the need for maintenance and troubleshooting.
Again, for tabs that have a top-level folder, the “View” right must be granted on the CMC tab’s top-level folder; otherwise the tab will not be shown to that user.
To simplify CMC tab management, you can create a set of delegated administrator user groups. You can then grant CMC tab access by making an existing user or user group a member of a delegated administrator user group, without configuring CMC tab access individually.
The following user groups may be created; the set can be modified for specific business needs.
|User Group|CMC Tabs Access Granted|
|System Administrators|Grant access to all tabs.|
||Grant access to Access Levels, Folders, Inboxes, Personal Folders, Personal Categories, Query Results, Sessions, and Users and Groups. Set all other tabs to Inherited.|
||Grant access to Calendars, Categories, Events, Folders, Instance Manager, Personal Categories, Personal Folders, Profiles, Query Results, and Universes. Set all other tabs to Inherited.|
||Grant access to Servers and Applications. Set all other tabs to Inherited.|
Membership in multiple groups results in the addition of rights where the rights are set to Inherited. CMC tab access rights and the permission to configure CMC tab access for others (discussed below) are both inherited in the same manner as other security rights.
If a principal has no rights specified, the principal will inherit the access rights of its user group. If a principal is a member of multiple user groups, tab access is calculated in the same manner as all other Business Intelligence platform rights are calculated.
For example, if access to a CMC tab is granted in one of the groups and denied in the other, the principal will not be able to access the CMC tab.
Modifying the CMC tab access right of a user group will result in the modification of the same right for all users or user groups that inherit CMC tab access from the user group, if their CMC tab access permission is set to “Inherited”.
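The resolution rules above, as an added example that is not code from the page or from the BI platform: a small Python model of how a principal's CMC tab access resolves from explicit and inherited settings, with the Administrators-only gate and the top-level folder “View” right applied on top. The combination rule (an explicit principal setting wins, a group left on Inherited defers to its parents, any Deny among the groups denies, otherwise any Grant grants) is an assumption read from the text, and the sample directory is constructed.

```python
# Tabs the page reserves for members of the Administrators group.
ADMIN_ONLY_TABS = {"Settings", "Authentication", "License Keys", "Auditing",
                   "Cryptographic Keys", "User Attribute Management", "Monitoring"}

def effective_setting(principals, name, tab):
    """Returns "grant", "deny" or None. An explicit setting on the principal wins;
    otherwise parent groups are walked, a group left on Inherited deferring to its
    own parents. Assumed rule: any Deny denies, else any Grant grants, else none."""
    explicit = principals[name]["tabs"].get(tab)
    if explicit is not None:
        return explicit
    result, todo = None, list(principals[name]["groups"])
    while todo:
        group = todo.pop()
        setting = principals[group]["tabs"].get(tab)
        if setting == "deny":
            return "deny"
        if setting == "grant":
            result = "grant"
        else:
            todo.extend(principals[group]["groups"])
    return result

def is_member(principals, name, target):
    """Direct or nested membership (group hierarchy assumed acyclic)."""
    return any(g == target or is_member(principals, g, target)
               for g in principals[name]["groups"])

def can_see_tab(principals, name, tab, restricted=True, view_on_top_folder=True):
    """Every gate the page describes; view_on_top_folder stands in for the View right."""
    if name == "Administrator":  # built-in account always sees every tab
        return True
    if tab in ADMIN_ONLY_TABS and not is_member(principals, name, "Administrators"):
        return False             # assumed to apply even while access is unrestricted
    if not restricted:           # default after install: everyone sees all tabs
        return True
    return effective_setting(principals, name, tab) == "grant" and view_on_top_folder

# Constructed sample directory (not from the page): users and groups share one dict.
SAMPLE = {
    "Administrators": {"tabs": {"Settings": "grant"}, "groups": []},
    "Content Admins": {"tabs": {"Folders": "grant", "Servers": "grant",
                                "Settings": "grant"}, "groups": []},
    "Tenant A": {"tabs": {"Servers": "deny"}, "groups": []},
    "Tenant A Admins": {"tabs": {}, "groups": ["Tenant A", "Content Admins"]},
    "alice": {"tabs": {}, "groups": ["Tenant A Admins"]},
    "bob": {"tabs": {"Servers": "grant"}, "groups": ["Tenant A Admins"]},
    "carol": {"tabs": {}, "groups": ["Administrators"]},
}
```

In the sample, alice loses “Servers” because “Tenant A” denies it even though “Content Admins” grants it, while bob's explicit Grant on his own account overrides that inherited Deny.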
In a large corporate environment, a system administrator may need to delegate CMC tab access configuration to a delegated administrator. Or, in a multitenant system, each tenant may have a delegated administrator responsible for managing CMC tab access for other users and user groups. To delegate this, navigate to the “Configure CMC Tab Access” window for the principal to whom you want to give the delegation right; at the top, “Permission to configure CMC tab access for other users or user groups” is displayed. The symbols have the following meaning:
- ✔ or ✘ indicates whether the principal has permission to configure CMC tab access for others.
- “Inherited” indicates that the access right was inherited from its parent user group(s).
- “Explicit” indicates that the access right was explicitly specified on the principal level.
More information about CMC tab access can be found in the Business Intelligence platform Administrator Guide.