Tutorial: How to secure the Top-Level Root Public Folder in BusinessObjects
With the release of SAP BusinessObjects XI 3.1, and this is still true today with SAP BusinessObjects BI 4.x, the default out-of-the-box rights given to the Everyone group are more secure. In the old days of SAP BOXI R2 and before, the Everyone group was able to do (too) many things, such as:
- Log on to the Central Management Console (yep! OK, with view rights only, but still… you could view server names, configuration, etc.)
- Log on to the InfoView
- View reports
This was a pain because the first thing you had to do after installing the software was go around and take a lot away (I’m careful not to use the word deny here).
Thankfully, this is a thing of the past, and yet nothing is perfect! Below is what a user outside of the Administrators group would see if they logged on to the InfoView / BI Launch pad after a clean installation. Notice the missing Top-Level Root Public Folder!
As it affects every installation, I frequently get asked about the above situation. It has been on my mind for a while to write something about it that I can easily reuse, but after stumbling on this article on SCN, which in my opinion is misleading and does not follow best practices, I have decided to finally do it! It won’t be a training course, but I’ll try to be as detailed as I can.
As always, the best strategy when creating a security model is to follow these simple rules:
- Start by making sure the Everyone group doesn’t have rights anywhere, using No Access (Not Specified rights)
- Create User Groups and add Users to those groups
- Assign rights for the User Groups (Principals) on the relevant objects (Granted rights)
- Never use the Denied rights
| Rights combined | Effective right |
|---|---|
| Not Specified | “Denied” |
| Granted + Not Specified | Granted |
| Granted + Denied | Denied |
Note: I have seen a post before where someone had a picture showing how the rights are calculated. I’ll be happy to add it here if someone finds it!
What we want to do is give just enough access for the Top-Level Root Folder to be visible without giving access to every subfolder. For this reason, we cannot use the View Access Level.
Once this is done, you then assign rights to the folders you want to give permissions to. This way you never have to take away (Deny) permissions.
Step by Step Tasks:
1. Log on to the CMC
2. Click on Folders
3. Open the “Manage” menu > Top-Level Security > All Folders
4. There will be a warning message. Click: OK
5. Highlight the “Everyone” Principal. Click: Assign Security
6. Click the “Advanced” tab
7. Click: Add/Remove Rights
8. Scroll down to “View Objects” > Click: Granted > Unselect: Apply to Subobjects
9. Click: OK > OK > Close
Note: The best solution would be to create an Access Level with the above rights. There are already other articles on SCN on how to do this.
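The rights rules above and the effect of step 8, as an added example (not SAP code and not part of the original article): a simplified Python model of how settings combine and how the "Apply to Subobjects" box decides what a subfolder inherits. The folder tree, group names and function names are hypothetical, and the model covers only the rules stated on this page.

```python
# Simplified model of the rules on this page; NOT SAP's implementation.
# Folder names, group names and helper names are hypothetical.
GRANTED, DENIED, NOT_SPECIFIED = "Granted", "Denied", "Not Specified"

# Constructed folder tree: child -> parent (None marks the top-level root).
PARENT = {"Root": None, "Finance": "Root", "HR": "Root", "Payroll": "HR"}

def ancestors(folder):
    """Yield the folder's parents, nearest first."""
    folder = PARENT[folder]
    while folder is not None:
        yield folder
        folder = PARENT[folder]

def combine(settings):
    """Granted + Denied = Denied; Granted + Not Specified = Granted."""
    if DENIED in settings:
        return DENIED
    return GRANTED if GRANTED in settings else NOT_SPECIFIED

def effective(acl, groups, folder, right="View Objects"):
    """Combine every setting that reaches `folder` for the user's groups.

    acl entries: (folder, group, right, setting, apply_to_subobjects).
    A setting made on an ancestor reaches the folder only when it was
    saved with "Apply to Subobjects" ticked.
    """
    up = set(ancestors(folder))
    reaching = [s for f, g, r, s, sub in acl
                if g in groups and r == right
                and (f == folder or (sub and f in up))]
    return combine(reaching)

def visible_folders(acl, groups):
    # Not Specified behaves as "Denied": only an effective Granted is visible.
    return sorted(f for f in PARENT if effective(acl, groups, f) == GRANTED)

# Step 8: Everyone gets View Objects on the root, "Apply to Subobjects" unticked,
# plus one per-folder grant to a user group.
ACL = [("Root", "Everyone", "View Objects", GRANTED, False),
       ("Finance", "Finance Users", "View Objects", GRANTED, True)]
# Same setup with the box left ticked in step 8: every subfolder becomes visible.
ACL_TICKED = [("Root", "Everyone", "View Objects", GRANTED, True)] + ACL[1:]
# Why Denied is avoided: one Denied on another group overrides the grant.
ACL_DENY = ACL + [("Finance", "Contractors", "View Objects", DENIED, True)]

if __name__ == "__main__":
    print(visible_folders(ACL, {"Everyone"}))
    print(visible_folders(ACL_TICKED, {"Everyone"}))
    print(visible_folders(ACL_DENY, {"Everyone", "Finance Users", "Contractors"}))
```
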
For more information about permissions see the Business Intelligence Platform Administrator Guide from the SAP Help Portal.
There are many more good articles and blogs on the BI Platform space.
Hope this helps!