Skip to Content

Data Services uses the Central Management Server (CMS) for user and rights management. In a stand-alone DS environment, the same functionality is supplied by the Information Platform Services (IPS). Setting up user security is a rather cumbersome process. The procedure for granting access to a DS developer consists of four steps:

  • Create the user
  • Grant access to the DS Designer application
  • Grant access to one or more (or all) repositories
  • Allow automatic retrieving of the DS repository password from the CMS

1. Creating the user

By default, the DS installation program does not create any user accounts. Use the “Users and Groups” management area of the CMC to create users.

/wp-content/uploads/2014/01/1_362944.png

Figure 1: User List

Right click on the “User List” entry, select New > “New User” and specify the required details.

/wp-content/uploads/2014/01/2_362963.png

Figure 2: Create New User

Select the “Create & Close” button to finalize this step.

2.  Granting access to DS Designer

User name and password are entered in the DS Designer Repository Logon window.

/wp-content/uploads/2014/01/3_362964.png

Figure 3: DS Repository logon

2.1. User management

Unfortunately, the newly created user only has a limited number of access rights by default. More specifically, authorization to run DS
Designer is not granted automatically.

When trying to start the application with this user and password, access is denied:

/wp-content/uploads/2014/01/4_362965.png

Figure 4: Access Denied

Access can be granted to an individual user in the Applications area of the CMC. Right-click “Data Services Application” and select “User Security”.

/wp-content/uploads/2014/01/5_362966.png

Figure 5: Applications area in CMC

Select the “Add Principals” button:

/wp-content/uploads/2014/01/6_362967.png

Figure 6: User security

Select the user from the “User List” in the “Available users/groups” panel and select the “>” button to move it to the “Selected users/groups” panel.

7B.png7A.png

Figure 7: Add Principals

Select the Advanced tab and then the “Add/Remove Rights” link.

/wp-content/uploads/2014/01/8_362973.png

Figure 8: Assign Security

Grant access to Designer and select OK.

/wp-content/uploads/2014/01/9_362974.png

Figure 9: Add/remove Rights

2.2. Group management

As mentioned above, the DS installation program does not create any default user accounts. But it does create several default group accounts. One of these groups is called “Data Services Designer”. Members of this group automatically have access to the DS Designer.

After creating a new user, assign it to this group account. That will grant the user with access to DS Designer, the same result as with
the explicit user-level grant, but achieved in a much simpler way.

Return to the “Users and Groups” management area of the CMC. Right-click on the user and select “Join Group”.

/wp-content/uploads/2014/01/10_362978.png

Figure 10: Users and Groups

Select the group from the “Group List” in the “Available groups” panel and select the “>” button to move it to the “Destination Group(s)” panel and hit OK.

11B.png11A.png

Figure 11: Join Group

3.  Granting access to the repositories

When an authorized user connects to the DS Designer application, following error message is displayed:

/wp-content/uploads/2014/01/12_362981.png

Figure 12: No repositories are associated with the user

That is because a user in the “Data Services Designer Users” group has no default access to any of the DS repositories:

/wp-content/uploads/2014/01/13_362982.png

Figure 13: Access control list: No access by default

If a user needs access to a given repository, that access has to be explicitly granted to him.

Navigate to the “Data Services” area in the CMC. Right-click on the name of the repository and select “User Security”.

/wp-content/uploads/2014/01/14_362983.png

Figure 14: Data Services

The “User Security” dialog box appears and displays the access control list for the repository. The access control list specifies the users and groups that are granted or denied rights to the repository.

/wp-content/uploads/2014/01/15_362990.png

Figure 15: User Security

Select the “Add Principals” button. Then select the users or groups from the “User List” or “Group List” respectively in the “Available users/groups” panel and select the “>” button to move it to the “Selected users/groups” panel. Finally, select “Add and Assign Security”.

/wp-content/uploads/2014/01/16_362991.png

Figure 16: Add principals

Select the access level to be granted to the user or group:

  • To grant read-only access to the repository, select “View”.
  • To grant full read and write access to the repository, select “Full Control”.
  • To deny all access to the repository, select “No Access”.

Select the “>” button to move it from the “Available Access Levels” to the “Assigned Access Levels” panel. And hit OK.

/wp-content/uploads/2014/01/17_362992.png

Figure 17: Assign security

Note: By applying the same method at the level of the Repositories folder in the “Data Services” area in the CMC, the user will be granted the same access level to all repositories at once. Both mechanisms can be combined to give the developers full control over their own repository and read access to anybody else’s:

 

  • Grant View access to every individual developer (or to the “Data Services Designer Users” group or to a special dedicated group, for that matter) at the level of the Repositories folder. Make sure that, when using the default group for this, it comes with the default settings. If it doesn’t, simply reset security settings (on object repositories and on all children and descendants of object repositories) on the default group before attempting this operation.
  • Grant “Full Control” access to every individual developer for his own repository.

When logging in to DS, developers see the full list of repositories they are granted access to. A value of “No” in the second column means full access, “Yes” means read-only.

/wp-content/uploads/2014/01/18_362996.png

Figure 18: Typical DS Designer logon screen

 

Don’t make the list too long. The logon screen is not resizable. And scrolling down may become very tedious!

4.  Retrieving the DS repository password from the CMS

The users can now connect to the repositories from within DS Designer. When he starts the application, as an extra security feature, he is prompted for the (database) password of the repository:

/wp-content/uploads/2014/01/19_362997.png

Figure 19: Repository password

If this extra check is not wanted, it can be explicitly removed.

Return to the “User Security” dialog box that displays the access control list for the repository. Select the User, then the “Assign Security” button.

In the “Assign Security” dialog box, select the Advanced tab and then the “Add/Remove Rights” link.

/wp-content/uploads/2014/01/20_362998.png

Figure 20: Assign Security

Grant both “Allow user to retrieve password” and “Allow user to retrieve password that user owns”  privileges and hit OK.

/wp-content/uploads/2014/01/21_363002.png

Figure 21: Add/remove Rights

DS Designer will not prompt for a database password anymore when the user tries to connect to this repository.

Note: By applying the same method at the level of the Repositories folder in the “Data Services” area in the CMC, this extra check will be removed from all repositories accessible by this user at once.

To report this post you need to login first.

27 Comments

You must be Logged on to comment or reply to a post.

  1. Chethan Lingaraju

    Hello Dirk,

    Can we configure to retrieve DS repository password from CMS for all the users which we create in future as well? We tried your 4th point on the group “Everyone”, still users were prompted for password.

    Basically, we don’t want designer to prompt for password for anyone. Is there a way to disable that extra security once for all?

    (0) 
    1. Dirk Venken Post author

      Sure. When you apply those instructions to the principal Everyone at the level of the Repositories folder, the extra check will be removed for all future users and all repositories for once and for all.

      (0) 
  2. Shashidhar Koppal

    Hello Dirk,

    We have successfully upgraded our test environment from 4.0 to 4.2 using the upgrade patches.But after up-gradation we facing user access issues.

    Problem Faced – In 4.0, when we provide access to particular user on BODS Data Service Designer ( View access ), So user will not be having execute or monitoring access on Management console unless the same user is included in Data Services operator Users or Data services Monitor Users groups respectively, but where as in 4.2 when we are including user on Data Services Designer Users group and providing view access only on BODS Data Services Designer, the same user can login to Management console and has full access on console ( User can execute jobs as well from console ) where in the user is not included in Data Services operator Users or Data services Monitor Users groups .

    Basically, we don’t want this to happen. Is there a way to disable this access ?

    (0) 
  3. Upamanyu Mukherjee

    Hi Dirk,

    Is it possible to assign folder/object specific privileges in BODS 4.x.?

    As per my requirement I need a user which can execute only selected batch jobs from Data Services Management Console.

    It should not have execute privileges on the entire repository…

    Please let me know if it’s possible!!!

    Regards,

    Upamanyu

    (0) 
    1. Dirk Venken Post author

      No, that’s not possible. Access rights are granted at repository level only.

      You can solve your issue by creating a separate repository. Grant access to that repository to your user. And copy only those jobs to it you want that user to execute.

      (0) 
  4. Anil Kumar Karanam

    Hi Dirk,

    my requirement is that the user should be able create and edit objects in the repository but should not be able to execute the batch jobs.

    This is what I tried:

    • Copied the full control access level to new access level (named “Edit”) and denied below rights:

    Application Rights.JPG

    Application Rights2.JPG

    • Basically the access level allows only “Access to Designer”; All the remaining rights are “Not Specified”
    • Created user (edit_user)
    • User is part of a group called “edit_group”
    • This group is assigned “edit” acess level in Data Services Application
    • The user “edit_user” is assigned “edit” access level to the repository
    • now, edit_user is still able to login and execute batch jobs from Designer.

    How can I restrict a user from executing batch jobs from their repository?

    They should still be able to create and edit the objects.

    Could you please help?

    Thanks in advance.

    Regards,

    Anil.

    (1) 
    1. Dirk Venken Post author

      You cannot. The privileges you’re looking at refer to the DS Management Console. For DS Designer, there are only 2 options: full access with all options and read-only that prevents you from modifying the content.

      (0) 
      1. Jerry Liu

        I believe there is workaround, like blocking the job server by firewall form accessing from client computer. designer can still edit jobs but when running job will be prompted that job server error.

        (0) 
  5. Peter Neil

    Hi,

    Version 14.2.2.446

    I’m having a problem where a user does not the connection to the Central Object Library activated automatically.  Then when he goes to manually Activate he is prompted for the User and Password every time.  I went thru all the above steps and it did not change the behavior.

    Suggestions please ?

    Thank you,

    Peter.

    (0) 
  6. Paul McLaren

    Hi

    With BODS 4.2 SP6, does anyone know how to set security to give user readonly access to a repository within Management Console but allow them to be able to set schedule and/or abort batch job?

    After spending several days, there does not appear to be a way to achieve this?  I know there is a group called Data Services Monitor User but if I add this to the user as View only they are still unable to abort/set schedule unless if I give them full control on the repository which defeat the purpose the user would then be able to edit objects within the repository

    Any suggestions?

    Thanks

    Paul

    (0) 
    1. Leonel Dinamik

      Remember that this is the BO authorization way.

      If a permission is denied it doesn’t matter if you allow in other group. Deny overwrite other permissions.

      try with Data Services Monitor User and explicit allow the following:

      Capture222.JPG

      (0) 
    1. Dirk Venken Post author

      Users are maintained in the CMC and stored i nthe CMS database. I know there are query possibilities on that database. Unfortunately, I cannot help you with the details. You should post your question in the BI space.

      (0) 
  7. Preethi kotian

    Hello Dirik,

     

    Thank you for the wonderful Blog. I had a question. If you can show me the right path that would be great.

    Is there any way we can create a group for Security administrator just to have access for user admin and group admin ? If yes, can I know how ?

     

    Regards,

    Preethi

    (0) 
    1. Dirk Venken Post author

       

      Please check Section 7 Setting Rights in the Information platform services Administrator Guide (help.sap.com). Especially section 7.5 Using rights to delegate administration will be applicable.

      (0) 

Leave a Reply