Trusted Data Discovery using SAP Lumira – Security Webcast
This was an SAP webcast today. Below are my notes. The usual SAP Legal Disclaimer applies; things in the future are subject to change.
Figure 1: Source: SAP
You should think about security on data sets when stories are published to Cloud, BI Platform, or Server
What security do you have on this?
What can be done when designing on desktop before sharing?
Figure 2: Source: SAP
Figure 2 shows you need to think about security
There are two different kinds of dataset groups – one is the download approach, including the universe and HANA
When using the Connect online approach, Lumira respects user rights
Figure 2 shows you can enforce a refresh for the universe
Lumira Desktop Governance
Companies have concerns about sharing to the cloud
Figure 3: Source: SAP
IT can enforce desktop governance
It can handle the data source type
Preferences have configurable URLs – the admin can restrict them
The speaker said you need the BI Platform with Lumira add-on installed (not Server; server is needed for sharing)
Figure 4: Source: SAP
You need to create a text file
It looks at the CMC and fetches the properties for the user
BOE is used for this, and the authentication type depends on what is set in the CMC
Figure 5: Source: SAP
Figure 5 shows the properties file; you create the file by naming it and maintain the parameters in it
Figure 6: Source: SAP
Figure 6 shows where the preferences are defined. You can allow the URL to be edited or not
Figure 7: Source: SAP
Figure 7 shows before and after screenshots. The lower right shows “Editing URL has been disabled”
Figure 8: Source: SAP
Figure 8 shows using the BI platform to define access to features
You can define security for specific users or user groups
Figure 9: Source: SAP
Figure 9 shows before and after with the data source rights. There is no access to the HANA or BW.
Figure 10: Source: SAP
Before and after sharing rights are shown in Figure 10
Figure 11: Source: SAP
Figure 11 shows priority of access rights.
Document Security
Figure 12: Source: SAP
Infographics – what is the use case?
Normally they are static
If “refresh on open” is set, it will refresh
Figure 13: Source: SAP
Figure 13 shows you can share a story with your team or with others
If you share a story, you share access to the dataset as well
You can also stop sharing the dataset
SAP plans to work on security in the Cloud – for the admin to grant Cloud security access rights, restricting sharing to private, not public
Figure 14: Source: SAP
Figure 14 shows Lumira Server access. The HANA admin needs to assign roles to users – data consumer or analyst.
Figure 15: Source: SAP
Figure 15 shows you share only with those who have access
You decide which roles to share with, in edit or view mode
Figure 16: Source: SAP
You can use BI platform security on the folders in CMC
Figure 17: Source: SAP
Figure 17 shows access to the universe, fetched from BI Platform
There are different options.
Universes have the option to do a data refresh to ensure you have the latest data
It can be an on-demand refresh or a scheduled refresh
For the BW offline use case – there might be a server-side refresh for the data, as with universes, so the user sees only the data they have access to (future)
The session included a demonstration; when the recording is available I encourage you to watch it.
Thanks Tammy, great summary (as always) of a highly relevant topic.
Kind regards,
Niklas
Hi Tammy,
Great blog! I do find it rather strange to use a separate file to enforce governance. Isn't this hard to maintain and error-prone? I would rather see a similar check box as in Design Studio where you can select the start-up mode (BI platform, standalone, HANA, etc.)
What are your thoughts on this, Sharon Om?
With kind regards,
Martijn van Foeken | Intenzz
Hi Martijn - great question!
I'll be the first to say I am not a security expert. It would be interesting to hear what other security experts say on this.
Thank you for reading and commenting.
A longer-term, better way to manage this would probably be using Active Directory policies to activate/deactivate the governance. It certainly wouldn't be an end-user-initiated action, because what user wants to limit what they can do voluntarily? 🙂
I wouldn't say it's necessarily error-prone; it's either on or off. But to do it at any scale requires a centralized software push mechanism, which may not be present in some companies, and of course it needs to be set as read-only by the administrator. You would test it once centrally, make sure it works, and push it out to clients.
From a pure security standpoint (taking the view of a hacker), only the server can be trusted, and the client cannot. This is true for any application in the software world. This is because on the client side you could change the contents of your memory and change the actual execution path of the code.
The target here is not to protect from the hackers intent on using workflows they're not supposed to. Your business user is not easily or accidentally going to bypass the limitations set on the desktop by the centralized administrator, but it does really require a centralized software push infrastructure.
Room for improvement for sure. I will forward it to my colleagues who own this to look into it.
Hi Tammy! Thanks for sharing.
It is indeed a very interesting topic for everyone thinking about Lumira as part of a corporate analytics stack. Is there anything in the roadmap about managing centrally from Lumira Server as we do with BO / BW?
Cheers,
SJR
Hi SJR 🙂
I don't see that called out in the official roadmap here https://websmp105.sap-ag.de/~sapidb/011000358700000212382013E.pdf (SMP logon) - maybe you might want to ask this as a discussion so SAP answers?
Thank you for reading and commenting