Skip to Content

This was an SAP webcast today.  Below are my notes.  The usual SAP Legal Disclaimer applies; things in the future are subject to change.

/wp-content/uploads/2014/11/1fig_579149.png

Figure 1: Source: SAP

You should think of security on data sets, when stories are published to Cloud, BI Platform, Server

What security do you have on this?

What can be done when designing on desktop before sharing?

/wp-content/uploads/2014/11/2fig_579150.png

Figure 2: Source: SAP

Figure 2 shows you need to think about security

There are two different kind of dataset groups – one is download approach including the universe and HANA

When using the Connect online approach Lumira respects user rights

Figure 2 shows you can enforce a refresh for the universe

Lumira Desktop Governance

Companies have concerns about sharing to the cloud

/wp-content/uploads/2014/11/3fig_579151.png

Figure 3: Source: SAP

IT can enforce desktop governance

It can handle the data source type

Preferences have configurable URLs – the admin can restrict

The speaker said you need the BI Platform with Lumira add-on installed (not Server; server is needed for sharing)

/wp-content/uploads/2014/11/4fig_579152.png

Figure 4: Source: SAP

Need to create text file

Looks at CMC and fetches properties for user

Using BOE for this and authentication type depends on what is set for CMC

/wp-content/uploads/2014/11/5fig_579153.png

Figure 5: Source: SAP

Figure 5 shows the properties file; you create a file by naming, and maintain the parameters

/wp-content/uploads/2014/11/6fig_579154.png

Figure 6: Source: SAP

Figure 6 shows where the preferences defined.  You can allow the URL to be edited or not

/wp-content/uploads/2014/11/7fig_579164.png

Figure 7: Source: SAP

Figure 7 shows before and after screen shots.  The lower right shows “Editing URL has been disabled”

/wp-content/uploads/2014/11/8fig_579165.png

Figure 8: Source: SAP

Figure shows using the BI platform to define access to features

You can define security for a specific users or user groups

/wp-content/uploads/2014/11/9fig_579166.png

Figure 9: Source: SAP

Figure 9 shows before and after with the data source rights.  There is no access to the HANA or BW.

/wp-content/uploads/2014/11/10fig_579167.png

Figure 10: Source: SAP

Before and after sharing rights is shown in Figure 10

/wp-content/uploads/2014/11/11fig_579168.png

Figure 11: Source: SAP

Figure 11 shows priority of access rights.

Document Security

/wp-content/uploads/2014/11/12fig_579169.png

Figure 12: Source: SAP

Infographics – what is use case?

Normally they are static

If have fresh on open set it will refresh

/wp-content/uploads/2014/11/13fig_579170.png

Figure 13: Source: SAP

Figure 13 shows you can share a story with team or others

If share story you share access to dataset as well

You can also stop sharing of dataset

SAP plans to work on security in Cloud – for the admin to give Cloud security access right – restricting sharing private, not public

/wp-content/uploads/2014/11/14fig_579171.png

Figure 14: Source: SAP

Figure 14 shows Lumira Server access.  The HANA admin needs to assign roles to user – data consumer or analyst.

/wp-content/uploads/2014/11/15fig_579172.png

Figure 15: Source: SAP

Figure 15 shows you share only with those who have access

You decide which roles to share in edit or view mode

/wp-content/uploads/2014/11/16fig_579176.png

Figure 16: Source: SAP

You can use BI platform security on the folders in CMC

/wp-content/uploads/2014/11/17fig_579177.png

Figure 17: Source: SAP

Figure 17 shows access to the universe, fetched from BI Platform

There are different options.

Universes have the option to do a data refresh to ensure have latest data

It can be an on demand refresh or scheduled refresh

For BW offline use case – might be able to have server side refresh for data like universes and user sees only data they have access to (future)

The session included a demonstration; when the recording is available I encourage you to watch it.

To report this post you need to login first.

7 Comments

You must be Logged on to comment or reply to a post.

  1. M. van Foeken

    Hi Tammy,

    Great blog! Do find it rather strange to use a separate file to enforce governance. Isn’t this hard to maintain and error prone? I would rather see a similar check box as in Design Studio where you can select the start up mode (BI platform, standalone, HANA, etc.)

    What are your thoughts on this Sharon Om ?

    With kind regards,

    Martijn van Foeken | Intenzz

    (0) 
    1. Tammy Powlas Post author

      Hi Martijn – great question!

      I’ll be the first to say I am not a security expert.  It would be interesting to hear what other security experts say on this.

      Thank you for reading and commenting.

      (0) 
      1. Greg Wcislo

        A longer term better way to manage would probably be using active directory policies to activate/deactivate the governance.   It certainly wouldn’t be an end user initiated action, because what user wants to limit what they can do voluntarily? 🙂 . 

        It wouldn’t say necessarily error prone, it’s either on or off, but do do it in any scale with this requires a centralized software push mechanism which may not be present in some companies, and of course it needs to be set as read only by the administrator.  You would test it once centrally, make sure it works and push it out to clients

        From a pure security standpoint (taking the view of a hacker), only the server can be trusted, and the client cannot.   This is true for any application in the software world.  This is because on the client side you could change the contents of your memory and change the actual execution path of the code.

        The target here is not to protect from the hackers intent on using workflows they’re not supposed to.   Your business user is not easily or accidentally going to bypass the limitations set on the desktop by the centralized administrator, but it does really require a centralized software push infrastructure.

        (0) 
  2. Santiago Reig

    Hi Tammy ! Thanks for sharing.

    It is indeed a very interesting topic for everyone thinking about Lumira as part of a corporate Analytics stack. Is there anything in the roadmap about managing centrally from Lumira Server as we do with BO / BW ?

    Cheers,

    SJR

    (0) 

Leave a Reply