Update:  This feature is now available with BI4.1 SP5 FP3 and does not require the Lumira Integration add-on.    


If you’ve attended the ASUG2014 BusinessObjects User Conference or have been attending some of the latest webinars, you will have heard about the ability to restrict the Lumira Desktop functionality using rights in the CMC.

Let’s dive into the details:

Prerequisites:

  • Lumira Desktop 1.19 or higher
  • BI4.1 SP5 or higher (or BI4 Integration for Lumira)

Overview of the rights:

From the Applications tab in the CMC, navigate down to SAP Lumira. 

The following is a set of rights you can set, which should be fairly self explanatory.

Enabling/Forcing Desktop Governance

This feature is managed through forcing a logon to your BI system at each startup of the Lumira Desktop.

You can, and it is recommended that you do set up kerberos SSO for lumira desktop to make this step seamless.

The logon is controlled through the placement of a .properties file, placed in the Lumira Desktop application directory.

The steps are also described in section 4.6 of the BI add-on for Lumira.

The format of the LumiraGovernance.properties file should look something like this:

enable=true

adapter.type=boe

authentication.type=secEnterprise

rest.url=http://myserver:6405/biprws

useSSO=false

Where enable/disable turns this feature on or off,

“adapter.type” will need to be boe, but you can see that this could in the future open up other types like Lumira Server

“authentcation.type” will be enterprise, AD, LDAP or SAP, in the following formats:

secEnterprise
secLDAP
secWinAD
secSAPR3

The rest.url will be the same that is used to publish to the BI platform and

“useSSO” will dictate if a prompt should appear or if single signon will be used.

SSO Bonus:  You do NOT need to perform additional configuration here to enable kerberos for this workflow, such as a krb5.ini file.  In other words, you do NOT need to perform the steps that you would need to access universe data described in this KB http://service.sap.com/sap/support/notes/1995864

Place the file in the user’s work directory.

C:\Users\<user>\.sapvi

Provisioning the LumiraGovernance.properties file

By now you will have noticed that this is just a plan text file.  How do you get this onto the user’s desktop?

To make the feature effective, you do need a centralized software distribution system, and one that will set this file to read only.

See the effect

The following shows a difference in UI between the full unrestricted mode and restricted mode for data acquisition.  We have limited the user to use only certified corporate data from a universe and their local system.


The below shows limiting the publishing destinations to BI only, and includes the prevention of exporting to a file.


Pushing settings to client

Using the settings of the SAP Lumira applicaiton object, you can also control whether your end users are allowed to update the desktop.

Or even force them to use a specific server for publishing, if you have set up the full Lumira BI integration (requires Lumira Server), or specific cloud destination.

Offline Support

The desktop tool will go into last known restricted mode if launched offline.

To report this post you need to login first.

21 Comments

You must be Logged on to comment or reply to a post.

  1. Donatas Budrys

    Hi, Greg,

    Thank you for your post and valuable information. I have several questions:

    1. When BI4.1 SP05 will be released? I still can’t find it nor in the HELP portal, nor in the SAP Downloads area.
    2. Your post is named “Governing Lumira Desktop using BI4 without HANA”. What specifically you had in mind stating “without HANA”?
    3. Does BI4.1 SP05 completely replaces “SAP BusinessObjects BI, add-on for SAP Lumira”?

    Thank you and have a nice day.

    Best regards,

    Donatas Budrys

    (0) 
    1. Greg Wcislo Post author

      The Lumira integration, and Lumira Server in general today require HANA.  This is detailed here:

      Lumira integration for BI4 functionality detailed.

      And why do I need a HANA:  Why Do I Need Lumira Server (on HANA) To View Storyboards in SAP BI 4?

      The Lumira integration includes the desktop governance piece.  However with SP5, we will bundle that governance feature directly so installing the whole add-on is not necessary.

      SP5 will NOT include integration of Lumira to allow you to view & explore documents in lumira directly in BI launchpad.   For that you still need the Lumira BI4 integration, as detailed in the first link above.

      SP5 should be available in the coming days.

      (0) 
      1. Donatas Budrys

        Hi, Greg,

        Thank you for your feedback. It’s nice to have part of SAP Lumira and BI4 integration bundled into BI4 Platform.

        Have a nice day.

        Best regards,

        Donatas Budrys

        (0) 
  2. Lluis Aspachs

    Thanks!

    Just tested and after introducing credentials we are getting an error with Lumira v20 and BI41SP5 and cannot continue, is that happening to anyone?

    Many thanks in advance.

    Error

    Could not acquire settings from Trusted Data Discovery source.

    Error retrieving the Trusted Data Discovery governing data. Unexpected response status from server.

    (HDB 14112)

    LumiraGovernance.properties

    enable=true

    adapter.type=boe

    authentication.type=secEnterprise

    rest.url=http://myserver:6405/biprws

    useSSO=false

    (0) 
    1. M. van Foeken

      Hi Lluis,

      Have you used the FQDN for the your server? Or try the IP address instead. You need to update the URL but that’s a nobrainer right ;-).

      With kind regards,

      Martijn van Foeken | Intenzz

      (0) 
      1. Sylvain Dutilh

        Hello,

        I am having the exact same problem. Of course I replaced the url with the rest webservices url for my platform, but the error pops up, even with a FQDN or the IP address, the cluster name… I tried pretty much everything.

        After logging in :

        Could not acquire settings from Trusted Data Discovery source.

        Error retrieving the Trusted Data Discovery governing data. Unexpected response status from server.

        (HDB 14112)

        (0) 
        1. Greg Wcislo Post author

          It might be a long shot, but try modifying your hosts file to resolve the machine name of the server to the actual IP address.    This normally shouldn’t be needed but I’ve seen this issue with some VM ware setups where the networking isn’t fully configured.

          (0) 
  3. Dallas Marks

    Greg,

    Thanks for this write-up. I was confused that what was built into SP5 was the Lumira integration kit. Any idea when the Lumira integration will come out of ramp-up?

    Regards,

    Dallas

    (0) 
    1. Greg Wcislo Post author

      With the upcoming release of Lumira desktop you should be able to save a lums file to the platform as long as you’re on SP5.  Think of the deski compatibility pack, the platform in this case is being used to host content but you need desktop to download & view it. 

      I do hope/expect Lumira will get natively integrated into BI4.x core package at some point, but when is not yet decided.   Lumira is moving much faster than the BI4.x maintenance line, so expect that to continue to be an add-on, as that makes more sense in the short term.

      Unfortunately I don’t have any dates of ramp-up exit.   A lot of work is being done currently which is touched on by Ashish’s blog post here:

      SAP Lumira Server is Not a Ford Model “T”

      To quote:  we are innovating to ensure that all of our customers can benefit from Lumira functionality today and have the option to scale up to SAP HANA”

      (0) 
  4. Howard Stiles

    Hi Greg,

    I’m using BI4.1 SP5 and SAP Lumira 1.20

    I am getting exactly the same error:

    Could not acquire settings from Trusted Data Discovery source.

    Error retrieving the Trusted Data Discovery governing data. Unexpected response status from server.

    (HDB 14112)

    I have tried FQDN, IPAddress and editing the hosts file but no luck.

    Anything else I should check, really keen to see this working.

    Howard Stiles

    (0) 
    1. Lluis Aspachs

      Hello,

      Recently we had to do a demo with BI41SP5 and Lumira v21 and these were our findings after reading SAP docs and testing the products:

      WITHOUT ADD-ON

      • The new “data governance” features mean we can now hide buttons or grey out some ticks in Lumira Desktop depending on the user profile, e.g. “export to explorer”, “install updates” , etc -> This is cool
      • Publish to SAP BI does not work – cannot publish datasets or stories or .lums files
      • Lumira v21 cannot export .lums file to BOE, could not find the button for it  – Lumira v22 or later might do

      WITH ADD-ON

      • The new “data governance” features are also applicable
      • Publish to SAP BI works (for datasets or stories), can view stories from web browser or even SAP BI Mobile -> Great!
      • Lumira v21 cannot export .lums file to BOE neither – maybe in an upcoming version

      So summarizing, today:

      • BI4SP5 itself provides a new integration with Lumira which is still partial and only related to security, not to publishing or viewing
      • Lumira Add-on for BOE & HANA are still absolutely needed for publishing and viewing Lumira content in BOE
      • Lumira v21 cannot publish .lums file to BOE, could not find the button for it – an upcoming version might do

      Let us know if this helps or something is inaccurate.

      Best Regards,

      (0) 
      1. Sharon Om

        Great feedback. I am confirming that saving lums file to BI platform still requires the add-on. We are anticipating in the next release of Lumira you can save lums file to platform without the add-on. But in order to open the lums file you will need the Desktop.

        If you want to publish the stories or datasets you do need the add-on in this and next release.

        (0) 
      2. Greg Wcislo Post author

        Thanks for confirming, what you describe is exactly what is expected.  Indeed the button to publish a lums file will be available in 1.22, expect this very soon. 

        It does not explain why some are seeing the error of not being able to acquire trusted settings.  As long as you have web services correctly deployed and accessible this should work for everyone with 4.1 SP5.  We continue our investigation. 

        (0) 
      3. Greg Wcislo Post author

        I can confirm that engineering has found the source of the issue and is working on releasing a fix.

        Will update here once the release vehicle is set.

        (0) 
  5. Chong Chen

    Hi, Greg,

    I have one question.

    Do we need to install the property file into every user’s local PC as well? Or by just saving it in the administrator’s PC, the datasource/share restriction restriction would be applied to all the users who are assigned to the group with restriction settings.

    Thank you and best regards.

    Chen

    (0) 

Leave a Reply