Governing Lumira Desktop using BI4 without HANA
Update: This feature is now available with BI4.1 SP5 FP3 and does not require the Lumira Integration add-on.
If you’ve attended the ASUG2014 BusinessObjects User Conference or have been attending some of the latest webinars, you will have heard about the ability to restrict the Lumira Desktop functionality using rights in the CMC.
Let’s dive into the details:
Prerequisites:
- Lumira Desktop 1.19 or higher
- BI4.1 SP5 or higher (or BI4 Integration for Lumira)
Overview of the rights:
From the Applications tab in the CMC, navigate down to SAP Lumira.
The following is the set of rights you can configure; they should be fairly self-explanatory.
Enabling/Forcing Desktop Governance
This feature works by forcing a logon to your BI system each time Lumira Desktop starts.
You can set up Kerberos SSO for Lumira Desktop to make this step seamless, and doing so is recommended.
The logon is controlled by a .properties file placed in the Lumira Desktop application directory.
The steps are also described in section 4.6 of the BI add-on for Lumira.
The format of the LumiraGovernance.properties file should look something like this:
enable=true
adapter.type=boe
authentication.type=secEnterprise
rest.url=http://myserver:6405/biprws
useSSO=false
Where “enable” turns this feature on or off.
“adapter.type” will need to be boe, but you can see that this could in the future open up other types like Lumira Server.
“authentication.type” will be enterprise, AD, LDAP or SAP, in the following formats:
● secEnterprise
● secLDAP
● secWinAD
● secSAPR3
The “rest.url” will be the same URL that is used to publish to the BI platform.
“useSSO” dictates whether a logon prompt appears or single sign-on is used.
SSO Bonus: You do NOT need to perform additional configuration here to enable Kerberos for this workflow, such as a krb5.ini file. In other words, you do NOT need to perform the steps that are needed to access universe data, described in this KB: http://service.sap.com/sap/support/notes/1995864
Place the file in the user’s work directory.
C:\Users\<user>\.sapvi
Provisioning the LumiraGovernance.properties file
By now you will have noticed that this is just a plain text file. How do you get this onto the user’s desktop?
To make the feature effective, you do need a centralized software distribution system, and one that will set this file to read only.
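A compliance check for deployed copies of the file, as an added example (not SAP's code or the author's): it parses LumiraGovernance.properties, validates each key against the values listed above, and reports a copy that is still writable. The function names `parse_properties`, `audit` and `write_sample` are hypothetical, and the sample content is constructed.

```python
import os
import stat
import tempfile
from urllib.parse import urlparse

# Keys and values come from the file format described in this post.
AUTH_TYPES = {"secEnterprise", "secLDAP", "secWinAD", "secSAPR3"}
REQUIRED = ("enable", "adapter.type", "authentication.type", "rest.url", "useSSO")

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and #/! comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", "!")):
            props[key.strip()] = value.strip()
    return props

def audit(path):
    """Return a list of findings for one deployed LumiraGovernance.properties."""
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    findings = [f"missing key: {k}" for k in REQUIRED if k not in props]
    if props.get("enable", "true").lower() != "true":
        findings.append("enable is not true; governance is switched off")
    if props.get("adapter.type", "boe") != "boe":
        findings.append("adapter.type must be boe")
    if props.get("authentication.type", "secEnterprise") not in AUTH_TYPES:
        findings.append("authentication.type is not one of the four listed values")
    if props.get("useSSO", "true").lower() not in ("true", "false"):
        findings.append("useSSO must be true or false")
    url = urlparse(props.get("rest.url", "http://placeholder"))
    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append("rest.url is not a valid http(s) URL")
    if os.stat(path).st_mode & stat.S_IWRITE:  # read-only clears the write bit
        findings.append("file is writable; it should be read only")
    return findings

def write_sample(text, read_only):
    """Write a constructed sample file into a temp directory; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "LumiraGovernance.properties")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, stat.S_IREAD if read_only else stat.S_IREAD | stat.S_IWRITE)
    return path

# Constructed sample matching the format shown in the post.
GOOD = ("enable=true\nadapter.type=boe\nauthentication.type=secEnterprise\n"
        "rest.url=http://myserver:6405/biprws\nuseSSO=false\n")
```

Run `audit()` against each user's copy from the distribution system's inventory job; an empty list means the file matches the documented format and is read only.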
See the effect
The following shows a difference in UI between the full unrestricted mode and restricted mode for data acquisition. We have limited the user to use only certified corporate data from a universe and their local system.
The below shows limiting the publishing destinations to BI only, and includes the prevention of exporting to a file.
Pushing settings to client
Using the settings of the SAP Lumira application object, you can also control whether your end users are allowed to update the desktop.
Or even force them to use a specific server for publishing, if you have set up the full Lumira BI integration (requires Lumira Server), or specific cloud destination.
Offline Support
The desktop tool will go into last known restricted mode if launched offline.
Hi Greg,
Thanks for posting this. Good stuff!
Cheers,
Leo
Hi, Greg,
Thank you for your post and valuable information. I have several questions:
Thank you and have a nice day.
Best regards,
Donatas Budrys
The Lumira integration, and Lumira Server in general today require HANA. This is detailed here:
Lumira integration for BI4 functionality detailed.
And why do I need a HANA: Why Do I Need Lumira Server (on HANA) To View Storyboards in SAP BI 4?
The Lumira integration includes the desktop governance piece. However with SP5, we will bundle that governance feature directly so installing the whole add-on is not necessary.
SP5 will NOT include integration of Lumira to allow you to view & explore documents in lumira directly in BI launchpad. For that you still need the Lumira BI4 integration, as detailed in the first link above.
SP5 should be available in the coming days.
Hi, Greg,
Thank you for your feedback. It's nice to have part of SAP Lumira and BI4 integration bundled into BI4 Platform.
Have a nice day.
Best regards,
Donatas Budrys
SP05 was released overnight, should be on www.service.sap.com/swdc
Yes, I checked, you can search for Support Package, containing phrase "SBOP BI PLATFORM 4.1 SP05 SERVER"
Regards,
H
Hi, Henry,
Yes, indeed SP05 is ready and accessible.
Thank you.
Best regards,
Donatas Budrys
Thanks!
Just tested and after introducing credentials we are getting an error with Lumira v20 and BI41SP5 and cannot continue, is that happening to anyone?
Many thanks in advance.
Error
Could not acquire settings from Trusted Data Discovery source.
Error retrieving the Trusted Data Discovery governing data. Unexpected response status from server.
(HDB 14112)
LumiraGovernance.properties
enable=true
adapter.type=boe
authentication.type=secEnterprise
rest.url=http://myserver:6405/biprws
useSSO=false
Hi Lluis,
Have you used the FQDN for your server? Or try the IP address instead. You need to update the URL but that's a no-brainer right ;-).
With kind regards,
Martijn van Foeken | Intenzz
Hello,
I am having the exact same problem. Of course I replaced the url with the rest webservices url for my platform, but the error pops up, even with a FQDN or the IP address, the cluster name... I tried pretty much everything.
After logging in :
Could not acquire settings from Trusted Data Discovery source.
Error retrieving the Trusted Data Discovery governing data. Unexpected response status from server.
(HDB 14112)
It might be a long shot, but try modifying your hosts file to resolve the machine name of the server to the actual IP address. This normally shouldn't be needed but I've seen this issue with some VMware setups where the networking isn't fully configured.
Greg,
Thanks for this write-up. I was confused that what was built into SP5 was the Lumira integration kit. Any idea when the Lumira integration will come out of ramp-up?
Regards,
Dallas
With the upcoming release of Lumira desktop you should be able to save a lums file to the platform as long as you're on SP5. Think of the deski compatibility pack, the platform in this case is being used to host content but you need desktop to download & view it.
I do hope/expect Lumira will get natively integrated into BI4.x core package at some point, but when is not yet decided. Lumira is moving much faster than the BI4.x maintenance line, so expect that to continue to be an add-on, as that makes more sense in the short term.
Unfortunately I don't have any dates of ramp-up exit. A lot of work is being done currently which is touched on by Ashish's blog post here:
SAP Lumira Server is Not a Ford Model “T”
To quote: "we are innovating to ensure that all of our customers can benefit from Lumira functionality today and have the option to scale up to SAP HANA"
Hi Greg,
I'm using BI4.1 SP5 and SAP Lumira 1.20
I am getting exactly the same error:
Could not acquire settings from Trusted Data Discovery source.
Error retrieving the Trusted Data Discovery governing data. Unexpected response status from server.
(HDB 14112)
I have tried FQDN, IPAddress and editing the hosts file but no luck.
Anything else I should check, really keen to see this working.
Howard Stiles
Hello Howard,
I e-mailed Lumira and tried a few other things as well. See here :
Lumira governance on BI Platform 4.1SP5
So far the latest answer was "Nah, you still need the add-on", but this is still under investigation.
Yes, our product management are going to clarify here as soon as possible.
Hello,
Recently we had to do a demo with BI41SP5 and Lumira v21 and these were our findings after reading SAP docs and testing the products:
WITHOUT ADD-ON
WITH ADD-ON
So summarizing, today:
Let us know if this helps or something is inaccurate.
Best Regards,
Great feedback. I am confirming that saving lums file to BI platform still requires the add-on. We are anticipating in the next release of Lumira you can save lums file to platform without the add-on. But in order to open the lums file you will need the Desktop.
If you want to publish the stories or datasets you do need the add-on in this and next release.
Thanks for confirming, what you describe is exactly what is expected. Indeed the button to publish a lums file will be available in 1.22, expect this very soon.
It does not explain why some are seeing the error of not being able to acquire trusted settings. As long as you have web services correctly deployed and accessible this should work for everyone with 4.1 SP5. We continue our investigation.
I can confirm that engineering has found the source of the issue and is working on releasing a fix.
Will update here once the release vehicle is set.
Patch 5.3 is now available with the fix.
Hi, Greg,
I have one question.
Do we need to install the property file onto every user's local PC as well? Or, by just saving it on the administrator's PC, would the datasource/share restriction be applied to all the users who are assigned to the group with restriction settings?
Thank you and best regards.
Chen
Dear Greg,
I just tried to implement the Desktop Governance with the LumiraGovernance.properties file I used before with SAP Lumira 1.31 in SAP Lumira 2.1. I copied the LumiraGovernance.properties into the C:\Users\<username>\.sapvi_2 directory in the same format that worked before in SAP Lumira 1.31. If I start SAP Lumira 2.1 no logon screen is shown. Do you have any idea why it is not working as expected? SAP Lumira 2.1 add-on is installed on BOE server side.
Thank you,
Eric