This is a follow up document for the Geek Tweaks series of SAP BI Platform and provides some best practices on managing and configuring security in BI Platform with some real life scenarios. Read the Geek Tweaks SAP BI Platform &#8211; Geek Tweaks | SCN
Configuring External groups in BI Platform
BI Platform support integration to external platform including SAP R/3 for Authentication and Authorization. Most of the time the Authorization groups are managed at the third party system like Windows Active Directory or SAP R/3 and consumed in BOBJ by assigning access to the resources.
The best practice to configure access to external groups is by using nested group. Assign the external group as part of an Enterprise BOBJ group and assign the access to the enterprise group.
This way when the external integration is disabled or when the external system is changed, all the access remains intact for the resources and only the external group have to be added as member of the Enterprise group.
Consider the example of importing the group from Windows Active Directory
The department as Windows AD groups are mapped as nested group to the Enterprise group created for the department and all the access has been given to the enterprise groups to the respective department resources.
Nested Folder Permissions
Consider the following scenario. You have users of various departments belonging to each region publishing their Budget reports in their respective folder. The Finance team can view all the report by the respective region and each region users should only be able to see their folders for publishing.
How can this be implemented? This can be implemented with the help of Nested group permissions and Root folder permissions in BOBJ. In BOBJ, rights for the access can be applied for the Objects in the Folder and the children of the objects (Sub Folders). This is identified by the two checkbox in the Access rights
Create a new access rights called Root level View and provide it only the following rights
Note that the Nested permissions is unchecked. Save the access rights and it is used to achieve the above scenario
Each Region users from each department can only see their region’s department folders. More departments or regions can be added easily as this setup is scale-able and easy to manage.
Lookout for more Geek Tweaks, Best practices and more.