SAP BusinessObjects Best Practices: Effective Delegation of CMC Access
As an SAP BusinessObjects landscape grows and adoption increases, administrative delegation becomes a necessity. When administration moves from a single admin handling every role to multiple people managing the same system, setting up the delegation effectively is vital for the proper functioning of the SAP BusinessObjects system.
Common delegation tasks include providing access to parts of the CMC such as User management or Promotion management. In this blog, we will look at best practices for effective delegation of SAP BusinessObjects landscape management.
Role Matrix
The first step in the process is to identify the role matrix, which highlights the types of roles & access needed to perform different activities. The following is an example of a role matrix.
Role | CMC Tabs |
User Management | Users and Groups, User attribute management |
Content Management | Access levels, Folders, Categories, Universes, Connections, OLAP Connections |
Promotion Management | Promotion Management |
Auditors | Auditing, Query results, Cryptographic Keys |
Server Administrator | Servers, Instance Manager, Events |
This role matrix helps in dividing the responsibilities and assigning them to one or more users/groups.
Delegated Group
Delegated groups are used to implement the roles in the SAP BusinessObjects system. One group is assigned to each role and is given access to the relevant CMC tabs. The groups can be prefixed or suffixed (e.g. DG), according to the naming policy followed, to identify that they are for delegated access. The following are the group mappings for the above roles.
Groups | Role |
User Management – DG | User Management |
Content Management – DG | Content Management |
Promotion Management – DG | Promotion Management |
Auditors – DG | Auditors |
Server Admin – DG | Server Administrator |
Restricting CMC Tab Access
The next step is to restrict CMC access by default. Navigate to the Applications tab, open the context menu of Central Management Console, and select CMC Tab Access Configuration.
Set CMC Tab access to Restricted and save to apply the setting. CMC access is now restricted by default, and this default can be overridden explicitly for each of the groups.
Creating Groups
The next step is to create the groups. Groups are created from the Users and Groups section in the CMC. Navigate to this section and click on ‘Create a group’.
Enter the group name from the mapping above, and repeat until a group exists for every entry in the mapping.
Providing CMC Tab Access to the Groups
The next step is to provide the necessary CMC Tab access to the groups. On the context menu of the group, select CMC Tab configuration.
Select the necessary tabs and grant explicit access to them. The tabs with granted access are shown with a green icon.
Adding Users to the Group
Finally, add the users to their respective groups using the Users and Groups tab. When the users log in to the CMC, they will be able to access only the set of tabs that are designated to them.
Key Practices for Delegation
These are some of the key practices that should be followed in order to set up a delegated system:
- Provide restricted access to only those resources needed
- Have a flat role structure and do not overlap different roles into one
- Have a direct group to role mapping. Avoid having a single group for multiple roles
- Audit the users in the Group and revoke access as needed
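The practices above can be checked mechanically once the tabs granted to each group and the group members have been written down. The following Python is an added example, not part of the original blog or of any SAP tooling: it compares a hand-recorded state against the role matrix and group mapping from the tables above. The function name audit_delegation, the user names, the "Helpdesk - DG" group and the input dictionaries are hypothetical, and group names are written with an ASCII hyphen.

```python
# Role matrix and group mapping copied from the article's two tables.
ROLE_TABS = {
    "User Management": {"Users and Groups", "User attribute management"},
    "Content Management": {"Access levels", "Folders", "Categories",
                           "Universes", "Connections", "OLAP Connections"},
    "Promotion Management": {"Promotion Management"},
    "Auditors": {"Auditing", "Query results", "Cryptographic Keys"},
    "Server Administrator": {"Servers", "Instance Manager", "Events"},
}
GROUP_ROLE = {
    "User Management - DG": "User Management",
    "Content Management - DG": "Content Management",
    "Promotion Management - DG": "Promotion Management",
    "Auditors - DG": "Auditors",
    "Server Admin - DG": "Server Administrator",
}

def audit_delegation(granted, members, approved):
    """granted: group -> tabs granted; members: group -> current users;
    approved: group -> users who should be there. Returns sorted findings."""
    findings = []
    for group, tabs in granted.items():
        role = GROUP_ROLE.get(group)
        if role is None:  # group exists outside the agreed mapping
            findings.append(("unmapped_group", group, ""))
            continue
        for tab in tabs - ROLE_TABS[role]:
            # A tab from another role's row means this group spans two roles.
            other = any(tab in t for t in ROLE_TABS.values())
            findings.append(("role_overlap" if other else "excess_tab", group, tab))
    for group, users in members.items():
        # Members nobody approved are candidates for revocation.
        for user in users - approved.get(group, set()):
            findings.append(("revoke_member", group, user))
    return sorted(findings)

# Constructed sample state, recorded by hand (not an SAP export format).
GRANTED = {
    "User Management - DG": {"Users and Groups", "User attribute management"},
    "Promotion Management - DG": {"Promotion Management", "Folders"},
    "Auditors - DG": {"Auditing", "Servers", "Cryptographic Keys"},
    "Helpdesk - DG": {"Users and Groups"},
}
MEMBERS = {"User Management - DG": {"asmith", "bjones"}, "Auditors - DG": {"cwu"}}
APPROVED = {"User Management - DG": {"asmith"}, "Auditors - DG": {"cwu"}}

if __name__ == "__main__":
    for finding in audit_delegation(GRANTED, MEMBERS, APPROVED):
        print(finding)
```

An empty result means every group holds only the tabs in its own row of the role matrix and every member is on the approved list.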