Skip to Content
Technical Articles

Folder Level Authorization in SAP BO (end-to-end)

In this article I will show how to handle folder authorization in SAP Business Objects (BO), explaining all the steps needed to give access to specific folders for specific users without showing everything under the Public Folder (root).

Here are the big steps:

  • Configuring root folder
  • Create new folders
  • Create a user group
  • Grant user group access to a Folder
  • Assign users to user groups

 

Configuring root folder

In SAP BO, there is a root folder called Public “Folders”. If the Everyone group has no access to the root folder, nobody will be able to see any folder under Document List session on BI Launchpad, even if you assign rights to the subfolders.

On the other hand, if Everyone group has view access to the root folder, we have to go in each subfolder and give the Everyone group “No Access”. Now imagine if you have 50 folders under the root folder and want the user to see only one specific folder? you have to set “No Access” to Everyone group in 49 folders.

Solution:

To solve this, we have to set up Everyone group to View only the root folder and not the subfolders.

Log into the Central Management Console (CMC), and go to Folders. Click on All Folders, click on Manage / Top-Level Security / All Folders. Click OK at the pop-up box.Select the Everyone Group, then “Assign Security” button.Click in “Advanced” tab.Then, click Add/Remove Rights.

Find the setting for View Objects. Choose exactly the following settings (do not check Sub Objects option, that’s the trick!!)Nobody has access to any folder unless they belong to user group that has rights to that folder. The only folder the user can see at this moment using BI Launchpad is the root folder.

Now, we need to create folders and user groups and assign them to users.

Create New Folders

Access BO Central Management Console and select “Folders”.Click on “Folder” button or go to menu Manage / New / Folder.There will be created two folders to show how authorization works in the next steps.

Create a User Group

Access BO Central Management Console and select “Users and Groups”.Click on “Create a Group” button or go to menu Manage / New / New Group.Indicate the group name, description, and click “OK”.New user group is created.

Grant User Group access to a Folder

Access BO Central Management Console and select “Folders”.Right click on the folder you want to assign a User Group and select “User Security” option.Click on “Add Principals”.Select the User Group you want to have access to this folder.Click on “Add and Assign Security”.

Select the access level “View” and “View on demand” and click “OK”.

A quick explanation about the difference between the two access levels:

View On Demand View
On-demand reporting gives users real-time access to live data, straight from the database server. For instance, if the managers of a large distribution center need to keep track of inventory shipped on a continual basis, then live reporting is the way to give them the information they need. To reduce the amount of network traffic and the number of hits on your database servers, you can schedule reports to be run at specified times. For example, if your sales database is updated once a day, you can run the report on a similar schedule. Sales representatives then always have access to current sales data, but they are not hitting the database every time they open a report.

Let’s move on.Now, users assigned to the User Group “Z_TEST_GROUP” will have access to the folder “01.Test” and its objects.

Assign users to user groups

As last step, we need to assign the users to the User Group Z_TEST_GROUP, so that they have access to the folder “01.Test”.

Access BO Central Management Console and select “Users and Groups”.

You can do it in two different ways:

  • Go to user, right click and select “Member of”. Then select the user group.
  • Go to user groups, right click and select “Add member to Group”

I prefer using the second option because you can add many users to the user group at once.After selecting the users, click “OK”.Now we have the configuration done, and the scenario is:Therefore, the expected result is the user TEST_ACCESS2 to be able to see only the folder “01.Test” in the BI Launchpad.Just to recap, there are many other folders created in the system, but the user can only see the folder we allowed.

 

Now you know how to create new folders and manage the accesses to them by configuring and assigning user groups. You can also configure the root folder (Public Folders) accordingly to show only the folders that you assigned with proper authorization.

Images credit: the screenshots have been taken from a test system.

I hope it helps!

Be the first to leave a comment
You must be Logged on to comment or reply to a post.