Microsoft Drive support in SAP BusinessObjects 4.3 SP03 Release

This blog is about Microsoft OneDrive support in the  BI Platform with the SAP BusinessObjects BI 4.3 SP03 release.

As you know, SAP BusinessObjects support Azure authorization servers on OAuth 2.0 protocol in 4.2 SP02. More information you can find here

Steps to Configure Authorization Configuration: 

1. 1. Launch and log in to Central Management Console as an Administrator
   2. In-Home Page, click on the “Applications” section under the Manage column
   3. In Applications, double click on “Authorization Server Configuration” application
   4. In the “Authorization Server Configurations” pop-up window, Click on either “Manage >  New Authorization Server Configuration” in the top menu bar or click the “Create a New Authorization Server Configuration” toolbar icon.
   5. Fill in the following parameters in “Create an Authorization Server Configuration”:
      • Reference Name – Choose a unique random string and enter the same to identify the configuration, to recognize and choose the configuration in different workflows for achieving Authorization-based SSO.
      • Description (Optional) – Enter any statement and keywords to describe and quickly identify the configuration out of the list of available configurations.
        • Note: Following fields are specific to “OpenID Connect Authentication” and are not required for Authorization SSO; you do not need to enable these unless this configuration is required to serve for OpenID Connect Authentication.
          • A checkbox with the following label “Enabled for “OpenID Connect” Authentication.”
          • Issuer URI
          • JSON Web Key Sets URI (jwks_uri)
          • ID Token Signing Algorithm
      • Authorization Endpoint – Enter the URL of the authorization server with which one can get the authorization grant
      • Token Endpoint – Enter the URL of the authorization server, with which one can request an access token by exchanging the authorization code
      • Client ID – Enter the name of the Application which is used to register BI Landscape with the Authorization Server
      • Client Secret – Enter the specific secret code corresponding to the Application which is used in registering the BI Landscape with the Authorization Server
      • Redirect URL – Enter the URL of the BI Landscape endpoint to which the authorization code has to be sent by the Authorization server after successfully validating the authorization. For this purpose, a new endpoint has been introduced in the REST API of the BI Platform, i.e. /oauth2/callback. Hence the URL should be as follows: https://<hostname: port>/biprws/v1/oauth2/callback.
        • Note:
          • Here the hostname will be the system name hosting the BI landscape application server, where RESTful web services application (biprws) is deployed. And port will be the SSL port of the application server.
          • And the same URL should be configured while registering the application (client app to register BI Landscape) on Authorization Server (OAuth Server) as the value for the callback URI.
      • Revocation Endpoint (Optional) – Enter the URL of the authorization server, with which the application can request the revocation of all previously issued Access Tokens through a specific Refresh Token
      • Authorization Scope – offline_access OpenID email Files.ReadWrite.All
      • Type of Resource –
        • Microsoft Drive enables support of Microsoft One Drive /Share Point/ Microsoft Teams.
      • Custom Parameters (Optional) – Enter any custom parameters required to send while requesting the authorization based on any custom requirements (if needed) of the Authorization Server being configured.
        • Note:
          • The name of the custom parameter should be unique in the configuration
          • At maximum 5 custom parameters are allowed to be configured in any Authorization configuration
   6. After filling in all the required parameters, click the OK button to validate the details and save the configuration. And the configuration will be saved as a system object in the repository with the kind “AuthorizationReference “. And you can refer to the configuration in all supported scenarios with its “Reference Name “.

Steps to Enable Microsoft Drive Destination in Job Server

1. 1. Launch and log in to Central Management Console as an Administrator
   2. Open servers page
   3. In the Job Server Destinations, Select “Microsoft Drive “

  Steps to Generate Token in  BI Launchpad

1. After the successful Creation of the Microsoft Authorization server configuration, launch BI Launchpad and login
2. Navigate to Settings by clicking on the same from the drop-down menu under the user icon in the top right corner
3. In the Settings pop-up window, navigate to the Authorization Tokens tab in the User Account section.
4. Click on the Generate button under the Manage Tokens column, which is against the  Microsoft Authorization Reference saved above
5. As per your organization policy, based on the Authorization configuration in your authorization server, either the account validation will happen based on the certificates configured in the system, or you will be challenged with the user name, password and/or multi-factor authentication challenges based on the configuration settings, answer those challenges
6. Once the credentials/certificate is successfully validated, then BI Platform should have received the Refresh Token, and it should have been stored securely in BI Platform Repository against the BI Platform user currently logged in; once all this is successful, then you should see the following changes in the Authorization Token tab:
   • In the Expires On column against the Authorization Reference from where you clicked on the “Generate” button, you should see the expiration value for the Token issued by the Authorization Server. If your Authorization Server gives a Token with no expiry, the column value will be updated as “No Expiry. “
   • And also, under the Manage Tokens column, you should see a Delete button appearing next to Generate button.
     • The Delete button is to delete the token issued by the Authorization Server, and this deletion is not limited to deleting the ticket from the BI Platform repository storage. Still, it can also be propagated to the Authorization Server based on the configuration and support.
     • That means if the optional parameter Revocation Endpoint is filled with the proper URL based on your Authorization server’s support for the same, then the issued token will be revoked at the Authorization server level and cleared from the BI Platform repository storage.
7. Suppose the token is issued and the Expires On column is updated according to the token’s expiry. In that case, the configuration is working and ready for BI Developers’ and end users’ consumption.

Scheduling to Microsoft Drive:

To Schedule the report to Microsoft Drive, the user can choose “Microsoft OneDrive “as the destination.

Users can browse the One drive folder.

OneDrive window displays Two options:

1. OneDrive: it shows the user’s personalized OneDrive content
2. Shared with me: if BI Administrator configured a shared folder under Microsoft Teams, Microsoft share point or Microsoft OneDrive, it would display under the “Shared with me” folder.

The following drive browsing page is native to BI Launchpad and the same experience you can get while browsing Google Drive, which has been supported since BI4.3 SP02.

Sending Documents to Microsoft Drive In BI Launchpad:

Similarly, like scheduling, user can send documents  directly to Microsoft drives in BILaunchpad using the “Send To “Option

Important Note: “Sent To “functionality is not supported for WebI documents

Access Rights for Microsoft Drive:

Individual rights are provided to restrict the users from accessing Microsoft Drive while scheduling.

Access Rights for “Sent to Microsoft Drive”:

Similarly, like scheduling, administrators can restrict users using the “Send To” functionality in BI Launchpad.