BusinessObjects XI R2 11.20 EPM Performance Suite Profitability Administration & Security Guide BusinessObjects XI R2 11.20 Windows
Patents Trademarks Copyright Third-party Contributors Business Objects owns the following U.S. patents, which may cover products that are offered and sold by Business Objects: 5,555,403, 6,247,008 B1, 6,578,027 B2, 6,490,593 and 6,289,352. Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and other countries. All other names mentioned herein may be trademarks of their respective owners. Copyright 2007 Business Objects. All rights reserved. Business Objects products in this release may contain redistributions of software licensed from third-party contributors. Some of these individual components may also be available under alternative licenses. A partial listing of third-party contributors that have requested or permitted acknowledgments, as well as required notices, can be found at: http://www.businessobjects.com/thirdparty
Contents Chapter 1 Chapter 2 Chapter 3 Chapter 4 Administration in EPM...3 1.1 Introduction...4 Application Security...5 2.1 User Security Features...6 2.2 Users & Groups...6 2.2.1 System Administrator...6 2.2.2 System Defined User Groups...7 2.2.3 User Group Security Licenses...8 2.2.4 User Group Security Access Levels...10 2.2.5 Creating a new Group...10 2.2.6 Creating and Maintaining Users...10 2.2.7 User & Group Maintenance Information and Management...15 2.3 User Model Access...17 2.4 Password Security...19 2.4.1 Strong Passwords...19 2.4.2 Password Expiry...19 2.4.3 Configuring Login Failure Count...19 2.5 System Login Options...20 2.5.1 EPM Standard Security...20 2.5.2 Single Sign On...20 2.5.3 Web Security...20 Model Security...23 3.1 Model Security Features...24 3.2 Group/Dimension Security...24 3.3 Security Descriptors...25 3.3.1 Action Access Security Group...26 3.3.2 Field Access Security Group...26 3.3.3 Dimension Access Security Group...26 3.3.4 Report Task Access Security Group...27 3.4 Group / Descriptor Assignments...27 3.4.1 Security Access Levels...28 3.4.2 Security Access Interactions...29 3.5 Books Security...29 3.5.1 Books Action Access...29 3.5.2 Home Pages/Default Books...29 3.5.3 Book Security Assignment...30 3.6 Security Export...30 Managing Models...31 4.1 Model Administration...32 4.2 Access to Model Administration...32 4.3 Model Management functions...34 4.3.1 New Model...34 4.3.2 Open Model...34 4.3.3 Copy Model...34 4.3.4 Rename Model...34 4.3.5 Delete Model...34 4.4 Modify Model Properties...35 4.4.1 Amend Model Description...35 4.4.2 Change Model Server...36 BusinessObjects Administration & Security Guide 1
Contents Chapter 5 Chapter 6 Appendix A 4.4.3 Enable/Disable Model...36 4.4.4 Audit Model...36 4.5 Partitioning...36 Language Capabilities...37 5.1 Localization Issues...37 5.2 Managing Data Aliases...37 EPM Monitor...37 6.1 Monitoring Current Usage...37 6.2 User Details...37 6.3 Logging off a User...37 6.4 License Details...37 Business Objects Information Resources...37 A1. Documentation and information services...37 A2. Documentation...37 A3. Customer support, consulting and training...37 A4. Useful addresses at a glance...37 Appendix B Security Descriptor Definitions...37 B1. Action Access Security Group Definitions and Security Levels...37 B2. Field Access Security Group Definitions...37 B3. Dimension Access Security Group...37 B4. Report Task Access Security Group...37 Index...37 2 BusinessObjects Administration & Security Guide
Administration in EPM
Administration in EPM 1 Introduction 1.1 Introduction EPM is a powerful financial modeling tool that uses the latest technology to make budgeting, forecasting and forward planning both responsive and simple to control. It is one of the main components in the Business Objects Enterprise Performance Management suite that has been assembled to provide for all aspects of strategic planning. EPM has been designed to operate in a web environment with an international user community. These users require a diverse range of security privileges to the various financial models used by any company. Administrators are responsible for creating and maintaining this user security, for managing the financial models and for supporting the international language requirements within an organization. Security in EPM is broadly managed on two levels, one being application security for individual users which is applied across all models in the database, and the other being model security, in which case settings are specific for each model. Other administrative functions within EPM include the management and maintenance of models, and setting options for viewing dimension items in alternate languages or codes through the use of aliases. Additionally, an administration utility is available on the EPM server for monitoring and controlling users connected to the EPM suite. The functionality available to an Administrator is described in the following topics: Application Security Model Security Managing Models Language Capabilities EPM Monitor Users that are not Administrators can perform some of these functions, but only if an Administrator has given them the security privilege to do so (see 3 Model Security). 4 BusinessObjects Administration & Security Guide
Application Security
Application Security 2 User Security Features 2.1 User Security Features Security in EPM is assigned to users through User Groups. User Groups can be thought of as holding a collection of users with identical functions and security access levels. This section describes how to set up users within appropriate User Groups, together with their password and login requirements. The user security settings apply to all models across the system. Tip: When setting up security in EPM it is useful to start from a User category point of view and create relevant User Groups rather than trying to tailor Groups around a specific user s requirements. This will provide greater flexibility in the long term. The following sections describe the procedures for setting up User Groups and Users, together with user access to applications and models via security settings, passwords and login options. Users & Groups User Model Access Password Security System Login Options 2.2 Users & Groups User access to each model is controlled by User Group model specific security settings. Therefore when setting up security in EPM, it is useful to start by defining the access requirements at the User Group level. There are five system defined user groups, and any number of additional groups may be created as required (see section 2.2.5). EPM is supplied with a default system administrator who is a member of every system defined group and has access to all models and settings. Users and Groups are discussed in the areas detailed below. System Administrator System Defined User Groups User Group Security Licenses User Group Security Access Levels Creating a new Group Creating and Maintaining Users User & Group Maintenance Information and Management 2.2.1 System Administrator EPM is supplied with a default Administrator user when first installed. This Administrator user is a super user that always has full access rights to all system facilities and models. For greater security, this system-defined user should be renamed and the default password changed. It is recommended that you create administrator users specific to your organization rather than use this default Administrator user which is intended for the initial setup. This default user does not use any of the license allocations that will have been purchased for EPM and can be unassigned from any User Group which is not needed (e.g. End Users). 6 BusinessObjects Administration & Security Guide
Application Security Users & Groups 2 2.2.2 System Defined User Groups Five system-defined User Groups exist in EPM. These are system generated on installation and are used to define basic user types and thereby automatically allow or restrict access to different forms of the EPM application. These system-defined User Groups are distinguishable from user defined groups by their uppercase lettering with accompanying icons. Tip: It is useful to think of these system-defined User Groups in terms of attaching basic user functionality and to create additional User Groups (see 2.2.5) to allocate more specific User security access levels (see 2.2.4). Every new user automatically belongs to the Everyone group, and will need to be made a member of another group to gain access to an EPM application. Each of the system-defined groups is discussed below: Everyone Administrators Modelbuilders Bookbuilders Endusers 2.2.2.1 Everyone All users must belong to this group. The Everyone group defines a basic level of access to different functions, values and general dimension attributes in EPM. Access levels are cumulative for any other groups to which a user belongs, so the Everyone access levels should be left at a basic level while additional groups should be used for defining higher access levels. 2.2.2.2 Administrators An administrator can: Create and manage models Create and manage users and groups Create security descriptors and allocate security options Create and unlock Books Create Item Properties Create Aliases View Model Security and Security Alerts Perform all other actions and edit all items within EPM dependent on which license type is inherited through additional group membership. This restricts access according to principles outlined in each user group below for each user. Membership of the Modelbuilders, Bookbuilders or Enduser group gives access to the corresponding Model Building application, Book Building application or Enduser interface respectively. See the corresponding section for more information on each of these role types. Modelbuilders Bookbuilders Endusers By default Administrators have full access to all Dimensions and Security Descriptors. This level of access cannot be altered. BusinessObjects Administration & Security Guide 7
Application Security 2 Users & Groups 2.2.2.3 Modelbuilders Model Builders primarily have access to the Model Builder application. A member of Modelbuilders inherits a Model builder license and Enduser functionality. This allows potential access to almost all components of EPM. A Model Builder, given the correct access can potentially: Manage Models Import and Export data Edit Dimensions items Perform Dimension assignments Build and save Grid layouts Create and edit Books Perform Driver Analysis Access Books over the web Note: Model Builders cannot access the Book Builder application as their license is not suitable for this form of EPM (see 2.2.3.1 for more information). 2.2.2.4 Bookbuilders Membership of the Book Builder group gives users access to the Book Builder application. A member of Bookbuilders inherits a Book Builder license and an Enduser license. This allows potential access to a more targeted set of functions which are useful to users who build books. A Book Builder can potentially: Build and export layouts in the View Builder Create and edit Books Access Books over the web Note: Book Builders cannot access the Model Builder application as their license is not suitable for this form of EPM (see 2.2.3.2 for more information). 2.2.2.5 Endusers Membership of the Enduser group gives users access to published Books over the web or through the Book Viewer application. The books which are available to Endusers are specified by either an Administrator or Modelbuilder. Access can also be determined by membership of additional user defined User Groups. This ensures that Endusers can only see these Books, and the grids they contain which are relevant to them. An Enduser can: View information within Books in the form of grids, reports and charts. View and edit data Select which Data Alias to use for viewing information Select which currency monetary values are displayed in View Model alerts Note: Endusers have no access rights to the EPM Win32 client (Book Builder or Model Builder applications). See 2.2.3.3 for more information on End User licenses. 2.2.3 User Group Security Licenses EPM is divided into three main applications comprising of a Model Builder application, Book Builder application and End User interface. Membership to one of these User Groups is compulsory in order to 8 BusinessObjects Administration & Security Guide
Application Security Users & Groups 2 access the relevant part of EPM. Access to these applications is determined using the system predefined User Groups. System predefined User Groups have an additional purpose other than to physically restrict access to specific Security Descriptors. These User Groups are also linked to license types which are utilized in defining user roles at the base level. Such user roles are defined to a certain extent in terms of which particular form of EPM application you may access. Licenses are inherited according to User Group membership with some User Groups inheriting more than one type of user license. These are detailed in each section below. Model Builder Access Book Builder Access End User Access Administrator Access 2.2.3.1 Model Builder Access A member of Model Builders automatically inherits a license to access the Model Builder application including Books in addition to the web interface. See 2.2.2.3 for more information on Model Builders. (A Model Builder may be involved in creating Books as well as model structures and may therefore wish to preview Books over the web). Note: A Model Builder cannot access the Book Builder application but is given access to all Book building functionality through the Model Builder application. 2.2.3.2 Book Builder Access A member of Book Builders automatically inherits a license to access the Book Builder application in addition to a license to access the web interface. See 2.2.2.4 for more information on Book Builders. (A Book Builder may want to preview newly created Books over the web interface to ensure that they appear to an acceptable standard). Note: A Book Builder cannot access the Model Builder application but instead is given access to the Book Builder application which contains all Book Building functions including the View Builder in addition to general EPM functions. 2.2.3.3 End User Access A member of End Users only inherits a license permitting them to access the EPM web interface or Book Viewer application. See 2.2.2.5 for more information on End Users. Note: An End User cannot access either the Model Builder or Book Builder EPM application due to their license restrictions. An End User can only login and access EPM through a web enabled Book. 2.2.3.4 Administrator Access A member of Administrators inherits an Administrator User license permitting them to perform certain administration functions such as basic user security, model security and partitioning. When this access is combined with a Modelbuilder license then the user will have Full Access to all aspects of the Modelbuilder application and Web use. This will allow a user to assign specific security to dimension items and user groups within all models they have access to depending on Model Security. See 2.2.2.2 for more information on Administrator users. BusinessObjects Administration & Security Guide 9
Application Security 2 Users & Groups 2.2.4 User Group Security Access Levels Security access for each user group is controlled by Security Descriptors and these are described in more detail in section 3.3 as part of Model Security. However, before defining your users and groups, it is important to understand how access levels for groups can be applied to suit your requirements. Individual users inherit the security levels assigned to each of the groups to which they belong for a specific model. Where a user belongs to more than one User Group they inherit a combination of the widest security permitted within all of the User Groups. For example, if the Administrators group has No Access to Maintaining Users and a User Maintenance group has Full Access, a user who is a member of both groups will attain Full Access to Maintaining users. For licensing purposes, some tasks require users to be a member of one of either of the Administrators, ModelBuilders or BookBuilders groups, in order to perform the operation. However, every user does not need to be permitted the access levels that are assigned to these predefined groups by default, if this is not required. For example, the default access level to Create Model Security is Full Access for Model Builders. To allow users to open the Model Builder application but prevent them from creating new models, change Create Model Security access to No Access for Model Builders. Now you can have users that belong solely the ModelBuilders group, who can open the Model Builder application without being able to create new models. Next, create another new User Group and assign it Full Access to Create Model Security. Thus, you can have other users belonging to both the ModelBuilders group and the newly created group, who can open the Model Builder application and also create new models. 2.2.5 Creating a new Group Groups are used to assign security access permissions. They allow you to define types of users with common access permissions to data and actions in EPM thus saving time when adding users with common requirements. Any number of groups can be defined. To create a new Group, select Tools Security Users and Groups. Once in the User and Group Maintenance screen, hover the cursor in the Groups area and right click to bring up the Context Menu. Select Add New Group from the menu. A default group name is inserted in an editable box, into which you should enter the name required for the new group. There is no minimum limit on the number of characters in a Group name. A group name may contain spaces, mixed case letters, alphanumeric and non-alphanumeric characters. Once you have entered a group name it will appear in the Groups list. You may then want to create new Users (see 2.2.6 for details) and assign them to existing User Groups (see 2.2.6.2 for details). 2.2.6 Creating and Maintaining Users The User and Group Maintenance screen is accessed by selecting Tools Security Users and Groups. Using this screen, administrators can create new users and carry out basic security 10 BusinessObjects Administration & Security Guide
Application Security Users & Groups 2 administration tasks for users such as assigning them to groups, enabling or disabling user accounts and resetting passwords. User Properties are maintained which hold individual user details and options for password protection. The Default Model Group option provides additional security as it allows a user group to be associated with an individual model builder that will subsequently control access for all users to models created by that individual. Creating a New User Assign User Groups User s Default Model Group Password Reset Password Properties Account Enable / Disable Tip: Password protection can be further configured to ensure the use of strong passwords and to cause passwords to expire at set intervals, by applying settings in System Properties (see section 2.4 for further information). 2.2.6.1 Creating a New User Only members of the administrator group can access the security screens and create new users. To create a new User, select Tools Security Users and Groups. Once in the User and Group Maintenance screen, hover the cursor in the Users area and right click to bring up the context menu. Select Add from the menu. A default user name is inserted in an editable box. Enter the required User name in this field. User names can contain spaces, mixed case letters, alphanumeric and non-alphanumeric characters. A user name must be at least 1 character and is not case sensitive. Once a user is created the username will appear in the Users list. When a user is highlighted their user group assignments are displayed in the screen. By default a new user belongs to the group Everyone. Once a new user has been created a warning is displayed indicating that a random password is generated for that user. In order that the new user can enter EPM their password must be reset from the random system password. Administrators can reset user passwords at any point (see 2.2.6.4 for further information). Select Reset Password(s) from the right-click context menu in the Users window. An edit box will pop up prompting you to enter a new password and confirm this password. Select OK to set the new password. BusinessObjects Administration & Security Guide 11
Application Security 2 Users & Groups Tip: Several user passwords can be reset simultaneously if the reset passwords are identical. To do this select the Users to be reset and right-click to bring up the Context Menu then reset the user passwords in the normal fashion. If you have just created a new user they now need to be assigned to the desired User Groups (see 2.2.6.2), and the user s Default Model Group may also be set as required (see 2.2.6.3). For details on creating a new User Group see 2.2.5. 2.2.6.2 Assign User Groups Users must be assigned to Groups to inherit security settings and allow access to EPM. A user can be assigned to more than one Group in which case they will inherit the widest level of security access assigned to each of the security descriptors (i.e. least restricted). To assign a user to a group, select Tools Security Users and Groups. In the User and Group Maintenance screen, users are assigned to groups by selecting the required users(s) and selecting the check box adjacent to the relevant group. Similarly User Groups are unassigned by clicking on a checked box so that it is cleared. 2.2.6.3 User s Default Model Group Default Model Group allows a user group to be associated with an individual model builder. This is located by selecting Default Model Group from the right click context menu on the Users window of the User and Group Maintenance screen (see 2.2.7). The default setting for Default Model Group is Modelbuilders, which would give all members of the Modelbuilders group access to all new models. However, an individual user may be assigned to an alternative Default Model Group if required, and new models subsequently created by that user may only be accessed by users that are members of this group. This would be useful, for example, if you wished to create a model that should only be accessed by members of a User Group named European Model Builders. For the user that is to create the model, you would set the Default Model Group to European Model Builders. Once the model has been created by this user, it can then only be accessed by users who are members of the European Model Builders group. 12 BusinessObjects Administration & Security Guide
Application Security Users & Groups 2 Access to models is therefore controlled by membership of the Default Model Group, rather than on the basis of being a Model Builder. This allows more than one Model Builder to work within a system without having access to all the models present. (Administrators can see all models by default.) The model security access will remain associated with a model, regardless of whether it is copied, and this may only be amended by an administrator. Note that the act of allocating a default model group to a user does not automatically make this user a member of the group and they will need to be assigned to it manually (see section 2.2.6.2). The group access for a model can be seen on the Model Administration Security tab (see 2.3) and this screen can be used to change the access if required. 2.2.6.4 Password Reset An administrator can reset user passwords at any point. Reset Password is located on the right click context menu on the Users window of the User and Group Maintenance screen (see 2.2.7). Multiple users can be reset at the same time, providing the password is to be the same across all users. Note: The default Administrator password cannot be reset using this screen. This user password can only be reset by the Administrator using the change password function in Tools Change Password. When a user s password needs to be reset, this state is denoted by a symbol next to the user name. The most likely circumstances that would require a user s password to be reset are: When users are first created (as a random password is set for new users) When users are imported into a database with a model, as user passwords cannot be exported from the original model. Alternatively a user may forget their password and need it to be reset without having been locked out of EPM. An administrator can in this case reset a user password using the procedure outlined above. Passwords can contain spaces, mixed case letters, alphanumeric and non-alphanumeric characters and are case sensitive. The default minimum password length is 5 characters. Password properties such as minimum password length and keyboard combinations (strong passwords) are defined on the System Properties Security tab (see section 2.4). After resetting the user s password, the administrator can set the User Properties to force the user to change their password when they next login (see section 2.2.6.5). 2.2.6.5 Password Properties The options on the User Properties General tab allow the administrator to set individual user password options. This tab is located by selecting Properties from the right click context menu on the Users window of the User and Group Maintenance screen (see 2.2.7). The Security Identifier (SID) may be stored against a user in the EPO system as an alternative means of User access, instead of the Username and Password. The use of SIDs increases the security of SSO integration, as a SID is not easily identifiable with a specific user. When a SID is used to log in, the Windows Client user interface and Web user interface will display the Username, rather than the SID. Password expiry can improve security by forcing users to change their password at set intervals. By default when new users are created the Password never expires property is switched on. Expiry Interval and Expiry Warning interval are configured in the System Properties window (see section 2.4.2 for further information). BusinessObjects Administration & Security Guide 13
Application Security 2 Users & Groups The user properties window enables a number of password settings to be configured. User must change password at next login forces the user to reset their password when first logging on to the system. It is required if the user is to be forced to change their password once it has been either set at creation time or reset at any other time. User cannot change password should only be set if the Administrator intends to manage all user password changes or in conjunction with the Password never expires option. Password never expires is the default setting when a new user is created. This should be left enabled if the password expiry security is not required. Account is disabled provides the same functionality as the disable account function on the User context menu (see 2.2.6.6). 2.2.6.6 Account Enable / Disable To enable an account simply select the user in the User panel of the User and Groups Maintenance screen (see 2.2.7). A disabled account is denoted by a red cross next to the user name. Right click to bring up the context menu. Select Enable Account(s) and the account will no longer appear to be locked out. This function is useful when a user has disabled their account through too many unsuccessful login attempts. The number of unsuccessful logins allowed is held in System Properties (see 2.4.3). This value is normally set to 3 and a user account is automatically disabled after the fourth unsuccessful login attempt. Once this occurs the user must contact an Administrator to enable their account again in the Users and Groups screen. Similarly a user s account will become disabled if the user fails to change their password before the number of days set in the Password Expiry Interval (see 2.4.2). Alternatively, a user account may be set to disabled if you want to deny them access (perhaps they no longer need to use the system). To do this, select the user name and bring up the context menu as above. Then select Disable Account(s) and the selected account will be disabled and appear with a red cross next to the user name. The account Enable / Disable functionality is also found on the Properties screen, which is selected via the Properties option on the Users context menu. 14 BusinessObjects Administration & Security Guide
Application Security Users & Groups 2 2.2.7 User & Group Maintenance Information and Management Users and Groups are created and maintained via the User and Group Maintenance screen. This is accessed by selecting Tools Security Users and Groups. By default the left-hand area contains the user names, the middle area contains User Groups and the right-hand area displays user information. The Users and Groups sections can be swapped using the context menu to allow an alternative focus displaying members according to Group membership. Information about a user is displayed when a user is selected in the Users area. There are two main areas of additional features on the User & Group Maintenance screen. These are the information panel down the right-hand side and additional features on the Context Menu. User & Group Maintenance Information Panel User Context Menu Group Context Menu Users & Groups Sorting 2.2.7.1 User & Group Maintenance Information Panel The Security screen has an information area to the right of Users and Groups. This area displays information about a selected User. A user must be selected for any information to appear in this screen. Standard user information available in this screen is the user name, when the user was created, who the user was created by, email address (for use in additional EPM applications such as Work Manager) and user group membership. BusinessObjects Administration & Security Guide 15
Application Security 2 Users & Groups If multiple users are selected in the user screen their user information is displayed in order in the user information area. This panel can be minimized by selecting the area between the two arrows in the cross bar dividing the areas. Similarly select the same area at the right hand side of the window to display the User information panel when it is minimized. 2.2.7.2 User Context Menu The User Context Menu contains the main functions required to manage Users. Add New User inserts a new User with an initial default name (see section 2.2.6.1 for more information). Delete User(s) allows you to delete one or more selected Users in the panel. Reset Password(s) allows you to reset one or more selected User passwords (see 2.2.6.4 for further details). Rename allows you to rename a selected user. Enable Account(s) allows you to enable a user account which has been locked out after too many unsuccessful login attempts (an account is locked on the fourth unsuccessful login attempt see 2.2.6.6 for further details). Disable Account(s) allows you to disable a user account which will prevent that user being able to login to EPM (see 2.2.6.6 for further details). Properties - the options on the General tab allow the administrator to set individual user password options and enter Full Name, Description and E-mail data (see section 2.2.6.5 for details on security options). The Member Of tab shows Group Membership for that user. Default Model Group allows you to specify a user group to which all new models created by that user will be assigned (see 2.2.6.3 for further details). Swap User / Group Focus swaps the position of Users and Groups on the screen for personal preference. 16 BusinessObjects Administration & Security Guide
Application Security User Model Access 2 2.2.7.3 Group Context Menu Add New Group allows you to add additional groups which initially have a default group name to be to be edited (see 2.2.5 for more information). Delete Group(s) allows you to delete one or more selected groups. Rename allows you to edit an existing group name. Filter on Membership allows you to filter the groups viewed. If this is checked only the groups to which a selected user is assigned will be displayed in the Groups panel. Swap User / Group Focus swaps the position of Users and Groups on the screen for personal preference. 2.2.7.4 Users & Groups Sorting User names and Group names can be sorted in alphabetical order in their respective panels by selecting their column headers. The order in which they are sorted is denoted by the arrow in the column header. Note: The Groups panel is sorted slightly differently to the Users panel as the predefined User Groups are grouped together followed by user defined Groups. 2.3 User Model Access The Security tab on the Model Administration screen is only available to administrators (see 4.2). Model Security restricts access to models according to the User Group that a model is assigned to. To be able to view a model in the Select Models screens in the Windows client or the Web, a user must be a member of a User Group assigned to that model. Without being assigned to an appropriate group, the user is effectively denied access to the model. Security access is assigned to each Model created within EPM according to User Group membership. By default a model is created with Administrators and Modelbuilders access only. This will not be the case if the user that created a model has been assigned an alternative Default Model Group (see section 2.2.6.3) BusinessObjects Administration & Security Guide 17
Application Security 2 User Model Access In order for members of any other groups to access the model an Administrator must assign each Group security access within the Model Security tab in Model Administration. A user who is a member of several User Groups will have access to see each model that Group is assigned to. Further security restrictions can then be assigned within each model as outlined in section 3.4. All columns within the Model Security screen are sort-able and the Group / Model focus can be switched, in a similar manner to the Users and Groups screen, to allow security assignments to be viewed in a variety of manners. Sorting is denoted by an arrow in the column header. It is also possible to view Models according to the Users assigned to them using the View Models by User button within the Model Security screen. Selecting this will allow an Administrator to select a User name and to see which models that user has access to. 18 BusinessObjects Administration & Security Guide
Application Security Password Security 2 2.4 Password Security The System Properties window is accessed via Tools Security System Properties. The Security tab provides system level options for password control that may be set by an administrator: The default minimum password length may be specified as required. Other options for password properties are: Strong Passwords Password Expiry Configuring Login Failure Count 2.4.1 Strong Passwords Strong password protection ensures that users are forced to use a combination of letters and numbers or keyboard symbols when creating a login password. This is configured in the System Properties window accessed from the Tools Security System Properties window. 2.4.2 Password Expiry Password expiry can improve security by forcing users to change their password at set intervals. The Password Expiry settings are held on the System Properties window accessed from the Tools Security System Properties window. The Password Expiry Interval is set to 90 days by default whilst the minimum value that can be set is 30 days. The Password Expiry Warning is the number of days before a password is due to expire that will cause the user will be prompted to change their password. With the correct privileges a user can reset their password at any time and the expiry period will be reset. If the user fails to change their password before the expiry date the account will become disabled and will need to be reset by an administrator (see section 2.2.6.6). 2.4.3 Configuring Login Failure Count It is possible to configure the number of login failures before a user account is locked. This is set on the System Properties window accessed from the Tools Security System Properties window. The minimum value is 3 attempts, which is also the default setting. Once a user account is locked, only an administrator can reset it (see section 2.2.6.6). BusinessObjects Administration & Security Guide 19
Application Security 2 System Login Options 2.5 System Login Options EPM can be configured to use either EPM standard security or can be integrated with Windows NT LAN Manager (NTLM), Windows Active Directory or LDAP compliant systems to allow Single Sign on (SSO). In addition it is possible to integrate logins over the web with Web Security directory services. EPM Standard Security Single Sign On Web Security 2.5.1 EPM Standard Security This is the default. Only those users created by the EPM administrator and stored in the EPM database can log into EPM suite applications, dependent on their assigned roles. 2.5.2 Single Sign On A user login that matches the user s Windows login must have been created in EPM. If the windows and EPM logins match and the roles assigned to that user permit access then EPM applications will open without requiring the user to enter a login and password. User logins created in EPM do not require a password as the user has already been authenticated. However configuring passwords will permit a user to bypass SSO and access applications using EPM standard security. This maybe useful, in the first instance, in order to logon as administrator and create EPM logins that match a user s Windows login or where a user wishes to gain access using a different login or when the machine is not networked. Bypassing SSO is done by holding down the Shift key whilst clicking the Login icon, which will cause the default Login screen to appear. It is possible to install EPM with the following login options. Windows NT Security - A user s access is determined by authentication against a windows domain via NTLM. Microsoft Active Directory Security - EPM access is determined by user authentication against the Active Directory service for the domain. LDAP Security - EPM access is determined by user authentication against an LDAP compliant directory service. Tip: If logging onto the Web through SSO fails for any reason, then provided that Enable Secondary Logon has been set during EPO Configure, the usual login form will be displayed. If the configuration option has not been set, then an error message will be displayed. To use the override procedure, cancel the login dialog or any error message then, while holding down the Shift key, click on the Refresh icon or the GO button. You will then be able to enter the required username and password. 2.5.3 Web Security EPM login can be integrated with Web security to allow SSO access to books viewed over the web. The following is guidance for the System Administrator in order to allow EPM security to be integrated with Web security. The following steps assume you have set up a Form based Authentication scheme which is used in the Policy Domain protecting the IIS EPM web resources: 1. In the COREid Access Manager locate the Policy Domain that was created to protect the Resource for the IIS EPM Directory. 2. Select the Policy and select the Default Rules Tab. 3. In the Authentication Rule > Actions Tab, Select Add. 20 BusinessObjects Administration & Security Guide
Application Security System Login Options 2 4. In the Redirect To box for the Authentication Success enter the hostname and path to book.asp, found in the EPM IIS files folder. e.g. /epo/book.asp 5. Click Save. 6. In the Authorization Rules Tab, Select the Actions Tab. 7. Select Add. 8. In the Authorization Success Return Section, add a Return Attribute with the following properties: Type: HeaderVar Name: [header var name] (the default value used in the EPM Configuration Wizard i.e. EPMSSO). If a SID (Security Identifier) has been provided for the user, this will be used in place of the Username value. For details of SIDs, see 2.2.6.5 Password Properties. Return Attribute: [Attribute name] e.g. cn Where [Attribute name] is the identifier that will be used to match the user names defined in EPM security, or an attribute that equates to the SID. 9. Click Save. 10. Ensure the Policy is enabled. The system should now be configured to allow SSO access to the EPM Web application. BusinessObjects Administration & Security Guide 21
Application Security 2 System Login Options 22 BusinessObjects Administration & Security Guide
Model Security
Model Security 3 Model Security Features 3.1 Model Security Features EPM allows a great deal of flexibility in the levels of security access that can be applied to different parts of the application. Security can be used to allow different levels of access to individual Dimension items, Grid Values, Books and actions in the Performance Optimization / Activity Analysis / IT Services Costing applications. Security access is allocated using Security Descriptors that are referenced by User Groups. Security Descriptors are labels that are attached to actions, data fields and specific components within a model. Security access levels are then assigned to these Security Descriptors to determine what users can do according to the User Groups they belong to. Different levels of security access are possible for different security actions, fields and dimension descriptors ranging from Full Access to No Access dependent on the particular Security Descriptor. Security Access Levels may be set for User groups in the Group/Descriptor Assignment screen which is described in 3.4. Users and groups are common to all models but Security Descriptors and Group assignment levels are on a per model basis (excluding the Model Administration actions). Therefore, if you have more than one model on the same database then users and user groups will be visible across all models; however security levels will not automatically be inherited across models. The exception to this is the administrator group, who automatically has full access to all security descriptors. Note: Only a member of the ADMINISTRATORS group can assign security within EPM. Group/Dimension Security Security Descriptors Group / Descriptor Assignments Books Security It is possible to export some model security settings to an XML file using the standard export procedure. For further information see: Security Export 3.2 Group/Dimension Security Group/Dimension security is intended primarily as a way of restricting access to certain parts of a dimension hierarchy. It is possible to set the default hierarchy level at which a member will be able to view a dimension. Setting a level will allow a user to see all elements at that level and below but nothing at a higher level. Note: Users and groups are common to all models but Group/Dimension access levels are set on a per model basis. Any user who is a member of the Administrators group can configure Group / Dimension security through the Group/Dimension Security screen which is accessed from the Tools Security menu. 24 BusinessObjects Administration & Security Guide
Model Security Security Descriptors 3 From the drop down menu the user selects the Dimension for which security is to be configured. All the existing groups are listed in the main section. To set a default access level the user highlights a group and then clicks the adjacent area under the Root Item column. This displays the hierarchy, including the attribute groups, for the selected Dimension. Apart from the Administrators and Everyone groups the default setting for all other groups is NONE. Whilst the setting for the Everyone group is set to be the top level item of the dimension then all parts of that dimension are visible to all users. In order to implement Group/Dimension security the setting for the Everyone group should be set to the lowest acceptable level of access for all users or set to none. Highlighting an element sets a default dimension for the group and the selection set by clicking outside the selection area. Changes are not finalized until the screen is closed. All the assigned levels for the selected group are summarized in a separate window on the right of the screen. 3.3 Security Descriptors Security Descriptors in EPM are used to assign security access levels to Groups. Security Descriptors are labels which can be assigned to actions, data fields or dimension elements and books within a model. Security access levels are then assigned to these Security Descriptors on a group by group basis to allow or restrict User Group access to various actions or elements within a model. Security is divided into four groups within the Security Descriptor screen. The Group level items in this screen can be expanded or contracted for display preferences by double clicking a selected Security group. The description for each security descriptor is displayed in the information area of the screen. BusinessObjects Administration & Security Guide 25
Model Security 3 Security Descriptors The descriptors in the Action Access and Field Access Security Groups are all pre-defined and may not be edited. The Dimension Access and Report Task Access Security Groups each contain a pre-defined descriptor which may be edited, and the groups may also have additional descriptors defined by an administrator for each particular model. Further information on the security descriptors groups is provided in the following sections: Action Access Security Group Field Access Security Group Dimension Access Security Group Report Task Access Security Group 3.3.1 Action Access Security Group Action Access Security Descriptors are predefined actions in EPM over which you may limit a user s access. For example security levels may be assigned according to the role of a user, especially where different levels of access are required within each role (e.g. View Builder, Book Builder, Model Builder). Action Access Security is only relevant for Win32 client users. Action Access Security is mainly divided into Import / Export, Books, Model Management, Driver Analysis, Assignment functionality, Password Access and Data Alias Access. Action Access Security Descriptors and their functions are listed in Appendix B Action Access Security Group Definitions and Security Levels. 3.3.2 Field Access Security Group Field Access Security Descriptors refer to Value fields as defined on Grid layouts. Different levels of user may need different levels of access to specific values. Field Access Security Descriptors can be used to restrict access to values displayed in both the Win32 client and End User. Field Access Security Descriptors and their functions are listed in Appendix B Field Access Security Group Definitions. Tip: Field Access security works in conjunction with Dimension Descriptor security. A user must have sufficient levels of access in BOTH of these groups to edit or view Values. 3.3.3 Dimension Access Security Group Dimension Access Security Descriptors are definable security labels which can be applied to almost any Dimension line item (only excluding Currencies, Capacity Rules and User defined Rules). Default Dimension Security is the only descriptor initially available under which all Dimension items are automatically assigned when they are first created. However, personalized security descriptors may also be added to this group. Dimension Access Security Descriptors are assigned to Dimension items using the Security section of the Dimension screen item details bar. They can also be assigned to Books using the Book Security setting within the Formatting tab of specific books. To restrict access to specific Dimension items within your model, personalized descriptors must be assigned. Personalized Dimension Security Descriptors can be created by selecting either the group or another descriptor within the group, then right-click to display the context menu and select Add. A text box will pop up prompting you to enter a new Security Descriptor name and description. This facility allows you to personalize security across Dimensions. Once you have defined a Dimension Security Descriptor it will appear under this group in the Security Descriptors list and security access can now be assigned to this in the Group / Descriptor Assignment screen (see 3.4). 26 BusinessObjects Administration & Security Guide
Model Security Group / Descriptor Assignments 3 The name and/or description associated with any Dimension Access Security Descriptor can be amended to provide more detailed information appropriate for each action. Select the required Descriptor then click Edit Name or Edit Description to amend as required. Dimension Access Security Descriptors can be removed by highlighting the item required in the Security Descriptor area then clicking the Delete button. A message box will ask you to confirm the remove action. Selecting OK will remove the Security Descriptor. Selecting Cancel will cancel the operation and the Security Descriptor will remain. Note: Dimension Access Security Descriptors can be used in Books to restrict User Group access to specific Books. See 3.5.3 for more information. 3.3.4 Report Task Access Security Group This group contains a single descriptor, Default Report Task Security Descriptor, which controls access to the Report Manager application. 3.4 Group / Descriptor Assignments Security is assigned to groups using the Group / Descriptor Assignments screen. In this screen all predefined and user-defined Security Descriptors are displayed with an associated Security Access Level for each group. Note: Users and groups are common to all models but Security Descriptors and Group assignment levels are on a per model basis. To view the Security Access level of a group you need to select a group in the User Groups area. Assigned security levels are then displayed next to each Security Descriptor. Security Descriptor groups can be expanded and collapsed to group level or leaf level by clicking on the group node icon. Security access levels may only be amended by members of the Administrator group. Security levels for a User Group are assigned in the following way: Select the group in the User Group area. View the required Security Descriptor by expanding the group node if necessary. Select the current Security level for that group. This will display a drop down box with all Security Levels available for that Descriptor. BusinessObjects Administration & Security Guide 27
Model Security 3 Group / Descriptor Assignments Select the required level of Security Access in the list. The box will close automatically and the selected access level will be assigned to the Group. Multiple Security Descriptors and Groups can be assigned to the same Security Level at the same time: Select the required Groups using the Ctrl key or SHIFT key then select the Security Descriptors to be assigned. Once these are highlighted select one of the Security Levels to display the drop down box and select an access level. Only the access levels that are common to all the selected descriptors will be available for selection. All the highlighted Security Descriptors will be assigned to this level. Repeat this process for all the Security Descriptors required for the group. Security assignments take effect almost immediately. The effects of Security Access Levels when assigned to security Descriptors are discussed in the following topics: Security Access Levels Security Access Interactions 3.4.1 Security Access Levels Security Descriptors can be assigned differing levels of Security Access. The number of access levels available will vary depending on the actual Security Descriptor selected. See Appendix B Security Descriptor Definitions for a detailed explanation of the effects of different security levels on the Action Access Security Group Descriptors. The basic levels of security are detailed below: No Access denies a user any access to an action, value or Dimension item. The user cannot see the item in their view. View Only will allow a user to view an item assigned with that security but they cannot edit the item or data of that item. Values which would normally appear editable will not be editable when this Security level is assigned. Edit Data allows a user to view an item and to edit values of that item but not the structure. Dimension items cannot be edited or inserted with this level of access. Edit Structure allows a user to view and edit a Dimension item in name and hierarchy structure. With this level of Dimension Access security you can insert new items, move existing items and edit item names. Books may be created but not edited. Full Access gives a user full access to an item similar to the level of an Administrator. By Default the Administrators group has Full Access to all Security Descriptors except for the following: Resource Drivers Assignment 28 BusinessObjects Administration & Security Guide
Model Security Books Security 3 Responsibility Center / Activity Assignment Activity Reassignment Cost Object Assignment 3.4.2 Security Access Interactions Field Access Security and Dimension Access Security levels can be used to restrict the Values and Dimension items users can view or edit. These two Security Descriptor types interact in Grid Layouts within both Books and View Builders. If a user has restricted access to either a Dimension item or Grid Value then they will be restricted in viewing or editing all items directly relevant to these elements. Security of this type is useful to restrict access across Responsibility Centers and their associated Line Items, for example, or the Values a user can see at different levels within a Company (e.g. data entry, cost center manager) 3.5 Books Security Books have several different levels of security. Access can be restricted to all Books within the EPM Win32 client and individual Books either in the client application or over the web or book viewer. The Book which is defined as the default book for each user group i.e. the default book selection available to a user over the web or book viewer can also be used to restrict access. Finally a custom descriptor can be assigned to a book and access controlled through this. Books Action Access Home Pages/Default Books Book Security Assignment 3.5.1 Books Action Access Access to the Books function in the EPM application can be restricted by an Administrator using the Group / Descriptor Assignment screen (see 3.4). Limited security access to Books Security will restrict a user s ability to create or edit all Books within the client application. Restricted access is displayed with a red cross over Book names in the Books pane. 3.5.2 Home Pages/Default Books A Home Page (or Default Book) is required for all Groups of users who access the Web. This page may be an individual Book if only one Book is to be accessed or it can be created as a home page purely to provide access to other Books over the Web using a series of Hyperlinks which direct users to appropriate Books. Different Home Pages/Default Books can be set up for each different Group of users. This way you can create different Books that contain different series of Hyperlinks so Users will only see the Hyperlinks to Books which are relevant to the particular Groups they belong to. Note: Where a User is a member of more than one Group, all Default Books will be available for selection over the Web. Default Books are set by an Administrator using the Group / Default Book Assignment screen accessed via the Tools Security menu. To set the Default Book for a User Group: BusinessObjects Administration & Security Guide 29
Model Security 3 Security Export Select the required group. Click in the Default Book column or on the existing Default Book that you wish to change for that group. This will display a drop down box, from which you can select the required book. These settings can then be exported and imported with each corresponding model. 3.5.3 Book Security Assignment Book security works in the same manner as security for Dimensions screens. The Default Dimension Security descriptor is assigned by default to all newly created books. A user needs Full Access to this descriptor in order to both create and edit books. Personalized dimension security can be defined by the introduction of additional descriptors within the Dimension Access Security group (see 3.3.3). This allows a specific Dimension Access Security descriptor to be applied to an individual Book using the Book Security field from the Book Properties formatting Tab. Potentially, any Dimension Access Security Descriptor could be assigned to a Book whether it has previously applied to Dimension items or is just relevant to the Book. Once a Dimension Access Security Descriptor has been applied, if an end user with restricted access to the Dimension Descriptor then tries to follow a link to the Book an appropriate error message appears and prevents display of the Book. Access is assigned in the usual manner by groups in the Group / Descriptor Assignments screen (see 3.4). 3.6 Security Export Some security settings within a model can be exported into an XML file using the standard export procedure. This facility is only available to Administrators and Modelbuilders with sufficient security access privileges to Import and Export data. This facility can be exported with a normal model and will be included with the model data or can be exported separately with no other model data. The following parameters can be exported into an XML file: Security Descriptors (both name and type) Model Security Descriptors (Dimension Security Descriptors assigned to dimension items) Security Descriptor Groups (Group / Descriptor access assignments) Users and Groups information and assignments Default Book security assignments Model Security (User Group access to a particular model) User passwords are not exported. 30 BusinessObjects Administration & Security Guide
Managing Models
Managing Models 4 Model Administration 4.1 Model Administration Model Administration can only be performed within the Modelbuilder application by an Administrator or a Model Builder who has been given access rights to Manage Models via security. Administrator users automatically inherit these access rights and can assign them to other users (see 2.2). General model administration tasks such as creating and deleting models are performed through the Model Administration Screen. Note: It is strongly advised that you keep the number of models on a database to an absolute minimum as each model present on a system (whether enabled or disabled) increases the number of records held in the database by significant amounts. Therefore with each separate model present on a database, response times for significant tasks such as calculation and export / import may be detrimentally affected. Similarly regular database maintenance should be carried out on your EPM Database Server to maintain the size and to optimize performance of database and log files. Having opened the Model Administration screen, you will have access to Model Management and Model Properties functions. You will also be able to set the Model Access for User Groups using the Security tab, and set up Model Partitioning using the Partitioning tab. Access to Model Administration Model Management functions Modify Model Properties User Model Access Partitioning 4.2 Access to Model Administration Only an Administrator has access to the full range of functions provided for Model Administration including Administration, Security and Partitioning. Model Builders may have access to a basic set of model management functions, but this is at the discretion of the Administrator. Model Administration can be accessed only if you are logged in to the Model Builder application with no Model open. With the appropriate security privilege (see 3.3.1) you can achieve this in three different ways: Close the model you are in and click on the Manage Models toolbar icon Close the model you are in and select Tools Models Admin. 32 BusinessObjects Administration & Security Guide
Managing Models Access to Model Administration 4 After entering your user name and password to login, the Model Selection screen is displayed, where you can click on the Model Admin button. (The first time EPM is entered the Available Models pane will appear blank; otherwise it will show all accessible models.) Any of the above three methods will give you access to Model Administration. The Model Administration screen has three tabs: Administration, Security and Partitioning. A set of Model Management functions is provided under the Administration tab through buttons displayed along the foot of the screen. These include: create a New model, Open, Copy, Rename and Delete a model. Model Maintenance functionality is also provided via the Modify button which allows you to change a model s properties such as its description, the model server and whether or not it is enabled or audited. The screen layout is shown below with the first few buttons visible. A list is displayed of the models you have access to. Each of these has a description, an operational status and a specific Application Server that the model has been assigned to. On creation of a model, the Creation Date is generated automatically. To apply a Model Administration function, select the required model then either click on the appropriate button at the bottom of the screen or select your option from the right click context menu. The Administration functions are described in the following sections: Model Management functions Modify Model Properties For information on the Security tab see section 2.3, and for information on the Partitioning tab, see section 4.5. BusinessObjects Administration & Security Guide 33
Managing Models 4 Model Management functions 4.3 Model Management functions The following Model Management functions are available on the Administration tab of the Model Administration screen: New Model Open Model Copy Model Rename Model Delete Model 4.3.1 New Model In the Model Administration screen a new Model can be created by selecting the Create New Model button. Note that without the required security privilege (see 3.3.1) this option is not displayed and that Administrators have this privilege by default. The Model Name provided must be unique. It is possible at this point to add a description for the model and to select a specific Model Server, where more than one Model Server exists. Provided Database Auditing has been enabled during EPM Configure, you will also have the option of recording audit information for this model (please refer to your Database User Guide for further information on Database Auditing). The model s creation date is stored automatically when a new model is created. This is displayed in the Model Administration screen (see 4.2). Models that were created prior to Release 2.5 will appear with a default creation date of 01/01/1900. Note: You should be aware that certain characters are disallowed in Model names as they cause problems in the Web aspects of EPM Applications. 4.3.2 Open Model A model may be opened by either double clicking a specific Model name or using the Open Model button which can also be accessed using the appropriate accelerator key. 4.3.3 Copy Model This function is only available to users with the appropriate security privilege. It is located in the Model Administration screen described. Selecting the Copy Model option will duplicate the selected Model. Without the required security privilege this option is not enabled. The name given to the new model must be unique. All the items, values and Books created in the existing Model are reproduced in the duplicate. 4.3.4 Rename Model This function is only available to users with the appropriate security privilege. It is located in the Model Administration screen. Selecting the Rename Model option allows the user to change the Name and Description for the Model. The new name chosen must be unique and should avoid certain characters as these can cause problems in Web use and Data Bridge import. 4.3.5 Delete Model In the Model Administration screen, highlight the model you wish to delete and select the Delete model option. Note that without the required security privilege (see 3.3.1) this option is 34 BusinessObjects Administration & Security Guide
Managing Models Modify Model Properties 4 not displayed, and that the Administrator and Model Builders have this privilege by default. Great care should be taken when deleting a Model, as this operation cannot be undone. Before a model is deleted you will be required to confirm the operation. You will also be offered the options to delete the Audit records or Layouts associated with this model. Should you prefer to delete individual Layouts at a later date, rather than all at once, it will still be possible to delete them from your file store, using the Delete option in View Builder Load Layout, or to delete layouts from the database. Similarly, it will still be possible to delete Audit records from the database at a later date, if preferred. More information on selective deletion of Audit records can be found in the EPM Oracle Database User Guide. Note: You cannot delete a Model which another user currently has open. A message box will inform you of this when Delete is selected. 4.4 Modify Model Properties Selecting the Modify option from the Model Administration screen (see 4.2) will invoke the Model Properties screen. Note that without the required security privilege within the Model Definition Security descriptor this option is not displayed and that the Administrator has this privilege by default. Functions available on the Model Properties screen are: Amend Model Description Change Model Server Enable/Disable Model Audit Model 4.4.1 Amend Model Description A model s description is displayed against the model on the Administration tab of the Model Administration screen. The Modify function can be used to edit, add or change the description text. BusinessObjects Administration & Security Guide 35
Managing Models 4 Partitioning 4.4.2 Change Model Server This function is only available to users with the appropriate security privilege. It is located by selecting Modify from the Model Administration screen (see 4.2). The Model Properties screen then displays a drop down of the available Model Servers on which a model can run. This can be used to organize load spreading by allocating specific models to particular model servers. As each model must operate through a single model server, this is only of use when you have several models in use and wish to separate their model server loadings. This feature also provides a convenient means for dealing with model servers that break down or require maintenance, as it allows processing to be switched to another model server. However you should not exercise this option on existing models that are in use. You can see which users are using which models through the EPM Monitor application. 4.4.3 Enable/Disable Model The Model Administration screen (see 4.2) indicates whether the operational Status of a model is enabled or not. A User can only open a model if it is enabled. The model Status can be amended by selecting Modify from the Model Administration screen and the Model Properties screen is then displayed. If the Model Enabled box is cleared, the Model is disabled and is invisible to users until it is enabled again. This function is only available to users with the appropriate security privilege. 4.4.4 Audit Model The Model Administration screen (see 4.2) indicates whether auditing is enabled or disabled for a model. The function to turn auditing on or off is located by highlighting the model and selecting Modify from the Model Administration screen and the Model Properties screen is then displayed. Provided Database Auditing has been enabled during EPM Configure, you will have the option of recording audit information for this model (please refer to your Database User Guide for further information on Database Auditing). This function is only available to administrators. 4.5 Partitioning Model Partitioning is available within EPM to spread the load of model calculation over several processors or machines. This is an extension to the multi threading capabilities introduced in Version 1.5.4. This is available through the Partitioning tab within the Model Administration screen. To an end user a partitioned model will be indistinguishable from a non-partitioned model. In terms of processor power and calculation however the resources required to do this will be spread across several processors (on a multi processor machine) or machines according to Versions, Periods or Responsibility Centers depending how the model has been partitioned. More information on how to partition models and implications regarding dependencies is available within the EPM Model Partitioning document available separately. 36 BusinessObjects Administration & Security Guide
Language Capabilities
Language Capabilities 5 Localization Issues 5.1 Localization Issues Several additional functions have been provided to support a customized user interface. As EPM has to operate in a multi-national framework, it has been designed to operate in several international languages. When you select your preferred language, all of the EPM screen and dialog text should appear in that language providing the EPM Language Editor has been implemented. As your model is constructed new items can be given names with several selectable alternatives (Aliases) to further support individual language choice. It is possible to rename Dimension Line Items in EPM to a preferred alternative for different users using the Data Aliases function. The original name will be retained but a user may choose to view an item under an alternative alias. An example where this might be useful is for different languages or where certain users may prefer to use codes rather than names. The renaming of Dimension items is managed using the Data Alias functionality detailed below. Managing Data Aliases 5.2 Managing Data Aliases Alternative terms are grouped according to a Data Alias which must first be created by an administrator. To create a Data Alias, select Tools Manage Data Aliases to bring up a window in which you can carry out several basic Data Alias functions. The predefined default Aliases are present. To create a new Data Alias, select Add then type an Alias Name in the text box that appears, and press <Enter>. The new Data Alias will be displayed in the Available Data Aliases area and is now available for users to select as their Primary Alias. Data Aliases can be renamed using Manage Data Aliases. To rename an Alias, highlight the Data Alias to be renamed in the Available Data Aliases area, select Rename and then enter a name in the Alias Name text box. The selected Data Alias will now be renamed. To delete a Data Alias you highlight the required name in the Available Data Aliases area and select Delete. A message box will appear asking you to confirm your selected deletion. From here you can accept by selecting Yes or cancel the operation by selecting No. 38 BusinessObjects Administration & Security Guide
Language Capabilities Managing Data Aliases 5 Note: It is not possible to Delete or Rename the predefined default Aliases. BusinessObjects Administration & Security Guide 39
Language Capabilities 5 Managing Data Aliases 40 BusinessObjects Administration & Security Guide
EPM Monitor
EPM Monitor 6 Monitoring Current Usage 6.1 Monitoring Current Usage EPM has an additional feature available on the EPM Server, which can monitor users currently connected to the EPM suite. The EPM Monitor is an administration utility with limited but essential housekeeping functionality. It displays the Users currently logged into the EPM suite accompanied by useful information regarding User Types, the client machine that Users are connecting from and the time they logged on. It also allows you to forcibly log off connected users. The logout function also allows users who have been logged out as the result of a fault to reuse their login; however this does not constitute a forced logout. User Details Logging off a User License Details The EPM System Information utility can also be used in this role (for more information, see the EPM System Information guide). 6.2 User Details Logged in Users will appear in the User Details tab. This displays: the User Name defined in the User and Group Maintenance screen (see 2.2.6.1) the User Type which is the application User Group the user is assigned to (i.e. Model Builder, Book Builder, End User. See 2.2.6.2) the Client Machine which is the workstation the User is connected to as defined within your network the EPM Server which is the Server connected to (this could differ if the Web Server is set up on a different machine) the Logon Date which details the date and time the user logged onto EPM the Model Name Once you have launched the EPM Monitor you need to select Update to manually display the Users currently logged in. Here you can also choose to automatically refresh the screen using the Auto Refresh checkbox, which will display changes immediately rather than requiring a manual refresh. 42 BusinessObjects Administration & Security Guide
EPM Monitor Logging off a User 6 It is also possible to filter the list of logins by checking the Apply Filter check box, selecting the column to filter on from the Filter Column drop down menu and entering a value in the Filter Value text box. The functionality provided by the Logoff button is described in section 6.3. 6.3 Logging off a User A function that may be of use in certain circumstances within the EPM Monitor is the Logoff function within the User Details tab. This is used to forcibly log off a User who is apparently connected to the EPM Server. Although you might not want to log off an actively working User, this function is useful when a User is apparently logged into the Server but has no client application running (e.g. for some reason the user has encountered system problems). The server will generally monitor user activity behind the scenes and time-out a user session where no activity has occurred for some period of time. If the user needs to re-enter EPM quickly and cannot wait for this automatic log off or some additional factors have contributed towards this system discrepancy then an Administrator can log off a User. To log off a user select the user from the list displayed in the main window of EPM Monitor, which will enable the Logoff button. Select this button and you will be prompted to enter an Administrator User name and password. Successfully entering these details and clicking OK will cause the selected User to be logged out of the EPM suite. The user concerned will receive a message on their client machine informing them that they are about to logged out. Changes to books in the process of being edited may be lost and the book will appear to be locked the next time Model Builder or Book Builder is opened. A client application error may occur but since a user is only likely to be logged off due to database or application server issues this is of little or no significance. Note: You must belong to the Administrator group to log off another User. Logging out all users will allow the services to close, which will cause a forced logout for all users. Also restarting the EPM service will cause all users to be logged out. 6.4 License Details The License Details tab displays all the license options you have available within EPM according to the licenses purchased. Much of EPM is optional in terms of license agreements. BusinessObjects Administration & Security Guide 43
EPM Monitor 6 License Details For example some Dimensions may be purchased as add-ons to a basic Activity Analysis license. This screen also displays the current number of User types logged onto the system and the total number of licenses available for each of these User types. Once you have launched the EPM Monitor you need to select the Update button to manually display the Users currently logged in. Note: Some inbuilt groups have privileges to use other applications without requiring additional licenses i.e. a model builder can also use the web or book viewer. Users logging into an application in this way will be listed in the User Details tab but not in the License Details tab. 44 BusinessObjects Administration & Security Guide
Business Objects Information Resources
Business Objects Information Resources A Documentation and information services A1. Documentation and information services Business Objects offers a full documentation set covering its products and their deployment. Additional support and assistance are also available to help maximize the return on your business intelligence investment. The following sections detail where to get Business Objects documentation and how to use the resources at Business Objects to meet your needs for technical support, education, and consulting. Documentation Customer support, consulting and training Useful addresses at a glance A2. Documentation You can find answers to your questions on how to install, configure, deploy, and use Business Objects products from the documentation. What s in the documentation set? View or download the Business Objects Documentation Roadmap, available with the product documentation at http://www.businessobjects.com/support/. The Documentation Roadmap references all Business Objects guides and lets you see at a glance what information is available, from where, and in what format. Where is the documentation? You can access electronic documentation at any time from the product interface, the web, or from your product CD. Documentation from the products Online help and guides in Adobe PDF format are available from the product Help menus. Where only online help is provided, the online help file contains the entire contents of the PDF version of the guide. Documentation on the web The full electronic documentation set is available to customers on the web from support web site at: http://www.businessobjects.com/support/. Documentation on the product CD Look in the docs directory of your product CD for versions of guides in Adobe PDF format. Send us your feedback Do you have a suggestion on how we can improve our documentation? Is there something you particularly like or have found useful? Drop us a line, and we will do our best to ensure that your suggestion is included in the next release of our documentation: documentation@businessobjects.com. Note: If your issue concerns a Business Objects product and not the documentation, please contact our Customer Support experts. For information about Customer Support visit: http://www.businessobjects.com/ support/. 46 BusinessObjects Administration & Security Guide
Business Objects Information Resources Customer support, consulting and training A A3. Customer support, consulting and training A global network of Business Objects technology experts provides customer support, education, and consulting to ensure maximum business intelligence benefit to your business. How can we support you? Business Objects offers customer support plans to best suit the size and requirements of your deployment. We operate customer support centers in the following countries: USA Australia Canada United Kingdom Japan Online Customer Support The Business Objects Customer Support web site contains information about Customer Support programs and services. It also has links to a wide range of technical information including knowledgebase articles, downloads, and support forums. http://www.businessobjects.com/support/ Looking for the best deployment solution for your company? Business Objects consultants can accompany you from the initial analysis stage to the delivery of your deployment project. Expertise is available in relational and multidimensional databases, in connectivities, database design tools, customized embedding technology, and more. For more information, contact your local sales office, or contact us at: http://www.businessobjects.com/services/consulting/ Looking for training options? From traditional classroom learning to targeted e-learning seminars, we can offer a training package to suit your learning needs and preferred learning style. Find more information on the Business Objects Education web site: http://www.businessobjects.com/services/training BusinessObjects Administration & Security Guide 47
Business Objects Information Resources A Useful addresses at a glance A4. Useful addresses at a glance Address Business Objects product information http://www.businessobjects.com Content Information about the full range of Business Objects products. Product documentation http://www.businessobjects.com/ support Business Objects Documentation mailbox documentation@businessobjects.com Online Customer Support http://www.businessobjects.com/ support/ Business Objects Consulting Services http://www.businessobjects.com/ services/consulting/ Business Objects product documentation, including the Business Objects Documentation Roadmap. Send us feedback or questions about documentation. Information on Customer Support programs, as well as links to technical articles, downloads, and online forums. Information on how Business Objects can help maximize your business intelligence investment. Business Objects Education Services http://www.businessobjects.com/ services/training Information on Business Objects training options and modules. 48 BusinessObjects Administration & Security Guide
Security Descriptor Definitions
Security Descriptor Definitions B Action Access Security Group Definitions and Security Levels B1. Action Access Security Group Definitions and Security Levels Security Descriptor Security Access to Security Descriptors in EPM Model Builder Security Level Access allowed Additional EPM requirements View Only Every user must have this minimum level of access. Full Access 1. Add, rename, change the description and delete Security Descriptors. 2. Change the Security Level assigned to a group 3. Access the Security Descriptor dropdown list in Dimension windows Dimension Items Security bar 1. Must be a member of Administrators group. 2. Full Access to Open Models required. Book Security - Access to the Books functionality within the Win32 client and over the web. Security Level Access allowed Additional EPM requirements No Access Access to Books denied View Only View only access for (published) books 1. Must be a member Full Access 1. Change the security descriptor assigned to a book of Administrators, ModelBuilders or (in the book s Formatting tab, Book Security field) BookBuilders. 2. Add a new book 2. The security access 3. Rename a book assigned to the book 4. View and Edit a book via the Dimension 5. Publish books Access security 6. Re-arrange books hierarchy descriptor needs to be 7. Copy a book taken into account. 8. Delete a book 2. Full Access to Open Models required. 9. Unlock a book 10. Set Group/Default Book Assignment Import Security - Access to import data from an XML file. Security Level Access allowed Additional EPM requirements No Access Cannot perform imports into EPM Full Access Imports of data into EPM can be performed via: EPM Model Builder - Import function EPM Console Data Bridge Note: Users may import an xml file that could contain items that they do not have access to. E.g. books can be imported, even if the user does not have access to the Book Security descriptor. 1. Must be a member of either Administrators or ModelBuilders. 2. Full Access to Open Models required. Export Security - Access to export data to an XML file. Security Level Access allowed Additional EPM requirements No Access Cannot perform exports from EPM Full Access Exports of data from EPM can be performed via: EPM Model Builder - Export function 1. Must be a member of either Administrators or 50 BusinessObjects Administration & Security Guide
Security Descriptor Definitions Action Access Security Group Definitions and Security Levels B EPM Console Note: To ensure the integrity of an export file, it is possible to include items that the user does not have access to. ModelBuilders. 2. Full Access to Open Models required. Create Model Security - Access to create new models Security Level Access allowed Additional EPM requirements No Access Cannot create new models Full Access Able to create new a model via: EPM Console EPM Model Builder - Model Administration 1. Must be a member of either Administrators or ModelBuilders. Delete Model Security - Access to delete existing models Security Level Access allowed Additional EPM requirements No Access Cannot delete models Full Access Able to delete a model to which user has access, via: EPM Console EPM Model Builder - Model Administration 1. Must be a member of either Administrators or ModelBuilders. Copy Model Security - Access to copy existing models Security Level Access allowed Additional EPM requirements No Access Cannot copy models Full Access Able to copy a model to which user has access, via EPM Model Builder - Model Administration 1. Must be a member of either Administrators or ModelBuilders. Model Definition Security Security Level Access allowed Additional EPM requirements No Access Cannot alter model name or model properties or put the model in partitioning mode. Full Access Able to: 1. Alter the description of a model to which the user has access. 2. Rename a model to which the user has access. 3. Amend model properties of a model to which the user has access, including: Alter the description of the model Alter the Enable/Disable state of the model Change the Model Server Specify whether database auditing is operating for the model 4. Access the Model Calculation options 5. Maintain Navigator screens 6. Alter group dimension security 1. Must be a member of either Administrators or ModelBuilders. BusinessObjects Administration & Security Guide 51
Security Descriptor Definitions B Action Access Security Group Definitions and Security Levels Able to: 7. Alter the Admin Mode state of the model that the user has access to, therefore allowing Model Partitioning. 1. Must be a member of either Administrators or ModelBuilders. 2. Access affected by Dimension Security Descriptors Data Alias Management Security - Access to Manage Data Aliases Security Level Access allowed Additional EPM requirements No Access Full Access Access denied to EPM Model Builder - Manage Data Aliases Access to EPM Model Builder - Manage Data Aliases function allows user to Add, Rename or Delete a Data Alias. 1. Must be a member of either Administrators or ModelBuilders. 2. Full Access to Open Models required. 3. Access affected by Dimension Security Descriptors Driver Analysis Management Security - Access to the Driver Analysis functionality Security Level Access allowed Additional EPM requirements No Access Unable to perform Driver Analysis Calculation. Full Access Able to perform the EPM Model Builder - Driver Analysis Calculation functions: 1. Start New Analysis 2. Perform driver and cost analysis 3. Copy results between versions 1. Must be a member of either Administrators or ModelBuilders. 2. Full Access to Open Models required. 3. Access affected by Dimension Security Descriptors Process Definition Security - Access to the Work Manager application Security Level Access allowed Additional EPM requirements No Access Unable to login to Work Manager application Full Access Able to: 1. Manage Work Manager processes 2. Run Workflow processes and flows 3. Access the users information from within the Workflow application Resource Drivers Assignment - Access to the Resource Drivers Assignment functionality Security Level Access allowed Additional EPM requirements No Access Access denied to EPM Model Builder Resource Driver Assignment functionality. Full Access Access to all EPM Model Builder - Resource Driver Assignment functionality via the Resource Driver Assignment screen. 1. Must be a member of either Administrators or ModelBuilders. 52 BusinessObjects Administration & Security Guide
Security Descriptor Definitions Action Access Security Group Definitions and Security Levels B 2. Access affected by Dimension Security Descriptors Responsibility Center / Activity Assignment - Access to the Responsibility Center / Activity Assignment functionality Security Level Access allowed Additional EPM requirements No Access Full Access Access denied to EPM Model Builder Responsibility Center / Activity Assignment functionality. Access to all EPM Model Builder - Responsibility Center / Activity Assignment functionality via the Responsibility Center / Activity Assignment screen. 1. Must be a member of either Administrators or ModelBuilders. 2. Access affected by Dimension Security Descriptors Activity Reassignment - Access to the Activity Reassignment functionality Security Level Access allowed Additional EPM requirements No Access Access denied to EPM Model Builder Activity Reassignment functionality. Full Access Access to all EPM Model Builder Activity Reassignment functionality via the Activity Reassignment screen. 1. Must be a member of either Administrators or ModelBuilders. 2. Access affected by Dimension Security Descriptors Cost Object Assignment - Access to the Cost Object Assignment functionality Security Level Access allowed Additional EPM requirements No Access Access denied to EPM Model Builder Cost Object Assignment functionality. Full Access Access to all EPM Model Builder Cost Object Assignment functionality via the Cost Object Assignment screen. 1. Must be a member of either Administrators or ModelBuilders. 2. Access affected by Dimension Security Descriptors Open Models Security Level Access allowed Additional EPM requirements No Access Full Access Access denied to Open Model screen in EPM Model Builder and EPM Book Builder. This setting is appropriate for a user group that can administer users but not open models. Note: The ability of End Users to open models via web or Book Viewer is not affected. Able to open models in EPM Model Builder and EPM Book Builder. 1. Must be a member of either Administrators or ModelBuilders. BusinessObjects Administration & Security Guide 53
Security Descriptor Definitions B Field Access Security Group Definitions Maintain Users and Groups - Access to User and Group Maintenance and Model Group Assignments Security Level Access allowed Additional EPM requirements No Access Full Access Access in EPM Model Builder denied to: User and Group Maintenance Model Administration Security tab In EPM Model Builder able to: 1. Open the User and Group Maintenance screen to: Add/Delete a user Reset a user s password Get a list of users Add/Delete a group Get a list of groups Get a list of the user s group assignments Change a user s status Add/Remove a user to/from a group Rename a user Rename a group Amend user properties Set a user s Default Model Group 2. Access Model Administration Security tab to: Give a group access to a model Remove a group s access to a model 1. Must be a member of Administrators group B2. Field Access Security Group Definitions Security Descriptors Currency Rate Field Security Unit Price Field Security Units Sold Field Security Revenue Field Security Activity Value Field Security Activity Unit Rate Field Security Line Item Value Rate Field Security Resource Driver Value Field Security Resource Driver Unit Rate Field Security Activity Driver Value Field Security Service Driver Value Field Security Service Cost Value Field Security Service Value Income Field Security Service Variable Factor Field Security Service Fixed Unit Rate Field Security Spread Value Field Security Work Sheet Value Field Security Security Descriptor Definitions Access to the Currency rate in the Grid area. Access to the Unit Price Value in Grid area. Access to the Units Sold Value in the Grid area. Access to the Revenue Value in the Grid area. Access to the Activity Value in the Grid area. Access to the Activity Unit Rate Value in the Grid area. Access to the Line Item Value in the Grid area. Access to the Resource Driver Value in the Grid area. Access to the Resource Driver Split and Resource Driver Percentage Splits Values in the Grid area. Access to the Activity Driver Value in the Grid area. Access to the Service Driver Value in the Grid area. Access to the Service Cost Value in the Grid area. Access to the Service Value in the Grid area. Access to the Service Variable Factor Value in the Grid area. Access to the Service Fixed Unit Rate Value in the Grid area. Access to the Spread Value in the Grid area. Access to the Work Sheet Value in the Grid area. 54 BusinessObjects Administration & Security Guide
Security Descriptor Definitions Dimension Access Security Group B B3. Dimension Access Security Group Security Descriptor Default Dimension Security Security Descriptor Definition The default security descriptor initially assigned to all Dimension items and Books. B4. Report Task Access Security Group Security Descriptor Default Report task Security Security Descriptor Definition Access to the Report Manager application. BusinessObjects Administration & Security Guide 55
Security Descriptor Definitions B Report Task Access Security Group 56 BusinessObjects Administration & Security Guide
Index A Access, 8 Access Levels, 28 Administrator, 9 Book Builder Access, 9 Model Builder Access, 9 Security Access Interactions, 29 Web User Access, 9 Access Levels, 28 Access to Model Administration, 32 Action Access Security Descriptors, 26 Add, 27 Administrator Access, 9 Administrators, 7 Assign User Groups, 12 Audit Model, 36 B Book Builder Access, 9 Book Builders, 8 Book Security Assignment, 30 Bookbuilders, 8 Books Action Access, 29 Books Security, 29 Book Security Assignment, 30 Books Access Action, 29 Home Pages/Default Books, 29 C Change Model Server, 36 Configuring Login Failure Count, 19 Copy Model, 34 Create New Model, 34 Creating a new Group, 10 Creating a new User, 11 Creating and Maintaining Users, 10 D Data Alias Managing Data Aliases, 38 Default Books Home Pages/Default Books, 29 Default Model Group, 12 Delete Model, 34 Description Amend model description, 35 Dimension Access Security Descriptors, 26, 27 Disable Account, 14 E Enable Account, 14 Enable/Disable Model, 36 EPO Standard Security, 20 Everyone, 7 Export Security settings, 30 F Field Access Security Descriptors, 26 G Group / Descriptor Assignments, 27 Group Descriptor Assignments Access Interactions, 29 Group Dimension Security, 24 Group/Descriptor Assignments Access Levels, 28 H Home Pages/Default Books, 29 I Introduction, 4 L License Details - EPO Monitor, 43 Licenses, 8 Localization Issues, 38 Login Failure Count, 19 Logoff - EPO Monitor, 43 M Manage Models Audit Model, 36 Change Model Server, 36 Copy Model, 34 Create New Model, 34 Delete Model, 34 Enable/Disable Model, 36 Model Description, 35 Model Properties, 35 Model server, 35 Open Model, 34 Rename Model, 34 Managing Data Aliases, 38 Model Access User groups, 17 Model Administration, 32 BusinessObjects Administration & Security Guide 57
Access, 32 Administration tab, 34 Security tab, 17 Model Builder Access, 9 Model Builders, 8 Model Management functions, 34 Model Properties, 35 Model Security, 24 Model Server Change Model Server, 35 Modelbuilders, 8 Monitoring Current Usage, 42 N New model description, 35 O Open Model, 34 Oracle COREid security, 20 P Partitioning, 36 Password Expiry, 19 Properties, 13, 19 Reset, 13 Strong Passwords, 19 Password Security, 19 R Rename Model, 34 Report Task Access Security, 27 Reset Password, 13 S Security Administrators, 7 Book Builder Access, 9 Bookbuilders, 8 Everyone, 7 Model Builder Access, 9 Modelbuilders, 8 Web User Access, 9 Webusers, 8 Security Access Interactions, 29 Security Descriptors, 25 Action Access Security Descriptors, 26 Dimension Access Security Descriptors, 26, 27 Field Access Security Descriptors, 26 Report Task Access Security, 27 Security Export, 30 Single sign-on, 20 Strong Passwords, 19 System Administrator, 6 System defined User Groups, 7 System login options, 20 System Properties Security, 19 System security EPO Standard security, 20 Login options, 20 Oracle COREid, 20 Single sign on, 20 U User and Group Maintenance, 15 Group context menu, 17 User context menu, 16 Users & Groups sorting, 17 User Creation, 11 User Details tab - EPO Monitor, 42 User Group Definitions, 7 User Group Security Access Levels, 10 User Group Security Licenses, 8 User groups Model access, 17 User Groups Administrators, 7 Assign User Groups, 12 Book Builder Access, 9 Bookbuilders, 8 Creating a new Group, 10 Everyone, 7 Model Builder Access, 9 Modelbuilders, 8 Web User Access, 9 Webusers, 8 User Model Access, 17 User Properties, 13 General tab, 13 User Security Features, 6 Users, 11 Creating and Maintaining, 10 Default Model Group, 12 Users & Groups, 6 Information Panel, 15 User Group Security Licenses, 8 Users & Groups Additional Features, 15 W Web User Access, 9 Web Users, 8 Webusers, 8 58 BusinessObjects Administration & Security Guide