September 10-13, 2012 Orlando, Florida Delivering Personalized and Secure Business Intelligence Using the SAP BusinessObjects Business Intelligence 4.0 InformaAon Design Tool Session 1213
Breakout DescripAon Do you need to tailor semantic layer security to specific users or groups within your organization? Attend this session to learn about security profiles in the new Information Design Tool in SAP BusinessObjects Business Intelligence 4.0 (BI4.0). Understand how security profiles can control objects, rows, query types, and connections. See live demonstrations of each type of restriction and the effect they have on end users interactive experience. 2
About Dallas Marks Dallas Marks is a Principal Technical Architect and Trainer at EV Technologies, an SAP Software Solutions and Sybase partner focusing on business intelligence and business analytics. Dallas is an SAP Certified Application Associate and authorized trainer for Web Intelligence, Universe Design, Dashboards, and SAP BusinessObjects BI Platform administration. Dallas has worked with SAP BusinessObjects tools since 2003 and presented at the North American conference each year since 2006. Dallas has implemented SAP BusinessObjects solutions for a number of industries, including energy, health care, and manufacturing. He holds a master s degree in Computer Engineering from the University of Cincinnati. Dallas is a co-author of the upcoming SAP Press title SAP BusinessObjects Web Intelligence, 2nd edition, and blogs about various business intelligence topics at http://dallasmarks.org/. 3
EV Technologies is an SAP BusinessObjects solutions firm SAP Software Solutions Partner SAP Certified Solutions provider Sybase Certified Solutions provider SAP BusinessObjects Enterprise Certified ASUG Members/Volunteers Migration experts classic BusinessObjects products to SAP BusinessObjects XI R2 XI 3.1- BI4
Webinar Series Be a BeKer SAP BusinessObjects Administrator Beginning September 27, 2012, a series of 9 free webinars to help you improve the health and stability of your SAP BusinessObjects deployment. Visit http://evtechnologies.com/webinars to register. 5
Diversified Semantic Layer A podcast devoted to business intelligence with SAP BusinessObjects Recorded by a bunch of folks active in the SAP BusinessObjects global community Perfect companions for your morning commute Follow on twitter at @dslayered http://dslayer.net
Agenda The Information Design Tool The Need for Universe Security Introducing Security Profiles Creating Security Profiles Next Steps 7
Delivering Personalized and Secure Business Intelligence THE INFORMATION DESIGN TOOL
Disclaimer I'm just a simple man trying to make my way in the universe. Jango Fett 9
Disclaimer This presentation focuses on BI 4.0 universes created with the Information Design Tool. For XI R2 and XI 3.0/XI 3.1 universes created with Universe Design Tool (Designer), refer to the following presentation. Secure Universes Using Restriction Sets Insight 2007 BusinessObjects User Conference October 2007, Orlando, Florida 10
Learn more about InformaAon Design Tool Go, Universe, Go! Techniques for Performance Tuning David Rathbun Session 0607 Tuesday, September 11, 2012 11:15 AM - 12:15 AM ASUG SemanMc Layer Influence Council Derek Loranca & Pierpaolo Vezzosi Session 0906 Tuesday, September 11, 2012 10:00 AM - 11:00 PM InformaMon Design Tool Primer and Review Cindi Howson Session 0606 Tuesday, September 11, 2012 10:00 AM - 11:00 AM Preparing for Life on Planet UNX Alan Mayer Session 0611 Wednesday, September 12, 2012 8:00 AM - 9:00 AM SAP BusinessObjects Web Intelligence 4.0 on SAP NetWeaver BW Shawn Patrick Duffy Session 1209 Tuesday, September 11, 2012 2:45 PM - 3:45 PM This list represents only a portion of the 22 semantic layer breakout sessions at the ASUG SAP BusinessObjects User Group Conference. Please check the official conference schedule for a full listing. 11
What is a legacy UNV Universe? *.unv Connection 12
What is a tradiaonal UNV Universe? Business Layer Data Foundation Created with the Universe Design Tool, formerly known as Universe Designer or simply Designer. 13
What is a UNX Universe? Business Layer *.blx Data Foundation *.dfx Connection *.cns *.unx The term Common Semantic Layer is also used to describe this new universe format. 14
What is a UNX Universe? Data Foundation Business Layer *.blx *.dfx *.cns Created with the new Information Design Tool 15
Web Intelligence 4.0 Query Methods Web Intelligence now allows BEx (SAP NetWeaver BW) and Analysis View to be queried directly without a universe Related Sessions: SAP BusinessObjects Web Intelligence 4.0 on SAP NetWeaver BW Shawn Patrick Duffy Session 1209 Tuesday, September 11, 2012 2:45 PM - 3:45 PM 16 16
Web Intelligence Query Methods (cont.) Web Intelligence now allows BEx (SAP NetWeaver BW) and Analysis View to be queried directly without a universe Web Intelligence Rich Client (shown) adds support for Excel, Text, and Web Services 17 17
Web Intelligence Query Methods (cont.) Web Intelligence now allows BEx (SAP NetWeaver BW) and Analysis View to be queried directly without a universe Web Intelligence Rich Client (shown) adds support for Excel, Text, and Web Services This presentamon focuses on securing universes created with the new InformaMon Design Tool 4.0 18
Delivering Personalized and Secure Business Intelligence THE NEED FOR UNIVERSE SECURITY
Two Methods for Securing Universes Restrict access to enare universe by sehng universe rights in the Central Management Console (CMC) Create various forced and opaonal restricaons within InformaAon Design Tool Forced OpAonal Object restricaons Self- restricang joins Inferred extra tables Filter objects 20
Personalizing Ad Hoc Queries Need to secure business- crimcal data based on a user s role in the organizamon, but standard universe design solumons affect all users unilaterally a different solumon is required to apply security condi.onally to specific users and groups: Security profiles. 21
Personalizing Ad Hoc Queries Database- specific techniques such as Teradata Query Banding and Oracle Virtual Private Databases can be used but are beyond the scope of this discussion Security Profiles are ideal for organizamons that use mulmple database pladorms and need a single, integrated approach to data security 22
Securing and Personalizing efashion Gotta analyze those party pants sales! 23
Securing and Personalizing efashion How do we ensure that Bennett is limited to only Colorado Springs data 24
Securing and Personalizing efashion While allowing executives to look across the organization? 25
Delivering Personalized and Secure Business Intelligence SECURITY PROFILES
What is a Security Profile? A security profile is a group of security settings that apply to a universe published in the repository Similar features are available in the Universe Design Tool for traditional universes (UNV), known as access restrictions or restriction sets 27
What is a Security Profile? Data Security Profiles have security settings defined on objects in the data foundation and on data connections Business Security Profiles have security settings defined on objects in the business layer 28
What can be restricted in tradiaonal UNV universes? Type of restriction Connection Query controls SQL generation controls Row access Alternative table access Object access Description Override the default universe connection with an alternate connection Limit the size of the result set and query execution time Control how SQL is generated by user query Row-level security force restrictions into the WHERE clause of inferred SQL Replace a table referenced in the universe with another table in the database Column-level security 29
What can be restricted in new UNX universes? Data Foundation Restrictions Type of restriction Connection Query controls SQL generation controls Row access Alternative table access Description Override the default universe connection with an alternate connection Limit the size of the result set and query execution time Control how SQL is generated by user query Row-level security force restrictions into the WHERE clause of inferred SQL Replace a table referenced in the universe with another table in the database Similar restrictions exist in Universe Design Tool 30
What can be restricted in new UNX universes? Business Layer Restrictions Type of restriction Create Query Display Data Filters Description Defines the universe views* and business layer objects** available to the user in the query panel. Grants or denies access to the data retrieved by objects in the business layer when the user runs a query.* Defines filters using objects in the business layer.* * New feature of BI 4.0 ** Similar to object restrictions in Universe Design Tool 31
Delivering Personalized and Secure Business Intelligence CREATING SECURITY PROFILES
Securing Universes Design Process 5) Deploy using Lifecycle Manager 1) Create & Manage Security Model 4) Create Web Intelligence Documents* 2) Build and Export Universe * Crystal Reports and SAP BusinessObjects Dashboards (formerly Xcelsius ) based on universes can also leverage Security Profiles 3) Add Security Profile 33
ImporAng Secure Universes from XI R2 & XI 3.1 Import BIAR file into BI 4.0 using Upgrade Management Tool Import and Convert UNV to UNX using Information Design Tool (IDT) Validate Converted Security Profile Test and Deploy 34
Default Universe Parameters Data FoundaAon Layer 35 35
Default Universe Parameters Business Layer 36
Access RestricAons in the Universe Design Tool (UNV) Tools Menu Editing Toolbar Access restrictions can be accessed from either the tools menu or the editing toolbar 37
Security Profiles in InformaAon Design Tool (UNX) Access restrictions are available via Security Editor on Window menu or editing toolbar 38
InformaAon Design Tool Security Editor 39
Using the Security Editor Step 1 of 4 1. Select universe and create security profiles 40
Using the Security Editor Step 2 of 4 2. Assign Users or Groups 41 41
Using the Security Editor Step 3 of 4 3. Adjust Options 42
Using the Security Editor Step 4 of 4 4. Test Specific Users and Groups 43
Data Security Profile ConnecAons Replace default universe connecaon Use Case: Default connecaon may point to producaon but Security Profile points UAT users to UAT connecaon 44
Data Security Profile Controls Limit number of rows or execuaon Ame Use Case: ConservaAve default sehngs for all users but more aggressive sehngs for power users 45
Data Security Profile SQL Control complexity of user queries Use case: Default sehngs may allow sub- queries and combined queries, but security profile limits casual business users 46
Data Security Profile Rows Force restricaons into SQL WHERE clause Use case: Row level security for sales team so they only see their numbers TABLE.COLUMN= @VARIABLE( BOUSER ) May also desire to disable ability to view SQL in Web Intelligence 47
Data Security Profile Tables Point to different table in database schema Use Case: Default users point to one year of facts, but security profile points to three years of facts for power users Not necessary for replacement table to be defined in universe 48
Business Security Profile Create Query Hide business layer views or business layer objects from certain users Use Case: Control visibility of sensiave measures such as profit margin 49
Business Security Profile Display Data Prevents display of objects on report If AUTO_UPDATE_QUERY parameter is No, then refreshing report generates an error If AUTO_UPDATE_QUERY parameter is Yes, then the denied objects are removed from query and any business layer filters 50
Business Security Profile Filters Filter universe objects at the business layer, not database columns at data foundation layer Still applies filter to SQL statement 51
Delivering Personalized and Secure Business Intelligence DEMONSTRATIONS
Delivering Personalized and Secure Business Intelligence NEXT STEPS
Additional Resources SAP BusinessObjects Business Intelligence 4.0: Business Intelligence Platform Administrator Guide SAP BusinessObjects Business Intelligence 4.0: Information Design Tool Guide SAP BusinessObjects Business Intelligence 4.0: Web Intelligence User s Guide Quick Reference Getting Around Information Design Tool (SCN, June 2011). 54
Official Product Tutorials on SCN www.sap.com/learnbi 55
Thank You! Dallas Marks @dallasmarks Principal Technical Architect hkp://dallasmarks.org/ hkp://linkedin.com/in/dallasmarks/ Visit EV Technologies at Booth 210 in the Partner Showcase! 56
Thank you for participating. Please provide feedback on this session by completing a short survey via the event mobile application. SESSION CODE: 1213 Learn more year-round at www.asug.com