Table of Contents

Acknowledgments
21
1 Introduction to Security in SAP BusinessObjects Business Intelligence 4.0
23
1.1 Business Intelligence Overview
23
1.2 System Security Considerations
24
1.3 A Brief History of Business Objects
26
1.4 SAP BusinessObjects Business Intelligence 4.0 Review
27
1.5 Book Roadmap
29
2 Administration and Security
33
2.1 BI 4.0 Deployment
34
2.2 BI 4.0 Installation
36
2.2.1 Components Installed with BI 4.0 Server Installer
36
2.2.2 BI 4.0 Server Installation Workflow
39
2.2.3 BI Platform Client Tools
43
2.2.4 Other BI 4.0 Suite Installers
44
2.3 Administration Tools
44
2.3.1 Central Configuration Manager (CCM)
45
2.3.2 Central Management Console (CMC)
46
2.4 CMS Repository and File Repository Server
47
2.4.1 InfoObjects and Physical Files
47
2.4.2 InfoObject Structure
48
2.4.3 CMS Database Structure
51
2.4.4 FRS File System
52
2.5 Cryptography
53
2.5.1 Cluster Key
53
2.5.2 Cryptographic Key
55
2.6 BI 4.0 Servers
58
2.6.1 Adaptive Job Server
60
2.6.2 Adaptive Processing Server
61
2.7 Auditing
62
2.7.1 Auditing Database
63
2.7.2 CMC Auditing Tab
65
2.8 Summary
65
3 Users and Authentication
67
3.1 User Authentication
68
3.1.1 Enterprise
69
3.1.2 Standalone
70
3.1.3 LDAP
70
3.1.4 Active Directory
72
3.1.5 Enabling Authentication Selection for BI Launch Pad
72
3.2 Enterprise Users and Groups
73
3.2.1 User Parameters
73
3.2.2 User Personal Folders
75
3.2.3 Groups Structure
76
3.2.4 Predefined Users
77
3.2.5 Predefined Groups
78
3.2.6 Deleting Users and Groups
79
3.3 Managing Users and Groups in the CMC
80
3.3.1 Viewing Users and Groups
80
3.3.2 Creating Enterprise Users
81
3.3.3 Creating Enterprise Groups
82
3.3.4 Creating Users and Groups from CSV File
82
3.3.5 Editing User Parameters
85
3.3.6 Enabling/Disabling Users
85
3.3.7 Adding Users and Groups to Groups
86
3.3.8 Removing Users or Groups From Groups
87
3.3.9 Deleting Users
88
3.3.10 Deleting Groups
88
3.3.11 Account Manager
89
3.3.12 Defining BI Launch Pad Preferences
91
3.3.13 Setting Enterprise Parameters
93
3.4 Trusted Authentication
94
3.4.1 Sharing Shared Secret Key
95
3.4.2 Passing Shared Secret
95
3.4.3 Passing User Name
96
3.5 Aliases and External Authentications
99
3.5.1 Aliases
100
3.5.2 Mapping Users from External Sources
101
3.5.3 Mapped Groups
104
3.5.4 Updating Groups and Users
104
3.5.5 Scheduling Groups and Users Update
106
3.6 Managing Aliases in the CMC
106
3.6.1 Creating an Alias
107
3.6.2 Assigning an Alias
108
3.6.3 Reassigning an Alias
109
3.6.4 Enabling/Disabling an Alias
110
3.6.5 Deleting an Alias
111
3.7 Managing LDAP Authentication in the CMC
111
3.7.1 Configuring LDAP Parameters
111
3.7.2 Editing LDAP Authentication Parameters
119
3.8 Managing Active Directory Authentication
121
3.8.1 Creating Dedicated Active Directory Accounts
122
3.8.2 Starting BI 4.0 with Dedicated Account
125
3.8.3 Configuring AD Authentication into a BI 4.0 System
128
3.8.4 Configuring BI 4.0 with Kerberos
131
3.8.5 Creating krb5.ini
132
3.8.6 Creating bscLogin.conf
133
3.8.7 Modifying the Java Options for Kerberos
133
3.8.8 Creating a Keytab File
135
3.8.9 Increasing Header Size
137
3.8.10 Configuring Web Applications
138
3.8.11 Configuring Browsers
139
3.8.12 Editing Active Directory Configuration
141
3.9 Summary
142
4 Rights Framework
145
4.1 Assigned Rights
145
4.2 General and Specific Rights
146
4.3 Inheritance
148
4.3.1 Group Inheritance
149
4.3.2 Folder Inheritance
150
4.3.3 General and Type-Specific Rights
152
4.3.4 Scope of Rights
153
4.3.5 Breaking Inheritance and Overriding Rights
154
4.4 Non-Owner and Owner Versions of Rights
155
4.5 Objects General Rights
157
4.5.1 General Rights in Detail
159
4.5.2 General Rights Related to Scheduling
162
4.6 Application General Rights
163
4.7 Managing Rights in the CMC
165
4.7.1 Viewing Rights
165
4.7.2 Assigning Advanced Rights
168
4.7.3 Assigning Advanced Rights to a Top-Root Folder
171
4.7.4 Unassigning Advanced Rights
171
4.8 Access Levels
171
4.8.1 Predefined Access Levels
172
4.8.2 Custom Access Levels
173
4.8.3 Aggregation
174
4.9 Managing Access Level in the CMC
175
4.9.1 Creating an Access Level
175
4.9.2 Setting Access Level Rights
176
4.9.3 Copying an Access Level
178
4.9.4 Renaming an Access Level
178
4.9.5 Assigning an Access Level to an Object
179
4.9.6 Deleting an Access Level
180
4.10 Running Administration Queries in the CMC
181
4.10.1 Running a Security Query
181
4.10.2 Running a Relationship Query
184
4.11 Summary
185
5 Applications and Rights Reference
187
5.1 Applications List
188
5.2 System Objects List
194
5.3 Content Object List
196
5.4 Analysis, Edition for OLAP
199
5.4.1 Analysis, Edition for OLAP Rights
199
5.4.2 Analysis View and Analysis Workspace Rights
200
5.5 BEx Web Applications
200
5.6 BI Launch Pad
200
5.7 Widgets
202
5.8 BI Workspaces
203
5.8.1 BI Workspaces Rights
203
5.8.2 BI Workspace Rights
205
5.8.3 Module Rights
206
5.9 Central Management Console
206
5.10 SAP Crystal Reports
207
5.10.1 Crystal Reports Configuration Rights
208
5.10.2 Crystal Reports Document Rights
208
5.11 Explorer
209
5.11.1 Explorer Overview
210
5.11.2 Information Space Security
211
5.11.3 Explorer Rights
214
5.11.4 Information Space Rights
221
5.11.5 Exploration View Set Rights
221
5.12 Information Design Tool
221
5.12.1 Information Design Tool Rights
222
5.12.2 Universe Rights
225
5.13 Promotion Management
228
5.13.1 Promoting Security
229
5.13.2 Promotion Management Rights
230
5.14 SAP BusinessObjects Mobile
236
5.15 SAP StreamWork
237
5.16 Universe Design Tool
238
5.16.1 Universe Design Tool Rights
238
5.16.2 Universe Rights
241
5.17 Version Management
244
5.18 Visual Difference
249
5.19 Web Intelligence
250
5.19.1 Deployment Options
251
5.19.2 Offline Mode
253
5.19.3 Purge and Refresh on Open
254
5.19.4 Web Intelligence Rights
256
5.19.5 Web Intelligence Documents Rights
271
5.20 Users and Groups
277
5.21 Connections
279
5.21.1 Relational Connection Rights
280
5.21.2 OLAP Connection Rights
282
5.21.3 Data Federator Data Source Rights
282
5.21.4 Connection Rights
282
5.22 Note Rights
283
5.23 Schedule Output Format
284
5.24 Summary
285
6 Connections and Database Authentications
287
6.1 Secured Connections
288
6.1.1 Relational Connections
288
6.1.2 Data Federator Data Sources
289
6.1.3 OLAP Connections (Universe Design Tool)
290
6.1.4 OLAP Connections (Information Design Tool/CMC)
290
6.1.5 Relational Connections (Business View Manager)
291
6.1.6 Product Consumptions
292
6.2 Local Connections
293
6.2.1 Information Design Tool
293
6.2.2 Universe Design Tool
294
6.3 Connection Authentication Mode
295
6.3.1 Fixed Credentials
296
6.3.2 Credentials Mapping
297
6.3.3 Prompted Authentication
299
6.3.4 Single Sign-On
300
6.4 Using Credentials Mapping for Single Sign-On
301
6.5 Managing Connections
303
6.5.1 Managing Connections in Information Design Tool
303
6.5.2 Managing Connections in Universe Design Tool
309
6.5.3 Managing Connections in the CMC
312
6.6 Summary
314
7 Universe Security in Universe Design Tool
317
7.1 Universe
318
7.1.1 Relational Universe
320
7.1.2 OLAP Universe
320
7.1.3 Universe Security
322
7.1.4 @VARIABLE
323
7.2 Using Filters on Table, Object, Class, or Universe
323
7.2.1 Table Auto-join
324
7.2.2 Object Filters
325
7.2.3 Mandatory Filters
325
7.3 Using Filters in Universe Design Tool
325
7.3.1 Defining an Auto-join
326
7.3.2 Defining a WHERE Clause on an Object
327
7.3.3 Defining a Mandatory Filter
328
7.3.4 Exporting a Universe in a CMS Repository
329
7.4 Access Restriction Definition
330
7.4.1 Connection
331
7.4.2 Controls
332
7.4.3 SQL
333
7.4.4 Objects
334
7.4.5 Rows
335
7.4.6 Table Mapping
336
7.5 Access Restriction Aggregation
337
7.5.1 Connection, SQL, Controls, and Table Mapping
337
7.5.2 Objects
337
7.5.3 Row Restriction
338
7.6 Managing Access Restrictions in Universe Design Tool
339
7.6.1 Opening the Manage Access Restrictions Dialog Box
339
7.6.2 Creating and Editing Access Restrictions
340
7.6.3 Assigning Access Restrictions
347
7.6.4 Un-Assigning Access Restrictions
348
7.6.5 Defining Group Priority for Access Restrictions
348
7.6.6 Setting Row Restriction Aggregation
349
7.6.7 Preview Net Results
350
7.6.8 Deleting Access Restrictions
352
7.6.9 Setting AUTO_UPDATE_QUERY Parameter
353
7.7 Object Access Level
354
7.8 Managing Object Access Levels
355
7.8.1 Defining Object Access Levels in Universe Design Tool
356
7.8.2 Defining User Access Levels in CMC
357
7.8.3 Editing User Access Levels in CMC
358
7.8.4 Removing User Access Levels in CMC
358
7.9 Summary
359
8 Universe Security in Information Design Tool
361
8.1 Introduction to New Universe
362
8.1.1 Data Foundation
362
8.1.2 Business Layer
363
8.1.3 Security Model
365
8.2 Defining WHERE Clauses and Filters in Information Design Tool
366
8.2.1 Defining an Auto-join in Information Design Tool
367
8.2.2 Defining a WHERE Clause on an Object
367
8.2.3 Defining a Mandatory Filter
368
8.2.4 Publishing a Universe in CMS Repository
369
8.3 Security Profiles
370
8.3.1 Assigned Users and Groups
371
8.3.2 Aggregations
372
8.3.3 AND, ANDOR, and OR Aggregation
373
8.3.4 Consumption
375
8.4 Data Security Profiles
375
8.4.1 Connections
376
8.4.2 Controls
377
8.4.3 SQL
378
8.4.4 Rows
380
8.4.5 Tables
381
8.5 Business Security Profiles
382
8.5.1 Create Query
383
8.5.2 Display Data
387
8.5.3 Filters (Relational Universe)
390
8.5.4 Filters (Multidimensional Universe)
392
8.6 Managing Security Profiles in Information Design Tool
395
8.6.1 Opening the Security Editor
396
8.6.2 Switching Universe-Centric View and User-Centric View
398
8.6.3 Creating a Data Security Profile
400
8.6.4 Editing a Data Security Profile
408
8.6.5 Creating a Business Security Profile
408
8.6.6 Editing a Business Security Profile
421
8.6.7 Assigning and Unassigning a Security Profile
422
8.6.8 Show Universes with Assigned Security Profiles
424
8.6.9 Setting Aggregation Options
424
8.6.10 Setting Data Security Profile Priorities
425
8.6.11 Deleting Security Profiles
427
8.6.12 Show Inherited Security Profiles
428
8.6.13 Preview Net Result
429
8.6.14 Check Integrity
430
8.7 Object Access Level
431
8.7.1 Object Access Level Overview
431
8.7.2 User Access Level
432
8.7.3 Defining Object Access Level in Information Design Tool
433
8.8 User Attributes
434
8.8.1 Defining User Attributes
434
8.8.2 Using User Attributes
434
8.8.3 User Attributes Substitution
435
8.9 Managing User Attributes in the CMC
436
8.9.1 Defining User Attributes in the CMC
436
8.9.2 Setting User Attributes Value in the CMC
438
8.9.3 Deleting User Attributes in the CMC
439
8.10 Running a Secured Query
439
8.11 Summary
441
9 Scheduling and Publishing
443
9.1 Scheduling and Publishing Framework
444
9.1.1 Support for Schedule and Publication
444
9.1.2 Refresh During Schedule or Publication
444
9.2 Scheduling
445
9.2.1 Scheduling Parameters
445
9.2.2 Schedule For Option
447
9.3 Publishing
449
9.3.1 Publishing vs. Scheduling
449
9.3.2 Publication Parameters
450
9.4 Publication Recipients
452
9.4.1 Dynamic Recipient Document
452
9.4.2 Add Dynamic Recipients to a Publication
453
9.4.3 Subscription and Unsubscription to a Publication
455
9.5 Publication Personalization and Profile
456
9.5.1 Global Profile
456
9.5.2 Local Profile
457
9.5.3 Creating a Global Profile
458
9.5.4 Setting Profiles to a Publication
461
9.6 Report Bursting Options
463
9.6.1 One Database Fetch for All Recipients
463
9.6.2 One Database Fetch per Recipient
464
9.6.3 One Database Fetch for Each Batch of Recipients
465
9.7 Summary
466
10 Security for SAP NetWeaver BW Data Sources
467
10.1 SAP Authentication
468
10.1.1 SAP NetWeaver BW System Parameters
468
10.1.2 SAP Authentication Principles
469
10.1.3 Role and User Mapping
470
10.1.4 Users and Groups Updates
471
10.1.5 SAP Authentication Options
472
10.2 Configuring SAP Authentication
475
10.2.1 Creating a Dedicated SAP NetWeaver BW Account
476
10.2.2 Registering the SAP System
476
10.2.3 Defining Authentication Options
478
10.2.4 Importing Roles
479
10.2.5 Updating Users and Roles
480
10.2.6 Validating the SAP Authentication Configuration
481
10.3 SAP Connections
482
10.3.1 OLAP Connection Created in Information Design Tool or CMC
483
10.3.2 Relational Data Federator Data Source Created in Information Design Tool
484
10.3.3 Relational Connection Created in Universe Design Tool
484
10.3.4 Authentication Modes
485
10.4 Creating SAP NetWeaver BW Connections
486
10.4.1 Creating an OLAP Connection in Information Design Tool
486
10.4.2 Creating an OLAP Connection in CMC
488
10.4.3 Creating a Relational Data Federator Data Source in Information Design Tool
490
10.4.4 Creating a Relational Connection in Universe Design Tool
492
10.5 SAP Authentication and Single Sign-On
494
10.6 SNC and STS
495
10.6.1 Principles
495
10.6.2 Workflows
496
10.6.3 STS and SNC Coexistence
497
10.7 Configuring STS
498
10.7.1 Creating a Keystore File
499
10.7.2 Creating a Certificate
500
10.7.3 Importing the Certificate into the SAP NetWeaver BW Server
501
10.7.4 Importing the Keystore into the CMS Repository
503
10.8 User Attributes
505
10.9 Summary
505
11 Defining and Implementing a Security Model
507
11.1 General Recommendations
507
11.2 Defining Users and Groups
509
11.3 Defining Folders and Objects
511
11.4 Defining Rights
512
11.5 Defining Access Levels
514
11.6 Mandatory Rights for Common Workflows
517
11.6.1 Viewing a Web Intelligence Document
517
11.6.2 Creating a Web Intelligence Document
517
11.6.3 Saving a Web Intelligence Document
518
11.6.4 Refreshing a Web Intelligence Document
518
11.6.5 Editing a Web Intelligence Document
519
11.6.6 Moving a Category to Another Category
519
11.6.7 Adding a Document to a Category
520
11.6.8 Scheduling a Document
520
11.6.9 Sending a Document to Inbox
521
11.6.10 Adding a User or a Group to Another Group
521
11.7 Setting Security for External Groups
521
11.8 Delegated Administration
522
11.8.1 Using Rights to Delegate Administration
523
11.8.2 Restricting CMC Usage
524
11.9 Defining Database Filtering
525
11.9.1 Authentication Mode
525
11.9.2 Connection Overloads
526
11.10 Universe Security
527
11.10.1 Universe Scope
527
11.10.2 Row Filtering
527
11.10.3 Consistency Between Products
529
11.10.4 User Attributes
530
11.10.5 Business Layer Views
530
11.11 Combined Authentication
531
11.11.1 Importing SAP NetWeaver BW Users
531
11.11.2 Single Sign-On with SAP NetWeaver BW and Active Directory
532
11.12 Testing a Security Model
533
11.13 Summary
534
Appendices
535
A Universe Comparison and Conversion
535
A.1 Connections
535
A.2 Rights Comparison
537
A.3 Universe Security Comparison
539
A.4 Universe Conversion
546
A.5 Running Conversion in Information Design Tool
549
B The Authors
551
Index
553