ASUG Seman c Layer Influence Council ... ASUG SAP BusinessObjects User
Group Conference. Please check the ..... completing a short survey via the event.
September 10-‐13, 2012 Orlando, Florida
Delivering Personalized and Secure Business Intelligence Using the SAP BusinessObjects Business Intelligence 4.0 InformaAon Design Tool Session 1213
Breakout DescripAon Do you need to tailor semantic layer security to specific users or groups within your organization? Attend this session to learn about security profiles in the new Information Design Tool in SAP BusinessObjects Business Intelligence 4.0 (BI4.0). Understand how security profiles can control objects, rows, query types, and connections. See live demonstrations of each type of restriction and the effect they have on end users’ interactive experience. 2
About Dallas Marks § Dallas Marks is a Principal Technical Architect and Trainer at EV Technologies, an SAP Software Solutions and Sybase partner focusing on business intelligence and business analytics. § Dallas is an SAP Certified Application Associate and authorized trainer for Web Intelligence, Universe Design, Dashboards, and SAP BusinessObjects BI Platform administration. Dallas has worked with SAP BusinessObjects tools since 2003 and presented at the North American conference each year since 2006. § Dallas has implemented SAP BusinessObjects solutions for a number of industries, including energy, health care, and manufacturing. He holds a master’s degree in Computer Engineering from the University of Cincinnati. § Dallas is a co-author of the upcoming SAP Press title SAP BusinessObjects Web Intelligence, 2nd edition, and blogs about various business intelligence topics at http://dallasmarks.org/. 3
Agenda
§ The Information Design Tool § The Need for Universe Security § Introducing Security Profiles § Creating Security Profiles § Demonstrations § Next Steps 4
Delivering Personalized and Secure Business Intelligence
THE INFORMATION DESIGN TOOL
Disclaimer
“I'm just a simple man trying to make my way in the universe.” ―Jango Fett
6
Disclaimer
This presentation focuses on BI 4.0 universes created with the Information Design Tool. For XI R2 and XI 3.0/XI 3.1 universes created with Universe Design Tool (Designer), refer to the following presentation. Secure Universes Using Restriction Sets Insight 2007 BusinessObjects User Conference October 2007, Orlando, Florida
7
Learn more about InformaAon Design Tool § Go, Universe, Go! Techniques for Performance Tuning David Rathbun | Session 0607 Tuesday, September 11, 2012 11:15 AM -‐ 12:15 AM
§ ASUG SemanMc Layer Influence Council Derek Loranca & Pierpaolo Vezzosi | Session 0906 Tuesday, September 11, 2012 10:00 AM -‐ 11:00 PM
§ InformaMon Design Tool Primer and Review Cindi Howson | Session 0606 Tuesday, September 11, 2012 10:00 AM -‐ 11:00 AM
§ Preparing for Life on Planet UNX
Alan Mayer | Session 0611 Wednesday, September 12, 2012 8:00 AM -‐ 9:00 AM
§ SAP BusinessObjects Web Intelligence 4.0 on SAP NetWeaver BW Shawn Patrick Duffy | Session 1209 Tuesday, September 11, 2012 2:45 PM -‐ 3:45 PM
This list represents only a portion of the 22 semantic layer breakout sessions at the ASUG SAP BusinessObjects User Group Conference. Please check the official conference schedule for a full listing.
8
What is a legacy UNV Universe?
*.unv
Connection
9
What is a tradiAonal UNV Universe? Business Layer
Data Foundation
Created with the Universe Design Tool, formerly known as “Universe Designer” or simply “Designer”.
10
What is a UNX Universe?
Business Layer *.blx
Data Foundation *.dfx
Connection *.cns
*.unx
The term “Common Semantic Layer” is also used to describe this new universe format. 11
What is a UNX Universe?
Data Foundation
Business Layer *.blx *.dfx *.cns
12
Created with the new Information Design Tool
Web Intelligence 4.0 Query Methods § Web Intelligence now allows BEx (SAP NetWeaver® BW) and Analysis View to be queried directly without a universe
Related Sessions: SAP BusinessObjects Web Intelligence 4.0 on SAP NetWeaver BW Shawn Patrick Duffy | Session 1209 Tuesday, September 11, 2012 2:45 PM - 3:45 PM
13
13
Web Intelligence Query Methods (cont.) § Web Intelligence now allows BEx (SAP NetWeaver® BW) and Analysis View to be queried directly without a universe § Web Intelligence Rich Client (shown) adds support for Excel, Text, and Web Services
14
14
Web Intelligence Query Methods (cont.) § Web Intelligence now allows BEx (SAP NetWeaver® BW) and Analysis View to be queried directly without a universe § Web Intelligence Rich Client (shown) adds support for Excel, Text, and Web Services § This presentaMon focuses on securing universes created with the new InformaMon Design Tool 4.0
15
Delivering Personalized and Secure Business Intelligence
THE NEED FOR UNIVERSE SECURITY
Two Methods for Securing Universes
Restrict access to enAre universe by sefng universe rights in the Central Management Console (CMC)
17
Create various forced and opAonal restricAons within InformaAon Design Tool Forced Object restricAons Self-‐restricAng joins Inferred extra tables OpAonal Filter objects
Personalizing Ad Hoc Queries Need to secure business-‐criMcal data based on a user’s role in the organizaMon, but standard universe design soluMons affect all users unilaterally …
… a different soluMon is required to apply security condi.onally to specific users and groups: Security profiles. 18
Personalizing Ad Hoc Queries Database-‐specific techniques such as Teradata Query Banding and Oracle Virtual Private Databases can be used but are beyond the scope of this discussion
Security Profiles are ideal for organizaMons that use mulMple database pladorms and need a single, integrated approach to data security 19
Securing and Personalizing eFashion Gotta analyze those party pants sales!
20
Securing and Personalizing eFashion
How do we ensure that Bennett is limited to only Colorado Springs data…
21
Securing and Personalizing eFashion While allowing executives to look across the organization?
22
Delivering Personalized and Secure Business Intelligence
SECURITY PROFILES
What is a Security Profile? A security profile is a group of security settings that apply to a universe published in the repository Similar features are available in the Universe Design Tool for traditional universes (UNV), known as access restrictions or restriction sets
24
What is a Security Profile? Data Security Profiles have security settings defined on objects in the data foundation and on data connections Business Security Profiles have security settings defined on objects in the business layer
25
What can be restricted in tradiAonal UNV universes?
26
Type of restriction
Description
Connection
Override the default universe connection with an alternate connection
Query controls
Limit the size of the result set and query execution time
SQL generation controls
Control how SQL is generated by user query
Row access
Row-level security – force restrictions into the WHERE clause of inferred SQL
Alternative table access
Replace a table referenced in the universe with another table in the database
Object access
Column-level security
What can be restricted in new UNX universes? Data Foundation Restrictions Type of restriction
Description
Connection
Override the default universe connection with an alternate connection
Query controls
Limit the size of the result set and query execution time
SQL generation controls
Control how SQL is generated by user query
Row access
Row-level security – force restrictions into the WHERE clause of inferred SQL
Alternative table access
Replace a table referenced in the universe with another table in the database
Similar restrictions exist in Universe Design Tool 27
What can be restricted in new UNX universes? Business Layer Restrictions Type of restriction
Description
Create Query
Defines the universe views* and business layer objects** available to the user in the query panel.
Display Data
Grants or denies access to the data retrieved by objects in the business layer when the user runs a query.*
Filters
Defines filters using objects in the business layer.*
* New feature of BI 4.0 ** Similar to object restrictions in Universe Design Tool 28
Delivering Personalized and Secure Business Intelligence
CREATING SECURITY PROFILES
Securing Universes — Design Process 5) Deploy using Lifecycle Manager
1) Create & Manage Security Model
4) Create Web Intelligence Documents* * Crystal Reports and SAP BusinessObjects Dashboards (formerly Xcelsius®) based on universes can also leverage Security Profiles
30
2) Build and Export Universe
3) Add Security Profile
ImporAng Secure Universes from XI R2 & XI 3.1 Import BIAR file into BI 4.0 using Upgrade Management Tool Import and Convert UNV to UNX using Information Design Tool (IDT) Validate Converted Security Profile Test and Deploy 31
Default Universe Parameters — Data FoundaAon Layer
32
32
Default Universe Parameters — Business Layer
33
Access RestricAons in the Universe Design Tool (UNV)
Editing Toolbar Tools Menu
Access restrictions can be accessed from either the tools menu or the editing toolbar 34
Security Profiles in InformaAon Design Tool (UNX)
Access restrictions are available via Security Editor on Window menu or editing toolbar
35
InformaAon Design Tool — Security Editor
36
Using the Security Editor — Step 1 of 4 1. Select universe and create security profiles
37
Using the Security Editor — Step 2 of 4
2. Assign Users or Groups
38
38
Using the Security Editor — Step 3 of 4 3. Adjust Options
39
Using the Security Editor — Step 4 of 4
4. Test Specific Users and Groups
40
Data Security Profile — ConnecAons § Replace default universe connecAon § Use Case: Default connecAon may point to producAon but Security Profile points UAT users to UAT connecAon
41
Data Security Profile — Controls § Limit number of rows or execuAon Ame § Use Case: ConservaAve default sefngs for all users but more aggressive sefngs for power users
42
Data Security Profile — SQL § Control complexity of user queries § Use case: Default sefngs may allow sub-‐queries and combined queries, but security profile limits casual business users
43
Data Security Profile — Rows § Force restricAons into SQL WHERE clause § Use case: Row level security for sales team so they only see “their” numbers § May also desire to disable ability to view SQL in Web Intelligence
44
Data Security Profile — Tables § Point to different table in database schema § Use Case: Default users point to one year of facts, but security profile points to three years of facts for power users § Not necessary for replacement table to be defined in universe
45
Business Security Profile — Create Query § Hide business layer views or business layer objects from certain users § Use Case: Control visibility of sensiAve measures such as profit margin
46
Business Security Profile — Display Data § Prevents display of objects on report § If AUTO_UPDATE_QUERY parameter is No, then refreshing report generates an error § If AUTO_UPDATE_QUERY parameter is Yes, then the denied objects are removed from query and any business layer filters
47
Business Security Profile — Filters § Filter universe objects at the business layer, not database columns at data foundation layer § Still applies filter to SQL statement
48
Delivering Personalized and Secure Business Intelligence
DEMONSTRATIONS
Delivering Personalized and Secure Business Intelligence
NEXT STEPS
Additional Resources SAP BusinessObjects Business Intelligence 4.0: Business Intelligence Platform Administrator Guide SAP BusinessObjects Business Intelligence 4.0: Information Design Tool Guide
SAP BusinessObjects Business Intelligence 4.0: Web Intelligence User’s Guide
Quick Reference Getting Around Information Design Tool (SCN, June 2011).
51
Official Product Tutorials on SCN
www.sap.com/learnbi 52
Thank You!
Dallas Marks @dallasmarks Principal Technical Architect EV Technologies hpp://dallasmarks.org/ hpp://linkedin.com/in/dallasmarks/ Visit EV Technologies at Booth 210 in the Partner Showcase!
53
Thank you for participating. Please provide feedback on this session by completing a short survey via the event mobile application. SESSION CODE: 1213 Learn more year-round at www.asug.com
