A very common question when it comes to SAP BusinessObjects is: How should I manage my SAP BusinessObjects security authorizations?
Although that is an extremely broad topic, today I want to discuss the issue of leveraging an external corporate directory to manage user authorizations.
NOTE: It's important to remember that only the user/group membership gets delegated out. The group/object rights assignments must still be performed by the BI administrator.
In most large organizations there is a security team which manages user ids and user groups. These users and groups are typically stored in a Corporate Directory such as LDAP, Windows Active Directory, etc.
The user id and password from the Corporate Directory are the means by which users authenticate themselves (via secLDAP, secWinAD, secSAP, etc.). So the question naturally arises: should I manage all my authorizations through groups managed in external security solutions?
The answer for your organization will depend on the answers to the following questions:
- How much cooperation is there between the BI Administrator and the Corporate Directory Team?
- How quickly can new groups be added to the Corporate Directory?
- How many groups would you need to add to the Corporate Directory to manage all the BI security scenarios?
- Do I want to delegate the bulk of my BI security management to the Corporate Directory Team?
There are pros and cons to any software implementation, and the right choice must be made according to the culture and policies that fit your organization.
Leveraging External Security Exclusively
In certain cases the Corporate Directory team may be able to create and manage, within the Corporate Directory, all the groups the BI Administrators need for security, and to assign the correct group membership when a user is provisioned.
The advantages include:
- Single location for user/group membership
- Delegated Model – less for the BI administrator to manage
The disadvantages include:
- Delegating group creation and user group membership
This model has been successfully implemented at a large insurance company with 500+ BusinessObjects-related groups mapped to an external Active Directory server.
Leveraging A Mixed Model
At a high-level the mixed model leverages:
- External security management for coarse-grained security
- Internal secEnterprise groups for fine-grained security
I recommend using coarse-grained security to manage which users should have access to the BI environment at all (e.g. NY Users, Georgia Users, Reporting Users, etc.). Once the user has been imported into the system, we can fine-tune their access via fine-grained security.
NOTE: We refer to these as Data Access Roles because the users in the Georgia Users group only get to see Georgia reports and the corresponding Georgia data.
Administrators can use internal secEnterprise groups for managing fine-grained security. You can create roles such as WebI Viewer, WebI Developer and InfoView User, which control the product-specific rights allowed to the users of that role.
NOTE: We refer to these as Entitlement Roles because the users in the WebI Viewer group are allowed limited application functionality.
The advantages include:
- A clean delineation between the Corporate Directory and the BI Security
- Balance between corporate control and system flexibility
The disadvantages include:
- Security being managed in two places
- The need for the BI Administrator to be notified of fine-grained role changes so users can be remapped
It’s hard to say for sure whether the Mixed Model tends to work better in most organizations than the delegated model. You need to determine which model will work best for your organization. What I can say is that both models allow for extremely flexible deployments amongst the multitude of different scenarios that I have come across.
Don’t Forget
Regardless of which model you use there is something you should know…
One organization had communication problems with its LDAP server, and as a result of a synchronization problem most of its users were deleted from the BusinessObjects environment. Users – Inboxes – Personal Folders. Gone.
There is one extremely important rule when leveraging an external Corporate Directory. Make sure that every external user in your BusinessObjects environment is mapped to at least one secEnterprise group. This guarantees that the mapped user's id will never accidentally be deleted from the system. For Java SDK samples around user management, go here.
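The two practical points above, the mixed model (external groups as data-access roles, secEnterprise groups as entitlement roles) and the rule that every external user must hold at least one secEnterprise group, can be checked against a user/group export. The script below is an added example and is neither code from the post nor the BusinessObjects SDK; it works on a constructed export in which group names carry the owning authentication plug-in as a prefix.

```python
# Added audit example (not from the post and not the BusinessObjects SDK):
# applies two checks from the post to a constructed user/group export.
EXTERNAL_PLUGINS = {"secLDAP", "secWinAD", "secSAP"}

# Constructed sample export. Group names are prefixed with the authentication
# plug-in that owns the group; aliases list the plug-ins the user logs on with.
SAMPLE_USERS = [
    {"name": "jdoe", "aliases": ["secWinAD"],
     "groups": ["secWinAD:Georgia Users", "secEnterprise:WebI Viewer"]},
    {"name": "asmith", "aliases": ["secLDAP"],
     "groups": ["secLDAP:NY Users"]},                      # no secEnterprise mapping
    {"name": "vchen", "aliases": ["secSAP"],
     "groups": ["secSAP:ZBI_REPORT_USER", "secEnterprise:WebI Developer"]},
    {"name": "Administrator", "aliases": ["secEnterprise"],
     "groups": ["secEnterprise:Administrators"]},          # internal user, not in scope
]


def split_group(group):
    """'secWinAD:Georgia Users' -> ('secWinAD', 'Georgia Users')."""
    plugin, _, name = group.partition(":")
    return plugin, name


def is_external(user):
    """A user is external when any of its aliases comes from a directory plug-in."""
    return any(alias in EXTERNAL_PLUGINS for alias in user["aliases"])


def users_at_risk(users):
    """External users with no secEnterprise group: a directory sync problem can delete them."""
    at_risk = []
    for user in users:
        if not is_external(user):
            continue
        if not any(split_group(g)[0] == "secEnterprise" for g in user["groups"]):
            at_risk.append(user["name"])
    return at_risk


def effective_access(user):
    """Mixed model: external groups are data-access roles, secEnterprise groups are entitlement roles."""
    data_access, entitlements = set(), set()
    for group in user["groups"]:
        plugin, name = split_group(group)
        (entitlements if plugin == "secEnterprise" else data_access).add(name)
    return {"data_access": data_access, "entitlements": entitlements}


if __name__ == "__main__":
    for name in users_at_risk(SAMPLE_USERS):
        print(f"WARNING: external user {name} has no secEnterprise group")
    for user in SAMPLE_USERS:
        print(user["name"], effective_access(user))
```

Run against a real export, the at-risk list is the set of users to map to a secEnterprise group before the next directory synchronization.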
«Good BI»
Hello Dave,
“Make sure that every external user in your BusinessObjects environment is mapped to at least one secEnterprise group”
Do you suggest this even when we inherit SAP Roles? If so, currently we don't have any secEnterprise groups as we are totally making use of SAP Roles. How can we achieve this, do you mean creating equivalent enterprise groups as well?
– Vamsi Ch
Every business application requires special authorization because it controls users before they access the application. As we all know, any business is only possible through a group of employees, and they come from different backgrounds. So security is needed to protect the business from any criminal activity by end users.