Archive for the ‘Administrators’ Category

Virtualization Support for SAP BusinessObjects

August 21st, 2012 8 comments

Do you need to virtualize your BI deployment?  Join the crowd.  Some say that by 2015, 80% of Business Intelligence deployments will be on virtualized in one way or another… and there are a lot of reasons to virtualize.  In fact, I’ve been doing BusinessObjects demos using VMWare for over 10 years.

So what about my production SAP BusinessObjects environment?

There are two things you need to consider:

  1. Does my existing license agreement provide me virtualization rights?
  2. Will SAP support BusinessObjects running on a virtualized environment?

The License Agreement

Virtualization language need to be included in the terms and conditions of your license agreement.  BusinessObjects license agreements from before February 2008 did not include virtualization rights… and even if you have purchased additional licenses in the last few years, you may have simply signed an addendum to the original contract which would not necessarily have included virtualization rights.
If you need virtualization rights, please contact your SAP sales representative and let them know.  They will be able to help you get virtualization language into your license agreement.
If you virtualize your BusinessObjects deployment without the associated
license terms in your contract, you will be out of license compliance.

SAP Support for Virtualization

SAP BusinessObjects has been supported on the VMWare platform for a number of years but as virtualization options have expanded it’s been harder and harder to find detailed information about exactly what SAP supports and doesn’t support and where to go to get the best information on this topic.

Earlier this year SAP support published a virtualization support statement which covers all the  SAP products, including SAP BusinessObjects. (Note: the key exceptions are HANA and BWA which are hardware solutions and virtualization doesn’t make sense.)

Here can find the statement here:

What does this mean for me?

This means that if you are using Hypervisor vendors such as Citrix XenServer, Microsoft Hyper-V, VMWare vSphere, you will be able to get support for your SAP environment leveraging these technologies.  The same is true for AIX partitioning and Solaris containers.

The core statement is:  SAP supports virtualization solutions that behave in a fully transparent manner to the application.  Therefore, functionally SAP will support a virtual environment in the same way that it supports physical environments.

Performance on Virtualized Environments

This is a great topic.

I’ve heard anecdotal evidence that running SAP BusinessObjects in a virtualized environment tacks on about a 30% performance hit, but I’ve not seen any whitepapers to support that claim.  What I have heard from SAP support is that the majority of performance related issues are associated with how the Hypervisor or host environments have been configured.

Key To Remember

Before you provision a virtual server for your BI environment think about the workload before you start.  It’s very different from traditional application environments.

Keep in mind that:

  • Transactional applications have fairly consistent load patterns, but BI applications tend to spike.
  • Aggregating millions records is much different than streaming transactions.
  • BI environments are very I/O intensive and behave more like an Exchange Server than an ERP application
  • Your BI environment should not underresourced.

Working With Your Infrastructure Team

Sometimes the infrastructure team, in an attempt to manage limited server resources will throttle down your BI environment.    The problem is that if BusinessObjects doesn’t get enough CPU or RAM, then it will begin swapping in ways that aren’t expected.  You want to avoid this problem.

Before you call support about performance, make sure that you also understand how the virtual environment is being controlled.  It may appear that SAP BusinessObjects is using 100% of the cpu, but after hours of troubleshooting, we often discover that in reality you are using 100% of the 25% you were allocated.  You’ve topped out your ‘share’ of the cpus.

SAP BusinessObjects  is architected to use all system resources available to it.  It will be greedy when it comes to leveraging available resources, so don’t be stingy.  On a shared environment a single server is going to share the same network card, the same host bus adapter so keep that in mind as well.

Best Practices

“Don’t believe everything you hear.” – Aesop

Virtualization vendors have traditionally provided guidance to their customers on how to configure virtual environments for specific applications; however sometimes those recommendations have unintended consequences to performance.

One notable article was recently published on SCN.  VMWare had provided a number of tuning best practices for customer running Java applications and yet these best practices did not have the intended effect.  Read more here:

The good news is that BusinessObjects doesn’t necessarily require special tuning when running in a virtual environment. The bad news is that there is a lot of misinformation out there which might lead you astray.

Although SAP doesn’t yet have a full configuration best practices guide for running SAP BusinessObjects within a virtualized environment, I know that there are folks who are eager to hear about your experiences.  Last week I heard from Ashish Morzaria and he asked me if I knew any customers who might be willing to get involved and provide some feedback.

Well, now is your chance.

Help Us Help You

Get in touch.

If you:

  • Have already virtualized and can share your lessons learned
  • Want to virtualize and are looking for a whitepaper
  • Want to tell us your story – either a case study, reference, etc.

Please let me know and help get you in touch with the right folks.

«Good BI»


Categories: Administrators Tags: ,

Fixing Permissions: Am I Allowed To Do That?

May 18th, 2012 16 comments

One of my least favorite topics is licensing.

It seems like every year as corporate strategies change and as customers push for simplified licensing, SAP comes out with a new way to sell it’s products.  If you’ve been around a while you’ll recognize some of these:

  • BusinessObjects Enterprise
  • BusinessObjects Enterprise with Interactive Viewing
  • BusinessObjects Enteprise Premium
  • BusinessObjects Edge
  • BusinessObjects Edge Premium
  • Premium Package, Visualization & Reporting
  • Premium Package, Query Reporting & Analysis
  • BI Package
  • BI Suite

What I’m not going to do is explain how SAP licenses it’s products.  That’s what the sales guy is for.

What I do want to explain is how the functionality within the licensing model breaks down and how it impacts you as the BusinessObjects administrator.

Licensed User Type

With BusinessObjects, licensing was pretty straight-forward.  You could either buy:

  • CPUs – unlimited active users running on a limited number of cpus (cores typically counted as 1/2).
  • Named users – one license per named system user on unlimited hardware.
  • Concurrent users – a delightful combination of unlimited users set up on unlimited hardware, but only a given number of those users could log in simultaneously.  (This license went away for a while and now it’s back for specific situations.  Typically customers can figure on 10:1 rate of potential users to concurrent users).

When SAP acquired BusinessObjects all that changed.  SAP introduced the idea of licensing both the ‘platform’ as well as the user count.

SAP customers who use BusinessObjects must purchase licenses for the platform (cpu or named users) as well as a named user license for every person who accesses the BusinessObjects environment.  The only problem is that there is typically a big difference between the capabilities a power user/administrator needs and a casual user who only accesses the system occasionally.

In order to provide try and keep licensing simple, while at the same time providing a differentiation between power users and casual users, SAP created the concept of a licensed user type.

There are two:

  1. Expert users – also know as Business Expert or Business Analyst Users
  2. Standard users – also known as Business Information, BI Viewer or Viewer Users.

What Is My User Allowed To Do

I’ve created a table which breaks down the each product and explains what the user is able to do within that product.  Note that an expert user can do everything a standard user can, plus the additional items listed in the Expert User Rights column (which is the equivalent of ‘full access”).

SAP BusinessObjects Platform

Product Standard User Rights Expert User Rights
BI Platform Access platform services and view environment Modify BI Platform environment, security definition and make modifications. Access and administer (profiles, configuration) platform services.
Live Office View integration with Microsoft Office for viewing reports, dashboards Design and edit queries
BI Workspaces Customize, view personalized reports, dashboards
BI Widgets Customize, view personalized BI widgets Design, author, and create BI widgets
BI Launchpad Personalize your user profile
SAP BusinessObjects Integration  (Oracle, PeopleSoft, JD Edwards) View data from business applications in a report, analysis or dashboard (indirect access)

SAP BusinessObjects Tools

Product Standard User Rights Expert User Rights
Crystal Reports View (refresh and schedule) reports Schedule, author, edit, and update reports
WebIntelligence View (refresh, schedule, export, zoom, sort, search, filter, drill, apply basic formatting) a predefined report Schedule, author, edit, and update analyses and queries
Dashboard View (refresh and interact) dashboard models Schedule, author, edit, and update models
Analysis for OLAP Customize, view personalized BI widgets Design, author, and create BI widgets
Explorer View (search, view and navigate) data sets  Schedule, author, edit, and update Infospaces
BI Mobile View (refresh and interact) documents Author, edit and update analyses and queries
Note that this information can change at any time,
so always check with your SAP sales team to make
sure you understand the capabilities of each license type.

Controlling Access

As administrators, it’s very important to make sure standard users are not using functionality of the expert users.  The good news, bad news is that in most cases this type of user differentiation is a paper license and not controlled by the license key.  This is good because it means that as SAP’s licensing model changes, you don’t have to run out and get new license key or download a new service pack.  The bad news is, you need to setup BusinessObjects security so that standard users don’t accidently extend the reach of what they are licensed to do.

Setting restrictions based on the tables above is pretty straight-forward for most of the application permissions.  In most cases access should be set to “View” and that takes care of it.  The one except is WebIntelligence.

Controlling WebIntelligence

In order to be a standard user, you should explicitly deny specific permissions within the WebIntelligence application.  To access these permissions from the CMC home page, choose Applications.  From the list of available Applications, scroll down the list to Web Intelligence.

Select Web Intelligence and select Manage > Properties from the menu (or user the right-click menu).  Next choose User Security from the navigation pane.

Add a new Principal (if one is not already there) or highlight an existing principal user or group.  We want to Assign Security and restrict WebI access.  The default access right should be View.  We will then want to modify this by clicking the Advanced tab and selecting Add/Remove Rights.  From the left navigation pane, select Application > Web Intelligence.

Manage WebIntelligence Application Security - Scroll down to see ALL the permissions

We are now going to explicitly deny the following rights:

  • Desktop Interface – * all permissions *
  • Documents – enable creation
  • Documents – enable publish and manage content as web service
  • Interfaces – enable Rich Internet Application
  • Interfaces – enable web query panel
  • Query script – enable editing (SQL , MDX…)
  • Query script – enable viewing (SQL , MDX…)
  • Reporting – create and edit breaks
  • Reporting – create and edit conditional formatting rules
  • Reporting – create and edit input controls
  • Reporting – create and edit predefined calculations
  • Reporting – create formulas and variables
  • Reporting – insert and remove reports, tables, charts and cells

If you look under the permissions for WebIntelligence, you will now see the only permission you can modify on a per report basis is Edit Query, which no longer matters because here we’ve explicitly denied Query script – enable editing (SQL, MDX…) within the WebI application.

Once the changes are complete, you should be able to access existing WebIntelligence documents and see that a number of features are now disabled (grayed out).

Standard User Access WebIntelligence With Restricted Permissions

If you have additional questions about permissions and how they might have changed from older versions of BusinessObjects, you can access the information here:

I hope this blog has been useful.  Please do NOT leave any comments below about licensing.  I won’t be able answer these.

What I did want to answer is any questions about the difference between the different user types and show you how to modify the security within BusinessObjects to make sure you are in compliance with your license agreement.  Hopefully it’s mission accomplished.

«Good BI»

SP5: Can’t Get There From Here

January 24th, 2012 2 comments

Administrators take note!

In case you missed it, the straight-forward upgrade between Service Packs has a little wrinkle that you need to be aware of.

Upgrading to XI 3.1 SP5

If it’s been a while since your last upgrade and you are still running BOE XI 3.1 SP2, you may be surprised to find out that you cannot go from SP2 to SP5 in a single upgrade.  I don’t have the details as to why other than the fact that SAP Note:  1664385 tells us it’s not supported.

Only the following upgrades paths are supported:

  • BOE XI 3.1 + SP3 + SP5
  • BOE XI 3.1 + SP2 + SP3+ SP5
  • BOE XI 3.1 + SP2 + SP4+ SP5
  • BOE XI 3.1 + SP3 + SP4+ SP5

I read through the note and there wasn’t any additional explanation as to why, but you can see for yourself:

Remember:  Always read the release notes.

«Good BI»


Installing BusinessObjects v4.0 – CMS Database

January 5th, 2012 No comments

I’ve installed BusinessObjects about a hundred times and there is very little that’s changed about the installation wizard from a user interface perspective since Crystal Enterprise 10.  BusinessObjects has always included “in the box” all the components necessary to successfully install BusinessObjects for a single server configuration.

That said, there is ONE change I make every time I do an installation.

History of the Embedded Database

On Windows, it’s gone from SQL Server Embedded (CE10) to MySQL (for support of Unix and Linux) and back to SQL Server.  Now that SAP has acquired it’s own database technology, don’t be too surprised if it comes bundled with Sybase in the future.

Personally I’ve never liked uses the embedded database and I wouldn’t recommend you use it either.  In fact, I recently has a situation with a client who due to any overly restrictive server/firewall configuration was unable to get the embedded database working and we wasted hours trying to troubleshoot the problem.

Installation Best Practice

I always choose “Custom Install” so that I can:

  • Modify the installation location
  • Uncheck the default embedded database (for the CMS)

I really don’t like to include the embedded database because I want to give BusinessObjects as much on-server resources as possible – especially with v4.0.

Always create space in an existing database environment to support BusinessObjects.  There are many supported CMS databases including:  SQL Server, MySQL, IBM DB2, Oracle, MaxDB and Sybase.

NOTE:  Always test connectivity to the database from the server on
which you will be installing BusinessObjects to make sure the connectivity
is working.

During the installation you will want to NOT include the embedded database.  That means doing a CUSTOM install and deselecting Integrated Database.

No Embedded Database

De-Select the Integrated Database

What I love about the installer is that it will check the database connectivity before the installation begins.  If there is an issue with the database client configuration, permissions, etc., the installation will warn me of the situation and not continue.  This gives me the confidence to know that assuming I have enough hard drive space, when I select “Begin Installation”,  it will complete successfully.

«Good BI»

Managing Security Authorizations

February 9th, 2011 2 comments

A very common question when it comes to SAP BusinessObjects is:  How should I manage my SAP BusinessObjects security authorizations?

Although that is an extremely broad topic, today I want to discuss the issue of leveraging an external corporate directory to manage user authorizations.

NOTE:  It's important to remember that only the
user/group membership gets delegated out.
The group/object rights assignments must still be
performed by the BI administrator.

In most large organizations, there is a security team which manages users ids and user groups.  These users and groups are typically stored in a Corporate Directory such as LDAP, Windows Active Directory, etc.

The userid and password from the Corporate Directory is the method through which users are able to authenticate themselves (via secLDAP, secWinAD, secSAP, etc.)  So the question naturally arises:  Should I manage all my authorizations through groups managed via external security solutions?

The answer for your organization will depend on the answers to the following questions:

  1. How much cooperation is there between the BI Administrator and the Corporate Directory Team?
  2. How quickly can new groups be added to the Corporate Directory?
  3. How many groups would you need to add to the Corporate Directory to manage all the BI security scenarios?
  4. Do I want to delegate the bulk of my BI security management to the Corporate Directory Team?

There are pros and cons to any software implementation and the right solution must be made according to the culture and policies that fit your organization.

Leveraging External Security Exclusively

In certain cases the Corporate Directory team may be able to create and manage all the groups BI Administrators will need for security within the Corporate Directory and they are able to assign the correct security when a user is provisioned.

The advantages include:

  • Single location for user/group membership
  • Delegated Model – less for the BI administrator to manage

The disadvantages include:

  • Delegating group creation and user group membership

This model has been successfully implemented at a large insurance company with 500+ BusinessObjects-related groups mapped to an external Active Directory server.

Leveraging A Mixed Model

At a high-level the mixed model leverages:

  1. External security management for course grain security
  2. Internal secEnterprise groups for fine grain security

I recommend course grain security to manage which users should have access to the BI environment (e.g. NY Users, Georgia Users, Reporting Users, etc.)  Once the user has been imported into the system, we can fine tune their access via fine grain security.

NOTE:  We refer to these as Data Access Roles because
the users in the Georgia Users group only get to see Georgia reports
and the corresponding Georgia data.

Administrators can use internal secEnterprise groups for managing fine grain security.  You can create roles such as:  WebI Viewer, WebI Developer, InfoView user, which can control the product specific rights allowed to the users of that role.

NOTE:  We refer to these as Entitlement Roles because
the users in the WebI Viewer group are allowed limited
application functionality.

The advantages include:

  • A clean delineation between the Corporate Directory and the BI Security
  • Balance between corporate control and system flexibility

The disadvantages include:

  • Security being managed in two places
  • The need for the BI Administrator to be notified of fine grain role changes so users can be remapped

It’s hard to say for sure whether the Mixed Model tends to work better in most organizations than the delegated model.  You need to determine which model will work best for your organization.  What I can say is that  both models allow for extremely flexible deployments amongst the multitude of different scenarios that I have come across.

Don’t Forget

Regardless of which model you use there is something you should know…

One organization which had communication problems with their LDAP server and as a result of a synchronization problem, most of their users were deleted from their BusinessObjects environment.  Users – Inboxes – Personal Folders.   Gone.

There is one extremely important rule when leveraging an external Corporate Directory.  Make sure that every external user in your BusinessObjects environment is mapped to at least one secEnterprise group.  This will guarantee the the mapped users id will never accidently be deleted from the system.  For Java SDK samples around user management, go here.

«Good BI»