Archive

Posts Tagged ‘licensing’

Fixing Permissions: Am I Allowed To Do That?

May 18th, 2012 16 comments

One of my least favorite topics is licensing.

It seems like every year as corporate strategies change and as customers push for simplified licensing, SAP comes out with a new way to sell it’s products.  If you’ve been around a while you’ll recognize some of these:

  • BusinessObjects Enterprise
  • BusinessObjects Enterprise with Interactive Viewing
  • BusinessObjects Enteprise Premium
  • BusinessObjects Edge
  • BusinessObjects Edge Premium
  • Premium Package, Visualization & Reporting
  • Premium Package, Query Reporting & Analysis
  • BI Package
  • BI Suite

What I’m not going to do is explain how SAP licenses it’s products.  That’s what the sales guy is for.

What I do want to explain is how the functionality within the licensing model breaks down and how it impacts you as the BusinessObjects administrator.

Licensed User Type

With BusinessObjects, licensing was pretty straight-forward.  You could either buy:

  • CPUs – unlimited active users running on a limited number of cpus (cores typically counted as 1/2).
  • Named users – one license per named system user on unlimited hardware.
  • Concurrent users – a delightful combination of unlimited users set up on unlimited hardware, but only a given number of those users could log in simultaneously.  (This license went away for a while and now it’s back for specific situations.  Typically customers can figure on 10:1 rate of potential users to concurrent users).

When SAP acquired BusinessObjects all that changed.  SAP introduced the idea of licensing both the ‘platform’ as well as the user count.

SAP customers who use BusinessObjects must purchase licenses for the platform (cpu or named users) as well as a named user license for every person who accesses the BusinessObjects environment.  The only problem is that there is typically a big difference between the capabilities a power user/administrator needs and a casual user who only accesses the system occasionally.

In order to provide try and keep licensing simple, while at the same time providing a differentiation between power users and casual users, SAP created the concept of a licensed user type.

There are two:

  1. Expert users – also know as Business Expert or Business Analyst Users
  2. Standard users – also known as Business Information, BI Viewer or Viewer Users.

What Is My User Allowed To Do

I’ve created a table which breaks down the each product and explains what the user is able to do within that product.  Note that an expert user can do everything a standard user can, plus the additional items listed in the Expert User Rights column (which is the equivalent of ‘full access”).

SAP BusinessObjects Platform

Product Standard User Rights Expert User Rights
BI Platform Access platform services and view environment Modify BI Platform environment, security definition and make modifications. Access and administer (profiles, configuration) platform services.
Live Office View integration with Microsoft Office for viewing reports, dashboards Design and edit queries
BI Workspaces Customize, view personalized reports, dashboards
BI Widgets Customize, view personalized BI widgets Design, author, and create BI widgets
BI Launchpad Personalize your user profile
SAP BusinessObjects Integration  (Oracle, PeopleSoft, JD Edwards) View data from business applications in a report, analysis or dashboard (indirect access)

SAP BusinessObjects Tools

Product Standard User Rights Expert User Rights
Crystal Reports View (refresh and schedule) reports Schedule, author, edit, and update reports
WebIntelligence View (refresh, schedule, export, zoom, sort, search, filter, drill, apply basic formatting) a predefined report Schedule, author, edit, and update analyses and queries
Dashboard View (refresh and interact) dashboard models Schedule, author, edit, and update models
Analysis for OLAP Customize, view personalized BI widgets Design, author, and create BI widgets
Explorer View (search, view and navigate) data sets  Schedule, author, edit, and update Infospaces
BI Mobile View (refresh and interact) documents Author, edit and update analyses and queries
Note that this information can change at any time,
so always check with your SAP sales team to make
sure you understand the capabilities of each license type.

Controlling Access

As administrators, it’s very important to make sure standard users are not using functionality of the expert users.  The good news, bad news is that in most cases this type of user differentiation is a paper license and not controlled by the license key.  This is good because it means that as SAP’s licensing model changes, you don’t have to run out and get new license key or download a new service pack.  The bad news is, you need to setup BusinessObjects security so that standard users don’t accidently extend the reach of what they are licensed to do.

Setting restrictions based on the tables above is pretty straight-forward for most of the application permissions.  In most cases access should be set to “View” and that takes care of it.  The one except is WebIntelligence.

Controlling WebIntelligence

In order to be a standard user, you should explicitly deny specific permissions within the WebIntelligence application.  To access these permissions from the CMC home page, choose Applications.  From the list of available Applications, scroll down the list to Web Intelligence.

Select Web Intelligence and select Manage > Properties from the menu (or user the right-click menu).  Next choose User Security from the navigation pane.

Add a new Principal (if one is not already there) or highlight an existing principal user or group.  We want to Assign Security and restrict WebI access.  The default access right should be View.  We will then want to modify this by clicking the Advanced tab and selecting Add/Remove Rights.  From the left navigation pane, select Application > Web Intelligence.

Manage WebIntelligence Application Security - Scroll down to see ALL the permissions

We are now going to explicitly deny the following rights:

  • Desktop Interface – * all permissions *
  • Documents – enable creation
  • Documents – enable publish and manage content as web service
  • Interfaces – enable Rich Internet Application
  • Interfaces – enable web query panel
  • Query script – enable editing (SQL , MDX…)
  • Query script – enable viewing (SQL , MDX…)
  • Reporting – create and edit breaks
  • Reporting – create and edit conditional formatting rules
  • Reporting – create and edit input controls
  • Reporting – create and edit predefined calculations
  • Reporting – create formulas and variables
  • Reporting – insert and remove reports, tables, charts and cells

If you look under the permissions for WebIntelligence, you will now see the only permission you can modify on a per report basis is Edit Query, which no longer matters because here we’ve explicitly denied Query script – enable editing (SQL, MDX…) within the WebI application.

Once the changes are complete, you should be able to access existing WebIntelligence documents and see that a number of features are now disabled (grayed out).

Standard User Access WebIntelligence With Restricted Permissions

If you have additional questions about permissions and how they might have changed from older versions of BusinessObjects, you can access the information here:
http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/f0543a8d-9155-2f10-c5a7-8d15688a5faa&overridelayout=true

I hope this blog has been useful.  Please do NOT leave any comments below about licensing.  I won’t be able answer these.

What I did want to answer is any questions about the difference between the different user types and show you how to modify the security within BusinessObjects to make sure you are in compliance with your license agreement.  Hopefully it’s mission accomplished.

«Good BI»