Thursday, May 29, 2014

Common SAP BusinessObjects Security Mistakes - Securing Content


By Rick Epstein
ResolvIT Inc.

This post continues the list of common security mistakes begun in my earlier post, Abuse of the Everyone Group.

Content is an asset. It has value for your organization, is frequently subject to regulatory compliance requirements, and can cause damage to your organization if it falls into the wrong hands. Securing content requires your utmost attention.

Mistake #4: Not securing all content within the CMC
You should be able to have confidence that any user logging in to the CMC can only see what you want them to see, and perform only those actions you want them to perform.

Mistake #5: Setting explicit denials
There may be a place for explicit denials somewhere in your security model, but as a rule, you should avoid them like the plague. They are just too difficult to document. Once you set explicit denials, undoing them can be difficult. It's very difficult to know what unintended consequences you've unleashed through the cascading effects of explicit denials.

Mistake #6: Breaking inheritance without a clear plan and good documentation
When inheritance is broken, users will potentially have new rights that are not controllable from a higher folder and/or group level. An administrator would likely not be aware that this situation exists and would mistakenly think that content is secure. In other words, if a parent folder with subfolders has inheritance broken, that folder and its subfolders will have a set of permissions that is likely not consistent with all desired security settings and certainly different from those on the folder levels above them.

Mistake #7: Not knowing who has rights to what content and what a user can do with that content
What if granular rights have been set? What if explicit denials have been used? What if inheritance has been broken? Any one or more of these leads to confusion and not only makes maintenance difficult but makes it nearly impossible to know who can see and do what. Ask yourself, "What is the summation of all rights for this user on this object?"

Are you aware of other common security mistakes, or do you have questions about what is written here? Use the Comments section for this post, or email me directly at

More common mistakes in my next post.

Friday, May 16, 2014

Common SAP BusinessObjects Security Mistakes - Abuse of the Everyone Group

By Rick Epstein

This post starts a list of the most common security mistakes committed by uninitiated SAP BusinessObjects administrators. The world of BI security is ruled by the law of unintended consequences. What you don't know can hurt you.

The mistakes documented in these posts are not in rigid order of importance. However, you may regard the three listed in this first post as foundational to your security model. If you don't get these ones right, your security model will almost certainly cause you grief.

Mistake #1: Applying security on the Everyone group rather than setting the group to "No Access"
To avoid inappropriate (and not necessarily apparent) access to folders, applications, and content, you should always set the Everyone group to "No Access." If you want to apply a security setting to all users, then create a custom group and add the Everyone group to it. Setting the Everyone group to "No Access" is the foundation upon which you will build a good security model.

Mistake #2: Forgetting to apply "No Access" to the Everyone group on all Top-Level folders (Folders, Personal Folders, Universe Folders, Connection Folders, Categories, Personal Categories)

Missing any one of these Top-Level folders potentially allows users inappropriate access to other users’ content.

Mistake #3: Forgetting to apply "No Access" to the Everyone group on all applications
Missing any application may allow users to have inappropriate access and permissions with regard to applications.

Are you aware of other common security mistakes, or do you have questions about what is written here? Use the Comments section for this post, or email me directly at

More common mistakes in my next post.

Monday, May 12, 2014

SAP BusinessObjects Security - Rights Assignment

By Rick Epstein

As I mentioned in my previous post, access levels are applied to users and groups. By contrast, there are three SAP BusinessObjects security settings that apply at the granular rights level.
  • No Access: Does not allow the right, but can be overridden by an explicit grant or an explicit denial
  • Explicit Denial: Does not allow the right on an object and cannot be overridden
  • Explicit Grant: Allows the right on the object and can be overridden

There is another setting that is available for each right that is assigned: the Apply on This Object or All Sub-Objects setting. By default, a right assignment is applied to all sub-objects. Sub-objects can be sub folders or reports, categories, universes, or connections under the folder on which a right is applied. Assigning the right only to this object (not sub-objects) will prevent the right from cascading/inheriting down.
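
The question "What is the summation of all rights for this user on this object?" from the Securing Content post, worked through with the three settings and the scope option described above, as an added example (not code from the original post or from SAP). It is a simplified model of the rules as stated here and does not reproduce the platform's full rights calculation; all folder, group and user names are constructed, and broken inheritance is assumed to mean that nothing set on folders above applies.

```python
# Simplified model of the rules stated in this post; not the SAP BusinessObjects SDK.
GRANT, DENY = "grant", "deny"

# Constructed sample data; every folder, group and user name is hypothetical.
PARENT = {"Finance": "Folders", "Payroll": "Finance", "Q1 Report": "Payroll"}
MEMBER_OF = {"alice": ["Finance Users", "Everyone"], "bob": ["Everyone"],
             "Finance Users": ["All Staff"], "Everyone": ["All Staff"]}
# (object, principal, right) -> (setting, applies_to_sub_objects)
ACL = {
    ("Folders", "All Staff", "view"): (GRANT, False),      # this object only
    ("Finance", "Finance Users", "view"): (GRANT, True),
    ("Finance", "Everyone", "edit"): (DENY, True),
    ("Payroll", "Finance Users", "edit"): (GRANT, True),
}

def principals(user):
    """Return the user plus every group reached through nested membership."""
    seen, stack = set(), [user]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, []))
    return seen

def contributing(user, obj, right, broken=frozenset()):
    """List the (object, principal, setting) entries that reach obj for user."""
    found, node, own = [], obj, True
    who = sorted(principals(user))
    while node is not None:
        for p in who:
            entry = ACL.get((node, p, right))
            if entry and (own or entry[1]):    # inherited only if it cascades
                found.append((node, p, entry[0]))
        if node in broken:                     # assumption: nothing above applies
            break
        node, own = PARENT.get(node), False
    return found

def effective(user, obj, right, broken=frozenset()):
    """Sum the entries: a denial always wins, then a grant, else no access."""
    settings = {s for _, _, s in contributing(user, obj, right, broken)}
    if DENY in settings:
        return "denied"
    return "granted" if GRANT in settings else "no access"

if __name__ == "__main__":
    for args in [("alice", "Q1 Report", "edit"), ("bob", "Q1 Report", "view")]:
        print(args, effective(*args), contributing(*args))
```

Passing `broken={"Payroll"}` turns alice's edit result on Q1 Report from denied to granted, which is the Mistake #6 situation: the denial set on Finance no longer reaches the subfolder.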

Okay, those are the basic elements of the Security Knowledge Framework.

What's next? In upcoming posts, I'll be discussing some common security mistakes. (Hint: Everyone Group, Top Level Folder rights, CMC Rights, Explicit Denials, Broken Inheritance.)

Thursday, May 8, 2014

New Case Study - Melbourne Water

Melbourne Water recently implemented the Object Manager module of the APOS Administrator solution.

APOS Administrator simplifies and automates:
  • Security management
  • Object management
  • Report scheduling
  • Instance management
  • Structured content promotion
  • Administrative user impersonation

Melbourne Water is a utility operated by the Victoria state government in Australia. It sees its mission to be "Enhancing life and livability with secure and reliable water services, desirable urban spaces and environments, and healthy waterways and bays."
They were facing numerous challenges with their SAP BusinessObjects deployment, including:
  • Consolidating numerous data sources
  • Updating Crystal Reports objects to the new consolidated data source
  • Implementing SAP BusinessObjects Data Services
  • Designing universes to facilitate adoption of Web Intelligence for self-serve BI
  • Creating an inventory of all reports in the system to enable cleanup
  • Simplifying and codifying BI platform administration processes

This case study documents how Melbourne Water used APOS Object Manager to address these challenges.
Read the case study...