
Wednesday, September 17, 2014

Webinar Alert: Healthcare & BI Platform Management

When: Thursday, Sept. 18, 2014 - 10 am, 4 pm EDT

BI in the Healthcare sector is growing rapidly in response to US healthcare reform, and healthcare organizations are looking for proactive ways to manage and administer the BI platform in the face of increasing volume, complexity and compliance considerations.

Join us for a discussion of the major challenges facing SAP BusinessObjects BI platform managers and administrators in the healthcare industry. This webinar will examine ways to increase your BI platform management agility to help you:
  • Master complexity in data sources and information consumer requirements
  • Manage compliance through greater system visibility and high-volume administration
  • Maintain credibility through reliable, secure, accurate and timely delivery of information

Please join us as we explore techniques and best practices for SAP BusinessObjects platform management in healthcare.

Wednesday, June 11, 2014

Common SAP BusinessObjects Security Mistakes - Miscellaneous

For information on using APOS solutions to help you bolster and manage security, visit our more recent series of security posts.

By Rick Epstein

This post concludes the list of the most common security mistakes begun in these earlier posts:
We end our discussion of common SAP BusinessObjects security mistakes with a couple of miscellaneous items.


Mistake #8: Allowing too many people to be able to see the SAP BusinessObjects License Key(s)
Allowing all administrators to see license keys is NOT a good practice. Only 1 or 2 people, plus your company's purchasing department, should have rights to see them.

Mistake #9: Applying security on an Active Directory group directly
The problem with applying security directly on an Active Directory group is that it moves security outside of the BI deployment, creating a very large potential for unintended consequences.
If there is an Active Directory server upgrade, or service pack, or other maintenance, Active Directory communication may be interrupted, and groups may be "reset". While such a reset doesn’t affect the Windows environments, it can have an adverse effect on SAP BusinessObjects Active Directory integration. For example, an Active Directory group mapped in SAP BusinessObjects may become "unreadable" by SAP BusinessObjects. When you re-import or re-map that Active Directory group, you would need to set up all permissions on that group all over again. A far easier and better solution is to make Active Directory groups part of SAP BusinessObjects Enterprise groups and have security assigned on those Enterprise groups only.

Are you aware of other common security mistakes, or do you have questions about what is written here? Use the Comments section for this post, or email me directly at repstein@resolvitinc.com.

In my next post, I'll look at "top-down methodology and best practices."

Thursday, May 29, 2014

Common SAP BusinessObjects Security Mistakes - Securing Content

For information on using APOS solutions to help you bolster and manage security, visit our more recent series of security posts.

By Rick Epstein
ResolvIT Inc.


This post continues the list of common security mistakes begun in my earlier post, Abuse of the Everyone Group.

Content is an asset. It has value for your organization, is frequently subject to regulatory compliance requirements, and can cause damage to your organization if it falls into the wrong hands. Securing content requires your utmost attention.

Mistake #4: Not securing all content within the CMC
You should be able to have confidence that any user logging in to the CMC can only see what you want them to see, and perform only those actions you want them to perform.

Mistake #5: Setting explicit denials
There may be a place for explicit denials somewhere in your security model, but as a rule, you should avoid them like the plague. They are just too difficult to document. Once you set explicit denials, undoing them can be difficult. It's very difficult to know what unintended consequences you've unleashed through the cascading effects of explicit denials.

Mistake #6: Breaking inheritance without a clear plan and good documentation of such
Once inheritance is broken, users will potentially have new rights which are not controllable from a higher folder and/or group level. An administrator would likely not be aware that this situation exists and would mistakenly think that content is secure. In other words, if a parent folder has subfolders and that parent folder has inheritance broken, the folder and its subfolders will have a set of permissions that are likely not consistent with all desired security settings, and certainly different from those on the folder levels above them.

Mistake #7: Not knowing who has rights to what content and what a user can do with that content
What if granular rights have been set? What if explicit denials have been used? What if inheritance has been broken? Any one or more of these leads to confusion and not only makes maintenance difficult but makes it nearly impossible to know who can see and do what. Ask yourself, "What is the summation of all rights for this user on this object?"

Are you aware of other common security mistakes, or do you have questions about what is written here? Use the Comments section for this post, or email me directly at repstein@resolvitinc.com.

More common mistakes in my next post.

Friday, May 16, 2014

Common SAP BusinessObjects Security Mistakes - Abuse of the Everyone Group

For information on using APOS solutions to help you bolster and manage security, visit our more recent series of security posts.

By Rick Epstein

This post starts a list of the most common security mistakes committed by uninitiated SAP BusinessObjects administrators. The world of BI security is ruled by the law of unintended consequences. What you don't know can hurt you.

The mistakes documented in these posts are not in rigid order of importance. However, you may regard the three listed in this first post as foundational to your security model. If you don't get these ones right, your security model will almost certainly cause you grief.

Mistake #1: Applying security on the Everyone group rather than setting the group to "No Access"
To avoid inappropriate (and not necessarily apparent) access to folders, applications, and content, you should always set the Everyone group to "No Access." If you want to apply a security setting to all users, then create a custom group and add the Everyone group to it. Setting the Everyone group to "No Access" is the foundation upon which you will build a good security model.

Mistake #2: Forgetting to apply "No Access" to the Everyone group on all Top-Level folders (Folders, Personal Folders, Universe Folders, Connection Folders, Categories, Personal Categories)

Missing any one of these Top-Level folders potentially allows users inappropriate access to other users’ content.

Mistake #3: Forgetting to apply "No Access" to the Everyone group on all applications
Missing any application may allow users to have inappropriate access and permissions with regard to applications.

Are you aware of other common security mistakes, or do you have questions about what is written here? Use the Comments section for this post, or email me directly at repstein@resolvitinc.com.

More common mistakes in my next post.

Monday, May 12, 2014

SAP BusinessObjects Security - Rights Assignment

For information on using APOS solutions to help you bolster and manage security, visit our more recent series of security posts.

By Rick Epstein

As I mentioned in my previous post, access levels are applied to users and groups. By contrast, there are three SAP BusinessObjects security settings that apply at the granular rights level.
  • No Access: Does not allow the right by default, but can be overridden by an explicit grant or an explicit denial
  • Explicit Denial: Does not allow the right on an object and cannot be overridden
  • Explicit Grant: Allows the right on the object and can be overridden

There is another setting that is available for each right that is assigned: the Apply on This Object or All Sub-Objects setting. By default, a right assignment is applied to all sub-objects. Sub-objects can be sub folders or reports, categories, universes, or connections under the folder on which a right is applied. Assigning the right only to this object (not sub-objects) will prevent the right from cascading/inheriting down.

Okay, those are the basic elements of the Security Knowledge Framework.

What's next? In upcoming posts, I'll be discussing some common security mistakes. (Hint: Everyone Group, Top-Level Folder rights, CMC rights, Explicit Denials, Broken Inheritance.)

Wednesday, April 30, 2014

SAP BusinessObjects Security - Access Levels


For information on using APOS solutions to help you bolster and manage security, visit our more recent series of security posts.

By Rick Epstein


An access level is a set of permissions that apply to a user or group concerning an object such as a folder or report. SAP BusinessObjects lets you create custom access levels -- something I will write about in a future post -- but for now, let's restrict ourselves to the five pre-defined Access Levels in SAP BusinessObjects:
  • View: Can see the object and view instances of reports
  • View on Demand: Inherits rights of the View Access level and can run reports in real time
  • Schedule: Inherits rights of the View On Demand Access level and can schedule reports
  • Full Control (owner): Inherits rights of the Schedule Access level and can add, copy, delete content if the user is also the owner
  • Full Control: Inherits rights of the Schedule Access level and can add, copy, and delete content regardless of the content's owner

Nothing too controversial there, but it does open up the topic of inheritance, a topic which will be important in all that follows, and which may be the source of many unintended consequences. So let's be clear about what we mean by inheritance:
  • Inheritance: Getting the rights of the parent group(s) and/or parent folder(s)

Access levels apply to users and groups. My next post will deal with rights settings, which are assigned at the object level.
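To make the access levels and inheritance rule in this post, and the No Access / Explicit Grant / Explicit Denial settings and "Apply on This Object or All Sub-Objects" flag from the Rights Assignment post above, concrete, here is a small Python model that resolves a user's effective rights on a folder from group membership and the parent-folder chain. It is an added example, not the BI platform SDK or the author's code, and the folder, group and user names it is used with are constructed.

```python
from collections import defaultdict

NO_ACCESS, GRANT, DENY = "No Access", "Explicit Grant", "Explicit Denial"

# Pre-defined access levels, each inheriting the rights of the level before it.
ACCESS_LEVELS = {"View": {"view"}}
ACCESS_LEVELS["View on Demand"] = ACCESS_LEVELS["View"] | {"refresh"}
ACCESS_LEVELS["Schedule"] = ACCESS_LEVELS["View on Demand"] | {"schedule"}
ACCESS_LEVELS["Full Control"] = ACCESS_LEVELS["Schedule"] | {"add", "copy", "delete"}


class Deployment:
    def __init__(self):
        self.parent = {}                      # folder -> parent folder (None at top level)
        self.member_of = defaultdict(set)     # user or group -> groups it belongs to
        self.assignments = defaultdict(list)  # folder -> [(principal, right, setting, cascade)]

    def add_folder(self, name, parent=None):
        self.parent[name] = parent

    def add_member(self, principal, group):   # every user is implicitly in Everyone
        self.member_of[principal].add(group)

    def assign(self, folder, principal, right, setting=GRANT, cascade=True):
        # cascade=False models "Apply on This Object" only: the right is not inherited downward
        self.assignments[folder].append((principal, right, setting, cascade))

    def assign_level(self, folder, principal, level, setting=GRANT, cascade=True):
        for right in sorted(ACCESS_LEVELS[level]):
            self.assign(folder, principal, right, setting, cascade)

    def effective_rights(self, user, folder):
        """Answer 'what is the summation of all rights for this user on this object?'"""
        principals, todo = {"Everyone"}, [user]   # the user plus its groups, transitively
        while todo:
            p = todo.pop()
            if p not in principals:
                principals.add(p)
                todo.extend(self.member_of[p])
        granted, denied = set(), set()
        node, inherited = folder, False           # walk up the parent-folder chain
        while node is not None:
            for principal, right, setting, cascade in self.assignments[node]:
                if principal not in principals or (inherited and not cascade):
                    continue
                if setting == DENY:
                    denied.add(right)
                elif setting == GRANT:              # No Access neither grants nor denies
                    granted.add(right)
            node, inherited = self.parent[node], True
        return granted - denied                   # an explicit denial is never overridden
```

Running it with Everyone set to No Access on the top-level folder and a Schedule grant on an Enterprise group shows why an explicit denial placed high in the tree cannot be undone by a grant below it, and why a right applied to "this object only" stops at that folder.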

Monday, April 28, 2014

Security Knowledge Framework

By Rick Epstein


For information on using APOS solutions to help you bolster and manage security, visit our more recent series of security posts.

It is always difficult to dive into a topic that is both very large and very granular in nature. SAP BusinessObjects security is just such a topic. Where do we start?
Experienced administrators will have a good grasp on the basics of security administration, and will want to get granular very quickly. Those who are just coming to the topic of SAP BusinessObjects security, or who are not hands-on administrators, but need a better understanding of security to ensure corporate data governance objectives are being met, will benefit from more high-level discussion.

Well, as they say, you can't please everyone.

At the risk of alienating some security veterans, I'm going to start at the 30,000-foot level, just so we can all get onto the same page as quickly as possible. If we're going to have a meaningful conversation about security, we first have to make sure we're all speaking the same language. I promise we will get granular quickly, with tips and tricks that both veterans and beginners will be able to appreciate.

To start, let's establish a frame of reference -- a Security Knowledge Framework.

What is the Security Knowledge Framework? It is the collection of concepts and definitions that you need to understand to implement and manage an efficient and effective security model in SAP BusinessObjects. It helps you establish your security requirements and develop your security model.

At its most basic, security is about access -- ensuring that the appropriate people have access to the appropriate information. But the converse is equally important -- ensuring that sensitive information does not fall into inappropriate hands. Access is all-important, so my next post will examine access levels in SAP BusinessObjects.

Monday, April 21, 2014

Security Blogging with Rick Epstein

For information on using APOS solutions to help you bolster and manage security, visit our more recent series of security posts.

SAP BusinessObjects Security expert Rick Epstein of ResolvIT Inc. recently co-hosted a webinar with APOS concerning Security Architecture & Management in SAP BI 4. (View the recorded webinar.) The webinar touched on many areas of SAP BusinessObjects security, including security model design and migration, data governance, and regulatory compliance. Rick will be following up on that very well-received webinar with a series of security-related guest posts on this blog.

Rick's professional focus is on SAP BusinessObjects security, report and universe design, process streamlining and data consolidation -- all with the objective of helping organizations establish their SAP BusinessObjects deployment as the single source of truth for operational excellence and efficient planning. He has implemented SAP BusinessObjects security models in numerous industries, including healthcare, aerospace and defense, and manufacturing.



Why You Need to Focus on Security

Those of you who attended the webinar, or watched the recorded webinar, will know that we started out with an overview of how growing BI volume and complexity have made the work of BI platform managers and administrators much more difficult. BI volume and complexity raise many issues for system analysis, administration, storage, query management and publishing, but none is more important than ensuring that the right people -- and only the right people -- have access to appropriate information within your system.

With the increasing emphasis on mobile and self-serve BI, the roles of BI platform managers and administrators will become even more demanding. If you are one of these people, the security of your BI platform has to be very high on your list of concerns.

Our first focus is generally on the accessibility of data -- getting our data into data warehouses, moving our reports between environments, bursting reports to a wide variety of information consumers, etc. We spend so much time getting these things right that we may not fully consider what can go wrong. Worse still, we may not know something can go wrong until it does. Bringing resources to bear on the issue of security is part of the solution. The other, equally important, parts are knowledge and experience.



Topics for Discussion

Rick will start his series of blog posts by taking a deeper look at the Security Knowledge Framework. What is the Security Knowledge Framework? It is the collection of concepts and definitions that you need to understand to implement and manage an efficient and effective security model in SAP BusinessObjects. It helps you establish your security requirements and develop your security model. The first order of business is to make sure we're speaking the same language.

Future entries will drill down into areas such as:
  • Security model design and implementation
  • Security model migration
  • Security assessment
  • Regulatory compliance
  • Data governance

Do you have a specific security-related question? Contact Rick Epstein at repstein@resolvitinc.com