The security editor is the out-of-the box solution provided by SAP to handle security in Universes. I explain how to create data security profiles related to connection, table, SQL parameters, and row-level security. Then, I explain how to create business security profiles related to folders, objects, filters, and so on. Finally, I discuss the importance of having a security matrix in place before implementing Universe security and I provide a sample that can be used as your template.
|Published (Last):||22 December 2017|
|PDF File Size:||18.92 Mb|
|ePub File Size:||19.14 Mb|
|Price:||Free* [*Free Regsitration Required]|
The security editor is the out-of-the box solution provided by SAP to handle security in Universes. I explain how to create data security profiles related to connection, table, SQL parameters, and row-level security.
Then, I explain how to create business security profiles related to folders, objects, filters, and so on. Finally, I discuss the importance of having a security matrix in place before implementing Universe security and I provide a sample that can be used as your template. In this article, I focus on the first approach, using the Information Design Tool security editor to implement Universe-level security.
Configuring Security in SAP BusinessObjects Universes Using the Security Editor Before I go into detail about using the security editor inside the Information Design Tool to implement security in Universes, you need to know that there are two options for adopting security models, as follows: Allow everyone by default to see everything, and just restrict access to a set of specific users by applying restrictions or security rules that affect only them.
Deny everyone access by default, and give access to only specific sets of users based on the type of data that they can access. This means that, by default, all users have access to all objects e.
In addition, everyone can see all the data generated from report queries based on this Universe, unless a security rule or restriction is created and assigned to those users. These security rules or restrictions are known as security profiles and can be assigned to a specific user or a set of users user group to restrict their access. Security profiles are a set of rules or restrictions related to data, connections, objects, or SQL limitations. There are two types of security profiles: data security and business security profiles.
Data security profiles are designed to secure data-connection or data-foundation resources inside a Universe. The Data Foundation Layer is the Universe layer that is used to design a physical model. Data security profiles aim to restrict access to database-related entities schemas, tables, views, or data that are maintained inside the Data Foundation Layer.
The Business Layer of the Universe is where the physical model is translated into business terms. The main goal of this layer is to hide any technical details like database table names, columns, joins, and so on, and to provide information in business terms that business people can understand and deal with.
The Business Layer, at the end, is a list of dimensions, measures, and attributes as well as some pre-defined filters and common business rules. Business security profiles are used to secure Business Layer resources in a Universe.
They restrict access based on specific business rules, conditions, and filters. Applying Security to Universes There are five key steps to applying security to a Universe: Log in to the repository.
Select a Universe. Create a new security profile. Assign the new security profile to users or groups of users. Test the restriction rules inside the security profile. The first step for creating a new security profile is to log in to the repository and establish a new SAP BusinessObjects server session. Select a Universe and then you can start creating your new security profile. Note that one security profile can have many restriction rules from the same type of restriction—one type—but not from any other type.
If you want to create restrictions for a business rule, you need to create a separate profile for storing business rules. In the screen that opens Figure 1 click the security editor icon to open it. Then you can assign this profile to users or groups of users in the right panel. Finally, you can change the Data Security Profile Options in the bottom. The main purpose of this screen is to show which users and groups of users are assigned to which specific security profiles.
This is used to display a list of Security Profiles assigned to a specific user or groups of users. First, select a user or a group in the left pane. Then the list of assigned security profiles is displayed on the right. Lists of the selected users or groups of users who are assigned security profiles data as well as business related to the selected Universe are displayed in the two bottom panels. In the next section, I show how to create data and business security profiles.
Creating Data Security Profiles Data security profiles are sets of rules and restrictions related to data. Usually they are based on data foundation resources. The Data Foundation Layer is one of the main three Universe resources that mainly focus on the physical data model represented by tables and joins.
This opens the screen shown in Figure 4. Figure 4 Open the data security profile to define it As you can see, there are five main categories tabs for defining data-restriction rules: Connections, Controls, SQL, Rows, and Tables. Defining Connection Rules In the Connections tab you can override the default connection used by the assigned user to connect to the Universe.
To achieve this, you need to create a security profile and assign it to the Universe tester user to restrict the access to the user acceptance testing UAT database. Then click the Edit button. This opens the Define Replacement Connection window Figure 5. You should receive a pop-up message that states that the new NorthWind UAT Database data security profile is successfully created not shown. Only the list of secured published connections is displayed in the Define Replacement Connection window, and this is only applicable for relational connections.
Once you receive the success message, the new definition for the NorthWind UAT data security profile is added to the Connections tab options, as shown in Figure 6. Figure 6 The new NorthWind UAT data security profile is added to the connections options The next step is to assign this new security profile to the Administrator user. Select the Administrator user from the right panel. Click the left arrow to assign this security profile for this user. After assigning this security profile to the Administrator user, he or she can display data retrieved from the UAT database instead of the production database when opening any report or BI document based on this Universe.
This happens at run time and it only affects users or groups who are assigned to this security profile. You can define a replacement connection for each connection specified in a Multi-Source Universe. In this example, you want to give a priority to BI and analytics reports, and limit the operational data inquires to a maximum of 10, rows or a minute-limited execution time.
To apply these restrictions, you can use a controls data security profile. Simply follow these steps and make these entries. Create a new data security profile under the NorthWind Universe by following the same steps outlined previously in the Defining Connections Rules section, but this time navigate to the Controls tab instead of Connections.
Figure 8 Define a new control data security profile 3. Make sure the Controls tab is selected, and in the screen at the bottom of Figure 8, make the following settings: Limit size of result set to: Select the check box and change the number to 10, rows Limit execution time to: Select the check box and set the number to 10 minutes Warn if cost estimate exceeds: Select the check box and set the number to 5 minutes Note that the control settings can be configured for the Universe under the Data Foundation Layer.
The values that are input here data security profile controls override the default settings that have been configured on the Universe Data Foundation Layer level. In this case, the new settings are displayed in bold as Limit size of result set to rows is in Figure 8 , while the other options Limit Execution Time to and Warn if cost estimates exceeds are not.
This is because they are not changed—they are the same value as configured on the Universe data foundation level. Defining SQL Rules Under the SQL tab Figure 9 , you can make the settings to allow or disallow the end user to use some SQL features such as: Subqueries Union, intersect, and minus operators Complex operands in the query panel Figure 9 Define a new data security profile based on SQL settings These SQL features are divided into three main categories: Query: Here you can control the query options, such as subqueries, set operations union, intersect, and minus operators , and complex operands.
Cartesian Products: Here you can allow or disallow Cartesian product. Cartesian product takes place if you are trying to query two un-joined tables. In this case, the database engine produces all the possible row combinations that impact performance.
This usually happens because the Universe designer forgets to join tables or when a business user tries to build an unrealistic query to retrieve data from two different, unrelated tables. The rules settings that you make here also override the default SQL options defined in the Universe for the assigned user only.
Defining Row Rules The Rows tab is used to restrict the data retrieved as per as the assigned user. To do this, follow these steps: 1.
Create a new data security profile under the NorthWind Universe by following the same steps outlined previously. Figure 10 Go to the Rows tab and click the Insert button 3.
Figure 11 Define the restrictions for rows 4. In the Table field, select Orders from the drop-down options. This action opens the screen in Figure 12, where you can see the restricted table in the Rows tab. Now, this profile adds the defined WHERE Clause to any query generated by the assigned user, but only if the user selects from the Orders table. Click the OK button to save your settings. Multiple row restrictions can be defined in the same data security profile.
This is because then they can edit the generated query and remove the WHERE clause line defined in this restriction from the SQL query generated by the report. Build a security matrix first to avoid assigning two contradicting profiles to the same user or user group. If you applied both of them to the same user or user group, then the end user will not get any records. You can select a table from one of the connections defined with the Universe or another table from the data foundation resource.
The first one contains the publicly published figures while the second one contains the actual proprietary , confidential figures. You want all users to have view access to the published figures, but you want only users in the executive user group to see the confidential information as well. In this case, you want to use the publicly published finance data table in your Universe. In addition, you need to create a data profile to switch this table at run time if any user from the executive group tries to access this table so that they can see the confidential data as well.
Figure 13 Define a new data security profile table 3. Click the Insert button and in the screen that opens Figure 14 define the original table Customers that you want to replace in the Original Table field. Then define the replacement Qualifier and Table for the original table in the replacement area. Finally, click the OK button to save and close this window. Figure 14 Define the new replacement table Understanding the Business Security Profiles Business security profiles are sets of rules and restrictions related to the Business Layer of your Universe.
The main purpose of this type of profile is to restrict or grant access to folders and objects inside the Business Layer to the right users. There are three main categories of security rules inside this type of security profile: Create query.
Universe Contexts in a Nutshell
With Universe Designer, you can build data foundation and business layer to meet your BI report requirements and perform different functions available in UDT tool before you develop BI reports and dashboards on top of these Universes. Universe Designer helps you to create semantic layer between your Relational database and BI tool. The benefits of using Universe for BI reporting is that end users can connect to Universe and run queries against database without understanding the complexity of underlying data structures. BI users can use objects used in Universe to create reports. The advantage of using Universe is to provide easy to use interface to business users which are non-technical, and they can simply drag objects to BI reports and perform ad-hoc reporting without any technical knowledge.
What is a Business Objects Universe?
March 13, What is a Business Objects Universe? It allows the user to interact with their data without having to know the complexities of their database or where the data is stored. The universe is created using familiar business terminology to describe the business environment and allows the user to retrieve exactly the data that interests them. A universe contains: A connection parameter to a single data structure.
Universe Designer -Table Browser does not show all the tables in dbo schema