Business Objects Xir2 Security Concept


  1. BOE Xir2 security concepts
  2. Synopsis
     1. BO5 or BO6 security concepts
     2. BOE Xir2 new security concepts
     3. Comparison. Examples
     4. Migration: A double challenge
     5. Our approach: 360view toolset
  4. BO5 or BO6 security: Concepts
     • Security definition: User rights = links between actors (user or group) and universes - universe overloads, documents, applications - security commands, domains, stored procedures.
     • Supervisor: « User centric » security vision.
     • « User centric » security implementation: Publications, assignments.
     • Group inheritance: Nearest value selected.
     • A user can belong to more than one group: User instances.
     • Only three ways to implement security. Easy to administer.
  5. BO5 or BO6 security: Effective rights
     • Effective rights (user real rights) = explicit rights aggregation.
     • Possible explicit values:
       • Granted (OK): Right is given.
       • Denied or hidden (KO): Right is denied.
       • Not specified (NS): No right.
     • (*) Rights also depend on domain rights.
     Nota: « NS » means not specified.
     OK KO OK KO OK KO Universes (*) OK KO OK KO OK KO Documents (*) OK KO OK KO OK KO Domains OK KO OK KO OK KO Stored procedures KO KO OK KO OK OK Security commands OK OK + NS OK KO + NS OK KO OK OK Applications OK + KO KO OK NS
  7. BOE Xir2 security concepts: Folders
     • Under BOE Xir2, universes and documents (objects) are stored in folders (previously they were stored in the repository database). Folders are like domains under Business Objects.
     • Unlimited folders tree for documents and universes. Objects can be stored in one folder only.
     [Figure: Objects folders tree (documents and universes)]
  8. BOE Xir2 security concepts: Groups - Users
     • The group structure is no longer a classic tree with a root group as under BO5 or BO6: A group can belong to more than one group. A kind of acyclic graph.
     • A user can belong to more than one group.
     [Figure: group graph with the labels Sales, US sales, Purchasing, George, Deski group]
  9. BOE Xir2 security concepts: Concepts
     • Security management under the CMC.
     • CMC: « Object centric » security vision.
     • « Object centric » security implementation: Assignments.
     • Universe overloads are now managed under Designer (« object centric »).
     • Double inheritance security: Group and folder inheritance.
  10. Double inheritance example
     • George could access all documents of the folder « French sales » due to the double inheritance of the right given between his ancestor group « Worldwide sales » and the parent folder « Sales ».
     [Figure: Worldwide sales > US Sales > George. The Worldwide sales group had an explicit right on the Sales folder.]
  11. Double inheritance implementation
     [Figure: right creation between the « Sales » folder and the « Worldwide sales » group]
  12. BOE Xir2 security concepts: Rights
     • Assigning an object gives rights to a user or a group, stored like an ACL (Access Control List).
     • Possible explicit values:
       • Explicitly granted (OK): User or group is given the right.
       • Explicitly denied (KO): User or group is denied the right.
       • Not specified (NS): No right assignment.
     • Explicit rights override inherited rights.
     • New descending right rule to respect (group or folder): Descending explicit rights must be weaker than or equal to the ascending ones.
  13. BOE Xir2 security concepts: Effective rights
     • Effective rights (user real rights) = explicit rights aggregation.
     • Aggregation rules are easier in BOE Xir2, because they are object independent.
     • But different (opposite) compared with BO5 or BO6 !!!
     • « NS » can be used widely because it has no effect on the effective rights calculation. Used with « OK » or « KO », it is transparent.
     • Caution: A single « NS » is equivalent to a « KO ».
     Nota: « NS » means not specified.

     Explicit rights   OK + KO   KO   OK   NS   KO + NS   OK + NS
     Xir2 objects      KO        KO   OK   KO   KO        OK
  14. BOE Xir2 security concepts: Granularity 1/2
     • Under BO5 or BO6, security commands were attached to applications (minimum value retained).
     • Under BOE Xir2, security commands are divided in two:
       • Security Commands still attached to applications, thus no granularity (same minimum rule).
       • Security Commands now attached to folders and/or objects, and thus granularity possible.
  15. BOE Xir2 security concepts: Granularity 2/2
  17. Example 1/3: Rights comparison
     • BOE Xir2 effective rights (user real rights):

       Explicit rights   OK + KO   KO   OK   NS   KO + NS   OK + NS
       Xir2 objects      KO        KO   OK   KO   KO        OK

     • BO5 or BO6 effective rights (user real rights):

       Explicit rights   OK + KO   KO   OK   NS   KO + NS   OK + NS
       universe          OK        KO   OK   KO   KO        OK

     Nota: « NS » means not specified.
     In version 5.x or 6.x you could deny a user access to a universe in one group and allow him/her in another group. In Xi, not even an ‘explicitly granted’ (OK) will overrule an ‘explicitly denied’ (KO). Moral: Use the ‘explicitly denied’ right wisely.
  18. Example 2/3: Current BO vision
     • Under the Supervisor: Rights vision and assignment to a user or a group.
     • No « object centric » vision like: Which users can create a report on this universe?
  19. Example 3/3: BOE Xir2 vision
     • In BOE Xir2, reversed effective right implementation.
     • In the CMC, rights visualisation and assignment for an object or a folder.
     • In the CMC, no « user centric » vision like: Which objects can a user access? It’s now possible to see « user centric » effective and explicit rights using the Security Viewer.
     [Figure: Rights, with the labels Audit group (maybe a new group), Georges, Cedric, form3]
  20. BO and BOE security comparison 1/2
     • BO5 or BO6 security vision and assignment are « user centric » and not « object centric ».
     • Conversely, BOE Xir2 security vision and assignment are « object centric » and not « user centric ».
     • Aggregation rules are harder in BO5 or BO6, because of object dependency.
     • Aggregation rules are easier in BOE Xir2, because they are object independent.
     • Objects are stored under a folders tree in BOE Xir2.
     • Centralised security management in the Supervisor in BO5 or BO6. Managed in CMC and Designer in BOE Xir2.
  21. BO and BOE security comparison 2/2
     • In BOE Xir2, don’t work with a closed system of decreasing rights.
     • Granularity is possible on some security commands in BOE Xir2, not in BO5 or BO6.
     • Only three ways to implement security under BO5 or BO6.
     • More than three hundred ways to implement security under BOE Xir2.
     • Conclusion and official BO migration practice: Redefine your security manually under BOE Xir2.
  23. Migration objectives: Reminder
     • Main objective: Transparent technical migration for end-users.
     • For a given end-user: Same user rights and restrictions.
     • Except new functionalities (granularity) and possible cleansing.
     • Difficulties:
       • Manual mapping of existing security: User access rights (universes, documents, domains) and restrictions (universe overloads and security commands). Manual calculation of effective rights.
       • Manual inversion of the security dynamic map (effective rights inversion).
     • Post migration risks:
       • Non-visibility of user access rights errors: Only correctable through user feedback.
       • Restriction errors: Non-visible side effects!
  24. BOE Xir2 security migration: Double challenge
     • BOE Xir2 main evolution: Security management. Double challenge of security migration:
     • Challenge 1: Manage the repository post migration, whilst limiting administration load and offering an optimum quality of service to end-users.
     • Challenge 2: Migrate current security: Manual redefinition of security with the CMC and Designer.
     • Extra tasks compared to the preceding migrations.
  25. Challenge 1: Define a security model
     • Define a « security conceptual model » allowing the easiest administration.
     • Make a dynamic map of your current deployment: Groups and folders structure definition. Look for matrices like documents / groups, groups / categories …
     • Rewrite all administration processes: Documents and universes management between environments, user rights definition.
     • Essential security conceptual model documentation.
  26. Challenge 2: Things to do pre-migration
     • Essential preparation of migration data. Technical and functional preparation. Audit and cascading cleansing.
     • Work with end-user teams throughout the project.
     • Migrate necessary objects only. Direct impact on migration tasks (documents and universes) and on security redefinition. The less you migrate (actors, objects and rights), the faster and cheaper the migration will be.
     • Delete all inconsistencies to deduce universes, categories assignments… Documents assignment is the master.
  27. Challenge 2: Security migration - Alternatives
     • « User centric » BO5 or BO6 vision. « Object centric » security assignments in BOE Xir2.
     • Manual re-definition of effective security with the CMC and Designer.
     • Manual security dynamic map to define rules and regrouping. Expensive and risky tasks. Errors need to be corrected after migration in the CMC and Designer.
     • Using a security dynamic map toolset that makes it possible to reverse current security, to have an « object centric » vision and to prepare data to migrate.
     • Using a toolset that gives an accurate security dynamic map. Thus no related post migration effects to correct in CMC. Guaranteed cost saving.
  28. Case study
     • Context: Repository with 1000 users, 500 corporate documents, 60 universes, complex security (universe overloads).
     • Option 1: Manual migration.
       • Cost: 100 days.
       • Estimated error risk: 10%.
       • Post migration assistance and estimated corrections: 25 days.
       • Time and resource consuming.
     • Option 2: Using 360view universes.
       • Reducing costs and length of migration project (40%): Cost 60 days.
       • Mapping 100% accurate => No more overlapping effects (cost and end-user satisfaction).
       • Involvement of your application management team in the project: Providing them with an easy-to-use toolset.
       • Better preparation of migration data: Users and objects global audit and cleaning.
       • + ROI on current deployment (administration).
  30. Solution for security migration
     • 360view Solution description:
       • Universes on BO’s repository (security domain).
       • Reports permitting current security dynamic mapping.
       • 360view Solution is complementary with Auditor.
       • Easy to deploy and use.
       • Permits inheritance (at the heart of the security model).
       • Three modules: Audit, Cleaning and Dynamic map.
       • Audit: Makes it possible to run a complete audit of deployed security, such as useful assignments and useless ones not to be reproduced under Xi.
       • Cleaning: Makes it possible to reduce the number of objects (universes, documents ...), rights and actors to migrate.
       • Dynamic map: All rights and rights overloads to be redefined under the CMC (object centric point of view): universes, universe connections, universe overloads, stored procedures, documents, categories, applications and security commands. Facilitates the definition of the security matrices to be implemented in Xir2.
  31. 360view solution benefits
     • Solution benefits for security migration projects to BOE Xir2:
       • Easier
         - Buy-in from end-users by providing them with an easy to use tool in their current environment.
         - Enabling a complete re-think of their security.
         - Easier administration of current environment.
       • Faster
         - No manual mapping of current deployed security.
       • Cheaper
         - Reduced manpower and length of migration projects.
         - Optimise data for migration: Direct impact on project costs (tests and security matrices).
       • Safer
         - Security mapping 100% accurate.
         - Limited assistance needed post migration.
         - Avoid rejection of the migration.
         - Possible comparison with ‘security viewer’ csv export.
     • The use of the 360view solution is recommended by Business Objects: Official partnership with the French Business Objects consulting department.
  32. Approach and requirements
     • Standard service:
       • Toolset installation and customisation and mapping of current security environment.
       • Knowledge transfer of Business Objects security management from version 5 or 6 to new target version. Xir2 security tips and tricks.
       • Actors, objects and rights cleaning and audit in the current repository: Preparation of data to be migrated.
       • Creation of a report set listing all exact rights and rights overloads to be redefined in BOE Xir2 between objects (documents, categories, universes, connections, overloads …) and groups.
       • Estimated 2 to 10 days of consulting intervention, depending on size of the environment.
     • Requirements:
       • V5 or v6 BO repository.
       • Oracle, SQL Server, Sybase, Informix or DB2 BO repository.
       • Internal champion/sponsor of migration project.
  33. About us
     • In the Business Objects world since 1998.
     • Main Projects in Europe and AsiaPac:
       • Total: BO3 – BO4 and BO4 – BO5 migrations.
       • Rhodia.
       • France Telecom: BO5 – BO6 migration.
       • Mars - Masterfoods (BOE Xi beta-tests): BO5 – BO6 migration.
       • Air France (BOE Xir2 beta-tests): BO5 to BOE Xir2 migration study.
       • HBOSA.
       • Various presentations on security management and security migration to BOE Xir2 challenges:
         • BO user group.
         • Xir2 beta-testers.
         • Online Forums.
  34. Contacts
     • Christophe Mallet, Tel: +61 (0)424 961 998, [email_address], http://www.businessintelligentsia.com
     • Sebastien Goiffon, Tel: +33 (0)660 822 440, [email_address], http://www.goiffon.biz
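
The aggregation rules from the effective-rights slides (13 and 17) and the double inheritance case from slide 10, as an added Python example that is not part of the original deck or of any Business Objects tool. It is a simplified model: it flattens every explicit right found along the group path and the folder path and does not model explicit rights overriding inherited ones; the document name `q1_report` and all function names are hypothetical.

```python
# Added example: simplified model of the rules stated on the slides,
# not Business Objects code. All names below are hypothetical.
OK, KO, NS = "OK", "KO", "NS"

def aggregate_xir2(rights):
    """Xir2 objects: any KO wins, NS is transparent, NS alone means denied."""
    if KO in rights:
        return KO
    return OK if OK in rights else KO

def aggregate_bo5_universe(rights):
    """BO5/BO6 universe row: one OK outweighs a KO; NS alone means denied."""
    return OK if OK in rights else KO

def ancestors(node, parents):
    """Return node plus everything above it. `parents` maps a node to a list
    of parents, so it fits the folder tree and the Xir2 group graph alike."""
    seen, stack = [], [node]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.append(current)
            stack.extend(parents.get(current, []))
    return seen

def collected_rights(user, obj, acl, group_parents, folder_parents):
    """Double inheritance: explicit rights for every (principal, container)
    pair along the group path and the folder path; unset pairs count as NS."""
    return [acl.get((principal, container), NS)
            for principal in ancestors(user, group_parents)
            for container in ancestors(obj, folder_parents)]

# Constructed sample following slide 10; "q1_report" is a made-up document.
GROUPS = {"George": ["US Sales"], "US Sales": ["Worldwide sales"]}
FOLDERS = {"q1_report": ["French sales"], "French sales": ["Sales"]}
ACL = {("Worldwide sales", "Sales"): OK}

def effective_xir2(user, obj, acl=ACL):
    return aggregate_xir2(collected_rights(user, obj, acl, GROUPS, FOLDERS))

def migration_divergences(explicit_sets):
    """Sets of explicit rights whose outcome flips between BO5/BO6 and Xir2."""
    return [s for s in explicit_sets
            if aggregate_bo5_universe(s) != aggregate_xir2(s)]

if __name__ == "__main__":
    combos = [[OK, KO], [KO], [OK], [NS], [KO, NS], [OK, NS]]
    print(effective_xir2("George", "q1_report"))   # inherited grant
    print(migration_divergences(combos))           # only OK + KO flips
```

Running `migration_divergences` over the explicit rights exported from a BO5 or BO6 repository lists the users whose access would silently change after migration, which is the post-migration risk the deck describes.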
