Xir2 security
concepts and migration
1 BO5 or BO6 security concepts
2 BOE Xir2 new security concepts
3 Comparison. Examples
4 Migration: A double challenge
5 O...
1 BO5 or BO6 security concepts
2 BOE Xir2 new security concepts
3 Comparison. Examples
4 Migration: A double challenge
5 O...
• Security definition: User rights and restrictions = links between actors ( user or
group ) and universes – universe over...
BO5 or BO6 security:
Effective rights
• Effective rights (user real rights) = explicit rights aggregation.
• Possible expl...
1 BO5 or BO6 security concepts
2 BOE Xi R2 security concepts
3 Comparison. Examples
4 Migration: A double challenge
5 Our ...
BOE Xir2 security concepts:
Folders
• Under BOE Xir2, universes and documents (objects) are stored in folders (before
they...
BOE Xir2 security concepts:
Groups-Users
• Group structure is no longer a classic tree like under BO5 or BO6 with a root
g...
BOE Xir2 security concepts:
Concepts
• Security management under the CMC.
• CMC: « Object centric » security vision.
• Sec...
Double inheritance example
Worldwide sales
USA sales
George
Worldwide sales group
has an explicit right on
Sales folder
• ...
Double inheritance implementation
« Sales » folder Right assignment
« Worldwilde sales » group
BOE Xir2 security concepts: Rights
• Assign an object gives rights to a user or a group stored like an ACL (Access
Control...
BOE Xir2 security concepts:
Effective Rights
• Effective rights (user real rights) = explicit rights aggregation.
• Aggreg...
BOE Xir2 security concepts:
Granularity 1/2
• Under BO5 or BO6 security commands were attached to applications
(minimum va...
BOE Xir2 security concepts:
Granularity 2/2
1 BO5 or BO6 security concepts
2 BOE Xir2 new security concepts
3 Comparison. Examples
4 Migration: A double challenge
5 O...
Example: 1/3 Rights comparison
BOE Xir2 effective rights (user real rights):
BO5 or BO6 effective rights (user real rights...
Example: 2/3 Current BO vision
• Under the Supervisor: Rights vision and assignment to a user or a group.
• No « object ce...
Example: 3/3 Xir2 vision
• In BOE Xir2, reversed effective right implementation.
• In the CMC, rights visualisation and as...
BO and BOE security comparison 1/2
• BO5 or BO6 security vision and assignment « user centric » and not
« object centric »...
BO and BOE security comparison 2/2
• In BOE Xir2, don’t work with a locked system of increasing rights.
• Granularity is p...
BOE Xir2 security tips and tricks to
enjoy long-term benefits 1/2
Remodel your security when migrating from BO5 or BO6 to...
BOE Xir2 security tips and tricks to
enjoy long-term benefits 2/2
Use an open system of decreasing rights. (to navigate t...
1 BO5 or BO6 security concepts
2 BOE Xir2 new security concepts
3 Comparison. Examples
4 Migration: A double challenge
5 O...
BOE Xir2 security migration:
Double challenge
• BOE Xir2 main evolution: Security management. Double challenge of
security...
Challenge 1: define a security model
• Define a « security conceptual model » allowing easiest administration.
• Making a ...
Challenge 2: Things to do pre-migration
• Essential preparation of migration data. Technical and functional preparation.
A...
Migration objectives: Recalls
• Main objective: Transparent technical migration for end-users.
• For a given end-user: Sam...
Challenge 2: Security migration -
Alternatives - Risks
• « User centric » BO5 or BO6 vision. « Object centric » security a...
1 BO5 or BO6 security concepts
2 BOE Xir2 new security concepts
3 Comparison. Examples
4 Migration: A double challenge
5 O...
• Solutions for SAP BO administration & migration
• Supporting XIR2, XI3, BI4.0 and BI4.1
• Almost 400 customers worldwide:
360suite: Top ten features
1. Manage security using web matrices
2. Document (Excel export) your CMS (security matrices, g...
• User friendly web interface
to manage Xi security.
• Document your deployed
security.
• Audit and clean
your CMS.
• Backup, version and
restore content.
• Drag and drop objects
between CMS or
schedule migrations.
• Compare SAP Business ...
• Schedule SAP Business Objects reports from an Excel, CSV spreadsheet
or a SQL query.
• Dynamic scheduling and bursting:
...
• Load all your SAP Business Objects data within a data warehouse.
• Query and analyze these data using BO universes and W...
• Compare your SAP Business
Objects license pool with the
licenses you have deployed.
• License compliance is just a
mouse...
• SAP BusinessObjects custom
portals. Infoview or BI Launch
Pad substitution
• Fully integrated within intranet
BI4 Migration Pack
• The fusion of 360view and 360eyes in a same package.
• Find out exactly what you need to migrate
• Pr...
Save daily
administration time
Security
implementation made
easy
Document everything
Keep control over
your deployment
Ear...
Contact
See our solutions in action on
www.youtube.com/360suite
Ask for a FREE TRIAL!
Sébastien GOIFFON
+1 (347) 767 6836
...
BO XIr2 security concepts. Key benefits in using 360view and 360view release 2
BO XIr2 security concepts. Key benefits in using 360view and 360view release 2
Upcoming SlideShare
Loading in …5
×

BO XIr2 security concepts. Key benefits in using 360view and 360view release 2

3,066 views

Published on

This presentation came from our 10 years field experience on Business Objects migrations, securty implementations. It described first what is completly new concerning XI security management. Finally it explains why 360view and 360view release 2 (360view suite: security migration pack) are helpful within migrations, day to day administration.

Published in: Business, Technology
  • The usage of imagery in this presentation is really effective. You've done a fantastic job here friend.
    Sharika
    http://winkhealth.com http://financewink.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

BO XIr2 security concepts. Key benefits in using 360view and 360view release 2

  1. 1. Xir2 security concepts and migration
  2. 2. 1 BO5 or BO6 security concepts 2 BOE Xir2 new security concepts 3 Comparison. Examples 4 Migration: A double challenge 5 Our approach: 360view toolset SYNOPSIS
  3. 3. 1 BO5 or BO6 security concepts 2 BOE Xir2 new security concepts 3 Comparison. Examples 4 Migration: A double challenge 5 Our approach: 360view toolset
  4. 4. • Security definition: User rights and restrictions = links between actors ( user or group ) and universes – universe overloads, documents, applications-security commands, domains and stored procedures. • Supervisor: “user centric” security vision. • “user centric” security implementation: Publications and assignments. • Group inheritance: Nearest value selected. • Only 3 ways to implement security. Easy to administrate. But the repository is a black box. • A user can belong to more than one group: User instances. BO5 or BO6 security: Concepts
  5. 5. BO5 or BO6 security: Effective rights • Effective rights (user real rights) = explicit rights aggregation. • Possible explicit values: – Granted (OK): Right is given. – Denied or hidden (KO): Right is denied. – Not specified (NS): No right. NS OK KO OK+NS KO+NS OK+KO Application OK OK KO OK OK OK Security commands OK OK KO OK KO KO Stored procedures KO OK KO OK KO OK Domains KO OK KO OK KO OK Documents (*) KO OK KO OK KO OK Universes (*) KO OK KO OK KO OK (*) Rights depend also with domains rights. Nota: “NS” means “Not Specified”
  6. 6. 1 BO5 or BO6 security concepts 2 BOE Xi R2 security concepts 3 Comparison. Examples 4 Migration: A double challenge 5 Our approach: 360view toolset
  7. 7. BOE Xir2 security concepts: Folders • Under BOE Xir2, universes and documents (objects) are stored in folders (before they were stored under the repository database). Folders are like domains under Business Objects. • Unlimited folders tree for documents and universes. Objects can be stored in one folder only. Unlimited folder tree (documents & universes)
  8. 8. BOE Xir2 security concepts: Groups-Users • Group structure is no longer a classic tree like under BO5 or BO6 with a root group: A group can belong to more than one group. A kind of acyclic graph. • A user can belong to more than one group (usually belong to more than one group: Everyone group and other). Sales USA Sales George Purchasing George Deski Groups USA Sales Purchasing
  9. 9. BOE Xir2 security concepts: Concepts • Security management under the CMC. • CMC: « Object centric » security vision. • Security Viewer: « User centric » security vision. • « Object centric » security implementation: Publications and assignments. • Universe overloads are now managed under Designer (« object centric »). • Double inheritance security: Group and folder inheritance.
  10. 10. Double inheritance example Worldwide sales USA sales George Worldwide sales group has an explicit right on Sales folder • George could access to all documents of the folder « Sales UK » due to the double inheritance right given between his ancestor group « Worldwide sales » and the parent folder « Sales ». • Folder rights work like a set of doors, like Windows security.
  11. 11. Double inheritance implementation « Sales » folder Right assignment « Worldwilde sales » group
  12. 12. BOE Xir2 security concepts: Rights • Assign an object gives rights to a user or a group stored like an ACL (Access Control List). • 3 possible explicit values: – Explicitly granted (OK): User or group is given the right. – Explicitly denied (KO): User or group is denied the right. – Not specified (NS): No right assignment. • Explicit rights override inherited rights. • New descending right rule to respect: No locked system of increasing rights.
  13. 13. BOE Xir2 security concepts: Effective Rights • Effective rights (user real rights) = explicit rights aggregation. • Aggregation rules are easier in BOE Xir2, because object independent. • But different (opposed) in comparison with BO5 or BO6 ! • « NS » can be largely used because it does not have any effect on effective rights calculation. Used with « OK » or « KO », it is transparent. • Caution: A single « NS » is equivalent to a « KO ». NS OK KO OK+NS KO+NS OK+KO Xi r2 Objects KO OK KO OK KO KO Nota: “NS” means “Not Specified”
  14. 14. BOE Xir2 security concepts: Granularity 1/2 • Under BO5 or BO6 security commands were attached to applications (minimum value retained). • Under BOE Xir2, security commands are divided in two: 1. Security Commands still attached to applications, thus no granularity (same minimum rule). 2. Security Commands now attached to folders and/or objects, and thus granularity possible.
  15. 15. BOE Xir2 security concepts: Granularity 2/2
  16. 16. 1 BO5 or BO6 security concepts 2 BOE Xir2 new security concepts 3 Comparison. Examples 4 Migration: A double challenge 5 Our approach: 360view toolset
  17. 17. Example: 1/3 Rights comparison BOE Xir2 effective rights (user real rights): BO5 or BO6 effective rights (user real rights): In Version 5.x or 6.x you could denied access to a universe to a user in one group and allow him/her in another group. In Xi, not even an “Explicitly granted” OK will over rule an “Explicitly denied” KO. Morale: Use the “Explicitly denied” right wisely ! NS OK KO OK+NS KO+NS OK+KO Xir2 Objects KO OK KO OK KO KO Nota: “NS” means “Not Specified” NS OK KO OK+NS KO+NS OK+KO Xir2 Objects KO OK KO OK KO KO NS OK KO OK+NS KO+NS OK+KO Universes KO OK KO OK KO OK
  18. 18. Example: 2/3 Current BO vision • Under the Supervisor: Rights vision and assignment to a user or a group. • No « object centric » vision like: Which users can create a report on this universe ?
  19. 19. Example: 3/3 Xir2 vision • In BOE Xir2, reversed effective right implementation. • In the CMC, rights visualisation and assignment for an object or a folder. • In the CMC, no « user centric » vision like: Which objects a user can access to. But, it’s possible to see « user centric » effective and explicit rights using the Security Viewer. Rights Audit group (maybe a new group) Cédric Georges form3
  20. 20. BO and BOE security comparison 1/2 • BO5 or BO6 security vision and assignment « user centric » and not « object centric ». • Conversely, BOE Xir2 security vision and assignment « object centric » in the CMC and « user centric » vision in the Security Viewer. • Aggregation rules are harder in BO5/6, because object dependency. • Aggregation rules are easier in BOE Xir2 because object independency. • Objects are stored under a folders tree in BOE Xir2. • Centralised security management in the Supervisor in BO5 or BO6. Now managed in CMC and Designer in BOE Xir2.
  21. 21. BO and BOE security comparison 2/2 • In BOE Xir2, don’t work with a locked system of increasing rights. • Granularity is possible on some security commands in BOE Xir2, not in BO5 or BO6. • Only 3 ways to implement security under BO5 or BO6 keeping it easy to administrate. • More than 300 ways to implement security under BOE Xir2: Very powerful but can quickly become unadministrable. Conclusion and official BO migration practice: Redefine manually your security under BOE Xir2.
  22. 22. BOE Xir2 security tips and tricks to enjoy long-term benefits 1/2 Remodel your security when migrating from BO5 or BO6 to Xir2.  Apply rights at group and folder level.  Folders structure: content driven.  Groups structure: users with similar access rights.  Implement a group tree instead of an acyclic graph.  Use predefined access levels instead of customized access rights.  Use No Access right instead of Denied whenever possible.
  23. 23. BOE Xir2 security tips and tricks to enjoy long-term benefits 2/2 Use an open system of decreasing rights. (to navigate through folders)  Deploy and use the Security Viewer.  Do not break inheritance.  Don’t manage universe overloads in Designer but directly in the database.  Take advantage of the Everyone group.  Understand and master these security concepts.
  24. 24. 1 BO5 or BO6 security concepts 2 BOE Xir2 new security concepts 3 Comparison. Examples 4 Migration: A double challenge 5 Our approach: 360view toolset
  25. 25. BOE Xir2 security migration: Double challenge • BOE Xir2 main evolution: Security management. Double challenge of security migration or implementation: Challenge 1: Manage the repository post migration, whilst limiting administration load and by offering an optimum quality of service to end-users. Challenge 2: Migrate current security = security manual redefinition in the CMC and the Designer. • Extra tasks compared to the preceding migrations.
  26. 26. Challenge 1: define a security model • Define a « security conceptual model » allowing easiest administration. • Making a dynamic map of your current deployment: Groups and folders structure definition. Looking for matrices like documents / groups, categories / groups … • Rewrite all administration processes: Documents and universes management between environments, user's rights definition. • Essential security matrices documentation.
  27. 27. Challenge 2: Things to do pre-migration • Essential preparation of migration data. Technical and functional preparation. Audit and cascading cleaning. • Work with end-users teams during all the project. • Migrate necessary objects only. Direct impact on migration tasks (documents - universes) and on security redefinition. The less you migrate (actors, objects and rights), the faster and cheaper the migration will be. • Delete all inconsistencies to deduce universes, categories assignments… Documents assignment is the master.
  28. 28. Migration objectives: Recalls • Main objective: Transparent technical migration for end-users. • For a given end-user: Same user rights and restrictions. • Except new functionalities (granularity) and possible cleaning. • Difficulties: - Manual mapping of existing security: User access rights (universes, documents and domains) and restrictions (universe overloads and security commands). Manual calculation of effective rights. - Manual inversion of the security dynamic map (effective rights inversion). - Xi groups and folders definition. • Post migration risks: - Non visible user access rights errors: Only correctable through user feedback. - Restriction errors: Non-visible side effects !
  29. 29. Challenge 2: Security migration - Alternatives - Risks • « User centric » BO5 or BO6 vision. « Object centric » security assignments in BOE Xir2. • Manual re-definition of effective security with the CMC and Designer. • Security manual dynamic map to define rules and regrouping. Expensive and risky tasks. Errors need to be corrected after migration. • Two risks to be covered in SOX environment on strategic and sensitive data: - Project cost and length. - Post migration side effects. • Using an accurate security dynamic map toolset allowing to reverse current security, to have an « object centric » vision and to prepare data to migrate.
  30. 30. 1 BO5 or BO6 security concepts 2 BOE Xir2 new security concepts 3 Comparison. Examples 4 Migration: A double challenge 5 Our approach: 360view toolset
  31. 31. • Solutions for SAP BO administration & migration • Supporting XIR2, XI3, BI4.0 and BI4.1 • Almost 400 customers worldwide:
  32. 32. 360suite: Top ten features 1. Manage security using web matrices 2. Document (Excel export) your CMS (security matrices, groups, users, universe overloads …) 3. Schedule backup of your entire Business Objects platform 4. Selective restore of any version including deleted or corrupt content (like personal documents) 5. Perform impact analysis (universe object and SQL, unv and unx) 6. Run jobs (backup, import users, Excel exports …) using an Enterprise Job Scheduler (Control-M, Dollar Universe, UC4, TWS…) 7. Promote content using a drag and drop or schedule promotion. 8. Dynamically burst BO reports. 9. Optimize migration: audit, clean, compare versions. 10. Follow your BOE metadata evolution through time.
  33. 33. • User friendly web interface to manage Xi security. • Document your deployed security. • Audit and clean your CMS.
  34. 34. • Backup, version and restore content. • Drag and drop objects between CMS or schedule migrations. • Compare SAP Business Objects environments
  35. 35. • Schedule SAP Business Objects reports from an Excel, CSV spreadsheet or a SQL query. • Dynamic scheduling and bursting: - Fill in prompt, filter, format and destination values within Excel, CSV or SQL. - Any modification within Excel, CSV or SQL will dynamically impact your results. • Schedule your reports using your enterprise scheduler (Control M, Dollar Universe, VTOM…).
  36. 36. • Load all your SAP Business Objects data within a data warehouse. • Query and analyze these data using BO universes and Webi reports. • Document your deployment: - Detect unused documents and universes. - Run impact analysis. • Follow the evolution of your metadata through time. • Compare environment or BO versions during a migration.
  37. 37. • Compare your SAP Business Objects license pool with the licenses you have deployed. • License compliance is just a mouse click away.
  38. 38. • SAP BusinessObjects custom portals. Infoview or BI Launch Pad substitution • Fully integrated within intranet
  39. 39. BI4 Migration Pack • The fusion of 360view and 360eyes in a same package. • Find out exactly what you need to migrate • Prepare the Deski EOL. • Benefits: - As usual the less Objects you migrate the faster and cheaper the migration will be. - Migrate universes, documents and security. Test them and compare them with the source BO deployment.
  40. 40. Save daily administration time Security implementation made easy Document everything Keep control over your deployment Earn efficiency and keep working on high value added tasks Succeed in your migration project Benefits
  41. 41. Contact See our solutions in action on www.youtube.com/360suite Ask for a FREE TRIAL! Sébastien GOIFFON +1 (347) 767 6836 contact@gbandsmith.com EASIER. FASTER. CHEAPER. SAFER. www.gbandsmith.com

×