Xir2 security concepts and migration

1 BO5 or BO6 security concepts

2 BOE Xir2 new security concepts

3 Comparison. Examples

4 Migration: A double challenge

5 Our approach: 360view toolset

SYNOPSIS

1 BO5 or BO6 security concepts

2 BOE Xir2 new security concepts

3 Comparison. Examples

4 Migration: A double challenge

5 Our approach: 360view toolset

• Security definition: User rights and restrictions = links between actors ( user or group ) and universes – universe overloads, documents, applications-security commands, domains and stored procedures.

• Supervisor: “user centric” security vision.

• “user centric” security implementation: Publications and assignments.

• Group inheritance: Nearest value selected.

• Only 3 ways to implement security. Easy to administrate. But the repository is a black box.

• A user can belong to more than one group: User instances.

BO5 or BO6 security: Concepts

BO5 or BO6 security: Effective rights

• Effective rights (user real rights) = explicit rights aggregation.• Possible explicit values:

– Granted (OK): Right is given.– Denied or hidden (KO): Right is denied.– Not specified (NS): No right.

NS OK KO OK+NS KO+NS OK+KO

Application OK OK KO OK OK OK

Security commands OK OK KO OK KO KO

Stored procedures KO OK KO OK KO OK

Domains KO OK KO OK KO OK

Documents (*) KO OK KO OK KO OK

Universes (*) KO OK KO OK KO OK

(*) Rights depend also with domains rights.

Nota: “NS” means “Not Specified”

1 BO5 or BO6 security concepts

2 BOE Xi R2 security concepts

3 Comparison. Examples

4 Migration: A double challenge

5 Our approach: 360view toolset

BOE Xir2 security concepts: Folders• Under BOE Xir2, universes and documents (objects) are stored in folders (before

they were stored under the repository database). Folders are like domains under Business Objects.

• Unlimited folders tree for documents and universes. Objects can be stored in one folder only.

Unlimited folder tree (documents & universes)

BOE Xir2 security concepts: Groups-Users

• Group structure is no longer a classic tree like under BO5 or BO6 with a root group: A group can belong to more than one group. A kind of acyclic graph.

• A user can belong to more than one group (usually belong to more than one group: Everyone group and other).

Sales

USA Sales

George

Purchasing

George

Deski Groups

USA Sales Purchasing

BOE Xir2 security concepts: Concepts

• Security management under the CMC.

• CMC: « Object centric » security vision.

• Security Viewer: « User centric » security vision.

• « Object centric » security implementation: Publications and assignments.

• Universe overloads are now managed under Designer (« object centric »).

• Double inheritance security: Group and folder inheritance.

Double inheritance example

Worldwide sales

USA sales

George

Worldwide sales group has an explicit right on Sales folder

• George could access to all documents of the folder « Sales UK » due to the double inheritance right given between his ancestor group « Worldwide sales » and the parent folder « Sales ».

• Folder rights work like a set of doors, like Windows security.

Double inheritance implementation

« Sales » folder Right assignment

« Worldwilde sales » group

BOE Xir2 security concepts: Rights

• Assign an object gives rights to a user or a group stored like an ACL (Access Control List).

• 3 possible explicit values:

– Explicitly granted (OK): User or group is given the right.

– Explicitly denied (KO): User or group is denied the right.

– Not specified (NS): No right assignment.

• Explicit rights override inherited rights.

• New descending right rule to respect: No locked system of increasing rights.

BOE Xir2 security concepts: Effective Rights

• Effective rights (user real rights) = explicit rights aggregation.

• Aggregation rules are easier in BOE Xir2, because object independent.

• But different (opposed) in comparison with BO5 or BO6 !

• « NS » can be largely used because it does not have any effect on effective rights calculation. Used with « OK » or « KO », it is transparent.

• Caution: A single « NS » is equivalent to a « KO ».

NS OK KO OK+NS KO+NS OK+KOXi r2

Objects KO OK KO OK KO KO

Nota: “NS” means “Not Specified”

BOE Xir2 security concepts: Granularity 1/2

• Under BO5 or BO6 security commands were attached to applications (minimum value retained).

• Under BOE Xir2, security commands are divided in two:

1. Security Commands still attached to applications, thus no granularity (same minimum rule).

2. Security Commands now attached to folders and/or objects, and thus granularity possible.

BOE Xir2 security concepts: Granularity 2/2

1 BO5 or BO6 security concepts

2 BOE Xir2 new security concepts

3 Comparison. Examples

4 Migration: A double challenge

5 Our approach: 360view toolset

Example: 1/3 Rights comparison

BOE Xir2 effective rights (user real rights):

BO5 or BO6 effective rights (user real rights):

In Version 5.x or 6.x you could denied access to a universe to a user in one group and allow him/her in another group.

In Xi, not even an “Explicitly granted” OK will over rule an “Explicitly denied” KO.

Morale: Use the “Explicitly denied” right wisely !

NS OK KO OK+NS KO+NS OK+KOXir2 Objects KO OK KO OK KO KO

Nota: “NS” means “Not Specified”

NS OK KO OK+NS KO+NS OK+KO

Xir2 Objects KO OK KO OK KO KO

NS OK KO OK+NS KO+NS OK+KO

Universes KO OK KO OK KO OK

Example: 2/3 Current BO vision

• Under the Supervisor: Rights vision and assignment to a user or a group.

• No « object centric » vision like: Which users can create a report on this universe ?

Example: 3/3 Xir2 vision

• In BOE Xir2, reversed effective right implementation.

• In the CMC, rights visualisation and assignment for an object or a folder.

• In the CMC, no « user centric » vision like: Which objects a user can access to. But, it’s possible to see « user centric » effective and explicit rights using the Security Viewer.

Rights

Audit group (maybe a new group)

Cédric

Georges

form3

BO and BOE security comparison 1/2

• BO5 or BO6 security vision and assignment « user centric » and not « object centric ».

• Conversely, BOE Xir2 security vision and assignment « object centric » in the CMC and « user centric » vision in the Security Viewer.

• Aggregation rules are harder in BO5/6, because object dependency.

• Aggregation rules are easier in BOE Xir2 because object independency.

• Objects are stored under a folders tree in BOE Xir2.

• Centralised security management in the Supervisor in BO5 or BO6. Now managed in CMC and Designer in BOE Xir2.

BO and BOE security comparison 2/2

• In BOE Xir2, don’t work with a locked system of increasing rights.

• Granularity is possible on some security commands in BOE Xir2, not in BO5 or BO6.

• Only 3 ways to implement security under BO5 or BO6 keeping it easy to administrate.

• More than 300 ways to implement security under BOE Xir2: Very powerful but can quickly become unadministrable.

Conclusion and official BO migration practice: Redefine manually your security under BOE Xir2.

BOE Xir2 security tips and tricks to enjoy long-term

benefits 1/2Remodel your security when migrating from BO5 or BO6 to Xir2.

Apply rights at group and folder level.

Folders structure: content driven.

Groups structure: users with similar access rights.

Implement a group tree instead of an acyclic graph.

Use predefined access levels instead of customized access rights.

Use No Access right instead of Denied whenever possible.

BOE Xir2 security tips and tricks to enjoy long-term

benefits 2/2Use an open system of decreasing rights. (to navigate through

folders)

Deploy and use the Security Viewer.

Do not break inheritance.

Don’t manage universe overloads in Designer but directly in the database.

Take advantage of the Everyone group.

Understand and master these security concepts.

1 BO5 or BO6 security concepts

2 BOE Xir2 new security concepts

3 Comparison. Examples

4 Migration: A double challenge

5 Our approach: 360view toolset

BOE Xir2 security migration: Double challenge

• BOE Xir2 main evolution: Security management. Double challenge of security migration or implementation:

Challenge 1:Manage the repository post migration, whilst limiting administration load and by offering an optimum quality of service to end-users.

Challenge 2:Migrate current security = security manual redefinition in the CMC and the Designer.

• Extra tasks compared to the preceding migrations.

Challenge 1: define a security model

• Define a « security conceptual model » allowing easiest administration.

• Making a dynamic map of your current deployment: Groups and folders structure definition. Looking for matrices like documents / groups, categories / groups …

• Rewrite all administration processes: Documents and universes management between environments, user's rights definition.

• Essential security matrices documentation.

Challenge 2: Things to do pre-migration

• Essential preparation of migration data. Technical and functional preparation. Audit and cascading cleaning.

• Work with end-users teams during all the project.

• Migrate necessary objects only. Direct impact on migration tasks (documents - universes) and on security redefinition. The less you migrate (actors, objects and rights), the faster and cheaper the migration will be.

• Delete all inconsistencies to deduce universes, categories assignments… Documents assignment is the master.

Migration objectives: Recalls

• Main objective: Transparent technical migration for end-users.

• For a given end-user: Same user rights and restrictions.

• Except new functionalities (granularity) and possible cleaning.• Difficulties:

- Manual mapping of existing security: User access rights (universes, documents and domains) and restrictions (universe overloads and security commands). Manual calculation of effective rights.

- Manual inversion of the security dynamic map (effective rights inversion).

- Xi groups and folders definition.

• Post migration risks:

- Non visible user access rights errors: Only correctable through user feedback.

- Restriction errors: Non-visible side effects !

Challenge 2: Security migration - Alternatives - Risks

• « User centric » BO5 or BO6 vision. « Object centric » security assignments in BOE Xir2.

• Manual re-definition of effective security with the CMC and Designer.

• Security manual dynamic map to define rules and regrouping. Expensive and risky tasks. Errors need to be corrected after migration.

• Two risks to be covered in SOX environment on strategic and sensitive data:

- Project cost and length.

- Post migration side effects.

• Using an accurate security dynamic map toolset allowing to reverse current security, to have an « object centric » vision and to prepare data to migrate.

1 BO5 or BO6 security concepts

2 BOE Xir2 new security concepts

3 Comparison. Examples

4 Migration: A double challenge

5 Our approach: 360view toolset

• Solutions for SAP BO administration & migration

• Supporting XIR2, XI3, BI4.0 and BI4.1

• Almost 400 customers worldwide:

360suite: Top ten features

1. Manage security using web matrices

2. Document (Excel export) your CMS (security matrices, groups, users, universe overloads …)

3. Schedule backup of your entire Business Objects platform

4. Selective restore of any version including deleted or corrupt content (like personal documents)

5. Perform impact analysis (universe object and SQL, unv and unx)

6. Run jobs (backup, import users, Excel exports …) using an Enterprise Job Scheduler (Control-M, Dollar Universe, UC4, TWS…)

7. Promote content using a drag and drop or schedule promotion.

8. Dynamically burst BO reports.

9. Optimize migration: audit, clean, compare versions.

10. Follow your BOE metadata evolution through time.

• User friendly web interface

to manage Xi security.

• Document your deployed

security.

• Audit and clean

your CMS.

• Backup, version and restore content.

• Drag and drop objects between CMS or schedule migrations.

• Compare SAP Business Objects environments

• Schedule SAP Business Objects reports from an Excel, CSV spreadsheet or a SQL query.

• Dynamic scheduling and bursting:

- Fill in prompt, filter, format and destination values within Excel, CSV or SQL.

- Any modification within Excel, CSV or SQL will dynamically impact your results.

• Schedule your reports using your enterprise scheduler

(Control M, Dollar Universe, VTOM…).

• Load all your SAP Business Objects data within a data warehouse.

• Query and analyze these data using BO universes and Webi reports.

• Document your deployment:- Detect unused documents and universes.- Run impact analysis.

• Follow the evolution of your metadata through time.

• Compare environment or BO versions during a

migration.

• Compare your SAP Business Objects license pool with the licenses you have deployed.

• License compliance is just a

mouse click away.

• SAP BusinessObjects custom portals. Infoview or BI Launch Pad substitution

• Fully integrated within intranet

BI4 Migration Pack

• The fusion of 360view and 360eyes in a same package.

• Find out exactly what you need to migrate

• Prepare the Deski EOL.

• Benefits:

- As usual the less Objects you migrate the faster and

cheaper the migration will be.

- Migrate universes, documents and security. Test them and compare them

with the source BO deployment.

Save daily administration time

Security implementation made

easyDocument everything

Keep control over your deployment

Earn efficiency and keep working on high

value added tasks

Succeed in your migration project

Benefits

Contact

See our solutions in action on

www.youtube.com/360suite

Ask for a FREE TRIAL!

Sébastien GOIFFON+1 (347) 767 6836

contact@gbandsmith.com

EASIER. FASTER. CHEAPER. SAFER.www.gbandsmith.com