Security From The Trenches

Presentation transcript:

Security From The Trenches InfoSol, Inc. - Amy O’Neel

Security From the Trenches
- Security 101 – Precedence and Inheritance
- Security 102 – Application Rights
- Object only vs Object and Objects Within
- 4.x Changes
- Information Design Tool Security Profiles
- Auditing Security
InfoSol 2017

Security 101

Security 101
- Denied > Granted > No Access
- Explicit Settings vs Group Settings
- Inherited unless Inheritance Broken

Explicit Settings "If a right is explicitly set on a child object that contradicts the rights inherited from the parent object, the right set on the child object overrides the inherited rights. This exception applies to users who are members of groups as well. If a user is explicitly granted a right that the user's group is denied, the right set on the user overrides the inherited rights."

Let’s have a look…. http://vm3.infosol.com:8080/BOE/CMC

Security 102
- Application Rights vs Content Rights
- Sometimes it takes a combination

Security 102 Example - Inboxes
Application Settings: 'Send' button
'BI launch pad':
 - 'Send to BO Inbox'
 - 'Send to email destination'
 - 'Send to file location'
 - 'Send to FTP location'
 - 'Organize'
Copy Object (on from Folder)
Add Objects to the Folder (on Inboxes)
View Users (to select Users)
'Web Intelligence':
 - 'Desktop interface - send by mail'
 - 'Documents - enable publish and manage content as web service'

On Object Only vs On Object and Sub Objects (View at Top Level)

Favorites
- In 3.x, users were set with principal rights on their own personal folder.
- In 4.x, the user has the Everyone group right on their own personal folder.
- Full Control vs View Object Only + Full Control (Owner)

Object Only Setting – View Object Only
CMC tabs w/ top-level folders:
- Access Levels
- Calendars
- Categories
- (Universe) Connections
- Cryptographic Keys
- Events
- Federations
- Folders
- Inboxes
- OLAP Connection
- Personal Categories
- Personal Folders
- Profiles
- Replication Lists
- Servers and Groups
- Temporary Storage
- Universes
- Users and Groups
- Web Service Query

Let’s have a look…. http://vm3.infosol.com:8080/BOE/CMC

4.x Changes

Removed or Renamed
Removed / Renamed:
- Enable drill mode
- Interactive: Hide/Show Toolbars
- Renamed "Create document" to "Documents – enable creation"
- …and many more
Rule of Thumb – Redo security settings

From the Trenches
- 4.2 SP4 more secure SSL
  - SSL – Regenerate certificate (new encryptions, key strength 2048+, enable FIPS)
  - Disable SSL for Upgrade Manager
- Drill Mode requires Edit Query in 4.x if drilling out of scope
- Input Control Selection requires "Reporting – enable formatting" in 4.x
  - “Your security profile does not include permission to edit this document (WIS 30252)”
  - Additional work with CUSTOMIZATIONS if you do not want them to be able to edit:
    - Hide Design Mode Toolbar
    - Hide Application Mode Buttons

From the Trenches
Administrators Group:
- For improved security, only members of the Administrators group can access the system configuration wizard.
- Only users who are part of the default Administrators group can add users in bulk. This feature is not supported for delegated admins.
- When users are added to the Administrators group, they do not inherit the rights required to perform management tasks on cryptographic keys. (They need to be in the Cryptographic Officers group.)

Administrators Group
CMC tabs:
- Auditing
- Authentications
- Cryptographic Keys
- License Keys
- Monitoring
- Sessions
- Settings
- User Attribute Management
Only members of the Administrators group can change management settings, unless a user is explicitly granted rights to do so.

Information Design Tool Security Profiles

Avoid the Refresh Error
“You do not have sufficient rights to refresh the query”
Secret: Allow Data AND Display Objects

Let’s have a look…. (If there’s time…..)

Set up security in IDT - Universe
Information Design Tool Security Builder: ROWS tab, Assign Data Security Profile to a User Group
- In the security builder of the Information Design Tool, insert a Data Security Profile for your required universe.
- Add a Rows security restriction on the Customers table. In our example it's SI_Country.
- Assign this security to an appropriate group (you can do this for ‘Everyone’) and save your universe.

Information Design Tool
Speaking of System Variables…

System Variables
- The built-in @Variables for XI 3.1 are BOUSER, DBUSER, DBPASS, DOCNAME, DPNAME, DPTYPE, UNVNAME, and UNVID
- XI 3.1 SP2 added DOMINANT_PREFERRED_VIEWING_LOCALE, PREFERRED_VIEWING_LOCALE
- XI 4.x added DOCID and removed DBPASS
- … And added User Defined Attributes
IBIS 2009 -- June 14 - 17 -- Lake Las Vegas

System Variables
Use @variable() in:
- SELECT - to display user on report
- WHERE – to filter results by user
- END_SQL – to track users and documents running queries in database logging
- ConnectInit in custom connection parameters:
    SET QUERY_BAND = 'ApplicationName=YourAppHere; ClientUser=@variable('BOUSER');' FOR TRANSACTION (or SESSION) ;
- BEGIN_SQL:
    SET QUERY_BAND='USER='@Variable('BOUSER'); Document='@Variable('DPNAME')';' for transaction;

BOUser in @Execute
Personalized, Multiple Values LOV
Data Foundation LOV, “BOUserCustomer”:
    SELECT DISTINCT Customer.Last_Name
    FROM Customer, Employee, Orders
    WHERE Employee.Last_Name = @variable('BOUSER')
      AND Customer.Customer_ID = Orders.Customer_ID
      AND Orders.SalesPerson_ID = Employee.Emp_ID
Table filter:
    Customer.Last_Name IN @Execute(BOUserCustomer)

Auditing Security

The Matrix
- GROUPS AND SUB GROUPS
- Denied > Granted > No Access
- Explicit Settings vs Group Settings
- Inherited unless Inheritance Broken
- FOLDERS and SUB FOLDERS
How to Visualize a MATRIX?
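The Security 101 precedence rules and the groups-by-folders matrix can be modelled in a few lines to audit who ends up with what. This is an added example, not part of the original presentation and not SAP's algorithm: it is a simplified model that assumes settings on an object are checked before its parent's, and every user, group and folder name in it is constructed sample data.

```python
# Simplified model of the rules on these slides; NOT SAP's implementation.
# Every user, group and folder name is constructed sample data.
GROUPS = {                      # user -> groups the user belongs to
    "amy": ["Finance", "Everyone"],
    "bob": ["Everyone"],
    "carol": ["Everyone"],
}
# folder -> (parent, inherits_from_parent, {principal: {right: "G" | "D"}})
FOLDERS = {
    "Root": (None, True, {"Everyone": {"view": "G"}}),
    "Finance": ("Root", True, {
        "Everyone": {"view": "D"},
        "Finance": {"view": "G", "edit": "G"},
        "carol": {"view": "G"},          # explicit user grant
    }),
    "Payroll": ("Finance", True, {"amy": {"edit": "D"}}),
    "Archive": ("Root", False, {}),      # inheritance broken, nothing set
}


def effective(user, folder, right):
    """Return 'Granted', 'Denied' or 'No Access' for one user/folder/right."""
    while folder is not None:
        parent, inherits, acl = FOLDERS[folder]
        explicit = acl.get(user, {}).get(right)
        if explicit:                     # explicit user setting beats group settings
            return "Granted" if explicit == "G" else "Denied"
        votes = {acl.get(g, {}).get(right) for g in GROUPS[user]}
        if "D" in votes:                 # Denied > Granted across the user's groups
            return "Denied"
        if "G" in votes:
            return "Granted"
        # Assumption: object checked before parent; stop where inheritance is broken.
        folder = parent if inherits else None
    return "No Access"                   # nothing specified anywhere


def matrix(right):
    """Effective-rights matrix: one row per user, one column per folder."""
    return {u: {f: effective(u, f, right) for f in FOLDERS} for u in GROUPS}


if __name__ == "__main__":
    for right in ("view", "edit"):
        print(f"\nright: {right}")
        print("user".ljust(8) + "".join(f.ljust(11) for f in FOLDERS))
        for user, row in matrix(right).items():
            print(user.ljust(8) + "".join(v.ljust(11) for v in row.values()))
```

In the sample data amy is denied view on Finance even though her Finance group grants it, because Everyone is denied there, while carol's explicit grant overrides the same group denial.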

3rd Party Tools 360View

3rd Party Tools 360Eyes

IBIS 2018 Open for Registration
The Premier BusinessObjects Education & Knowledge Exchange Event of the Year!
June 18-20 | Park Hyatt Aviara Carlsbad, CA
AttendIBIS.com
- ALL INCLUSIVE (HOTEL/FOOD/CONFERENCE)
- HANDS-ON TRAINING
- Organized in modules to allow for jumping between tracks as needed.
https://www.youtube.com/watch?time_continue=15&v=h8yYTLUqoXM

Session: QUESTIONS???
Amy O’Neel
aoneel@infosol.com
text BOUG17 to 623-552-2272 to receive the slides from this presentation