Managing Security

This section provides information about granting users access to the generated universes and report templates.

Overview

After a generation is complete, users must be given access to the generated universes and report templates before they are able to write or execute reports in BusinessObjects Enterprise against Noetix Views (NoetixViews), Noetix Analytics, or RapidDecision. Access to the generated universes and report templates is provided by making users members of the groups created during generation or through permission inheritance in BusinessObjects. This section provides information about how to use these groups to manage access to Noetix views, Noetix Analytics, and RapidDecision, and the generated report templates.

Group Organizational Structure

During the Export generated universes and history step, Angles Generator for SAP Business Objects (Angles Generator) generates groups in the Central Management Server.

For NoetixViews:

One group is created for each universe, both organizational unit and NoetixViews role types. These groups are named after the corresponding universe and are prefixed according to the User Group Prefix defined on the Target Parameters tab of the Angles for Oracle Generator for SAP BusinessObjects tool.

Each group has been granted the access level specified in the Security Group Access Level box of the generator tool to the corresponding universe and associated report templates. If both organizational unit and NoetixViews role universes have been generated and exported, the organizational unit groups will also be automatically added as a member of each of the NoetixViews role groups that make up the organizational unit. As a result, administrators can make advanced users members of an organizational unit group in order to grant them access to both the organizational unit universe and associated NoetixViews universes.

For Noetix Analytics/RapidDecision:

One group is created for each relationship set-based universe. These groups grant members access to the associated universe. The access level granted is based on the value selected in the Security Group Access Level box of the generator tool.

Groups are also generated for each of the information groups found in the Business Manager hierarchy in Metadata Manager. Each of these groups grants members access to the universes that were generated for relationship sets found under the information group. For example, the AP group provides members access to all relationship set-based universes related to accounts payable while the Financials group provides members with access to all of financials, including AP, AR and GL.

Granting Access to BusinessObjects Enterprise Users

Users can be added to the generated groups directly or indirectly to give them access to the necessary universes and report templates. Membership can be assigned in BusinessObjects Central Management Console by a user with sufficient administrative privileges. For more information on administering groups within Central Management Console, refer to the BusinessObjects Enterprise documentation.

The guidelines below should be followed when granting access:

  • If Inherit Universe Permissions From Above was selected during the generation, users will inherit access to the generated universes based on the security configuration set up in BusinessObjects Central Management Console prior to the generation. This may make the security groups created by the generator appear unnecessary. Instead of using them to provide basic end user access, however, they can then be used to provide an increased level of access to users that require it.
  • Existing groups in the environment should be given membership to the generated groups whenever possible, rather than directly to individual users. Adhering to this guideline will leverage BusinessObjects’ permission inheritance capabilities and minimize the time spent administering data security.
  • Since an organizational unit group has access to all of the NoetixViews roles associated with the organizational unit, adding members to an organizational unit group is equivalent to adding the same members to the individual NoetixViews role groups associated with the organizational unit. Therefore, organizational unit groups should be utilized whenever possible instead of using the individual NoetixViews role groups. Along the same line, groups corresponding to Noetix Analytics information groups at higher levels in the Business Manager hierarchy should be used whenever appropriate to minimize the number of lower level group grants required to provide a user with the necessary access.
  • If it is determined that utilizing an organizational unit group would provide too much access, individual NoetixViews role or relationship set groups should be used.

Security Example

The following example describes when to utilize organizational unit groups and NoetixViews role groups. In this security scenario, two organizational unit universes exist:

  • Set of Books1 contains the roles GL1 and FA1.
  • Set of Books2 contains the roles GL2 and FA2.

Two users need access to these sets of books:

  • User1 needs access to GL1 and FA1.
  • User2 needs access to GL1, GL2 and FA2.

User1:

User1 should be given membership to the organizational unit group for Set of Books1 because this set of books contains each of the roles that User1 needs access to.

User2:

User2 should be given membership to the NoetixViews role group for GL1 because giving membership to the organizational unit group for Set of Books1 would provide too much access. In addition, User2 should be given membership to the organizational unit group for Set of Books2 because it contains the GL2 and FA2 roles, which User2 needs access to.
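The decision made for User1 and User2 above, generalized to any set of organizational units, as an added example that is not part of the product or its documentation. It models group membership only and does not call BusinessObjects; the function names and the `OU_ROLES` sample data are hypothetical.

```python
"""Plan least-privilege group grants for organizational unit and role groups."""

# Constructed sample data mirroring the scenario above: each organizational
# unit group reaches every NoetixViews role group that makes up the unit.
OU_ROLES = {
    "Set of Books1": {"GL1", "FA1"},
    "Set of Books2": {"GL2", "FA2"},
}


def plan_grants(needed, ou_roles):
    """Return (ou_groups, role_groups) that cover `needed` and nothing more.

    An organizational unit group is used only when every role it contains is
    needed; whatever is left is granted through individual role groups.
    """
    needed = set(needed)
    known = set().union(*ou_roles.values())
    unknown = needed - known
    if unknown:
        raise ValueError(f"roles not in any organizational unit: {sorted(unknown)}")

    ou_groups = sorted(
        ou for ou, roles in ou_roles.items() if roles and roles <= needed
    )
    covered = set().union(*(ou_roles[ou] for ou in ou_groups))
    role_groups = sorted(needed - covered)
    return ou_groups, role_groups


def effective_roles(ou_groups, role_groups, ou_roles):
    """Expand a user's memberships into the roles they actually reach."""
    roles = set(role_groups)
    for ou in ou_groups:
        roles |= ou_roles[ou]
    return roles


def excess_access(needed, ou_groups, role_groups, ou_roles):
    """Roles reachable through the memberships that the user does not need."""
    return effective_roles(ou_groups, role_groups, ou_roles) - set(needed)


if __name__ == "__main__":
    requests = {"User1": {"GL1", "FA1"}, "User2": {"GL1", "GL2", "FA2"}}
    for user, needed in requests.items():
        ous, roles = plan_grants(needed, OU_ROLES)
        print(user, "-> organizational unit groups:", ous, "role groups:", roles)

    # Auditing an existing assignment: both organizational unit groups for
    # User2 would expose FA1, which User2 does not need.
    print(excess_access(requests["User2"], list(OU_ROLES), [], OU_ROLES))
```

The same `excess_access` check can be run over an export of current group memberships to find users who hold an organizational unit group where individual role groups would do.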

Granting Access to NoetixAnswers

The organizational unit and NoetixViews role groups that provide users with access to the generated universe are also used to provide access to associated report templates. For example, users that are members of the GL_Ledger group will be able to access all of the report templates built on the GL_Ledger universe. Users that are members of an organizational unit group will be able to see and execute all of the report templates associated with the NoetixViews roles in that organizational unit.

Users will only see NoetixAnswers folders if they have access to one or more of the report templates contained in those folders. If a user has not been given any access to any of the generated NoetixViews universes, he or she will not see the top level folder that contains NoetixAnswers.

The generator modifies the groups it creates to grant them permission to NoetixAnswers folders. Even if the groups are configured to provide users access to modify the report templates, users should not modify them. Any changes made to the templates using BusinessObjects InfoView or BusinessObjects Web Intelligence will be overwritten during regeneration. Users should save their own copy of report templates that they want to customize.

Row Level Data Security

Starting with version 6.0, NoetixViews Global Extension enables security administrators to take advantage of the data access privileges that they have already set up in Oracle E-Business Suite. Reports built against the global views will have their data sets automatically filtered based on the access privileges configured for a user.

Global views look up a given user’s access privileges using the business intelligence tool user’s login name. This section defines the process that must be undertaken to configure the universe connection and generated universes in Designer to enable this login name look up. See the NoetixViews documentation for more information on the specifics of row level security in global views.

This section only applies to the Global Extension in NoetixViews 6.0 and higher. This form of row level security is not available for NoetixViews Standard or Cross Operations, Noetix Analytics, or RapidDecision.

To configure a universe connection for row level security:

  1. Open Universe Designer.
  2. Select Connections from the Tools menu.
  3. Select the existing connection used by the generated universes and select Edit.
  4. On the Login Parameters page, change the connection details to use the APPS account to log in to Oracle.

    The APPS account is required for row level security to work for certain modules because they utilize Oracle E-Business Suite security capabilities that require the APPS account.

  5. On the Configuration Parameters page, change the Connection Pool Mode to Disconnect after each transaction.

    This step disables connection pooling, and may have a negative effect on database performance. It is necessary because the initialization script described below must be used both against primary NoetixViews and their corresponding LoV views. While it would be preferable to move this code to each universe’s BEGIN_SQL block, a defect in current versions of SAP BusinessObjects (ADAPT01634036) currently prevents the BEGIN_SQL block from being used during LoV query execution.

  6. Fill out the details of each subsequent screen until you reach the Custom Parameters page.
  7. Paste the following script into Notepad or a similar text editor:

    begin
      apps.xxnao_map_user_apps_init(
        '[NOETIX_SYS Account Name]',
        '@Variable('BOUSER')',
        '[Registered BI Tool Name]');
    end;

  8. Replace [NOETIX_SYS Account Name] in the code block above with the name of the NOETIX_SYS schema, in all upper case.
  9. Replace [Registered BI Tool Name] in the code block above with the name of the BI tool, as it was registered with NoetixViews Administrator. The case must match what's found in NoetixViews Administrator. See the Noetix Views Administrator Help File for more information on registering a BI tool server.
  10. Remove all line feed characters and paste the result into a custom ConnectInit parameter. Your actual ConnectInit parameter will now look something like the following:

    BEGIN apps.xxnao_map_user_apps_init('NOETIX_SYS','@Variable('BOUSER')','BOBJ');END;

  11. Save the changes and test the connection by logging in to Web Intelligence as different users. Confirm that row level security is working correctly and that users see the records they are expected to see, for both normal and List of Value queries.
  12. If needed, adapt the ConnectInit parameter to work properly with non-US database settings, as described in the section below.
  13. After configuring the universe connection and generated universes to enable row level security, the SAP BusinessObjects administrative user (typically “Administrator”) specified on the Target Parameters tab of Angles for Oracle Generator must be mapped to a Noetix query user in NoetixViews Administrator. This is necessary for future NoetixAnswers regenerations to work properly. See the Noetix Views Administrator Guide for more information on mapping BI tool users to Noetix query users.

Adjusting row level security settings for non-US Oracle database settings:

  1. In some NoetixViews implementations, specifically ones which do not use the United States default NLS_DATE_FORMAT setting in the Oracle database, the above call to apps.xxnao_map_user_apps_init does not work properly. If this is the case for your system, proceed as follows.
  2. Using TOAD, PL/SQL Developer, or a similar tool, open a connection to your NOETIX_SYS schema and run the following script, replacing the [NOETIX_SYS Account Name] and [Registered BI Tool Name] placeholders as you did in Notepad above:

    create or replace procedure init_bobj_user_session(bobjuser varchar2) as
    begin
      declare
        ls_date_format varchar2(50);
      begin
        -- remember the current date format so it can be restored afterwards
        select value
          into ls_date_format
          from v$parameter
         where upper(name) = 'NLS_DATE_FORMAT';

        -- use a fixed date format for the duration of the initialization call
        execute immediate
          'alter session set nls_date_format = ''DD-MM-RR''';
        apps.xxnao_map_user_apps_init(
           '[NOETIX_SYS Account Name]',
           bobjuser,
           '[Registered BI Tool Name]');
        -- restore the original date format
        execute immediate
          'alter session set nls_date_format = ''' || ls_date_format || '''';
      end;
    end;

    This code is nearly identical to the ConnectInit parameter above, but contains additional steps to normalize the date format. It is implemented as a stored procedure in Oracle only because it is too long to use inline in Designer.

  3. Ensure that the APPS account has permission to execute the newly created init_bobj_user_session procedure.
  4. Using Notepad and Designer as above, modify your ConnectInit block to a single-line form of the following:

    BEGIN
      [NOETIX_SYS Account Name].init_bobj_user_session('@Variable('BOUSER')');
    END;

    Your actual ConnectInit parameter will now look something like the following:

    BEGIN noetix_sys.init_bobj_user_session ('@Variable('BOUSER')');END;

  5. Save your changes to the universe connection and test as above. Changes should be in effect immediately.
