How to Design a Successful SAP BusinessObjects BI 4.x platform: Q&A on Security and Authentication

Published: 01/February/2016

Security is typically a top concern for any company that leverages business intelligence. As organizations migrate to SAP BusinessObjects Business Intelligence (BI) 4.x, there are various considerations regarding system security and user authentication.

In this live Q&A on February 25, Martin Macmaster, Principal Consultant at Xoomworks, answered questions on how to set up and manage authentications and best practices for user login issues. He discussed the different security models supported by SAP BusinessObjects BI 4.x and how to design the best platform for your business. Many questions were answered, such as:

  • How can we configure a single Tomcat to serve multiple SSO types?
  • What are some of the roadblocks when you have multiple Business Warehouse (BW) systems in a single BI system?
  • What can be the potential downfalls when a user has accounts across multiple portals that link to BI?
  • How can we still have a common security model when serving several business areas each with their own requirements?
  • How can a security model have an impact on licensing costs?
  • Is there any solid solution for securing Lumira and AOP offline storyboards and views?
  • Can you please suggest the best approach to implementing SSO between HANA and BOBJ?

Read the full transcript below.

Live Blog Q&A on Security and Authentication in SAP BusinessObjects BI 4.x
 

Transcript:

Natalie Miller, SAPinsider: Hello! Welcome to today’s live Q&A on designing a successful SAP BusinessObjects BI 4.x platform. I’m Natalie Miller, features editor of SAPinsider and insiderPROFILES, and I’m pleased to introduce today’s panelist, Martin Macmaster, Principal Consultant at Xoomworks.

Martin has 14 years of BI experience across the SAP BusinessObjects product suite, including experience with migrations and using Data Services for Data Warehouse development. He has been involved in very large-scale upgrades and migrations for a major oil and gas customer recently, which gives him a great overview of the potential problems faced in such large projects and the security issues with Shared BI platforms.

Hi Martin, thank you so much for being here today to answer readers’ questions!

Martin Macmaster, Xoomworks: Hi, everyone. Thanks for joining. Hopefully you’ll all find this nice and useful, so let’s get going.

Comment from Paul Kupers: Is it possible to configure Tomcat for the use of SAML2 SSO? Or do we have to use another webserver?

 

Martin Macmaster: Hi, Paul. I’ve not tried it (although it’s coming after our customer’s 4.2 upgrade), but as I understand it, this works through trusted authentication for mobile BI. It should cover you for the main platform, too. Try this link.

Comment from Stefan: Dear Martin, I want to realize single sign-on (SSO) for BI Launchpad (Active Directory [AD] authentication) in a Windows environment. It works if we manually add the alias of the SAP user to the AD user. However, we want to automate the alias mapping process. The difficulty is that the usernames in AD and SAP are different. However, we have one extension attribute in AD where the SAP username is stored. Is there a way that the BOE AD connector is mapping the SAP username with the AD username (which is stored in the extension attribute)? Many thanks!

 

Martin Macmaster: Hi, Stefan. This is a great question and an ongoing problem. There are several aspects to it, including deciding what you want the main user ID to be. This is particularly important when it comes to connecting to SAP HANA via SAML, where the account name is what matters. The SDK is probably your best bet if you don’t want to get an additional application (perhaps 360 Suite?) in.

You could compare the AD user account CN details if the CN and SAP user ID are the same. This is one of those questions where there’s no one-size-fits-all solution, but I think using the SDK and comparing CN with the user account is a good way to go.

Comment from Jayme: We have not enabled SSO for Chrome, and I understand it’s not officially supported, although there are workarounds. I’m going to test out our service count using constrained certification, which I understand is one of the workarounds. I have successfully altered Chrome settings to make SSO work, but due to IT constraints, we can’t alter Chrome settings for this set up. We are migrating from 4.0 to 4.1 as I write this. Are there any other solutions besides what I have mentioned to enable SSO for the BI Launchpad and OpenDocument to work in Chrome? Regards, Jayme.

 

Martin Macmaster: Hi, Jayme. To be honest, in my experience there shouldn’t be any issue in SSO via Chrome working at a basic level, and it’s often faster than Internet Explorer. The only issue I’m aware of at the moment is using SSL with TLS 1.2 and AD SSO. There’s an outstanding bug in Chrome that causes a “sad face” icon when you try to get the SSO into BI Launchpad.

Also, Jayme, if there’s a specific issue you’re hitting, please let me know, and I can see if there are any suggestions I can make.

Comment from Joe: How can we still have a common security model when serving several business areas, each with their own requirements?

 

Martin Macmaster: Thanks for the question, Joe. It’s a nice, broad topic. The idea is to make the CALs as flexible as possible and to make them cumulative. So Info Worker would include applying an Info Consumer CAL.

You can establish a set of CALs for each application you want to use. The usage of an application (for example, whether a user will refresh a report; whether they will save a report; whether they export it to PDF; etc.) is likely to be the same regardless of the business. You can have additional “advanced” CALs to allow for advanced application usage (for example, editing and/or creating new content).

Then, establish functional profiles. For example, you can establish one for users who will just consume content, another for users who will create content, and then more for users who will perform administration duties.

Most likely, there will only really be a few different profiles across the entire company. Likewise, there are likely to only be a few application profiles across the entire company.

Then you can just have the business content within dedicated folders (a folder for finance, one for HR, etc.). These folders can then be controlled by user groups — for example, only users in the HR group are allowed to see the HR folder and contents, and so on.

Comment from Paul G: What is the best way to set up an SSO authentication with Chrome? I would like minimal configuration on the Chrome side.

 

Martin Macmaster: Hi, Paul. Thanks for the question. What type of SSO are you referring to? AD, SAP? Generally, the browser shouldn’t need any additional configuration. Once it’s set up on the server side, the browsers should follow on. Is there a specific issue you’re having?

Comment from MikeW: We have SAP HANA set up via SAML for SSO from BO. That works turnkey with no issues. I am looking for a solution to have it work in the other direction. For example, if I have an XS app in HANA and I want to make a REST or OpenDocument call to BO, I want to have BO trust HANA and be able to get a BO session for a logged-in HANA user. All of our user names are the same across systems.

 

Martin Macmaster: This should be possible depending on which tool set/interface you will use. For example, SAP Design Studio dashboard within HANA XS portal-integration via OpenDocument can leverage the “only once per authentication” approach.

The OpenDocument call can operate with AD to authenticate into the application, and you can use an SDK to keep that session alive so you don’t lose time for each OpenDoc call to resolve the AD SSO.

Next, there will be a Zen Session per Enterprise Session, which will be responsible for CORBA communication, and each browser tab will be mapped to a controller.

The OpenDoc incoming request will then trigger the standard workflow, and SAML SSO will be utilized on the JDBC connection (if that’s the middleware used).

This will work as long as your enterprise account name matches the one in HANA Studio for the external identity. (Which ties back to the answer to Stefan’s question from earlier.)

Comment from Yoav: Hi, Martin. Is there any solid solution for securing Lumira and AOP offline storyboards and views? Is there a way to always force refresh on open to all local applications? In general, how can you prevent users from sending secured data through their inboxes?

 

Martin Macmaster: Hi, Yoav. Thanks for taking part! In Lumira, there is the option of saving documents without data to enforce refresh on open. This should provide enhanced security by restricting the users to viewing documents only with authorized data (also referred to as Refresh on Open).

Equally, it depends on the type of data source you’re using. For example:

  1. XLS/CSV/TXT: Refresh goes through with no credential prompt
  2. FHSQL: User would be prompted for credentials on database
  3. Universe based on Query Panel Extension: DB authentication

This behavior depends on the authentication mode configured on connection:

  • Pre-defined: Passed the pre-defined credential to DB for refresh
  • SSO: Does SSO to DB with user credentials and mapping

In both cases the user wouldn’t be prompted for credentials.

Comment from Umair: This question is geared more towards administration. If a client or customer has lost the BO BI 4.1 administrator password, is there a possible way to retrieve this within the BO tables?

 

Martin Macmaster: Hi, Umair. Here’s a KB that you can use, but please be careful and read the warnings.

Comment from Cynthia: Is there a way to set up roles so users can refresh reports but also be limited to a single company’s data? We have multiple companies with the same structure and all the data is housed in one cube.

 

Martin Macmaster: Hi, Cynthia. Is this for HANA or BW? If this is a BW scenario, you can use analysis authorizations. Custom authorization variables can be used to generate the filter based on information about the user and his company, for example, stored in a custom table.

Comment from Cynthia: It was for BW. Thank you.

Comment from Guest: What are some of the roadblocks people often face when you have multiple BW systems in a single BI system?

 

Martin Macmaster: Hello. This is an issue that we see quite a lot. As long as the user IDs are the same and you set the short name registry fix on every server with a CMS, then once the security token service is configured, things should work. However, you might want to consider the number of roles that you have for each BW system. The more roles you have, the more groups each user is in. And once it reaches high numbers, you may well start to see a performance hit. This is usually caused by the number of groups and the depth of your security model. Please contact us if you would like more specifics, as there are a number of factors that could have a detrimental impact on performance.

Additionally, you might also want to consider the number of connections you have. In this case, you’ll have multiple connections that will probably look the same (except for the backend BW), and there will be a lot of switching connections depending on which BW data you want to hit. Also, if the BW user accounts are merged together, then login via SSO may “failover” to alternative BW systems. This can sometimes give unexpected results.

For example, if you log in with “DEV” credentials but, for some reason, your DEV account login doesn’t work, then you may “failover” to alternative (e.g. PRD) credentials. This may mean that you’re hitting PRD data instead of DEV data — and it’s not necessarily obvious that it’s happening.

Comment from Naresh G: Hello. Can you please suggest the best approach to implementing SSO between HANA and BOBJ?

 

Martin Macmaster: The recommended approach would be to use the SAML functionality within BI 4 to create a trust with the HANA system and then specify unique identity providers in the user admin screens in HANA Studio.

Comment from Nick C.: We are just about to use SAML to connect to HANA from BI 4.1. We use Windows AD to import our users into BI 4. Do you know if there is anything available to do something similar when importing the AD users into HANA?

 

Martin Macmaster: Hi, Nick. Thanks for the question. There is no such out-of-the-box functionality. However, if it’s just about getting the list of users from AD to HANA, then it can be achieved by exporting the list from AD and then using simple manipulations with the text file to generate a set of statements to create these users in HANA. For the overall setup for AD and HANA, see note 1837331.

Comment from Naresh G.: Thank you. This is what we are currently doing, but there is a lot of discussion about using AD or SAP Logon tickets. I am not sure if there are any pros to doing this. If there is any documentation to follow, that would be greatly helpful.

 

Martin Macmaster: Hi, Naresh. If you’re going back to BW SOAP Web Services, then an SAP Logon ticket would be the way to go. But most of the time with HANA, it’s AD that’s used, as the solution has moved on from originally using Kerberos SSO to HANA. With 4.1m this changed to SAML, though.

Comment from Ximena: When having a group-based security configuration on BO 4.1, is it possible to grant specific users rights on a specific document/universe without the user being able to view, modify, or use any other document/universe?

 

Martin Macmaster: Hi, Ximena. Thanks for attending. It’s best practice to only ever grant access/rights to user groups (even if the group only has a single user in it!). If the user will have access to several documents/universes, but will only have access to modify one document/universe from the list, then I would put the modifiable document/universe in its own subfolder. This means you can set separate rights on the modifiable content without resorting to use of “deny” rights — using “deny” is a bad idea, as it can quickly make your security become very complex and make things much harder to troubleshoot.

So, I would put modifiable content in a separate content sub-folder. Then I would establish a new group for your user who has elevated rights. You can then turn off inheritance (if needed) to prevent content in lower sub-folders from inheriting elevated rights that may apply higher up the tree.

I would definitely stay with group-based security, and avoid granting rights to individuals or granting rights on individual content objects within a folder. Best practice is to apply rights at content folder level, and best practice is to only apply rights to user groups. It will make your life much easier in the long run.

Comment from Tom D.: Have you worked on BI 4.2 (beta)? If so, what are the major improvements in this version, and did you face any issues with the upgrade process from BI 4.1? Thanks.

 

Martin Macmaster: Hi, Tom. I have used BI 4.2 quite a bit. My favorite improvement is its Promotion Management, which seems much faster and more stable than in 4.1. The upgrade process is something else, though. We found that Tomcat crashed out-of-the-box due to poor default options in the installer. However, the other issue we faced in the install (C re-distributables not being installed by the MSI) was resolved in 4.2 SP01. For our main install at our customer we’re doing a clean install to cut down on the install data directory size.

Comment from Nick C.: Thanks for the previous answer; it was my planned route. We’ve also got two BI 4 servers in our cluster and four HANA servers. To connect via SSO/SAML we have one HANA certificate we import onto both BI 4 servers, but I am unsure if we need to set up all four HANA servers in the SAML part in BI 4 or if HANA will automatically use all four. This is further complicated because when we switch HANA to DR, we will need to pre-configure the same.

 

Martin Macmaster: Hi, Nick. Due to some IDT issues, the best suggestion would be to configure all master servers — and any capable of being masters — with BI 4, but use the same unique identity provider.

And the certificate from BI4 should go on all HANA nodes.

Comment from Guest: Good day. I have a new BW 7.0 system. How can I go about implementing security measures on the system? Also, is it possible to copy security settings on an ERP system to a BW system? Thank you.

 

Martin Macmaster: Hello. I think I have more questions for you for this. Have you already implemented any security in your BW system? At which point do you have a problem?

Regarding your second question, yes, it is possible to integrate ECC security into a BW system. We have had this done on projects for customers who didn’t want to manually create BW security. If you have more specific settings, please contact me and we can get into the specifics.

Comment from GianFranco: Hi, Martin. Please consider a scenario in which many users log on to BO with their Windows AD user and they have no SAP user, so no alias mapping process is performed. No BW access is needed and data is coming from other relational sources. In this case, how can we profile AD users to view subsets of data at the reporting level? Do we have to profile them on those fields at universe level that they should not be able to query on? If yes, how can we manage this? Thanks in advance. Best Regards, Gian Franco

 

Martin Macmaster: Hi, Gian Franco. Thanks for your question. Assuming your source is relational, I think using restrictions in the universe would be the most straightforward way to go. Unfortunately, there’s no easy management way to do that other than placing restrictions on groups. Another option might be to have a control table that all queries join to. Then, if the user ID (using the @BOUSER option in UDT) is in that table, the query returns the appropriate data.

Comment from Pantry: Hi, Martin. Users and groups in BO 4.1 SP7 take about 12 minutes to populate instead of the normal two to three minutes. Do you have a resolution suggestion?

 

Martin Macmaster: Hi, Pantry. Thanks for taking part. Do you mean when pressing on the Users and Groups option in the CMC?

If so, this is likely to be related to the security set up. Do you get the same issue with the Administrator user? When selecting anything, the system is calculating the security applied to your user for the option you select. The more complex the security (number of groups and depth of security model are two examples) then the longer this will take.

Also, do you have a large number of users and groups?

Comment from Pantry: Yes, the issue occurs when we double-click on user/group in CMC. We have a large number of groups, but it works fine in DEV and PROD. QA is where the issue is.

 

Martin Macmaster: Hi, Pantry. I think we would need to trace the activity to understand, as well as check out your quality environment’s configuration to see the difference. I’ll be providing contact information at the end so feel free to follow up via email.

Comment from Emily L.: I have a website to open a Dashboard file (version 4.1 SP6) that is saved in BI Launchpad. The website uses the dashboard file URL to open it. The dashboard runs with QAAWS queries, and all security is set for the dashboard file and queries. Users sometimes get a couple of errors in Internet Explorer 11 when using the website address, but no error when opening the file directly in Launchpad, and no error opening the website in Firefox. The error messages are: “Cannot find service name [name of query varies]. You do not have the rights to view this service” and “Unable to reconnect to the CMS (FWM 01002)”. Do you have any idea if these errors are security related and where I can correct them? The cause of the errors seems to be due to users losing connection. Thank you.

Martin Macmaster: By first impressions, this sounds like there’s a problem establishing a session with CMS. No matter where the content is opened from, you will need to establish a session in order to view live content. In BI Launchpad you already have a session, so there is no problem there and that’s why it will always work. Outside of BI Launchpad, you won’t necessarily have a session, and it sounds like maybe this is a problem. If using AD authentication, then user sessions can be established in the background when you call the URL, but if not, then it would depend on whether the user already has a session (for example, if they have a BI Launchpad window open in another tab). It’s a difficult one to answer, and ideally I’d like to see the problem firsthand — or better yet, be able to trace it to have a clear idea of what’s happening. Maybe you could look at using the SAP Client Plugin to isolate and trace the workflow.

Comment from Emily L.: Thank you, Martin. That is very helpful, and we can troubleshoot the issue more.

Natalie Miller: As we come to the end of the Q&A, I’d like to thank you all again for joining us today. It was a great conversation. And a special thank you to Martin for being here today and for all your insightful answers!

Martin Macmaster: Thanks everyone for your questions! I hope you’ve found it helpful. If you would like to follow up on any of these topics, you can reach me at martin.macmaster@xoomworks.com, on Twitter @MartXWS or via the Xoomworks BI Twitter @xoomworks_bi. Thanks!
