Technical white paper
HP Automation Insight
Managing HP AI User Accounts and Groups
Table of contents
1. Introduction
2. Access Level - Definitions
3. Assigning Access Levels
3.1 Access Levels for HP AI Pre-defined / Out Of Box reports
3.1.1 Provide access level permissions to Folders
3.1.2 Provide access level permissions to Connections
3.1.3 Provide access level permissions to Universes
3.2 Access Levels for HP AI Universes
3.2.1 Provide Access levels permissions to Web Intelligence
3.2.2 Provide Access levels permission to Servers
3.2.3 Provide Access levels permission to Connections
3.2.4 Provide Access levels permission to Universes
4. HP AI Access Levels for Scheduling Reports
4.1. Configure the Adaptive Job Server
4.2. Scheduling the Reports in HP BI Launch Pad
5. Restricting access to an inherited folder
6. Customer Access Levels
6.1. Create Custom Access Levels
6.2. Modify Rights in a Custom Access Level
1. Introduction
This white paper describes the account management tasks for users and groups. It explains how to
add, modify and remove access levels within Automation Insight (AI) by using the SAP
BusinessObjects Enterprise CMC console.
This document describes how to assign security access levels to Automation Insight (AI) users
and groups in BO. For simplicity, it is recommended that access levels be assigned at group level.
In Automation Insight (AI), users can either be created manually or imported from SA using the AI
admin console. For more details, see the AI admin guide.
By default, users created in AI do not have permission to view, run or create reports. To
view, run or create reports, security access levels must be assigned to the users or groups for
BI Folders, Servers, Web Intelligence, Connections, and Universes. The procedures below describe
how to set permissions for AI users and groups.
Objectives
1. Create Custom Access Levels
2. Modify Rights in a Custom Access Level
3. Assign Access Levels for Groups on the Folders
4. Assign Access Levels for User Universe Access
5. Assign Access Levels for User Data connection Access
6. Assign Access Levels for User Application Access
The Central Management Console (CMC) is a web-based tool which offers a single interface
through which you can perform administrative tasks, including user management, content
management, and server management.
Note: Any user with valid credentials to SAP BusinessObjects Business Intelligence platform can
log onto the CMC and set preferences for users. However, users who are not members of the
Administrators group cannot perform any of the available management tasks unless they have
been granted rights to do so.
2. Access Level - Definitions
Inherited: the folder inherits the same rights as the folder above.
No Access: the group is not able to access the folder, unless rights are inherited due to being granted
explicitly at a higher level. This predefined access level actually means "not specified" (explained under
"advanced rights" below).
View: the group is able to view the folder, the objects contained within the folder, and all generated
instances of each object. The group cannot schedule an object or refresh it against the datasource.
Schedule: In addition to the rights granted by the View access level, the group can generate instances by
scheduling the object to run against the datasource once or on a recurring basis. The group can view,
delete and pause the scheduling of instances that they own. They can also schedule to different formats
and destinations, set parameters and database logon information, add contents to the folder and copy
the folder.
View on Demand: In addition to the rights granted by the Schedule access level, the user gains the right
to refresh data on demand from the data source.
Full Control: In addition to the rights granted by the View on Demand access level, the user gains all of
the available advanced rights. This is the only access level that allows users to delete objects, folders and
instances.
Advanced Rights: provides administrators with full control over object security and allows you to make
advanced object rights settings for any group. Each folder right can be:
o Explicitly Granted – the group is given the designated access right
o Explicitly Denied – the group is not given the designated access right. If the group is granted the
access right through another group membership, the denial takes precedence
o Not specified – the right is not assigned to the group, so it is not granted. Unlike an explicitly
denied access right, the user or group could be granted the access right through another group
membership, or inherit the rights from a higher group or folder level.
3. Assigning Access Levels
• Access Levels for HP AI Pre-defined / Out Of Box reports
• Access Levels for HP AI Universes
• Access Levels for Scheduling Reports
3.1 Access Levels for HP AI Pre-defined / Out Of Box reports
After deploying the Pre-defined / Out Of Box reports shipped with AI via HPLN-Solution Packs, or
after deploying custom reports, the HP AI Admin user needs to grant access levels for these reports
to the desired Users/Groups. Based on the access levels granted to them, HP AI users can update,
create, view and schedule reports. The following sections describe how to provide access levels.
Important points
• For Non-Administrator Users/Groups,
o Only the View, View on Demand and Schedule permissions should be assigned
• For Administrator Users/Groups,
o Full Control, Full Control (owner) permissions should be assigned
For HP AI users to work with AI reports, they need to be assigned permissions for the following BO
entities:
• Folders
• Connections
• Universes
3.1.1 Provide access level permissions to Folders
“Folders” are the locations where the HP AI Reports are stored in the BI Platform. Access to them
needs to be controlled via access levels. The steps are:
1. Log in to CMC
2. Select “Folders” from the drop-down menu
3. Select the top level folder (All folders) and click Manage to assign security settings
4. Select ‘Top level security’ and then ‘All folders’
5. Click on the ‘Add Principals’ button
6. Select User list to assign access permissions to an individual User, or select Group list for
Group level permissions
7. From the list of Groups, select the required group(s), click on the right arrow button and then
click on the ‘Add and Assign security’ button
8. A new ‘Assign Security’ window opens. Here you should select the access level for the Group/User
based on its role (Administrator or Non-Administrator). Multiple access levels can be provided for a
User/Group
Selection criteria based on the User/Group role:
• For Non-Administrator Users/Groups,
o Only the View, View on Demand and Schedule permissions should be assigned
• For Administrator Users/Groups,
o Full Control, Full Control (owner) permissions should be assigned
9. Finally, we can see the User name or group name with the access levels accordingly.
3.1.2 Provide access level permissions to Connections
1. Log in to CMC
2. Select “Connections” from the drop-down menu
3. Select the top level folder (Connections) and click Manage to assign security settings
4. Select ‘Top level security’ and then ‘All Connections’
5. Click on the ‘Add Principals’ button
6. Select User list to assign access permissions to an individual User, or select Group list for
Group level permissions
7. From the list of Groups, select the required group(s), click on the right arrow button and then
click on the ‘Add and Assign security’ button
8. A new ‘Assign Security’ window opens. Here you should select the access level for the Group/User
based on its role (Administrator or Non-Administrator). Multiple access levels can be provided for a
User/Group
Selection criteria based on the User/Group role:
• For Non-Administrator Users/Groups,
o Only the View, View on Demand and Schedule permissions should be assigned
• For Administrator Users/Groups,
o Full Control, Full Control (owner) permissions should be assigned
Select the access level and click ‘Apply’. Then click the ‘Ok’ button.
9. Finally, we can see the User or group with the access levels accordingly.
3.1.3 Provide access level permissions to Universes
1. Log in to CMC
2. Select “Universes” from the drop-down menu
3. Select the top level folder (Universes) and click Manage to assign security settings
4. Select ‘Top level security’ and then ‘All Universes’
5. Click on the ‘Add Principals’ button
6. Select User list to assign access permissions to an individual User, or select Group list for
Group level permissions
7. From the list of Groups, select the required group(s), click on the right arrow button and then
click on the ‘Add and Assign security’ button
8. A new ‘Assign Security’ window opens. Here you should select the access level for the Group/User
based on its role (Administrator or Non-Administrator). Multiple access levels can be provided for a
User/Group
Selection criteria based on the User/Group role:
• For Non-Administrator Users/Groups,
o Only the View, View on Demand and Schedule permissions should be assigned
• For Administrator Users/Groups,
o Full Control, Full Control (owner) permissions should be assigned
Select the access level and click ‘Apply’. Then click the ‘Ok’ button.
9. Finally, we can see the User or group with the access levels accordingly.
3.2 Access Levels for HP AI Universes
After deploying the Universes shipped with AI via HPLN-Solution Packs, the HP AI Admin user needs to
grant access levels for these universes to the desired Users/Groups. Based on the access levels
granted to them, HP AI users can create, view and schedule reports using the HP AI Universe. The
following sections describe how to provide access levels.
The following HP AI universes need to be granted access to Users/Groups. These HP AI Universes will
be listed only after deployment of the respective Solution Pack in the HP AI Web Administration
For HP AI users to work with Universes, they need to be assigned permissions for the following BO
entities:
• Web Intelligence
• Servers
• Connections
• Universes
Note: HP AI Universes should be restricted to Administrator User/Group roles only, as this
requires ‘Full Control’ for the above BO entities.
3.2.1 Provide Access levels permissions to Web Intelligence
1. Log in to CMC
2. Select Applications from the drop-down, right-click on Web Intelligence and then click User Security
3. Select User list to assign access permissions to an individual User, or select Group list for
Group level permissions
4. From the list of Groups, select the required group(s), click on the right arrow button and then
click on the Add and assign security button
5. Select ‘Full Control’ from the available access levels, and click Apply and then OK
6. Finally, we can see the User name or group name with the access levels accordingly.
3.2.2 Provide Access levels permission to Servers
To assign access levels for the Server entity, follow the same procedure as listed under section
3.2.1 after selecting ‘Servers’ from the CMC Home Page drill down, i.e. all 6 steps mentioned in
section 3.2.1 need to be followed.
Finally, we should be able to see the User name or group name with the access levels accordingly
3.2.3 Provide Access levels permission to Connections
To assign access levels for the Connections entity, follow the same procedure as listed under
section 3.2.1 after selecting ‘Connections’ from the CMC Home Page drill down, i.e. all 6 steps
mentioned in section 3.2.1 need to be followed.
Finally, we can see the User name or group name with the access levels accordingly
3.2.4 Provide Access levels permission to Universes
Assigning access levels for the Universes entity:
1. Select Universe from the drop-down, right-click on Audit Compliance Universe and then click
User Security
2. From the list of Groups, select the required group(s), click on the right arrow button and then
click on the Add and assign security button
3. Give Full Control. Finally, we can see the User name or group name with the access levels
accordingly
• After the above settings, when logged into BI Launch Pad as any user from the Group (for
which permissions are granted) and clicking on the new Web Intelligence Document,
we can see the ‘SA Audit Compliance Universe’ accordingly.
Note: Similarly, repeat the steps for different User(s) or User group(s) and for different Universes
4. HP AI Access Levels for Scheduling Reports
HP AI reports can be scheduled to different destinations (FTP Server, BI Inbox, File System, or Email)
after completing the following configurations:
• Configuring Adaptive Job Servers in BO CMC
• Scheduling the Reports in HP BI Launch Pad
4.1. Configure the Adaptive Job Server
The adaptive job server is the server responsible for scheduling jobs for SAP BusinessObjects reporting.
To configure the adaptive job server, perform the following steps:
1. Log on to the CMC.
2. In the left pane, click Servers List.
3. In the Server Name column, right-click on ai.AdaptiveJobServer and select Properties.
4. In the Properties window, click Destination.
5. Select the destination type (FTP Server, BI Inbox, File System, or Email).
6. Click Save & Close to return to the CMC Servers window.
4.2. Scheduling the Reports in HP BI Launch Pad
Once the Adaptive Job Server has been configured by a user with the HP AI administrator role, AI
users should be able to schedule reports with their preferred destinations.
Note: In HP BI Launch Pad, the ‘Schedule’ option is available only to AI users who have been
granted ‘Schedule’ as an access level by the AI Administrator in BO CMC, during the access level
assignment described in the sections above.
Steps to schedule any HP AI report are listed in the “Schedule a Report” section under About Web
Intelligence Reporting in the HP Automation Insight (AI) user guide.
5. Restricting access to an inherited folder
Permissions on HP AI (BI Report) subfolders are always inherited from the parent folder. If the HP AI
administrator wants to control permissions on subfolders, the following steps help to control access
to them.
For example, this section shows how to restrict the HP SA Audit User/Group from viewing the ‘Patch
Compliance’ and ‘Software Compliance’ subfolders.
1. Log in to CMC
2. Select “Folders” from the drop-down menu
3. Select the patch folder, click Manage and then select User Security
4. Select the unwanted user(s) or group(s) and then click Assign Security
5. Click Remove Access, and then Apply and OK
6. Finally, we should be able to see ‘No Access’ for the selected user(s) or group(s)
Before and after restricting access level permissions
6. Customer Access Levels
Access levels are groups of rights that users frequently need. They allow administrators to set common
security levels quickly and uniformly rather than requiring that individual rights be set one by one.
Predefined access levels come with BO. Beginning with View and ending with Full Control, each access
level builds upon the rights granted by the previous level.
• View
• Schedule
• View on Demand
• Full Control
• No Access
Top-Level Folder Security
Top-level folder security is the default security set for each specific object type (for example Universes,
Web Intelligence Application, Groups and Folders). Each object type has its own top-level folder (root
folder) that all the objects below inherit rights from. If there are any access levels common to certain
object types that apply throughout the whole system, set them at the top-level folder specific to each
object type.
Folder-level security
Folder-level security enables you to set Access-Level rights for a Folder and the Objects contained within
that folder. While folders inherit security from the top-level folder (root folder), subfolders inherit the
security of their parent folder. Rights set explicitly at the folder level override inherited rights.
Object-level security
Objects in BIP inherit security from their parent Folder. Rights set explicitly at the object level override
inherited rights.
NOTE: Term ’Principal’ can mean either ’User’ or ’Group’.
Inheritance
The rights that users have to objects in the system come from a combination of their memberships in
different groups and subgroups and from objects which have inherited rights from parent folders and
subfolders. These users can inherit rights as the result of group membership; subgroups can inherit
rights from parent groups; and both users and groups can inherit rights from parent folders. By default,
users or groups who have rights to a folder inherit the same rights for any objects that are subsequently
published to that folder. The best practice is to set the appropriate rights for users and groups at the
folder level first, then publish objects to that folder.
BO recognizes two types of inheritance:
1. Group Inheritance
Group inheritance allows principals to inherit rights as the result of group membership. Group
inheritance proves especially useful when you organize all of your users into groups that coincide with
your organization’s current security conventions.
2. Folder inheritance
Folder inheritance allows principals to inherit any rights that they have been granted on an object’s
parent folder. Folder inheritance proves especially useful when you organize SAP BusinessObjects
Business Intelligence platform content into a folder hierarchy that reflects your organization’s current
security conventions.
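The rules above (a right is explicitly granted, explicitly denied or not specified; rights arrive through group and folder inheritance; settings made explicitly on a folder override inherited ones) can be worked through before a restriction such as the one in section 5 is applied. The Python below is an added example, not HP or SAP code: it models only the rules as this paper states them, and the folder tree, group names and users are constructed for illustration.

```python
from enum import Enum

class State(Enum):
    GRANTED = "explicitly granted"
    DENIED = "explicitly denied"
    NOT_SPECIFIED = "not specified"

# Constructed sample data (hypothetical folder, group and user names).
PARENT_FOLDER = {
    "All Folders": None,
    "AI Reports": "All Folders",
    "Patch Compliance": "AI Reports",
    "Software Compliance": "AI Reports",
}
MEMBER_OF = {                        # principal -> groups it belongs to
    "alice": ["SA Audit"],
    "bob": ["Report Viewers"],
    "SA Audit": ["Report Viewers"],  # subgroup of Report Viewers
}
ASSIGNED = {                         # (folder, principal, right) -> state
    ("All Folders", "Report Viewers", "View"): State.GRANTED,
    ("Patch Compliance", "SA Audit", "View"): State.DENIED,
    ("Software Compliance", "SA Audit", "View"): State.NOT_SPECIFIED,
}

def principals_for(user):
    """The user plus every group reached through group inheritance."""
    seen, todo = set(), [user]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(MEMBER_OF.get(p, []))
    return seen

def effective(folder, user, right):
    """Return (allowed, reason) for one right on one folder."""
    who = principals_for(user)
    while folder is not None:
        states = {p: ASSIGNED.get((folder, p, right), State.NOT_SPECIFIED)
                  for p in who}
        denied = sorted(p for p, s in states.items() if s is State.DENIED)
        granted = sorted(p for p, s in states.items() if s is State.GRANTED)
        if denied:       # denial wins over a grant from another group
            return False, f"denied for {denied[0]} on {folder}"
        if granted:      # explicit setting at the nearest level decides
            return True, f"granted to {granted[0]} on {folder}"
        folder = PARENT_FOLDER[folder]   # not specified: ask the parent
    return False, "not specified at any level"

def audit(user, right="View"):
    """Effective right on every folder, for a before/after review."""
    return {f: effective(f, user, right)[0] for f in PARENT_FOLDER}

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, audit(who))
```

In this model the "not specified" entry on Software Compliance leaves the inherited View right in place, while the explicit denial on Patch Compliance blocks it, so the effective right is the thing to compare before and after a change.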
6.1. Create Custom Access Levels
To create a new ACL:
1. Log in to CMC and click on CMC > Access Levels
2. Click New > Create Access Level
3. Name it “ViewThisLevelOnlyCAL” (name taken as an example)
4. Click OK
The new ACL is created
ViewThisLevelOnlyCAL created
Click on the newly created ViewThisLevelOnlyCAL > User Security (by default, two groups are assigned
to this ACL)
Add Principals to ACL > Select Groups from the list (use Shift to select multiple groups). Groups are
assigned to the ACL
6.2. Modify Rights in a Custom Access Level
Rights are the base units for controlling user access to the objects, users, applications, servers, and other
features in BusinessObjects Enterprise. They play an important role in securing the system by specifying
the individual actions that users can perform on objects. Besides allowing you to control access to your
BusinessObjects Enterprise content, rights enable you to delegate user and group management to
different departments. It is important to note that rights are set on objects and folders rather than on
the principals who access them.
To set rights on users and groups
Go to the ACL management area of the CMC.
Select the ViewThisLevelOnlyCAL you want to grant access to.
Click the Include Rights tab.
Click Add/Remove Rights
Select Rights Collection > Grant access to the specified rights for users.
Click OK.
Click on ViewThisLevelOnlyCAL > Included Rights > Add/Remove Rights
Click on Rights Collections > Grant Required rights from General
Note: Once the AI Administrator has created a ‘Custom Access Level’, it can be mapped to
User(s)/Group(s) as per the requirement. For mapping of users and groups to custom access levels refer
The final list of rights below is required for users to view and read the reports
Rights from collections: General, Content, Application, System
The rights below are required for users to schedule the reports