1. Security From The Trenches
InfoSol, Inc. - Amy O’Neel

2. Security From the Trenches
Security 101 – Precedence and Inheritance
Security 102 – Application Rights
Object only vs Object and Objects Within
4.x Changes
Information Design Tool Security Profiles
Auditing Security
Infosol 2017

3. Security 101
© InfoSol 2017

4. Security 101 Denied > Granted > No Access
Explicit Settings vs Group Settings
Inherited unless Inheritance Broken

5. Explicit Settings
"If a right is explicitly set on a child object that contradicts the rights inherited from the parent object, the right set on the child object overrides the inherited rights. This exception applies to users who are members of groups as well. If a user is explicitly granted a right that the user's group is denied, the right set on the user overrides the inherited rights."

6. Let’s have a look….

7. Security 102 Application Rights vs Content Rights
Sometimes it takes a combination

8. Security 102 Example - Inboxes
Application Settings: 'Send' button 'BI launch pad':  - 'Send to BO Inbox'  - 'Send to destination'  - 'Send to file location'  - 'Send to FTP location'  - 'Organize' 
Copy Object (on from Folder)
Add Objects to the Folder (on Inboxes)
View Users (to select Users)
'Web Intelligence':  - 'Desktop interface - send by mail'  - 'Documents - enable publish and manage content as web service' 

9. On Object Only vs On Object and Sub Objects
(View at Top Level)
© InfoSol 2017

10. Favorites
In 3.x Users were set with principle rights on their own personal folder.
In 4.x User has Everyone group right on their own personal folder
Full Control vs
View Object Only + Full Control (Owner)

11. Object Only Setting – View Object Only
CMC tabs w/ top-level folders
Access Levels
Calendars
Categories
(Universe) Connections
Cryptographic Keys
Events
Federations
Folders
Inboxes
OLAP Connection
Personal Categories
Personal Folders
Profiles
Replication Lists
Servers and Groups
Temporary Storage
Universes
Users and Groups
Web Service Query

12. Let’s have a look….

13. 4.x Changes
© InfoSol 2017

14. Removed or Renamed Removed Renamed Enable drill mode
Interactive: Hide/Show Toolbars
Renamed
Create document to Documents – enable creation
…..and many more
Rule of Thumb – Redo security settings

15. Drill Mode Requires Edit Query in 4.x if drilling out of scope
From the Trenches
4.2 SP4 more secure SSL
SSL – Regenerate certificate (new encryptions, key strength 2048+, enable FIPS
Disable SSL for Upgrade Manager
Drill Mode Requires Edit Query in 4.x if drilling out of scope
Input Control Selection
Requires Reporting – enable formatting in 4.x
“Your security profile does not include permission to edit this document (WIS 30252)”
….. Additional work with CUSTOMIZATIONS if you do not want them to be able to edit
-Hide Design Mode Toolbar
-Hide Application Mode Buttons

16. From the Trenches Administrators Group:
For improved security, only members of the Administrators group can access system configuration wizard.
Only users who are part of the default Administrators group can add users in bulk. This feature is not supported for delegated admins.
When users are added to the Administrators group, they do not inherit the rights required to perform management tasks on cryptographic keys. (Need to be Cryptographic Officers grp)

17. Administrators Group CMC tabs Auditing Authentications
Cryptographic Keys
License Keys
Monitoring
Sessions
Settings
User Attribute Management
Only members of the Administrators group can change management settings, unless a user is explicitly granted rights to do so.

18. Information Design Tool
Security Profiles
© InfoSol 2017

19. Avoid the Refresh Error
“You do not have sufficient rights to refresh the query”
Secret: Allow Data AND Display Objects

20. Let’s have a look….
(If there’s time…..)

21. Set up security in IDT - Universe
Information Design Tool
Security Builder
ROWS tab
Assign Data Security Profile to a User Group
In the security builder of the Information Design Tool, Insert a Data Security Profile for your required universe
Add a Rows security restriction on the Customers table
In our Example its SI_Country, assign this security to an
appropriate group, you can do this for ‘Everyone’, and
save your universe.

22. Information Design Tool Speaking of System Variables…
© InfoSol 2017

23. IBIS 2009 -- June 14 - 17 -- Lake Las Vegas
System Variables
The for XI 3.1 are BOUSER, DBUSER, DBPASS, DOCNAME, DPNAME, DPTYPE, UNVNAME, and UNVID
XI 3.1 SP2 added DOMINANT_PREFERRED_VIEWING_LOCALE, PREFERRED_VIEWING_LOCALE
XI 4.x added DOCID and removed DBPASS
… And added User Defined Attributes
IBIS June Lake Las Vegas

24. IBIS 2009 -- June 14 - 17 -- Lake Las Vegas
System Variables in
SELECT - to display user on report
WHERE – to filter results by user
END_SQL – to track users and documents running queries in database logging
ConnectInit in custom connection parameters
SET QUERY_BAND = 'ApplicationName=YourAppHere; FOR TRANSACTION (or SESSION) ;
BEGIN_SQL
SET for transaction;
IBIS June Lake Las Vegas

25. BOUser in @Execute Personalized, Multiple Values LOV
Data Foundation LOV, “BOUserCustomer”
SELECT distinct Customer.Last_Name
FROM Customer, Employee, Orders
WHERE Employee.Last_Name
and Customer.Customer_ID = Orders.Customer_ID
and Orders.SalesPerson_ID=Employee.Emp_ID
Table filter
Customer.Last_Name

26. Auditing Security
© InfoSol 2017

27. How to Visualize a MATRIX?
The Matrix
GROUPS AND SUB GROUPS
Denied > Granted > No Access
Explicit Settings vs Group Settings
Inherited unless Inheritance Broken
FOLDERS and SUB FOLDERS
How to Visualize a MATRIX?

28. 3rd Party Tools
360View

29. 3rd Party Tools
360Eyes

30. IBIS 2018 Open for Registration
The Premier BusinessObjects Education & Knowledge Exchange Event of the Year! June | Park Hyatt Aviara Carlsbad, CA AttendIBIS.com
ALL INCLUSIVE (HOTEL/FOOD/CONFERENCE)
HANDS-ON TRAINING
Organized in modules to allow for jumping between tracks as needed.

31. Session:
QUESTIONS??? Amy O’Neel text BOUG17 to to receive the slides from this presentation
IBIS June Lake Las Vegas