September 14, 2009
With BO XI 3.1 SP2 out in July this year, it is probably time to make a trip down the years to find out how the XI platform has evolved and matured.
The timeline:
- XI R2 SP2 – service pack release in March 2007 with productivity pack – QaaWS and LiveOffice connectors
- XI 3.0 – new major release in February 2008 – the first release after SAP acquired BOBJ in October 2007
- XI 3.1 – upgrade release in September 2008
- XI 3.1 SP2 – service pack release on 24 July 2009 – with enhanced SAP integration
Where were we with XI R2:
- Change to Crystal service-oriented platform (Crystal 10 architecture)
- Ability to plug Crystal Reports, Web Intelligence, Desktop Intelligence, OLAP Intelligence, Dashboard Manager, Performance Manager directly into the framework
- Single repository, security, system management, publishing, portal
- Infoview (Replaced old BO Infoview and Crystal ePortfolio)
- Central Management Console (CMC)
- Import Wizard (upgrades from BO 5, 6, XI, Crystal 8.5, 9, 10)
- Desktop Intelligence (new name for BO full client + ability to query and display Unicode data)
- Publishing, Encyclopedia, Discussions, OLAP Intelligence, Performance Management
- Changes to Data Integrator, Composer, Metadata Manager
XI 3.0 (Titan)
- All administration moved to the Central Management Console – CMC – with new GUI
- Bulk action support in CMC
- Central Configuration Manager – CCM is still there (to manage multiple nodes) with 2 entries: Tomcat & SIA
- Server Intelligence Agent (SIA) – handles service dependencies
- Server Intelligence in CMC – clone server deployments
- Repository Federation – replicate repository on other BO cluster
- Repository Diagnostic Tool (Infostore vs FileStore – repair inconsistencies between CMS database entries and files in FRS)
- Improved Import Wizard
- Web Intelligence Rich Client (offline viewing of WebI reports, no session timeout)
- Data change tracking in Web Intelligence
- Designer – “Database delegated” projection on measures
- Universe based on stored procedures
- Prompt syntax extension (persistent/primary_key undocumented features, finally!)
- Personal data provider – combine data from Excel, text, csv and get into a single report
- Smart cubes – support for non-additive measures (percentages, ratios) and RDBMS analytical functions
- Multi language support – dimensions, measures, prompts automatically localized to report viewer’s language
- Native Web Intelligence printing (without PDF)
- Embed image in Web Intelligence report
- Hyperlinks dialog box makes links easy to create – syntax generated by Web Intelligence (remember opendocument()?)
What’s new in XI 3.1
- Support for multi-forest Active Directory authentication
- IP v6 support
- Lifecycle Management Tool (LCMBIAR files, replace Import Wizard)
- Saving Web Intelligence documents as CSV (data-only files) – new sheets for every 65K rows of data
- Web Intelligence Autosave
- “Begin_SQL” SQL prefix variable
- Prompt syntax extension (support for key-value pairs!)
- Business Objects Voyager enhancements
- Live Office enhancements
- WebIntelligence – Automatic loading of cached LOVs, interactive drag-drop, report filter bar, cancel refresh-on-open
What’s new in XI 3.1 SP2
In one of my next posts, I’ll cover selected new features in detail.
-Maloy
While developing a Business Objects security model, you need to focus on the different types of security:
- Functional Security – governs access to specific application features, e.g. editing reports, drilling down, scheduling reports etc.
- Data Security – governs access to specific data – rows, columns or cells – as per authorization
- Infrastructure Security – governs physical and electronic access to systems
Infrastructure security is the first to be designed. This typically happens when the architecture is being drawn up. It is important to get early visibility into the various ways the system is likely to be used, not only in the present but also in the foreseeable future, so that adjustments and capacity for future needs can be planned to the extent possible. This also helps in deciding on the type of data security that would be required initially, though this can change over time.
The various security considerations for access control include:
- Identification – is this a valid user? Usually taken care of by password management
- Authentication – is the user allowed to use the system? This can be done by BO or externally with a third-party tool, including but not limited to LDAP / Active Directory etc.
- Authorization – governs fine-grained entitlements or access: which parts of the application and data can the user access?
Let us look at the security approaches to authorization. (I will cover the various approaches to authentication and single-sign-on in a separate post).
Security policies can be held in the BO repository (functional + data security)
- Authentication can be performed by BO or externally
- Incorporates security policies in the BO repository
- Supports row-level and column-level security
- Data security can be controlled at application, connection, universe and report level
Custom security utilizing security tables, and joins forced in Universe Designer (functional + data security)
- Includes custom-built security tables to store users, groups, privileges etc. The joins to these are forced in report queries.
- BO users are mapped to data in these tables – the data can be maintained with ETL processes
- The @BOUSER variable can be used to get the user logins and can be used for implementing row/column level security
- Allows both user-centric and object-centric views by querying the security tables
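The custom security table approach above, as an added example that is not from the original post. The table, column and login names are constructed, and `@Variable('BOUSER')` is the Universe Designer syntax for reading the BOUSER login.

```sql
-- Constructed schema: table, column and login names are illustrative assumptions.
CREATE TABLE sec_user_region (
    bo_login    VARCHAR(64) NOT NULL,   -- must match the BO login exactly
    region_code VARCHAR(10) NOT NULL,
    PRIMARY KEY (bo_login, region_code)
);

CREATE TABLE sales_fact (
    sale_id     INTEGER       PRIMARY KEY,
    region_code VARCHAR(10)   NOT NULL,
    amount      DECIMAL(12,2) NOT NULL
);

-- Constructed sample rows; in practice an ETL process maintains the mapping.
INSERT INTO sec_user_region VALUES ('asmith', 'EMEA');
INSERT INTO sec_user_region VALUES ('asmith', 'APAC');
INSERT INTO sec_user_region VALUES ('bjones', 'AMER');
INSERT INTO sales_fact VALUES (1, 'EMEA', 100.00);
INSERT INTO sales_fact VALUES (2, 'AMER', 250.00);
INSERT INTO sales_fact VALUES (3, 'APAC',  75.00);

-- Universe side (entered in Universe Designer, not run as SQL):
--   join:         sales_fact.region_code = sec_user_region.region_code
--   restriction:  sec_user_region.bo_login = @Variable('BOUSER')
-- What the database receives when 'asmith' refreshes a report:
SELECT f.region_code, SUM(f.amount) AS total_amount
FROM   sales_fact f
JOIN   sec_user_region s ON s.region_code = f.region_code
WHERE  s.bo_login = 'asmith'
GROUP  BY f.region_code;
-- A login with no mapping rows joins to nothing and gets an empty result.

-- Object-centric view: which logins can see EMEA rows?
SELECT bo_login FROM sec_user_region WHERE region_code = 'EMEA';

-- User-centric view: which regions can 'asmith' see?
SELECT region_code FROM sec_user_region WHERE bo_login = 'asmith';

-- Review check: mapping rows that point at a region with no fact data
-- (stale or mistyped entitlements left behind by the ETL load).
SELECT s.bo_login, s.region_code
FROM   sec_user_region s
LEFT   JOIN sales_fact f ON f.region_code = s.region_code
WHERE  f.region_code IS NULL;
```

The restriction protects only queries whose generated SQL includes `sec_user_region`, so check the generated SQL of representative reports; anyone querying the database directly is not covered by it.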
Table mapping or virtual private views – can be implemented with Oracle VPD and label security
- Allows fine grained access control with airtight cell-level security if required
- Policies are set up in Oracle VPD, labels control column access, multiple views for multiple users
- Works for ad-hoc queries also
- Requires thorough testing to prevent SQL injection attacks; can lead to performance problems due to additional predicates
- Can easily become overly complex; however, it is a must-have where airtight security is required
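A VPD policy for a row filter of this kind, as an added example that is not from the original post. It shows the concatenated predicate that the SQL injection warning above is about, beside a form that keeps the session value out of the predicate text. The schema `SALES`, the tables and the application context `bo_sec_ctx` (assumed to be set by a trusted package at session start) are constructed names.

```sql
-- Oracle PL/SQL. All object names are constructed for illustration.
CREATE TABLE sec_user_region (bo_login VARCHAR2(64), region_code VARCHAR2(10));
CREATE TABLE sales_fact (sale_id NUMBER, region_code VARCHAR2(10), amount NUMBER);

-- Weak form: the session value is pasted into the predicate text, so a
-- login containing a quote character changes the shape of the WHERE clause.
CREATE OR REPLACE FUNCTION sales_policy_weak (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
    RETURN 'region_code IN (SELECT region_code FROM sec_user_region '
        || 'WHERE bo_login = ''' || SYS_CONTEXT('bo_sec_ctx', 'bo_login') || ''')';
END;
/

-- Hardened form: the predicate text is constant. SYS_CONTEXT is evaluated
-- when the query runs, and its result is only ever treated as a value.
CREATE OR REPLACE FUNCTION sales_policy (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
    RETURN 'region_code IN (SELECT region_code FROM sec_user_region '
        || 'WHERE bo_login = SYS_CONTEXT(''bo_sec_ctx'', ''bo_login''))';
END;
/

-- Attach the hardened function; Oracle appends the predicate to every
-- SELECT on the table, including ad-hoc queries.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'SALES',
        object_name     => 'SALES_FACT',
        policy_name     => 'SALES_REGION_POLICY',
        function_schema => 'SALES',
        policy_function => 'SALES_POLICY',
        statement_types => 'SELECT'
    );
END;
/

-- If the context was never set, SYS_CONTEXT returns NULL, the comparison
-- bo_login = NULL matches nothing, and the policy returns no rows.
```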
Third party authorization using SiteMinder or LDAP or Active Directory
- Authorization is based on directory entries in LDAP or Active Directory (people/group/role/IP address or rule)
- Fine grained access control still requires some form of usage of BO or the database for auxiliary authorization.
What should be the preferred approach? The answer is “Well, it depends!” The approach depends on what is actually required and is feasible at your particular organization. In all cases however (except for VPD), there are a few best practices to be followed, if BO is used and CMC is used to configure security:
- Grant rights to groups on folders, rather than individual objects to minimize complexity
- Use pre-defined rights wherever possible, and Custom Access Levels instead of Advanced Rights
- Avoid breaking inheritance to minimize complexity and simplify maintenance
- Add multiple users to the Administrators group, rather than sharing the administrator account, for better traceability
- Set up an audit policy and periodically review your deployment
- Document and maintain the security structure outside the CMC - a spreadsheet can be a good choice.
- Use Permissions Explorer, Check Relationships and Security Query to diagnose and correct security issues. These are also useful to verify tasks are completed without issues, while adding/deleting/modifying principals/objects/rights.
- Allocate time and document the process for the administrators and support staff and prepare for their training on new workflows in CMC in BO XI 3.1
- Maloy