
Security Implementation in Business Objects

Status
Not open for further replies.

dasnani

Programmer
Sep 2, 2004
7
US
Hello all,
When viewing WebI or BO documents through InfoView, how is security implemented to ensure that users only see those documents and those pages in each document they have access to?

Has anyone created solutions to implement their own security framework over the BO security framework? How difficult is it?
 
The security you are talking about REQUIRES that each user refresh the report at run-time. Row-level security can only be enforced when the queries are refreshed by the user.

If you have access to tech support, you should log on and do a search for "Miami&Designer". You'll see a presentation on several methods for implementing row-level security.

Steve Krandel
Westbay Solutions
 
Thanks Steve.

I appreciate your prompt suggestions and notice that you have been really involved in BO.
I went through your ppt presentation and this is what I understood:

We are limiting the access of users to the data objects they can view to implement security. Once users can only see their data objects, the queries they build and execute will only return data which they have access to. Is that correct and is this what is meant by row-level security?
Out of the four options for implementing row-level security, options 3 and 4 seem most likely for us.

If I may ask, what other security implementations are possible apart from row-level security? How difficult is it to customize BO's security system, which is user profile based? Would it be possible to build an LDAP-JSP based solution instead of using BO's security mechanism?

Thanks in advance,
Dheeraj Asnani
 
BO only interfaces with outside systems (LDAP) for authentication. Authorization is done within the repository.

Row-level security can be done a variety of ways. But, realistically, it's got to be done either in the BO repository, at the universe level or at the database level. Or, some combination of all 3. If your database supports security via LDAP, you can certainly pass the BO id to the database and take advantage of what you already have.

Steve Krandel
Westbay Solutions
 
Steve,

Isn't there any security implementation that doesn't involve set-up on the database or Universe level? Can one have security implemented on the (JSP) WebIntelligence UI level?

As an example, Actuate reports can be run off the web by simply posting filters in an HTML form to a report. One can use a JSP and build a set of custom classes to limit the selection criteria for each filter that the report runs for. In this scenario, security is enforced by the custom application rather than by creating restrictions in the repository or enforcing database restrictions by forcing joins on object tables and security_header table.

If the only way BO security can be implemented is by either creating row-level restrictions in the Universe or passing USER_VAR to the Designer, my question is: "Why did BO choose such an implementation that requires high initial set-up and high maintenance?"
 
I don't agree with your comment. It's not better or worse, it's just different. You're familiar with the Actuate method so it seems easy. BO's method is very similar, it just does it at the query level, which is more secure.

Steve Krandel
Westbay Solutions
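
Added example, not part of any post in this thread and not Business Objects code: a small sqlite3 sketch contrasting a report that trusts a filter chosen at the UI level with one that forces a join to a `security_header` table at the query level. The `sales` table, the column names, the user names and the function names are constructed for illustration; only the `security_header` name comes from the thread.

```python
import sqlite3

def build_db():
    """Constructed sample data: a fact table plus a per-user entitlement table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sales (region TEXT, amount INTEGER);
        CREATE TABLE security_header (bo_user TEXT, region TEXT);
        INSERT INTO sales VALUES ('EAST', 100), ('EAST', 250), ('WEST', 900);
        INSERT INTO security_header VALUES
            ('alice', 'EAST'), ('bob', 'EAST'), ('bob', 'WEST');
    """)
    return db

def ui_filter_choices(db, bo_user):
    """UI level: the form only offers the regions this user is entitled to."""
    rows = db.execute(
        "SELECT region FROM security_header WHERE bo_user = ? ORDER BY region",
        (bo_user,))
    return [r[0] for r in rows]

def ui_level_report(db, posted_region):
    """UI level: the query trusts whatever filter value reaches it, so the
    restriction holds only while every request comes through the form."""
    return db.execute(
        "SELECT region, amount FROM sales WHERE region = ? ORDER BY amount",
        (posted_region,)).fetchall()

def query_level_report(db, bo_user, posted_region=None):
    """Query level: every query is joined to security_header on the
    authenticated user id, so the filter can only narrow the result."""
    sql = ("SELECT s.region, s.amount FROM sales s "
           "JOIN security_header h ON h.region = s.region "
           "WHERE h.bo_user = ?")
    params = [bo_user]
    if posted_region is not None:
        sql += " AND s.region = ?"
        params.append(posted_region)
    sql += " ORDER BY s.region, s.amount"
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("form offers alice:", ui_filter_choices(db, "alice"))
    print("UI-level, filter WEST:", ui_level_report(db, "WEST"))
    print("query-level, alice, filter WEST:", query_level_report(db, "alice", "WEST"))
    print("query-level, alice, no filter:", query_level_report(db, "alice"))
```

The forced join only takes effect when the query actually runs under the viewing user's id, which is why the earlier reply ties row-level security to each user refreshing the report.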
 
Sorry Steve, but you did not answer my original question.
Can I assume that BO security has to be at the query level only? Nothing can be done at the UI level?

Thanks,
Dheeraj.



 