cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP BO Security Management (Windows AD)

Go to solution
Former Member

on ‎05-30-2013 10:15 AM

0 Kudos

Hi

 
     Now SAP BO is accessible in my organization at zonal office level and regional office level (using Windows AD). Now the data security for SAP BO (Dashboard and WebI) is managed manually by data security profile created for each zone and region using IDT. The Explorer security is managed by excel file. Now a user from a region/zone can see data of his region/zone only.

     There are 40 regions and 10 zones. New regions and zones are going to be added so soon. Also there may be transfer/promotion of the users among different regions and zones. So data security profile of existing users may change or new users are to be added. Also there may be a decision to give access to the branch level also (1100+ branches are there). As you know, then the above said process will be a tedious one.

  The user’s region/zone data is available in Windows AD parameters. Isn’t there any option which can automatically capture the profile of the user from the details/parameters available, when we integrate with Windows AD?

Please give me a solution.

Thanks & Regards

Sandeep

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member184468
Active Participant
‎05-31-2013 5:58 PM
0 Kudos

Yes, you can capture the user's region from AD data.

Check the user attribute mapping feature described here:

http://scn.sap.com/community/bi-platform/blog/2012/07/05/user-attribute-mapping-in-bi4

You can apply security or filter based on a user's country or region for example.

Not sure if this will match your requirement exactly, but it sounds like it's close to what you're trying to do.

Show replies
Show replies

Answers (2)

Answers (2)

Former Member
‎05-31-2013 6:30 AM
0 Kudos

Hi Sandeep,

Am not sure about a solution that is already built into BO. But you can work with your windows server team to find out a way to get the user's and their region/zone from Active Directory. Once you find a way to get this data, you can load the data to your reporting database. You can even schedule a program to load this data from AD into the reporting database on a regular basis.

With the data available in same DB, you can now include this table into your data foundation and restrict the data based on this table. You can search about how to use security tables to implement security in universe using BO_USER variable.

Cheers

Mohan

Show replies
Show replies
former_member190781
Active Contributor
‎05-30-2013 4:16 PM
0 Kudos

Hi Sandeep,

There is no option available to migrate security profiles from Windows AD to Enterprise. You can create different enterprise groups in BO as per your requirements and set the security using the groups as principals and when you add new AD users you can just make them member of specific group.

Regards,

Sohel

Show replies
Show replies
Former Member
‎05-31-2013 5:19 AM
0 Kudos

Hi Sohel

Thanks for the reply.

     I suppose you are trying to make it clear about the access level and other security. I have different user groups and access levele like zone level, region level. That's working fine.

     I am concerned with the data security ie the user of region Mumbai should see the data of Mumbai region only. Now its done through manual manitanance of data security profile.

      I have three universes. Now for each universe I have to create the 50 data security profile(40 regions + 10 zones). Whenever there is a transfer/promotion for the enduser I have to pick that employee and change the data security profile manually. Same in the case if there is any new universe (50 data security profile are to be created for the new universe). Now it is gonna give access to 1100+ branches also. Then branch 'A' user must see data of 'A' only. Then I have to create 1100+ data security profile which is not practical.

Windows AD has parameters which contain the details of the corresponding zone/region/branch of each user. If there is a way which can pick the zone/region/branch details of the user from the Windows AD parameters autimatically , it will be feasible to maintain the data security.

Please help me.

Thanks

Sandeep

Former Member
‎05-31-2013 9:36 AM
0 Kudos

Hi Sandeep,

If you refer to my earlier post, you can find a video on how to set this up from this video - http://www.youtube.com/watch?v=X9DJuV0_vY4

Cheers

Mohan

Ask a Question