Skip to Content
0

Row Level security - BO 4.2 SP3 - SAP HANA direct access Calculation views

Aug 07, 2017 at 03:09 PM

260

avatar image
Former Member

Hi,

I've been trying to see a possibility of implementing row level security in Business Objects 4.2 for SAP HANA direct access (Calculation / Analytic / Attribute views) without a Universe layer.

Can anyone advise if it is feasible to build data level security for BO on SAP HANA direct access views?

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

3 Answers

Manikandan Elumalai Aug 07, 2017 at 04:04 PM
1

If SSO is enabled to your HANA DB along with your own credential in HANA with appropriate roles and previleges this is possible even without universe layer.

Thanks

Mani

Show 4 Share
10 |10000 characters needed characters left characters exceeded
Former Member

Hi Mani,

Thanks for your response. Yes I believe the option is through HANA authentication feature where we have SSO (windows AD) on HANA DB. However if this is not the case, do you suggest any other option (either through SQL editor option at BO WEBI queries front or consuming HANA DB role security into Business Objects CMC)?

Thanks in advance for your advice.

Regards, Srikanth

0

Yes. You can do that through a HANA role however the data will not personalized for individual user rather set of users who has the HANA role. Also your connection will have a hard coded HANA service user account and not SSO

0
Former Member
Manikandan Elumalai

Thanks Mani, Would you mind sharing any relevant documentation over the configuration stated above. I would really like to look at whether it would actually serve my requirement. Thanks in advance.

0

I dont have anything for now. If I come across something I will definitely share it.

0
avatar image
Former Member Dec 06, 2017 at 05:05 PM
0

Hi, I need to design the same scenario.

Do you have some documentation to achieve it?

Share
10 |10000 characters needed characters left characters exceeded
avatar image
Former Member Feb 28 at 08:06 AM
0

Yes, this is definitely a solution that exists but it should be used. There are a few components that you need to understand in order to have this work:

1) Creation of Analytic Privileges with the necessary views with corresponding attributes that drive these row level security authorizations

2) If a view is not reporting, the Apply Privileges section within the Properties should be blank

3) If a view is a reporting view, then the Apply Privileges section should be set to SQL Analytic Privileges. Classical will be sunset in the future (these are XML based) so you should be positioning yourself for the future. When doing this, you have to have all reporting views that have this property set to be in an analytic privilege. This will apply to the end user roles but most importantly, it is important to create 1 developer analytic privilege for SQL, which contains all views but no restrictions on them. This will be part of the developer role so the developers can continue to work without receiving errors.

4) The biggest component here is the communication between SAP HANA and SAP BOBJ and this is done using SAML. At a high level, this is done using certificates that are imported between BOBJ and HANA at the OS level. SAP HANA receives a request from the OLAP or Relational connection (set up for SSO) and with the SAML configuration, HANA trusts BOBJ and receives an external identifier (BOBJ id). The external BOBJ ID is configured within the SAML configuration for the user within the HANA system and they don't have to be the same. A couple of things that you need to understand are what characters Linux accepts and doesn't accept, especially if you are using Windows AD or SAP BW authorizations. This is due to the fact how names are created. If there are issues, you have a few options but easiest would be to create enterprise names on top of these names to pass over to SAP HANA. Make sure that the user names are in lower case as HANA is case sensitive and easier to do this.

Please reach out if you want additional information.

Share
10 |10000 characters needed characters left characters exceeded