Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 
Former Member

Securing Business Objects Content – Folder Level, Top Level and Application Security

Applies to:

Business Objects Enterprise XI 3.0 / 3.1, for more information, SAP Business objects Solutions Homepage.



Unlike SAP systems, Business Object Enterprise XI 3.0/3.1 do not comprise of Roles, Profiles and

Authorization objects. Security in Business Objects is different than SAP and it consists of: Folder level

security, Application Security, Object Level Security and inheritance concepts. This document begins with

simple example on how to create users, user groups and ends with creating access Levels and basic

troubleshooting techniques using the Security Query.

Author(s): Shikha Baxi Dhiraj Wamanacharya & Milind Desai

Company: IBM India Pvt. Ltd

Created on: 18th May 2011

Author Bio

Shikha Baxi,Dhiraj Wamanacharya  & Milind Desai are working with IBM and have more than 3.5 yrs of experience in SAP

Administration, Security, and have been extensively working in Business Objects in the area of

implementation and upgrade.

User and User Group Creation:

Users in Business Objects are of various types, and a user can login to Business Objects (CMC or InfoView)

using that particular authentication with which it has been created. The authentications are:

  1. 1. Enterprise
  2. 2. LDAP
  3. 3. Windows AD
  4. 4. SAP

The document covers Enterprise and SAP user administration from the above list.

Creating an Enterprise User:

The example below illustrates “How to create an Enterprise user” in Business Objects.

Login to CMC _ Go to Users and Groups

To create a new User click on and for User group creation click on


Click Manage:

Select the Authentication Type in the next screen and maintain the required fields.

1 ) Authentication Type as Enterprise :

2) Authentication Type as SAP :

When Authentication type is SAP (secSAPR3) then you only need to maintain Account Name as

<SAP SID>~<Client No.>/<SAP User ID> .

User will login in Business Object Using his SAP Login credentials.

Connection Type:

Concurrent - This user belongs to a license agreement that states the number of users allowed to be

connected at one time.

Named : This user belongs to a license agreement that associates a specific user with a license. Named

user licenses are useful for people who require access to Business Objects Enterprise regardless of the

number of other people who are currently connected.

Click Create & Close

Administrator” is the default user that comes along with the Business Objects installation.

User Group Creation:

The user group is a collection of users who require same kind of authorization. So instead of assigning

authorization to every new user that is created, we can create a user group and assign the requisite

authorization to it, and later simply assign the user to that particular user Group.

Click Create User group:

Name the User Group:

To add a user to the group click (Add member to user group)

You can add a newly created or existing group to some other group while you can also assign a user to a

  1. group.

Administrators and Everyone are the default groups that come along with the Business Objects installation.

Importing Roles from the backend SAP system:

Let us continue with ‘How to import roles’, which in turn import users from a backend SAP system to the

Business Objects System’.

Login to the CMC, Click Authentication _ SAP

Click the Options tab, now you need to check the field Automatic import User and click Update

Since your Business Objects System is connected to a Backend SAP System you are able to see a list of

Roles in the left Pane which belong to the SAP system. You can now Import the roles from the Backend SAP

system to the Business Objects system, select the role in the left pane and click to import the

roles then click Update :

When a role is imported all the users assigned to that role in your backend SAP system, will also get

imported into the Business Objects system.

Here, PBW is our SAP system Id, while 100 is the client number from where the users arrive, hence the

naming convention: PBW~100 /

Whenever a user assignment is done to a role in backend (already imported in Business Objects) and user

should get created in Business Objects automatically, then you should also check Force Synchronization

under Options tab and click Update:

Now when a user get assigned to a role in backend , only you need to click Update button under Role

Import tab and the user will get created in the Business Objects system. To automate this activity also, we

have elaborated the step in the next section.

Schedule a SAP Authentication Role / Group update in Business Objects XI 3.1 using a java program


To schedule (automate) the updating of SAP Users in the Business Objects system, you need to follow the

steps mentioned below:

1 .Download SAP Update. jar file from SAP Note : 1406037

2. Unzip the file

3. Login in Business Objects CMC ->Folders-->Manage_New _ folder called Objects ,

4. Select the folder "Objects" and click on Manage | Add | Program File

5. Choose as Program Type as Java and add SAPUpdate.jar

6. Right Click on SAPUpdate within your Objects folder and choose Properties | Default Settings | Program


Specify as "Class to run:" sapupdate.Main

Using the "Run Now" and schedule the Program Object

Set the Recurrence for this Program as desired.

Under Authentication tab -> Options, you need to check the field Automatic import User and Force User


Go to Authentication Tab -> Select Role and Import, click update.

Now, the SAP user will get imported every time when it is created and assigned the role in the SAP system

which is already imported in Business Objects CMC. As such, there is no need to create a user in the

Business Object CMC every time a new user is created in the SAP system. .

Note: The statement assumes that every user which is created in the SAP system needs to be created in

Business Objects system. Else,if all the users are not required in the Business Objects system , the role

which is imported in the Business Objects system should not be assigned to such users in the SAP backend.

Access Levels in Business Objects:

Pre-Defined access levels:

There are four default access levels that come along with the Business Objects Installation for securing the content. These levels are explained as below:

1. Full Control: A principal has full administrative control of the object.

2. Schedule: A principal can generate instances by scheduling an Schedule object to run against a

specified data source once or on a recurring basis.

3. View: If set on the folder level, a principal can view the folder, View objects within the folder, and

each object's generated instances.

4. View on Demand: A principal can refresh data on demand against a data source.

5. No Access: The user or group is not able to access the object or folder.

To see what rights are included in an access level; go to CMC -> select Access Level, right click -> Include


Custom Access Levels:

In addition to the predefined access levels, you can also create and customize your own access level, which

can greatly reduce administrative and maintenance costs associated with security.

How to create access levels: Login to CMC _ Select Access Levels.

Maintain Title and Description:

To include rights in an access level, select the Access level, right click -> included rights

Click Add/Remove Rights:

You will be able to see four types of rights collections in the left panel namely:

  • General
  • Content
  • Application
  • System

By default you will be guided to the “General Global rights” window. Now set your general global rights:

Each right can have a status of:

  • Granted
  • Denied
  • Not Specified.

You can also choose whether to apply these rights to the object only or to their sub-objects only, or both.

To set type-specific rights for the access level, in the navigation list, click the Rights collection, and then

click the Subcollection that applies to the object type you want to set the rights for.

Folder level Security:

Folder-level security enables you to set access-level rights for a folder and the objects contained within that

  1. folder. While folders inherit security from the top-level folder (root folder), subfolders inherit the security of

their parent folder. Rights set explicitly at the folder level override inherited rights.

To set folder level security:

1. Login to CMC _ Select Folders

2. Right click on the particular folder & select User Security.

Select the Principal (user / group) you wish to add:

On the same screen in the bottom right corner click:

Provide the requisite Access Level to this Principal. Here we have provided “Full Control” to the

“Basis_Monitors” group.

Click Apply, and then Click OK.

To View, what access has been provided to the Principal click “View Security

Assigned Rights:

Top Level Security:

The below example shows, how Top Level Security can be assigned to a principal against the Business

Objects Servers:

Manage the Top Level Security for Severs:

For this:

1. Login to CMC -> Servers-> Manage

2. Select Top Level Security _ All Servers/ All Server Groups.

Click OK.

Break Inheritance:

If your Principal is a part of multiple groups and to avoid “Conflict of Rights” you can uncheck the:

  1. 1. Inherit From Parent Folder
  2. 2. Inherit From Parent Group.

Now, provide access/advanced level security as required.

Application Level Security:

Users need access to particular Business Objects applications to perform their jobs effectively. As a

Business Objects Administrator you are responsible for setting appropriate application security levels

according to the needs of your organization.

Application security is used to control the functionality that users and groups have to the Business Objects

Enterprise applications. The Manage area of the CMC allows you to control access for the following

Business Objects Enterprise applications:

Manage CMC User Security:

To Manage CMC security:

Logon to CMC -> Click Applications _ Select CMC

Now Right Click and select User Security.

Click Add Principals:

Select the principal for which you want to assign security.

On the same screen in the bottom right corner click:

Now assign the security as required:

Now Click “View Security” on the Next screen to check what access has been provided to “test” user:

Similarly you can manage Security, and access for rest of the applications.

Advance Rights :

You may sometimes need to override certain granular rights in an access level. Advanced rights let you

customize the rights for a principal on top of the access levels, the principal already has.

There are 3 Type of rights exist as explained earlier:

  • Grant
  • Denied
  • Not Specified


• In general, the rights that are set on child objects override the rights that are set on parent

  1. Object.

• In general, the rights that are set on subgroups or members of groups override the rights that are set on

  1. groups.

If a user belongs to more than one group, and there is a conflict in rights assignments between the groups to

which the user belongs to, the Denied (D) right wins over a Granted (G) right, and the Granted (G) right wins

over a Not Specified

Case Study I: (Advanced Rights)

We will be explaining, how advanced rights are used through this Case Study:

Consider an example where your user needs to have following access:

i) Needs to be provided no access to any folder or report , ii) Need to have access to schedule a report

(Material Plant) , iii) Need to view, pause and resume its scheduled instances iv)Need to be restricted to

delete a instance and view a report.

We proceed as below:

  1. 1. Maintain No Access at root level security at Folders:

2. Select the Material plant report and click User Security

Break inheritance and click Advance tab ->Add/Remove Rights

Once done, you are able to view the General global rights, Now maintain the rights by clicking on radio

buttons for grant denied or not specified

  • Select the Grant radio button for providing access to schedule a report, view, pause and resume its

scheduled instances.

  • Select Deny radio button to deny access to any folder or report, and to view, delete a report.

Rights are divided into the following collections based on the object types they apply to:

  • You can also allow the rights to be applied to a Sub object, by checking the Object and Sub Object

check boxes, next to the Rights column.

  • Only after you click grant or deny radio button, object and sub-object check boxes are enabled. Now

you can maintain the scope of rights.

  • If you want to apply a right only for a folder and not for its sub folders, then uncheck sub-object check
  1. box.

Security Query:

Due to the complexities inherent in a security system as complicated as Business Objects Enterprise XI 3.1,

systems administrators sometimes find it difficult to pinpoint from where a particular user right is inherited.

Security queries let you determine which objects a principal has certain rights to and enables you to manage

user rights:

In the earlier part of our Case studies we have created a group called “Basis_Monitors”. In this exercise we

will find out what access Basis_Monitors have on Servers using the “Security Query”. For this:

Logon to CMC -> Select Query Results

Now select Security Queries -> Right click _ Create Security Query.

Provide the required inputs like :

i) Principal (Basis_Monitors).

ii) Check /Uncheck Query Permission as per the requirement.

iii) Select the Query Context (Servers)

After selecting the required parameters click OK.

Now, the next screen appears showing the result regarding what access the principal has on the Querycontext.

You can also click on the Source column to view, from where the Principal is obtaining its access:

In case you see, the source along with (Inherited) it implies that access comes either from the Parent group

or from the parent folder.

Related Content:

  1. 1.
  2. 2.
  3. 3.

For more information, visit


© Copyright 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.

The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9,

iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,

PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,

BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,

Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems

Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of

Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide WebConsortium, Massachusetts

Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by

  1. Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned

herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and

other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered

trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document

serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP

Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or

omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the

express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an

additional warranty.

Labels in this area