SAP has included a Universe Designer Users group since SAP BusinessObjects Enterprise XI Release 2 (XI R2). My typical routine is to assign users that create universes to the built-in Universe Designer Users group. Although I can add users directly, I generally prefer to assign users to one or more groups that become subgroups of the Universe Designer Users group (and therefore inherit all of its rights).
I recently noticed that SAP BusinessObjects Business Intelligence 4.0 assigns security differently between the two semantic layer tools. For the Universe Design Tool (or UDT, formerly known as Designer in XI 3.1 and earlier), SAP uses the built-in Full Control access level.
Using the Permissions Explorer, we can examine what Full Control actually provides to Universe Design Tool users.
But the new Information Design Tool, or IDT, assigns advanced rights, not Full Control, to the built-in Universe Designer Users group.
I’m guessing that the current situation is the result of multiple SAP development teams moving quickly. I doubt it will affect my approach to security.
But for Feature Pack 3 SAP BusinessObjects Business Intelligence 4.1 coming later in 2013, SAP should harmonize out-of-the-box security and:
- Adjust all of the predefined access levels (View, Schedule, View On-Demand, but especially Full Control) to provide varying levels of access to the Information Design Tool (consistent with Universe Design Tool)
- Assign Full Control of Information Design Tool to the Universe Designer Users group instead of advanced rights (consistent with Universe Design Tool)
- Consider giving Universe Designer Users group a less application-centric name like Semantic Layer Designers
How do you grant users access to the semantic layer tools? Do you leverage the Universe Designer Users group or create your own? I’m interested in learning from different approaches.
Dallas,
Can you recommend any material on designing a security strategy for BO 4.0? I.E. a large group who can create WEBIs and schedule but dependent upon BW roles & Universe/Connections security? Any help would be greatly appreciated! Love the site!
Dallas, I am a bit late getting into this post, well, okay, over a year late, but I still wanted to give you some information as to how we implement security for UDT and IDT. We also use the built-in Universe Designer Users as the parent Group for multiple subgroups of UDT users. We have multiple data sources and need to control which UDT user has access to which universes and the folders they reside in. As for the User Security level for the UDT, we created a custom Access Level called ‘UNV App Rights – Designers’ and added specific rights to this Access Level. We do not permit UDT users to create Connections to data sources so this is really the only right missing from this custom Access Level. We then use the ‘UNV App Rights – Designers’ Access Level to grant the Universe Designer Users Group the necessary rights to the Universe Design Tool.
Mickey, thanks for sharing from the field. I re-read my article today – and made a mental note to check the upcoming BI 4.1 release to see if they cleaned up the out-of-the-box security.