Metadata is for everyone, not just for administrators

Query Builder restricted by SAP security note 3313484

I’m grateful for the SAP BusinessObjects Query Builder. Oh, sure. I’d be really happy if SAP enhanced it, gave it the ability to export easily to Microsoft Excel, and so on. But at least it’s there, right? Or at least it used to be (see related article, Query Builder 4.0).

On May 9, 2023, SAP quietly released SAP Security Note 3313484 – [CVE-2023-30740] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform. Because “Under certain conditions Business Intelligent platform allows an attacker to access information which would otherwise be restricted”, SAP’s hasty solution was “Access has been restricted only to Administrator”. The change was introduced in BI 4.2 SP9 Patch 14, SAP BI 4.3 SP2 Patch 11, and SAP BI 4.3 SP3 Patch 3 and higher releases including the forthcoming SAP BI 4.3 SP4.


This is a horrible idea for at least two reasons.

First, administrators should be in the habit of logging into the system as themselves, not as the ambiguous “administrator”, for as many administrator tasks as possible. Organizations want to know who made a change and when, not just that some unidentified “administrator” who had the main password did something.

Second, metadata is for EVERYONE, not just administrators. This is particularly true for me now that I’m not “the” administrator and not even a member of the Administrators group. My current role places me into a custom “Delegated Administrators” group with limited view-only privileges in the Central Management Console. And even though there are a variety of relatively easy-to-use third-party add-ons for the SAP BusinessObjects platform, there’s such a large body of knowledge surrounding the Query Builder and its clunky quirkiness that it should be available, securely, to anyone to whom an organization’s SAP BusinessObjects administrator team wishes to give access.

It’s unclear how SAP Security Note 3313484 affects the CMS Database Access Driver introduced in SAP BI 4.2 SP3 and its “sample” universe and Web Intelligence reports, although I remember my first experience with said connector to be underwhelming (see related SAP

Sigh. I guess I will have to write up a suggestion for the SAP Idea Place, now the SAP Customer Influence site. But given that SAP BI 4.x may be the last on-premise version of SAP BusinessObjects that a customer may use before trusting SAP to put BI 2025 in the cloud, we need more and better metadata, not less. It’s in SAP’s interest to give us the best tools to help us retire obsolete or unsupported content and heighten our focus on what truly matters to move our organizations forward.

For further reading

  • SAP KB 2399962 – CMS database with new data access driver from BI 4.2 SP03
  • SAP KB 2622713 – SAP Scope of Support for QueryBuilder, AdminTools or other CMS Database Queries
  • SAP Security Note 3313484 – [CVE-2023-30740] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform

What are your thoughts on metadata in general and Query Builder in particular? Is Security Note 3313484 cramping your style?

Dallas Marks


I am an analytics and cloud architect, author, and trainer. An AWS certified blogger, SAP Mentor Alumni and co-author of the SAP Press book SAP BusinessObjects Web Intelligence: The Comprehensive Guide, I prefer piano keyboards over computer keyboards when not blogging or tweeting.