23 tips for a bulletproof Business Objects Security

As a Business Objects Security expert and co-founder of 360Suite, I’ve met with a lot of customers around the world and have shared my expertise in BOBJ security, even before I started my company. As one of the most active users in the BOBJ forum (which now has a second lease of life 🤫), I remember a time when the security model of changing from one version to another and managing security was a hot topic.

Interestingly, we see that very same topic rising again nowadays among our customers, since more and more companies are subject to audits, and must answer the question of access to data, (re GDPR, CCPA, etc). Even though a security model is in place, Business Objects administrators are asked to answer the following questions: Where is my sensitive data? Who has access to it? Who did access it? How has my security changed through time? Eventually, these audit and new data privacy regulations are good opportunities to reassess security and update it; to make sure that the right person has access to the right content.

In this blog post, I wish to share my experience and what I’ve seen with customers to list some of the best practices and tips for implementing good Business Objects Security.

1. Assign security on folders rather than on a document, and to groups, not individual users. You can even create a group for one user.
2. To restrict access to data (for example a user can see only data from one specific country), implement security at the database level (universe restrictions) and then at the universe object level.
3. By default, assign the right “No Access” on all Top Level resources to the group Everyone. This way, you will create a closed system, meaning that if you add a new folder later by default it will be hidden for every user.
4. Document your security model and keep track of any changes.
5. Use naming conventions to easily recognize items.
6. Separate needs into user access to applications, data access through the application, and functional access of what they can do with data.
7. Gather rights into “access levels” – one type of rights per access level. Preferably, separate access levels for General rights, for Content and for System rights.
8. Do not assign individual rights as it is high maintenance and not reusable. Instead, create access levels that collect multiple rights.
9. Avoid breaking inheritance.
10. Minimize or refrain from explicit denies, i.e. Grant + Deny = Deny. 
11. If using 3rd party authentication (i.e. AD, LDAP), don’t assign permissions directly on these imported groups. Leverage user attributes mapping for filtering and applying security at the universe (UNX) level.
12. Structure user groups and sub-groups, preferably to mirror the structure of the folders and sub-folders.
13. Avoid too broad access to a resource. For example, granting access to the group Everyone.
14. Implement a matricial view of your permissions to cross resources (folders, documents) and actors (users, groups) and see the security in between.
15. Define alerts on security changes for sensitive resources or actors.
16. Monitor effective access to sensitive data.
17. When publishing documents outside of the platform to 3rd parties, make sure to put in place a password protect access to your document.
18. Recertify users once a year and archive old content.
19. Identify at which level data security needs to be secured – universe level, reporting database level or folder and/or document level.
20. Favor using SSO or Business Objects credentials mapping over using a technical user when creating connections to data — user’s account and security will be applied at the data source level.
21. Create access levels from minimal rights to full control.
22. If you have to manage security for multiple departments, consider using the multi-tenancy tool.
23. Although not strictly security, specify the CMC Tab Access for delegated administration.

This list is non-exhaustive and is not necessarily applicable to all customers. It is clear that having control over your security and its changes, is indispensable in complying with industry or data regulations and to answer internal or external security audits.

If you want to learn more about 360Suite and how it can help you to audit and modify your security while keeping track of the changes, you can read this article or get in touch with one of our Business Objects security experts.