21 tips for a bulletproof Business Objects Security
As a Business Objects Security expert, I’ve met with a lot of customers across the world and have shared my expertise on BOBJ security, even before I started my company and launched 360Suite. As one of the most active users in the BOB forum (which by the way will close soon 😢), I remember a time when the security model was changing from one version to another, and managing security was a hot topic.
Interestingly, we see that very same topic rising again nowadays among our customers, since more and more companies are subject to audits and must answer questions about access to data (GDPR, CCPA, etc.). Even though a security model is in place, Business Objects administrators are asked to answer the following questions: Where is my sensitive data? Who has access to it? Who has accessed it? How has my security changed over time? Ultimately, these audits and new data privacy regulations are good opportunities to reassess security and update it, to make sure that the right person has access to the right content.
In this blog post, I wish to share my experience and what I’ve seen with customers to list some of the best practices and tips for implementing good Business Objects Security.
- Assign security on folders rather than on individual documents, and to groups rather than individual users; create a group even if it will contain only one user.
- Identify at which level data needs to be secured: universe level, reporting database level, or folder and/or document level.
- To restrict access to data (for example, a user may only see data from one specific country), implement the security at the database level first and then at the universe object level (via universe restrictions).
- By default, assign the “No Access” access level to the Everyone group on top-level resources. This creates a closed system: any folder or object you add later is hidden from every user by default, and you then create additional groups with more granular rights where needed.
- Document your security model and keep track of changes.
- Use naming conventions for easily recognizing items.
- Separate needs into user access to applications, data access through the application, and functional access of what they can do with data.
- Group rights into “access levels”, one type of right per access level; preferably keep separate access levels for General, Content and System rights. Assigning individual rights increases future maintenance effort and is not reusable.
- Limit breaking inheritance if possible, and make sure to document any exceptions.
- Refrain from explicit denies: an explicit Deny overrides any Grant (Grant + Deny = Deny), so denies scattered across the model make effective rights hard to reason about.
- If using 3rd party authentication (e.g. AD, LDAP), don’t assign permissions directly on these imported groups. Instead, embed them into Business Objects Enterprise groups and assign permissions to those groups. If something happens to the 3rd party groups, the security model still remains intact.
- Leverage user attribute mapping for filtering and applying security at the universe (unx) level.
- Structure user groups and sub-groups, preferably to mirror the structure of the folders and sub-folders.
- Avoid overly broad access to a resource, such as granting access to the Everyone group.
- Build a matrix view of your permissions that crosses resources (folders, documents) with actors (users, groups), so you can see the effective security between them.
- Define alerts on security changes for sensitive resources or actors.
- Monitor effective access to sensitive data.
- When publishing documents outside of the platform to 3rd parties, make sure to password-protect the document.
- Recertify users frequently and archive stale content.
- Favor SSO or SAP BusinessObjects credential mapping over a technical user when creating connections to data; the user’s own account and security will then be applied at the data source level.
- Specify the CMC Tab Access for delegated administration.
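As an added illustration (not from the original post, and not SAP's or 360Suite's code), the following Python script models how several of the tips above interact: a closed system with Everyone left unspecified at the top level, inheritance through the folder tree and the group tree, a deliberate inheritance break, Deny winning over Grant, a matrix of effective rights across users and folders, and a diff of two security snapshots as the basis for alerts on sensitive resources. The folder tree, groups, users and security entries are constructed sample data, and the resolution rules are a simplified model of how rights combine, not the platform's SDK or its exact algorithm.

```python
"""Simplified model of effective-rights resolution over folders and groups (added example)."""
from typing import Dict, List, Optional, Set, Tuple

# Values a security entry can carry; "Not Specified" is what an access level such as
# "No Access" leaves behind and is effectively a denial in a closed system.
GRANTED, DENIED, NOT_SPECIFIED = "Granted", "Denied", "Not Specified"

# Constructed sample: folder tree (child -> parent, None for the top level).
FOLDERS: Dict[str, Optional[str]] = {
    "Root": None,
    "Finance": "Root",
    "Finance/Payroll": "Finance",
    "Sales": "Root",
    "Sales/Targets": "Sales",
}
# Folders where inheritance from the parent folder has been broken (tip: document these).
BROKEN_INHERITANCE: Set[str] = {"Sales/Targets"}

# Constructed sample: group tree (child group -> parent group).
GROUPS: Dict[str, Optional[str]] = {
    "Everyone": None,
    "FinanceUsers": None,
    "PayrollAdmins": "FinanceUsers",
    "SalesUsers": None,
}
# Direct group membership; every user is implicitly a member of Everyone.
MEMBERSHIP: Dict[str, Set[str]] = {
    "alice": {"PayrollAdmins"},
    "bob": {"FinanceUsers"},
    "carol": {"SalesUsers"},
    "dave": set(),
}

# Explicit security entries: (folder, group, right) -> value.
ACL = Dict[Tuple[str, str, str], str]
ACL_V1: ACL = {
    ("Root", "Everyone", "View"): NOT_SPECIFIED,          # "No Access" at the top: closed system
    ("Finance", "FinanceUsers", "View"): GRANTED,
    ("Finance/Payroll", "PayrollAdmins", "View"): GRANTED,
    ("Finance/Payroll", "FinanceUsers", "View"): DENIED,  # explicit deny: the anti-pattern
    ("Sales", "SalesUsers", "View"): GRANTED,
}
# Second snapshot: someone later grants Everyone on the payroll folder.
ACL_V2: ACL = dict(ACL_V1)
ACL_V2[("Finance/Payroll", "Everyone", "View")] = GRANTED

SENSITIVE_FOLDERS: Set[str] = {"Finance/Payroll"}


def chain(node: Optional[str], parents: Dict[str, Optional[str]]) -> List[str]:
    """The node followed by all of its ancestors, nearest first."""
    out: List[str] = []
    while node is not None:
        out.append(node)
        node = parents.get(node)
    return out


def folder_chain(folder: str) -> List[str]:
    """Folders whose entries apply to `folder`; stops at the first inheritance break."""
    out: List[str] = []
    for f in chain(folder, FOLDERS):
        out.append(f)
        if f in BROKEN_INHERITANCE:
            break
    return out


def user_groups(user: str) -> Set[str]:
    """All groups a user belongs to, directly or via parent groups, plus Everyone."""
    groups = {"Everyone"}
    for g in MEMBERSHIP.get(user, set()):
        groups.update(chain(g, GROUPS))
    return groups


def effective_right(user: str, folder: str, right: str, acl: ACL) -> str:
    """Collect every applicable entry; any Deny wins, otherwise any Grant, otherwise nothing."""
    values = {acl[(f, g, right)]
              for f in folder_chain(folder)
              for g in user_groups(user)
              if (f, g, right) in acl}
    if DENIED in values:
        return DENIED
    if GRANTED in values:
        return GRANTED
    return NOT_SPECIFIED


def rights_matrix(users: List[str], folders: List[str], right: str, acl: ACL) -> Dict[str, Dict[str, str]]:
    """The matrix view: users as rows, folders as columns, effective right in each cell."""
    return {u: {f: effective_right(u, f, right, acl) for f in folders} for u in users}


def diff_acls(old: ACL, new: ACL) -> List[Tuple[Tuple[str, str, str], Optional[str], Optional[str]]]:
    """Entries added, removed or changed between two security snapshots."""
    return [(k, old.get(k), new.get(k)) for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)]


def alerts(changes, sensitive: Set[str]) -> List[str]:
    """Changes that touch a sensitive folder or the Everyone group deserve an alert."""
    return [f"ALERT {k}: {o} -> {n}" for k, o, n in changes if k[0] in sensitive or k[1] == "Everyone"]


if __name__ == "__main__":
    for user, row in rights_matrix(list(MEMBERSHIP), list(FOLDERS), "View", ACL_V1).items():
        print(f"{user:6} " + "  ".join(f"{f}={v}" for f, v in row.items()))
    for line in alerts(diff_acls(ACL_V1, ACL_V2), SENSITIVE_FOLDERS):
        print(line)
```

Running the script shows the two effects the tips warn about: alice is a payroll administrator yet ends up Denied on Finance/Payroll because the explicit deny on her parent group FinanceUsers overrides her own grant, and carol has no access to Sales/Targets even though she is granted on Sales, because inheritance was broken on the sub-folder. The snapshot diff then flags the later Everyone grant on the sensitive folder.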
This list is non-exhaustive and not necessarily applicable to all customers. It is clear, however, that having control over your security and its changes is indispensable for complying with industry or data regulations and for answering internal or external security audits.
If you want to learn more about 360Suite and how it can help you to audit and modify your security while keeping track of the changes, you can read this article or get in touch with one of our Business Objects security experts.