Most important aspect of any software product is security and SAP Business Objects is great in terms of available security options and provides flexibility in controlling each module and activities associated with each module. Security for SAP BI Version Management (VMS) can be controlled within BI Platform and unlike other version management tools it does not need separate configuration (or) metadata transfer to external systems. This blog as a continuation of SAP BI Version Management series will throw some light on security setup for SAP BI VMS and some best practices.
Since SAP BI Version Management is available as module within the Central Management Console (CMC), any developer/manager/admin who manages content will need access to CMC. However, providing full access to CMC might be a security concern in most environments considering security factors. In such cases, delegated administrator permissions can be provided to users who need access to Version Management and that will restrict them to just the Version Management module and secure other modules.
Delegated Admin rights can be configured using the steps mentioned in this link
Once permissions are delegated, users will see only the modules which are granted to them. However, this will only provide permissions to see the option inside CMC and not to use it. Application level permissions should be provided separately for the users to use Version Management
Application Level Permissions
Application level permissions control what the users can do inside application/module once they are in that application. For users to make use of Version Management, they need the following Application level permissions
- “View” access on “Promotion Management” application
- Required access on “Version Management” application
Since Version Management is part of the LCM, users who need access to Version Management should have at least “view” access on promotion management application to view metadata and manage versions inside VMS.
View on Promotion Management
View access on Promotion Management can be provided at “Granular Level” and does not necessarily need the “View Access Level” or a custom access level
Version Management Permissions
These permissions control what the user can do inside version management. This part involves some planning/design and permissions that should be provided based on role played by each user. Every option inside VMS can be controlled through these permissions and it is recommended to bundle these permissions inside one access level and assign it to users/groups.
|Developer||Allow CheckIn, Allow Create Copy, Allow Get Revision, View Deleted Resources|
|Manager||Allow Lock and Unlock, Allow Create Copy, View Deleted Resources, Allow Delete Revision|
Apart from these permissions, there are others that control what users can see and version in VMS. Those can be selected based on requirement. Once the access level is created with these permissions, they can be assigned to users.
Once this is provided, users can login to CMC, Access VMS and Version objects.
- Restrict Lock and Unlock permission to Managers/Admins to avoid un-authorized check-in
- ‘Get revision’ permission should be provided to limited set of developers and used with caution as that will over-write changes with last checked-in version
- Delete revision should be provided only to content manager/owner as that will allow deletion of versions maintained in the VMS
- View and Version permissions for Universes, Security Objects, Connections, Calendar should be provided only to respective users/admins as they are critical objects and can have high impacts if not handled properly
Hope that helps! Click to find out more about SAP BI Version Management.