User manual BUSINESS OBJECTS ENTERPRISE XI ADMINISTRATORS GUIDE

[. . . ] BusinessObjects EnterpriseTM XI Administrator's Guide BusinessObjects Enterprise XI Patents Business Objects owns the following U. S. patents, which may cover products that are offered and sold by Business Objects: 5, 555, 403, 6, 247, 008 B1, 6, 578, 027 B2, 6, 490, 593 and 6, 289, 352. Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and other countries. All other names mentioned herein may be trademarks of their respective owners. [. . . ] On the Accounts tab, make sure the following options are selected: · 1. · · In Windows 2000, ensure that the Account is trusted for delegation option has been selected for the account. In Windows 2003, ensure that the following two options have been selected for the account: Trust this user for delegation to specified service only and Use Kerberos only. If you are using Windows 2003, you may have to first add a service principal name (SPN) for the domain account. Set the machine running SQL Server as follows: · a. 3. Computer is trusted for delegation Click Apply, and then click OK. Add an SPN for the service account of the SQL Server: setspn -A MSSQLSvc/host:port serviceaccount Where host:port is the name of the machine running SQL Server and the port that, and serviceaccount is the name of the SQL Server service account. 314 BusinessObjects Enterprise Administrator's Guide Controlling User Access chapter 13 Controlling User Access Controlling user access overview Controlling user access overview Rights are the base units for controlling users' access to objects, users, applications, servers, and other features in BusinessObjects Enterprise. When granted, each right provides a user or group with permission to perform a particular action. Using rights, you can set security levels that affect individual users and groups. Rights allow you to control access to your BusinessObjects Enterprise content, to delegate user and group management to different departments, and to provide your IT people with administrative access to servers and server groups. To set rights within the Central Management Console (CMC), you first locate the object, user, or server and then you specify the rights for different users and groups. Each right can be Explicitly Granted, Explicitly Denied, or Inherited. The BusinessObjects Enterprise security model is designed such that, if a right is left "not specified, " the right is denied by default. Additionally, if contradictory settings result in a right being both granted and denied to a user or group, the right is denied by default. This "denial based" design assists in ensuring that users and groups do not automatically acquire rights that are not explicitly granted. To facilitate administration and maintenance, BusinessObjects Enterprise includes a set of predefined access levels that allow you to set common security levels quickly. Each access level grants a set of rights that combine to allow users to accomplish common tasks (such as view reports, schedule reports, and so on). It is recommended that you use the predefined access levels whenever possible, because they can greatly reduce the complexity of your object security model. For more information, see "Setting common access levels" on page 320. Whether or not you use access levels, you can also take advantage of the inheritance patterns recognized by BusinessObjects Enterprise: users can inherit rights as the result of group membership; subgroups can inherit rights from parent groups; and both users and groups can inherit rights from parent folders. When you need to disable inheritance or to customize security levels for particular objects, users, or groups, the Advanced Rights pages allow you to choose from the complete set of available object rights. Most importantly, the advanced object rights allow you to explicitly deny any user or group the right to perform a particular task. Users require specific licensing and rights to create or modify reports through the Report Application Server (RAS). For details, see "Object rights for the Report Application Server" on page 568. 316 BusinessObjects Enterprise Administrator's Guide Controlling User Access Controlling users' access to objects 13 Controlling users' access to objects To secure the content that you publish to BusinessObjects Enterprise, you can set rights for each object. By setting object rights, you can control users' access to specific content. [. . . ] Information on Customer Support programs, as well as links to technical articles, downloads, and online forums. 644BusinessObjects Enterprise Administrator's Guide Business Objects Information Resources Useful addresses at a glance I Address Business Objects Consulting Services http://www. businessobjects. com/ services/consulting/ Business Objects Education Services http://www. businessobjects. com/ services/training Content Information on how Business Objects can help maximize your business intelligence investment. Information on Business Objects training options and modules. BusinessObjects Enterprise Administrator's Guide 645 I Business Objects Information Resources Useful addresses at a glance 646BusinessObjects Enterprise Administrator's Guide Index A access to applications 349 to universe connections 355 to universes 354 Access Level column 319 access levels administration 351 Advanced 321, 322 available in the CMC 565 calendars 508 enabling and disabling inheritance 327 events 515 folders 364, 371 for RAS 568 Full Control 321 groups 352 InfoView 349 inheritance 325 No Access 321 NTFS 570 reference 563 restricting from the top-level folder 347 Schedule 321 server groups 353 servers 353 setting 320 specifying on folders 364, 371 tutorials 331 types of 320 users 352 View 321 View On Demand 321 when copying/moving folders 361, 369 access rights to Query HTML panel 48 accessibility 616 and BusinessObjects Enterprise 637 and Crystal Reports 616 benefits of 616 design considerations 619 guidelines 617 resources 640 accounts, managing 250 Active Directory 275 active sessions, viewing 81, 81 active trust relationship 242 AD authentication plug-in 240 adding CMS cluster members 92 servers 169 administration 36 configuration tools 78 delegating 343, 351 events 515 folders 364, 371 over the Web 37 remote UNIX machines 43 remote Windows machines 42 rights 351 servers and server groups 353 tools 36 users and groups 352 Administrator account 251 setting password 44 Administrator group 251 Administrators group, default rights 567 Advanced access level 321 advanced rights 322 and inheritance 325 priorities affecting 330 denied by default 330 enabling and disabling inheritance 328 precedence 330 reference 564 setting 322 viewing 322 Advanced Rights page 323 BusinessObjects Enterprise Administrator's Guide 647 Index reference 564 affinity, and SSL 243 alerts, setting notification 479 aliases assigning to a user 296 creating for existing user 296 for new user 294 deleting 297 disabling 298 managing 294 reassigning for a user 297 anonymous single sign-on 232 application servers 59 application tier 58 applications 56 CCM 57 CMC 56 Import Wizard 57 InfoView 56 Publishing Wizard 57 APS. See CMS apsdbsetup. sh 601 architecture 54 diagram 54 areas, management 38 assigning an alias 296 assistive technology 616 attributes, logon tokens 243 audience, intended 22 audit actions enabling auditing of 210 reference list 205 synchronizing records 212 auditee 204 auditing 204 configuring database 209 database schema 218 enabling 210 information flow 204 notification 477 optimizing performance 213 reporting results 214, 217 synchronizing records 212 user and system actions 205 web activity 247 auditing database configuring 209 database schema 218 Application_Type table 225 Audit_Detail table 219 Audit_Event table 218 Detail_Type table 226 Event_Type table 220 Server_Process table 220 auditor 204 authentication BusinessObjects Enterprise security plug-in 236 LDAP security plug-in 238 object packages 463 primary 229 program objects 458 secondary 230 security plug-ins 235 troubleshooting log on 520 Windows AD security plug-in 240 Windows NT Challenge/Response 237, 240 Windows NT security plug-in 236 authentication, types of 252 authorization. See also object rights authorization, effective rights 328 Automated Process Scheduler. [. . . ]