Lumira Security Aspects

Anja Rusch CEG November, 2014

Public

Legal disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and/or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

Agenda

- DataSet Security
- Lumira Desktop Governance
- Lumira Document Security on
  - Cloud
  - Server
  - BI Platform

SAP Lumira: Server Desktop Cloud

On premise - in the cloud - on any device

[Diagram: BI Platform, Lumira Server, Lumira Desktop and Lumira Cloud, connected by arrows labelled "publish"]

- Lumira Server (on HANA): Excel / CSV
- Lumira Desktop (local): Excel / CSV, Clipboard, RDBMS, Universes, HANA, BW*
- Lumira Cloud (on HANA): Excel / CSV

*Desktop Visualization only

DataSet Security

Lumira Datasets

Download Approach keeps creator's access rights
- MS Excel, Text, Clipboard
- SAP HANA
- Universe
  - Context and Prompt selection
- Query with SQL

Connect Approach respects user rights
- SAP HANA
- SAP Business Warehouse (with limitations)
- Forced BI server side refresh for universes

Lumira Desktop Governance

Configuring Desktop Governance

Desktop governance allows BI platform administrators to enforce security on SAP Lumira for:
- Data source type user can import from
- Destinations user can share to
- Configurability of URLs
- Handling of updates

Enabling Desktop Governance

- BI Platform with Lumira BI Add-on installed
- Create a configuration file on each user's machine
- Define each user's settings in the Central Management Console (CMC)

SAP Lumira enforces desktop governance by contacting the BI platform at startup and querying for the user's rights and settings.

Creating a Desktop Governance Configuration File

Create a configuration file called LumiraGovernance.properties in C:\Users\<user>\.sapvi with the following parameters:

Parameter               Description
<enable>                true = desktop governance enforced
                        false = desktop governance not enforced
<adapter.type>          boe = system type that will be contacted to enforce desktop governance
<authentication.type>   Allowed BI platform authentication types: secEnterprise, secLDAP, secWinAD, secSAPR3
<rest.url>              BI platform rest access URL. Example: http://vmboesrvr:6405/biprws
<useSSO>                true = use Single Sign On to contact the BI platform
                        false = user will be prompted for their BI platform credentials
                        To use SSO, it must be configured on user machine's domain and the BI platform deployment

[Screenshots: LumiraGovernance.properties; Logon Popup after restart]
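
As an added example (not part of the original slides and not SAP code), a small Python check an administrator could run over each user's LumiraGovernance.properties to confirm that governance is switched on and the parameters hold allowed values. It assumes the keys are written without the angle brackets shown in the table; the http warning is an added hardening check, and the two sample files are constructed.

```python
from urllib.parse import urlparse

# Parameter names and allowed values come from the table on this page; writing
# the keys without the angle brackets is an assumption of this example.
ALLOWED_AUTH = {"secEnterprise", "secLDAP", "secWinAD", "secSAPR3"}
REQUIRED = ("enable", "adapter.type", "authentication.type", "rest.url", "useSSO")

def parse_properties(text):
    """Parse simple key=value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_governance(text):
    """Return a list of findings for one LumiraGovernance.properties file."""
    props = parse_properties(text)
    findings = [f"missing parameter: {k}" for k in REQUIRED if k not in props]
    if props.get("enable", "").lower() != "true":
        findings.append("enable is not true: desktop governance not enforced")
    if props.get("adapter.type", "boe") != "boe":
        findings.append("adapter.type is not boe")
    auth = props.get("authentication.type")
    if auth is not None and auth not in ALLOWED_AUTH:
        findings.append(f"authentication.type not allowed: {auth}")
    if props.get("useSSO", "true").lower() not in ("true", "false"):
        findings.append("useSSO must be true or false")
    if "rest.url" in props:
        url = urlparse(props["rest.url"])
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append("rest.url is not a valid http(s) URL")
        elif url.scheme == "http":
            # Added hardening check, not a requirement stated on the page.
            findings.append("rest.url uses http: logon traffic is not encrypted")
    return findings

# Constructed samples (not taken from a real deployment).
GOOD = ("enable=true\nadapter.type=boe\nauthentication.type=secWinAD\n"
        "rest.url=https://bi.example.internal:6405/biprws\nuseSSO=true\n")
BAD = ("enable=false\nauthentication.type=secKerberos\n"
       "rest.url=http://vmboesrvr:6405/biprws\n")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_governance(sample))
```

Because the file lives in each user's profile directory, running a check like this across machines shows where the setting has been left off or altered.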

Defining SAP Lumira Properties

Set default values for SAP Lumira in order to improve user experience, or to enforce system security
- Allow users to maintain Sharing URLs for
  - Lumira Cloud
  - Lumira Server
  - BI Server
- Turn automatic updates on or off

Before and after applying Lumira Properties

[Screenshots: Before; After]

Defining Access Rights to SAP Lumira Features

Use BI platform rights to control which data sources and destinations each user or group can access

All selectable Rights for SAP Lumira

Before and After applying DataSource Rights

[Screenshots: Before; After; labels: denied, denied]

Before and After applying Sharing Rights

[Screenshots: Before (Share Datasets, Share Stories); After (denied; Share Datasets, Share Stories)]

Maintaining Access Rights for Groups / Everyone

Specific user rights have priority over group rights
- Your Desktop user needs to be created in BOE
- It is automatically assigned to the Everyone group and cannot be removed
- Specific user rights will always apply first
- If no user rights are maintained for your user but group rights are, such as for Everyone, the group rights apply

DEMO

Lumira Document Security on Cloud, Server, BI Platform

Infographics: Refresh Page on Open Option

- Refreshes the infographic page each time you open the infographic
- Dynamic update according to the data available
- Can be used to secure a dashboard after sharing, e.g. if dataset access is removed
- Static infographics will not be affected by any dataset refreshes

SAP Lumira Cloud® Security

Level of protection of data
- Sharing a story with your team or others will share the full dataset as well
- You can stop sharing items that you shared
- All users must sign in to view private items
- Users can access stories publicized through public URLs without signing into SAP Lumira Cloud

[Screenshot: Dataset sharing stopped]

Set up HANA Users to Access Lumira Server

The HANA admin needs to assign the BI_DATA_CONSUMER or BI_DATA_ANALYST role to users

[Screenshots: BI_DATA_CONSUMER; BI_DATA_ANALYST]

Share your Stories and Datasets on Lumira Server

Stories and datasets can be shared with
- Roles you have access to
- Roles which have access to the underlying data

Members see the dataset based on their privileges

You will not be able to share to roles that do not have authorization

BI Platform Security for Lumira Documents

Control a user's access to datasets & stories by setting rights on the dataset and story objects in the Central Management Console (CMC)
- Stories are stored under Folders
- Datasets are stored under Lumira Datasets

Universe Security on the BI Platform

Security during a Dataset Refresh

Datasets based on universes can be refreshed, ensuring your stories contain the most up-to-date data
- on demand refresh
  - using the rights of the user doing the refresh
  - Maintain the Refresh on Open flag
  - creates a transient table per refreshing user
  - disables the schedule option for that dataset
- scheduled refresh
  - using the rights of the user who published the dataset
  - creates a permanent table in SAP HANA

[Screenshot: Universe specific settings]

Thank you

anja.rusch@sap.com

© 2014 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
