In the prior Operations Bridge Reporter (OBR - formerly known as SHR) releases, there was a way of achieving multi-tenant reporting. Some of you would be familiar with this approach as detailed in a previous blog post. Given the architectural changes, there have been questions around how to achieve the same end in the new OBR release. My goal in this blog article is to explain a bit about how we can achieve this in OBR 10.
As you may already know, OBR supports grouping of dimensions (e.g. configuration items [CIs]). Topology Views from the Run-time Service Model of OMi/BSM or Node Groups from Operations Manager/NNMi serve as groups in OBR by default. Also, most OBR reports are parameterized by groups; therefore, users could filter reports based on groups. In addition to the default groups, users can provision Custom groups of dimensions as detailed in the Online help/Administrator Guide.
These groups, along with Security Profiles in Business Objects, provide a means of achieving multi-tenancy at reporting level.
OBR Administrators should define users/user groups in Business Objects and associate these users to specific OBR Groups. Once this association is created, users are restricted to data pertaining to their respective OBR Groups.
In this context, there are a couple of points to note:
• OBR reports support both Optional and Mandatory prompts. While Security Profiles work on both, users may skip Optional prompts and gain visibility to all groups. To avoid this, ensure prompts are made Mandatory.
• Please make a copy of the BObj Universe before changing it!
Let us proceed to the rest of the details, which describe the process of associating a BObj User to an OBR Group. This is a one-time activity that needs to be carried out for each BObj User/UserGroup.
But before you begin:
• The universe for which you want to create security must be published to a repository. You can create security for .unx universes only (typically all out-of-the-box universes shipped in OBR are in .unx format; make sure that any custom universes used are in the same format as well).
• Make sure you have the necessary rights defined in the BObj Central Management Console (CMC).
Ensure that you have the Information Design Tool installed (BObj client tools are installable on Windows only; the client tools are packaged with OBR media). Launch the Information Design Tool (IDT) and perform the following steps:
1. Open the Security Editor with a session in the repository where the universe is published.
a. On the Information Design Tool toolbar, click the Security Editor icon.
b. In the "Open Session" dialog box, enter credentials. The Security Editor opens in a new tab.
2. Select the universe in the Universes / Profiles pane to define security profiles. (To insert a profile, right-click the universe name and select Insert Data Security Profile.)
3. In general, a Data Security Profile can be used to define the following types of security:
• Define replacement connections to override the connections defined in the universe.
• Define overrides for the query options and query limits defined in the universe.
• Define replacement tables.
• Restrict data returned to specific rows using a WHERE clause (as we will use in our example below).
Switch to the Rows tab and select K_Group as the table name (this is the table where OBR stores all group definitions). The following condition offers the restriction of viewing data only from the group ‘SM_PA’.
Note: You can create more than one Data Security Profile for a universe.
There is also the option of setting a Business Security Profile to define the following types of security:
• Restrict objects that appear in the Query Panel to create queries.
• Restrict objects for which data is returned.
• Filter data returned in queries.
Note: You can create more than one Business Security Profile for a universe.
4. Save the changes to the security settings in the repository by clicking the save icon in the main tool bar.
5. Select the Users / Groups pane to assign the profiles to users and groups.
6. Save the changes to the security settings in the repository by clicking the save icon in the main tool bar.
7. Test the security profiles for a particular user:
a. Open the Security Editor using the login information for the user who is being assigned the security profiles.
b. In the Universes / Profiles pane, right-click the universe and select Run Query.
The Query Panel opens. The security profiles assigned to the user are applied.
Because a user needs the "Administer security profiles" application right granted in order to open the Security Editor, this method of testing profiles is limited. The security profile for a user can also be tested using a sample report in Web Intelligence.
Upon completion of the above steps, the associated users are restricted to selecting only the SM_PA Group on all OBR Reports and have no visibility to any other group that may be available to other users. This applies to all reports that include Business View(s)/Group(s) in their prompts.
This technique is applicable for all conformed dimensions/CIs available in OBR. Security Profiles may be used within a non-MSP/single-tenant installation as well.
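The effect of the K_Group row restriction, and of the Optional-prompt caveat noted earlier, can be modelled in a few lines. This is an added example, not part of the original post or of OBR: it uses SQLite, and the node_metrics table, the group_id/group_name columns and the TENANT_B group are constructed for illustration. It assumes the restriction is applied only when K_Group takes part in the generated query.

```python
import sqlite3

# Constructed schema: table and column names other than K_Group are
# hypothetical and do not reflect OBR's real data model.
ROW_RESTRICTION = "K_Group.group_name = 'SM_PA'"  # "Rows" condition of the profile

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE K_Group (group_id INTEGER PRIMARY KEY, group_name TEXT);
        CREATE TABLE node_metrics (node TEXT, group_id INTEGER, cpu_util REAL);
        INSERT INTO K_Group VALUES (1, 'SM_PA'), (2, 'TENANT_B');
        INSERT INTO node_metrics VALUES
            ('pa-web01', 1, 41.0), ('pa-db01', 1, 63.5),
            ('b-web01', 2, 17.2), ('b-app01', 2, 88.9);
    """)
    return db

def group_prompt_values(db, profile_assigned):
    """Groups offered in a report's group prompt for this user."""
    sql = "SELECT group_name FROM K_Group"
    if profile_assigned:
        sql += " WHERE " + ROW_RESTRICTION
    return [r[0] for r in db.execute(sql + " ORDER BY group_name")]

def run_report(db, group_prompt_answered, profile_assigned):
    """Nodes a report returns; a Mandatory prompt is always answered."""
    sql = "SELECT m.node FROM node_metrics m"
    if group_prompt_answered:
        # Answering the prompt brings K_Group into the generated query.
        sql += " JOIN K_Group ON K_Group.group_id = m.group_id"
        # Modelled assumption: the row restriction is appended only when
        # the restricted table is part of the query.
        if profile_assigned:
            sql += " WHERE " + ROW_RESTRICTION
    sql += " ORDER BY m.node"
    return [r[0] for r in db.execute(sql)]

if __name__ == "__main__":
    db = build_db()
    print("prompt values    :", group_prompt_values(db, True))
    print("mandatory prompt :", run_report(db, True, True))
    print("optional, skipped:", run_report(db, False, True))
    print("no profile       :", run_report(db, True, False))
```

In this model a skipped Optional prompt returns every tenant's nodes even though the profile is assigned, which is the reason for making group prompts Mandatory.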