Tuesday, December 23, 2014

Why Healthcare Data Breaches Are So Lucrative

Back in April, 2014, the FBI issued a Private Industry Notification (PIN) warning the healthcare sector that its vulnerability to attack remains high, primarily because it is a lucrative target for criminals. Why are healthcare data breaches so lucrative?

A Reuters report on the FBI PIN indicates numerous reasons:
  • Healthcare data breaches are typically not detected as quickly as other data breaches (such as payment card information), and criminals have more time to use the data for profit. ($20 for health insurance credentials vs. $1 to $2 for US credit card numbers.)
  • Criminals can use medical records to impersonate patients with diseases and obtain prescriptions for controlled substances.
  • Identity theft and financial fraud are more complex, but very common, and very lucrative.

Clearly, it is essential that healthcare data breaches be top-of-mind for BI platform managers in the healthcare sector. They must do what they can to lower risk of data breaches occurring, to detect such breaches as quickly as possible, and to mitigate the damage done.

In an upcoming webinar, we will be exploring some of the ways you can mitigate the risks associated with breaches through proactive BI platform management, especially with regard to EHR integration considerations:



You can also access recordings of earlier Healthcare BI webinars at the APOS website.

Monday, December 8, 2014

Governance, Risk Management, Compliance in Healthcare - Whose Information Is It, Anyway?

Forrester's Nick Hayes recently posted a summary of a new Forrester report, Dissecting Global Risk Perceptions and the Effects of Customer Obsession. In his summary, he writes of a shift in the perception of governance, risk management, and compliance that is occurring in "customer-obsessed" organizations -- organizations that take the need to improve customer experience seriously.

This new-found interest in the security of customer information is really a case of self-interest aligning with customer interest. We see it in the healthcare industry, where HIPAA compliance is forcing BI practitioners to focus more and more on the flow of patient information through their BI environments. Patient privacy is paramount, because, let's be clear, it's not your information, it's their information. Your enterprise is entrusted with that information in order to provide the services for which you are contracted.


We'll be looking at some of the factors BI practitioners need to account for in our upcoming healthcare-focused webinar on EHR integration considerations. This webinar is the third installment in a series of webinars on BI best practices in the healthcare sector. In case you missed the earlier installments, you can review the recorded webinars here.

APOS Storage Center Now Includes LCMBIAR Backup & Selective Restore Capabilities

The latest update to APOS Storage Center for SAP BusinessObjects 4.1 includes some great new features and improvements.

For example, you can now use the familiar SAP LCMBIAR file technology to back up your standard, system and application objects. You also have the option to include object level security in your LCMBIAR backups. However, unlike the standard SAP LCMBIAR method, the APOS Storage Center LCMBIAR backup method allows you to restore objects selectively. It also overcomes any volume limitations you may have experienced in LCMBIAR backup and restore operations.

The latest version of APOS Storage Center also includes:
  • Backup and restore of other information object types such as Xcelsius, Office Documents, Infospaces
  • Archive/backup and restore of instances using LCMBIAR method
  • Ability to restore original creation date and original update date for instances
  • Rollback for any backup that uses the LCMBIAR method

Talk to your account manager to find out how you can benefit from these new APOS Storage Center features.

Wednesday, October 15, 2014

Migration Webinar Today - Web Intelligence Update

When: Wednesday, October 15, 2014, 10 am / 4 pm EDT
Guest Presenter: Gregory Botticchio, Solution Manager, SAP
Our migration webinar series continues as SAP's Gregory Botticchio joins us to provide an update on the latest news for Web Intelligence in SAP BusinessObjects BI 4.1. Gregory will discuss new and incremental features, and provide a glimpse into coming capabilities. Join us to learn about:
  • Performance improvements
  • New customization capabilities
  • Enhanced core capabilities

Wednesday, October 1, 2014

Webinar Today - Agile BI Platform Management at HP Enterprise Services

When: Oct. 1, 2014, 2 pm EDT - Today
Guest Presenter: Niladri Chowdhury, HP Enterprise Services
Register for the webinar. All registrants will receive a link to this and other recorded webinars.

Agility is now the defining quality for BI platform management, because the agile enterprise has become the norm, and an enterprise can only be as agile as its least agile component -- like the weakest link in a chain.

Niladri Chowdhury joins us today to discuss agile BI platform management at HP Services, an enterprise that specializes in helping other enterprises achieve agility. The "Always on" enterprise integrates mobility, connectivity and interactivity. "Always on" means 24/7, and if your business team is making decisions around the clock, your BI platform has to deliver on the same basis.

BI is central to enterprise decision making, but increasing volume and complexity make it increasingly difficult for BI platform managers and administrators to deliver on BI's promises. Everyone has heard the story of the frog in a pot of water that is slowly brought to a boil. The frog doesn't notice the increasing heat and is boiled alive. Being a BI platform manager can feel like that.

What's to be done? You can stand still and lower service levels; you can add resources; or you can look at strategies for achieving agile BI platform management. Join us today to see how HP Enterprise Services is employing the third option with the help of APOS well managed BI solutions.

Monday, September 22, 2014

APOS Announces Dashboard Auditor Product

APOS Systems Inc. today at the 2014 SAP Analytics & BusinessObjects Conference (SABOUC) announced the release of its new APOS Dashboard Auditor for SAP BusinessObjects.

Using the Dashboard Auditor, you can:
  • Audit Xcelsius and Design Studio dashboards, as well as Xcelsius components streamed into Design Studio using APOS Dashboard Migrator.
  • Implement usage auditing - know who is using your dashboards, and where and when.
  • Implement functional auditing - know how your dashboards are being used.
  • Verify that your investment in dashboards is paying off - that the dashboards are being used by your target audiences, and as you intended.
  • Analyze your current Dashboards environment in preparation for migration to Design Studio.

Dashboards are an increasingly important means of delivering business intelligence. Companies are investing substantial sums in dashboard development and want to know how effective they are in delivering that information, and how dashboards can be improved to meet user requirements and expectations.
Visit the APOS team at SABOUC, Booth #105, to learn firsthand how the APOS Dashboard Auditor can help you optimize the dashboard experience of your information consumers.

Read the press release.

Friday, September 19, 2014

See You at SABOUC 2014, Booth #105

Will you be there in Dallas / Fort Worth? The APOS team will be at booth #105, ready and willing to talk to you about how we can help you become more agile in your SAP BusinessObjects BI platform management and administration.

We will also be hosting an education session on Agile BI Platform Management at HP Enterprise Services, featuring HP's Niladri Chowdhury. Niladri will be sharing his migration and platform management experiences.

The HP "Always On" initiative positions HP Enterprise Services as an agile enterprise enabling agility in other enterprises. Naturally, they need their SAP BusinessObjects BI 4 platform management to be agile as well. With customers such as the US Navy, the UK Ministry of Defense and NASA, HP ES must also be the agile enterprise which it sells. Using HP products such as HP Vertica and HP Autonomy with SAP BusinessObjects, their IT department is a model for the integration of complex information systems to produce real-time BI and effective data visualization.

If you are experiencing challenges with volume and complexity in your BI deployment, Niladri's experiences will be familiar to you. Find out how he brings agility to the HP Enterprise Services SAP BusinessObjects deployment.

Wednesday, September 17, 2014

Webinar Alert: Healthcare & BI Platform Management

When: Thursday, Sept. 18, 2014 - 10 am, 4 pm EDT

BI in the Healthcare sector is growing rapidly in response to US healthcare reform, and healthcare organizations are looking for proactive ways to manage and administer the BI platform in the face of increasing volume, complexity and compliance considerations.

Join us for a discussion of the major challenges facing SAP BusinessObjects BI platform managers and administrators in the healthcare industry. This webinar will examine ways to increase your BI platform management agility to help you:
  • Master complexity in data sources and information consumer requirements
  • Manage compliance through greater system visibility and high-volume administration
  • Maintain credibility through reliable, secure, accurate and timely delivery of information

Please join us as we explore techniques and best practices for SAP BusinessObjects platform management in healthcare.

Monday, August 11, 2014

Security Blogging - A Stitch in Time…

By Rick Epstein

Have you ever heard someone rationalize an important decision with a folksy saying? It may make one seem wise at the time, but you should be aware that, for every such "wise" saying, there is generally an equally wise and opposite saying. For example, "look before you leap," but "he who hesitates is lost."

If your rationale for not reconsidering your SAP BusinessObjects security model is "If it ain't broke, don't fix it," then my reply to you is that "A stitch in time saves nine." You won't know whether it's broken until you look.

There are, of course, other sorts of objections to taking action that I hear over and over again from normally risk-averse people who don't want to address necessary changes to their SAP BusinessObjects security model.

Here are the top five:

We don't have any data that needs to be secured.
Great. Just publish it all on the Internet. No? Every company has private data that they don't want to share with competitors and/or the public. The only difference is the degree to which a breach will hurt. What is your pain threshold?

We don't have time right now.
What will it take to get your attention? Delaying the discussion of your SAP BusinessObjects security model will almost inevitably lead to an unanticipated security breach. Implementing a well designed security model is an investment. Prioritize and make the time.

We don't have money in the budget.
Budgets are expressions of priorities. If you don't have money in the budget, then you need to re-examine your priorities. The potential cost to your company -- in terms of both money and reputation -- in the event private information is viewed by an unauthorized person or persons far exceeds what it would cost you to analyze and reengineer your SAP BusinessObjects security model.

Why should we change? Our security model works fine.
If it seems as though the pain of change is too much to bear, ask yourself how you will feel about the pain of regret. It is quite likely that there are unknown security holes in your security model. Designing and implementing a security model using a true top-down methodology is the only way to ensure that there are no such holes.

We don't have resources who know enough…
…about SAP BusinessObjects security to instantiate a true top-down security model. Then I guess today is your lucky day. Please reach out to me at repstein@resolvitinc.com. I would be glad to provide some tips and tricks and answer some questions in a 1-hour free consultation.

Thursday, July 17, 2014

SAP BusinessObjects Security - Remediation, or How to Find & Repair Gaping Holes in Your Current Security Model

By Rick Epstein

Ideally, you will want to plan your security architecture and design a bulletproof security model. However, sometimes assessment will uncover gaping holes in your current architecture, and you will want to close those holes as quickly as possible to reduce risk to your organization.

Here are the broad strokes for assessment and remediation. Keep in mind the best practices discussed in the previous post as you proceed through each of these steps:

  1. Inventory groups and group members (users)
  2. Look at each granular inherited & explicit permission for each principal for each content folder, universe folder, category folder, connection (connection folders in BI 4.x)
  3. Are there any permissions set specifically on content within these folders?
  4. Create groups for each application and apply the No Access to the Everyone group for each group on its respective application
  5. Create groups for every content folder, universe folder, category folder, connection (connection folders in BI 4.x)
  6. Apply the same security to each group on each folder
  7. Create generic groups for specific grants or denials of rights
  8. From your inventory of groups and users and permissions set for each, assign users to these new groups
  9. Remove users from the old groups
  10. Store the old groups in another group called something like "zzzToBeDeleted"

As I said, these are the broad strokes. They are a good start, but there remain traps for the unwary, and great potential for unintended consequences. If it reminds you of old mariners' charts with captions such as "There be dragons here," that may be a good thing.

Next in the security blogging series: Why companies don't update their security model.

Tuesday, June 24, 2014

SAP BusinessObjects Security - The Wonders of a Top-Down Methodology

By Rick Epstein

Forget the 7 Wonders of the World: these 7 wondrous tips will help you get started with building your own highly effective security model. Taken together, these best practices constitute a "top-down" methodology. That is, starting from these principles, we can easily drill down to enable efficient and effective management of the most granular aspects of SAP BusinessObjects security. They lay the groundwork. As every project manager knows, the more efficiently you prepare upstream, the less thrashing you'll do downstream.

So, here we go:

  1. Create a structure that will allow you to add all of your users easily and to specify their rights clearly.
  2. Apply No Access to Everyone on all top level folders.
  3. Never break inheritance.
  4. Never use explicit denial of access.
  5. Enforce access rights on users by adding them to groups.
  6. Never apply security individually to users—only to groups.
  7. If you are using Active Directory authentication (with or without Single Sign On), never assign permissions directly on imported AD groups.

Let’s delve into these a little bit more:

1. Create a structure that will allow you to add all of your users easily and to specify their rights clearly
There are many ways to structure your groups.  I would recommend having the groups mirror the structure of your folders.  In this way, users can inherit rights from parent groups and parent folders.  If you allow inheritance from both parent groups and folders and you haven’t set up one of their permission settings (the folder or group) correctly, a user will inherit unintended permissions.

2. Apply No Access to Everyone on all top level folders
We’ve discussed the importance of this concept in a previous blog post.  I can’t stress enough how important it is to start with a clean slate.  Set the Everyone group to “No Access” for all top level folders and all applications.  Likewise, make sure that the Administrators group has “Full Control” in all of these areas.

3. Never break inheritance
Never is a strong word.  I was always taught in school that, on a multiple-choice question, if one of the answers used the word “always” or “never,” I should not choose it, as it would likely be wrong.  How true that advice was.  Let’s rephrase this tip by saying that most of the time you shouldn’t break inheritance.  If you follow tip 1 above, then it would be appropriate to break inheritance on each folder when assigning one group access to one folder and not wanting that to cascade down.  For example, let’s say that we have 3 folders:  A, B, & C.  B is a subfolder of A and C is a subfolder of B.  Likewise, we have 3 groups GroupA, GroupB, and GroupC.  We have arranged these groups hierarchically to inherit from their parent.  GroupB is beneath GroupA and GroupC is beneath GroupB.  We assign GroupA view access on Folder A.  By inheritance, GroupA would be able to have view access on Folders B and C.  Therefore, we would want to remove the inheritance on Folder B for GroupA.

4. Never use explicit denial of access
In this case, the never is true.  The only circumstance under which you would consider setting an explicit denial is if you had a custom group set up where you wanted to deny its users the ability to do something that was granted by their other group memberships.  For example, I have occasionally created a group that denies users the ability to export a report’s data.  We assign this group to certain folders. We add users to this group.  When these users access any report in these folders, they are not able to export the report’s data.  The scope for this explicit denial should be viewed with a very narrow and specific focus.

5. Enforce access rights on users by adding them to groups
6. Never apply security individually to users—only to groups
Tips 5 and 6 are flipsides of the same coin. These are 2 simple rules that should make a lot of sense.  Apply security on groups and their access to folders/applications.  By adding users to these groups, the users will inherit the rights of the groups to which they belong.

7. If you are using Active Directory authentication (with or without Single Sign On), never assign permissions directly on imported AD groups
I talked about this in my last post.  The problem with applying security directly on an Active Directory group is that it moves security outside of the BI deployment, creating a very large potential for unintended consequences.

If there is an Active Directory server upgrade, or service pack, or other maintenance, Active Directory communication may be interrupted, and groups can be "reset". While such a reset doesn’t affect the Windows environments, it can have an adverse effect on SAP BusinessObjects Active Directory integration. For example, an Active Directory group mapped in SAP BusinessObjects may become "unreadable" by SAP BusinessObjects. When you re-import or re-map that Active Directory group, you would need to set up all permissions on that group all over again. A far easier and better solution is to make Active Directory groups part of SAP BusinessObjects Enterprise groups and have security assigned on those Enterprise groups only.
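
One way to check an inventory of security assignments against tips 2, 4, 6 and 7 (and the inventory steps of the remediation post), as an added example that is not part of the original post. The row format, the group, user and AD group names, and the application list are constructed; producing such an inventory from a real deployment is assumed to be done separately.

```python
# Top-level folders named in the "Abuse of the Everyone Group" post.
TOP_LEVEL = ["Folders", "Personal Folders", "Universe Folders",
             "Connection Folders", "Categories", "Personal Categories"]


def row(principal, ptype, target, access=None, denials=()):
    """One inventory line. ptype: 'enterprise_group', 'ad_group' or 'user'."""
    return {"principal": principal, "ptype": ptype, "target": target,
            "access": access, "denials": tuple(denials)}


def audit(rows, applications):
    """Return a sorted list of (rule, target, principal) findings."""
    findings = set()
    by_key = {}
    for r in rows:
        by_key.setdefault((r["target"], r["principal"]), []).append(r)
        if r["ptype"] == "user":          # tip 6: security only on groups
            findings.add(("security-on-user", r["target"], r["principal"]))
        if r["ptype"] == "ad_group":      # tip 7: never directly on AD groups
            findings.add(("security-on-ad-group", r["target"], r["principal"]))
        if r["denials"]:                  # tip 4: denials need a narrow reason
            findings.add(("explicit-denial-review", r["target"], r["principal"]))

    # Tip 2: Everyone = No Access, Administrators = Full Control,
    # on every top-level folder and every application.
    for target in TOP_LEVEL + list(applications):
        everyone = [r["access"] for r in by_key.get((target, "Everyone"), [])]
        if not everyone:
            findings.add(("everyone-not-set", target, "Everyone"))
        elif everyone != ["No Access"]:
            findings.add(("everyone-has-access", target, "Everyone"))
        admins = [r["access"] for r in by_key.get((target, "Administrators"), [])]
        if "Full Control" not in admins:
            findings.add(("admins-lack-full-control", target, "Administrators"))
    return sorted(findings)


def sample_inventory():
    """Constructed inventory with one violation of each rule."""
    apps = ["CMC", "Web Intelligence"]    # assumed application list, not exhaustive
    rows = [row("Administrators", "enterprise_group", t, "Full Control")
            for t in TOP_LEVEL + apps]
    rows += [row("Everyone", "enterprise_group", t, "No Access")
             for t in ("Folders", "Personal Folders", "Connection Folders",
                       "Categories", "CMC")]
    rows += [
        # Everyone given an access level instead of No Access
        row("Everyone", "enterprise_group", "Universe Folders", "View"),
        # Personal Categories and Web Intelligence: Everyone never set at all
        row("Finance Readers", "enterprise_group", "Folders/Finance", "View"),
        row("jsmith", "user", "Folders/Finance", "Schedule"),
        row(r"CORP\BI-Finance", "ad_group", "Folders/Finance", "View"),
        row("No Export", "enterprise_group", "Folders/Finance",
            denials=("Export",)),
    ]
    return rows, apps


if __name__ == "__main__":
    inventory, applications = sample_inventory()
    for rule, target, principal in audit(inventory, applications):
        print(f"{rule:26} {target:20} {principal}")
```

The `explicit-denial-review` finding is a prompt to confirm the denial is one of the narrow, documented cases tip 4 allows, not a verdict that it is wrong.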

Next in the security blogging series: Remediation, or how to find and repair gaping holes in your current security model

Monday, June 23, 2014

Webinar: SAP BusinessObjects Security Management & Impact Analysis for Epic Deployments

When: June 25, 2014, 2pm EDT
Guest Presenter: Rick Epstein, President, ResolvIT Inc.

Healthcare business intelligence has many unique challenges. For healthcare providers, practice management, financial management, and the tracking of "meaningful use" information can be simplified by tight integration of the BI and EMR platforms. However, this integration has serious implications for security management and the safeguarding of electronic Protected Health Information (ePHI).

For organizations using Epic solutions, there is often a recurring need to update SAP BusinessObjects reports when an Epic update is implemented. We will look at ways to perform efficient and effective impact analysis of Epic updates, and to update your SAP BusinessObjects deployment accordingly.

Join security expert Rick Epstein of ResolvIT Inc. and Fred Walther of APOS Systems as they examine issues around SAP BusinessObjects security management and impact analysis for Epic deployments.

Register for this webinar…

Friday, June 13, 2014

2 Easy (Free) Ways to Get More from Your SAP BusinessObjects Deployment

If you're planning upgrades to your BI deployment, or planning your migration to BI 4, you'll first need to take stock of your current deployment's objects, schedules and instances. APOS Insight Elements is an excellent place to start your planning inventory.

If you've already migrated to BI 4, then you know that it was designed with mobile in mind. The APOS BI Mobile app for iPad / iPhone is an excellent, easy, and free way to realize that potential.

Check out both of these products, with our compliments:

2 Easy Ways to Get More from Your SAP BusinessObjects Deployment...

Wednesday, June 11, 2014

Common SAP BusinessObjects Security Mistakes - Miscellaneous

By Rick Epstein

This post concludes the list of most common security mistakes begun in these earlier posts:
We end our discussion of common SAP BusinessObjects security mistakes with a couple of miscellaneous items.


Mistake #8: Allowing too many people to be able to see the SAP BusinessObjects License Key(s)
Allowing all administrators to see license keys is NOT a good practice. Only 1 or 2 people should have rights to see this as well as your company’s purchasing dept.

Mistake #9: Applying security on an Active Directory group directly
The problem with applying security directly on an Active Directory group is that it moves security outside of the BI deployment, creating a very large potential for unintended consequences.

If there is an Active Directory server upgrade, or service pack, or other maintenance, Active Directory communication may be interrupted, and groups may be "reset". While such a reset doesn’t affect the Windows environments, it can have an adverse effect on SAP BusinessObjects Active Directory integration. For example, an Active Directory group mapped in SAP BusinessObjects may become "unreadable" by SAP BusinessObjects. When you re-import or re-map that Active Directory group, you would need to set up all permissions on that group all over again. A far easier and better solution is to make Active Directory groups part of SAP BusinessObjects Enterprise groups and have security assigned on those Enterprise groups only.

Are you aware of other common security mistakes, or do you have questions about what is written here? Use the Comments section for this post, or email me directly at repstein@resolvitinc.com.

In my next post, I'll look at "top-down methodology and best practices."

Thursday, May 29, 2014

Common SAP BusinessObjects Security Mistakes - Securing Content



By Rick Epstein
ResolvIT Inc.


This post continues the list of common security mistakes begun in my earlier post, Abuse of the Everyone Group.

Content is an asset. It has value for your organization, is frequently subject to regulatory compliance requirements, and can cause damage to your organization if it falls into the wrong hands. Securing content requires your utmost attention.

Mistake #4: Not securing all content within the CMC
You should be able to have confidence that any user logging in to the CMC can only see what you want them to see, and perform only those actions you want them to perform.

Mistake # 5: Setting explicit denials
There may be a place for explicit denials somewhere in your security model, but as a rule, you should avoid them like the plague. They are just too difficult to document. Once you set explicit denials, undoing them can be difficult. It's very difficult to know what unintended consequences you've unleashed through the cascading effects of explicit denials.

Mistake #6: Breaking inheritance without a clear plan and good documentation of such
Users will potentially have new rights which are not controllable from a higher folder and/or group level. An administrator would likely not be aware that this situation exists and would mistakenly think that content is secure. In other words, if there is a parent folder which has subfolders and the parent folder has inheritance broken, that folder and its subfolders will have a set of permissions that are likely not consistent with all desired security settings and certainly different from those on folder levels above them.

Mistake #7: Not knowing who has rights to what content and what a user can do with that content
What if granular rights have been set? What if explicit denials have been used? What if inheritance has been broken? Any one or more of these leads to confusion and not only makes maintenance difficult but makes it nearly impossible to know who can see and do what. Ask yourself, "What is the summation of all rights for this user on this object?"

Are you aware of other common security mistakes, or do you have questions about what is written here? Use the Comments section for this post, or email me directly at repstein@resolvitinc.com.

More common mistakes in my next post.

Friday, May 16, 2014

Common SAP BusinessObjects Security Mistakes - Abuse of the Everyone Group

By Rick Epstein

This post starts a list of the most common security mistakes committed by uninitiated SAP BusinessObjects administrators. The world of BI security is ruled by the law of unintended consequences. What you don't know can hurt you.

The mistakes documented in these posts are not in rigid order of importance. However, you may regard the three listed in this first post as foundational to your security model. If you don't get these ones right, your security model will almost certainly cause you grief.

Mistake #1: Applying security on the Everyone group rather than setting the group to "No Access"
To avoid inappropriate (and not necessarily apparent) access to folders, applications, and content, you should always set the Everyone group to "No Access." If you want to apply a security setting to all users, then create a custom group and add the Everyone group to it. Setting the Everyone group to "No Access" is the foundation upon which you will build a good security model.

Mistake #2: Forgetting to apply "No Access" to the Everyone group on all Top-Level folders (Folders, Personal Folders, Universe Folders, Connection Folders, Categories, Personal Categories)

Missing any one of these Top-Level folders potentially allows users inappropriate access to other users’ content.

Mistake #3: Forgetting to apply "No Access" to the Everyone group on all applications
Missing any application may allow users to have inappropriate access and permissions with regard to applications.

Are you aware of other common security mistakes, or do you have questions about what is written here? Use the Comments section for this post, or email me directly at repstein@resolvitinc.com.

More common mistakes in my next post.

Monday, May 12, 2014

SAP BusinessObjects Security - Rights Assignment

By Rick Epstein

As I mentioned in my previous post, access levels are applied to users and groups. By contrast, there are three SAP BusinessObjects security settings that apply at the granular rights level.
  • No Access: This acts to not allow the right but can be overridden by an explicit grant or an explicit denial
  • Explicit Denial: Does not allow the right on an object and cannot be overridden
  • Explicit Grant: Allows the right on the object and can be overridden

There is another setting that is available for each right that is assigned: the Apply on This Object or All Sub-Objects setting. By default, a right assignment is applied to all sub-objects. Sub-objects can be sub folders or reports, categories, universes, or connections under the folder on which a right is applied. Assigning the right only to this object (not sub-objects) will prevent the right from cascading/inheriting down.
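
The three settings and the scope option above, worked through as an added example (not part of the original post, and not the product's own resolution logic): a simplified resolver that answers "which assignments decide this right for this user on this folder?" using only the rules stated in these posts. The users, the Analysts and NoExport groups, and the `broken` set are constructed; the A/B/C folders and GroupA/B/C hierarchy follow the inheritance example in the top-down methodology post.

```python
from dataclasses import dataclass, field

GRANT, DENY = "grant", "deny"    # an absent assignment means "No Access"


@dataclass(frozen=True)
class Assignment:
    group: str
    folder: str
    right: str
    setting: str
    sub_objects: bool = True     # default scope: this object and all sub-objects


@dataclass
class Model:
    folder_parent: dict          # folder -> parent folder (None at the top)
    group_parent: dict           # group  -> parent group  (None at the top)
    members: dict                # user   -> groups the user was added to
    assignments: list
    broken: set = field(default_factory=set)  # {(folder, group)}: inheritance broken

    def groups_of(self, user):
        """Groups the user was added to, plus every parent group above them."""
        seen = set()
        for g in self.members.get(user, ()):
            while g is not None and g not in seen:
                seen.add(g)
                g = self.group_parent.get(g)
        return seen

    def applicable(self, user, folder, right):
        """Every assignment that reaches this user on this folder for this right."""
        hits = []
        for group in sorted(self.groups_of(user)):
            f, on_object = folder, True
            while f is not None:
                hits += [a for a in self.assignments
                         if (a.group, a.folder, a.right) == (group, f, right)
                         and (on_object or a.sub_objects)]
                if (f, group) in self.broken:
                    break        # nothing set above f reaches this group
                f, on_object = self.folder_parent.get(f), False
        return hits

    def effective(self, user, folder, right):
        """Return (verdict, assignments that decided it)."""
        hits = self.applicable(user, folder, right)
        denies = [a for a in hits if a.setting == DENY]
        if denies:               # explicit denial cannot be overridden
            return "denied", denies
        grants = [a for a in hits if a.setting == GRANT]
        if grants:               # explicit grant overrides No Access
            return "granted", grants
        return "no access", []   # nothing specified


def demo_model():
    """Constructed data set (hypothetical users and extra groups)."""
    return Model(
        folder_parent={"A": None, "B": "A", "C": "B"},
        group_parent={"GroupA": None, "GroupB": "GroupA", "GroupC": "GroupB",
                      "Analysts": None, "NoExport": None},
        members={"alice": {"GroupA"}, "bob": {"GroupC"},
                 "carol": {"Analysts", "NoExport"}},
        assignments=[
            Assignment("GroupA", "A", "view", GRANT),
            Assignment("GroupB", "B", "view", GRANT, sub_objects=False),
            Assignment("GroupC", "C", "view", GRANT),
            Assignment("Analysts", "A", "view", GRANT),
            Assignment("Analysts", "A", "export", GRANT),
            Assignment("NoExport", "B", "export", DENY),
        ],
    )


if __name__ == "__main__":
    m = demo_model()
    print("alice view C, inheritance intact:", m.effective("alice", "C", "view")[0])
    m.broken.add(("B", "GroupA"))
    print("alice view C, broken on B:       ", m.effective("alice", "C", "view")[0])
    for user, folder, right in [("bob", "A", "view"), ("carol", "A", "export"),
                                ("carol", "C", "export")]:
        verdict, why = m.effective(user, folder, right)
        print(user, right, folder, "->", verdict,
              [(a.group, a.folder) for a in why])
```

Note that bob, a member of GroupC only, still gets view on Folder A through the parent-group chain, which is the kind of combined group and folder inheritance the top-down methodology post cautions about.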

Okay, those are the basic elements of the Security Knowledge Framework.

What's next? In upcoming posts, I'll be discussing some common security mistakes. (Hint: Everyone Group, Top Level Folder rights, CMC Rights, Explicit Denials, Broken Inheritance.)

Thursday, May 8, 2014

New Case Study - Melbourne Water

Melbourne Water recently implemented the Object Manager module of the APOS Administrator solution.

APOS Administrator simplifies and automates:
  • Security management
  • Object management
  • Report scheduling
  • Instance management
  • Structured content promotion
  • Administrative user impersonation

Melbourne Water is a utility operated by the Victoria state government in Australia. It sees its mission to be "Enhancing life and livability with secure and reliable water services, desirable urban spaces and environments, and healthy waterways and bays."
They were facing numerous challenges with their SAP BusinessObjects deployment, including:
  • Consolidating numerous data sources
  • Updating Crystal Reports objects to the new consolidated data source
  • Implementing SAP BusinessObjects Data Services
  • Designing universes to facilitate adoption of Web Intelligence for self-serve BI
  • Creating an inventory of all reports in the system to enable cleanup
  • Simplifying and codifying BI platform administration processes

This case study documents how Melbourne Water used APOS Object Manager to address these challenges.
Read the case study...

Wednesday, April 30, 2014

SAP BusinessObjects Security - Access Levels

By Rick Epstein


An access level is a set of permissions that apply to a user or group concerning an object such as a folder or report. SAP BusinessObjects lets you create custom access levels -- something I will write about in a future post -- but for now, let's restrict ourselves to the five pre-defined Access Levels in SAP BusinessObjects:
  • View: Can see the object and view instances of reports
  • View on Demand: Inherits rights of the View Access level and can run reports real time
  • Schedule: Inherits rights of the View On Demand Access level and can schedule reports
  • Full Control (owner): Inherits rights of the Schedule Access level and can add, copy, delete content if the user is also the owner
  • Full Control: Inherits rights of the Schedule Access level and can add, copy, and delete content regardless of the content's owner

Nothing too controversial there, but it does open up the topic of inheritance, a topic which will be important in all that follows, and which may be the source of many unintended consequences. So let's be clear about what we mean by inheritance:
  • Inheritance: Getting the rights of the parent group(s) and/or parent folder(s)

Access levels apply to users and groups. My next post will deal with rights settings, which are assigned at the object level.

Monday, April 28, 2014

Security Knowledge Framework

By Rick Epstein


It is always difficult to dive into a topic that is both very large and very granular in nature. SAP BusinessObjects security is just such a topic. Where do we start?
Experienced administrators will have a good grasp on the basics of security administration, and will want to get granular very quickly. Those who are just coming to the topic of SAP BusinessObjects security, or who are not hands-on administrators, but need a better understanding of security to ensure corporate data governance objectives are being met, will benefit from more high-level discussion.

Well, as they say, you can't please everyone.

At the risk of alienating some security veterans, I'm going to start at the 30,000-foot level, just so we can all get onto the same page as quickly as possible. If we're going to have a meaningful conversation about security, we first have to make sure we're all speaking the same language. I promise we will get granular quickly, with tips and tricks that both veterans and beginners will be able to appreciate.

To start, let's establish a frame of reference -- a Security Knowledge Framework.

What is the Security Knowledge Framework? It is the collection of concepts and definitions that you need to understand to implement and manage an efficient and effective security model in SAP BusinessObjects. It helps you establish your security requirements and develop your security model.

At its most basic, security is about access -- ensuring that the appropriate people have access to the appropriate information. But the converse is equally important -- ensuring that sensitive information does not fall into inappropriate hands. Access is all-important, so my next post will examine access levels in SAP BusinessObjects.

Monday, April 21, 2014

Security Blogging with Rick Epstein

SAP BusinessObjects Security expert Rick Epstein of ResolvIT Inc. recently co-hosted a webinar with APOS concerning Security Architecture & Management in SAP BI 4. (View the recorded webinar.) The webinar touched on many areas of SAP BusinessObjects security, including security model design and migration, data governance, and regulatory compliance. Rick will be following up on that very well-received webinar with a series of security-related guest posts on this blog.

Rick's professional focus is on SAP BusinessObjects security, report and universe design, process streamlining and data consolidation -- all with the objective of helping organizations establish their SAP BusinessObjects deployment as the single source of truth for operational excellence and efficient planning. He has implemented SAP BusinessObjects security models in numerous industries, including healthcare, aerospace and defense, and manufacturing.



Why You Need to Focus on Security

Those of you who attended the webinar, or watched the recorded webinar, will know that we started out with an overview of how growing BI volume and complexity have made the work of BI platform managers and administrators much more difficult. BI volume and complexity raise many issues for system analysis, administration, storage, query management and publishing, but none is more important than ensuring that the right people -- and only the right people -- have access to appropriate information within your system.

With the increasing emphasis on mobile and self-serve BI, the roles of BI platform managers and administrators will become even more demanding. If you are one of these people, the security of your BI platform has to be very high on your list of concerns.

Our first focus is generally on the accessibility of data -- getting our data into data warehouses, moving our reports between environments, bursting reports to a wide variety of information consumers, etc. We spend so much time getting these things right that we may not fully consider what can go wrong. Worse still, we may not know something can go wrong until it does. Bringing resources to bear on the issue of security is part of the solution. The other, equally important, parts are knowledge and experience.



Topics for Discussion

Rick will start his series of blog posts by taking a deeper look at the Security Knowledge Framework. What is the Security Knowledge Framework? It is the collection of concepts and definitions that you need to understand to implement and manage an efficient and effective security model in SAP BusinessObjects. It helps you establish your security requirements and develop your security model. The first order of business is to make sure we're speaking the same language.

Future entries will drill down into areas such as:
  • Security model design and implementation
  • Security model migration
  • Security assessment
  • Regulatory compliance
  • Data governance

Do you have a specific security-related question? Contact Rick Epstein at repstein@resolvitinc.com

Case Study: Social Services Agency, Santa Clara County

The Social Services Agency (SSA) of Santa Clara County, CA, spoke to us recently about their experience with our APOS Storage Center and APOS Insight solutions.

The SSA's 600-plus BI accounts currently use Desktop Intelligence and Web Intelligence as their primary report delivery media. At the time of writing, the SSA was in the process of planning its migration to BI 4, so investigation of and preparation for the inevitable full adoption of Web Intelligence was also under way. More recently, the BI team has been delivering BI to the agency's information consumers via SAP BusinessObjects Dashboards (formerly Xcelsius).

In 2011, after receiving recommendations from peers at an SAP BusinessObjects conference, SSA implemented APOS Storage Center. SSA needed a strategy and solution for backing up, archiving, and selectively restoring reports. Aside from needing to implement a reliable backup solution, they wanted to optimize system performance and have the means to comply quickly and easily with regulatory requirements through selective restore.

In 2013, as SSA was preparing for their migration to SAP BusinessObjects BI 4, they were looking for a means of doing an inventory and forming a complete understanding of their BI system and what is currently being used. Their positive experience with APOS led them to contact APOS again.
Thinh Hong, Information Systems Manager with SSA, summed up her experiences with these APOS solutions:

APOS Storage Center provides us with an efficient, rules-based means of cleaning up our BI environment, and the ease with which it allows us to back up and selectively restore objects has been very useful. We can archive and retrieve historical instances in a neutral format, which is important, because we maintain a five-year window on instances for regulatory compliance.
APOS Insight's impact analysis capabilities allow us to see what effect changes to our data model will have downstream. It has allowed us to analyze SAP BusinessObjects metadata effectively. The information we've gathered through Insight has been very useful in helping us to manage and troubleshoot our BI environment. We will be using APOS Insight to compare environments pre- and post-migration to benchmark performance and to ensure security has translated to the new system properly, and to build a list of reports for conversion from Desktop Intelligence to Web Intelligence.

Tuesday, April 1, 2014

Dashboard Design and Full-Spectrum BI

In a recent APOS webinar, SAP's Ian Mayor described SAP BusinessObjects BI 4 as a "full-spectrum" approach to business intelligence. While reporting remains the standard for attaining and maintaining operational excellence, the full spectrum approach to BI complements such reporting with mobility (dashboards and apps) and self-serve BI (agile visualization).

Mobility is one of the key themes in SAP BusinessObjects BI 4. Mobility is often cited by customers as a motivation to migrate. The increased emphasis on mobility and agile visualization are portents of the interactive, proactive and collaborative future of BI. This emphasis recognizes that the vast majority of enterprise employees are now knowledge workers who contribute to the enterprise through their interaction with and analysis of enterprise information.

Nowhere is the bright future of mobile BI more clear than in the increased emphasis on dashboards and Web apps. Mobile BI is no longer just for executives. As the role of the dashboard designer becomes more critical to the evolution of BI within the enterprise, SAP's Design Studio offering unites dashboard and Web app design in a single environment.

Using Design Studio, dashboard designers are building engaging experiences for a wide variety of enterprise users. The trend in dashboards is away from static presentations toward customized and interactive presentations, which not only deliver timely information in an easily digested format, but also allow information consumers to explore the data and find what they need quickly.

The transition to Design Studio is not without challenges, and we recently explored those challenges in an SAP Community Network blog post. You can manage some of those challenges with third-party solutions such as the APOS Dashboard Migrator, which will allow you to leverage your Xcelsius investment within Design Studio.

And, as always, there is help available in the APOS Migration Webinar series, particularly in the upcoming April 24 webinar on Design Studio with SAP's Ian Mayor.

Monday, March 24, 2014

APOS Announces Release of Dashboard Migrator for SAP BusinessObjects Design Studio

APOS Systems Inc., a leading provider of well managed business intelligence (BI) solutions for SAP BusinessObjects, announces its new Dashboard Migrator for SAP BusinessObjects Design Studio. The Dashboard Migrator is a plug-in that lets you leverage your existing SAP BusinessObjects Dashboards (formerly known as Xcelsius) development in the new SAP BusinessObjects BI 4.1 Design Studio environment. Using the Dashboard Migrator, dashboard developers can embed Xcelsius components and complete dashboards in their Design Studio projects.

Thursday, March 20, 2014

Query Governance and Self-Serve BI

We have seen the future of BI, and it is self-serve. The growth of BI has steadily tended away from simple, passive reporting toward engagement and interaction, and finally to providing the ability to build your own query and render it with statistical and visual impact.

SAP Lumira is a prime example of this trend. If you didn't get a chance to see Stefan Schmitz as a guest presenter for our SAP Lumira, SAP BusinessObjects Explorer, BI 4, and Self-Serve BI webinar, then you can check out the recorded webinar to see how Lumira is starting to change the way that BI users analyze, present, and consume information.

Standard reporting is a remnant of the old command and control hierarchies so common not so long ago, but we are all information workers now, and we need to be able to explore, digest, and present information in ways that help us contribute to the enterprise.

But self-serve BI is a good news/bad news story. The information consumer's liberation creates challenges for BI platform managers and administrators. To make self-serve BI work, administrators are ceding control of information and information sources to information consumers, and the administrative challenge is to maintain a robust BI system and consistent service levels while the system is receiving more information requests at different times and in different ways.

As a BI platform manager or administrator in a self-serve BI world, your objectives are clear:
  • Optimize queries
  • Optimize data connectivity
  • Foster data connectivity accountability

From these objectives flow your challenges:
  • Data connection visibility - so much of what happens in the delivery of business intelligence happens outside of your BI system, and typical BI monitoring does not account for these processes.
  • DBA dependency - even if you can identify problem queries that are affecting BI system performance, you may have to rely on DBAs external to your department to troubleshoot and remedy problems.
  • Bottlenecks - with standard reporting, you can optimize system performance by controlling when and where queries run, but self-serve BI is driven by events outside of your control.
  • Accountability - your best friend is an educated user, but you can't educate users if you can't track user behavior.
  • Service levels - in the final analysis, you'll be judged by your system's performance -- how well it delivers timely information -- regardless of how much control you have over how it is used.

Fortunately, you can use the APOS Intelligent Data Access Controller (IDAC) to help you become more proactive in monitoring, managing and auditing your BI data connectivity. With IDAC, you can:
  • Manage and monitor queries without creating a negative impact on system performance
  • Manage queries centrally
  • Monitor queries in real time
  • Cancel queries automatically
  • Cancel queries remotely
  • Analyze information offline to optimize performance
  • Monitor data access proactively per regulatory requirements
  • Encrypt credentials in property files
  • Track specific fields for sensitive data audit


Monday, March 3, 2014

New: Xcelsius Activity Logging with APOS Insight

APOS Insight for SAP BusinessObjects XI 3.1 and BI 4.x now has Xcelsius Activity Logging capabilities.

We've been hearing for some time from platform managers and dashboard designers that they need better ways to understand how their dashboards are being used so that they can improve their dashboards, and thus improve service to their users. As a result, we've added Xcelsius Activity Logging capabilities to APOS Insight.

While native Xcelsius logging (i.e., basic information such as who opened a dashboard and how long they used it) may be adequate for normal day-to-day operations, organizations that want to be proactive in their development and evolution of dashboards need more information. APOS Insight lets you ask much more specific questions about how your dashboards are being used.

The APOS Insight Xcelsius Activity Logging feature uses an add-on to Xcelsius (or Dashboards 4) to configure real-time logging of Xcelsius user activity to the Insight database. To configure logging, you bind the APOS logging control to cells in the spreadsheet that represent property name and value pairs. When a value changes, it is logged to the database.

For example, if you want to know which tabs dashboard users are viewing or not viewing, you could bind the APOS Xcelsius Logging control to cells that control tab visibility. With this and similar information gathered for a group of users, developers, administrators and managers can judge how a dashboard is being used, and thus how effective its design is.

Friday, February 28, 2014

SAP's Ian Treleaven: BI4 Sizing Guide Updated

Not long ago, SAP's Ian Treleaven was a guest presenter for two APOS migration-themed webinars on the subject of BI4 sizing:

We had such a great response to these webinars that we thought we should pass along Ian's message to us that the BI4 Sizing Guide has very recently been updated.
The new guide has many additions to help you get the architecture and sizing of your new BI4 deployment right, including:
  • New content to help sizing and performance integration with HANA
  • Tips to help you make the CMS run better
  • Updated suggested limits for Web Intelligence
  • Suggestions for periodic re-sizing
  • Pre-sizing and post-sizing checklists to help you prepare for your sizing exercise

Make sure you also visit the companion Website, www.sap.com/bisizing, which also has some updates and new content to help you get your BI4.1 deployment running faster and leaner.

Monday, February 24, 2014

New: Administrative User Impersonation in SAP BusinessObjects

If you are a BI platform manager or BI administrator responsible for ensuring the proper implementation of your organization's security model, or if you're involved in BI user support, then you'll find administrative user impersonation to be an extremely useful new feature of APOS Administrator and APOS Security Manager.

User impersonation allows administrators to see what specific users see, so you can examine the implementation of your security model down to row-level security with more certainty than you can by creating temporary accounts. If you are providing BI user support, user impersonation lets you experience precisely what the user is seeing while you are talking to them remotely. You can log in to BI Launchpad as the user and view reports just as that user would see them.

User impersonation can work with the user providing credentials, or without user credentials if you activate the SAP BusinessObjects Trusted Authentication feature.

Tuesday, January 14, 2014

SAP BI 4 Virtualization Best Practices Webinar Alert

When: Jan. 15, 2014, 10 am / 4 pm EST
Another in our series of SAP BusinessObjects BI 4 migration-focused webinars


Guest presenter: Ashish C. Morzaria, Director, Solution Management, Large Enterprise BI Group, SAP

Virtualization is key to the BI strategy of many organizations. However, the performance penalty for virtualization can be heavy, particularly if you neglect best practices. Some estimates have this virtualization performance hit as high as 40%.

But does virtualization necessarily mean a performance hit? A recent SAP study with VMware, SuperMicro, and SAP’s own Co-Innovation Lab (COIL) suggests the impact can actually be very close to zero — if you implement virtualization properly.

SAP's Ashish C. Morzaria aims to save you from the seemingly inevitable "virtualization tax." Join us as Ashish discusses specific requirements developed by SAP for virtualizing BI 4 and minimizing the impact of virtualization on BI 4 performance.

Data Connectivity and Self-Serve BI

The business case for SAP BusinessObjects BI 4 is fairly simple: embrace SAP's vision of the future of business intelligence, including mobile BI and self-service BI, while lowering your total cost of ownership.

Self-service BI has its upside and its downside. The upside is that anyone in your organization who has access to SAP BusinessObjects can query enterprise data via universes, often with a Web Intelligence report, which allows them to make well-informed decisions based on the most current and trusted enterprise information. This benefit fully justifies the adoption of self-service BI.

The downside of self-service BI falls on the platform management and administration side of the story, and it is two-fold. Firstly, self-service BI may lead to a proliferation of content -- more users creating more new reports, report iterations or exploration views, many of which may be for very limited use. If you've already migrated from XI 3 to BI 4, think back to the process you went through to rationalize content prior to migration. Think of self-service BI as a multiplier factor on that process, and you start to see the need for a proactive approach to BI content management. (Look at APOS Storage Center for such an approach.)

Secondly, and more importantly for the day-to-day operations of your BI platform, self-service BI takes some control of the volume and quality of the BI system's data connectivity away from platform managers and administrators and places it squarely in the hands of information consumers. This exchange is necessary for self-service BI to be of any benefit, but administrators are averse to giving up their control over data connectivity, as it impacts their ability to manage effectively and minimize bottlenecks.

If yours is one of those organizations that plan to take greater advantage of self-service BI across the enterprise, then BI data connectivity will become a bigger issue. In an ideal world, your universes would all be so well designed that there would be no issues with query performance, and end users would know better than to test the limits. But we don't live in that world. So your alternative is to monitor BI data connectivity proactively and act decisively to protect the integrity and dependability of your BI platform.

The APOS Intelligent Data Access Controller (IDAC) can help you become proactive with your data connectivity issues. Use it to monitor, manage and audit BI data connectivity. With IDAC, you can:

  • Track queries in real time
  • Receive automatic alerts when established thresholds are exceeded
  • Intervene manually in queries
  • Cancel runaway queries automatically
  • Audit BI data connectivity