Agenda
Introduction
Glossary
LDAP Overview
Business Objects LDAP strategy
Scope details
Authentication/authorization
Installation/configuration
Modified workflows
Benefits and limitations
Roadmap
Copyright © 2003 Business Objects SA - All Rights Reserved
Glossary
Authentication
Validate user identity by checking username and password
Authorization
Provide access to products
Provide access to resources (web pages, documents, universes, RDBMS)
LDAP
Lightweight Directory Access Protocol
LSI file
Security cache with user attributes calculated at login (valid during one user session)
LDAP Overview 1/2
What is LDAP?
Directory of user information
Optimized for fast read (slower for write operations)
LDAP Overview 2/2
Business Objects LDAP Strategy
Scope Details in 6.1
LDAP Architecture
How does it work?
At login time, the Business Objects Security Connector (Security API):
• Authenticates the user against the LDAP directory
• Gets the user's BusObj groups from the LDAP directory
The LDAP directory contains:
• Users
• Mapping between users and BusObj groups
Calculated at login (LSI file):
• List of the user's groups
• Product Access & Functional Rights
• Universes, Universe Overloads
• Document List
The repository stores:
• Documents
• Universes
• Group level: Product Access, Functional Rights, Document Access, Universe Access, Universe Overloads
LDAP Mapping Option 1
Business Objects repository groups attached to LDAP roles
LDAP directory (users):
Ou = Board
  Ou = America
    User = "John"
      · Cn = "John"
      · roles = Group 11, Group 2
  Ou = Marketing
Repository (permissions):
Group 1
  Group 11
Group 2
  Group 21
John is attached to repository groups Group 11 and Group 2 through the roles attribute of his LDAP entry.
LDAP Mapping Option 2
Business Objects repository groups attached to LDAP groups
LDAP directory (users and groups):
Ou = Board
  Ou = America
    User = "John"
      · Cn = "John"
  Ou = Marketing
Group = "Group 2"
  · Members = "John", "Paul", …
Repository (permissions):
Group 1
Group 2
  Group 21
John is attached to repository group Group 2 because the LDAP group "Group 2" lists him as a member.
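The two mapping options above, worked through as an added example (not code from the original slides or from Business Objects): an in-memory stand-in for the LDAP directory holds constructed entries, a per-user "roles" attribute carries repository group names for option 1, and groupOfNames entries with a "member" attribute carry membership for option 2. The DNs, attribute names, group names and the repository group list are all assumptions for illustration. Whichever option is used, a name coming from the directory is only honoured if it exists as a repository group; anything else carries no security attributes and is reported rather than silently granted.

```python
"""Resolve Business Objects repository groups for an LDAP user under the
two mapping options: (1) a per-user "roles" attribute naming repository
groups, (2) LDAP group entries whose "member" attribute lists user DNs.
The directory below is a constructed in-memory stand-in; DNs, attribute
names and group names are assumptions, not the product's schema."""

from typing import Dict, List, Set

# Constructed directory: DN -> attributes (multi-valued, as in LDAP).
LDAP_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=John,ou=America,ou=Board,o=example": {
        "objectClass": ["person"],
        "cn": ["John"],
        "roles": ["Group 11", "Group 2"],          # option 1 data
    },
    "cn=Paul,ou=Marketing,o=example": {
        "objectClass": ["person"],
        "cn": ["Paul"],
        "roles": ["Group 2", "Group 99"],          # "Group 99" is not a repository group
    },
    "cn=Group 2,ou=Groups,o=example": {            # option 2 data
        "objectClass": ["groupOfNames"],
        "cn": ["Group 2"],
        "member": ["cn=John,ou=America,ou=Board,o=example",
                   "cn=Paul,ou=Marketing,o=example"],
    },
    "cn=Group 11,ou=Groups,o=example": {
        "objectClass": ["groupOfNames"],
        "cn": ["Group 11"],
        "member": ["cn=John,ou=America,ou=Board,o=example"],
    },
}

# Repository groups that carry security attributes (constructed list).
REPOSITORY_GROUPS: Set[str] = {"Group 1", "Group 11", "Group 2", "Group 21"}


def find_user_dn(cn: str) -> str:
    """Locate the user entry by cn; fail closed if it is absent or ambiguous."""
    matches = [dn for dn, attrs in LDAP_DIRECTORY.items()
               if "person" in attrs.get("objectClass", []) and cn in attrs.get("cn", [])]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user named {cn!r}, found {len(matches)}")
    return matches[0]


def groups_via_roles(cn: str) -> Set[str]:
    """Option 1: repository group names stored on the user's 'roles' attribute."""
    attrs = LDAP_DIRECTORY[find_user_dn(cn)]
    return set(attrs.get("roles", []))


def groups_via_membership(cn: str) -> Set[str]:
    """Option 2: repository groups are the LDAP groups whose 'member' lists the user's DN."""
    dn = find_user_dn(cn)
    return {attrs["cn"][0] for attrs in LDAP_DIRECTORY.values()
            if "groupOfNames" in attrs.get("objectClass", []) and dn in attrs.get("member", [])}


def _raw_groups(cn: str, option: int) -> Set[str]:
    return groups_via_roles(cn) if option == 1 else groups_via_membership(cn)


def effective_groups(cn: str, option: int) -> Set[str]:
    """Keep only names that exist as repository groups; the repository is
    the authority on which groups carry security attributes."""
    return _raw_groups(cn, option) & REPOSITORY_GROUPS


def unmapped_groups(cn: str, option: int) -> Set[str]:
    """Names the directory attached to the user that the repository does not know."""
    return _raw_groups(cn, option) - REPOSITORY_GROUPS


if __name__ == "__main__":
    for user in ("John", "Paul"):
        for option in (1, 2):
            print(user, "option", option, sorted(effective_groups(user, option)),
                  "unmapped:", sorted(unmapped_groups(user, option)))
```

Under option 1 the directory administrator decides the mapping per user, so a typo in a roles value shows up in unmapped_groups; under option 2 the mapping follows group membership and an LDAP group whose cn has no repository counterpart is caught the same way.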
Handling Exceptions
Diagram: LDAP users (User 1, User 2) mapped to the Business Objects repository (Group 1, Group 11, User 1, Profile 2), which holds the permissions on resources and applications.
Users to security profiles association
Specifics of the Business Objects security model
Some users will still need their rights mapped to security profiles
Supervisor, Designer
Need to be declared in both systems
Authenticated via LDAP
Authorized via the repository
Authentication
Authorization
If users only exist in LDAP, authorization is made in two phases
At login, the system retrieves the list of security profiles associated with the user by querying the LDAP corporate directory
Then the system computes the user's access rights by combining the access rights associated with the user's security profiles in the repository
If users are declared in both systems or only exist in the repository
Authorization is calculated as in Enterprise 6.0, from the user's security attributes and its parent groups' security attributes
SDEP LDAP Authorization Algorithm
Start authentication & authorization
1. Does the user exist in LDAP?
   NO: the user has not been migrated yet. Authenticate and authorize the user in the repository, as it was done in V5.
   YES: authenticate the user through LDAP, using its corporate definition, then:
2. Does the user exist in the repository?
   YES: the user is a specific user. Calculate the LSI file from the repository user rights, as it was done in V5.
   NO: the user is an SDEP user. Read the user's security profiles in LDAP and calculate the LSI file by combining the rights defined in the repository for each security profile.
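The two-phase authorization described on the previous slide and the decision flow above, walked through as an added example (not code from the original slides or from Business Objects): an in-memory stand-in for both the LDAP directory and the repository, with constructed users, passwords, profile names and rights. The rights model (product access plus functional rights, merged by union) is a simplification of what the slides list for the LSI file, not the product's real format. The example makes one consequence of the flow explicit: a user who exists in LDAP is always authenticated against LDAP, so a repository password for that user is never accepted, even when the user is also declared in the repository.

```python
"""Walk the login decision flow of the "SDEP LDAP Authorization Algorithm"
slide against an in-memory stand-in for the LDAP directory and the
repository. Every user, password, profile name and right below is
constructed for illustration; the rights model (product access plus
functional rights, merged by union) is a simplification of the slides,
not the product's real LSI format."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


def _pw_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def _verify(salt: str, stored_hash: str, password: str) -> bool:
    # Constant-time comparison so a wrong password is rejected without timing leaks.
    return hmac.compare_digest(stored_hash, _pw_hash(salt, password))


# Constructed LDAP directory: login -> credential material + security profiles.
LDAP_USERS: Dict[str, dict] = {
    "john": {"salt": "s1", "hash": _pw_hash("s1", "john-ldap"), "profiles": ["Group 11", "Group 2"]},
    "paul": {"salt": "s2", "hash": _pw_hash("s2", "paul-ldap"), "profiles": ["Group 2", "Group 99"]},
}

# Constructed repository: rights per group/profile, and users with their own rights.
REPO_GROUP_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "Group 2":     {"products": {"InfoView"},   "functional": {"refresh"}},
    "Group 11":    {"products": {"Designer"},   "functional": {"edit universe"}},
    "Supervisors": {"products": {"Supervisor"}, "functional": {"manage users"}},
}
REPO_USERS: Dict[str, dict] = {
    # John is declared in both systems (the Supervisor/Designer exception on the slides).
    "john": {"salt": "r1", "hash": _pw_hash("r1", "john-repo"), "groups": ["Supervisors"],
             "products": set(), "functional": {"print"}},
    # Anna has not been migrated to LDAP yet.
    "anna": {"salt": "r2", "hash": _pw_hash("r2", "anna-repo"), "groups": ["Group 2"],
             "products": set(), "functional": set()},
}


@dataclass(frozen=True)
class LSI:
    """Security cache computed at login (see the glossary)."""
    user: str
    kind: str                  # "sdep" (LDAP only), "specific" (both), "repository" (not migrated)
    products: FrozenSet[str]
    functional: FrozenSet[str]


def _combine(user: str, kind: str, profiles: List[str],
             extra_products=(), extra_functional=()) -> LSI:
    """Union the rights of every repository profile that actually exists;
    names the repository does not know carry no rights and are skipped."""
    products, functional = set(extra_products), set(extra_functional)
    for name in profiles:
        rights = REPO_GROUP_RIGHTS.get(name)
        if rights is None:
            continue
        products |= rights["products"]
        functional |= rights["functional"]
    return LSI(user, kind, frozenset(products), frozenset(functional))


def login(user: str, password: str) -> Optional[LSI]:
    """Return the LSI on success, None on any authentication failure."""
    ldap_entry = LDAP_USERS.get(user)
    if ldap_entry is not None:
        # User exists in LDAP: authentication always goes through LDAP,
        # even for users that are also declared in the repository.
        if not _verify(ldap_entry["salt"], ldap_entry["hash"], password):
            return None
        repo_entry = REPO_USERS.get(user)
        if repo_entry is not None:
            # Specific user: LSI from repository user rights and parent groups, as in V5.
            return _combine(user, "specific", repo_entry["groups"],
                            repo_entry["products"], repo_entry["functional"])
        # SDEP user: profiles read from LDAP, rights combined from the repository.
        return _combine(user, "sdep", ldap_entry["profiles"])
    # User not migrated yet: authenticate and authorize in the repository, as in V5.
    repo_entry = REPO_USERS.get(user)
    if repo_entry is None or not _verify(repo_entry["salt"], repo_entry["hash"], password):
        return None
    return _combine(user, "repository", repo_entry["groups"],
                    repo_entry["products"], repo_entry["functional"])


if __name__ == "__main__":
    for creds in (("paul", "paul-ldap"), ("john", "john-ldap"), ("john", "john-repo"), ("anna", "anna-repo")):
        print(creds[0], "->", login(*creds))
```

Note that the specific user "john" gets his rights from the repository groups, not from the profiles listed on his LDAP entry; that is the "authenticated via LDAP, authorized via the repository" behaviour the exceptions slide describes, and it is why the two systems have to agree on who those users are.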
Installation
Configuration 1/4
Configure authentication mode
Standard
Delegated
No authentication
Configuration 2/4
Authentication and authorization source
Repository
LDAP then repository
LDAP
Server host
Configuration 3/4
LDAP configuration
LDAP naming
LDAP connection
Configuration 4/4
Mapping definition
LDAP user to Business Objects group
LDAP user to Business Objects user
Modified Workflows 1/3
Authentication/login
Modified Workflows 2/3
Authorization
Modified Workflows 3/3
Send to user/group
Send To Interface
Benefits and Limitations 1/2
Auditor
Will lose some granularity for audits based on the user/group hierarchy
BCA Publisher
Requires users to be stored in the repository
Uses the user and group hierarchy
Benefits and Limitations 2/2
User granular-level security
LDAP users will inherit security from repository groups
Security is set on groups
The following overloads can only be done at the group level
Connection
Object level restrictions
Row level restrictions
Roadmap
Support of variables
Expose an LDAP attribute as a Business Objects variable
Migration
Migrate users from the repository to the LDAP system
Synchronize users between the LDAP system and the repository
Define Business Objects groups in LDAP
Externalize Business Objects users
Support of SSO combined with LDAP
SSO can store users in the LDAP system
Q&A
Contact information
Isabelle Nuage
Sr Product Marketing Manager
Isabelle.Nuage@businessobjects.com
Stephane Perdigeon
Senior Program Manager, Deployment
Stephane.Perdigeon@businessobjects.com