Supervisor

Supervisors Guide
Supervisor 6.1 Windows
Supervisors Guide
Copyright
No part of the computer software or this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from Business Objects S.A. The information in this document is subject to change without notice. If you find any problems with this documentation, please report them to Business Objects S.A. in writing at documentation@businessobjects.com. Business Objects S.A. does not warrant that this document is error free. Copyright Business Objects S.A. 2003. All rights reserved. Printed in France.
Trademarks
The Business Objects logo, WebIntelligence, BusinessQuery, the Business Objects tagline, BusinessObjects, BusinessObjects Broadcast Agent, Rapid Mart, Set Analyzer, Personal Trainer, and Rapid Deployment Template are trademarks or registered trademarks of Business Objects S.A. in the United States and/or other countries. Contains IBM Runtime Environment for AIX(R), Java(TM) 2 Technology Edition Runtime Modules (c) Copyright IBM Corporation 1999, 2000. All Rights Reserved. This product includes code licensed from RSA Security, Inc. Some portions licensed from IBM are available at http://oss.software.ibm.com/icu4j. All other company, product, or brand names mentioned herein, may be the trademarks of their respective owners.
Use restrictions
This software and documentation is commercial computer software under Federal Acquisition regulations, and is provided only under the Restricted Rights of the Federal Acquisition Regulations applicable to commercial computer software provided at private expense. The use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at 252.2277013. U.S. Patent Numbers 5,555,403, 6,247,008, and 6,578,027. 311-10-610-01
Patents Part Number
Supervisors Guide
Contents
Preface Maximizing Your Information Resources 7 Information resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Useful addresses at a glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Chapter 1 Introduction 15
Where to start with Supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 User profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 The repository domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Chapter 2 Installing the Repository 27
Choosing a setup configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Running a default installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Running a custom installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Running a recovery installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Chapter 3 Basic Procedures 47
Starting Supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Creating user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Creating users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Testing your setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Creating a second general supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Creating a group reference profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Chapter 4 Customizing Your Environment 67
Setting your default options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Other options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Contents
Supervisors Guide
Chapter 5
Managing Users and Groups
89
Managing user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Managing users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Finding users or user groups in the repository . . . . . . . . . . . . . . . . . . . . . 124 Printing information on users, groups and resources . . . . . . . . . . . . . . . . 126 Chapter 6 Managing Resources 137
Managing the repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Changing or removing the schedule of tasks . . . . . . . . . . . . . . . . . . . . . . 148 Purging inbox documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Managing connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Importing/exporting universes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Managing resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Chapter 7 Assigning Resources to Users 171
Assigning and restricting resources to multiple user instances . . . . . . . . . 173 Assigning BusinessObjects products to users . . . . . . . . . . . . . . . . . . . . . 179 Assigning universes to users or groups . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Assigning stored procedures to users or groups . . . . . . . . . . . . . . . . . . . . 207 Assigning documents and templates to users . . . . . . . . . . . . . . . . . . . . . . 209 Assigning repository domains to users . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Chapter 8 Importing and Exporting Users and Groups 213
Generating the import file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Using batch mode and interactive mode . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Using import file commands and global commands . . . . . . . . . . . . . . . . . 219 Importing users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 Generating the log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Using undo files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Exporting your configuration to file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Chapter 9 Managing Categories 237
Managing categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Contents
Supervisors Guide
Appendix A
BusinessObjects 6.1 Security Command Reference
247
About security commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 BusinessObjects security commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Designer security commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Supervisor security commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 WebIntelligence security commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 BusinessQuery security commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 Index 355
Contents
Supervisors Guide
Contents
Maximizing Your Information Resources
preface
Supervisors Guide
Overview
Information, services, and solutions
The Business Objects business intelligence solution is supported by thousands of pages of documentation, available from the products, on the Internet, on CD, and by extensive online help systems and multimedia. Packed with in-depth technical information, business examples, and advice on troubleshooting and best practices, this comprehensive documentation set provides concrete solutions to your business problems. Business Objects also offers a complete range of support and services to help maximize the return on your business intelligence investment. See in the following sections how Business Objects can help you plan for and successfully meet your specific technical support, education, and consulting requirements.
Supervisors Guide
Information resources
Whatever your Business Objects profile, we can help you quickly access the documentation and other information you need.
Where do I start?
Below are a few suggested starting points; there is a summary of useful web addresses on page 12. Documentation Roadmap The Documentation Roadmap references all Business Objects guides and multimedia, and lets you see at a glance what information is available, from where, and in what format. View or download the Business Objects Documentation Roadmap at www.businessobjects.com/services/documentation.htm Documentation from the products You can access electronic documentation at any time from the product you are using. Online help, multimedia, and guides in Adobe PDF format are available from the product Help menus. Documentation on the web The full electronic documentation set is available to customers with a valid maintenance agreement on the Online Customer Support (OCS) website at www.businessobjects.com/services/support.htm Buy printed documentation You can order printed documentation through your local sales office, or from the online Business Objects Documentation Supply Store at www.businessobjects.com/services/documentation.htm Search the Documentation CD Search across the entire documentation set on the Business Objects Documentation CD shipped with our products. This CD brings together the full set of documentation, plus tips, tricks, multimedia tutorials, and demo materials. Order the Documentation CD online, from the Business Objects Documentation Supply Store, or from your local sales office.
Information resources
10
Supervisors Guide
Multimedia Are you new to Business Objects? Are you upgrading from a previous release or expanding, for example, from our desktop to our web solution? Try one of our multimedia quick tours or Getting Started tutorials. All are available via the Online Customer Support (OCS) website or on the Documentation CD.
How can I get the most recent documentation?

You can get our most up-to-date documentation via the web. Regularly check the sites listed below for the latest documentation, samples, and tips. Tips & Tricks Open to everyone, this is a regularly updated source of creative solutions to any number of business questions. You can even contribute by sending us your own tips. www.businessobjects.com/forms/tipsandtricks_login.asp Product documentation We regularly update and expand our documentation and multimedia offerings. With a valid maintenance agreement, you can get the latest documentation in seven languages on the Online Customer Support (OCS) website. Developer Suite Online Developer Suite Online provides documentation, samples, and tips to those customers with a valid maintenance agreement and a Developer Suite license via the Online Customer Support (OCS) website.
Send us your feedback

Do you have a suggestion on how we can improve our documentation? Is there something you particularly like or have found useful? Drop us a line, and we will do our best to ensure that your suggestion is included in the next release of our documentation: documentation@businessobjects.com
NOTE
If your issue concerns a Business Objects product and not the documentation, please contact our Customer Support experts. For information about Customer Support visit: www.businessobjects.com/services/support.htm
Supervisors Guide
11
Services
A global network of Business Objects technology experts provides customer support, education, and consulting to ensure maximum business intelligence benefit to your business.
How we can support you?

Business Objects offers customer support plans to best suit the size and requirements of your deployment. We operate three global customer support centers: Americas: San Jose, California and Atlanta, Georgia Europe: Maidenhead, United Kingdom Asia: Tokyo, Japan and Sydney, Australia Online Customer Support Our Customer Support website is open to all direct customers with a current maintenance agreement, and provides the most up-to-date Business Objects product and technical information. You can log, update, and track cases from this site using the Business Objects Knowledge Base.
Having an issue with the product?

Have you exhausted the troubleshooting resources at your disposal and still not found a solution to a specific issue? For support in deploying Business Objects products, contact Worldwide Customer Support at: www.businessobjects.com/services/support.htm
Looking for the best deployment solution for your company?

Business Objects consultants can accompany you from the initial analysis stage to the delivery of your deployment project. Expertise is available in relational and multidimensional databases, in connectivities, database design tools, customized embedding technology, and more. For more information, contact your local sales office, or contact us at: www. businessobjects.com/services/consulting.htm
Looking for training options?

From traditional classroom learning to targeted e-learning seminars, we can offer a training package to suit your learning needs and preferred learning style. Find more information on the Business Objects Education website: www.businessobjects.com/services/education.htm
Services
12
Supervisors Guide
Useful addresses at a glance

Address
Business Objects Documentation www.businessobjects.com/services/ documentation.htm
Content
Overview of Business Objects documentation. Links to Online Customer Support, Documentation Supply Store, Documentation Roadmap, Tips & Tricks, Documentation mailbox.
Business Objects Documentation mailbox documentation@businessobjects.com Product documentation www.businessobjects.com/services/ support.htm
Feedback or questions about documentation.
The latest Business Objects product documentation, to download or view online.
Business Objects product information Information about the full range of Business Objects products. www.businessobjects.com Developer Suite Online www.techsupport.businessobjects.com Knowledge Base (KB) www.techsupport.businessobjects.com Available to customers with a valid maintenance agreement and a Developer Suite license via the Online Customer Support (OCS) website. Provides all the documentation, latest samples, kits and tips. Technical articles, documents, case resolutions. Also, use the Knowledge Exchange to learn what challenges other users both customers and employees face and what strategies they find to address complex issues. From the Knowledge Base, click the Knowledge Exchange link. Practical business-focused examples.
Tips & Tricks www.businessobjects.com/forms/ tipsandtricks_login.asp
Supervisors Guide
13
Address Online Customer Support www.techsupport.businessobjects.com
Content
Starting point for answering questions, resolving issues. Information about registering with Worldwide Customer Support. The range of Business Objects training options and modules.
www.businessobjects.com/services Business Objects Education Services www.businessobjects.com/services/ education.htm
Business Objects Consulting Services Information on how Business Objects can help maximize your business intelligence investment. www.businessobjects.com/services/ consulting.htm
Useful addresses at a glance
14
Supervisors Guide
About this guide

This guide describes how to use Supervisor, the administration tool for BusinessObjects users and secured resources. You will learn how to use Supervisor to create the Business Objects repository, define user and group accounts, set options for administrators and users, control access to shared resources such as documents and universes, and use security commands to control rights to product functionality.
Audience
This guide is intended both for administrators (general supervisors) creating the repository and managing options for all and users, and for administrators in charge of managing user rights on a day-to-day basis (supervisors).
Conventions used in this guide

The conventions used in this guide are described in the table below. Convention This font
Some code more code
Indicates Code, SQL syntax, computer programs. For example: @Select(Country\Country Id) Placed at the end of a line of code, the symbol ( ) indicates that the next line should be entered continuously with no carriage return.
Introduction
chapter
16
Supervisors Guide
Overview
What is Supervisor? Supervisor is the product you need in order to set up and maintain a secure environment for Business Objects products. It provides you with a powerful and easy-to-use structure for distributing information to be shared by all users. This information is centralized through relational data accounts called repositories. It is with Supervisor that you create the Business Objects repository. You then define users and user groups, and assign profiles to users. User profiles include user identification (user name and password), the products and modules they can work with, the universes they can access, and the documents that they can share. You can control user access to Business Objects products, and manage the exchange and distribution of the universes and documents of all users. Supervisor can run only in client/server mode. Its use requires a connection to a relational database. Any operation you perform with Supervisor is stored in the repository you are working with.
NOTE
More than one administrator working on the same repository resources at the same time from different desks can interfere with one anothers work without this being immediately noticeable to them. We recommend that the same resources should not be granted to multiple supervisors without careful coordination of their work.
Introduction
Supervisors Guide
17
Where to start with Supervisor

The first time you launch Supervisor, you launch the Administration Setup wizard. This user-friendly tool helps you create the repository needed to define users and groups and to share resources. When you create the repository, a general supervisor is automatically created as the first user. As general supervisor you then create a series of supervisors who are to define the various user profiles, in addition to a second, backup general supervisor for security purposes. Users are then granted access to repository domains via a special key file that contains the address of the repository they are to work with.
Where to start with Supervisor
18
Supervisors Guide
User profiles
Supervisor offers several standard profiles for the various types of users of Business Objects products. The user profile determines by default what products a user can use: General Supervisor (all products) Supervisor (all products) Designer (all products but Supervisor) Supervisor-Designer (all products) User (all products but Designer and Supervisor) Versatile (configurable) You can customize these profiles to reflect the needs of the users. In this way, the role of each user in a user group will be clearly adapted to the actual position the person holds in your company.
General supervisor
The general supervisor is the senior system administrator. Using Supervisor, the general supervisor can: create repositories create any type of user, including other general supervisors create user groups administer user accounts and privileges for repository users import and export universes to and from the repository use any feature of all Business Objects products define a Broadcast Agent for a group launch a Broadcast Agent from the Broadcast Agent Administrator
Supervisor
The supervisor is responsible for user administration. The supervisor can: create users with any profile except general supervisor create user groups administer user accounts and privileges for repository users import and export universes to and from the repository By default, the supervisor can use any feature of all Business Objects products except Designer, but may be restricted in order to limit the ways in which he or she can manage users or resources.
Introduction
Supervisors Guide
19
Designer
The universe designer uses Designer to create and maintain universes for a particular group of users. A universe designer can distribute a universe as a file through the file system, or by exporting it to a repository.
Supervisor-Designer
A supervisor-designer creates user profiles, user groups, and universes. This user has all the rights of the supervisor and the universe designer combined. A supervisor-designer can use Supervisor and Designer, as well as the Business Objects end-user products (InfoView, BusinessObjects and WebIntelligence).
User
Users use the Business Objects end-user products to view, query, report and analyze data. They may also use the optional REPORTER and Explorer modules for multidimensional analysis. End users can produce documents containing data from one or more data sources.
Versatile
A versatile user is a customized user who may be given access by a supervisor to any combination of Business Objects products. We recommend that you not create a versatile user with rights only to BusinessQuery. BusinessQuery users should also have rights to BusinessObjects.
User profiles
20
Supervisors Guide
Resources
The resources that can be managed and controlled by Supervisor fall into the following categories: Business Objects products Universes Documents Repository domains Stored procedures
Products
The supervisor can grant or deny access to these Business Objects products: BusinessObjects, Supervisor, Designer, BusinessQuery and WebIntelligence. WebIntelligence access is granted to users of InfoView, which provides the core functionality of WebIntelligence, whether or not they also use the optional WebIntelligence modules, Reporter and Explorer.
Universes
A universe is the semantic layer that isolates the end user from the technical issues of the database structure. It lets you work with data in terms you can easily understand. With Supervisor, you can manage universes created by the designer(s), and you can authorize users and user groups to access one or more universes. As the supervisor, you can also define certain security levels within the universes based on the user type. For example, you can set restrictions on a class or object, and define other parameters pertaining to the components in universes. You can also redefine certain critical parameters such as the address of the connection to the RDBMS.
Documents
Supervisor lets you manage the assignment of documents or shared templates. You can also authorize specific users to update both the data and formats of these documents. Supervisor lets you manage categories, which are properties that end-users can assign documents they send to users, groups or the Broadcast Agent. You can also authorize specific users to manage categories. While general supervisors can manage categories without restriction, supervisors and authorized users can manage only the categories they create.
Introduction
Supervisors Guide
21
Repositories
With Supervisor, you set up the structure for distributing information which is to be shared by all users. This information is centralized through relational data accounts called repositories. When you launch Supervisor the first time, you use the Administration Setup Wizard to create a repository with a general supervisor. You can then use the Wizard to create other repositories as well. For each repository, you can create a series of supervisors who are authorized to create users and to define their access to the repositorys domains and resources. Users who belong to more than one repository choose which one they want to work with at login. We recommend that you work with a single repository as a matter of general practice. Multiple repositories should only be used by supervisors managing several sites or by very advanced users. For more information on the structure of the repository, refer to The repository domains on page 23.
Stored procedures
A stored procedure is a combination of SQL statements that are translated, optimized, and stored in executable form on certain SQL servers. End users can execute stored procedures on the universes assigned to them by the supervisor. The resource called stored procedure in Supervisor is the secured connection to the database account that stores the procedure. After creating that connection, you assign it as a stored procedure to a user or group. It is then visible in Supervisor as a stored procedure.
Resources
22
Supervisors Guide
User hierarchy and resource access

The role and the relationship of the supervisor with respect to other BusinessObjects and InfoView users and resources are depicted in the diagram below.
General Supervisor
defines Supervisor identifies and manages
creates and manages
Universe Designer creates
query
End Users create
repository
universes
BusinessObjects or WebIntelligence documents
The general supervisor defines the supervisor and creates the necessary structure (the data accounts on which the repository resides) for the purposes of resource-sharing. The general supervisor also ensures the security of access to the different products. The supervisor also creates user groups and defines user profiles such as the universe designer and end users. The universe designer creates universes from which end users can query data and create documents.
Introduction
Supervisors Guide
23
The repository domains

A Business Objects repository is a set of data structures stored on a database. A repository makes it possible to share the resources necessary for a distributed architecture. To ensure security and manage user resources, a repository comprises three types of domains: a security domain, which contains the definition of the other domains as well as the definition of users universe domains, which are meta-models of related databases, containing a description of the data to be accessed document domains, which contain the structures for storing shared documents and for executing tasks according to a timestamped definition. These three types of domains make it possible for all users to share resources.
Security
Reference
Universes
Documents
Although a general supervisor can create additional domains, two domains of the same type cannot be located in the same data account. You create repositories with the Administration Setup wizard, as explained in Installing the Repository on page 27.
24
Supervisors Guide
The security domain

The security domain is a set of data structures created with the Administration Setup wizard whenever a repository is created (see Installing the Repository on page 27). Each domain of a repository is identified in its security domain. When a domain is created, its reference is automatically stored in the security domain. The security domain also contains information on the identification of the users, and on the management of the different products. The address of the security domain must be recognized by all workstations using Business Objects products in client/server mode, so that all users can communicate with the other domains of the repository in a transparent manner. This address is contained in the key file, which is created at the same time as the security domain, and which must be distributed to all authorized users.
Security Domain
Key file (*.key)
references
Universes
Documents
Each time you create a domain, Supervisor automatically updates the repository.
The universe domain

The universe domain is a set of data structures containing universes created with Designer. In order for a universe to be shared, it must be exported to the universe domain by the designer or supervisor. When you create a repository using the Administration Setup wizard and the Default installation option, a universe domain is created automatically at the same time as the security and document domains. The wizard can be started by the Repository command on the Tools menu or the Admin button of the Supervisor login window.
Introduction
Supervisors Guide
25
The document domain

The document domain is a set of data structures containing documents. Documents stored in the document domain can include those created by end users with Business Objects products, or any other file format. In order to share documents or cause them to be refreshed during scheduled processing, end users must send them to the document domain. To submit documents for scheduled processing, end users send them to the Broadcast Agent. Documents submitted for scheduled processing can be monitored by the administrator from the Broadcast Agent console. For more information, refer to the Broadcast Agent Administrators Guide. When you create a repository using the Administration Setup wizard and the Default installation option, a document domain is created automatically at the same time as the security and universe domains. The wizard is launched the first time you launch Supervisor and can also be started by the Repository command on the Tools menu or the Admin button of the Supervisor login window.
26
Supervisors Guide
Introduction
Installing the Repository
chapter
28
Supervisors Guide
Overview
Supervisor runs in client/server mode. Before you can successfully start a Supervisor session, the following must be installed on the client and server workstations: On the server: an RDBMS, on which the repository resides an SQL communication driver a data communication protocol On the client workstation: a data communication protocol an SQL communication driver Supervisor The client and the server can be located on the same computer.
BusinessObjects
SQL Driver
Network SQL Driver
RDBMS
Client Workstation
Server
For information on the database configuration and network protocols, refer to the section in the Data Access Guide that corresponds to your RDBMS.
Supervisors Guide
29
Choosing a setup configuration

The Administration Setup wizard is automatically started when you launch Supervisor for the first time. The wizard allows you to set up a repository necessary for resource-sharing quickly and efficiently. During subsequent logins, you can start the wizard by clicking Admin in the Supervisor login window if you want to create another repository. To launch Supervisor: 1. Select Start, Programs, BusinessObjects, Supervisor. You can also launch Supervisor by entering Supervsr.exe in the Run command line. The User Identification dialog box appears.
30
Supervisors Guide
2. Click Admin. You can also start the Administration Setup wizard by entering the user name GENERAL and the password SUPERVISOR, and clicking OK. The Welcome dialog box appears.
The Welcome dialog box displays an overview of the main steps that you will perform with the wizard.
Supervisors Guide
31
3. Click Begin to start the wizard. The Choose Setup Configuration dialog box appears.
The Choose Setup Configuration dialog box prompts you to select one of the following installation options: Run a default installation (recommended): Automatically creates the three repository domainssecurity, universe and documenton the same data account. This is the option most frequently used. Run a custom installation: Allows you to distribute all repository domains in the database environments of your choice. This type of installation requires extensive knowledge of your database environment, and should only be selected if you want to manage several versions of your resources simultaneously. For more information, see Running a custom installation on page 40. Run a safe recovery: Allows you to perform a recovery installation. This is necessary in the following situations: - The location of the security domain has been modified. - One of the parameters in the connection string of the security domain, such as the user name or password, has been changed. - The key file of the repository you want to work with has been inadvertently moved, renamed or damaged. For more information on safe recovery, see Running a recovery installation on page 45.
32
Supervisors Guide
Running a default installation

The default installation comprises four successive steps in which you: define the general supervisor define a connection to the repository build the repository structures distribute repository access to users
Defining the general supervisor

In this step, you identify the general supervisor. 1. Select the option Run a default installation, and click Next. The Define the General Supervisor dialog box appears.
2. Enter your name, password, the confirmation of your password, and the name of your company. In this example the XYZCompany is given as the company name. The company name you enter becomes the first user group created and appears as the root group in the Supervisor interface. The user name and password you enter are the ones you will use each time you wish to log into Supervisor as the general supervisor. 3. Click Next. The Define the Repository Connection dialog box appears.
Supervisors Guide
33
Defining the connection to the repository

In this step, you create a connection to the database in which the wizard is to create the repository.
At any time after installation, you can run the wizard from the Supervisor main window in order to redefine the repository connection of document and universe domains. For information on how to do this, refer to Managing the repository on page 140. 1. From the Select the network layer drop-down list box, select a database driver. 2. Click Setup to display the Setup dialog box. 3. In the dialog box, enter the user name, password, and pathname of the database to be opened, and the repository in which it is to be created. The dialog box parameters will vary, depending on the database driver you selected. For more information, refer to the section in the Data Access Guide that applies to your RDBMS.
NOTE
Characters entered in the password field are displayed as asterisks. To avoid making typing errors in the Password field, you can first type the password in the User Name field; select it; press Ctrl-X to cut it; then paste it into the password field using Ctrl-V.
34
Supervisors Guide
4. Click Test to check the validity of the connection. If the connection is not valid, the wizard displays an error message, and does not allow you to proceed to the next step. 5. Click OK to return to the Define the Repository Connection dialog box. 6. Click Next. The Build the Repository dialog box appears.
Supervisors Guide
35
Building the repository

The Build the Repository dialog box informs you that the wizard is ready to create the repository.
1. Click Next to start building the repository. Once the creation process has begun, you cannot interrupt it. When the script has finished processing, the following dialog box appears.
If an error occurs during the creation of the repository, a dialog box appears informing you of the cause of the error.
36
Supervisors Guide
2. Save the SQL script which created the repository by clicking Save As, and specifying the location where the SQL script is to be stored. The SQL script contains useful structural information on the repository. We recommend you save the script in a safe location. 3. Click Next. The Repository Access dialog box appears.
Supervisors Guide
37
Defining repository access

The Repository Access dialog box is where you specify where to create the key file and what to name it. The key file contains the address of the repositorys security domain. All users of Business Objects products who will be using this repository must therefore have access to the key file. The wizard suggests an option based on the deployment method and installation folder selected during installation. The option you select determines how users will access the repository. 1. Select an option. - Create the file in a default shared folder on the network. The folder displayed is the shared folder defined during installation. In deployments using a shared key file, all Desktop and Administration Products should specify the same shared folder at installation. See the Installation and Configuration for Windows guide for a list of Desktop and Administration Products. Choose this option to allow users of Desktop and Administration Products to connect to the repository through a single access point on the network. - Create the file locally on your machine. Choose this option to allow users of Desktop and Administration Products to connect to the repository directly from their own machines. If you choose this option you must distribute this key file to users of Desktop and Administration Products. 2. If you want to name your key file something other than the default name, bomain.key, enter the name. Click Next. Once the file is copied, a message confirming the creation of the key file and the general supervisor appears.
NOTE
WebIntelligence works only with key files named "bomain.key" in lower-case letters. Choose this name if your deployment includes WebIntelligence.
38
Supervisors Guide
3. Click Finish to quit the wizard. A dialog box appears advising you to create a second general supervisor. This is important since if at any time you forget the general supervisors password, or you enter the password incorrectly three times in a row, you will no longer be able to access Supervisor as a general supervisor. You are therefore strongly advised to create a second backup general supervisor. For more information, refer to Creating a second general supervisor on page 62. 4. Click OK to clear the Supervisor message. The main window of Supervisor appears (see The Supervisor main window on page 50).
Distributing the key file

Distribute the key file according to the option you chose in the Repository Access step of the Administration Setup Wizard. For users of desktop and administration products Users of Desktop Products and Administration Products (BusinessObjects, Supervisor, Designer, BusinessQuery) can access the repository either through a single, shared point of access on the network, or directly from their own machines. To do so they must have the necessary middleware and network permissions. Shared folder (ShData) If, to create the key file, you chose the "shared folder" option in the Repository Access step of the Administration Setup Wizard, you must make sure all users of Desktop and Administration Products have access to that folder in the network. Local folder If, to create the key file, you chose the "LocData subfolder" option in the Repository Access step of the Administration Setup Wizard, you must send a copy of the key file to each user, or make it available on the network for them to copy, with instructions to store it in the following local folder: \\<installation folder>\BusinessObjects 5.1\LocData\ \\<Windows profile folder>\Application Data\Business Objects\Business Objects 6.1\MyLocData\ where <Windows profile folder> is, for example, C:\Documents and Settings\<user name>.
Supervisors Guide
39
Server products Users of Server Products, i.e. InfoView, WebIntelligence, Broadcast Agent, and 3-tier BusinessObjects, access the repository through the Business Objects server. You must log in as an administrator to the Business Objects server machine and store a copy of the key file in the locData folder whose location was defined at installation and configuration. By default its location is:
\\<installation folder>\BusinessObjects Enterprise 6\locData\
where <installation folder> is the location chosen at installation to store the Business Objects program files. If you modify the location of the security domain, you must re-create the key file and distribute it as described above. For more information, refer to Running a recovery installation on page 45.
40
Supervisors Guide
Running a custom installation

A custom installation allows you to distribute all repository domains in the database environments of your choice. This type of installation requires extensive knowledge of your database environment, and should only be selected in special situations (for example, if you want to manage several versions of your resources simultaneously). Running a custom installation is the only way you can manage different universes with the same name within the same repository. To perform a custom installation, proceed as follows: 1. Follow the procedures described in Choosing a setup configuration on page 29. 2. Select the Run a custom installation option from the Choose Setup Configuration dialog box. Before you can create other repository domains, you must first create the security domain. To create a domain, you need the following rights on your target database: - read/write access - the right to create tables, insert rows, create the index, create comments on system tables, and delete tables 3. Create the security domain. These steps are the same as those for the default installation (see Running a default installation on page 32). Once you have created the security domain and the key file is distributed to your users, you can create any other domain with the next three steps: - defining a connection to the domain - building the domain - viewing the domains created
Supervisors Guide
41
You can create the other domains as described below. Regardless of the domain type (such as universe or document), the procedure is always the same. Once the general supervisor, the key file, and the security domain are created, the Repository Access dialog box prompts you to create another domain, or to quit the wizard.
4. To create another repository domain, click Next. The Define the Repository Domain dialog box appears.
42
Supervisors Guide
Defining the connection to a new repository domain

You create the new repository domain in the database to which you are connected. To do so, you must first select the Select the network layer from the drop-down list box.
1. Click Setup. 2. In the Setup dialog box, enter the user name, password, and pathname of the database to be opened and in which the domain is to be created. Depending on the driver you selected, the parameters of this dialog box vary. For more information on this dialog box, refer to the section in the Data Access Guide that applies to your RDBMS. 3. Enter the name of the domain, and select a domain type from the drop-down list box. 4. Click Next. The Build the Repository dialog box appears.
Supervisors Guide
43
Building the repository domain

This dialog box informs you that the wizard is ready to create the new domain.
1. Click Next to begin the process. During the process, the SQL script which is used to create the repository domain is scrolled rapidly in a pane within the dialog box. If no errors occurred during the execution of the script, a message confirms the successful execution. If an error occurs during the creation of the repository, a message appears informing you of the cause of the error. 2. Click Next to display the result of the execution.
44
Supervisors Guide
Viewing the domains created

The list of repository domains created appears in the final dialog box. This list contains the name of the domain, its status, and its type. The status field indicates whether the domain was created successfully (OK) or not (Error).
3. If you want to create a new domain, click Next. For more information, refer to Defining the connection to a new repository domain on page 42. 4. Click Finish to quit the wizard. The main window of Supervisor appears (see The Supervisor main window on page 50).
Supervisors Guide
45
Running a recovery installation

You may need to perform a recovery installation in the following situations: The location of the security domain has been changed. One of the parameters in the connection string, such as the user name or password, has been changed. The key file has inadvertently been moved, renamed or damaged. In any of these situations, you can perform a recovery installation as follows: 1. Follow the procedures described in Choosing a setup configuration on page 29. 2. Select Run a Safe recovery from the Choose Setup Configuration dialog box, and then click Next. 3. Identify your work environment by selecting options for the database type and the network layer. 4. Click Setup, and in the dialog box, enter the name, password, and pathname of the database to be opened, and the security domain in which the repository was created. 5. Select the physical location in which the key file is to be created in one of the following: - the shared folder defined at installation and configuration - the local data folder You can also enter the name of the key file if you do not want to use the default name, bomain.key.
NOTE
WebIntelligence works only with key files named "bomain.key" in lower-case letters. Choose this name if your deployment includes WebIntelligence. Once the file is copied, a message appears confirming that the key file was created. To ensure that Business Objects users have access to the key file, see Distributing the key file on page 38. 6. Click Finish to quit the wizard. The User Identification dialog box appears. 7. Log into Supervisor by entering the same identification (user name and password) you entered previously with the wizard. The main window of Supervisor appears.
Running a recovery installation
46
Supervisors Guide
Basic Procedures
chapter
48
Supervisors Guide
Overview
This chapter shows you how to perform some basic tasks the first time you use Supervisor, and should help you to quickly acquire the main principles of user administration. Once you master the basics of using Supervisor, you will be ready for the more detailed information provided in the later chapters. You should follow each of the procedures in order, so that you can check the results you obtain with the tests provided at the end of the chapter. The procedures are repeated and subsequently enhanced by further, increasingly complex actions.
NOTE
If you enter the same values as those used in the examples in this chapter, you should be aware that Supervisor inserts these values into the security domain tables of the repository you are logged in to. You may want to start by creating a test repository in which to do these practice exercises. To do so, see Installing the Repository on page 27.
Basic Procedures
Supervisors Guide
49
Starting Supervisor
When you installed the repository, you defined the user name and password of the first general supervisor (see Choosing a setup configuration on page 29). You will now use these to launch your first Supervisor session. 1. To launch Supervisor select Start, Programs, BusinessObjects, Supervisor or enter Supervsr.exe in the Run command line. The User Identification dialog box appears.
2. In the User Name text box, enter the name you chose when you ran the installation (see Defining the general supervisor on page 32). By default, the last user name entered is already displayed in the User Name text box. 3. In the Password text box, enter the password you chose during installation. Depending on your database, user names and passwords may be casesensitive. 4. If there is more than one repository, choose which one you want to work with by choosing its Security Domain (this is the name of the repositorys key file). 5. Click OK. After a few seconds, the Supervisor main window appears.
NOTE
It is not possible to have two Supervisor sessions running at the same time on the same machine.
Starting Supervisor
50
Supervisors Guide
The Supervisor main window

The Supervisor main window comprises the following: the title bar, which displays the name of the application followed by your user name and, if you have more than one repository, the name of the repositorys key file the menu bar the toolbar the User pane, which lists the hierarchy of users and user groups created in the security domain of the repository the Resource pane, with five tabs for viewing and assigning resources
title bar menu toolbar
the User pane lists all users and user groups
the Resource pane lists tabs for assigning resources
Basic Procedures
Supervisors Guide
51
Creating user groups

The User pane is the area in which you manage all users and user groups. The root group in the User pane represents the organization (such as a corporation, company or bank for which you will set up user administration. This is the name you entered as the "company name" when you built the repository using the wizard (see Installing the Repository on page 27). Any operation resulting in the creation of a group or user is automatically recorded in the security domain of the repository. When you installed the repository, you created the root group. Well assume you called it XYZCompany as suggested in the previous chapter for performing these exercises. All groups you subsequently create will belong to this root group. Group names are unique within the repository. No two groups may have the same name.
Creating the first group

The first time you start Supervisor, the root group (XYZ company) is selected. To create the first group: 1. Do one of the following: - select User, New, Group - click New Group. The group symbol, a folder, appears immediately in the User pane under the New Group root group level. 2. In the name label, enter the name Finance, and press the Enter key on your keyboard. The Finance group is now displayed in the User pane.
Creating the second group

To create a second group in the root group: 1. Click the XYZ Company root group. 2. Click New Group. The group symbol appears. New Group 3. In the name label of the group, enter the name Human Resources, and press the Enter key on your keyboard. The Human Resources group is now displayed in the User pane.
Creating user groups
52
Supervisors Guide
Creating a subgroup
To create a subgroup within the Human Resources group: 1. Make sure that Human Resources is still selected. 2. Click New Group. 3. In the name label, enter the name Payroll, and press the Enter key on your New Group keyboard. The Payroll subgroup appears within the Human Resources group. In addition, you can define properties for groups and subgroups from the Group Properties dialog box. This procedure is described in Managing user groups on page 93.
Basic Procedures
Supervisors Guide
53
Creating users
You created the general supervisor when you ran the wizard. You can create additional users as described below. User names are unique within the repository. No two users may have the same name. However, the same user can belong to more than one group and appear in each in the User Pane. These are considered as different instances of a single user.
Creating the first user

To create a user belonging to the Finance group: 1. Click the Finance group. 2. Do one of the following: - Select User, New, User. - Click New User. The new user appears immediately in the User pane. 3. In the name label of the user, enter the name John, and press Enter. Johns default profile is User. This means user John can access only the Business Objects end-user products but not Designer or Supervisor. 4. If it is not already selected, click the Configuration tab in the Resource pane. In the Resource pane, BusinessObjects is followed by the word Profile, meaning John has access to BusinessObjects because that is the default setting for his profile. The products the user cannot access are flagged with a red X: .
New User
Creating users
54
Supervisors Guide
Assigning a profile to a user

To create a user belonging to the Payroll subgroup, and to assign a new profile to this user: 1. Click the Payroll subgroup. 2. Do one of the following: - Select User, New, User. - Click New User. The new user appears immediately in the User pane. 3. In the name label of the user, enter the name Anne, and press Enter. User Anne appears immediately in the User pane within the Payroll subgroup. By default, her profile is User. Anne can therefore access only the Business Objects end-user products. In the Resource pane, these products are followed by the word Profile. The products this user cannot access are flagged with red Xs. To modify this user profile: 1. Right-click user Anne. 2. Select the Set Profile To command, and then select the Designer profile. The symbol identifying Anne in the User pane changes to reflect her new profile. Her access authorizations are modified. By default, a universe designer can access Designer and the Business Objects End-user products. In the Resource pane, Designer is followed by the word Profile. Supervisor, which a designer cannot access, is flagged with a red X.
New User
Basic Procedures
Supervisors Guide
55
Assigning a password to a user

You can create a user belonging to a subgroup and assign a new profile and password to this user. Using the example from the previous section, user Anne should already be selected. If not click, click user Anne in the Payroll subgroup. 1. Do one of the following: - Select User, New, User. - Click New User. The new user appears immediately in the User pane. 2. In the name label of the user, enter the name Pat, and press Enter. User Pat appears immediately in the User pane in the Payroll subgroup. By default, Pats profile is User. 3. To change the profile of user Pat from User to Supervisor, right-click the user, and select Set Profile To, Supervisor. The symbol representing user Pat in the User pane changes to reflect his new profile. His access authorizations are modified. By default, the supervisor has access to Supervisor and to Business Objects end-user products. In the Resource pane, Supervisor is followed by the word Profile. Designer, which a supervisor cannot access, is flagged with a red X. 4. To assign a password, double-click Supervisor Pat. The Definition tab of the User Properties dialog box appears. 5. Enter the password Patty. Depending on your database, passwords may be case-sensitive. If you use any uppercase characters in the password (as in the example above, Patty), you may need to enter the password in exactly the same way. 6. Confirm the password by entering it in the Confirm Password text box, and click OK. The dialog box closes.
New User
Creating users
56
Supervisors Guide
Moving a user
If you want to move supervisor Pat from the Payroll subgroup to the Human Resources group: 1. Click supervisor Pat in the Payroll subgroup. Supervisor Pat is highlighted. 2. Drag and drop supervisor Pat to the Human Resources group (the Human Resources group is correctly selected when you see a box around the text). Pat now belongs to the Human Resources group. His icon appears on the same level in the tree structure as the Payroll subgroup.
Duplicating a user and modifying a user profile

The universe designer of the Payroll subgroup, Anne, can also belong to the Finance group as a User. To duplicate designer Anne in the Finance group: 1. Click designer Anne in the Payroll subgroup. Designer Anne is highlighted. 2. While holding down the Ctrl key on your keyboard, drag and drop Designer Anne to the Finance group. (The Finance group is correctly selected when you see a box around the text.) Anne appears in both the Payroll and Finance groups with the same profile. 3. To assign a User profile to Anne in the Finance group, right-click user Anne in the Finance group. 4. Select Set Profile To, User. The symbol identifying Anne in the Finance group changes to reflect her new profile. Her access authorizations are modified. By default, a User has access only to Business Objects end-user products. In the Resource pane, BusinessObjects is followed by the word Profile. The products that the user cannot access are flagged with a red X. You can also move a user via the Add to Group and User Properties dialog boxes. These methods are explained in Managing Users and Groups on page 89.
Basic Procedures
Supervisors Guide
57
Disabling a user
If you dont want user Anne to be able to use Business Objects products right away, you can disable this user. 1. Click user Anne in one of the groups to which she belongs. 2. Do one of the following: - Select User, Disable/Enable. - Click Disable/Enable User. The symbol for Anne in the User pane appears with a red X. Finance group. Why in both groups? Because although an instance of Anne appears in both groups, they represent a single user. Now Anne can no longer log into any Business Objects products.
Disable/ Enable User Supervisor automatically disables Anne in the Payroll subgroup and in the
Restricting user or group access to commands

You can restrict the use of any product by limiting access to certain commands or menus of its interface. Because some users in your organization may still be using an earlier release, you can manage command restrictions for both the current and the previous release. This feature is available through the Command Restrictions dialog box, called by double-clicking a Business Objects product in the Configuration tab or by selecting a product, then selecting Resource, Properties. See Restricting the use of commands in the interface on page 180 for a full explanation of how to restrict commands for users or groups.
Creating users
58
Supervisors Guide
Controlling rights of supervisors

By using the Command Restriction dialog box, you can prevent supervisors you create from having access to certain commands. For example, you can prevent a supervisor from creating users by setting the status of a secured command. However, all users inherit the secured command settings of the group they belong to. This means that if the secured command setting does not apply to the supervisors group, the supervisor need only create another user in the group, give that user a supervisor profile, and log in as that supervisor to get around the command restriction. To reliably restrict the rights of a supervisor, therefore, you must set the restriction not on the supervisor but on the group the supervisor belongs to. Proceed as follows to keep a supervisor from creating new users: 1. In the User pane of Supervisor, select the group the supervisor belongs to. 2. Double-click Supervisor in the Resource pane. The Command Restriction dialog box appears.
Basic Procedures
Supervisors Guide
59
3. Click the User and Group command family in the tree on the left, then click Create User in the list on the right.
4. Select Hidden in the Status box. A grey icon appears next to the command. 5. Click OK to close the dialog box. See Restricting the use of commands in the interface on page 180 for full information on how to use the Command Restriction dialog box. If a Supervisor applies a command restriction to the group to which he or she belongs, that restriction applies to the Supervisor as well as the rest of the group.
NOTE
Only the General Supervisor can then remove the restriction. If you are a Supervisor, only during the current session will you be able to remove any restrictions you apply to your own group. After you log out, you will not be able to remove them in future sessions.
Creating users
60
Supervisors Guide
Testing your setup

This section allows you to test the results you obtained while working through the procedures in this chapter. If you have followed these procedures step-by-step, you should now have the following results displayed in the User pane.
Checking user authorizations

To check whether you correctly assigned a password to supervisor Pat: 1. Select Tools, Login As. 2. Enter Pat as the user name, and PASS as the password. 3. Click OK. An error message appears informing you that the password is not correct. This means that you need to enter the password (Patty) you previously assigned to Pat. As indicated in the error message, you are allowed only two more attempts to enter the correct password.
NOTE
Depending on your database, the user name and password may be casesensitive. You may need to enter them exactly as they were when the user was created.
Basic Procedures
Supervisors Guide
61
4. Click OK. The User Identification dialog box is re-displayed. 5. Enter Patty as the password. The resulting window contains the title bar with the user name, Pat, and the name of the key file in parentheses.
The User pane displays only the group in which Pat has a supervisor profile (Human Resources). It also shows Payroll, a subgroup of the Human Resources group. The User menu no longer contains the New, User command, and the New User button does not appear on the toolbar, because you restricted this command for supervisor Pat.
Testing your setup
62
Supervisors Guide
Creating a second general supervisor

Normally, you should have only one general supervisor to manage and control all users, user groups, and resources. However, if at any time you forget the general supervisors password, or you fail to enter the password correctly three times in a row, then you will no longer be able to access Supervisor as a general supervisor. For this reason, you are strongly advised to create a second general supervisor soon after installing Supervisor. You should keep this backup general supervisor in reserve and keep secure a separate record of the password. If you should be unable to log in as the first general supervisor for the reasons described above, you will still be able to log in as the backup general supervisor. To create a second general supervisor: 1. Log in as the general supervisor. 2. Click the root XYZ Company group. 3. Click the New User button on the toolbar. The new user appears in the User pane. 4. In the name label of the user, enter a name (such as 2ndGenSup), and press Enter. By default, the new users profile is User. You need to modify this profile. 5. Right-click the new user, and select the Set Profile To, General Supervisor. 6. Right-click the new user again, and select Properties. The User Properties dialog box appears. 7. Enter and confirm a password in the Definition tab, then click OK. You have now defined your reserve general supervisor. Be sure to keep a record of the password secure for future reference.
NOTE
If you do not create a reserve general supervisor, Supervisor will remind you to do so each time you launch the program!
Basic Procedures
Supervisors Guide
63
Creating a group reference profile

When a document is distributed to a group of users using Broadcast Agent (BCA), BCA has to compute the rights of each individual user to filter out restricted data. This causes a performance problem. When you add a Group Reference profile (GRP) to a user profile, BCA uses the GRP rights to filter out restricted information for the whole group. This saves time and reduces server activity. If there is no GRP identified, a document cannot be sent to a group. The GRP profile should have: a user profile no access to Supervisor or Designer a disabled login Although the GRP can be applied to an existing user, it is best to create a specific GRP user for any group that receives batch distribution via BCA.
NOTE
The primary general supervisor cannot be the GRP.

REMINDER The removal of a GRP impacts the BCA tasks for the whole group.
64
Supervisors Guide
EXAMPLE Creating a GRP-specific user
1. Log in as the general supervisor. 2. Click the root XYZ Company group. 3. Click the New User button. The new user appears in the User pane. 4. In the name label of the user, enter GRP, and press Enter. 5. Right-click the new user, select Set Profile To, Group Reference.
The GRP user name is now in bold text.
a user assigned the Group Reference profile is in bold
An error message appears if a GRP has already been assigned in the group.
Basic Procedures
Supervisors Guide
65
Adding a group reference profile

You can use either the User Properties or Group Properties dialog box to add the General Reference profile to an existing user. 1. 2. 3. 4. Adding a general reference profile in the user properties dialog box Log in as the general supervisor. Click the root company group. Select from a group the user you want to designate as the GRP. Do one of the following: - Select User, Properties. - Right-click on the user and select Properties. The User Properties dialog box appears. Click the Group And Profile tab. Select the user. Activate Group Reference. Click OK to confirm. The GRP user name is now in bold text.
5. 6. 7. 8.
NOTE
You can also right-click a user and select Set Profile To, Group Reference.
66
Supervisors Guide
1. 2. 3. 4.
5. 6. 7. 8.
Adding a general reference profile in the group properties dialog box Log in as the general supervisor. Click the root company group. Select the group for which you want to designate a GRP. Do one of the following: - Select User, Properties. - Right-click on the group and select Properties. The Group Properties dialog box appears. Click the Users And Profile tab. Select a user. Activate Group Reference. If a user in the group already has this profile, an error message appears. Click OK to confirm. The GRP user name is now in bold text. The GRP user is also listed in the Group Properties dialog box. Click the Broadcast Agent tab, and in the Reference user text box is listed the GRP.
Finding the GRP in a group

To find the user that has the GRP profile: 1. Do one of the following: - Right-click in the User pane. - Select User in the toolbar menu.
2. Select Find Group Reference User. The GRP user is highlighted. If there is no user with the GRP profile, the option is in gray.
the option is grayed out because there is no GRP user assigned to the group
Basic Procedures
Customizing Your Environment
chapter
68
Supervisors Guide
Overview
You can customize your Supervisor environment to control default and other options. This chapter explains how to do so. A number of options are available for customizing your working environment. You to set the following default options: enable or disable confirmation messages quickly create new users and groups quickly rename users and groups select an interface language set user and group sorting options set options for all supervisors This section also shows you how to: move or hide the toolbar change your password log in as a different user run other products from Supervisor
Supervisors Guide
69
Setting your default options

Using the following four tabs in the Options dialog box you can select default options: General Tree List Repository Security Policy
Enabling/disabling confirmation messages

In the General tab of the Options dialog box, there are default options that allow you to control the messages that appear when you attempt to remove a user from a group, or delete a user or group. The procedure is as follows: 1. Select Tools, Options. The Options dialog box appears.
70
Supervisors Guide
NOTE
The Repository and Security Policy tabs are only visible to general supervisors. If you log in as a supervisor you will see only the General and Tree List tabs in the Options dialog box. 2. Select the General tab. The options in the Messages group allow you to control the confirmation messages that appear when you attempt to remove a user from a group, or delete a user or group. By default, all options are selected. 3. If you do not want a given message to appear, simply deactivate the corresponding check box, and click OK to confirm your selection. What is the difference between removing and deleting a user? When you remove a user from a group, the user is not removed from other groups to which he or she was assigned. If the user belongs to only one group, then you must delete (and not remove) the user. Deleting a user in Supervisor will permanently delete the user from the database. For more information, refer to Deleting a user and removing a user from a group on page 120.
Quickly creating new users and groups

In the General tab of the Options dialog box, there are default options that allow you to create a user or group simply by clicking the Insert key on your keyboard. This can be useful for creating a series of users or groups rapidly. To activate or deactivate this feature: 1. Select Tools, Options. 2. Select the General tab. 3. In the Insert Key group, click one of the options: Option Description
Insert Key is Not Active The Insert key has no assigned function. This is the default option. Use Insert Key to Create New User Use Insert Key to Create New Group Allows you to create new users using the Insert key on your keyboard. Allows you to create new groups using the Insert key on your keyboard.
Supervisors Guide
71
Quickly renaming a user or group

In the General tab of the Options dialog box, there are default options that allow you use to rename a user or group directly from the User pane without using the Rename command. To enable this feature 1. Select Tools, Options. 2. Select the General tab. 3. Select Enable Edit in Place and click OK to confirm. 1. 2. 3. 4. To test this feature In the User pane, click the name of the user or group to be renamed. The name is highlighted. Click the name again. A box appears around the name. Enter a new name. Press Enter. The user or group is renamed.
NOTE
User and group names are unique within the repository. No two users or groups may have the same name.
Changing the interface language

In the General tab of the Options dialog box, there are default options that allow you to choose the Business Objects product interface language to use. To enable this feature 1. Select Tools, Options. 2. Click the General tab. 3. Select a language in the Language drop-down list and click OK. The interface appears in the language you chose.
72
Supervisors Guide
Setting user and group sorting options

In the Tree List tab of the Options dialog box, there are default options that allow you to control the order in which users and user groups are displayed by customizing a series of sorting options. To do this: 1. Select Tools, Options. 2. Click the Tree List tab.
Options for sorting the users and groups are available under Sort. You can try out an option simply by clicking it. You can then view the effect on the display in the Preview pane. Activating the case sensitive option Activate Case Sensitive to sort users and/or groups while taking into account uppercase and lowercase characters. Names in uppercase characters have precedence over those in lowercase.
Supervisors Guide
73
Activating primary and secondary keys Two keys are used for sorting users and groups: the primary key the secondary key The primary key The primary key indicates whether the sort is by type or by name, in ascending or descending order. The options for defining the primary key are as follows: Option Type Description Sorts the users in a group by user profile. General supervisors are displayed first, followed by supervisors, designers, supervisor-designers, users, and finally versatile users. Users of a given user profile can be sorted in alphabetical or reverse alphabetical order. Sorts all users and groups by name. The names are listed in either alphabetical or reverse alphabetical order. Sorts user profiles or names in alphabetical order. Sorts user profiles or names in reverse alphabetical order.
Name Ascending Descending
The following rules apply for primary key options: If you click the Type and Ascending options, Supervisor displays users by user profile in order of type (see above). If you click the Type and Descending options, Supervisor displays users by user profile in reverse order of type (see above). If you click the Name and Ascending options, Supervisor displays users and groups in alphabetical order. If you click the Name and Descending options, Supervisor displays users and groups in reverse alphabetical order. The secondary key You can also define a secondary key to further refine the sorting process: If you select Type as the primary key, then the secondary key applies to Name, and will sort all names in ascending or descending order. If you select Name as the primary key, then the secondary key applies to Type, and will sort all types in ascending or descending order.
74
Supervisors Guide
Setting repository options

In the Repository tab of the Options dialog box, there are default options that allows the general supervisor to set options for all the supervisors working with SUPERVISOR, as well as for all users who access Business Objects products. The general supervisor can, for example:
restrict or extend the powers of supervisors on a session-to-session basis control access to the repository, set password options set default names for new users and groups
The options in this tab are organized in the following groups: Repository Access Refresh when idle for more than... Name Generated by Default Valid characters for repository.
NOTE
You can set the options in this section only if you are a general supervisor.
Supervisors Guide
75
Controlling repository access The options in the Repository Access group let you decide how Supervisor is to interact with the repository. They are described below.
NOTE
You should disable the Repository Access options if you do not intend to use them, since enabling these options will increase the time it takes for users to log in. Work with timestamps Supervisor collects timestamp information from the repository at login only if this is selected. This optimizes login when you are not working with timestamps and the option is not selected. For more information on timestamp logins, refer to Controlling user login times on page 117. Work with universe overrides Supervisor collects universe override information from the repository at login only if this is selected. This optimizes login when you are not working with universe overrides and the option is not selected. Refresh when idle for more than This option allows you to specify how often the Supervisor window is refreshed to reflect the most up-to-date information in the repository. 1. Select Tools, Options. 2. Click the Repository tab. 3. Select Refresh when idle for more than. By default, this option is not selected. When it is selected, the Minutes scroll box becomes available. 4. In the Minutes scroll box, select a value to indicate how often the Supervisor window is to be refreshed. 5. Click OK to confirm.
NOTE
A supervisor can also refresh the display at any time by clicking Refresh or F5.
76
Supervisors Guide
Setting default names You can set a default name for the users and/or groups created by supervisors: 1. Select Tools, Options. 2. Click the Repository tab. 3. Select New User Name. The text box beside the check box is activated. 4. In the text box, enter the name for the new user. By default, the name of the first user is New User, the name for the second user is New User2, and so on. 5. Click OK to apply the changes. To set the default name of a new group, select the New Group Name option, then follow the same procedure as above. Defining valid characters for repository You can determine which characters can be used in BusinessObjects operations with the repository. By default, valid characters are: a-z: all lowercase letters A-Z: all uppercase letters 0-9: integers from 0 to 9 the dash (-), underscore (_), and dollar ($) characters the blank space You can type other characters or character sequences here in a regular expression using the dash (-) in the syntax to express a sequence. For example, in A-Z the dash means all the characters in the alphabet between A and Z. Any characters may be authorized as valid, including the Euro symbol (), unless they are not supported by your database. To know which characters are supported by the database, see your database administrator. Click Test to make sure your expression is correct and see the list of valid characters.
NOTE
To use the dash (-) as a character in the repository, you must enter a back slash (\) before it in the list of valid characters. This is already done the first time you open the Repository tab, since the dash is a valid character by default.
Supervisors Guide
77
Setting security default options

In the Security Policy tab of the Options dialog box, there are default options that allows the General Supervisor to set for all supervisors the following: scope management password options Win NT authentication
78
Supervisors Guide
Scope management Scope management is a Supervisor option which allows you to control the extent of the access that all supervisors are granted to users and user groups. In a typical working environment, you create a series of supervisors who are responsible for a particular department or area of your business. You can do this, for example, by creating a group for each department, and then creating users within each group. At this point, you may also want to assign a supervisor to each group to handle the local group administration. As the general supervisor, whenever you log on you will always have a complete view of all the users and groups that have been created by you or by other supervisors. However, when one of your group supervisors logs on, he will only see the users and groups that have been defined locally within his own group. In other words, the group supervisor will not have a global overview (see example below).
general supervisors view (global) marketing supervisors view (local)
Supervisor lets you choose between three scope management options: Standard, Secured, and Extended. These options are described below. Standard mode was formerly the default setting, hence its name, but the standard scope management setting is now Secured.
Supervisors Guide
79
What is standard mode? In the scenario illustrated above, the Marketing supervisor has access only to the users within his group. He cannot see or manage any other users or groups. In addition, if he checks his group properties, he will see an empty All users pane.
The Marketing supervisor cannot add users from any of the other groups to his group. The scope of the Marketing manager is therefore restricted to his own group. This situation is useful if you want to strictly control the scope of your group supervisors, and is referred to as Standard Mode.
80
Supervisors Guide
What is extended mode? If, on the other hand, you want to allow your group supervisors access to users outside their own group(s) so that they can add or remove users to their own groups, then you can do so by setting Scope Management to Extended Mode. In this mode, when the Marketing supervisor checks his group properties, he will see that the All users pane now displays all of the users from all of the other groups.
In Extended Mode, the Marketing manager is free to add external users to his group and to remove them. Also, in extended mode, if a supervisor tries to create a user with a name that already exists in a group outside his scope, the following message appears:
The supervisor can then create another instance of the user within his own group.
Supervisors Guide
81
What is secured mode? As explained in Chapter 7, Assigning Resources to Users on page 171, you can restrict the access of specific users to specific commands. For example, you can select a user, double-click on BusinessObjects in the resource pane, and disable one or more commands (see Restricting the use of commands in the interface on page 180). However, if you are working in Standard Mode, any supervisors that you restrict in this way can continue to create new users of their ownand these users will have no command restrictions applied (in other words, all module commands will be enabled by default). In order to address this potential security hazard, the general supervisor by default uses the Secured mode of operation. In this mode, a supervisor can create new users, but can only control access of these users to resources, such as products, documents, or universes, to resources already granted to at least one user the supervisor administrates, if those resources have not disabled for the supervisor either directly or through inheritance. In addition, the supervisor cannot add users from other groups to their own. Setting your scope management option To set your scope management option: 1. Select Tools, Options. 2. Click the Security Policy tab. 3. From the Scope Management drop-down list box, select an option, and click OK.
82
Supervisors Guide
Setting passwords You can set options that determine how supervisors set passwords on the users they create. These options are described below: Option Number of logins allowed after password expiry Description Sets the number of times a user can log into a product once his or her password has expired. Enter the number in the text box. By default, a product allows three more logins before forcing the user to change the password. Prohibits supervisors from creating a new user without a password. If a supervisor attempts to create a user without assigning a password, Supervisor returns an error message. The new user has a default password which is the same as the user name. The supervisor can change this password if necessary. Allows supervisors to create a new user without a password. This option is the default. Lets you determine the minimum number of characters that a valid password can have. By default, the option is unchecked (i.e., no minimum password length). Checking this option automatically sets the mandatory password option as well. Select the number of times a user is allowed to enter an incorrect login. The default is 3.
Password is mandatory
Default password is user name No default password Minimum password length
Number of failed logins allowed
To set password options: 1. Select Tools, Options. 2. Click the Security Policy tab. 3. Select the options required, and click OK.
Supervisors Guide
83
WinNT authentication (for Windows NT and Windows 2000) The Windows NT authentication driver, used only on Windows NT and Windows 2000 machines, authenticates Business Objects users by reusing information from the Windows NT or 2000 system login. This makes it possible to avoid the redundant use of login dialog boxes in Business Objects Desktop and Administration Products. For information on how to install the Windows NT authentication driver, see the Deployment Guide. A PDF copy of the Deployment Guide is installed by default with Supervisor and can be opened from the Help menu. This group lets you enable Windows NT or Windows 2000 authentication for users in your deployment. When it is enabled, you can specify whether the authentication driver will accept users from all domains or from a list of trusted domains you specify. InfoView and WebIntelligence do not use this driver for NT authentication. For information on how to use NT or other authentication methods with WebIntelligence, see the System Administrators Guide for Windows.
To enable WinNT authentication: 1. Select Tools, Options. 2. Click the Security Policy tab. 3. Select Enable WinNT Authentication. This enables authentication of user identity by the Windows NT authentication driver. When selected, the relevant options become available. 4. Select one of the following: - To let the driver authenticate users from all NT domains, click From all domains. - To restrict authentication to users from trusted domains only, click From list.
84
Supervisors Guide
5. If you selected From list as the authentication option, click New to add a domain to the trusted list. The Define a Primary Domain Controller dialog box appears.
6. Enter the name of a domain from which login will be allowed using the Windows NT authentication driver, then click OK. The driver is used only on Windows NT and Windows 2000 machines. Only if the domain is a trusted one, and the user is defined in the repository, will access be granted. 7. Click OK to confirm.
NOTE
You can only enter the names of domains to which you have network access. Removing domains from the list To remove a domain name from the list of trusted domains: 1. Select the domain in the list. 2. Click Delete. The domain is immediately removed from the list.
Supervisors Guide
85
Other options
In addition to modifying your default settings, you can also: move or hide the tool bars change your password log in as a different user run other products from Supervisor
Moving or hiding the toolbar

The Supervisor window contains a toolbar called the Standard toolbar. By default, it is positioned within the Supervisor window as shown below:
click an area in the toolbar that is not an active button and drag and drop to change the Standard toolbar into a window
standard toolbar
You can click and drag this toolbar out of its position to make it a floating toolbar or dock it to any edge of the application frame. To do so: 1. Click in an area that is not an active button within the rectangle containing the toolbar. 2. Drag the toolbar down. 3. Release the mouse button. Depending on where you move it, the toolbar appears as a window or docked on an edge of the application frame.
The Standard toolbar displayed as a window
You can also toggle the display of the toolbar on or off by selecting the Toolbars command from the View menu. A checkmark indicates that the toolbar appears.
Other options
86
Supervisors Guide
Changing your password

Provided that the Enable Password Modification option is checked in your user properties (see Defining user properties on page 111), you can change your password at any time during a Supervisor session.
NOTE
This feature is not compatible with use of the Windows NT Authentication Driver. For information on how to activate and deactivate this driver, refer to the Deployment Guide. To change your password: 1. Select Tools, Change Password. The Change Password dialog box appears.
2. Enter your existing password in the Enter Old Password text box. 3. Enter your new password in the Enter New Password text box. 4. Confirm your new password by entering it again in the Confirm New Password text box. 5. Click OK to confirm.
Supervisors Guide
87
Logging in as a different user

You can log into Supervisor as a different user without quitting your work session. To do so, you need to know the user name and password of the user you want to log in as. This lets you view the users and resources that this person can administer. This operation is equivalent to exiting Supervisor, then running it again and logging in with a different user ID and password. If you are using the Windows NT Authentication Driver, you will only be able to log in again with your own user name and password. This can be useful if, for example, you are logged in as a supervisor and you wish to log in again because your General Supervisor has just modified your privileges. For information on how to activate and deactivate the Windows NT Authentication Driver, refer to the Deployment Guide. To quickly log in as a different user: 1. Select Tools, Login As. The User Identification dialog box appears. 2. Enter the user name in the User Name text box. 3. Enter the password in the Password text box. 4. Click OK. The title bar of the Supervisor window indicates the user name with which you logged in.
NOTE
When you log into Supervisor as another user, you are automatically entitled to all the rights of that user. However, you will also have any restrictions that any supervisor may have set on that user.
Running other products from supervisor

From a Supervisor work session, you can launch a BusinessObjects session by selecting Tools, Run, BusinessObjects. If you are a supervisor-designer, then you can launch a Designer session by selecting Tools, Run, Designer.
Other options
88
Supervisors Guide
chapter
90
Supervisors Guide
Overview
The general supervisor is responsible for creating users and assigning profiles to them. The users that are assigned the supervisor profile can then log in and create users of their own. When created, users and/or user groups are displayed in a tree list in the User pane of the Supervisor window. Resources that may be granted appear in the Resource pane of the window. Options for each type of resource appear in one of five tabs.
title bar menu toolbar
the User pane lists all users and user groups
the Resource pane has tabs for assigning resources
In the User pane, the root group (XYZ Company) represents the organization (company, hospital, agency) created with the wizard during the installation of the repository.
Supervisors Guide
91
The structure of the list proceeds from the general to the specific; it also displays the first general supervisor. The general supervisor has all the rights needed to carry out user administration, and can delegate all or part of these rights when defining other general supervisors or supervisors. Any action resulting in the creation of users or user groups is automatically written to the security domain of the repository. A user group is symbolized by a folder icon. This icon can be displayed in one of three states: open, closed, or empty.
Open Group
A group is open when it contains either users and/or groups displayed in the User pane. The icon for an open group is preceded by a minus sign (-).
A closed group is a group containing components (users and/or groups) that are not displayed in the User pane. You can display the components of a closed Closed Group group in the User pane by clicking the plus sign (+) beside the icon. An empty group contains no components at all; it has no users and no groups. There is no particular sign displayed with the empty group icon. Empty Group In the User pane, each user type is identified by a symbol as follows: Symbol User Profile User Supervisor Designer Supervisor-Designer Versatile User Disabled User General Supervisor For full explanations of each of these user types, refer to User profiles on page 18. You can also customize the display of users and groups in the User pane. For more information, refer to Setting user and group sorting options on page 72.
92
Supervisors Guide
Techniques for creating users and user groups

You can use three techniques to organize users and groups in the User pane: You can create all user groups, and then add users to each group. You can create all users, then assign them to groups. To do this refer to Managing users on page 110. You can create users and groups by importing a preformatted text file containing the information that describes them. To do this refer to Importing and Exporting Users and Groups on page 213. This section describes how to create user groups and users.
Supervisors Guide
93
Managing user groups

You define users and user groups via the commands of the User menu or their corresponding buttons on the toolbar.
a b a - to create a group b - to create or modify group properties
You can also use the commands of the shortcut menu that appears when you right-click a group. These commands are identical to those on the User menu.
Creating a group
The root group, which is automatically created during installation, represents your organization. All other groups that you create will belong to this group. Although you can rename the root group, you can never delete or lock it. To create an additional group: 1. Click the group in which you want to create a new group. During a first-time setup, you must click the root group. 2. Do one of the following: - Select User, New, Group. - Click the New Group button on the toolbar. New Group 3. In the name label, enter a name for the group, and press Enter. The new group appears immediately in the User pane.
NOTE
You can customize certain aspects of the creation process. For more information, refer to Quickly creating new users and groups on page 70.
94
Supervisors Guide
Defining group properties

You can simultaneously name and assign properties to the groups that you create. To do this do one of the following: Right-click the group in the User pane, and select Properties Click the Properties button on the toolbar. The Group Properties dialog box appears. Its title bar shows the name of the group you selected. By default, the Definition tab of the dialog box appears.
Properties
Defining a group In the Definition tab of the Group Properties dialog box, assign ascendant groups. To define the group: 1. Enter the name of the new group in the Name text box. 2. From the drop-down list box, select the group to which the new group is to belong. By default, the group displayed is the one in which you created the new group.
Supervisors Guide
95
Assigning users to a new group You can assign users to a new group in the Users and Profile tab of the Group Properties dialog box.
If you have created no users yet, the left-hand list shows only the general supervisor. Otherwise, it lists all the users you have already created. The name of the group to which you want to assign users is dynamically displayed both in the title bar and in the heading of the right-hand list: Users of group name. To assign a user to a group: 1. Select the user in the left-hand list. 2. Click Add. The user appears in the right-hand list.
96
Supervisors Guide
Defining user profiles You can also quickly define or redefine the user profile; however, this profile is valid only for the current group. To define the user profile: 1. Click the user in the right-hand list. 2. Select a profile from the Profile drop-down list box. At this point, you can do one of the following: Check the properties of the group by clicking OK. The Group Properties dialog box is closed, and the icon symbolizing the new group appears in the User pane. To view the new user in the group, double-click the group icon. The symbol for the user appears in the User pane. Click the Timestamp tab to set restrictions on when the group can log into a Business Objects product. See the next section for a description of this tab. Controlling group login times You can specify a time period during which the users in a given group can log into the Business Objects repository. This authorized login time is called a timestamp. There are three types of timestamp, and they can be combined to allow powerful and flexible control of authorized login times. If you have any problems with timestamps defined with earlier versions of Supervisor, you need to remove them and recreate them in the procedure described below.
NOTE
Timestamps will only be taken into account if the "Work With Timestamps" option is selected for the repository. This option is set in the Repository tab of the Options dialog box, which is accessed by selecting Tools, Options. See Work with timestamps on page 75 for details. Timestamp inheritance When a timestamp is created for a group, all users in the group and its subgroups inherit the timestamp. The timestamp can only be removed from the group for which it was created, at which point it is no longer inherited by the groups users and subgroups. If a user belongs to several groups, it is the Groups And Profile tab of the User Properties window that determines which timestamps govern that users login.
Supervisors Guide
97
To open the User Properties window, do one of the following: 1. Double-click the user in the User Pane. 2. Click the user and select User, Properties.
The group that is at the top of the Profile/Group list is the only group whose timestamps are taken into account. You can position a group in the list by clicking it, then clicking the Up or Down button.
98
Supervisors Guide
What about differing time zones? It is important to keep in mind that it is the users local time that determines login access. In other words, if a group is assigned a timestamp that authorizes login starting at noon, the users in the group can log in if their local system time is noon, even if the repository is housed in a machine in a different time zone. If the groups using your repository are located in several time zones, you must be sure to calculate authorized login times accordingly.
EXAMPLE
For example, if your repository is in time zone GMT-6 (6 hours earlier than Greenwich Mean Time, which corresponds to US Central Time), and you have groups who will be logging in from time zone GMT-5 (US Eastern Time), you have to remember that their time zone is an hour later than the repositorys time zone. Another example is if it is 12 PM in Chicago it is 1 PM in New York. Therefore, to let a group in New York log in as of noon Chicago time, their timestamp should start at 1 PM, because it is their local time that governs their access. If their timestamp started at 12 PM, they could log in when it was still only 11 AM for the repository.
Supervisors Guide
99
Choosing the timestamp By default, no timestamps are set and login is possible at all times. You can add login timestamps that authorize login according to calendar period, time range, or weekly or monthly criteria.
The following settings are: Setting Start/End Date Description A date-only timestamp is all you need to limit login authorization to a certain calendar period. You set the dates of the first and last days users in the group are allowed to log in. Any login attempted on days not within this period will fail. You should have no more than one date-only timestamp per repository. A time-only timestamp is all you need to limit login authorization to certain hours of the day, for example office hours. You set the beginning and end times of the period users in the group are allowed to log in. Any login attempted outside this time period will fail. You should have no more than one time-only timestamp per repository.
Start/End Time
How (weekly or You set the day of the week or the month in the year users monthly criteria) in the group are allowed to log in. You can also allow log in on the first or last day of every month.
100
Supervisors Guide
Combining timestamps Timestamps can be combined to authorize login according to a combination of criteria. To do so, you should be aware of how the timestamps are checked. The basic rule to remember is this: for repository access to be possible, date-only, time-only, and date + time timestamps must be satisfied; when they are, access is possible if any one how timestamp is satisfied. (In Boolean terms, all timestamps with date or time, but with no how are joined by AND; how timestamps are joined by OR.) Timestamp includes: Date X X X X X X X X X X X X Time How Effect on repository access Only one per repository. MUST be satisfied before any others are taken into account. Once date-only, time-only and dateand-time timestamps are OK, login is possible if any one is satisfied.
Supervisors Guide
101
Using timestamps for efficiency and security How you use timestamps with your repository all depends on your business logic. If there is a particularly sensitive period during which you want to deny a certain group access to the repository, you can assign it a date-only timestamp which excludes that period. If you know that certain key data is updated daily at a certain time, you may want to make it impossible for a group to log in before then. You can use a time-only timestamp with an appropriate start time. To avoid strain on the network, you may want your groups to take turns logging in, with some using the repository one day and some another day. Using a how timestamp, you can authorize login for group 1 on Monday, group 2 on Tuesday, group 3 on Wednesday, and so on. These could be assigned in addition to a date-only and/or time-only timestamp restricting calendar period and period of the day. By combining date, time, and how criteria, you can fine-tune repository access even more. For example, you could authorize a group to log into the repository from January through June (by setting start and end dates), from 9 AM to 2 PM (by setting start and end times), and only on Tuesdays (by selecting Tuesday as the how criterion).
102
Supervisors Guide
Adding a timestamp Whenever a timestamp is selected in the list box on the right, its settings are displayed on the left and any changes to them will be saved when you click OK. (See the next section, Modifying a timestamp.) When you want to add a new timestamp, be sure no existing timestamps are selected before specifying settings. 1. Right-click a group in the User pane and select Properties. The Group Properties box appears.
2. In the Timestamp tab of the Group Properties box, activate Start/End Date, Start/End Time, or How, depending on the type of timestamp you want to apply. You can activate two or three check boxes to make a combination timestamp. 3. Depending on the type of timestamp you select, specify the beginning and end dates, the beginning and end times, and/or the weekly or monthly how criteria defining the timestamp.
NOTE
Date and time formats correspond to your local system settings, which you can control by selecting Regional Settings from your Windows Control Panel. For a date timestamp, you can enter the day, month, or year value directly in the box or use the up and down arrows to change the setting. For a time timestamp, you can enter the hours or minutes directly in the box, or use the up and down arrows. For a How timestamp, just select a value from the list.
Supervisors Guide
103
4. Click Add. The timestamp appears in the list box to the right. The Timestamp column shows the type of timestamp, and the Inherited From column shows the group to which the timestamp was applied.
this timestamp applies to the Finance group
5. Click OK for the timestamp to be applied to the selected group.
104
Supervisors Guide
Modifying a timestamp 1. In the User pane, right-click the group to which the timestamp to be changed is assigned and select Properties. The Group Properties box appears. 2. Select the Timestamp tab of the Group Properties box.
3. In the list box to the right, click the timestamp to be modified. The timestamp definition appears in the relevant area on the left.
4. Modify the settings. 5. Click Replace. 6. Click OK for the timestamps new settings to be taken into account.
Supervisors Guide
105
Removing a timestamp 1. In the User pane, right-click the group to which the timestamp is assigned and select Properties. The Group Properties box appears. 2. Select the Timestamp tab of the Group Properties box. 3. In the list box to the right, click the timestamp to be removed. The timestamp definition appears in the relevant area on the left.
4. Click Remove. 5. Click OK to confirm. Creating a Broadcast Agent for a group Broadcast Agent is a product that can be integrated into a Business Objects deployment to provide scheduled document processing. You can create one Broadcast Agent per group, for one document domain to which that group has access. The Broadcast Agent and its schedule of tasks exist in the Business Objects repository. Broadcast Agent receives requests from end users, processes them at userdefined times, and then distributes the processed documents to the appropriate users. The benefit from an administrators point of view is that users can schedule document processing at off-peak hours, thus dramatically reducing network traffic at peak times. The integration of Broadcast Agent into the Business Objects deployment requires a new type of usera Broadcast Agent administrator. It is this administrators role to monitor and manage scheduling requests and distribution lists, using the Broadcast Agent Console. To launch Broadcast Agent, the administrator must have a general supervisor profile.
106
Supervisors Guide
Creating a Broadcast Agent 1. In the User pane, right-click the group for which you want to create a Broadcast Agent and select Properties. The Group Properties box appears. 2. Select the Broadcast Agent tab. 3. Select the Broadcast Agent option.
4. In the Name text box, enter a name for the Broadcast Agent. You can enter up to 32 alphanumeric characters. 5. If you choose to create a password for the Broadcast Agent, enter a password in the Password text box, and confirm it by entering it again in the Confirm Password text box. You can enter up to 32 alphanumeric characters. The password is optional. If one exists, the Broadcast Agent administrator will have to enter it when asked by the Broadcast Agent administration tool.
Supervisors Guide
107
6. Select a document domain from the list box in the Properties group. The Broadcast Agent will be able to process documents from this domain only. 7. Click OK. In the User pane, a group for which a Broadcast Agent has been created is identified with the symbol . BusinessObjects and InfoView users who belong to a group with a Broadcast Agent can send documents to it with a task schedule attached. Users who belong to more than one group with a Broadcast Agent can choose the Broadcast Agent to which to send the document from among those associated with their groups. Deleting a Broadcast Agent To delete a Broadcast Agent: 1. In the User pane, right-click a group for which a Broadcast Agent has been created and select Properties. The Group Properties box appears. 2. Select the Broadcast Agent tab of the Group Properties box. 3. Select the No Broadcast Agent option. The Broadcast Agent is removed from the repository and all its scheduled tasks are cancelled.
108
Supervisors Guide
Other options for Broadcast Agent In addition to choosing the document domain, the Properties group in the Broadcast Agent tab lets you choose the following options: Option Disable login UNIX-only Broadcast Agent Nb Max retries Description Select this option to make it impossible to launch Broadcast Agent. This option means that Broadcast Agent will send tasks for processing only to UNIX machines. Clear this option if you want Broadcast Agent to schedule tasks on available Windows and Unix machines. This value specifies how many times Broadcast Agent should try to connect to a UNIX machine before sending the task to a Windows machine in the cluster. This is useful because some tasks may include VBA scripts, for example, that cannot be executed on UNIX; if they consistently fail on a UNIX machine, Broadcast Agent will send them to a Windows machine. This option is not available if the UNIX-only Broadcast Agent option is selected.
For complete information on the Broadcast Agent, refer to the Broadcast Agent Administrators Guide.
Supervisors Guide
109
Deleting a group
You can always delete a group, regardless of whether it is empty, open, or closed. However, you should note that deleting a group also has an impact on the database. If a group contains users, Supervisor deletes the users according to the following rules: A user existing only in the group to be deleted is permanently deleted from the database. See When deleting InfoView/WebIntelligence users on page 120. A user existing in at least one other group is removed from the group but is not deleted from the database. To delete a group: 1. Click the group in the User pane. 2. Select User, Delete Group. By default, a message appears prompting you to confirm the deletion.
NOTE
N
If you wish, you can disable messages such as this by customizing your default options, as described in Enabling/disabling confirmation messages on page 69.
Renaming a group
To rename a group: 1. Click the group in the User pane. 2. Select the User, Rename Group. The selected group name is highlighted in a box. 3. Enter the new name, and press Enter.
110
Supervisors Guide
Managing users
The general supervisor is the first user created. The first general supervisor cannot be deleted, but can create other supervisors or general supervisors. These additional supervisors can be deleted. You define users with the commands of the User menu, or their corresponding buttons on the toolbar:
a - click to create a user b - click to verify or modify user properties c - click to enable or disable a user d - click to add a user to a group
By right-clicking a user in the User pane, you call a shortcut menu that contains the same commands as the User menu.
Creating a user
To create a user: 1. Click the group to which the user will be assigned. 2. Do one of the following: - Select User, New, User - Click the New User button The new user symbol appears in the User pane. 3. In the name label, enter a name for the user, and press Enter. The new user is created. You can customize certain aspects of the creation process. For more information, refer to Quickly creating new users and groups on page 70.
New User
Supervisors Guide
111
Defining user properties

The User Properties dialog box lets you define the following user properties: name password password checking on or off password modification rights password validity period and change options login authorization offline login real-time user rights update document deletion rights. To define specific properties for a user: 1. Do one of the following: - Click the Properties button. - Select User, Properties. The User Properties dialog box appears. Its title bar contains the name of the newly created user. By default, the Definition tab of the dialog box appears.
Properties
Managing users
112
Supervisors Guide
Defining a user To define a new user: 1. Enter a user name in the Name text box. This is the name with which the user will log into a Business Objects product. The name you enter cannot exceed 32 alphanumeric characters including special characters and spaces. Be aware of uppercase and lowercase characters since depending on your database, the user name and password may be case-sensitive for all Business Objects products. 2. Enter a password in the Password text box. The password is optional. Users with no assigned passwords can still launch a product by entering their user name. For security reasons, the password you enter appears as asterisks (*). 3. Confirm the password by entering it again in the Confirm Password text box. 4. If you want to force the user to change the assigned password at the first login, select Change Password At First Login. 5. If you want to force the user to change the password after a specified number of days have elapsed, select Password Validity, and use the up or down arrow to select the desired number of days from the Days scroll box. Although this option applies once by default, you can make it take effect periodically (based on the number of days specified) by selecting Periodic Action.
NOTE
Once the password has expired, a user can still log into the module three more times before being forced to change the password. If you are a general supervisor, you can modify the default number of logins allowed after a password has expired. For further information, refer to Setting passwords on page 82. 6. To control the password checking system associated with the user, select one of the following options from the Identification Strategy list box. Option Full Checking No Password Checking Description The default option. The Business Objects repository always checks the validity of the user password. Removes all password controls for this user as long as the option is selected. If you select this option, all items in the Security panel are disabled.
Supervisors Guide
113
7. To prohibit the user from logging in, select Disable Login. When disabled, the user symbol appears with a red X over it. You can reenable login at any time by clicking User, Disable/Enable. 8. To allow the user to log in without a connection to the repository, select Enable Offline Login. This allows a user to work in offline mode with locally stored data; there is no connection to the repository. 9. To allow the user to modify the password, select Enable Password Modification. 10. To dynamically display in real time the list of available universes, select Enable Real Time User Rights Update. This means the users list of available universes is checked and refreshed against the repository in real time, rather than against the users own security files at the beginning of a session. The user will not have to log in again to the repository to know, for example, that access to a universe has been granted or denied. In addition, the users local copy of a universe is checked against the universe in the repository each time a query is built or edited, and refreshed if necessary. This option has effect only when BusinessObjects is used in 2-tier. 11. To authorize the user to delete documents from the repository document domain, select Enable Delete Document. 12. To specify an object security level for a user, select the level from the Object Security Level list box. Objects are components in Business Objects universes that make data accessible to users. Their security level is defined by the designers who create them. By default, their security level is Public, meaning any user can work with them. If they are given a higher security level, only users granted the corresponding Object Security Level have access to them. The levels are, from highest to lowest: - private - confidential - restricted - controlled - public For more information on object security levels, refer to the Designers Guide. 13. Close the dialog box by clicking OK to confirm or click the Users and Profile tab in order to assign the new user to a group.
Managing users
114
Supervisors Guide
Changing a user profile

To modify a user profile, right-click the user. On the shortcut menu, click Set Profile To, and select one of the following profiles: General Supervisor Supervisor Designer Supervisor-Designer User Versatile The symbol identifying the user in the User pane changes accordingly. The products to which the selected user profile does not have access authorization are indicated by a red X over them in the Resources pane. For information on each of the above profiles, refer to User profiles on page 18.
Supervisors Guide
115
Assigning a user to a group

With Supervisor, you can assign a user to a group in one of two ways: adding the user duplicating the user Adding a user In the User Properties dialog box, you can add a user to a group. You can change the users profile for the new instance. 1. In the User pane, select the user you want to add to a group and click the User Properties button. The User Properties dialog box appears with the name of the user in the title bar. 2. Click the Groups and Profile tab.
All user groups you have previously created are listed in the Available groups list. If there are no groups, the left-hand list shows only the name of the root group created with the wizard. The user profile, the symbol of this profile, and the group to which the user belongs, are displayed in the right-hand list of the dialog box.
Managing users
116
Supervisors Guide
3. In the right-hand list, click the user. 4. In the left-hand list, click the group to which you want to add the user. 5. Click Add. The user appears selected in the right-hand list with the same profile as the instance you selected in step 1. 6. If you want the user to have a different profile for this groupfor example, if you want the user to be a supervisor for this group although the original profile is only Userselect the desired profile in the Profile list box. The name of the profile, and its symbol, are immediately displayed in the righthand list for this instance of the user. 7. Click OK to add the user to the group. This creates another instance of the user in the group you specified, with the profile specified. It does not move the user out of any group the user already belonged to or affect the users profile in other groups. To view the user just assigned to the group, click the group in the User pane. The symbol for the user appears within the group. Duplicating the user Whenever you create a user, you can duplicate the user so that he or she can belong to another group. There are two ways to duplicate a user: Drag and drop the user within the User pane, while keeping the Ctrl key pressed. This duplicates the user and keeps the same profile. Select User, Add to Group. This gives you the opportunity to modify the user profile while duplicating the user. Duplicating the user with the same profile To duplicate the user by drag and drop: 1. Press the Ctrl key and click the user in the User pane. 2. With the Ctrl key still pressed, drag the user to the desired group. 3. Drop the user in the group and release the Ctrl key. The user appears in the group with the same properties as those in the initial group.
Supervisors Guide
117
Duplicating the user and changing the profile To duplicate the user and change the profile: 1. Click the user to be duplicated in the User pane. 2. Do one of the following: - Select User, Add to Group. - Click the Add to Group button. The Add to Group dialog box appears with the name of the selected user in Add to Group the title bar.
3. In the Target Group drop-down list box, select the target group in which the user is to be duplicated. 4. In the With Profile drop-down list box, select the profile you wish to assign the user in the target group, and click OK. The duplicated user appears immediately in the new group in the User pane.
Controlling user login times

You can specify a time period during which a user can log into a Business Objects module or product. The procedure is the same as for group logins (see Controlling group login times on page 96).
Managing users
118
Supervisors Guide
Moving a user from one group to another

You can move a user from one group to another by drag and drop, or by using the User Properties dialog box. When a user is moved to a new group, he or she inherits the rights of that group. To move a user with the User Properties dialog box: 1. Double-click the user to be moved in the User pane. The User Properties dialog box appears. 2. Click the Groups and Profile tab. The User Properties dialog box for the user appears.
3. In the right-hand list, click the user, and then click Remove. You can also double-click the user in the right-hand list. 4. In the left-hand list, click the group to which you want to move the user, and click Add. You can also double-click this group. The user appears in the right-hand list. 5. From the Profile drop-down list, select a profile, and click OK.
Supervisors Guide
119
Disabling/enabling a user
By default, a users authorization to log into a Business Objects product is determined by the user profile. You may want to prevent a user from using certain products which are normally authorized. For example if a supervisor-designer is temporarily moved out of the universe designers role, you may want to prevent that user from logging into Designer until such time as he or she returns to that responsibility. You can prohibit any user except a general supervisor from accessing any Business Objects product. Preventing access like this is called disabling a user for a product. Removing this restriction is called enabling the user. Do one of the following to disable/enable a user: Select the user and the User, Disable/Enable. Right-click the user and select Disable/Enable. Disable/Enable Click the Disable/Enable User button on the toolbar. User Activate Disable Login in the Definition tab of the User Properties dialog box. In the User pane, the locked user is symbolized by a red X: .
Managing users
120
Supervisors Guide
Deleting a user and removing a user from a group

When a user belongs to more than one group, the instance of the user in any one group can be removed without permanently deleting the user from the database. This is called removing from a group. You can also choose to remove the user permanently from the database, which removes all instances of the user in all groups, and also deletes any documents that have been sent only to that user. This is called deleting a user. If a user belongs to only one group and the group is deleted, the user is deleted. Deleting a user To delete a user: 1. Click the user in the User pane. 2. Click User, Delete User. By default, a message appears prompting you to confirm the deletion. If you do not want this message to appear, first click Tools, Options. In the General tab of the Options dialog box, clear the Confirm User Delete option. When deleting InfoView/WebIntelligence users Rights to both InfoView and WebIntelligence are controlled through the WebIntelligence icon in the Configuration pane and the WebIntelligence security commands. Deleting a user with rights to InfoView or WebIntelligence does not delete the corresponding user-specific directories and data on the Business Objects server. When an InfoView or WebIntelligence user is deleted from the repository, the administrator with rights to the Business Objects server file system should delete these directories and their contents if necessary. User-specific directories on the Business Objects server are:
<installation directory>/nodes/<node name>/<cluster name>/ storage/list/<user name> <installation directory>/nodes/<node name>/<cluster name>/ storage/mail/<user name> <installation directory>/nodes/<node name>/<cluster name>/ storage/user/<user name>
Supervisors Guide
121
Removing a user from a group You can remove a user from a group while maintaining the same user in other groups. To do so, there are two methods: direct indirect Direct method To remove a user in the current group: 1. Click the user in the User pane. 2. Select User, Remove from Group. By default, a message appears prompting you to confirm the deletion. If you do not want this message to appear, select Tools, Options. In the General tab of the Options dialog box, clear the Confirm User Delete option. 3. Click OK to confirm.
NOTE
If the user belongs only to the current group, then this user is also deleted from the database.
Managing users
122
Supervisors Guide
Indirect method To remove a user in the current group using the indirect method: 1. Do one of the following: - Double-click the user in the User pane, or click the Properties button. - Select User, Properties. The User Properties dialog box appears with the name of the selected user in the title bar. 2. Click the Groups and Profile tab.
Properties
The right-hand list displays the name of the group to which the user is assigned and the profile of the user. 3. Click the user in the right-hand list.
Supervisors Guide
123
4. Click Remove. The user is deleted from the group. If the user belongs only to the current group, then this user is also deleted from the database.
NOTE
The first general supervisor created by the Administration Setup wizard at the same time as the repository cannot be disabled or deleted. Other general supervisors that you subsequently create can be both disabled or deleted by general supervisors only.
Renaming a user
The procedure for renaming a user is the same as for renaming groups (using the Rename User command from the User menu). For more information, refer to Renaming a group on page 109.
Managing users
124
Supervisors Guide
Finding users or user groups in the repository

You can search the repository for the full or partial name of the user or group you want to work with and go directly to that user or group. This is useful if you are working with a repository that has a large number of users and groups. To find a user or group: 1. Select Edit, Find. The Find User/Group box appears.
2. In the Find What text box, enter the full or partial name of the user or group you want to find (Marketing in the example above) and click Find Next. There are no wild-card characters. The first user or group whose name matches the search pattern is selected in the User pane.
3. Click Find Next. The next user or group whose name matches the search pattern is selected in the User pane. If no other users or groups are found, Supervisor tells you that it has finished searching the repository.
Supervisors Guide
125
Options: match case and match whole name only

For a case-sensitive search By default, searching for a user or group name in the repository is not casesensitive. In other words, if you enter Marketing in the Find What text box, Supervisor will find matches for Marketing, marketing and MARKETING, for example. To make the search case-sensitive, activate Match case. This means Supervisor will find only user or group names that match exactly the sequence of upper-case and lower-case characters entered in the Find What text box.
For a whole name only search By default, Supervisor will search the user and group names in the repository for any occurrence of the character string you enter in the Find What text box. For example, a search for Marketing would find Marketing, Retail marketing and Marketing Division, for example. To search for whole words only, activate Match whole name only. This means Supervisor will find only user and group names which include the search pattern as entered in the Find What text box.
Finding users or user groups in the repository
126
Supervisors Guide
Printing information on users, groups and resources

In the User and Groups pane of the Supervisor user interface, you can see at a glance the groups in your repository and the users belonging to each group. When a user or group is selected, the tabs corresponding to each type of resource (configuration, universe, stored procedure, document and repository) show which resources are assigned to it. The Print command on the File menu lets you print this information to a text file or printer for reference: user definitions, group definitions, or resource grants per user or group. In addition, there is an easy way to see, per resource, which users and groups have access to it. The Print to Table Format option lets you create two files in Comma-Separated Values (CSV) format. One file contains information on user and groups, the other on resources. These files can be used as a data source for a BusinessObjects report. You can then customize this report to give this information the presentation you choose.
Supervisors Guide
127
Printing a hard copy

The procedure for printing a hard copy report is as follows: 1. Do one of the following: - Click the Print button. - Select File, Print. The Print dialog box appears.
Print
2. Select the type of report you want to print: Report type User Definitions Description This report lists all properties assigned to users, including user name, login enable/disable status, and security level. The properties listed are the same as the settings displayed in the User Properties dialog box. This report lists the hierarchy of users and user groups. It also lists the user profiles, for example, Supervisor, Designer, and User. This report lists the resources assigned to each user or group. These resources may include Business Objects products, universes, documents, stored procedures, or domains. This choice is used to print to a CSV-format file on which a BusinessObjects report can be based. It is described in the "Print to File" section below.
Group Definitions Resources by User/Group Definition Print in table format
128
Supervisors Guide
If you choose to print a resources report, the Customize panel is activated. This allows you to customize your report by selecting specific resources: Resources Applications Universes Documents Domains Description Prints the names of the Business Objects products a user or group is authorized to access. Prints the names of the universes a user or group is authorized to access. Prints the names of the documents a user or group is authorized to access. Prints the name of repository domains a user or group can access.
Stored Procedures Prints the names of the stored procedures a user or group is authorized to access. TimeStamps Prints out information relating to a login timestamp assigned to a user or group.
3. If applicable, select your Customize options, and then click Print. A Print dialog box appears. By default, Supervisor selects the printer currently configured in your Windows environment. 4. Click OK to print your report.
Printing to a text file

You can print information on users, groups, and resources to a text file that can be read on screen or printed. To print this information to a text file: 1. Do one of the following: - Click the Print button. - Select File, Print. The Print dialog box appears. 2. Select the type of report you want to print. 3. If applicable, select your Customize options, and then click To File. A Print to File dialog box appears. 4. Select a folder in which to save the file, enter a file name (by default, this is export.txt), and click Save. The report is saved in text format under the file name you entered.
Supervisors Guide
129
Printing to a CSV table file

You can print information on users, groups, and resources in the form of two files in the comma-separated values (CSV) table format, on which you can base a BusinessObjects report. 1. Do one of the following: - Click the Print button. - Select File, Print. The Print dialog box appears. 2. Click Print in CSV files in table format. The Customize options and the Print command become unavailable.
3. Click To File. The Print to File dialog box appears.
The default file name is "print". The default location is the \\...\UserDocs\ folder. If you want, you can browse to another folder and enter the file name of your choice (the .csv extension is added automatically, so do not enter it).
130
Supervisors Guide
4. When you have specified the file name and storage location you want, click Save. Two CSV files are saved, one containing information on users and groups, the other containing information on resources. File name entered... <filename> Files saved... <filename>_usr.csv <filename>_res.csv File contains information on... Users and groups in the repository Resources in the repository
Understanding the CSV files

The files you generate by means of the Print to Table Format command are in comma-separated value format. This is a format which can be interpreted as a table by programs such as Microsoft Excel, and which is accepted as a data source for BusinessObjects reports. This means that you can generate with ease full information on the users, groups, and resources in your repository, then build a report which you can format in BusinessObjects to provide a legible presentation of the data.
NOTE
The CSV files produce tables that are not normalized. Although this makes the tables larger, it makes it easier to build the report since no relational database structure is involved.
Supervisors Guide
131
The "user" file The file ending in _usr includes information on groups, subgroups, users, user profiles, and user properties. Column name Type Possible values 0 1 2 3 4 5 6 7 Name Parent Child <text> <text> <text> Blank Child type Password strategy Same as "Type" Full Checking Blank 1 Offline login enabled Change Password enabled 0 1 0 1 Meaning Group User: General Supervisor profile User: Supervisor profile User: Supervisor-Designer profile User: Designer profile User: User profile User: Versatile User profile Broadcast Agent Name of group, user or Broadcast Agent Name of parent group, if applicable (set to "(None)" for root group) Name of subgroup or user in group Record does not refer to a group (Type is not 0) See values for "Type" User must enter password at login User need not enter password at login User may log in User may not log in User may use products off line User may not use products off line User may not use the "Change Password" command User may use the "Change Password" command
Login disabled 0
132
Supervisors Guide
Column name Real-time user
Possible values 0
Meaning Universes, and users rights to them, are checked against users locally stored universe and security files at the beginning of a session Universes, and users rights to them, are checked against repository in real time User may not delete documents from the repository document domain User may delete documents from the repository document domain User may work with universe objects whose security level is "Public." User may work with universe objects whose security level is "Controlled" or lower. User may work with universe objects whose security level is "Restricted" or lower. User may work with universe objects whose security level is "Confidential" or lower. User may work with universe objects whose security level is "Private." User need not change password at first login User must change password at first login
1 Delete Documents 0 1 Object Security level Public Controlled
Restricted
Confidential
Private Change Password at first login 0 1
Supervisors Guide
133
Column name Password validity Periodic action
Possible values 0 <other number> 0
Meaning User is never asked to change password User is asked to change password after the number of days specified The password validity period (when password validity is not 0) applies only once The password validity period (when password validity is not 0) is cyclical
1 The "resource" file
The file ending in _res includes information on which resources are granted to each user or group. This is also a flat table, meaning that each resource is repeated for each user or group that has access to it. Column name Type Possible values 0 1 2 3 4 User/Group Name <text> <text> Meaning Resource is an application (visible in the Configuration pane of Supervisor) Resource is a domain (visible in the Repository pane of Supervisor) Resource is a universe (visible in the Universe pane of Supervisor) Resource is a document (visible in the Document pane of Supervisor) Resource is a stored procedure (visible in the Stored Procedure pane of Supervisor) Name of user or group which has access to the resource Name of the resource The level at which inheritance of the resource begins.
Inherited from <text>
134
Supervisors Guide
Print in table format from the command line

You can also print information on users, groups and resources in the CSV table format from the command line. The -printtofile command prints information on the repositorys resources to a resource file and a user file, as described above, with the file name you specify. The -printtodirectory command creates the files and gives them a name based on the key file name and the ISO timestamp format. The -printtofile command To create the user and resource files with the name you specify from the command line, open the DOS command prompt at the directory containing the key file and enter the following command:
supervsr -user "<user name>" -pass "<password>" -keyfile "<keyfile>" -printtofile "<path>\<filename.csv>" (...)
Where: <user name> is your user name. <password> is your password. <keyfile> is the name of the key file to access the repository, without the .key extension. <path> is the access path including the directory where the files are to be located. <filename.csv> is the name of the file, including the obligatory .csv extension. The command creates two files: <filename>_usr.csv: includes information on groups, subgroups, users, user profiles and user properties. <filename>_res.csv: includes information on which resources are granted to each user or group.
Supervisors Guide
135
The -printtodirectory command To create the user and resource files from the command line and give them a name based on the key file name and the ISO timestamp format, open the DOS command prompt at the directory containing the key file and enter the following command:
supervsr -user "<user name>" -pass "<password>" -keyfile "<keyfile>" -printtodirectory "<path>" (...)
Where: <user name> is your user name. <password> is your password. <keyfile> is the name of the key file to access the repository, without the .key extension. <path> is the access path including the directory where the files are to be located. The command creates two files: print_<keyfile>_yyyymmdd_hhmm_usr.csv. This file includes information on groups, subgroups, users, user profiles and user properties. print_<keyfile>_yyyymmdd_hhmm_res.csv. This file includes information on which resources are granted to each user or group. Where: <keyfile> is the name of the key file to access the repository. yyyymmdd_hhmm is the file creation timestamp (year, month, day, hour, minute).
136
Supervisors Guide
Managing Resources
chapter
138
Supervisors Guide
Overview
There are resources that you can manage using Supervisor. These include: Resource Business Objects products Description The supervisor grants or denies access to Business Objects products including: BusinessObjects, Supervisor, Designer, BusinessQuery and WebIntelligence. The supervisor grants WebIntelligence access to users of InfoView, which provides the core functionality of WebIntelligence, whether or not they also use the optional WebIntelligence modules, Reporter and Explorer. The repository is a set of data structures stored on a database. The repository makes it possible to share the resources necessary for client/server architecture. The repository is made up of three types of domains which allow all users to share resources: the security domain, which contains all the characteristics of the other domains as well as the definition of users the universe domain, which is a meta-model of the database containing a description of the data to be accessed the document domain, which contains the structures for storing shared documents. A Business Objects universe is linked to a database via a connection. This connection defines the path to the RDBMS, as well as the network layer. A universe is a mapping of the data structure found in databases: tables, columns, joins, etc. It is the semantic layer that isolates end users from the technical issues of the database structure. Universes are created by designers, assigned to one or more groups, and then exported to the universe domain of the repository. It is from here that they are accessible by end users and other designers.
Repository domains
Connections
Universes
Managing Resources
Supervisors Guide
139
Resource Documents
Description Documents and templates are created by end users with BusinessObjects or WebIntelligence: A BusinessObjects or WebIntelligence document contains one or more reports that present the data obtained from a query. End users can store documents as files, with a .rep or .qty extension A template is a special type of document that is used to apply report layout and formats to other documents. End users can store templates as files, with a .ret extension. End users can assign documents or templates to specific users or user groups, and can then export them to the document domain of the repository. Users of other Business Objects products create documents in their specific formats.
Lists of values
A list of values (LOV) is a file that contains the data values associated with an object. LOV files allow end users to set conditions on objects, since they can see the exact format of the corresponding data values. LOV files are created by a designer with Designer. When a designer exports a universe to the universe domain, he or she can also export all the related LOV files to the document domain. A macro is a set of commands, written in VBA, that is used to automate tasks. Macros are created and executed by end users from BusinessObjects. End users can save macros in a BusObj file with a .rep extension. Macros can also be grouped in VBA AddIn saved with a .rea extension.
Macros
NOTE
Only a general supervisor can manage repository domains. A general supervisor can also create new domains on different data accounts.
140
Supervisors Guide
Managing the repository

As the general supervisor, you can view the list of repository domains at any time, as well as create or delete domains.
Creating a domain
To view the existing repository domains, or to create a new domain: 1. Do one of the following: - Select Tools, Repository. - Click the Repository button. The Repository Management dialog box appears.
Repository
The Repository Management dialog box lists all the existing repository domains together with their type, the RDBMS on which they are stored, the network layer used, and complete definitions of their connections.
Managing Resources
Supervisors Guide
141
2. To create a new domain, click Add. The Administration Setup Wizard is started, and the Define the repository Domain dialog box appears. This is the first in a series of steps for a customized installation.
3. Select a network layer to specify the type of database in which you want to create the repository domain. 4. Click Setup to specify the RDBMS account user name and password, and the relative path to the database in which the domain is to be created.
NOTE
The contents of the Setup dialog box vary depending on the database driver. For more information on this dialog box, refer to the section in the Data Access Guide that applies to your RDBMS. 5. Enter the name of the domain and select the domain type. To ensure compatibility with different databases, use only numbers from 0 to 9, letters of the alphabet in upper- or lower-case, and the underscore character.
142
Supervisors Guide
6. Click Begin. The next dialog box informs you that the wizard is ready to create the domain.
7. Click Next to run the script. During execution, the SQL creation script appears in a pane in the dialog box. A dialog then informs you that the domain was successfully created, or displays an SQL error message. The next dialog box lists the name of the domain, its status, type and database.
The status reveals whether the domain was successfully created. The status OK means the execution was successful; the status Error means that it failed.
Managing Resources
Supervisors Guide
143
After a few minutes of execution, the list of repository domains created appears in the dialog box. 8. Click Finish to quit the wizard, or click Next to create a new domain. All the new domains that you create are displayed dynamically in the Repository Management dialog box. 9. If you wish, you can make a new domain available to a user by selecting Resource, Link, Domain. For more information on assigning a repository domain, refer to Restricting the use of commands in the interface on page 180.
Deleting a domain
Any domain that you create appears in the Repository Management dialog box, which you call by clicking the Repository command on the Tools menu. A domain is a set of tables created in a database. To delete a domain: 1. Select Tools, Repository. The Repository Management dialog box appears. 2. Click the name of the domain in the Available Repository Domains pane. 3. Click Delete. A message box prompts you to confirm the operation. 4. Click OK. After a few seconds, the domain disappears from the list.
Checking the validity of a domain

As you work with the repository, you should periodically check the physical integrity of the universes or document domains you are managing. 1. Select Tools, Repository. The Repository Management dialog box appears. 2. Click the name of the domain on the list in the Available Repository Domains pane. 3. Click Integrity. After a few seconds, a message appears which indicates the status of the domain. If the domain is corrupted, contact your database administrator.
144
Supervisors Guide
Checking the connection to a domain

From the Repository Management dialog box, you can test the validity of a connection to a universe or document domain. 1. Select Tools, Repository. The Repository Management dialog box appears. 2. Click the name of the domain in the Available Repository Domains pane. 3. Click Test. After a few seconds, a message appears indicating whether the server is responding. 4. If the connection is invalid, you can redefine it by clicking Modify.
Scanning and repairing domains

Supervisor can check the integrity of the security and document domains. While the security domain contains all the characteristics of the other domains, as well as the definition of all users, the document domain contains the reports and documents created by end users. This feature allows you to scan these domains, and to detect errors related to structure and consistency, such as: users or resources not assigned to groups invalid user identifications in the database tables inappropriate values originating from the database (for example, the value of the security level)
Managing Resources
Supervisors Guide
145
Scanning the security domain 1. Select Tools, Repository. The Repository Management dialog box appears. 2. Select a repository domain in the Available Repository Domains list box. 3. Click Scan. The Scan and Repair dialog box appears.
4. If you would like a very detailed report, click Verbose. 5. Click Interactive to be alerted each time the Results scroll box memory is full. This box lists the results of the scan, repair, and compact actions, the details of which you can review. If you have a large repository, this selection is not recommended. Amessage appears each time the Results scroll box memory is full and you need to click through this message each time to continue your selected action.
146
Supervisors Guide
6. If you want the Result scroll box information to be saved to a file, click Output to file. 7. Select a reporting level value between 1 and 10 in the Reporting Level box. Warning and error messages are categorized in 10 levels according to their importance: level 10 represents the most important messages; Level 1 represents the least important messages. You set error reporting to any one of 10 levels. If you select a reporting level of 10, Supervisor reports only the most important warnings and errors (level 10 only). If you select a reporting level between 2-9, Supervisor reports warnings and errors according to the selected level. For example, level 5 reports all warnings and errors between levels 5-10 inclusive. If you select a reporting level of 1, Supervisor reports all warnings and errors, regardless of their importance (levels 1-10 inclusive). This can result in a very long list. 8. Click Scan. Supervisor scans the domain, and lists its progress in the Result scroll box. Any errors found in the domain will be listed in the displayed report.
9. Click Close to return to the Repository Management dialog box. Repairing and compressing the security domain To fix any errors that were reported, or if you want to compress the security domain to save disk space, you can proceed as follows: 1. Select Tools, Repository. The Repository Management dialog box appears. 2. Select a repository domain in the Available Repository Domains list box. 3. Click Scan. The Scan and Repair dialog box appears. 4. If you would like a very detailed report, activate Verbose. 5. For an unattended Repair or Compact action, verify Interactive is deactivated.
Managing Resources
Supervisors Guide
147
6. If you want the Results scroll box information to be saved to a file, activate Output to file. 7. Select a reporting level value between 1 and 10 in the Reporting Level box. 8. If you want to: Action scan and repair the repository, click Repair. Results Supervisor scans the domain and repairs any errors encountered, and lists its progress in the Results scroll box.
compress the contents of Supervisor physically deletes from the security the security domain, click domain any information which has already Compact. been logically deleted. scan, repair, and compress the security domain, click Repair & Compact. Supervisor first compresses the domain, and then scans and repairs any errors encountered, loging the results in the output file. Because the compress is done first, any records deleted during the repair are still visible, appearing as logically deleted. To eliminate them, click Compact again. 9. Click Close to return to the Repository Management dialog box.
NOTE
Compact your repository domains regularly. In particular, you should compact following large-scale deletion of user accounts.
148
Supervisors Guide
Changing or removing the schedule of tasks

When users schedule documents to be processed by Broadcast Agent, the tasks and scheduling options they choose are stored in the repository. From Supervisor, you can change the schedule of these tasks or unschedule documents by removing them from the Broadcast Agent queue altogether. You can also change the documents description.
Changing the schedule of tasks

Supervisors Document tab shows the list of all the documents in the repository. You can see if a document has any tasks scheduled for processing by Broadcast Agent by checking the Schedule column in this tab. Documents marked Yes have scheduled tasks.
Managing Resources
Supervisors Guide
149
To change a documents schedule: 1. In the Document tab, select a document which has tasks scheduled for processing by Broadcast Agent. 2. Select Resource, Change Schedule. The Task Properties dialog box appears.
The General tab shows three things: in the Server drop-down list box, the name of the Broadcast Agent responsible for processing the tasks. This cannot be modified. in the Priority drop-down list box, the priority assigned to the scheduled tasks. in the Description text box, the description of the document which the end user may have entered when sending the document to be processed. 3. Make sure the priority you want is selected in the Priority list. Change it if necessary. 4. Add or modify the document description. This is optional.
150
Supervisors Guide
5. Click the Actions tab. The Actions tab appears.
The Actions tab shows the scheduled tasks. They cannot be modified. It also lets you choose faster document viewing over the Web. See Faster document viewing over the web on page 152 below for more information on this option. 6. Click the Scheduling tab. The Scheduling tab appears. The current schedule is shown in the Time Schedule group.
Managing Resources
Supervisors Guide
151
7. Click Change to change the current schedule. The Change Schedule dialog box appears.
8. Click an option in the Run box, then change the settings in the Start At box. The options in the Start At box change according to the Run option you select. For example, if you click Monthly in the Run box, the Start At options let you select the day(s) of the month on which you want Broadcast Agent to process the document:
9. Click OK to return to the Scheduling tab. 10. Specify the date and time you want Broadcast Agent to start processing the document by entering values in the Start date and Expiration date fields.
152
Supervisors Guide
11. Select the File Watcher option if you want Broadcast Agent to process the document based on the existence of another file.
12. Click Browse to locate the file. Use the name of the server machine where the file will be located, not the absolute path. In other words, if you enter C:\My documents, you are pointing to the C: drive of the machine you are working on, not the C: drive of the server. 13. Select the Delete the file each time the task starts option if you want Broadcast Agent to watch for the file every time it processes the document. Using this option enables report chaining, whereby the file that triggers processing has to be present every time the document is due.
TIP You can combine the Time Schedule and File Watcher options.
14. Click OK to confirm.
Faster document viewing over the web

By default, a document processed by Broadcast Agent is stored in the repository, generated the first time a user accesses it, and then cached in the repository. Subsequent users download the document directly from the cache rather than having it to generate it again. In a large deployment, you can expect Broadcast Agent to be used heavily. This means that a large number of documents which may be processed at various times, for example throughout the night, may all be accessed around the same time, for example at the beginning of the work day. To ease the load on the repository, an option in Supervisor can be used to instruct Broadcast Agent to generate BusinessObjects documents immediately after processing and cache them in the repository. All users accessing a processed BusinessObjects document can then take it right from the cache, avoiding a bottleneck where many documents are being generated at once.
Managing Resources
Supervisors Guide
153
Users choose, in their browser, whether to view the Windows metafile version of their BusinessObjects documents, the standard HTML version, or a PDF version. Although the metafile is a more efficient and attractive way to view documents, some earlier versions of browsers do not support it and must view the standard HTML. With Supervisors option to pre-load documents to the repository cache, you specify whether to cache the file in enhanced document format (that is, the Windows metafile), in standard HTML format, in PDF format, or a combination of the three.
NOTE
This option does not apply to WebIntelligence documents. To set Broadcast Agent to pre-load BusinessObjects documents to the repository cache for faster viewing: 1. In the Document tab, select a document which has tasks scheduled for processing by Broadcast Agent. 2. Select Resource, Change Schedule. The Task Properties dialog box appears. 3. Click the Actions tab. The Actions tab appears.
154
Supervisors Guide
4. Select the Faster Document Viewing Over the Web option and click Options. The Select the document format box appears.
5. Select one or more formats: If you select... Enhanced Document Viewing The following happens... Broadcast Agent generates a processed BusinessObjects document in Windows metafile format immediately after processing and cache it in the repository.
Standard HTML Format Broadcast Agent generates a processed BusinessObjects document in standard HTML format immediately after processing and cache it in the repository. Optimize for PDF viewing Broadcast Agent generates the file in PDF format.
6. Click OK, or click another tab to select more options.
Managing Resources
Supervisors Guide
155
Purging inbox documents

Users of BusinessObjects and WebIntelligence can send documents to other users, either directly or by scheduling via Broadcast Agent. These documents are stored in the repository until the users to whom they are sent retrieve them. BusinessObjects users find them in the "Retrieve" dialog box when they "Retrieve from users," and InfoView and WebIntelligence users can view the list of them on their Inbox page. These documents are called Inbox documents. Once a user retrieves an Inbox document, that document is automatically purged from the repository. Supervisor lets you, the general supervisor, purge all or selected Inbox documents older than a given number of days from the repository with a single command. This applies to all Inbox documents of all repository users. Documents deleted in this way cannot be retrieved or undeleted later.
Why should I purge inbox documents?

If you have a large and active repository, users may send hundreds or even thousands of documents to each other every week. As long as the documents are retrieved promptly upon reception, this should be no problem. However, if users let their Inbox documents accumulate without retrieving them, valuable server space is lost to this "uncollected mail." You may need to recover it to make sure performance is optimal. The purge feature is especially useful in conjunction with the Broadcast Agent feature known as report bursting. With report bursting, you can send a document to large numbers of users and be sure they will receive only the data they are allowed to see according to their profile. To do this, Broadcast Agent generates a separate copy of the document for each user. In other words, a single document sent to one hundred users means one hundred Inbox documents on the repository server waiting to be retrieved. Sending ten documents daily to a hundred users each would mean 1,000 documents a day, or 5,000 documents in a working week! In addition, a regularly updated document distributed weekly, for example, does not overwrite previous versions of the same document. If users dont retrieve their Inbox documents promptly, a server can quickly fill up with documents, many of which may no longer be current. In cases like this, you may eventually run out of room on your repository server. The ability to purge all Inbox documents older than a given number of days can free up the storage and memory space you need.
156
Supervisors Guide
How do I purge inbox documents?

REMINDER Before purging Inbox documents, notify your users well in advance so they will have a chance to retrieve the documents they need!
To purge Inbox documents: 1. Click Tools, Purge Inbox Documents. The Delete Inbox Documents dialog box appears. The default value is 90 days.
2. In the text box, accept the default or enter the cut-off age of Inbox documents to be purged.
3. Click Show to see the list of Inbox documents that meet the age criterion. You can then select some or all documents to purge. 4. Click Purge. A warning appears telling you that the action is irreversible and noting how many Inbox documents will be purged. If there is a very large number of documents to be purged, the operation may take a long time. Use this information to help you decide whether to purge right away or wait.
NOTE
The Inbox documents you purge are immediately deleted. It is impossible to retrieve them later. Do not use this command until users have been given a chance to retrieve their documents. 5. Click OK to purge all Inbox documents. A message box appears telling you the purge was successful.
Managing Resources
Supervisors Guide
157
Best practice tips for purging inbox documents

Depending on how large and active your repository is, and how much server space you have, you may need to recover space from the "uncollected mail" represented by Inbox documents. Small number of inbox documents, no report bursting If your repository rarely contains a large amount of documents sent to users with Broadcast Agent using report bursting, you may not need this feature at all. If you need to purge Inbox documents as an exceptional measure, inform your users in advance and recommend that they retrieve all their Inbox documents before the purge is scheduled to take place. Repository server close to capacity, many Inbox documents If keeping repository server space available is a problem due to a large and active repository in comparison with the server size, you will want to purge Inbox documents regularly. How old? A good rule of thumb would be to keep your repository server clear of Inbox documents that are over 30 days old. This is ample time for any user to retrieve documents sent by other users. Purging Inbox documents that are only, for example, two weeks old, could be inconvenient to users who have not been at their desk due to outside assignments or vacation. How often? Base the frequency of the purge operation on your own server space needs. One possibility would be to make this part of your daily routinesimply use the Purge Inbox Documents command once every morning or evening. Let your users know that as a matter of course, any Inbox document that was sent, for example, a month ago and not yet retrieved will be considered obsolete and removed from the repository. Depending on your needs and your preferred way of working, you might choose to purge Inbox documents less frequently.
158
Supervisors Guide
Notifying users beforehand Because the purge cannot be undone, you need to notify users beforehand, to give them a chance to retrieve any documents they dont want to lose. A regularly scheduled purge of Inbox documents helps users get in the habit of clearing out their Inbox accordingly.
NOTE
In addition to regularly scheduled documents sent via Broadcast Agent, users can also send one another documents directly. There may be documents that have arrived in the Inbox only shortly before a regular purge. This is another reason to be sure to send a notification or reminder to all users long enough before the purge to give them a reasonable amount of time to see the notice and retrieve their Inbox documents.
Managing Resources
Supervisors Guide
159
Managing connections
Business Objects products let end users work with business data without having to know the techniques of relational database management systems. This is possible thanks to universes, which map to the data in databases to provide the semantic layer end users can work with easily. The connections that give universes and stored procedures access to corporate databases can be defined in Supervisor. They are stored in the repository and can be used by universe designers.
Defining a connection
To define a connection: 1. Do one of the following: - Select Tools, Connections - Click the Connections button. Connections The Connections dialog box appears:
160
Supervisors Guide
2. Click Add. The Add a Connection dialog box appears.
3. Click the network layer used. A description of the driver appears in the Description box. 4. Click OK. The dialog box is closed, and the connection dialog box for the driver appears. 5. Enter the necessary parameters. For more information on the dialog box displayed, refer to the section in the Data Access Guide that applies to your RDBMS. 6. Click Test to test the connection. If the connection is valid, a message confirms it. If the connection to the server failed, an error message appears. In this case, refer to the Data Access Guide or the documentation of your RDBMS. 7. Click OK to close the dialog box.
Managing Resources
Supervisors Guide
161
Deleting a connection
To delete a connection from a database: 1. Do one of the following: - Select Tools, Connections - Click the Connections button. The Connections dialog box appears. 2. Click the connection to be deleted. 3. Click Remove. A message box appears prompting you to confirm the operation. 4. Click OK. The connection is deleted and is no longer displayed in the dialog box.
162
Supervisors Guide
Modifying a connection
You can modify a connection at any time. 1. Do one of the following: - Select Tools, Connections - Click the Connections button. The Connections dialog box appears.
2. Click the connection to be modified. 3. Click Edit. A dialog box appears from which you can modify the connection parameters. For more information on this dialog box, refer to the section in the Data Access Guide for your particular RDBMS. 4. Modify the parameters as necessary. 5. Click Test to check whether the modified connection is valid. If the connection is valid, a message confirms it. If the connection to the server failed, an error message appears. In this case, refer to the Data Access Guide or the documentation of your RDBMS.
Assigning a connection as a stored procedure

When you have created a connection to a data account containing a stored procedure, you can assign the connection to a user or group as a stored procedure. The connection will then become visible in the Stored Procedures tab of the Resource pane. For more details on assigning connections, see Assigning stored procedures to users or groups on page 207.
Managing Resources
Supervisors Guide
163
Importing/exporting universes
Supervisor lets you import universes from the repository to your hard disk and export your local universes to the repository, for access by specific groups. This lets you manage universes in a production environment that may not include Designer. A general supervisor can export to all groups. A supervisor can export to all groups to which he or she belongs with a profile including designer or supervisor rights, in other words not just the "user" profile.
Understanding universe security and revision numbers

The lock mechanism A universe stored in a universe domain can be shared by several designers provided that they have been granted the necessary privileges by the supervisor. Nonetheless, only one designer can work on a given universe at a time. A designer who wishes to develop a universe can do so only if no other designer or supervisor has set a lock on it. The lock mechanism is an option by which a designer or supervisor can import a universe from a universe domain while locking it so that no one else can export it to the universe domain. You can lock a universe from the Import Universe or Export Universe dialog box by double-clicking it. When you do so, the universe appears beside a padlock symbol. When another designer or supervisor locks the universe, the padlock symbol is unavailable. The lock status is a property of the universe stored in the universe domain. The revision number Each time you export a universe to a universe domain, Supervisor increments the revision number of the universe. In this way, you can determine which is the latest version of the universe.
Locked Symbol
164
Supervisors Guide
Importing a universe
With the Import Universe command, you can import to your local hard disk one or more universes stored in a universe domain of the repository. A universe that you import becomes available to you as a file in the Universe subfolder or in any other folder that you specify. As general supervisor you can import any universe. As supervisor, you can import universes to which you are granted access, regardless of your profile for that access. In other words, if your profile for a given group is less than Supervisor or Designer, you can still import the universes assigned to that group. To import a universe: 1. Select Tools, Import Universe. The Import Universe dialog box appears.
2. In the Domain list box, click the universe domain from which you want to import the universe. 3. Lock the universe by double-clicking it. A padlock symbol appears. To unlock a universe, double-click it again.
Padlock Symbol
Managing Resources
Supervisors Guide
165
4. From the Available Universes pane, click the name of the universe you wish to import. To select several universes, click each universe while holding down the Ctrl key. 5. Check the name of the import subfolder to which the universe is to be imported. By default the subfolder is Universe. You can specify another folder by clicking Browse, and using the file browser. 6. Click OK. At the end of the import operation, Supervisor displays the following message box:
7. Click OK to close the message box.
166
Supervisors Guide
Exporting universes
With the Export Universe command, you can export a universe or group of universes from a location on your local disk or network to the repository. This may be a universe you have imported with the Import Universe command or that has been made available to you by a designer. To be exported to the repository, the universe must be associated with a secured connection also on the repository. You set the universes connection from the Export Universe dialog box. You can export universes to any group in the repository when these two conditions are met: You belong to the group with a General Supervisor, Supervisor, Designer or Supervisor-Designer profile. You have access to the universe domain with a General Supervisor, Supervisor, or Supervisor-Designer profile at the moment of export. To export a universe: 1. Select Tools, Export Universes. The Export Universe dialog box appears.
2. From the Domain drop-down list, select the universe domain to which you want to export the universe.
Managing Resources
Supervisors Guide
167
3. In the Groups drop-down list box, click the group or groups to which the universe to be exported is assigned. 4. In the Universes drop-down list box, click the universe to be exported. If necessary, click Add to open the Universe to Export browse window to browse and select one or more universes to add to the list.
168
Supervisors Guide
5. When you have selected a universe, click Parameters to be able to associate a secured connection with the universe. The Universe Parameters dialog box appears
6. Choose a connection in the Connection list and click OK. The universe now has a secured connection and can be exported to the repository. 7. If you want to export more than one universe, choose each universe to export, one by one, and set a secured connection for each. 8. In the Export Universe dialog box, select all universes to be exported. 9. Click OK to export. A dialog box may appear asking you to confirm save of the universe(s).
10. Click Continue to close the dialog box and complete export.
Managing Resources
Supervisors Guide
169
Managing resources
Enabling a resource
To enable a resource in Supervisor: 1. Select a user. 2. Select the tab for the resource to be assigned. To select the following resource... Configuration Universe Stored Procedure Document Domain Select this tab Configuration Universe Stored Procedure Document Repository
3. Do one of the following: - Right-click the item you want to enable and select the Enable option. - Select the item you want to enable and click the Enable button. - Select the item you want to enable, Resource on the toolbar, then the Enable option.
Disabling a resource
To disable a resource in Supervisor: 1. Select a user. 2. Select the tab for the resource to be assigned. 3. Do one of the following: - Right-click the item you want to enable and select the Disable option. - Select the item you want to disable and click the Disable button. - Select the item you want to disable, Resource on the toolbar, then the Disable option.
Managing resources
170
Supervisors Guide
Deleting resources
To delete resources other than repository domains and connections: 1. From the Tools menu, select one of the following: - Delete Universe - Delete Document - Delete List of Values - Delete Script The Delete dialog box for the selected resource appears (in this case, for deleting documents).
2. Click the resource that you want to delete within the selected category. To select more than one resource, click each item while holding down the Ctrl key. 3. Click OK. The selected resource is deleted. You can print out a variety of reports which provide detailed information on the resources assigned to specific users or groups. For more information, refer to Printing information on users, groups and resources on page 126.
Managing Resources
Assigning Resources to Users
chapter
172
Supervisors Guide
Overview
Once you have created your list of users and user groups as explained in Chapter 5, you can proceed to assign resources to them. The resources that can be assigned to users are as follows: Business Objects products Universes Documents Stored procedures Repository domains For more information on these resources, refer to the section There are resources that you can manage using Supervisor. on page 138. To assign a resource, you must first select the user or group in the User pane. The procedure you follow when assigning any resource to a user or group is as follows: 1. Assign a resource to a user or group. 2. Optionally customize the properties of the resource. When assigning products to a user or group, you can either assign the product with full default functionality, or restrict access to certain features of a product by means of the Command Restriction box.
Supervisors Guide
173
Assigning and restricting resources to multiple user instances

When assigning and restricting resources to users and groups, you must be aware of the rules of inheritance and the rules of resolution among multiple instances of a user. Here are the basics: A user is always assigned to at least one group. A user may belong to one or more groups; the root group is the first group, which includes all others. A user who belongs to more than one group is said to have one instance for each group to which he or she belongs. Privileges, assigned resources and restrictions applied to a user, are assigned per instance. Every user instance or group inherits the privileges of its direct ascendants (that is, the group to which it belongs). A user instance or group may be granted privileges (rights or restrictions) in addition to those of the group to which it belongs. The privileges assigned to descendants override those assigned to ascendants. Unlike users, who may belong to several groups, groups are unique in the hierarchy and cannot have instances in more than one group. Summary All users and groups inherit the privileges of their direct ascendant. However, any specific privileges assigned to a user or group override the privileges of the ascendant group. If a user belongs to more than one group, the instances of that user may have different privileges, due to inheritance from the different parent groups. There are four cases in which you must know the rules that determine which privileges apply in such a case: resources universe properties timestamps command restrictions
174
Supervisors Guide
Resources
If one instance of a user has access to a given resource, then all instances of the user will have access to the resource. In other words, there is no point disabling a resource for one instance of a user if another instance continues to have access to it.
Universe properties
If you double-click a universe in the Universe pane of Supervisor, the Universe Properties dialog box that lets you define the universes properties appears.
You can set universe properties in the following tabs: definition controls SQL objects rows table mapping
Supervisors Guide
175
When a restriction is set on only one instance If a restriction is set on only one instance of a user, that restriction will apply to all instances. For example, if you limit the size of the result set to 100 rows for one instance of a user, that limitation will always apply to the user, who will never be able to retrieve more than 100 rows with a query to that universe. Similarly, if different instances receive different restrictions on different properties or objects, all the restrictions will always apply to the user. For example, let us say User 1 has three instances. If Instance 1 has a restriction on the size of the result set, Instance 2 is not allowed to use subqueries, and Instance 3 is denied access to a certain object in the universe. All these restrictions apply to User 1.
176
Supervisors Guide
When a restriction is set on more than one instance Youll need to be more careful, however, when different instances receive different restrictions on the same property or objectfor example, if Instance 1 and Instance 2 each have a restriction on the size of the result set, but one can have up to 100 rows and the other can have up to 1000. When this happens, you can control which restriction is taken into account by using the Groups and Profiles tab of the User Properties dialog box. To define which restrictions are taken into account: 1. Do one of the following: - Double-click the user in the User pane. - Select User, Properties. The User Properties dialog box opens.
The list on the right shows the instances of the user in the repository, each group to which the user belongs, and the users profile in that group. If there are conflicting restrictions on the instances, it is the instance which is at the top of the list which determines how restrictions are taken into account. 2. Use the Up and Down buttons, to move to the top of the list the instance whose restrictions must apply to the user. 3. Click OK to confirm.
Supervisors Guide
177
Definition, controls, and SQL When the properties in these tabs of the Universe Properties dialog box are defined differently for different instances, the user is assigned the properties defined for the instance that is at the top of the list in the Groups and Profiles tab of the User Properties dialog box. The Restrictions of other instances are ignored. Objects and rows All the restrictions defined in these tabs for any instance apply to all instances. If an object is restricted for one instance, it is always restricted for the user. Row restrictions (defined by a Where clause) for all instances are combined for the user.
TIP Be very careful when making row restrictions that apply to different instances of the same user. For example, if you force Group1 to see only rows where "Country=US" and Group2 to see only rows where "Country=France," the two conditions will be combined for a user belonging to both groupsand since the two conditions can never be true at the same time, no rows will be returned.
Table mapping If user instances have mappings on different tables, they will all be taken into account, since no conflicts will occur. However, if some instances map the same tables differently, it is the instance which is at the top of the list in the Groups and Profiles tab of the User Properties dialog box that determines which table mapping to use.
Timestamps
Timestamps are used to control when users can log into the repository. With multiple instances, a user might inherit different timestamps from the different groups he or she belongs to. When this is the case, the user is assigned the timestamp defined for the instance which is at the top of the list in the Groups and Profiles tab of the User Properties dialog box.
178
Supervisors Guide
Command restrictions
By selecting a user or group, then double-clicking a product in the Configuration tab of Supervisor, you call the Command Restrictions dialog box to fine-tune access to the products functionality for that user or group. For more information, refer to "Restricting the use of commands in the interface on page 180. Each security command can have one of three statuses: Disabled, Hidden, or Enabled. A fourth status, Inherit, simply means the status of the parent group applies. The default status inherited by the root group is Enabled. Among the three possible statuses for security commands, the Hidden status overrides the Disabled status, and the Disabled status overrides the Enabled status. The following table shows the way security command status precedence works with a user belonging to three different groups. Status in Group 1 Enabled Disabled Enabled Status in Group 2 Enabled Enabled Disabled Status in Group 3 Hidden Enabled Hidden Status applied to all instances Hidden Disabled Hidden
Supervisors Guide
179
Assigning BusinessObjects products to users

The Business Objects products administered by Supervisor are: Designer BusinessObjects BusinessObjects always includes the BusinessObjects Reader, and may include the optional modules BusinessObjects Reporter and/or Explorer. In the Configuration tab of the Resource pane, BusinessObjects refers to any configuration. Supervisor BusinessQuery WebIntelligence WebIntelligence always includes InfoView, and may include the optional modules WebIntelligence Reporter and/or Explorer. In the Configuration tab of the Resource pane, WebIntelligence refers to any configuration. The Resource pane displays the Business Objects products that a selected user or group can access. The Configuration tab displays the name of the product and, if appropriate, inheritance information, and allows you to disable or enable products for the selected user or group. By default, all users have access to the products matching their profile. Listed below are the primary products with their corresponding user profiles. User Profiles General Supervisor Supervisor Designer Supervisor-Designer End User Versatile User Products Designer Yes No Yes Yes No Supervisor Yes Yes No Yes No BusinessObjects Yes Yes Yes Yes Yes
Combination determined by the Supervisor
When a product is assigned to a user or group, all functionality is assigned by default. You can then restrict assigned functionality by means of security command settings. BusinessQuery and WebIntelligence are also available.
180
Supervisors Guide
Assigning a full product to a user

To assign a full Business Objects product to a user, or to all the users in a group: 1. In the User pane, click the user or group to which you want to assign a product. 2. Click the Configuration tab of the Resource pane, and then click the product(s) to be assigned to the selected user. Products which are preceded by a crossed red X are currently not assigned to the selected user. 3. Do one of the following: - Click the Enable Configuration button. Enable - Right-click on the product and select Enable Configuration. Configuration - Select Resource, Enable Configuration from the toolbar. The user or group now has access only to the products that are not disabled, that are displayed without a red X symbol.
NOTE
Disable Configuration
If you want to disable a users access to a product, do one of the following: Click the Disable Configuration button. Right-click on the product and select Disable Configuration. Select Resource, Disable Configuration from the toolbar.
Restricting the use of commands in the interface

You can restrict the use of any product by disabling user or group access to certain menu commands or interface elements such as toolbar buttons. Because some users in your organization may still be using the previous release while migrating to the current release, the current release lets you manage command restrictions for both releases. You can restrict access to areas of functionality by using security commands, grouped thematically into families. A security command corresponds to a set of one or more menu items and other interface elements such as toolbar buttons or shortcut menu commands.
Supervisors Guide
181
NOTE
See Appendix B of this guide, "Business Objects Security Command Reference", for a full description of security commands and the functionalities each affects. The command restriction dialog box To call the Command Restriction dialog box: 1. Select a user or group in the Supervisor User pane. 2. Do one of the following: - Double-click a Business Objects product in the Configuration tab - Click the product, and select Resource, Properties from the toolbar. The Command restriction dialog box appears.
security commands
list box
command family
Family view The box on the left of the dialog box shows a tree structure whose root level contains security command families or groups of security commands.
182
Supervisors Guide
Security command view The list box on the right shows details of the selection in the command tree. The details shown are: the name of the security command its status its inheritance source (Default, or the name of the user or group for which the status was set) Status The Status drop-down list box is available when a security command is selected in the list box, and then you can choose the status of the commands. The table below shows the four available choices. Status Enabled Disabled Inherit Hidden Security command is: Available Unavailable Icon A green sphere A red sphere
The status is inherited from the parent None group. Unavailable. In addition, related interface elements are removed. A grey sphere
Negative security commands In order for all security commands to have the default setting Enabled, some of them are phrased in the negative. For example, users of WebIntelligence are not allowed by default to delete other users corporate documents, so the security command is Do Not Delete Other Users Corporate Documents, enabled by default. When a negative security command is Disabled, the functionality is made available to the user (when Not Delete Other Users Corporate Documents is disabled, the user can delete other users corporate documents). The Hidden status removes interface elements related to the functionality of a security command. You may want to use Hidden to keep users from even suspecting a certain functionality exists. But Hidden also sets the status of the functionality to Disabled. This means that for a negative security command, Hidden removes the interface but at the same time makes the functionality available. The only way to access the functionality in this case is through the Automation Object Model, if applicable for the product in question (see the BusinessObjects Developers Guide), but that access is possible.
Supervisors Guide
183
There are few negative security commands. When you come across one, remember that the only way to fully remove the functionality for a user is to set the commands status to Enabled. Command help The Command Help section gives a brief description of the command selected in the list box. Apply predefined settings From the Command Restriction dialog box, you can choose a predefined setting from those defined for the product whose commands you are securing. For further information on predefined settings, see Managing predefined settings on page 184. Inheritance of command restrictions Before any command restrictions are made, security commands for all users and groups have the status Inherit, and inherit from the default setting. The default value of all security commands is equivalent to Enabled. In other words, in the Command Restriction dialog box a security command whose status is Inherit and whose Inherited From information is Default will have the same effect on the application as if it had Enabled status. Inheritance works as described in the following table: Status other than Inherit Inherit status Unaffected by inheritance Inherits behavior from security command status of parent lineage.
Setting the status of a security command 1. Select the security command family in the command tree. 2. Select the command in the drop-down list box. Alternatively, you can view the commands by double-clicking the security command family, which expands the commands in the command tree; then click a command to view it and select it in the drop-down list box. 3. Choose a status from the list and click OK.
184
Supervisors Guide
Managing predefined settings

If you wish, you can assign a predefined access level to a product. This level automatically determines which commands are enabled or disabled for the selected user or group. Supervisor lets you apply several standard predefined settings provided with the product, and lets you create your own custom predefined settings. A predefined setting is a macrocommand that sets a number of security commands in one operation. Modifying a custom predefined setting has no effect on users or groups to which it has already been applied. Nor is it possible to see, for a given user or group, which if any predefined setting has been applied to it, apart from looking at the settings per security command in the Command Restriction dialog box. Applying a predefined setting to the current user or group 1. In the User pane, select the user or group to which to apply a predefined setting. 2. Select Tools, Manage Predefined Settings. The Apply Predefined Settings dialog box appears.
3. From the Select a Resource drop-down list, select a Business Objects product to which you want to apply a predefined setting for the current user or group.
Supervisors Guide
185
4. From the Select a Predefined Setting drop-down list, select a predefined setting. The standard predefined settings and the Business Objects products they are available for are: Standard Setting Default Description Product
All security commands in the product are BusinessObjects set to Inherit. BusinessQuery The right of the user or group to access Designer commands is inherited from the parent Supervisor group or from ascendant groups of this WebIntelligence parent group. All security commands in the product are BusinessObjects set to Disabled. BusinessQuery Designer Supervisor WebIntelligence
Everything Revoked
Expert All security commands in the product are BusinessObjects (Everything set to Enabled. BusinessQuery Granted) Designer Supervisor WebIntelligence Novice The Novice setting prevents access to advanced functionality. The Standard setting gives access to commands likely to be used by the typical user. The InfoView setting gives access to commands likely to be used by the typical InfoView user. BusinessObjects BusinessQuery Supervisor Standard BusinessObjects Supervisor WebIntelligence
InfoView
186
Supervisors Guide
Standard Setting Explorer
Description
Product
The Explorer setting gives access to WebIntelligence commands likely to be used by the typical user of WebIntelligence including InfoView and the Explorer module. An Explorer user can work in HTML (with drill) and PDF, as well as download to an XLS file. The Reporter setting gives access to WebIntelligence commands likely to be used by the typical user of WebIntelligence including InfoView and the Reporter module. A Reporter user can work in HTML (without drill), PDF, the WebIntelligence HTML Report Panel and the WebIntelligence Java Report Panel (full functionality without drill mode), as well as download to an XLS file. The Explorer-Reporter setting combines WebIntelligence the capabilities of the Explorer and Reporter predefined settings.
Reporter
ReporterExplorer
5. To view the security command statuses associated with a predefined setting, click Edit. The Editing dialog box appears, indicating the name of the standard predefined setting and the product it applies to. This dialog box is identical to the Command Restriction dialog box except that the Apply Predefined Settings button does not appear. See The command restriction dialog box on page 181. Standard predefined settings cannot be modified. Allowing WebIntelligence users to create and edit reports The InfoView predefined setting for WebIntelligence restricts access to functionality making it possible to create and edit reports. It is applied at the root group and inherited as Default by all groups and users. To give WebIntelligence users the right to create and edit reports, apply another predefined setting such as Reporter, Explorer, or Reporter-Explorer.
Supervisors Guide
187
Creating custom predefined settings You can create your own custom predefined settings. 1. Select Tools, Manage Predefined Settings. The Manage Predefined Settings dialog box appears.
2. Select a product from the Select a resource drop-down list and click New. The Define the Predefined Setting Name dialog box appears.
3. Enter a name for your custom predefined setting and click OK. The Editing dialog box appears, indicating the name of your predefined setting and the product it applies to. This dialog box is identical to the Command Restriction dialog box except that the Apply Predefined Settings button does not appear. See The command restriction dialog box on page 181. 4. Set the security commands to the settings you need as described in Restricting the use of commands in the interface on page 180. 5. Click Save to save your predefined setting. This predefined setting now appears in the Apply Predefined Settings dialog box and can be applied to users or groups.
188
Supervisors Guide
Editing predefined settings Only custom predefined settings can be modified. The standard predefined settings can only be viewed. To edit a custom predefined setting: 1. Select Tools, Manage Predefined Settings. The Manage Predefined Settings dialog box appears. 2. From the Select a Resource drop-down list box, select a Business Objects product. 3. From the Select a Predefined Setting drop-down list box, select a predefined setting. You may also select a standard predefined setting to view it in detail, but you cannot modify it. 4. Click Edit. The Editing dialog box appears, indicating the name of the custom predefined setting and the product it applies to. This box is identical to the Command Restriction box except that the Apply Predefined Settings button does not appear. See The command restriction dialog box on page 181. 5. Set the security commands to the settings you need as described above in Restricting the use of commands in the interface on page 180. 6. Click Save to save the custom predefined setting. The custom predefined setting is saved with the modifications you added. It appears in the Apply Predefined Settings dialog box and can be applied to users or groups.
Supervisors Guide
189
Applying predefined settings from the manage predefined settings box You can also apply predefined settings directly from the Manage Predefined Settings dialog box. 1. Select Tools, Manage Predefined Settings. The Manage Predefined Settings dialog box appears. 2. From the Select a Resource drop-down list box, select a Business Objects product. 3. From the Select a Predefined Setting drop-down list box, select a predefined setting. 4. Click Apply to Users. The Apply dialog box appears, indicating the name of the predefined setting and the product it applies to. It shows all the users and groups in your repository.
5. Select the users or groups to which to apply the predefined setting. Multiple continuous selection is possible by clicking on users or groups while holding down the Shift key. Multiple discontinuous selection is possible by clicking on users or groups while holding down the Ctrl or Alt key. 6. Click OK to apply the predefined setting to the selected users and/or groups.
190
Supervisors Guide
Assigning universes to users or groups

When a universe has been designed, a supervisor or designer can export it to be stored in the repository, and assign it to a group to which he or she belongs, or the users in that group. Assigning a universe to a user or group controls the inheritance of universe permissions. The permission is controlled on that level and inherited by subgroups, if any, rather than being inherited from the parent group.
Assigning a universe to a user or group

To assign a universe to a user or group: 1. Select a user or group in the User pane. 2. Do one of the following: - Select Resource, Assign Universe. - Click the Assign Universe button. The Assign Universes dialog box appears with a list of all the universes available to the user or group you selected.
Supervisors Guide
191
3. Select one or more universes. To select more than one universe, hold down the Ctrl key while making your selections. 4. Click OK.
The Inherited From column in the Universe tab of the Resource pane now shows the name of the user or group. If the universe has been assigned to a group, the name of the group will be shown in the Inherited From column for users in the groups, subgroups and their users, unless and until the universe is assigned specifically to one of them.
NOTE
You may need to refresh this display by selecting the Refresh command from the View menu.
Reverting a universe to inherited permissions

To revert control of access to a universe to the permission inherited from the parent group: 1. Click the user in the User pane. 2. Click the universe which the user can access in the Universe tab. 3. Select Resource, Revert Universe to Inherited Permissions. The name of the group or the user to which the universe was assigned no longer appears in the Inherited From column. The Inherited From column now displays the parent group to which the universe was assigned (or the root group if no assignment has been made).
192
Supervisors Guide
Customizing a universe
Once you have linked a universe to a user or group, you may want to examine its characteristics or modify its properties. You can use the Universe Properties dialog box to customize any universe on a user or group basis. To access the Universe Properties dialog box, do one of the following: Double-click the universe name. Right-click on the universe name and select Properties. Select Resource, Properties. The Universe Properties dialog box appears, with the name of the universe in the title bar.
This dialog box comprises six tabs: Tab Definition Controls SQL Objects Rows Description (displayed by default) The options in this tab allow you to modify the universe connection. The options in this tab allow you to put limits on query size. The options in this tab allow you to put controls on SQL queries. The options in this tab allow you to control object use. The options in this tab allow you to limit row access.
Table Mapping The options in this tab allow you to control access to tables.
Supervisors Guide
193
The first three tabs also appear in Designer. The parameters in these tabs were set by the designer but you can customize them for a particular user or group. Only you can enter values in the parameters of the remaining tabs. The parameters pertain to the structures of the components manipulated: objects of the universe, or the tables or rows of a database.
NOTE
You can set restrictions on any universe even if you do not have access to the universe domain in which it is stored. Modifying the definition of a universe Universe parameters, as defined by the designer, are located in the Definition tab of the Universe Properties dialog box. The two parameters that define a universe are its: name connection to an RDBMS. The name and the description of the universe are visible to the end user working from within BusinessObjects or WebIntelligence. You can also modify the connection to the database in which the security domain of the repository resides. For more information, refer to "Faster document viewing over the web on page 152.
194
Supervisors Guide
Limiting query results When defining a universe, a designer can set controls on the queries that the end user can run. You can modify any of these controls from the Controls tab of the Universes Properties dialog box.
NOTE
When you make a change in any of the check boxes, the check box appears in red to indicate that you have altered the default setting. You can return to the default settings at any time by clicking the Reset button.
Supervisors Guide
195
The following controls are available: Click... To...
Limit size of result set Limit the maximum number of rows returned by a to query. Specify the maximum number of rows that a query can retrieve from a database. When the query reaches this limit, it stops; however the end user can still retrieve the partial results. Limit execution time to Limit the execution time of a query. Enter a value (in minutes) beyond which the execution of the query is halted. An error message indicates that the execution time has expired, and that the query was partially executed. The partial result is returned. Warn if cost estimate exceeds Receive a warning message if the execution time of the query exceeds the limit. Specify a time limit (in minutes) for the execution of the query. If the specified time is exceeded, a warning message is sent to the user. This feature is only supported by certain RDBMSs. Limit size of long text objects to Limit the size of long text objects. Specify the maximum number of characters that a user can retrieve from the database. This number depends on the RDBMS which contains the data. A long text object can contain up to 32,000 characters and take up 4 Gb of disk space.
196
Supervisors Guide
Limiting SQL syntax You can set restrictions on the creation and execution of queries by clicking the SQL tab of the Universe Properties dialog box.
NOTE
When you make a change in any of the check boxes, the check box appears in red to indicate that you have altered the default setting. You can return to the default settings at any time by clicking the Reset button. Setting limits on SQL syntax in queries In the Query group box, you can set limits on certain elements in the syntax of the SQL language: To... allow the use of set operators: intersection, union and minus enable the display of complex operators in the Query Panel Click... Allow use of union, intersect, and minus operators Allow complex operators in Query Panel
allow the use of nested SELECT statements Allow use of subqueries
Supervisors Guide
197
Authorizing executions of queries with loops In the Multiple Paths group box, you can authorize the execution of queries in the event that loops exist in the structure of the universe. To... enable a query, using objects belonging to two different joins, to generate two distinct sets of results simultaneously execute a query using measure objects originating from different tables Click... Multiple SQL statements for each context
Multiple SQL statements for each measure This splits the SQL into several statements whenever a query includes measure objects derived from columns in different tables. If the measure objects are based on columns in the same table, then the SQL is not split, even if the option is checked.
execute a query along different paths Allow selection of multiple contexts within a loop and to generate two different sets of results simultaneously Setting the cartesian products warning The Cartesian Products group box allows you to specify how BUSINESSOBJECTS is to handle a Cartesian product. This is a situation in which a query includes two or more tables that are not linked by a join. If executed, this type of query retrieves all possible combinations between each table, and may lead to inaccurate results. To... Click...
prohibit the execution of a query generating Prevent radio button a Cartesian product warn but not prevent an end user from executing a query resulting in a Cartesian product Warn radio button
198
Supervisors Guide
Limiting objects in a universe You can restrict the use of certain objects in a universe by groups or users. Such a restriction on a group is inherited by users. If a user inherits an object restriction from the parent group, that restriction cannot be changed for the user. To restrict the use of objects in a universe: 1. Click the Objects tab in the Universe Properties dialog box.
Supervisors Guide
199
2. To select an object or class to be restricted, click Add. The New Restricted Object dialog box appears.
3. If you know the exact name of the object or class, enter it in the Object Name text box, and click OK. 4. If you do not know the name of the object, click Select. A connection to the universe domain is opened, and the object classes are displayed in the Object Browser dialog box.
5. Click the plus sign (+) beside the name of a class to view its objects. 6. Click the object or class to be restricted, and click OK. The name of the class and object to be restricted are displayed in the New Restricted Object dialog box.
7. Click OK. The dialog box is closed and the name of the object appears within the list of restricted objects in the Objects tab.
200
Supervisors Guide
Check the syntax of the object you selected 1. Click the object in the list. 2. Click Check. A message indicates whether the object is valid. Limiting access to rows in a database table You can restrict access by groups or users to the rows of a database table used to create a universe. Such a restriction on a group is inherited by users. If a user inherits a row restriction from the parent group, that restriction cannot be changed for the user. To restrict access to the rows of a database table: 1. Click the Rows tab of the Universe Properties dialog box.
Supervisors Guide
201
2. Click Add. The New Row Restriction dialog box appears.
3. If you know the name of the table, enter it in the Table box.
202
Supervisors Guide
4. If you do not know the name of the table, click >> to the right of the Table box. This opens a connection to the universe domain and displays the Table Browser dialog box.
5. Select a table from the list, and double-click it. The New Row Restriction dialog box appears, with your selection entered in the Table text box. 6. Enter the SQL Where clause that sets a condition restricting the rows of the table. You can do this manually, or you can click Browse to the right of the Where Clause box to display the Where Clause Definition dialog box. This is an SQL editor, which allows you to dynamically formulate an SQL clause by selecting your components from the three panes of this window. You can quickly build up your definition by simply double-clicking on any of the tables, operators, and functions displayed. All components that you select in this way are displayed in the upper pane of the window.
NOTE
This is the same SQL editor that appears in Designer.
Supervisors Guide
203
7. When you have finished entering your definition, click OK.
8. Click OK again to return to the Universe Properties dialog box. The name of the table, together with the condition set on the rows now appears in the Rows tab. 9. Verify the correctness of the syntax of the table and its SQL condition by selecting the table, and then clicking Check. The Status appears as OK if the selected table and its associated condition are correctly specified. 10. If necessary, alter the definition by clicking Modify and changing the displayed values. 11. Click OK to close the dialog box and apply the restrictions.
204
Supervisors Guide
Using row restrictions in queries In using row-level security for your users, you should be aware that there is an important limitation to its use. Row restrictions do not apply unless the users query includes either the dimension on which the restriction is refined or another dimension in the same table. For example, you have set row restrictions that prevent a user from seeing information for any state but California. If the user sends queries that involve the geographical dimension, the restriction will apply, but queries without that dimension will return results that encompass other states, as illustrated below. Dimensions in query Sales revenue by year and by country Sales revenue by year and by region Sales revenue by year and by state Sales revenue by year Row restriction applies Yes Yes Yes No
Sales revenue by year with country as part of scope Yes of analysis (that is, part of the query but hidden) Table mapping Table mapping allows you to switch the tables that are referenced by a universe. You may wish to use this feature for security purposes. For example, you might want to restrict a designer from working with tables containing critical data. With table mapping, you can replace these tables with others. Alternatively, some users or groups may wish to re-use the same universe with a different set of tables, views, or synonyms.
NOTE
For table mapping to be possible, all columns in the original table must also exist in the replacement table.
Supervisors Guide
205
EXAMPLE Changing table mapping
Suppose you want the sales representatives of the Northern region to see the Resort table view instead of the Country table. To achieve this, in all the SQL generated from the sales universe, the Country table must be replaced by the Resort table. To carry out the substitution: 1. Click the Table Mapping tab of the Universe Properties dialog box.
2. To map one table to another, click Add. The New Table Mapping dialog box appears.
206
Supervisors Guide
3. Enter the name of the original table in the Original Table text box. If you do not know the name but you have a connection to the data account, click Select, and then click the name of the table from the dialog box. 4. Enter the name of the replacement table in the Replacement Table text box, and click OK. The dialog box closes and the names of the tables appear dynamically in the Table Mapping tab. 5. Click OK to close the dialog box.
Supervisors Guide
207
Assigning stored procedures to users or groups

Some RDBMSs allow the use of stored procedures. A stored procedure is an SQL script which is stored in a database account. Supervisor lets you assign users or groups to the data account that includes stored procedures that can be used in queries. Assigning a stored procedure to a user or group controls the inheritance of permissions on that connection. The permission is controlled on that level and inherited by subgroups, if any, rather than being inherited from the parent group. Only existing connections can be assigned. For complete information on the creation and management of connections, refer to Managing Resources on page 137.
NOTE
A connection to a stored procedure does not appear in the Stored Procedures tab of the Resources Pane until it has been assigned as a stored procedure. It is only defined as a stored procedure when its connection has been assigned to a user or group as described below. To assign users or groups the connection to a data account containing stored procedures: 1. Click the user or user group in the User pane. 2. Select Resource, Assign, Stored Procedure. The Assign Stored Procedures dialog box appears with the list of connections defined in the repository.
3. Click the connection you wish to assign to a user or group, and click OK. The name of the connection appears in the Stored Procedure tab followed by the name of the user or group.
Assigning stored procedures to users or groups
208
Supervisors Guide
Disabling access to a stored procedure

To temporarily prohibit a user or user group from accessing stored procedures: 1. Click the user or user group in the User pane. 2. Select the connection(s) to be disabled in the Stored Procedure tab of the Resource pane. 3. Do one of the following: - Select Resource, Disable Stored Procedure. Disable Stored - Right-click on the connection and select Disable Stored Procedure. Procedure The disabled connection appears in the Stored Procedure tab flagged with a red X: .
Enabling access to a stored procedure

To temporarily prohibit a user or user group from accessing stored procedures: 1. Click the user or user group in the User pane. 2. Select the connection(s) to be disabled in the Stored Procedure tab of the Resource pane. 3. Do one of the following: Enable Stored - Select Resource, Enable Stored Procedure. Procedure - Right-click on the connection and select Enable Stored Procedure.
Reverting a stored procedure to inherited permissions

To revert access to a stored procedure to the permission inherited from the parent group: 1. Click the user or user group in the User pane. 2. In the Stored Procedure tab, click the connection(s) to the data account assigned to the user or group. 3. Select Resource, Revert Stored Procedure to Inherited Permissions. The name of the group or the user to which the stored procedure was assigned no longer appears in the Inherited From column. The Inherited From column now displays the parent group to which the stored procedure was assigned (or the root group if no assignment has been made).
Supervisors Guide
209
Assigning documents and templates to users

Supervisor lets you assign documents and templates, created with BusinessObjects or WebIntelligence and sent to the repository, to users or groups. Assigning a document or template to a user or group controls the inheritance of permissions. The permission on the document or template is controlled on the user or group level and inherited by subgroups, if any, rather than being inherited from the parent group. Once you have assigned documents or templates, you can disable them.
Assigning a document or template

To assign a document or template to a group or user 1. Do one of the following: - Select Resource, Assign, Document. - Click the Assign Document button. The Assign Documents dialog box appears:
Assign Document
2. Click the document or template to be assigned, and then click OK. The dialog box closes, and the document or template name appears within the Document tab followed by the name of the user and the group to which it belongs.
Assigning documents and templates to users
210
Supervisors Guide
Disabling access to a document or template

To prohibit a group or user from access to a document or template: 1. Click the user or user group in the User pane. 2. Click the document(s) in the Document tab of the User pane. 3. Do one of the following: - Select Resource, Disable Document. - Click the Disable Document button. - Right-click on the document and select Disable Document. The disabled document or template appears with a white X on a red dot within the Document tab.
Disable Document
Disabling access to a document or template

To allow access to a document or template: 1. Click the user or user group in the User pane. 2. Click the document(s) in the Document tab of the User pane. 3. Do one of the following: - Select Resource, Enable Document. - Click the Enable Document button. - Right-click on the document and select Enable Document.
Enable Document
Reverting a document or template to inherited permissions

To revert access to a document or template to the permission inherited from the parent group: 1. Click the user or user group in the User pane. 2. In the Document tab, click the document(s) or template(s) which was assigned to the user or user group. 3. Select Resource, Revert Document to Inherited Permissions. The name of the group or the user to which the document or template was assigned no longer appears in the Inherited From column. The Inherited From column now displays the parent group to which the document or template was assigned (or the root group if no assignment has been made).
Supervisors Guide
211
Assigning repository domains to users

Supervisor lets you assign the repository domains created by the general supervisor during the installation of the product to users or groups. Assigning a repository domain to a user or group controls the inheritance of permissions. The permission on the domain is controlled on the user or group level and inherited by subgroups, if any, rather than being inherited from the parent group. Once you have assigned document domains, you can disable them.
Assigning a domain
To assign a domain to a user or user group: 1. Click the Repository tab. In this tab, the Supervisor lists all available domains. 2. Select Resource, Assign, Domain. The Assign Repository Domains dialog box appears.
3. From the dialog box, select the domain(s) to be assigned, and then click OK. The assigned domains appear in the Repository tab of the Resource pane followed by the name of the user or user group in the Inherited From field.
Assigning repository domains to users
212
Supervisors Guide
Disabling access to a domain

To temporarily disable a user or user group from accessing a domain: 1. Click the user or user group in the User pane. 2. Click the domain(s) in the Repository tab of the User pane. 3. Do one of the following: - Select Resource, Disable Domain. - Click the Disable Domain button. - Right-click on the document and select Disable Domain. The disabled document appears with a white X on a red dot within the Document tab.
Disable Domain
Enabling access to a domain

To temporarily disable a user or user group from accessing a domain: 1. Click the user or user group in the User pane. 2. Click the domain(s) in the Repository tab of the User pane. 3. Do one of the following: - Select Resource, Enable Domain. - Click the Enable Domain button. - Right-click on the document and select Enable Domain.
Enable Domain
Reverting a domain to inherited permissions

To revert access to a repository domain to the permission inherited from the parent group: 1. Click the user or user group in the User pane. 2. In the Repository tab, click the domain(s) assigned to the user or group. 3. Select Resource, Revert Domain to Inherited Permissions. The name of the group or the user to which the domain was assigned no longer appears in the Inherited From column. The Inherited From column now displays the parent group to which the domain was assigned (or the root group if no assignment has been made).
Importing and Exporting Users and Groups
chapter
214
Supervisors Guide
Overview
You can automate much of the process of creating and updating users, user properties, and groups by entering the relevant information from a text file. This file must be preformatted with appropriate commands. BusinessObjects and WebIntelligence users are usually already defined somewhere in the companys information systemin the Human Resources Department database, for example. As administrator, you must devise a way to collect the information from existing data sources and generate the import file. Then you use Supervisor to import the file and create the users and groups in the Business Objects repository. This can cut down considerably on your administration workload. User properties that are usually defined with the Supervisor interface can be defined using the import file. However, resource grants (such as universes, documents, etc.) cannot. You can import users and groups in interactive mode or batch mode. You can also choose whether or not to generate log and undo files. In addition, you can export the user and group configuration of your current repository to a text file. The text file can be stored as a record of the repositorys groups and users and imported to recreate that configuration in a repository.
Supervisors Guide
215
Importing within your scope

If you are a General Supervisor, you can use import files unrestrictedly. If you are a supervisor, you can use import file commands in the Scope Management mode that applies to you. How your scope management mode affects the way you can import users and groups is described in the following table. Import File Command NU (New User) Supervisor (Standard mode) Only within own scope. Supervisor (Extended mode) Only within own scope. If the user exists, but outside your scope, you are asked in interactive mode if you want to add the user to your scope. Not permitted if instances Not permitted if instances exist exist outside your scope. outside your scope. You cannot add users from outside your scope. You can add users from outside your scope.
DU (Delete User) AG (Add to Group)
Supervisors operating in Secure Mode have the restrictions applied to Standard mode, and in addition cannot create users with access to commands or resources which they themselves have not been granted by the General Supervisor. This is true for import files and for operations through the interface. Finally, the General Supervisor can disable or hide the Import Users and Groups commands for supervisors (see Restricting the use of commands in the interface on page 180).
216
Supervisors Guide
Generating the import file

You use Supervisor only to import the text file containing information on the users and groups to be created or updated. You cannot generate the file itself with Supervisor. It is up to you, the administrator, to determine where in your companys information and security systems the data you need is located, and then to collect it and generate the import file in the format described here. This can be done with SQL, the export function of an administration tool, or PERL, for example.
Supervisors Guide
217
Using batch mode and interactive mode

The Import Users and Groups command can be run in batch mode or interactive mode.
Batch mode
The purpose of batch mode is to automate user and group import operations with no intervention from the interface. For instance, an import file can be run automatically on a regular basis to behave like incremental import (newly created users are inserted, newly removed users are deleted, existing users are updated as applicable, etc.). To import in batch mode, open the command prompt at the directory containing the key file and run the command with these options (enter on one line): - IMPORTUSERS <import file> -USER <user name> -PASS <password> -KEYFILE <key file name> where: <import file> is the name and extension of the import file. <user name> is your Business Objects user name. <password> is your Business Objects password. <keyfile> is the name, without the .key extension, of the key file pointing to your repositorys security domain. When run with this command and these options, Supervisor will start automatically, run the import, and then quit.
Using batch mode and interactive mode
218
Supervisors Guide
Interactive mode
Interactive mode is the default mode. 1. Select File, Import Users and Groups. The Select the file to import dialog box appears.
2. Select an input file and click Open. The dialog box closes and the file is imported as a progress bar shows the progress of the operation. Error messages inform you of any errors. When the import is complete, a dialog box appears to recap the total errors (if any) and give the path of the log file and undo file, if any.
Supervisors Guide
219
Using import file commands and global commands

Start a new line in the import file for each of the following commands and global commands.
Commands
Command Name NU UU AG RG DU NG RR DG # Purpose New User Update User Add to Group Remove from Group Delete User New Group Rename gRoup Delete Group Comment
In the import file, commands are followed by parameters. The separator character is the tab character, comma, or semi-colon. The comma is used as the separator in the examples of command syntax provided in the rest of this chapter. You can use any of the three separators in your own import files. The supported characters in user and group properties are those valid for the repository. See Defining valid characters for repository on page 76. The asterisk (*) is a special character interpreted as keep the existing value. This is very useful in the UNDO file as it means the password does not have to be displayed.
220
Supervisors Guide
Global commands
Global commands, placed at the beginning of an input file, control whether import will be in interactive or batch mode, whether it will generate a log file and undo file, and whether password encryption mode is on or off. Command Name INTERACTIVE Purpose Dialog boxes appear as the file is imported to allow you to confirm the information. This is the default mode. The file is imported with no questions asked, no dialog box displayed. A log file is generated for the rest of the import. This is the default mode. No log file is generated. An undo file is generated for the rest of the import. When the import is complete, importing the undo file brings the repository back to its original configuration. This is the default mode. No undo file is generated. User passwords are encrypted when exported to file, and decrypted when imported to the repository. This command is included automatically in export files and should not be removed when importing them because the passwords in them are encrypted. NO_ENCRYPTED_PASSWORD User passwords are not decrypted when imported to the repository. This is the default mode.
BATCH LOG NOLOG UNDO
NOUNDO ENCRYPTED_PASSWORD
Supervisors Guide
221
Here is an example of an input file using global commands. Notice that the global commands are placed at the beginning of the file.
BATCH # import takes place with no import from user NOLOG # no log file will be generated NOUNDO # no undo file will be generated # next lines create new groups NG,Acme,Sales NG,Acme,Marketing # next lines create new users in new groups NU,Marketing,Young,,S,N,Y,Y,Y,Y,PE,F,N,31,Y NU,Marketing,Eldridge,,S,N,Y,N,Y,N,CL,F,Y,N NU,Marketing,Hawkins,,U,N,N,Y,N,Y,PC,F,N,31,Y NU,Marketing,Armstrong,,U,N,Y,Y,N,Y,R,F,N,N NU,Sales,Gillespie,,S,N,Y,Y,Y,Y,PE,F,N,N NU,Sales,Davis,,U,N,N,Y,N,Y,PC,F,N,15,N NU,Sales,Parker,,D,N,Y,N,Y,N,CL,F,Y,N NU,Sales,Coleman,,U,N,Y,Y,N,Y,R,F,N,N # next lines update existing users UU,IT,Henderson,,,S,N,Y,Y,Y,Y,PE,F,N,7,Y UU,IT,Ellington,,,U,N,N,Y,N,Y,PC,F,N,N UU,IT,Goodman,,,U,N,Y,Y,N,Y,R,F,N,N UU,IT,Lunceford,,,D,N,Y,N,Y,N,CL,F,Y,N UU,IT,Webb,,,U,N,N,Y,N,Y,PC,F,N,21,N UU,IT,Hines,,,U,N,Y,Y,N,Y,R,F,N,N UU,IT,Eckstine,,,V,N,Y,Y,N,Y,R,F,N,N UU,IT,Kenton,,,U,N,Y,Y,N,Y,R,F,N,N UU,IT,Powell,,,U,N,Y,Y,N,Y,CD,F,N,N UU,IT,Tatum,,,U,N,Y,Y,N,Y,PC,F,N,N UU,IT,Hancock,,,U,N,Y,Y,N,Y,PC,F,N,N UU,IT,Evans,,, U,N,Y,Y,N,Y,R,F,N,N
This example does not use the command ENCRYPTED_PASSWORD, because it is only used when reimporting export files. With an input file like the example above, the passwords you enter in the file are not encrypted. NO_ENCRYPTED_PASSWORD, like INTERACTIVE, LOG and UNDO, is the default value.
222
Supervisors Guide
Importing users and groups

Creating a new user
To create a new user and specify the user properties, start a new line in the import file with the NU command.
NOTE
If the user name in the import file is already in use, the command will be interpreted as an Update User command (UU). You are asked to confirm, and if you click OK the parameters update the existing users settings. Syntax: NU, Group, UserName, UserPassword, Profile[GS,S,SD,D,U,V], DisableLogin[Y,N], EnableOfflineLogin[Y,N], EnablePasswordModification[Y,N], EnableRealTimeUserRightsUpdate[Y,N], EnableDeleteDocument[Y,N], ObjectSecurityLevel[PC,CD,R,Cl,PE], IdentificationStrategy[F,N], ChangePasswordAtFirstLogin[Y,N], PasswordValidityDays[N,1-365], PeriodicAction[Y,N] Replace parameter names by the value to be imported or, when followed by options between brackets, by one of the options. Parameter Group Value The group to which the new user will belong. Since group names are unique in a repository, it is unnecessary to enter the path. User Name User Password Profile The new users user name. The new users password. GS, S, SD, D, U, or V The new users profile will be: GS: General Supervisor S: Supervisor SD: Supervisor/Designer D: Designer U: User V: Versatile User
Supervisors Guide
223
Parameter Disable Login Enable Offline Login
Value Y or N The new user will (N) or will not (Y) be able to log in. Y or N The new user will (Y) or will not (N) be able to log in without a repository connection.
Enable Password Modification Enable Real Time User Rights Update Enable Delete Document Object Security Level
Y or N The new user will (Y) or will not (N) be able to change his or her password. Y or N The new user will (Y) or will not (N) see the list of available universes in real time. Y or N The user will (Y) or will not (N) be able to delete documents from the repository document domain. PE, CL, R, CD or PC Defines which universe objects the new user will have access to, according to their security level: PE: Private CL: Confidential R: Restricted CD: Controlled PC: Public
Identification Strategy F or N F: Full N: None The BUSINESSOBJECTS repository will always (F) or never (N) check the new users password at login.
224
Supervisors Guide
Parameter Change Password At First Login
Value Y or N The new user will be obliged (Y) or not (N) to change his or her password at the first login to a BUSINESSOBJECTS module. N or a number from 1 to 365 The new user will not be forced to change his or her password (N) or will be forced to change the password after the number of days specified (1 to 365). Y or N Only taken into account if the Password Validity Days option is not N. Y: the password must be changed periodically every time that number of days has passed. N: the new user will be forced to change his or her password only once, after the number of password validity days is up.
Password Validity Days
Periodic Action
Supervisors Guide
225
Updating a user
To update the properties of an existing user, start a new line in the import file with the UU command. Syntax: UU, Group, CurrentUserName, NewName, UserPassword, Profile[GS,S,SD,D,U,V], DisableLogin[Y,N], EnableOfflineLogin[Y,N], EnablePasswordModification[Y,N], EnableRealTimeUserRightsUpdate[Y,N], EnableDeleteDocument[Y,N], ObjectSecurityLevel[PC,CD,R,Cl,PE], IdentificationStrategy[F,N], ChangePasswordAtFirstLogin[Y,N], PasswordValidityDays[N,1-365], PeriodicAction[Y,N] The parameters and values are identical to those of the NU command with these exceptions: Parameter Value
CurrentUserName The current name of the user whose properties are being updated. NewName The new name of the user, if the user namer is to be changed. Leave blank to keep the same user name.
226
Supervisors Guide
Creating or updating a general supervisor

Only a General Supervisor can create a General Supervisor. A General Supervisor can only be created at the root level, not in a group. Because a General Supervisor can only exist at root level, the profile of a user in a group cannot be changed to General Supervisor. When a user is created with a General Supervisor profile, or updated to a General Supervisor profile, parameters specified after the user profile will be ignored. This is because a General Supervisor has mandatory settings which will be applied, namely: Parameter Disable Login Enable Offline Login Enable Password Modification Enable Delete Document Object Security Level Change Password at First Login Password Validity Days Identification Strategy Value N Y Y Y PE (Private) N N F (Full Checking)
Enable Real Time User Rights Update Y
Supervisors Guide
227
Using default values when creating or updating users

Except for the group and user names, which are mandatory, you can omit any parameters in the NU and UU commands in order to use the default values.
NOTE
Even when you omit parameters in the NU and UU commands in order to use the default values, you must enter the separators or any following parameters are not interpreted correctly. The exception is that after the password parameter, which must always be followed with a comma if the ENCRYPTED_PASSWORD global command is used, you can end the command with the last explicitly specified parameter, without entering any more separators. Default values will be used for any following parameters. The default values for the parameters of the NU and UU commands are listed in the tables below.
228
Supervisors Guide
NU command default value Parameter Group User Name User Password Profile Disable Login Enable Offline Login Enable Password Modification Enable Real Time User Rights Update Enable Delete Document Object Security Level Identification Strategy Change Password At First Login Password Validity Days Object Security Level Default value None (Mandatory) None (Mandatory) Empty U (User) N (No) Y (Yes) Y (Yes) N (No) Y (Yes) PC (Public) F (Full checking) N (No) N (No) PC (Public)
Here is an example of the NU command to create a new user with default values for all parameters except "Profile" (we want the user to have the Designer profile) and "Change Password At First Login" (we want the user to do so):
NU,Marketing,jsmith,,D,,,,,,,,Y
Notice that a separator was entered for each unspecified parameter before the last specified parameter. The default values will be used for unspecified parameters, including those after the "Change Password At First Login" parameter, which do not require separators since there are no following parameters specified. Another way to write this command would be to use the asterisk to stand for default values. You may find this easier to keep track of the number of parameters entered:
NU,Marketing,jsmith,*,D,*,*,*,*,*,*,*,Y
Supervisors Guide
229
UU command default values Parameter Group Current User Name NewName User Password Profile Disable Login Enable Offline Login Enable Password Modification Enable Real Time User Rights Update Enable Delete Document Object Security Level Identification Strategy Change Password At First Login Password Validity Days Periodic Action Default value None (Mandatory) None (Mandatory) Existing user name Existing value Existing value Existing value Existing value Existing value Existing value Existing value Existing value Existing value Existing value Existing value Existing value
230
Supervisors Guide
Adding a user to a group

To add a user to a group, start a new line in the import file with the AG command. Syntax: AG, Group, UserName, Profile[GS, S, SD, D, U, V] Parameter Group User Name Profile Value The group to which the user will be added. The name of the user to be added to a group. (If the user does not already exist, it will be created.) GS, S, SD, D, U, or V The users profile in the group will be: GS: S: SD: D: U: V: General Supervisor Supervisor Supervisor/Designer Designer User: Versatile User
Adding a general supervisor: restrictions General Supervisors can only exist at root level, and a user with a General Supervisor profile cannot have any other profile. Therefore: A user in a group cannot be added either to the root level or to another group with the General Supervisor profile. A General Supervisor cannot be added to a group.
Supervisors Guide
231
Removing a user from a group

To remove a user from a group, start a new line in the import file with the RG command. Syntax: RG, Group, ExistingUserName Parameter Group Existing User Name Value The group from which the user will be removed. The name of the user to be removed from the group. The user must already exist.
Deleting a user
To delete a user, start a new line in the import file with the DU command. Syntax: DU, Group, UserName Parameter Group User Name Value The group from which the user is to be deleted. The name of the user to be deleted.
Creating a new group

To create a new group, start a new line in the import file with the NG command. Syntax: NG, ParentGroup, GroupName Parameter ParentGroup Group Name Value The group in which the new group will be created. The name of the group to be created.
232
Supervisors Guide
Renaming a group
To rename a group, start a new line in the import file with the RR command. Syntax: RR, ParentGroup, GroupName, NewName Parameter ParentGroup GroupName NewName Value The parent group of the group to be renamed. The existing name of the group to be renamed. The new name to give the group.
Deleting a group
To delete a group, start a new line in the import file with the DG command. Syntax: DG, ParentGroup, GroupName Parameter ParentGroup Group Name Value The parent group of the group to be deleted. The name of the group to be deleted.
Supervisors Guide
233
Generating the log file

The log file is a text file detailing each action of the import file and whether or not it was successful. It is created at the same location as the import file. You can use it to keep track of exactly what changes you made to the repository when importing, and to be informed of any errors that may have occurred. A log file is generated by default when you import users and groups. If you do not want to generate a log file, you must include the global command NOLOG at the beginning of the import file. To create a partial log file, include NOLOG before the operations which you do not want to log and LOG before those you do want to log.
Generating the log file
234
Supervisors Guide
Using undo files

An undo file is generated by default when you import users and groups. If you run an import file to create or update users and groups, you can run the undo file immediately afterwards to revert to the original situation that existed before your import. We recommend that you keep this default option. However, if you do not want to generate an undo file, you must include the global command NOUNDO at the beginning of the import file. The commands in the undo file cancel the effects of the commands in the import file and are generated in reverse order. The undo file cannot restore a users password once it is changed, nor can it restore a user or groups resource grants after the user or group has been deleted. The table below shows the import file commands and the corresponding undo file commands generated. Import File command NU, Group, UserName... Undo File command DU, Group, UserName
NU interpreted as update NU with original values, with the password an asterisk and ignored UU, Group, UU, Group, NewName, CurrentUserName, former CurrentUserName, values... NewName, new values... (Note that this replaces the NewName imported with the CurrentUserName that it replaced.) AG, Group, UserName, Profile... RG, Group, UserName RG, Group,UserName AG, Group, UserName or NU, Group, UserName + AG, Group, UserName DU, Group, UserName NU, Group, UserName or NU, Group, UserName + AG, Group, UserName
Supervisors Guide
235
Import File command NG, ParentGroup, GroupName RR, ParentGroup, GroupName, NewName DG, ParentGroup, GroupName
Undo File command DG, ParentGroup, GroupName RR, ParentGroup, NewName, GroupName NG, ParentGroup, GroupName or NG, ParentGroup, GroupName + NU, Group, UserName + AG, Group, UserName + NG, ParentGroup, GroupName
Using undo files
236
Supervisors Guide
Exporting your configuration to file

You can make a record of the user and group configuration of your current repository by automatically exporting it to a text file. This file, called the export file, is written with the Business Objects import file syntax described in this chapter. It can then be imported to recreate that configuration in a repository. 1. Select File, Export Users and Groups. 2. In the Export Repository Configuration to File window, select a location and enter a file name. Click OK to save.
NOTE
The user and group configuration that is exported to the text file does not include resource grants. To protect their security, passwords are encrypted before being placed in the export file. Be sure to use the ENCRYPTED_PASSWORDS global command when re-importing users from an export file.
Managing Categories
chapter
238
Supervisors Guide
Overview
A category is a keyword or phrase end-users can assign to documents when they send them to users, groups, or Broadcast Agent. Users can filter their document searches to find only documents or available documents corresponding to selected categories, no categories, or all categories. For example, documents of interest to the Marketing Department could be assigned the Marketing category when sent. Marketing personnel could search the repository by this category to find documents concerning them. Categories exist per repository. Categories can contain subcategories. Documents in the repository can have no categories or any number of categories, but they have no categories attached when they are not in the repository. It is not possible to restrict a user or groups access to documents based on the categories they are associated with. Although categories cannot be associated with documents from Supervisor, their creation, naming, deletion and ownership are managed in Supervisor by general supervisors and supervisors, who can also grant specific users the right to manage all categories or only the categories which they create from BusinessObjects or WebIntelligence. They do this using security commands. General supervisors, as well as users for whom the Manage All Categories security command is enabled for the application they are using, can create, delete, and rename categories and subcategories without restriction, including use of the Reproduce Owner command to make the owner of a category become the owner of all its subcategories. Users for whom Manage All Categories is not enabled but for whom the Manage My Categories security command is enabled can create categories at root level or under a category which they own. They can change the name of categories they own and delete a category they own if they own all its subcategories.
NOTE
If a supervisor deletes an authorized user who had created categories, the categories remain in the repository and the supervisor inherits the rights to those categories. The categories assigned to each document appear in the Document tab of the Resource pane. You can set the order in which you see the categories listed on your screen.
Managing Categories
Supervisors Guide
239
Managing categories
Two Supervisor security commands control category management: Manage All Categories and Manage My Categories. See Security command family: miscellaneous on page 276 for details on how these security commands work.
Creating a category
When you create a category in the repository, users of the repository will see it in the list of categories they can assign to documents when sending. General supervisors, supervisors, and authorized users can create categories and subcategories. 1. Select Tools, Manage Categories. The Categories dialog box appears showing the home category which exists by default at the root.
2. In the Categories dialog box, click Add. A new category appears below the Home Category.
Managing categories
240
Supervisors Guide
3. Type a name for the new category, Marketing, and press Enter.
In the Selection box, the following information about the category appears: - its location in the category tree - its owner (the administrator or authorized user who is authorized to manage the category, by default the creator of the category) - the date the category was created or updated - the number of documents associated with the category
Managing Categories
Supervisors Guide
241
Adding a subcategory
To add a subcategory to the category, select the category and follow the same steps: 1. In the Categories dialog box, select the category Marketing. 2. Click Add. 3. Type a name for the subcategory, Managers, and click OK. The subcategory Managers appears below Marketing in the category tree.
Managing categories
242
Supervisors Guide
Editing a category
You may want to rename a category if, for example, it corresponds to the name of a department or corporate function whose description has changed. If the Marketing Department is rechristened the Marketing and Public Relations Department, you can rename the Marketing category Marketing/PR. You can also change the owner of a category if, for example, the current owner has left the company or changed responsibilities. General supervisors can modify the name and owner of all categories. Supervisors and authorized users can modify them only for those categories they created. When a category is renamed, all documents to which it has been assigned are automatically updated in the repository. 1. In the Categories dialog box, select the category Marketing and click Edit. The Edit Category box appears.
2. Type the new name, Marketing PR, in the Name text box and click OK. In the Categories dialog box, the name is changed and the information under Selection is updated. 3. Select the category Marketing and click Edit again. 4. Change the name in the Owner text box and click OK. In the Categories dialog box, the name is changed and the information in the Selection box is updated to reflect the new owner name.
Managing Categories
Supervisors Guide
243
Deleting a category
When a category is deleted, all documents to which it has been assigned are automatically updated in the repository but not deleted. General supervisors can delete all categories. Supervisors and authorized users can delete only those categories of which they are the owner (by default, they own the categories they created). To delete a category: 1. Do one of the following: - Select Tools, Categories. - Click the Manage Categories button. 2. In the Categories dialog box, click a category in the list and click Delete. 3. Click OK to confirm. Deleting a category is irreversible. You can create the category again, but any association with documents is lost and must be re-applied from BusinessObjects or WebIntelligence.
Managing categories
244
Supervisors Guide
Allowing users or groups to manage categories

As general supervisor or supervisor, you can grant specific users or groups the right to create categories, and to rename and delete the categories they create, from BusinessObjects or WebIntelligence. You do this by enabling the security command Manage All Categories or Manage My Categories. These commands are described in Managing categories on page 239 and in Appendix A. To allow a user or group to manage categories: 1. Select a user or group in the User pane of the Supervisor main window. This is the user or users whom you want to be able to manage categories. 2. Double-click BusinessObjects or WebIntelligence in the Configuration pane. The Command restriction dialog box appears.
Managing Categories
Supervisors Guide
245
3. Click Documents in the tree view on the left. 4. Click Manage All Corporate categories or Manage My Corporate Categories in the list box on the right.
5. Choose Enabled in the Status list. 6. Click OK to confirm. The user will now be able to manage categories.
Managing categories
246
Supervisors Guide
Managing Categories
BusinessObjects 6.1 Security Command Reference
appendix
248
Supervisors Guide
Overview
This appendix lists all security command in all Business Objects products. It should be used in conjunction with Restricting the use of commands in the interface on page 180, which describes in detail how security commands are applied. The security commands are described below per product in families as they are seen in the Command Restrictions dialog box of Supervisor. Each security command family has three tables: The first table shows which security command family to choose according to the functionality you want to restrict. Use this table to decide which security command families to work with. The second table shows the effects on the user interface of disabling or hiding each security command. Use this table to know exactly what will happen for your user and group when you disable or hide a security command. The third table shows the effect on the object model of disabling or hiding each security command. Use this table to know exactly how disabling or hiding a security command affects the programmability of functionalities.
Supervisors Guide
249
About security commands

Security commands are a means you have, as a supervisor, to restrict the access that the groups or individual users in your repository have to functionalities in Business Objects products. A security command can be set to one of four states: State Enabled Disabled Hidden Inherit Description Access to the functionality is granted. Access to the functionality is denied. Access to the functionality is denied, and the related interface elements do not appear. The setting of the next highest level of inheritance is applied (for example, when you set a security command for a group, the status for the groups members will be "Inherit").
This is done through the Command Restrictions dialog box.
Wheres the command restrictions dialog box?

To open the Command Restrictions dialog box: 2. Select a user or group in the User pane of Supervisor. 3. Select the Configuration pane. 4. In the Configuration pane, double-click the product for which you want to restrict functionality, or select the product and on the Resource menu, click Properties.
Command restrictions through predefined settings

Command restrictions can also be applied through the use of predefined settings, as described in Managing predefined settings on page 184. A predefined setting is a macrocommand that sets a number of security commands in one operation. Supervisor comes with a few standard predefined settings, which cannot be modified. You can also create and edit custom predefined settings by choosing Manage Predefined Settings on the Tools menu of Supervisor.
250
Supervisors Guide
Predefined settings have some important limitations: It is not possible to see, for a given user or group, which if any predefined setting has been applied to it. All you can see are the settings of each security command in the Command Restriction dialog box. Predefined settings are not dynamic. In other words, if you apply a custom predefined setting to one group, then change the predefined setting, the settings of the group do not change. You have to select the group again and apply the modified predefined setting to it.
Command restrictions and batch import of users and groups

Even if you use command restrictions to keep users with the Supervisor profile from creating users and groups and setting their properties in Supervisor, they can still access many of those functionalities through the Import Users/Groups command (on the File menu) unless that command is also restricted. What is the Import Users/Groups command? Available on the File menu, this command is used to automatically create users and groups and define or edit their properties in a single batch operation. You can restrict many of the equivalent actions in Supervisors user interface by using command restrictions, for example on creating new users or changing user profiles. However, even if they are restricted in the interface they will remain possible through the Import User/Group command unless the batch import function is also restricted. If you restrict any security commands affecting the creation or update of users, groups, or their properties, remember to also restrict the Import Users/Groups command in the Miscellaneous security command family of Supervisor. For more information on batch import of users and groups, see Importing and Exporting Users and Groups on page 213.
What about users who belong to more than one group?

You may have users who belong to more than one group and therefore have several instances. What happens if a users instances have different settings for a security command? The rule is simple: it is the most restrictive setting that has precedence. Because login does not take group membership into account, the repository does not grant any permission to a user unless all instances of that user have that permission. Group and user inheritance is described fully in Assigning and restricting resources to multiple user instances on page 173. Briefly, if a users setting is Inherit, the user inherits the setting applied to the group. If the user has a setting
Supervisors Guide
251
other than Inherit, that setting has precedence over the groups setting. But no matter how inheritance affects a users security command setting, when the user logs in, the most restrictive setting of all the users instances are applied. The following table shows what happens on login for a user with instances in three different groups. The settings shown do not include Inherit, since that setting, when followed to the beginning of the inheritance chain, corresponds to one of the three others. Group 1 User A User B User C Disabled Enabled Disabled Group 2 Disabled Disabled Hidden Group 3 Hidden Enabled Enabled At Login Hidden Disabled Hidden
252
Supervisors Guide
BusinessObjects security commands

Security commands are grouped in families according to area of functionality. The security command families for BusinessObjects are: Analysis: Drill Mode and Slice-and-Dice Mode Business Applications: SAP BAPI Connection: create and edit connections Documents: document handling, data providers, categories, etc. Free-hand SQL Miscellaneous Multidimensional Data: OLAP use Personal Data Files: editing and using them Programmability: scripts and VBA code Query Technique Stored Procedure Tools: login and password
Security command family: analysis

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Drill further in a report by retrieving new data Edit the scope of analysis I disable or hide Security Command... Drill Through Edit Scope of Analysis
Drill down to a finer level of analysis in Work in Drill Mode reports Use the Slice and Dice Panel Work with BusinessMiner Work in Slice-and-Dice Mode Work with BusinessMiner
Supervisors Guide
253
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Drill Through Effects on user interface are... Open a report; click the Drill button on the Standard tool bar, or click Drill on the Analysis menu; in the report, select a cell: Right-click the cell; the Drill Through command on the shortcut menu is unavailable. On the Analysis menu, the Drill Through command is unavailable. Open a report; click the Drill button on the Standard tool bar, or click Drill on the Analysis menu; in the report, select a cell: Right-click the cell; the Scope of Analysis command on the shortcut menu is unavailable. On the Analysis menu, the Scope of Analysis command is unavailable.
Edit Scope of Analysis
254
Supervisors Guide
I disable or hide Security Command... Work in Drill Mode
Effects on user interface are... The Drill button on the Standard tool bar is not available. Right-click a report tab in the document (at the bottom of the report); the Drill command on the shortcut menu is not available. On the Tools menu, click Options; in the Options dialog box, the Drill tab is unavailable. The Drill button on the Standard tool bar is not available. Right-click a report tab in the document (at the bottom of the report); the Drill command on the shortcut menu is not available. On the Tools menu, click Options; in the Options dialog box, the Drill tab is unavailable. On the Analysis menu, the following commands are unavailable: - Drill - Drill Down - Drill Up - Expand - Collapse - Snapshot - Hierarchies - Scope of Analysis The Slice and Dice button on the Standard tool bar is not available. On the Analysis menu, the Slice and Dice command is unavailable. The BusinessMiner button on the Standard Tool bar is not available. On the Analysis menu, the BusinessMiner command is not available.
Work in Slice-and-Dice Mode
Work with BusinessMiner
Supervisors Guide
255
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Drill Through Edit Scope of Analysis Work in Drill Mode Work in Slice-and-Dice Mode Work with BusinessMiner Effects on object model are... Not Applicable Not Applicable Not applicable Not applicable Not applicable
Security command family: connections

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Create a new connection or edit an existing one I disable or hide Security Command... Create and Edit Connections
256
Supervisors Guide
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Create and Edit Connections Effects on user interface are... Click the View Data button on the Standard tool bar or, on the Data menu, click View Data; click Export in the Data Manager dialog box; in the Export to External Format dialog box, the following are unavailable: - The Export to RDBMS option - The Connection button In the Free-Hand SQL Editor, the Create Connection and Edit Connection buttons are not available.
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Create and Edit Connections Effects on object model are... Not applicable
Supervisors Guide
257
Security command family: documents

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Send documents to Broadcast Agent with attached VBA scripts I disable or hide Security Command... Attach Scripts to Scheduled Processing
Change the folders in which user Change File Locations documents, user templates, universes, scripts, and BusinessMiner documents are stored by default. Hide or display report components based on conditions Cut or Copy material to the clipboard Create a new document Conditional Formatting Copy to Clipboard Create Documents
Use a universe data provider to create Refresh Documents a new document or refresh an existing document Save documents as templates Create Templates Modify a query or change the universe Data Provider Manipulation it is based on Delete documents from the repository Delete Corporate Documents Sent By that were sent by other users Other Users I do want my group/user to add, modify, or delete channels Do Not Manage Channels Applies to version 5.x users only
I do want my group/user to use the Do Not Refresh With the Profile of Report Bursting feature with Broadcast Each Recipient Agent Rename, duplicate, insert or delete a report in a document Modify the Euro exchange rates used by the Euro Converter function Document Interactions Edit Euro Converter Rate
258
Supervisors Guide
I dont want my group/user to... Convert currency figures in reports to and from Euros Export data from a data provider to another format (file, RDBMS or clipboard) Create, edit or delete any corporate categories Create, edit or delete corporate categories the user has created Print documents Publish documents to channels Refresh documents Select individual elements of a report to cut, copy, clear, duplicate or delete Add a new data provider for a report Retrieve documents sent by other users Retrieve documents from the repository Retrieve documents from Broadcast Agent Save documents Save documents without security constraints for offline use
I disable or hide Security Command... Euro Converter Export to External Format Applies to version 5.x users only Manage All Corporate Categories Manage My Corporate Categories Print Documents Push Documents Applies to version 5.x users only Refresh Documents Report Interactions Report Interactions Applies to version 5.x users only Retrieve Documents from Other Users Retrieve Documents from Repository Retrieve Documents from Scheduled Processing Save Documents Save for All Users
Send documents to the repository with Schedule Corporate Documents scheduled processing by Broadcast Agent Send documents to Broadcast Agent Send Documents for Scheduled Processing
Supervisors Guide
259
I dont want my group/user to... Send documents as email from BusinessObjects Send documents to users Publish to corporate documents Monitor and control Broadcast Agent tasks
I disable or hide Security Command... Send Documents to MAPI Send Documents to Other Users Send Documents to Repository Use Broadcast Agent Console
Create reports with templates or apply Use Templates templates to existing reports Use Broadcast Agent to publish documents to a Web server in HTML format Work with Web Server
260
Supervisors Guide
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Attach Scripts to Scheduled Processing Effects on user interface are... Click the Send to Broadcast Agent button on the Document Exchange tool bar or, on the File menu, click Send To and select Broadcast Agent; in the Send to Broadcast Agent dialog box, choose the Actions tab; select Custom macros in the list of available standard actions, then click Add; an error message is returned saying you are not authorized to use the option. On the Tools menu, click Options; in the Options dialog box, select the File Locations tab; the Change button is unavailable. In a report: Select a table, crosstab or chart; click the Format Block button in the Report tool bar, or, on the Format menu, click Table, or right-click and choose Format Table on the shortcut menu; select the Appearance tab; the Hide Block option is unavailable. Select a section; on the Format menu, click Section, or right-click and select Format Section on the shortcut menu; the Hide Section Header and Hide Section Footer options (if applicable) are unavailable. Select a cell; right-click and select Format Cell on the shortcut menu; the Hide Cell option is unavailable.
Change File Locations
Conditional Formatting
Supervisors Guide
261
I disable or hide Security Command... Copy to Clipboard
Effects on user interface are... Click the View Data button on the Standard tool bar or, on the Data menu, click View Data; in the Data Manager dialog box, select the results tab and click Export; in the Export to External Format dialog box, the Copy to DDE option is unavailable. In the Standard tool bar, the following buttons are unavailable: - Cut - Copy On the Edit menu, the following commands are unavailable: - Cut - Copy - Copy All Select a title, cell or table and right-click; on the shortcut menu, the following commands are unavailable: - Cut - Copy On the Standard tool bar, the New button is unavailable. On the File menu, the New command is unavailable. On the Tools menu, click Options; in the Options dialog box, the New Document tab is unavailable. On the Tools menu, click Options; in the Options dialog box, select the General tab; under StartUp Options, the Show Welcome Wizard option is unavailable. On the standard tool bar, the New Report Wizard button is unavailable.
Create Documents
262
Supervisors Guide
I disable or hide Security Command... Create Templates
Effects on user interface are... On the File menu, click Save As; in the Save As dialog box, BusinessObjects Templates (*.ret) does not appear in the Save as type list. On the Standard tool bar, the Edit Data Provider button is unavailable. On the Data menu, the Edit command is unavailable. On the Data menu, the New Data Provider Command is unavailable. On the Data menu, click View Data; in the Data Manager dialog box, under Data Providers: - The Edit button is unavailable. - The Delete button is unavailable. In the Definition tab of the Data Manager dialog box: - The Editable option is unavailable. - The button next to the Universe name, which is used to call the Change Universe dialog box, is unavailable. When building a new report, you cannot select a universe, but it is possible to select personal data files or OLAP.
Data Provider Manipulation
Delete Corporate Documents Sent By Other Users
Click the Retrieve from Corporate Documents button on the Document Exchange tool bar or, on the File menu, click Retrieve From and select Corporate Documents; in the Retrieve dialog box, select a document; the Delete button is unavailable. Click the Send to Broadcast Agent button on the Document Exchange tool bar or, on the File menu, click Send To and select Broadcast Agent; in the Send Document to Broadcast Agent dialog box, select the Actions tab; the Refresh with the Profile of Each Recipient option is available.
Do Not Refresh With the Profile of Each Recipient
Supervisors Guide
263
I disable or hide Security Command... Document Interactions
Effects on user interface are... On the Insert menu, the Report command is unavailable. On the Edit menu, the Duplicate Report and Delete Report commands are unavailable. On the Format menu, click Report; on the submenu, the Rename command is unavailable. Right-click a report tab in a document (at the bottom of the report); on the shortcut menu, the following commands are unavailable: - Rename Report - Insert Report - Duplicate Report - Delete Report
Do not Manage Channels Click the Publish to Channels button on the tool bar or, on the File menu, click Publish To and select Applies to version 5.x Channels; in the Publish to Channel dialog box, the users only Manage button is available. Export to External Format Applies to version 5.x users only Click the View Data button on the Standard tool bar or, on the Data menu, click View Data; in the Data Manager dialog box, select the Results tab; the Export button is unavailable. Click the Edit Data Provider button on the Standard tool bar or, on the Data menu, click Edit Data Provider; in the Query Panel, click View; in the Data Manager dialog box, select the Results tab; the Export button is unavailable.
Edit Euro Converter Rates
Select a currency figure in a report; on the Data menu, click Euro Converter; on the submenu, click Display Conversion Rates; in the Conversion Rates dialog box, the Add, Remove, and Edit buttons are unavailable.
264
Supervisors Guide
I disable or hide Security Command... Euro Converter
Effects on user interface are... Select a currency figure in a report; on the Data menu, click Euro Converter; on the submenu, all the commands are unavailable: Convert to Euros Convert from Euros Display Rounding Errors Display Conversion Rates. When Manage All Corporate Categories and Manage My Corporate Categories are set to Disabled or Hidden: On the Tools menu, the Manage Categories command is unavailable. When Manage All Corporate Categories is set to Disabled or Hidden and Manage My Corporate Categories is set to Enabled: On the Tools menu, click Manage Categories; in the Categories dialog box, click any category of which you are not the owner; the Add, Delete, Edit, and Propagate Owner buttons are unavailable. When Manage All Corporate Categories is set to Enabled and Manage My Corporate Categories is set to Disabled or Hidden: Full rights to all category management functionality.
Manage My Corporate Categories and Manage All Corporate Categories
Supervisors Guide
265
I disable or hide Security Command... Print Documents
Effects on user interface are... On the File menu, the following commands are unavailable: - Print - Print Preview - Page Setup On the Standard tool bar, the following buttons are unavailable: - Print - Print Preview Click the Send to Broadcast Agent button on the Document Exchange tool bar or, on the File menu, click Send To and select Broadcast Agent; in the Send Document to Broadcast Agent dialog box, select the Actions tab; select Print in the list of available standard actions, then click Add; an error message is returned saying you are not authorized to use the option. The Publish to Channels button in the Document Exchange tool bar is unavailable. On the File menu, click Publish To; the Channels submenu command is unavailable.
Push Document Applies to version 5.x users only
266
Supervisors Guide
I disable or hide Security Command... Refresh Documents
Effects on user interface are... On the Data menu, the Refresh command is unavailable. On the Data menu, the Insert New Data Provider command is unavailable. On the Insert menu, click Table, Crosstab or Chart; click in the current report; in the New Table Wizard, the choices "Build a new query on the universe currently in use" and "Access new data in a different way" are not offered. Click the View Data button on the Standard tool bar or, on the Data menu, click View Data; select the Results tab: - The Refresh button is unavailable. - Click Options; in the Query Options dialog box, the Do Not Retrieve Data option is selected and unavailable. Select the Definition tab: - The Refreshable option is unavailable. - The Automatic Refresh option is unavailable. - the button next to the Universe name, which calls the Change Universe dialog box, is unavailable. Launch BusinessObjects, or if it is already launched, open the File menu and click New; in the New Report Wizard, choose Generate a Standard Report; click Begin; the Universe option for data access is unavailable. On the File menu, click Retrieve From > Corporate Documents; in the Retrieve dialog box, select a document and click OK; when the document opens, the Edit Data Provider command on the Data menu is unavailable.
Supervisors Guide
267
I disable or hide Security Command... Report Interactions Applies to version 5.x users only
Effects on user interface are... It is impossible to select any part of a report (title, cell, graphic, crosstab, etc.). As a result, the following commands on the Edit menu are never available: - Cut - Copy - Clear - Delete Because no title, cell, graphic, crosstab, etc., in a report can be selected, it is impossible to see a shortcut menu for them by right-clicking. On the Document Exchange tool bar, the Retrieve from Users button is unavailable. On the File menu, click Retrieve From; the Users submenu command is unavailable. On the Document Exchange tool bar, the Retrieve from Corporate Documents button is unavailable. On the File menu, click Retrieve From; the Corporate Documents submenu command is unavailable. On the Document Exchange tool bar, the Retrieve from Broadcast Agent button is unavailable. On the File menu, click Retrieve From; the Broadcast Agent submenu command is unavailable.
Retrieve Documents from Other Users Retrieve Documents from Repository
Retrieve Documents from Scheduled Processing
268
Supervisors Guide
I disable or hide Security Command... Save Documents
Effects on user interface are... On the Standard tool bar, the Save button is unavailable. On the File menu, the following commands are unavailable: - Save - Save As - Save As HTML - Save All
Save Documents For All Users Schedule Corporate Documents
On the File menu, click Save As; in the Save As dialog box, the Save For All Users option is unavailable. On the Document Exchange tool bar, click the Publish to Corporate Documents button or, on the File menu, click Publish To and select Corporate Documents; in the Send dialog box, the Scheduling button is unavailable. On the Document Exchange tool bar, the Send to Broadcast Agent button is unavailable. On the File menu, click Send To; the Broadcast Agent submenu command is unavailable. On the Document Exchange tool bar, the Send to Mail button is unavailable. On the File menu, click Send To; the Mail submenu command is unavailable. On the Document Exchange tool bar, the Send to Users button is unavailable. On the File menu, click Send To; the Users submenu command is unavailable. On the Document Exchange tool bar, the Publish to Corporate Documents button is unavailable. On the File menu, click Publish To; the Corporate Documents submenu command is unavailable.
Send Documents for Scheduled Processing
Send Documents to MAPI Send Documents to Other Users Send Documents to Repository
Supervisors Guide
269
I disable or hide Security Command... Use Broadcast Agent Console Use Templates
Effects on user interface are... On the Tools menu, the Console command is unavailable. Launch the New Report Wizard; in the Create a New Report step, the Select a template option is unavailable. On the Format menu, click Report; the Apply Template submenu command is unavailable. On the Tools menu, click Options; in the Options dialog box, the following options are unavailable: - Prompt User - Select a Template - Use a Default Template
Work with Web Server
On the Document Exchange tool bar, click Send to Broadcast Agent or, on the File menu, click Send To and select Broadcast Agent; in the Send to Broadcast Agent dialog box, select the Distribution tab; select the Distribute via Web Server option; an error message is returned saying you are not authorized to use the option.
270
Supervisors Guide
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Attach Scripts to Scheduled Processing Change File Locations Conditional Formatting Copy to Clipboard Create Documents Create Templates Data Provider Manipulation Effects on object model are... DocAgentOption.CustomScript: (R) instead of (R/W). Application.GetInstallDirectory returns an error. Not applicable Not applicable Documents.Add returns an error. Document.SaveAs(*.ret) returns an error. DataProvider.Edit and DataProvider.Queries generate errors.
Delete Corporate Documents Sent By Not applicable Other Users Do Not Refresh With the Profile of Each Recipient Do Not Manage Channels Applies to version 5.x users only Document Interactions Export to External Format Applies to version 5.x users only Edit Euro Converter Rates Euro Converter Manage All Corporate Categories Manage My Corporate Categories Document.Reports generates an error. DataProvider.ConvertTo and DataProvider.ExportToRDBMS generate errors. Not applicable Not applicable Not applicable Not applicable DocAgentOption.RefreshInTheName OfTheRecipient=TRUE generates an error. Not applicable
Supervisors Guide
271
I disable or hide Security Command... Print Documents
Effects on object model are... Document.PrintOut, Document.PrintDialog and Report.PrintOut generate errors.
Push Document Applies to version 5.x users only Refresh Documents Report Interactions Applies to version 5.x users only
Not applicable Document.Refresh and DataProvider.Refresh generate errors. Document.Reports generates an error.
Retrieve Documents from Other Users Documents.Receive generates an error when Application.ExchangeMode = boUserMode. Retrieve Documents from Repository Documents.Receive generates an error when Application.ExchangeMode = boRepositoryMode or Application.ExchangeMode = boRepositoryModeNoOverwrite. Retrieve Documents from Scheduled Processing Documents.Receive generates an error when Application.ExchangeMode = boBroadcastServerMode or Application.ExchangeMode = boDocAgentMode. Save Documents Document.ExportToPDF, Document.ExportSheetsAsHtml, Document.Save, Document.SaveAs, Report.ExportAsRtf, Report.ExportAsText, Report.ExportAsHtml and Report.ExportToPDF generate errors.
272
Supervisors Guide
I disable or hide Security Command... Save Documents For All Users Schedule corporate documents Send Documents for Scheduled Processing Send Documents to MAPI Send Documents to Other Users
Effects on object model are... Not applicable Not applicable Document.DocAgentOption generates an error. Not applicable Document.Send generates an error when Application.Exchange Mode = boUserMode. Document.Send generates an error when Application.ExchangeMode = boRepositoryMode or Application.ExchangeMode = boRepositoryModeNoOverwrite.
Send Documents to Repository
Use Broadcast Agent Console Use Templates Work with Web Server
Not applicable Report.ApplyTemplate generates an error. Not applicable
Supervisors Guide
273
Security command family: free-hand SQL

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Edit a query which uses free-hand SQL scripts as a data provider Create a query using free-hand SQL scripts as a data provider Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Edit Free-hand SQL Scripts Effects on user interface are... Open a document made with free-hand SQL scripts; on the Standard tool bar, click the Edit Data Provider button or, on the Data menu, click Edit Data Provider; if the List of Data Providers dialog box appears, click the script you want to edit, then OK; in the Free-Hand SQL Editor, the following are unavailable: the Open button the Save button the Parse button the list of connections the "Test the connection" button the "Edit connection" button the "Create a new connection" button I disable or hide Security Command... Edit Free-hand SQL Scripts Use Free-hand SQL
274
Supervisors Guide
I disable or hide Security Command... Use Free-hand SQL
Effects on user interface are... On the Report tool bar, click the Insert Table, Insert Crosstab or Insert Chart button, or on the Insert menu, click Table, Crosstab or Chart; in the New Table wizard, New Crosstab wizard or New Chart wizard, respectively, select "Access new data in a different way" and click Begin; in the Specify Data Access step, select Others; in the list box, the Free-Hand SQL choice is not offered. On the Tools menu, click Options; in the Options dialog box, select the New Document tab; select Use a Different Data Provider; in the list box, the Free-Hand SQL choice is not offered. Open a document made with free-hand SQL scripts; on the Standard tool bar, click the Edit Data Provider button or, on the Data menu, click Edit Data Provider; if the List of Data Providers dialog box appears, click the script you want to edit, then OK; in the Free-Hand SQL Editor, the following are unavailable: - the Open button - the Save button - the Parse button - the list of connections - the "Test the connection" button - the "Edit connection" button - the "Create a new connection" button
Supervisors Guide
275
I disable or hide Security Command... Use Free-hand SQL (continued)
Effects on user interface are... Open an existing document made with Visual Basic procedures as the data provider; on the Standard tool bar, click View Data or, on the Data menu, click View Data; in the Data Manager dialog box, click Edit; in the Query Panel, all options except Cancel are unavailable. Open an existing document made with Visual Basic procedures as the data provider; on the Standard tool bar, click Edit Data Provider or, on the Data menu, click Edit Data Provider; in the Query Panel, all options except Cancel are unavailable.
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Edit Free-hand SQL Scripts Use Free-hand SQL Effects on object model are... Not applicable (code in data provider) Not applicable (code in data provider)
276
Supervisors Guide
Security command family: miscellaneous

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... I disable or hide Security Command...
I do want my user/group to see which Cannot view user/groups hierarchy users belong to which groups when sending documents Send documents to users outside own View All Users group
Supervisors Guide
277
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Cannot View User/ Groups Hierarchy Effects on user interface are... Create or open a document: Click the Send to Users button on the Document Exchange tool bar, or, on the File menu, click "Send to," then click Users in the submenu; in the Send dialog box, click To; in the Select Users and Groups dialog box, the Groups option is available. Click the Send to Broadcast Agent button on the Document Exchange tool bar, or, on the File menu, click "Send to", then click Broadcast Agent in the submenu; in the Send Document to Broadcast Agent dialog box, go to the Distribution tab; select the Distribute via the BusinessObjects Repository option; click To; in the Select Users and Groups dialog box, the Groups option is available. Create or open a document; on the File menu, click Send To, then Users; in the Send dialog box, click To; in the Select Users and Groups dialog box, only the groups the user belongs to and the members of those groups appear as available document recipients. Create or open a document; on the Document Exchange tool bar, click the Send to Users button; in the Select Users and Groups dialog box, only the groups the user belongs to and the members of those groups appear as available document recipients.
View All Users
278
Supervisors Guide
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Cannot view user/groups hierarchy View All Users Effects on object model are... Not applicable Not applicable
Security command family: multidimensional data

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Edit a query which uses DB2 OLAP as a data provider I disable or hide Security Command... Edit DB2 OLAP Data
Edit a query which uses Essbase as a data provider Edit Essbase Query Edit a query which uses Express as a data provider Edit Express query Create a query which uses DB2 OLAP as a data provider Create a query which uses Essbase as a data provider Create a query which uses Express as a data provider Use DB2 OLAP Data Use Essbase data Use Express data
Supervisors Guide
279
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Edit DB2 OLAP Data Edit Essbase Query Edit Express Query Effects on user interface are... Disabling or hiding these security commands has similar effects for each: Open a document that was created using the OLAP data provider referred to in the command; on the Standard tool bar, click the Edit Data Provider button or, on the Data menu, click Edit Data Provider; an error message is returned telling you that you are not authorized to edit the data provider. Disabling or hiding these security commands has similar effects for each: In the New Report wizard, go to the Specify Data Access step; the type of query or data referred to by the security command does not appear in the Others list of data providers. Click the Insert Chart button on the Report tool bar, or click Chart on the Insert menu; in the Specify Data Access step of the New Chart wizard, the type of query or data referred to by the security command does not appear in the Others list of data providers. On the Tools menu, click Options; in the Options dialog box, choose the New Document tab; the type of query or data referred to by the security command does not appear in the Use a Different Data Provider list.
Use DB2 OLAP Data Use Essbase data Use Express data
280
Supervisors Guide
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Edit DB2 OLAP Data Edit Essbase Query Edit Express query Use DB2 OLAP Data Use Essbase data Use Express data Effects on object model are... Not applicable (code in data provider) Not applicable (code in data provider) Not applicable (code in data provider) Not applicable (code in data provider) Not applicable (code in data provider) Not applicable (code in data provider)
Security command family: personal data files

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Edit a report which uses Excel, dBase or ASCII files as a data provider I choose Security Command... Edit Personal Data Files
Create a report using Excel, dBase or ASCII Use Personal Data Files text files as a data provider
Supervisors Guide
281
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Effects on user interface are... Open a document that was created using personal data files (Excel, dBase or ASCII text files); on the Standard tool bar, click the Edit Data Provider button or, on the Data menu, click Edit Data Provider; in the Access Personal Data dialog box, all the options in the File and Worksheet/ Workbook File sections are unavailable. Open a document that was created using personal data files (Excel, dBase or ASCII text files); on the Standard tool bar, click the View Data button or, on the Data menu, click View Data; in the Data Manager dialog box, click Edit; in the Access Personal Data dialog box, all the options in the File and Worksheet/Workbook File sections are unavailable. All the effects of the Edit Personal Data Files security command; in addition, the View and Run options in the Access Personal Data dialog box are unavailable. In the New Report wizard, go to the Specify Data Access step; "Personal Data Files" does not appear in the Others list of data providers. Click the Insert Chart button on the Report tool bar, or click Chart on the Insert menu; in the Specify Data Access step of the New Chart wizard, the type of query or data referred to by the security command does not appear in the Others list of data providers. On the Tools menu, click Options; in the Options dialog box, choose the New Document tab; the type of query or data referred to by the security command does not appear in the Use a Different Data Provider list.
Edit Personal Data Files
Use Personal Data Files
282
Supervisors Guide
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Edit Personal Data Files Use Personal Data Files Effects on object model are... Not applicable (code in data provider) Not applicable (code in data provider)
Security command family: programmability

Download Microsoft VBA cab files Download VBA from WebIntelligence when BusinessObjects is installed via Applies to 5.x users only the InfoView portal for use in 3-tier mode. Edit VBA macros used in reports Edit Scripts/VBA code Applies to 5.x users only Run VBA code Install or Uninstall VBA add-ins Run Scripts/VBA Code Install/Uninstall Add-Ins Convert Report Scripts to VBA macros Import/Convert Scripts
Supervisors Guide
283
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Download VBA from WebIntelligence Applies to 5.x users only Effects on user interface are... None. When this is disabled, InfoView users who download BusinessObjects via the InfoView portal for use in 3-tier mode do not download Microsoft VBA cab files at the same time. These files provide a VBA editor. When the editor is not needed, disabling this command before BusinessObjects is downloaded saves disk space. Open a document containing a VBA macro; on the Tools menu, click Macro or, on the Visual Basic tool bar, click the Edit Macros button; the Visual Basic Editor submenu command is unavailable. Open a document containing a VBA macro; on the Tools menu, click Macro or, on the Visual Basic tool bar, click the Edit Macros button; click Macros; in the Macros dialog box, all options except Run, Cancel and Help are unavailable. Open a document containing a VBA macro; on the Visual Basic tool bar, all the buttons are unavailable.
Edit Scripts/VBA code
Note: For a 4.1 user, the effects will be equivalent on Report Scripts. Import/Convert Scripts Applies to 5.x users only Run Scripts/VBA Code On the Tools menu, click Macro; the Convert from Report Script submenu command is unavailable. Open a document containing a VBA macro; on the Tools menu, click Macro or, on the Visual Basic tool bar, click the Edit Macros button; click Macros; in the Macros dialog box, the Run option is unavailable. On the Tools menu, the Add-Ins command is unavailable.
Install/Uninstall Add-Ins
284
Supervisors Guide
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Download VBA from WebIntelligence server Edit Scripts/VBA code Import/Convert Scripts Effects on object model are... Not applicable. Applies to 5.x users only Application.VBE generates an error. Application.ReceiveScript generates an error. Applies to 5.x users only Run Scripts/VBA Code Application.ExecuteMacro, Application.VBE and Document.ExecuteMacro generate errors. Install/Uninstall Add-Ins Document.Installed=TRUE returns an error.
Supervisors Guide
285
Security command family: query technique

I do want the SQL of my group/users Do not always regenerate SQL queries to be regenerated with each refresh Edit lists of values in universes Modify existing queries Modify the SQL of queries Refresh lists of values in universes I do want my group/user to be able to use other SQL statements than "Select" Use Lists of Values in universes Create new queries Create, edit or delete user objects Edit Lists of Values Edit Query Edit Query SQL Refresh Lists of Values Restrict SQL to Select only Use Lists of Values Use Queries Use User Objects
View and edit the SQL generated by a query View Query SQL
286
Supervisors Guide
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Effects on user interface are...
Do not always regenerate None. The SQL of the query is regenerated with SQL each refresh cycle. Edit Lists of Values On the Tools menu, click Universes; in the Universes dialog box, select a universe and click Lists of Values; in the Lists of Values dialog box, select an object; the Edit option is unavailable. On the Standard toolbar, the Edit Data Provider button is unavailable. On the Data menu, the Edit Data Provider command is unavailable. On the Standard tool bar, click the View Data Provider button or, on the Data menu, click View Data Provider; in the Data Manager dialog box, the Edit button is unavailable. Create a report, or open an existing report and open the Query Panel; in the Query Panel, click the View SQL button in the toolbar; the SQL commands cannot be edited in the window and the following are unavailable: - the Regenerate button - the Parse button - the "Do not generate SQL before running" check box
Edit Query
Supervisors Guide
287
I disable or hide Security Command... Edit Query SQL
Effects on user interface are... On the Standard toolbar, click the Edit Data Provider button or, on the Data Menu, click Edit Data Provider; in the Query panel, click the View SQL button; in the SQL Viewer dialog box, the X and Y buttons and the "Do not generate SQL before running" option are unavailable. On the Standard toolbar, click the View Data button or, on the Data Menu, click View Data; in the Data Manager dialog box, click Edit; in the Query panel, click the View SQL button; in the SQL Viewer dialog box, the X and Y buttons and the "Do not generate SQL before running" option are unavailable. On the Standard toolbar, click the Edit Data Provider button or, on the Data menu, click Edit Data Provider; in the Conditions pane of the Query panel, add or modify a condition; in the condition, select an operand and double-click "Show list of values" in the list of operands in the left-hand pane; in the List of Values dialog box, the Refresh option is unavailable. On the Standard toolbar, click the View Data button or, on the Data menu, click View Data; in the Data Manager dialog box, click Edit; in the Conditions pane of the Query panel, add or modify a condition; in the condition, select an operand and double-click "Show list of values" in the list of operands in the left-hand pane; in the List of Values dialog box, the Refresh option is unavailable. On the Tools menu, click Universes; in the Universes dialog box, select a universe and click Lists of Values; in the Lists of Values dialog box, the Edit, Purge and Refresh options are unavailable; select an object and click Display; in the List of Values of... dialog box, the Refresh option is unavailable.
Refresh Lists of Values
288
Supervisors Guide
I disable or hide Security Command... Restrict SQL to Select only
Effects on user interface are... None. (When this command is disabled, you are not restricted to using only "select" clauses in SQL you send; when it is enabled and the restriction applies, you will receive an error message if you try to send anything but "select" clauses in your SQL.) On the Tools menu, click Universes; in the Universes dialog box, the Lists of Values option is unavailable. On the Standard toolbar, click the Edit Data Provider button or, on the Data menu, click Edit Data Provider; in the Conditions pane of the Query panel, add or modify a condition that includes operands; "Show list of values" does not appear in the list of operands in the left-hand pane. On the Standard toolbar, click the View Data button or, on the Data menu, click View Data; in the Data Manager dialog box, click Edit; in the Conditions pane of the Query panel, add or modify a condition that includes operands; "Show list of values" does not appear in the list of operands in the left-hand pane.
Use Lists of Values
Supervisors Guide
289
I disable or hide Security Command... Use Queries
Effects on user interface are... In the New Report wizard, go to the Specify Data Access step; the Universe option is unavailable. On the Tools menu, click Options; in the Options dialog box, select the New Document tab; under Data Access, the Select a Universe and Use the Default Universe options are unavailable. Open a report and, on the Insert menu, click Table, Crosstab, or Chart, or, on the Report toolbar, click the Table, Crosstab, or Chart button; click in the report; in the Insert a New Table (or Crosstab or Chart) wizard, the "Build a new query on the universe currently in use" is unavailable. On the Data menu, click New Data Provider; in the Insert New Data wizard, the "Build a new query on the universe currently in use" is unavailable. On the Tools menu, click Universes; in the Universes dialog box, the User Objects option is unavailable. On the Standard toolbar, click the Edit Data Provider button or, on the Data menu, click Edit Data Provider; in the Query panel, the User Objects button on the toolbar is unavailable. On the Standard toolbar, click the View Data button or, on the Data menu, click View Data; in the Data Manager dialog box, click Edit; in the Query panel, the User Objects button on the toolbar is unavailable.
Use User Objects
290
Supervisors Guide
I disable or hide Security Command... View Query SQL
Effects on user interface are... On the Standard toolbar, click the Edit Data Provider button or, on the Data menu, click Edit Data Provider; in the Query panel, the View SQL button on the toolbar is unavailable. On the Standard toolbar, click the View Data button or, on the Data menu, click View Data; in the Data Manager dialog box, click Edit; in the Query panel, the View SQL button on the toolbar is unavailable.
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Do not always regenerate SQL Edit Lists of Values Edit Query Edit Query SQL Refresh Lists of Values Restrict SQL to Select only Use Lists of Values Use Queries Use User Objects View Query SQL Effects on object model are... Not applicable ListofValues.Edit generates an error. Queries to Data Providers class and child classes generate an error. Not applicable (code in data provider) ListofValues.Refresh generates an error. Not applicable (error is generated on SQL generation). Object.ListofValues generates an error. DataProvider.Queries generates an error. Not applicable Not applicable (error is generated when SQL is retrieved).
Supervisors Guide
291
Security command family: stored procedure

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... I disable or hide Security Command... Edit stored procedures Create stored procedures Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Effects on user interface are... Open a document that was created using a stored procedure; on the Standard toolbar, click the Edit Data Provider button or, on the Data menu, click Edit Data Provider; in the dialog box that appears, all options are unavailable. Open a document that was created using a stored procedure; on the Standard toolbar, click the View Data button or, on the Data menu, click View Data; in the Data Manager dialog box, click Edit; in the dialog box that appears, all options are unavailable. Edit Stored Procedures Use Stored Procedures
Edit Stored Procedures
292
Supervisors Guide
I disable or hide Security Command...
Effects on user interface are... On the File menu, click Open or, on the Standard toolbar, click the Open button; in the Open dialog box, select a document built using stored procedures and click Open; the document will not open and you will receive an error message telling you that you are not authorized to use the document. In the New Report wizard, go to the Specify Data Access step; Stored Procedures does not appear in the Others list of data providers. Click the Insert Table button on the Report toolbar, or click Table on the Insert menu; in the Specify Data Access step of the New Table wizard, Stored Procedures does not appear in the Others list of data providers. Click the Insert Crosstab button on the Report toolbar, or click Crosstab on the Insert menu; in the Specify Data Access step of the New Crosstab wizard, Stored Procedures does not appear in the Others list of data providers. Click the Insert Chart button on the Report toolbar, or click Chart on the Insert menu; in the Specify Data Access step of the New Chart wizard, Stored Procedures does not appear in the Others list of data providers. On the Tools menu, click Options; in the Options dialog box, choose the New Document tab; Stored Procedures does not appear in the Use a Different Data Provider list.
Use Stored Procedures
Supervisors Guide
293
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Edit Stored Procedures Use Stored Procedures Effects on object model are... Not applicable (code in data provider) Not applicable (code in data provider)
Security command family: tools

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... I disable or hide Security Command... Log in as another user from a BusinessObjects session Change their own password Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Effects on user interface are... Login As Change Password Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Change Login Change Password Effects on object model are... Not applicable Not applicable On the Tools menu, the Login As option is unavailable. On the Tools menu, the Change Password option is unavailable. Login As Change Password
294
Supervisors Guide
Designer security commands

Security commands are grouped in families according to area of functionality. The security command families for Designer are: Connection Miscellaneous Tools: login and password Universe
Security command family: connection

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my designer to... I disable or hide Security Command...
Create, modify or remove connections Create, Modify and Remove Connection See and use any secured connections View All Secured Connections other than those created by the user
Supervisors Guide
295
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Create, Modify and Remove Connection Effects on user interface are... On the Tools menu, click Connections; in the Connections dialog box, the Add, Remove and Edit options are unavailable. On the Standard toolbar, click the Quick Design Wizard button; in the Quick Design wizard, go to step 1; the New and Edit options are unavailable. On the Tools menu, click Options; in the General tab of the Options dialog box, select "File/New starts Quick Design wizard"; on the File menu, click New; in the Quick Design wizard, go to step 1; the New and Edit options are unavailable. On the Tools menu, click Options; in the General tab of the Options dialog box, clear the "File/New starts Quick Design wizard" option; on the File menu, click New; in the Definition tab of the Universe Parameters dialog box, the New and Edit options are unavailable. On the File menu, click Parameters or, on the Standard toolbar, click the Parameters button; in the Definition tab of the Universe Parameters dialog box, the New and Edit options are unavailable. On the Standard toolbar, click the New button; in the Definition tab of the Universe Parameters dialog box, the New and Edit options are unavailable.
296
Supervisors Guide
I disable or hide Security Command... View All Secured Connections
Effects on user interface are... On the Tools menu, click Connections; in the Connections dialog box, no secured connections are visible except those the user created. On the Standard toolbar, click the Quick Design Wizard button; in the Quick Design wizard, go to step 1; no secured connections appear in the "Select the database connection" list except those the user created. On the Tools menu, click Options; in the General tab of the Options dialog box, select "File/New starts Quick Design wizard"; on the File menu, click New; in the Quick Design wizard, go to step 1; no secured connections appear in the "Select the database connection" list except those the user created. On the Tools menu, click Options; in the General tab of the Options dialog box, clear the "File/New starts Quick Design wizard" option; on the File menu, click New; in the Definition tab of the Universe Parameters dialog box, no secured connections appear in the Connections list except those the user created. On the File menu, click Parameters or, on the Standard toolbar, click the Parameters button; in the Definition tab of the Universe Parameters dialog box, no secured connections appear in the Connections list except those the user created. On the Standard toolbar, click the New button; in the Definition tab of the Universe Parameters dialog box, no secured connections appear in the Connections list except those the user created.
Supervisors Guide
297
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Create, Modify and Remove Connection Effects on object model are... Connections.Add, Connection.Delete generate errors. All properties in Connection are (R) instead of (R/W). View All Secured Connections Application.Connections generates an error.

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my designer to... Refresh the structure window Use the Table Browser I disable or hide Security Command... Refresh Structure Window Use Table Browser
Check the integrity of a universe Check Universe Integrity
298
Supervisors Guide
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Check Universe Integrity Effects on user interface are... Refresh Structure Window Use Table Browser On the Tools menu, the Check Integrity command is unavailable. On the Editing toolbar, the Check Integrity button is unavailable.
On the View menu, the Refresh Structure command is unavailable. On the Insert menu, the Tables command is unavailable On the Editing toolbar, the Table Browser button is unavailable. Double-click the Structure Window; the Table Browser does not appear.
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Check Universe Integrity Refresh Structure Window Use Table Browser Effects on object model are... Universe.CheckedItem generates an error Universe.RefreshStructure generates an error Universe.DbTables generates an error
Supervisors Guide
299

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my designer to... I disable or hide Security Command... Change Password
Log in as another user from a Designer session Login As Change their own password Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Login As Change Password Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Login As Change Password Effects on object model are... Application.LoginAs generates an error. Not applicable Effects on user interface are... On the Tools menu, the Login As command is unavailable. On the Tools menu, the Change Password command is unavailable.
300
Supervisors Guide
Security command family: universe

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my designer to... Apply, to the users of an imported universe, constraints made on that universe by the supervisor Export the list of values associated with an object Export a universe Import a universe Add links to a universe or edit existing links Associate a new list of values with an object or edit an existing one Create a new universe I disable or hide Security Command... Apply Universe Constraints
Export List of Values Export Universe Import Universe Link Universe New List of Values New Universe
I do want my group/user to have the possibility Prevent from Overwriting of exporting a universe to overwrite an existing Universe universe of the same name Print a universe Print Universe See the values associated with a table or object Show Table or Object Values
Supervisors Guide
301
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Apply Universe Constraints Effects on user interface are... There are no effects on the user interface. The effects are: Enabled: when a designer imports a universe to which constraints have been applied in Supervisor, those constraints apply to the universe as it is imported and exported back to the repository. Disabled: when a designer imports a universe to which constraints have been applied in Supervisor, those constraints do not apply to the universe as it is imported and exported back to the repository. Export List of Values Open a universe; in the Universe pane, select an object; on the Edit menu, click Object Properties; (alternatively, right-click the object and on the shortcut menu, click Object Properties); in the Edit Properties dialog box, select the Properties tab; the "Export with universe" option is unavailable. On the File menu, the Export command is unavailable. On the File menu, the Import command is unavailable. On the Edit menu, the Links command is unavailable. On the Insert menu, the Universe command is unavailable. On the File menu, click Parameters or, on the Standard toolbar, click the Parameters button; in the Universe Parameters dialog box, select the Links tab; the Add Link and Change Source buttons are unavailable.
Export Universe Import Universe Link Universe
302
Supervisors Guide
I disable or hide Security Command... New List of Values
Effects on user interface are... On the Tools menu, click Lists of Values; in the Lists of Values dialog box, select an object; the Edit button and the "Corporate Data (Query Panel)" and "Personal Data" options are unavailable. Open a universe; in the Universe pane, select an object; on the Edit menu, click Object Properties; (alternatively, right-click the object and on the shortcut menu, click Object Properties); in the Edit Properties dialog box, select the Properties tab; the following are unavailable: The Associate a List of Values option; The List Name text box; The Restore Default button; The Edit button.
New Universe
On the File menu, the New command is unavailable; on the Standard toolbar, the New button and the Quick Design Wizard buttons are unavailable.
Supervisors Guide
303
Effects on user interface are...
Prevent from Overwriting There are no effects on the user interface. The Universe effects are: Enabled: An error message (indicating that the universe already exists) appears when you export a universe to two different domains, or when you try to import a universe from one domain and export it to another. Disabled: A warning message (asking if you want to overwrite the universe) appears when you try to import a universe from one domain and export it to another. Print Universe On the File menu, the following commands are unavailable: Page Setup Print Preview Print In the Quick Design Wizard, go to step 2, "Create Initial Classes and Objects"; select a column or value; the View Values button is unavailable. Open a universe; in the Structure pane: - Right-click a table name; on the shortcut menu, the View Table Values command is unavailable. - Right-click a column of a table; on the shortcut menu, the View Column Values command is unavailable. Double-click outside a table in the Structure pane or, on the Insert menu, click Tables; in the Table Browser dialog box: - Right-click a table; on the shortcut menu, the View Table Values command is unavailable. - Right-click a column of a table; on the shortcut menu, the View Column Values command is unavailable.
Show Table or Object Values
304
Supervisors Guide
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Apply Universe Constraints Export List of Values Export Universe Import Universe Link Universe New List of Values New Universe Prevent from Overwriting Universe Print Universe Show Table or Object Values Effects on object model are... Not applicable Object.ExportLovWithUniverse = TRUE generates an error. Universes.Export generates an error. Universe.Import generates an error. Linked.Universes.Add generates an error. ListofValues.Edit generates an error. Universes.Add generates an error. Not applicable Universe.PrintDialog and Universe.PrintOut generate errors. Not applicable
Supervisors Guide
305
Supervisor security commands

Security commands are grouped in families according to area of functionality. The security command families for Supervisor are: Administration Console Configuration: command restrictions, predefined settings, user profiles Connection Document Miscellaneous Repository: domains Stored Procedure Tools: login and password Universes User and Group: timestamps, user administration
Security command family: administration console

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want the supervisor to... I disable or hide Security Command... Administrate Broadcast Agents Use Cluster, Module or Audit administration capabilities Administrate user sessions Log into the Business Objects Administration Console Administrate Broadcast Agents Administrate Cluster, Modules and Audit Administrate User Sessions Log Into Administration Console
306
Supervisors Guide
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Administrate Broadcast Agents Effects on user interface are... Log into the Business Objects Administration Console; on the left, select Broadcast Agent Manager; on the right, select a Broadcast Agent: The On and Off buttons are unavailable. The Monitor One More Broadcast Agent button is unavailable. The Stop Monitoring Broadcast Agent(s) button is unavailable. The Disable All Broadcast Agents button is unavailable. The Enable All Broadcast Agents button is unavailable. Click the Parameters button; in the Settings dialog box, change any value; the Apply button is unavailable.
Administrate Cluster, Module Log into the Business Objects Administration and Audit Console: The modules enabled or disabled status cannot be changed. Click a module on the left; on the right; change any parameter; the Apply button is unavailable. In the top bar, click Audit: The User Activity on and off buttons are unavailable. The Log to File and Log to Database buttons are unavailable. Change the path of the user log file or the site manager log file; the Apply button is unavailable.
Supervisors Guide
307
I disable or hide Security Command... Administrate User Sessions
Effects on user interface are... Log into the Business Objects Administration Console; in the top bar, click Site Properties: Change the Locale or Charset; the Apply button is unavailable. The Cluster .key Files Synchronization button is unavailable. Click the List of Logged-In Users button; in the WebIntelligence Logged-in User(s) dialog box, select a user; the End User Sessions button is unavailable. Launch the Business Objects Administration Console; login is impossible.
Log Into Administration Console Effects on object model
The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Effects on object model are... Administrate Broadcast Agents Administrate Cluster, Module and Audit Administrate User Sessions N/A N/A Manager.getLoggedWebiUsers and Manager.endWebiUserSession generate an exception. N/A
Log Into Administration Console
308
Supervisors Guide
Security command family: configuration

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want the supervisor to... Restrict access to functionality using the Command Restriction dialog box, or apply predefined settings to users I disable or hide Security Command... Change Command Attributes
Change a users profile or enable or disable an Change Profile application for a user
Supervisors Guide
309
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Effects on user interface are...
Change Command Attributes
Select a user in the User pane; double-click a product in the Configuration pane, or on the Resources menu click Properties, or click the Resource Properties button; in the Command Restriction dialog box: - Select a security command in the list box on the right; the Status list is unavailable. - The Apply Predefined Settings button is unavailable. On the Tools menu, click Manage Predefined Settings; in the Manage Predefined Settings dialog box: - The Apply to Users button is unavailable. Select a user or group in the User pane, then open the User or Group Properties dialog box; select the Groups and Profiles or Users and Profiles tab; the Profile list is unavailable. Select a user in the User pane and click the Add to Group button, or right-click a user in the User pane and, on the shortcut menu, click Add to Group; in the Add to Group dialog box, the With Profile list is unavailable. Right-click a user in the User pane; on the shortcut menu, the Set Profile To command is unavailable. Select a user or group in the User pane, then: - Select a product in the Configuration pane; on the Resource menu, the Disable Configuration and Enable Configuration commands are unavailable. - Right-click a product in the Configuration pane; on the shortcut menu, the Disable Configuration and Enable Configuration commands are unavailable. - Select a product in the Configuration pane; on the standard toolbar, the Disable Stored Configuration and Enable Stored Configuration commands are unavailable.
Change Profile
310
Supervisors Guide
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Change Command Attributes Change Profile Effects on object model are... Not applicable User.setProfile generates an exception.
Security command family: connection

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want the supervisor to... Create, edit or remove connections I disable or hide Security Command... Create/Edit Connection
See and use any secured connections View All Secured Connections other than those created by the user
Supervisors Guide
311
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Create/Edit Connection Effects on user interface are... On the Tools menu, click Connections or, on the Standard toolbar, click the Connections button; in the Connections dialog box, the Add, Remove and Edit buttons are unavailable. In the Universe pane, select a universe, then click Properties in the Resources menu, or rightclick a universe and click Properties in the shortcut menu; in the Definition tab of the Universe Properties dialog box, the New and Edit buttons are unavailable. On the Tools menu, click Connections or, on the Standard toolbar, click the Connections button; in the Connections dialog box, no secured connections are displayed except those the user created. In the Universe pane, select a universe, then click Properties in the Resources menu, or rightclick a universe and click Properties in the shortcut menu; in the Definition tab of the Universe Properties dialog box, no secured connections are displayed except those the user created.
View All Secured Connections
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Create/Edit Connection View All Secured Connections Effects on object model are... Not applicable Not applicable
312
Supervisors Guide
Security command family: document

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want the supervisor to... Assign documents to a user or group Delete documents Delete lists of values Delete script I disable or hide Security Command... Assign Document Delete Document Delete List of Values Delete Script
Disable a document for a user or group Disable Document Enable a document for a user or group Enable Document Revert documents to inherited permissions Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Assign Document Effects on user interface are... Select a user or group in the User pane: Select the Document pane; on the Resource menu, click Assign; the Document submenu command is unavailable. Select a document in the Document pane; on the standard toolbar, the Assign Document button is unavailable. On the Tools menu, the Delete Document command is unavailable. On the Tools menu, the Delete List of Values command is unavailable. On the Tools menu, the Delete Script command is unavailable. Revert Document to Inherited Permissions
Delete Document Delete List of Values Delete Script
Supervisors Guide
313
I disable or hide Security Command... Disable Document
Effects on user interface are... Select a user or group in the User pane: Select the Document pane; on the Resources menu, the Disable Document command is unavailable. In the Document pane, right-click a document; on the shortcut menu, the Disable Document command is unavailable. Select a document in the Document pane; on the standard toolbar, the Disable Document button is disabled. Select a user or group in the User pane: Select the Document pane; on the Resources menu, the Enable Document command is unavailable. In the Document pane, right-click a document; on the shortcut menu, the Enable Document command is unavailable. Select a document in the Document pane; on the standard toolbar, the Enable Document button is disabled. Select a user or group: Select a document inherited from the user or group in the Document pane; on the Resource menu, the Revert Document to Inherited Permissions command is unavailable. In the Document pane, right-click a document inherited from the user or group; on the shortcut menu, the Revert Document to Inherited Permissions command is unavailable.
Enable Document
Revert Document to Inherited Permissions
314
Supervisors Guide
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Assign Document Delete Document Delete List of Values Delete Script Disable Document Enable Document Revert Document to Inherited Permissions Effects on object model are... Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want the supervisor to... Export universes Export users and groups Import universes Import users and groups Manage all corporate categories I disable or hide Security Command... Export Universes Export Users/Groups Import Universes Import Users/Groups Manage All Corporate Categories
Manage corporate categories he or Manage My Corporate Categories she has created Manage predefined settings Manage Predefined Settings
Supervisors Guide
315
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Export Universes Export Users/Groups Import Universes Import Users/Groups Manage My Corporate Categories and Manage All Corporate Categories Effects on user interface are... On the Tools menu, the Export Universes command is unavailable. On the File menu, the Export Users/Groups command is unavailable. On the Tools menu, the Import Universes command is unavailable. On the File menu, the Import Users/Groups command is unavailable. When Manage All Corporate Categories and Manage My Corporate Categories are set to Disabled or Hidden: On the Tools menu, the Manage Categories command is unavailable. When Manage All Corporate Categories is set to Disabled or Hidden and Manage My Corporate Categories is set to Enabled: On the Tools menu, click Manage Categories; in the Categories dialog box, click any category of which you are not the owner; the Add, Delete, Edit, and Propagate Owner buttons are unavailable. When Manage All Corporate Categories is set to Enabled and Manage My Corporate Categories is set to Disabled or Hidden: Full rights to all category management functionality. Manage Predefined Settings On the Tools menu, the Manage Predefined Settings command is unavailable.
316
Supervisors Guide
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Effects on object model are... Export Universes Export Users/Groups Import Users/Groups Import Universes Manage All Corporate Categories Manage My Corporate Categories Manage Predefined Settings N/A N/A N/A N/A N/A N/A N/A
Security command family: repository

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want the supervisor to... I disable or hide Security Command...
Assign a document or universe domain to a user Assign Domain or group Disable a document or universe domain for a user or group Enable a document or universe domain for a user or group Revert a document or universe domain to inherited permissions Disable Domain Enable Domain Revert Domain to Inherited Permissions
Supervisors Guide
317
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Assign Domain Effects on user interface are... Select a user or group in the User pane; select the Repository pane; on the Resource menu, click Assign; the Domain submenu command is unavailable. Select a user or group in the User pane: Select the Repository pane; on the Resources menu, the Disable Domain command is unavailable. In the Repository pane, right-click a domain; on the shortcut menu, the Disable Domain command is unavailable. Select a domain in the Repository pane; on the standard toolbar, the Disable Domain button is unavailable. Select a user or group in the User pane: Select the Repository pane; on the Resources menu, the Enable Domain command is unavailable. In the Repository pane, right-click a domain; on the shortcut menu, the Enable Domain command is unavailable. Select a domain in the Repository pane; on the standard toolbar, the Enable Domain button is unavailable.
Disable Domain
Enable Domain
318
Supervisors Guide
I disable or hide Security Command... Revert Domain to Inherited Permissions
Effects on user interface are... Select a user or group in the User pane: Select a domain inherited from the user or group in the Repository pane; on the Resource menu, the Revert Domain to Inherited Permissions command is unavailable. In the Repository pane, right-click a domain inherited from the user or group; on the shortcut menu, the Revert Domain to Inherited Permissions command is unavailable.
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Assign Domain Disable Domain Enable Domain Revert Domain to Inherited Permissions Effects on object model are... Not applicable Not applicable Not applicable Not applicable
Supervisors Guide
319
Security command family: stored procedure

Assign a stored procedure to a user or Assign Stored Procedure group Disable a stored procedure for a user or group Enable a stored procedure for a user or group Disable Stored Procedure Enable Stored Procedure
Revert a stored procedure to inherited Revert Stored Procedure to Inherited permissions Permissions Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Assign Stored Procedure Effects on user interface are... Select a user or group in the User pane; select the Stored Procedure pane; on the Resource menu, click Assign; the Stored Procedure submenu command is unavailable.
320
Supervisors Guide
I disable or hide Security Command... Disable Stored Procedure
Effects on user interface are... Select a user or group in the User pane: Select the Stored Procedure pane; on the Resources menu, the Disable Stored Procedure command is unavailable. In the Stored Procedure pane, right-click a stored procedure; on the shortcut menu, the Disable Stored Procedure command is unavailable. Select a stored procedure in the Stored Procedure pane; on the standard toolbar, the Disable Stored Procedure button is unavailable. Select a user or group in the User pane: Select the Stored Procedure pane; on the Resources menu, the Enable Stored Procedure command is unavailable. In the Stored Procedure pane, right-click a stored procedure; on the shortcut menu, the Enable Stored Procedure command is unavailable. Select a stored procedure in the Stored Procedure pane; on the standard toolbar, the Enable Stored Procedure button is unavailable. Select a user or group in the User pane: Select a stored procedure inherited from the user or group in the Stored Procedure pane; on the Resource menu, the Revert Stored Procedure to Inherited Permissions command is unavailable. In the Stored Procedure pane, right-click a stored procedure; on the shortcut menu, the Revert Stored Procedure to Inherited Permissions command is unavailable.
Enable Stored Procedure
Revert Stored Procedure to Inherited Permissions
Supervisors Guide
321
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Effects on object model are... Disable Stored Procedure Enable Stored Procedure Assign Stored Procedure Revert Stored Procedure to Inherited Permissions Not applicable Not applicable Not applicable Not applicable

Change his or her own password, or Change Password those of the users managed Log in as another user from a Supervisor session Login As
322
Supervisors Guide
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Change Password Effects on user interface are... On the Tools menu, the Change Password option is unavailable. Select a user in the User pane, then click Properties in the User menu or click the User or Group Properties button on the standard toolbar, or right-click the user and click Properties in the shortcut menu; on the Definition tab of the User Properties dialog box, the Password text box is unavailable.
Login As
On the Tools menu, the Login As option is unavailable.
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Change Password Login As Effects on object model are... User.changePassword generates an exception. Actor.setName and Group.addUser generate an exception.
Supervisors Guide
323
Security command family: universe

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want the supervisor to... Assign a universe to a user or group Delete universes Enable a universe for a user or group Edit the properties of a universe Revert a universe to inherited permissions Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Assign Universe Effects on user interface are... Select a user or group in the User pane; select the Universe pane; on the Resource menu, click Assign; the Universe submenu command is unavailable. On the Tools menu, the Delete Universe command is unavailable. I disable or hide Security Command... Assign Universe Delete Universe Enable Universe Edit Universe Attributes Revert Universe to Inherited Permissions
Disable a universe for a user or group Disable Universe
Delete Universe
324
Supervisors Guide
I disable or hide Security Command... Disable Universe
Effects on user interface are... Select a user or group in the User pane: In the Universe pane, select a universe; on the Resource menu, the Disable Universe command is unavailable. In the Universe pane, right-click a universe; on the shortcut menu, the Disable Universe command is unavailable. In the Universe pane, select a universe; on the standard toolbar, the Disable Universe button is unavailable. Select a user or group in the User pane: In the Universe pane, select a universe; on the Resource menu, the Enable Universe command is unavailable. In the Universe pane, right-click a universe; on the shortcut menu, the Enable Universe command is unavailable. In the Universe pane, select a universe; on the standard toolbar, the Enable Universe button is unavailable. Open the Universe Properties dialog box: The Reset button is unavailable. On the Definition tab, the New and Edit buttons are unavailable. On the Controls, SQL, Objects, Rows and Table Mapping tabs, all options and buttons are unavailable.
Enable Universe
Edit Universe Attributes
Supervisors Guide
325
I disable or hide Security Command... Revert Universe to Inherited Permissions
Effects on user interface are... Select a user or group in the User pane: Select a universe inherited from the user or group in the Universe pane; on the Resource menu, the Revert Universe to Inherited Permissions command is unavailable. In the Universe pane, right-click a universe inherited from the user or group; on the shortcut menu, the Revert Universe to Inherited Permissions command is unavailable.
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Effects on object model are... Assign Universe Delete Universe Disable Universe Enable Universe Edit Universe Attributes Not applicable Not applicable Not applicable Not applicable Not applicable
Revert Universe to Inherited Permissions Not applicable
326
Supervisors Guide
Security command family: user and group

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want the supervisor to... Add an instance of a user to a group Create a new group Create a new user Delete a group Delete a user Disable or enable a user Edit the properties of a user or group Create or delete timestamps for a user or group Rename a user or group I disable or hide Security Command... Add to Group Create Group Create User Delete Group Delete User Disable/Enable User Edit User/Group Properties Manage Timestamps
Remove an instance of a user from a group Remove User from Group Rename User/Group
Supervisors Guide
327
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Add to Group Effects on user interface are... Select a user in the User pane: On the User menu, the Add to Group command is unavailable. Right-click the user; in the shortcut menu, the Add to Group command is unavailable. On the standard toolbar, the Add to Group button is unavailable. On the User menu, click Properties, or click the User or Group Properties button on the standard toolbar, or right-click the user and click Properties in the shortcut menu; in the Groups and Profiles tab of the User Properties dialog box, select a group in the Available Groups list on the left; the Add to Group button is unavailable. On the Edit menu, the Copy command is unavailable. On the standard toolbar, the Copy button is unavailable. The Ctrl + C keyboard shortcut for the Copy command is unavailable. The Ctrl + drag-and-drop method for the Copy command is unavailable. On the User menu, click Properties, or click the User or Group Properties button on the standard toolbar, or right-click the group and click Properties in the shortcut menu; in the Users and Profiles tab of the Group Properties dialog box, select a user in the All Users list on the left; the Add button is unavailable.
328
Supervisors Guide
I disable or hide Security Command... Create Group
Effects on user interface are... On the User menu, click New; the Group submenu command is unavailable. In the User pane, right-click a user or group; on the shortcut menu, click New; the Group submenu command is unavailable. On the standard toolbar, the New Group button is unavailable. On the User menu, click New; the User submenu command is unavailable. In the User pane, right-click a user or group; on the shortcut menu, click New; the User submenu command is unavailable. On the standard toolbar, the New User button is unavailable. In the User pane, select a group; on the User menu, the Delete Group command is unavailable. In the User pane, right-click a group; on the shortcut menu, the Delete Group command is unavailable. In the User pane, select a group; pressing the Delete key on the keyboard has no effect. In the User pane, select a user; on the User menu, the Delete User command is unavailable. In the User pane, right-click a user; on the shortcut menu, the Delete User command is unavailable.
Create User
Delete Group
Delete User
Supervisors Guide
329
I disable or hide Security Command... Disable/Enable User
Effects on user interface are... In the User pane, select a user; on the User menu, the Disable/Enable command is unavailable. In the User pane, right-click a user; on the shortcut menu, the Disable/Enable command is unavailable. In the User pane, select a user and, on the User menu, click Properties, or double-click the user; in the Definition tab of the User Properties dialog box, the Disable Login option is unavailable. In the User pane, select a user or group; on the User menu, the Properties command is unavailable. In the User pane, right-click a user or group; on the shortcut menu, the Properties command is unavailable. In the User pane, double-click a user or an empty group; the User or Group Properties dialog box does not appear. In the User pane, select a user or group; on the standard toolbar, the User/Group Properties button is unavailable.
Edit User/Group Properties
Manage Timestamps
Select a user or group and, on the User menu, click Properties, or double-click a user; in the User or Group Properties dialog box, select the Timestamp tab; none of the buttons or options are available.
330
Supervisors Guide
Effects on user interface are... In the User pane, right-click a user; on the shortcut menu, the Remove from Group command is unavailable. In the User pane, select a user: - On the User menu, the Remove from Group command is unavailable. - Pressing the Delete key on the keyboard has no effect. - On the Edit menu, the Cut command is unavailable. - On the standard toolbar, the Cut button is unavailable. - The Ctrl + X keyboard shortcut for the Cut command is without effect. - Drag-and-drop is unavailable. In the User pane, select a user and open the User Properties dialog box: - Select the Groups and Profiles tab; select a profile and group in the list on the right; the Remove button is unavailable. - Select the Users and Profiles tab; select a user in the list on the right; the Remove button is unavailable. In the User pane, select a user or group; on the User menu, the Rename command is unavailable. In the User pane, select a user or group; open the User or Group Properties dialog box; in the Definition tab, the Name text box is unavailable. In the User pane, right-click a user or group; on the shortcut menu, the Rename command is unavailable.
Remove User from Group
Rename User/Group
Supervisors Guide
331
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Add Timestamps Add to Group Create Group Effects on object model are... Not applicable Group.addUser generates an exception. Manager.createGroup, Manager.createGroups, and Group.createSubGroup generate an exception. Manager.createUser and Manager.createUsers generate an exception. Manager.deleteActor and Group.deleteSubGroup generate an exception. Manager.deleteActor generates an exception. Manager.setEnable generates an exception. Not applicable Group.removeUser generates an exception. Actor.setName generates an exception.
Create User Delete Group Delete User Disable/Enable User Edit User/Group Properties Remove User from Group Rename User/Group
332
Supervisors Guide
WebIntelligence security commands

Security commands are grouped in families according to area of functionality. The security command families for WebIntelligence are: Administration Analysis InfoView: document handling, categories Query and Reporting
Security command family: administration

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Change their own password Create or edit BusinessObjects documents Use interactive viewing Use the WebIntelligence HTLM Report Panel Use the WebIntelligence Java Report Panel I disable or hide Security Command... Change Password Download 3-Tier BusinessObjects Use Interactive Viewing Use WebIntelligence HTML Report Panel Use WebIntelligence Java Report Panel
Supervisors Guide
333
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Change Password Effects on user interface are... Click Options in the navigation bar; the Change Password section of the Options page does not appear. When the document list is expanded, the Edit button does not appear in the list of options. When the Full Client document is opened, the Edit button does not appear in the tool bar. Use Interactive Viewing Click Options in the navigation bar; on the Options page, click View; under View Format, select HTML - Interactive; click OK; click Home; from the Home page, create or open a document in HTLM format; interactive sort and filter operations are unavailable. Note: the availability of interactive HTML viewing depends on your license. The HTML Report Panel is not available. The Java Report Panel is not available.
Download 3-Tier BusinessObjects
Use WebIntelligence HTML Report Panel Use WebIntelligence Java Report Panel
334
Supervisors Guide
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Change Password Download 3-Tier BusinessObjects Use Interactive Viewing Use WebIntelligence HTML Report Panel Use WebIntelligence Java Report Panel Effects on object model are... WISession.ChangePassword generates an error. Not applicable Report.getview(DHTML) returns an exception. Not applicable Not applicable
Supervisors Guide
335
Security command family: analysis

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Extend scope of analysis Drill outside the cube without answering a prompt Work in drill mode Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Extend Scope of Analysis Effects on user interface are... Create or open a drillable document; drill links are not available to drill beyond the documents scope of analysis. I disable or hide Security Command... Extend Scope of Analysis Transparent Drill Outside of Cube Applies to 5.x users only Work in Drill Mode
Transparent Drill Outside of Cube Create a query with drillable objects and run the query in Drill Mode; attempt to drill Applies to 5.x users only on an object; a page appears prompting For version 6 documents, this you to choose values for a new query. functionality is controlled by a user option set in InfoView. Work in Drill Mode Create a document or open a drillable document; the drill icon and drill links are not available.
336
Supervisors Guide
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Extend Scope of Analysis Transparent Drill Outside of Cube Applies to 5.x users only Work in Drill Mode Not applicable. Effects on object model are... Not applicable. Not applicable.
Security command family: InfoView

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Add external content to My InfoView Change the skin I disable or hide Security Command... Add External Content to My InfoView Change Skin
See document list options or change the Customize the Interface default home page I do want my group/user to be able to Do Not Delete Other Users delete corporate documents published by Corporate Documents other users Download documents in BusinessObjects 5.x format Download WebIntelligence documents Generate documents in Excel format Generate documents in PDF format Manage all corporate categories Manage corporate categories they created Download BusinessObjects Documents Download WebIntelligence Documents Generate in Excel Format Generate in PDF Format Manage All Corporate Categories Manage My Corporate Categories
Supervisors Guide
337
I dont want my group/user to...
I disable or hide Security Command... Read Corporate Documents Read Inbox Documents Refresh View of Document List and Categories Run and Refresh Documents Save and Read Personal Documents Save to Corporate Documents
Create, edit or delete personal categories Manage Personal Categories See the Corporate Documents page See the Inbox Documents page Refresh the lists of documents and categories Run and refresh documents Save documents Publish documents to the repository
Send documents to users in other groups Send Documents to Users in Other Groups Send documents to any users Send Documents to Users in Other Groups and Send Documents to Users in Own Groups Upload documents Upload Documents
338
Supervisors Guide
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Add External Content to My InfoView Effects on user interface are... On the Options page, click Display; under My InfoView, click Add a Portlet in My InfoView; on the My InfoView: Add a Portlet: Choose Type page, in the Choose Type list, the Web Page option is unavailable. On the Options page, click Display; on the Display tab page, the Default Skin section is unavailable. Click Options in the navigation bar: In the Global Options section of the Options page, only the Welcome Page option for Default Start Page appears. The Document List Options section does not appear. Go to the Corporate Documents page or the Inbox Documents page; click Expand on the toolbar, if the page is not already in expanded mode; the Delete option is available for corporate documents to which the user has access and which were published by other users. Go to the Corporate Documents page: Click Expand on the toolbar, if the page is not already in expanded mode; the "Load BusinessObjects Document" option does not appear for BusinessObjects 5.x documents. Click on the title of a BusinessObjects 5.x document; when the document appears, the Download option does not appear on the menu bar.
Change Skin Customize the Interface
Do Not Delete Other Users Corporate Documents
Download BusinessObjects Documents
Supervisors Guide
339
I disable or hide Security Command... Download WebIntelligence Documents
Effects on user interface are... Go to the Corporate Documents page: Click Expand on the toolbar, if the page is not already in expanded mode; the "Load into spreadsheet" option does not appear for WebIntelligence documents. Click on the title of a WebIntelligence document; when the document appears, the Download option does not appear on the menu bar.
Generate in Excel Format Open a document; the Download as Excel button is unavailable; on the Save menu, the Save to My Computer as Excel command is unavailable. Generate in PDF Format Cannot download, view or generate in PDF format. If you are using the Java Report Panel, print is impossible. When Manage All Corporate Documents and Manage My Corporate Documents are Disabled or Hidden, it is impossible to add, edit or delete categories. When Manage All Corporate Documents is Disabled or Hidden and Manage My Corporate Documents is Enabled, you cannot add subcategories to, or delete or edit categories of which you are not the owner. When Manage All Corporate Documents is Enabled and Manage My Corporate Documents is Disabled or Hidden, you can add categories and delete or edit all categories.
Manage My Corporate Categories and Manage All Corporate Categories
Manage Personal Categories Read Corporate Documents Read Inbox Documents
Go to the Personal Documents page; the Personal Categories hyperlink to the left of the list of categories is unavailable. The Corporate Documents page is unavailable. The Inbox Documents page is unavailable.
340
Supervisors Guide
I disable or hide Security Command... Refresh View of Document Lists and Categories Run and Refresh Documents
Effects on user interface are... Go to the Corporate Documents or Scheduled Documents page; the Refresh List icon button is unavailable. Go to the Corporate Documents page, the Personal Documents page, or the Inbox Documents page; click Edit underneath an editable document; in the Web Panel, the Run Query button is unavailable. Click Create Documents in the navigation bar; select a universe; in the Web Panel, create a query; the Run Query button is unavailable. Go to the Corporate Documents page, the Personal Documents page, or the Inbox Documents page; click the name of a document to open it; when the document is open, the Refresh option does not appear on the menu bar.
Save and Read Personal Go to the Corporate Documents page or the Inbox Documents Documents page: Click Expand on the toolbar, if the page is not already in expanded mode; under each document, the Save option does not appear. Click on the title of a document, when the document appears, the Save option does not appear on the menu bar. Save to Corporate Documents Go to the Corporate Documents page: Click Expand on the toolbar, if the page is not already in expanded mode; under each document, the Publish option does not appear. Click on the title of a document; when the document appears, the Publish option does not appear on the menu bar.
Supervisors Guide
341
I disable or hide Security Command... Schedule Documents
Effects on user interface are... Go to the Personal Documents or the Inbox Documents page; click Expand on the toolbar, if the page is not already in expanded mode; click Publish underneath a document; on the "Publish as corporate document" page, "Scheduled refresh" does not appear among the Refresh options. Click Create Documents on the navigation bar; select a universe; in the Web panel, create and run a query; when the document appears, click Publish in the menu bar; on the "Publish as corporate document" page, "Scheduled refresh" does not appear among the Refresh options.
Send Documents to Users in Other Groups
Go to the Corporate Documents page, the Personal Documents page, or the Inbox Documents page: Click Expand on the toolbar, if the page is not already in expanded mode; click the Send option under a document; on the "Send document to the following user(s)" page, the list of destination users includes only users in groups to which you belong. Click on the title of a document; when the document appears, click Send on the menu bar; on the "Send document to the following user(s)" page, the list of destination users includes only users in groups to which you belong. Note: See the "Send Documents to Users in Own Groups" security command below for a description of the effects on the user interface of disabling or hiding both these security commands simultaneously.
342
Supervisors Guide
I disable or hide Security Command... Send Documents to Users in Own Groups
Effects on user interface are... No effect when the "Send Documents to Users in Other Groups" command is enabled. When the "Send Documents to Users in Other Groups" command is also disabled or hidden, go to the Corporate Documents page, the Personal Documents page, or the Inbox Documents page: The "Send to Users" option does not appear below each document. Click the title of a document; when the document appears, the Send option does not appear on the menu bar.
Upload Documents
On the Home page, under New Document, the Add a Document link is unavailable.
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Add External Content to My InfoView Customize the Interface Change Skin Do Not Delete Other Users Corporate Documents Download BusinessObjects Documents Download WebIntelligence Documents Effects on object model are... Not applicable WISession.UserProfile (R) instead of (R/ W). Not applicable WIDocument.Delete generates an error when the document was published by another user. Not applicable WIDocument.GetDPResult generates an error.
Supervisors Guide
343
I disable or hide Security Command... Generate in Excel Format
Effects on object model are... Report.getView(XLS) and DocumentInstance.getView(XLS) return an exception. Report.getView(PDF) and DocumentInstance.getView(PDF) return an exception. All APIs concerned return an exception. All APIs concerned return an exception. WISession.AddCategory, WISession.DeleteCategory, WISession.RenameCategory and WISession.GetCategoryDetails generate errors when RepoType=Personal.
Generate in PDF Format
Manage All Corporate Categories Manage My Corporate Categories Manage Personal Categories
Save to Corporate Documents Read Corporate Documents
WIDocument.Publish generates an error. WIDocument.GetDPResult, WIDocument.GetHtmlView, and WIDocument.GetPrompts generate errors when RepoType=Corporate.
Read Inbox Documents
WIDocument.GetDPResult, WIDocument.GetHtmlView, and WIDocument.GetPrompts generate errors when RepoType=Inbox.
Refresh View of Document Lists and Categories Run and Refresh Documents
Not applicable WIDocument.GetDPResult and WIDocument.GetHtmlView generate errors when Refresh = TRUE. WIDocument.Save and WIDocument.SaveAs generate errors. Not applicable
Save and Read Personal Documents Save to Corporate Documents
344
Supervisors Guide
I disable or hide Security Command... Schedule Documents
Effects on object model are... Not applicable
Send Documents to Users in Other WIDocument.Send generates an error. Groups Send Documents to Users in Own Groups Upload Documents WIDocument.Send generates an error. WIDocument.upload() returns an exception.
Security command family: publications (applies to Broadcast Agent Publisher)

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Manage email publications and subscriptions with Broadcast Agent Publisher Manage web publications and subscriptions with Broadcast Agent Publisher I disable or hide Security Command... Manage Email Publications Manage Web Publications
Supervisors Guide
345
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Manage Email Publications Effects on user interface are...
When either Manage Email Publications or Manage Web Publications is Enabled, and regardless of the status of the other command: Manage Web Publications Full rights to Broadcast Agent Publisher Applicable when publication and subscription functionality Broadcast Agent Publisher through the Publications link on the Home is installed Page. When both Manage Email Publications and Manage Web Publications are Disabled or Hidden: Go to the Home Page; instead of the Publications link there is a Subscriptions link giving rights to Broadcast Agent Publisher subscription rights only. Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Manage Email Publications Manage Web Publications Effects on object model are... Not applicable Not applicable
346
Supervisors Guide
Security command family: query and web panel

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Create a new document I do want the SQL of my group/users queries to be regenerated with each refresh Edit an existing document Edit an existing query Refresh lists of values Use the formatting toolbar Use formula language and create variables Use or refresh lists of values View the SQL of a query I disable or hide Security Command... Create Documents Do Not Always Regenerate SQL
Edit Documents Edit Query Refresh Lists of Values Use Formatting Toolbar Use Formula Language/Create Variables Use Lists of Values View SQL
Supervisors Guide
347
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Create Documents Effects on user interface are... Click Expand on the toolbar, if the page is not already in expanded mode; the Create Documents option does not appear on the navigation bar. None. The SQL of the query is regenerated with each refresh cycle. Go to the Corporate Documents page, the Personal Documents page, or the Inbox Documents page; click Expand on the toolbar, if the page is not already in expanded mode; the Edit option does not appear under editable documents. You cant edit queries. Go to the Corporate Documents page, the Personal Documents page, or the Inbox Documents page; click Expand on the toolbar, if the page is not already in expanded mode; click Edit underneath a document; in the Web Panel, create or edit an object using a list of values in the Conditions tab; in list-of-values dialog boxes, the Refresh button is unavailable. Open a document; in the top right of the screen, just to the right of the Delete command link, the icon that opens the formatting toolbar is not available. The icon is in the shape of a "less than" symbol and its tool tip is "Show/hide turn to chart bar."
Do Not Always Regenerate SQL Edit Documents
Edit Query Refresh Lists of Values
Use Formatting Toolbar
348
Supervisors Guide
Effects on user interface are...
Use Formula Language / Click Options in the navigation bar; on the Options Create Variables page, click Create; under Options for WebIntelligence Documents, click Java Report Panel; click OK; click Home; on the Home page, click New Document; the Formula Bar icon is unavailable. Use Lists of Values Create a document; drag an object from the Classes and Objects panel to the Conditions tab; click on the operand of the object; the "Show values from list" and "Prompt values from list" options are unavailable. Go to the Corporate Documents page, the Personal Documents page, or the Inbox Documents page; click Expand on the toolbar, if the page is not already in expanded mode; click Edit underneath a document; in the Web Panel, create or edit an object using a list of values in the Conditions tab; in list-of-values dialog boxes, the Refresh button is unavailable. View SQL Create a document or open an existing document; in the Web Panel, the SQL button is not available.
Supervisors Guide
349
Effects on object model The following table shows the effects on the object model of disabling or hiding each security command. I disable or hide Security Command... Effects on object model are... Create Documents WISession.NewDocument and WIObjectContext.NewDocument generate errors. Do Not Always Regenerate SQL Edit Documents Formatting Toolbar Refresh Lists of Values Transparent Drill Outside of Cube Use Formula Language / Create Variables Use List of Values View SQL Not applicable WiDocument.GetPanelToken generates an error. Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable
350
Supervisors Guide
BusinessQuery security commands

Security commands are grouped in families according to area of functionality. The security command families for BusinessQuery are: Queries Queries in Workbook Miscellaneous
Security command family: queries

Functionalities The following table shows which security command to choose according to the functionality you want to restrict. I dont want my group/user to... Delete an existing query Edit a list of values Edit the query panel of an existing query Insert a query in a workbook Create a new query Refresh a list of values Refresh a query Rename a BusinessQuery file (*.bqy) I disable or hide Security Command... Delete Query File Edit Lists of Values ReportEngine.getStructure() returns an exception. Insert Query New Query Refresh Lists of Values Refresh Query Rename Query File
Retrieve a query from the repository or Retrieve From from users Send a query to corporate documents Send To or users
Supervisors Guide
351
Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command. I disable or hide Security Command... Delete Query File Effects on user interface are... Open a new or existing workbook; on the BusinessQuery menu, click Insert Query, or on the BusinessQuery toolbar, click the Insert Query button; in the Insert Queries dialog box, select and right-click a query in the Available Queries tree-list; in the shortcut menu, the Delete command is unavailable. Open a new or existing workbook; on the BusinessQuery menu, click Universes; in the Universes dialog box, click Lists of Values; in the Lists of Values dialog box, select a value; the Edit button is unavailable. Open an existing workbook: On the BusinessQuery menu, the Edit Query command is unavailable. On the BusinessQuery toolbar, the Edit Query button is unavailable. Insert Query Open a new or existing workbook: On the BusinessQuery menu, the Insert Query command is unavailable. On the BusinessQuery toolbar, the Insert Query command is unavailable. New Query Open a new or existing workbook: On the BusinessQuery menu, the New Query command is unavailable. On the BusinessQuery toolbar, the New Query button is unavailable.
Edit Lists of Values
Edit Query
352
Supervisors Guide
I disable or hide Security Command... Refresh Lists of Values
Effects on user interface are... Open a new or existing workbook; on the BusinessQuery menu, click Universes; in the Universes dialog box, click Lists of Values; in the Lists of Values dialog box, the Edit, Refresh and Purge buttons are unavailable. Open an existing workbook: On the BusinessQuery menu, the Refresh Query command is unavailable. On the BusinessQuery toolbar, the Refresh Query button is unavailable.
Refresh Query
Rename Query File
Open a new or existing workbook; on the BusinessQuery menu, click Insert Query, or on the BusinessQuery toolbar, click the Insert Query button; in the Insert Queries dialog box, select and right-click a query in the Available Queries tree-list; in the shortcut menu, the Rename command is unavailable. On the BusinessQuery menu, click Retrieve From; the Users and Corporate Document submenu commands are unavailable. On the BusinessQuery menu, click Send To; the Users and Corporate Document submenu commands are unavailable.
Retrieve From
Send To
Supervisors Guide
353
Security command family: queries in workbook

Modify the SmartSpace strategy for Modify Query in Workbook a query Remove a query from a workbook Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command.. I disable or hide Security Command... Modify Query in Workbook Effects on user interface are... Open an existing workbook; on the BusinessQuery menu, click the Query Director command, or on the BusinessQuery toolbar, click the Query Director button; on the Workbook tab of the Query Director dialog box, select a query; click the Properties button; in the Query Properties dialog box, go to the View in Sheet tab; the Change button under SmartSpace Strategy is unavailable. Open an existing workbook; on the BusinessQuery menu, click Query Director, or on the BusinessQuery toolbar, click the Query Director button; on the Workbook tab of the Query Director dialog box, select a query; the Remove button is unavailable. Remove Query From Workbook
Remove Query From Workbook
354
Supervisors Guide

Change the setting of the Autoload option Autoload controlling whether or not BusinessQuery is loaded automatically when the plugin is activated Change the setting of the Autologin feature controlling the automatic login feature of BusinessQuery Work with universes Effects on user interface The following table shows the effects on the user interface of disabling or hiding each security command I disable or hide Security Command... Autoload Effects on user interface are... Open a new or existing workbook; on the BusinessQuery menu, click Options; in the General tab of the Options dialog box, the Autoload Business Query option is unavailable. Open a new or existing workbook; on the BusinessQuery menu, click Options; in the General tab of the Options dialog box, the Prompt User Login and Use Automatic Login options are unavailable. Open a new or existing workbook; on the BusinessQuery menu, the Universes command is unavailable. Autologin
Universes
Autologin
Universes
Supervisors Guide
355
Index
A
adding users to a group 115 import 230 Administration Setup wizard 17, 29 Apply predefined settings 189 assigning a domain to a user or user group 211 a password to a user 55 a profile to a user 54 BusinessObjects products to users 179-180 database connections to users 207 documents to users 209 full product to a user 180 privileges to users (rules) 92 stored procedures to users 207 templates to users 209 users to a group 95, 115 authentication driver 83 UNIX 108 UNIX-only 108 user profile required to launch 105 building the repository 35 Business Objects consulting services 11, 13 documentation 10 Documentation Supply Store 9 support services 11 training services 11, 13 BusinessObjects administrator 18 BusinessObjects products administered by Supervisor 179 BusinessObjects resources 20 documents 20 repositories 21 stored procedures 21 BusinessObjects security command families Analysis 252 Connections 255 Documents 257 Free-hand SQL 273 Miscellaneous 276 Multidimensional Data 278 Personal Data Files 280 Programmability 282 Query Techniques 285 Stored Procedure 291 Tools 293 BusinessQuery security command families Miscellaneous 354 Queries 350 Queries In Workbook 353 Queries in Workbook 353
252
B
basic procedures 47 batch import file 216 batch import of users and groups 217 Broadcast Agent 18, 25 administrator 105 allowing users to choose a Broadcast Agent 107 changing or removing task schedule 148 Console 25, 105 creating for a user group 105, 106 deleting 107 Disable login option 108 document domains 107 maximum name/password length 106 report chaining 152 scheduling document processing 151
Index
356
Supervisors Guide
C
caching documents 152 standard HTML 153 Windows metafile 153 Cartesian products 197 categories creating 239 deleting 243 description 238 Document tab, Resource pane 238 enabling management 244 in repository 238 renaming 242 Change Schedule command 149 changing a documents task schedule 149 a user profile 114 passwords 86 passwords at first login 112 characters, defining for repository 76 checking document domain 143 universe domain 143 client/server mode 28 Command Restriction dialog box 181 Command Help 183 Command Set view 181 Menu view 181 to open 249 command restrictions 57 applying 249 batch import of users and groups and command restrictions 250 for different user instances 178 inheritance 183 through predefined settings 249 compacting the security domain 146 company name (root group) 51 configuration disabling 180 enabling 180 confirmation messages enabling/disabling 69
connections 138 checking 144 defining in recovery installation 45 deleting 161 modifying 162 redefining for document and universe domains 33 stored procedures 207 string not correct 31, 45 to a repository 33 consultants Business Objects 11 controlling user login times 117 creating a group 93 a second general supervisor 62 Broadcast Agent for a group 106 domains 140 new group (import) 231 subgroups 52 user groups 51 users 53, 110 custom installation 31, 40 custom predefined settings 187 customer support 11 customizing a universe 192 your environment 67
D
data communication protocol 28 database configuration 28 database connections assigning to users 207 database driver choosing 33, 45 default installation 32 default names for users and groups 75 setting 75 default options 69 Define Predefined Setting Name box 187
Index
Supervisors Guide
357
defining connection to a repository 33 group properties 94 the general supervisor 32 user passwords 112 user properties 111 users 112 Delete the file each time the task starts (option) 152 deleting connection to a repository 161 domains 143 InfoView/WebIntelligence users 120 user (import) 231 user groups 109 users 120 demo materials 9 Designer 19 designer profile 19 role 22 Designer security command families 294 Connection 294 Tools 299 Universe 300 Developer Suite 10, 12 disabling access to a domain 212 access to documents or templates 210 access to stored procedures 208 configuration 180 document 210 disabling/enabling users 57 distributing universes 163, 165 document disabling 210 enabling 210 document domain 138 and Broadcast Agent 107 redefining connection 33 Document tab scheduled tasks 148
documentation CD 9 feedback on 10 on the web 9 printed, ordering 9 roadmap 9 search 9 Documentation Supply Store 9 documents 20 assigning to users 209 domain 23, 25 documents and templates 139, 209 disabling access to 210 enabling access to 210 domains assigning to a user or user group 211 building 43 checking connection 144 checking integrity 143 creating 140 deleting 143 disabling access to 212 document 23, 25 enabling access to 212 errors creating 43 of the repository 23 one per type per data account 23 redefining connection 33 removing access to 212 scanning and repairing 144 security 23, 24 universe 23, 24 viewing 44 duplicating users 56, 116
E
editing predefined settings 188 education see training enabling access to a domain 212 access to documents or templates 210 access to stored procedures 208 configuration 180 document 210
Index
358
Supervisors Guide
enabling/disabling confirmation messages 69 users 119 end user role 22 enhanced document format (faster viewing) Euro 76 Export Users and Groups command 236 exporting configuration to file 236 exporting universes 163 required profile 166 exporting users and groups 214 extended supervisor mode 80
153
F
Faster Document Viewing Over the Web 152 file key 24 printing to 128 Supervsr.exe 29, 49 File menu /Print 127, 128, 129 File Watcher 152 Delete the file each time the task starts (option) 152 finding users/groups in repository 124 case-sensitive search 125 whole-name-only search 125
INTERACTIVE 220 LOG 220 NO_ENCRYPTED_PASSWORD NOLOG 220 NOUNDO 220 UNDO 220 groups assigning users to 95 creating 51, 93 creating subgroups 52 deleting 109 finding in repository 124 hierarchy 50 login times 96 names unique in repository 51 properties 94 renaming 109 reports 127 root 90 setting default names 75 sorting 72 UI symbol 51
220
H
hard copy printing 127
I
identification strategy passwords 112 import file 216 import file commands 219 Add to Group (AG) 219 comment 219 Delete Group (DG) 219 Delete User (DU) 219 New Group (NG) 219 New User (NU) 219 Remove from Group (RG) 219 Rename gRoup (RR) 219 separator 219 Update User (UU) 219 import log file 233 import new user 222 import update of user 225
G
general supervisor and Broadcast Agent 105 backup 17 creating a "reserve" 62 modifying 123 profile 18 role 22 second 38 GENERAL/SUPERVISOR login 30 generating the import file 216 global import commands 220 BATCH 220 ENCRYPTED_PASSWORD 220 example 221
Index
Supervisors Guide
359
importing universes 163, 164-165 importing users default values 227 importing users and groups 214 batch mode 217 interactive mode 217 Inbox documents how many 156 purging 155 InfoView 20 NT authentication 83 inheritance of command restrictions 183 Insert key 70 installation custom 31, 40 default 31, 32 options 31 recovery 31, 45 requirements for Supervisor 28 installing the repository 27 integrity check 143 interactive mode (importing and exporting users and groups) 218 Interface Status Disabled 182 Enabled 182 Hidden 182 Inherit 182
L
limiting objects in a universe 198 query results 194 SQL syntax 196 lists of values 139 lock mechanism for universes 163 log file (import) 233 login 29, 45 as a different user 87 GENERAL/SUPERVISOR 30 group login times 96 user name displayed 49 LOV 139
M
Manage Categories command (Tools menu) 239 Manage Predefined Settings (Tools menu) 187 Manage Predefined Settings dialog box 187 managing connections 152 user groups 93 users 110 mapping tables 204 menu bar 50 mode extended 80 secured 81 standard 79 modifying (first) general supervisor 123 connection to a repository 162 properties of a universe 191, 193, 208 moving a user 56 the toolbar 85 users to another group 118 multimedia quick tours 10
K
key file 17 creating 37 creation 24 damaged 31, 45 distributing 38 if security domain is moved moved 31, 45 naming 37, 45 renamed 31 WebIntelligence 21 Knowledge Base 12
39
Index
360
Supervisors Guide
multiple repositories choosing the one to work with 21, 49 not used by WebIntelligence 21 who should use them 21 multiple supervisors 123
N
naming users 53 negative security commands 182 network layer choosing 33, 45 network protocol 28 New Group toolbar button 51 NT authentication 83 from all domains 83 trusted domains 83
O
object browser dialog 199 security level 113 Online Customer Support 11
P
password assigning 55 case-sensitive 49 changing 86 changing at first login 112 identification strategy 112 no checking 112 setting options for supervisors 82 three strikes, youre out 38 user 112 validity 112 predefined settings 184 allowing use of WebIntelligence 186 apply 189 applying to current user/group 184 custom 187 Default 185 define name 187 editing 188 Everything Revoked 185
Expert 185 Explorer 186 InfoView 185 Novice 185 Reporter 186 Standard 185 standard 185 preload to repository cache 153 primary key sorting 73 print in table format basis for BusinessObjects report 129 CSV files created 130 from the command line 134 -printtodirectory command 135 -printtofile command 134 resources CSV file 133 users CSV file 131 printing a hard copy 127 to file 128 to table format 129 -printtodirectory command 135 -printtofile command 134 products assigning to users 180 restricting functionalities of 180 profiles assigning 54 changing 114 protocol data communication 28 network 28 Purge Inbox Documents command 155 and report bursting 155 best practices tips 157 procedure 156
Q
query results limiting 194 quickly creating new users and groups
70
Index
Supervisors Guide
361
R
RDBMS 28 recovery installation 31, 45 Refresh command 191 refreshing the supervisor window 75 removing access to a domain 212 removing access to a stored procedure 208 removing user from group (import) 231 renaming group (import) 232 groups 109 users 123 repairing domains 144 the security domain 146 report chaining 152 reporting level scan and repair 146, 147 reports group definitions 127 resources by user/group 127 user definition 127 repository 21 access (distributing the key file) 38 building 35 cache for reports 152 creating 17 customizing access to 75 defined 23 defining access 37 defining connection 33 defining valid characters 76 distributing domains 40 document domain for Broadcast Agent 107 domains 23, 138, 211 errors creating 35 finding users/groups 124 installing 27 recommended number 21 storage of Inbox documents 155 repository domains creating 31 distributing 31
Resource menu /Assign Document 209 /Assign Domain 143, 211 /Assign Stored Procedure 207, 208 /Assign Universe 190 /Disable Domain 212 /Disable Stored Procedure 208 /Enable Domain 212 /Enable Stored Procedure 208 /Properties 192 /Revert Document to Inherited Permissions 210 /Revert Domain to Inherited Permissions 212 /Revert Stored Procedure to Inherited Permissions 208 /Revert Universe to Inherited Permissions 191 resource pane 50 resources 20 access 22 Business Objects products 20 documents 20 managing versions 31, 40 multiple user instances 173 overview 138 report by user/group 127 repositories 21 resolving access for different user instances 174 restrictions for more than one instance 176 restrictions on one instance 175 rules of inheritance 173 stored procedures 21 restricting execution time of a query 195 functionalities of a product 180 objects of a universe 198, 200 size of long text objects 195 size of results returned by a query 195 use of commands in interface 180 revision numbers for universe 163 root group 90 company name 51 Run command 29, 49 running other modules from Supervisor 87
Index
362
Supervisors Guide
S
safe recovery 31, 45 scan and repair domains 144 reporting level 146, 147 schedule of tasks 148 scheduled document processing enabling for a user group 105 scope management batch import 215 setting default 81 scripts 139 searching repository for users/groups 124 case-sensitive search 125 whole-name-only search 125 secondary key sorting 73 secured supervisor mode 81 security command families BusinessObjects 252 BusinessQuery 350 Designer 294 Supervisor 305 WebIntelligence 332 security commands allowing use of WebIntelligence 186 definition 249 families 248 organization 248 possible states 249 priority for different user instances 178 viewing status 186 security domain 23, 24, 138 access by clients 24 changed connection string 31 moved 31, 45 repairing and compacting 146 scanning 145 security levels 113 semantic layer 20 sending documents to Broadcast Agent File Watcher 152 report chaining 152 setting start and stop dates 151
setting default options 69 options for all supervisors 74 password options for supervisors predefined 184 setup wizard 29 sorting primary key 73 secondary key 73 users and groups 72 SQL communication driver 28 domain creation script 43 in stored procedures 21 limiting syntax 196 repository creation script 36 standard supervisor mode 79 toolbar 50, 85 starting Supervisor 49 stored procedures 207-208 connection to 207 creating (assigning) 207 defined 21 disabling access to 208 enabling access to 208 removing access 208 subgroups creating 52 Supervisor description 16 installation requirements 28 main window 50 starting 49 supervisor extended mode 80 profile 18 refreshing window 75 restrictions 18 role 22 running other modules from 87 secured mode 81 selecting mode 78 setting options for 74
82
Index
Supervisors Guide
363
setting password options for 82 standard mode 79 working with several 123 Supervisor main window 50 menu bar 50 resource pane 50 title bar 50 toolbar 50 user pane 50, 51 Supervisor security command families Configuration 305, 308 Connection 310 Document 312 Repository 314, 316 Stored procedure 319 Tools 321 Universe 323 User and Group 326 supervisor-designer profile 19 supervsr.exe 29, 49
305
T
table format printing to 129 table mapping 204 task schedule changing 148 removing 148 templates 139, 209 assigning to users 209 enabling access to 210 testing connection to a domain 144 timestamps adding 102 avoiding strain on the network 101 combining 100 date-only 101 for different user instances 177 guidelines for efficiency and security modifying 104 removing 105 Start/End Date 99 Start/End Time 99 time-only 101 weekly or monthly criteria 99
Tips & Tricks 10 title bar 50 toolbar 50 moving or hiding 85 Tools menu /Change Password 86 /Connections 159, 161, 162 /Delete Document 170 /Delete List of Values 170 /Delete Script 170 /Delete Universe 170 /Login As 60, 87 /Options 120, 121 /Repository 140 training on Business Objects products 11 Tree List tab 72 trusted domains for NT authentication 83 accessible domains 84 adding domains 84 removing domains 84 types of users 91
U
undo files (import) 234 universe 20, 138 cost estimate 195 created by designer 19 customizing 192 different properties for different user instances 174 distributed by designer 19 distributing 163, 165 domain 23, 24, 138 import/export 163 importing 164-165 limiting size of long text objects 195 limiting size of results returned by query 195 lock mechanism 163 more than one with same name 40 properties 191, 193, 208 restricting execution time of a query 195 restricting objects of 198, 200
101
Index
364
Supervisors Guide
revision numbers 163 security 163 sharing 24 universe domain 24 created 24 redefining connection 33 UNIX-only Broadcast Agent 108 unscheduling tasks 148 user groups closed 91 creating 51 deleting 109 empty 91 enabling Broadcast Agent for 105 managing 93 open 91 sorting 72 User Identification dialog box 29 user instances 173 User menu /Add to Group 117 /Delete Group 109 /Disable/Enable 119 /New Group 93 /New User 110 /Rename Group 109 /Rename User 123 New => Group command 51 New => User command 53, 54, 55 user pane 50, 51 user profiles 18 access to products 179 default 53 designer 19 end user 19 general supervisor 18 required for Broadcast Agent 105 supervisor 18 supervisor-designer 19 users adding to a group 115 assigning stored procedures to 207 assigning to a group 115 Broadcast Agent administrator 105 changing profiles 114
controlling login times 117 creating 53, 110 defining 112 defining properties 111 deleting 120 disabling 57, 119 duplicating 56, 116 enabling 119 finding in repository 124 hierarchy 22, 50 in more than one group 250 managing 110 modifying 56 moving from one group to another names unique in repository 53 passwords 112 renaming 123 reports 127 security levels 113 setting default names 75 sorting 72 type 91
56, 118
V
verbose scan and repair option 145, 146 versatile user profile 19 View menu /Refresh 191 /Toolbars 85 viewing security command status 186
W
web customer support 11 getting documentation via 9 useful addresses 12 WebIntelligence administrator 18 Explorer 20 InfoView 20 NT authentication 83 predefined settings to allow use Reporter 20
186
Index
Supervisors Guide
365
WebIntelligence security command families Document 336 Options 332, 335 Query and Web Panel 344, 346 Windows NT authentication driver 83 wizard, setup 29
Index
366
Supervisors Guide
Index

Supervisor

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Supervisor

Uploaded by

Copyright:

Available Formats

Supervisors Guide

Supervisor 6.1 Windows

Patents Part Number

Setting your default options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Other options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Managing Users and Groups

Managing categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

BusinessObjects 6.1 Security Command Reference

Maximizing Your Information Resources

Maximizing Your Information Resources

How can I get the most recent documentation?

Send us your feedback

Maximizing Your Information Resources

How we can support you?

Having an issue with the product?

Looking for the best deployment solution for your company?

Looking for training options?

Useful addresses at a glance

Business Objects Documentation mailbox documentation@businessobjects.com Product documentation www.businessobjects.com/services/ support.htm

Feedback or questions about documentation.

The latest Business Objects product documentation, to download or view online.

Tips & Tricks www.businessobjects.com/forms/ tipsandtricks_login.asp

Maximizing Your Information Resources

Address Online Customer Support www.techsupport.businessobjects.com

www.businessobjects.com/services Business Objects Education Services www.businessobjects.com/services/ education.htm

Useful addresses at a glance

About this guide

Conventions used in this guide

Maximizing Your Information Resources

Where to start with Supervisor

Where to start with Supervisor

User hierarchy and resource access

defines Supervisor identifies and manages

creates and manages

Universe Designer creates

End Users create

BusinessObjects or WebIntelligence documents

The repository domains

The repository domains

The security domain

Key file (*.key)

The universe domain

The document domain

The repository domains

Installing the Repository

Network SQL Driver

Installing the Repository

Choosing a setup configuration

Choosing a setup configuration

Installing the Repository

Choosing a setup configuration

Running a default installation

Defining the general supervisor

Installing the Repository

Defining the connection to the repository

Running a default installation

Installing the Repository

Building the repository

Running a default installation

Installing the Repository

Defining repository access

Running a default installation

Distributing the key file

Installing the Repository