
Lumira Security Aspects

Anja Rusch CEG


November, 2014

Public

Legal disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the
permission of SAP. This presentation is not subject to your license agreement or any other service or subscription
agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation
and SAP's strategy and possible future developments, products and/or platform directions and functionality are all
subject to change and may be changed by SAP at any time for any reason without notice. The information in this
document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This
document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational
purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP's willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements,
which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

© 2014 SAP SE or an SAP affiliate company. All rights reserved.


Agenda
- DataSet Security
- Lumira Desktop Governance
- Lumira Document Security on
  - Cloud
  - Server
  - BI Platform


SAP Lumira: Server Desktop Cloud


On premise - in the cloud - on any device

[Architecture diagram: Lumira Server (on HANA), Lumira Desktop (local) and Lumira Cloud (on HANA), with "publish" arrows and the BI Platform. Data sources shown: Excel / CSV, Clipboard, RDBMS, Universes, HANA, BW*.]
*Desktop Visualization only

DataSet Security

Lumira Datasets
- Download approach keeps the creator's access rights
  - MS Excel, Text, Clipboard
  - SAP HANA
  - Universe
    - Context and Prompt selection
  - Query with SQL
- Connect approach respects user rights
  - SAP HANA
  - SAP Business Warehouse (with limitations)
- Forced BI server side refresh for universes

Lumira Desktop Governance

Configuring Desktop Governance

Desktop governance allows BI platform administrators to enforce security on SAP Lumira for
- Data source types the user can import from
- Destinations the user can share to
- Configurability of URLs
- Handling of updates

Enabling Desktop Governance
- BI Platform with Lumira BI Add-on installed
- Create a configuration file on each user's machine
- Define each user's settings in the Central Management Console (CMC)

SAP Lumira enforces desktop governance by contacting the BI platform at startup and querying for the user's rights and settings.


Creating a Desktop Governance Configuration File


Create a configuration file called LumiraGovernance.properties in C:\Users\<user>\.sapvi with the following parameters:

Parameter               Description
<enable>                true = desktop governance enforced
                        false = desktop governance not enforced
<adapter.type>          boe = system type that will be contacted to enforce desktop governance
<authentication.type>   Allowed BI platform authentication types: secEnterprise, secLDAP, secWinAD, secSAPR3
<rest.url>              BI platform REST access URL. Example: http://vmboesrvr:6405/biprws
<useSSO>                true = use Single Sign On to contact the BI platform
                        false = user will be prompted for their BI platform credentials
                        To use SSO, it must be configured on the user machine's domain and the BI platform deployment


[Screenshots: LumiraGovernance.properties; Logon Popup after restart]


Defining SAP Lumira Properties

- Set default values for SAP Lumira in order to improve user experience, or to enforce system security
- Allow users to maintain Sharing URLs for
  - Lumira Cloud
  - Lumira Server
  - BI Server
- Turn automatic updates on or off


Before and after applying Lumira Properties

[Screenshots: Before / After]


Defining Access Rights to SAP Lumira Features


Use BI platform rights to control which data sources and destinations each user or group can access


All selectable Rights for SAP Lumira


Before and After applying DataSource Rights


[Screenshots: Before / After; two entries are marked "denied"]

Before and After applying Sharing Rights


[Screenshots: Before / After views of the Share Datasets and Share Stories options; one entry is marked "denied"]


Maintaining Access Rights for Groups / Everyone


- Specific user rights have priority over group rights
- Your Desktop user needs to be created in BOE
  - It is automatically assigned to the Everyone group and cannot be removed
- Specific user rights will always apply first
- If no user rights are maintained for your user but group rights are, such as for Everyone, the group rights apply


DEMO


Lumira Document Security on Cloud, Server, BI Platform

Infographics: Refresh Page on Open Option


- Refreshes the infographic page each time you open the infographic
- Dynamic update according to the data available
- Can be used to secure a dashboard after sharing
  - e.g. if dataset access is removed
- Static infographics will not be affected by any dataset refreshes


SAP Lumira Cloud Security


Level of protection of data
- Sharing a story with your team or others will share the full dataset as well
- You can stop sharing items that you shared
- All users must sign in to view private items
- Users can access stories publicized through public URLs without signing into SAP Lumira Cloud

[Screenshot: Dataset sharing stopped]

Set up HANA Users to Access Lumira Server


HANA admin needs to assign BI_DATA_CONSUMER or BI_DATA_ANALYST role for users

BI_DATA_CONSUMER

BI_DATA_ANALYST


Share your Stories and Datasets on Lumira Server


Stories & Datasets can be shared with
- Roles you have access to
- Roles which have access to the underlying data

Members see the dataset based on their privileges

You will not be able to share to roles that do not have authorization

BI Platform Security for Lumira Documents


Control a user's access to datasets & stories by setting rights on the dataset and story objects in the Central Management Console (CMC)

- Datasets are stored under Lumira Datasets
- Stories are stored under Folders


Universe Security on the BI Platform


Security during a Dataset Refresh

Datasets based on universes can be refreshed, ensuring your stories contain the most up-to-date data
- on demand refresh
  - using the rights of the user doing the refresh
  - Maintain the Refresh on Open flag
    - creates a transient table per refreshing user
    - disables the schedule option for that dataset
- scheduled refresh
  - using the rights of the user who published the dataset
  - creates a permanent table in SAP HANA

[Screenshot: Universe specific settings]

Thank you
anja.rusch@sap.com
