Using explicitly denied rights to globally remove privileges for non-administrators

Deny overrides grant in Business Objects

The way that "explicitly denied" rights work (on the advanced rights
tab) enables us to globally remove rights for groups or individuals.

Important: "explicitly denied" rights will always override an "explicit grant"

For any given right, if a user is a member of any group where that specific right is denied, the net right is denied.

Deny always trumps grant.

Using explicit denies at the highest level

We can set folder rights in CMC at the highest level, the "Settings"
level. Doing this will effectively deny the right at all levels (since
the "settings" level is the parent folder of all folders). Setting
rights at this level avoids needing to individually remove rights at
the folder level for various groups.

businessobjects global settings

Go to the "Rights" tab in the settings.

business objects rights tab

On the rights tab, add a group that you wish to explicitly deny rights.

In our case we created a "non-administrators"
group. We wanted to deny all non-administrators certain rights, like
scheduling reports. We added all non-admins to the non-administrators
group. Added an entry on the rights tab for the non-admin group and set
the advanced rights.

On the "Advanced Rights" each individual right
(row) can be set to either "Explicitly Granted," "Explicitly Denied,"
or "Not Specified."

advanced rights explictly denied granted

By setting rights that are explicitly denied, it
effectively denies the right for any members of the specified group
(non-administrators in our case).

Here is a list of the rights that can be set in this way in BusinessObjects:

General Rights

  • Add objects to the folder
  • View objects
  • Edit objects
  • Modify the rights users have to objects
  • Schedule the document to run
  • Delete objects
  • Define server groups to process jobs
  • Delete instances
  • Copy objects to another folder
  • Schedule to destinations
  • View document instances
  • Pause and Resume document instances
  • Securely modify rights users have to objects.
  • Reschedule instances
  • Schedule on behalf of other users
  • Allow discussion threads
  • View objects that the user owns
  • Edit objects that the user owns
  • Modify the rights users have to objects that the user owns
  • Delete objects that the user owns
  • Delete instances that the user owns
  • View document instances that the user owns
  • Pause and Resume document instances that the user owns
  • Securely modify rights users have to objects that the user owns.
  • Reschedule instances that the user owns

Desktop Intelligence Rights

  • Refresh the report's data
  • Refresh List of Values
  • Use Lists of Values
  • View SQL
  • Export the report's data
  • Download files associated with the object

Desktop Intelligence Add in

  • Download files associated with the object


  • Print the report's data
  • Refresh the report's data
  • Export the report's data
  • Download files associated with the report

Web Intelligence Document

  • Refresh the report's data
  • Edit Query
  • Refresh List of Values
  • Use Lists of Values
  • View SQL
  • Export the report's data
  • Download files associated with the object

Configuring a Clustered Server on Business Objects XI-R2

What is Clustering?

Clustering is connecting two or more computers together in such a
way that they behave like a single computer. Clustering can be used for
parallel processing, load balancing and fault tolerance. That is as far
as the definition goes.

What exactly happens in real life? Let's consider an example. John
is the administrator in a company responsible for administering BO. On
a typical day,several reports are run on the CMS (Central Management
Server). One day, John finds that CMS is down for some reason. Yes, the
service will mail system engineers that it is down. But, there are many
reports that are waiting to be run. What can John do to better handle
the situation in the future?

Enter Clustering. John can set up a Clustered environment, where in
two or three CMS will run in parallel. So, one CMS will be active, and
the others will be passive. If the active one is down for some reason,
the other CMS will be up automatically. The end users would not even
know that one of the servers is down. It is that quick.

Why is Clustering important for Business Objects?

If for some reason the hardware crashes then BO environment will be on its knees.

•With Clustered environment, if one of the server goes down the other
comes up immediately and this is done automatically by BusinessObjects
without any external interference.

•With Clustered environment, we can have multiple Job Servers which can
run the jobs (reports) in parallel, distributing them between servers.

•We can load balance the server so that resources are distributed evenly between servers.

When is using Clustering recommended?

If there is an Environment with thousands of Jobs running everyday and would need high availability of BO.

What is the procedure to setup a Clustered environment?

Make sure you have all the requirements to build a server like
Oracle Client, Java. For SSO, IIS need to be installed on the server.
It is better if IIS is installed before installing BO, as BO will
install the Web Component Adaptors for IIS and Java during install.



Install: First Sever

a) Insert the BO XI CD.


b) Select “Perform Server Installation”, click “Next”.

c) Enter Product Registration Code, click “Next”.

d) Select the location for BusinessObjects, click “Next”.

e) Setting up the Repository, click “Next”.


f) Setting up the BusinessObjects Repository, click “Next”. Make a note
of the credentials as they are needed in second server with same
credentials and they are also case sensitive.


g) Select the Web Component Adapter, click “Next”.


h) Click “Next”.


i) Installation will begin once “Next” is clicked. If any changes have
to be made it can be made at this time by clicking “Back”.


j) Follow the instructions.


k) Leave the Administrator credentials empty, Click “Finish”.

Install: Second Server (Clustering)

a) Insert the BO XI CD.


b) Select “Perform Server Installation”, click “Next”.

c) Enter Product Registration Code, click “Next”.

d) Select the location for BusinessObjects, click “Next”.

e) Setting up the Clustered Environment, select “Expand”


•Type in the existing CMS Name ex: ASVMB0S302 (First server)

•Check the services which you want to be clustered

Note: It is better to uncheck “File Repository Servers” as each BO
XI Environment would have one location to get the reports and post the
reports. Once you uncheck “File Repository Servers”, “Enable servers
upon install” will be highlighted. Check this box so that the servers
are enabled after the install.


f) This is the important part about setting the repository, make
sure the credentials are same as the first server (case sensitive)


g) Follow the instructions.


Setting up Single Sign-On (SSO):

This needs to be done on all the servers which are in the cluster.

I - Modifying IIS Settings on the Server

a) Go to IIS Manager on the server


b) Right Click on “businessobjects” by expanding “Web Sites”->”Default Web Site”

c) Click on Properties


d) Click on Directory Security tab


e) Click “Edit” in Authentication and access control

i. Uncheck “Enable Anonymous Access”

ii. Check “Integrated Windows authentication”


f) Click OK and Apply

g) Repeat the steps for “crystalreportviewers115” and “Styles” under “Default Web Site”

II. Modifying web.config file

•Open the web.config (C:\Program Files\BusinessObjects Enterprise
11.5\Web Content) add the below line under <authentication
mode="Windows" />. This is to enable the use of SSO in CMC.

<identity impersonate="true" />

If authentication mode is set to “None” change it to “Windows”.


•Save and close the file

Note: This file is different from the one in BusinessObjects Enterprise 11.5\ \InfoView

•Open the web.config using Notepad (C:\Program Files\BusinessObjects
Enterprise 11.5\Web Content\Enterprise115\InfoView). This is to enable
the use of SSO in InfoView.

a. In the <configuration> section, find the line which reads,
<add key="cmsdefault" value="" />. Fill the “” with default CMS
machine name.

Note: For the second server (clustered) make sure have the same Default CMC machine name.

<add key="cmsDefault" value="ASVMBOS301" />

b. Find

<add key="authenticationDefault" value="secEnterprise" />

and replace with

<add key="authenticationDefault" value="secWinAD" />

c. Find

<add key="ssoEnabled" value="false" />

and replace with

<add key="ssoEnabled" value="true" />

d. In the <system.web> section under <!– AUTHENTICATION, find the line which reads

<authentication mode="None" />

replace with

<authentication mode="Windows" />

<identity imperonate="true" />

•Save and close the file

•Restart IIS by restarting World Wide Web Publishing Service in CCM (Central Configuration Manager)


Note: Login to CMC -> Manage->Authentication, if the tabs
are grayed out go to License Keys and check if the License keys are
present. If they are Restart the Server.

•Login to CMC and go to Manage->Authentication, click on Windows AD tab.

•Check “Windows Active Directory Authentication is enabled”


•Click in the box under “Windows AD Configuration Summary” where it says “”



•Click “Update”

•This is how it looks after the credentials are accepted.


Mapping the AD groups

•Click “Add”


•Check the first option under “New Alias Options”. This option will
assign the AD account to an Enterprise account, if Enterprise account
is already available.

•Check the second option under “Update Options”. This option will not
create an account in BO until the first time access BO XI using Windows


•Click Update

•The mapped AD group will be converted something like


Note: The group is added in BO XI under Groups but there will be no
Users in that group. The Users will shows up as they login to BO
Enterprise using Windows AD credentials.

Note: The AD credentials should have administration privileges.

•Right click on Central Management Server and click on Properties,
under the configuration tab the CMC Data Source should point to the
same cluster on both servers.


•For all of the other servers on the second server CMS name should be pointed to the first server.


This completes the process of clustering multiple servers with SSO.