BPM Admin Guide

USync

This section describes the steps you need to follow to work with USync.

You can use the USync tool to create users, user groups, and user aliases in BusinessObjects. USync creates BusinessObjects users and groups that correspond to the users in the Maconomy system. You can configure USync to create only users for which certain criteria are met.

USync can also remove BusinessObjects users or groups. This is convenient if users and groups have been removed from Maconomy.

Use the USync tool to complete the following tasks:

  1. Create users and groups in BusinessObjects that correspond to the ones that are defined in Maconomy. This allows users to access Maconomy data when running reports.
  • Create aliases for each user so that, when logged in using another name by means of SSO, users can still access data.
  • Synchronize users and groups for a tenant in a multitenant environment.

It is assumed that both Maconomy and BusinessObjects are set up for SSO.

Install USync

To install and prepare the USync tool:

  1. Log in to the Maconomy server system.
  2. Start MConfig and select the appropriate Maconomy application.
  3. Click Web products and select the web server.
  4. Click OK and apply the change with MConfig.
  5. On the Web Products screen, enable Web Services.
  6. Download the file USync.zip from the download server:

    \\dl\applications\Released\BPM\Tools\USync

    Select the latest BO version folder, for example BO 4.X folder.

  7. Extract the zip file to a folder on the server where BusinessObjects is installed. Make sure that both the USync.jar file and the "external" folder are within the same folder.

Create Users and Groups

To transfer users and groups from Maconomy with USync:

  1. Log in to the server on which BusinessObjects is installed.
  2. Open a command prompt.
  3. Run the USync java tool and enter the following parameters in the exact sequence as listed:
    • <Maconomy administrator username> - Enter the username of the Maconomy administrator to access the Web Service.
    • <Maconomy administrator password> - Enter the password of the Maconomy administrator to access the Web Service.
    • <URL to MaconomyWS executable on web server> - Enter the Maconomy web service URL from which USync derives the list of users to create in BusinessObjects.
    • <BO username> - Enter the username of the BusinessObjects user that has access to view, create, modify, and delete users in the CMS.
    • <BO password> - Enter the password of the BusinessObjects user that have the rights to view, create, modify and delete users in the CMS.
    • <BO Server name> - Enter the BusinessObjects server where users are created.
    • <BO Authentication Type> - Enter the authentication type that USync uses to log in the provided BO user above. It is recommended to use secEnterprise.
    • <Log level> - Set the value to 100 to show the minimum amount of information in the logs or to 500 to show a detailed trace of information.
    • <Path and file name of log file> - If there is no log file, the tool creates a new log file. If a log file already exists, the tool appends the logs to it. Note that USync does not create folders.
    • <Delete-user-data (true/false)> - This determines whether to allow USync to automatically delete a user in BusinessObjects that no longer matches with a user in Maconomy.
    • <Create named BO users (true/false)> - This determines the license type used to create the users. Set this to true to create named users (one license required per user) or false to create concurrent users (number of license pertains to the number of users that can login at the same time, no limit on the number of users that can exist in the CMS).
    • <Create AD aliases in BO (true/false)> - This determines whether BusinessObjects requires the configuration of the Windows AD plugin. Set this to true to automatically assign an alias to users that exists in Windows Active Directory.
    • <Domain name used for AD alias creation> - Enter the combined prefix and extension of the domain name used for AD alias creation (for example, trifolium.com). This is only necessary if the "Create AD aliases in BO" parameter is set to true.
    • <Default password for new BO users> - Enter a default password that all new created BusinessObjects users can use. This is only used for Enterprise authentication.
    • <Passwords never expire (true/false)> - To determine the expiration of passwords, enter true to ensure the user's password will never expire. If you enter false, the user's password expires according to the configured user restriction in CMC » Authentication » Enterprise. By default, this parameter's value is set to false.
    • <Must change password (true/false)> - To determine whether the user must change the default password when first logging in, enter true to force users to change password on first log in. Note that you cannot set this parameter to true if the "Can't change password" parameter is also set to true.
    • <Can't change password (true/false)> - To determine whether who can set passwords, enter true to allow only the system administrators to set passwords. Note that you cannot set this parameter to true if the "Must change password" parameter is also set to true.
    • <Whitelisted group> - Use this parameter to determine which users should not be deleted by USync when the "delete-user-data" parameter is set to true. Leave this blank if no group needs to be whitelisted.
    • <Allow update of existing BO users> - This parameter controls whether the properties of an existing user in BusinessObjects is updated by USync. By default, this parameter's value is set to false.

      For example, if you enter:

      java -jar USync.jar "Administrator" "123456" "http://BPMServer:20001/cgi-bin/Maconomy/MaconomyWS.w15p2mc.US_MCS.exe/" "Administrator" "ppu" "macsrv.trifolium.com" "secEnterprise" "100" "C:\temp\usync.log" "false" "false" "true" "trifolium.com" "1234-Pass" "true" "false" "false" "" "true"

      This does the following:

      • Creates users and groups that correspond to users and groups that are set up in Maconomy. If only certain users are wanted, you can define criteria for them.
        Note: Refer to Configuring a Tenant in a Multitenant Environment (Optional Installation).
      • Creates aliases for these users to handle access control.
      • Does not remove existing users that are defined in BusinessObjects. The users that are created are in addition to the users that are already there.
      • Sets the default password of the new users to 1234-Pass.
      • Uses the web server executable (a 15.0 sp 2 MCS system in the preceding example) to determine the Maconomy system that is used.
      • Stores the log output from USync in the file C:\temp\usync.log.

  4. Open the Central Management Console and click Groups or Users to confirm that the synchronization succeeded.

    For each user, you can see the group memberships on the Member of tab. For each group, you can see the members of the group on the Users tab. If you chose to create AD aliases, you can see them under each user in the lower part of the window.

Configuring a Tenant in a Multitenant Environment (Optional Installation)

Multitenancy enables you to host multiple clients on one server where each client has their own access sites and properties. These additional steps are optional and not part of the Usync default installation.

The setup of multitenancy includes the following steps:

  • Tenant configuration in the Maconomy Workspace client.
  • Set up corresponding tenant in BusinessObjects server.
  • Synchronize users using Usync.

Set Up a Tenant Name in Maconomy

To set up a tenant name in Maconomy:

  1. Open the System Information single dialog workspace.
  2. Scroll down to the Tenant Name island and enter a unique name in the Tenant Name field.

    Note: To check if a tenant name is already in use, go to BusinessObjects CMC » Multitenancy.

  3. Click Save.

Validate the Tenant Name in Maconomy

To validate the tenant name in Maconomy:

  1. Log in to the Maconomy Workspace Client with the necessary rights to access system setup, preferably as Administrator.
  2. Open the Users workspace (Setup » Users) and expand the User Information tab.
  3. Add the Tenant Name column to the Roles tab.
    1. Right-click any column on the Roles tab and click Customize columns.
    2. In the Available Columns section, select Tenant Login Name.
    3. Click Add and move the column up or down, depending on the desired location.
    4. Click OK.
  4. In the Tenant Login Name column, verify that the tenant name is prefixed in the login name with the format tenantName#LoginName.

Register Tenant with BusinessObjects Multitenancy Management Tool (Windows)

BusinessObjects (from version 4.2) Business Intelligence Platform comes pre-installed with the Multitenancy Management Tool (MTM). This tool handles the registration of a tenant and other configurations controlled through a template definition file.

Tip: Refer to the SAP Multitenancy Guide for more information.

To define MTM properties:

  1. Open the tenant_template_def.properties file in a text editing application. The file is located in the same directory as the BusinessObjects 4.X Multitenancy Management Tool.

    Note: The default location and file name is <InstallDir>\SAP BusinessObjects Enterprise XI 4.0\java\apps\multitenancyManager\jars\multitenancymanager.jar.

  2. In the tenant_template_def.properties file:
    1. Add the desired tenant name to the tenantName parameter. For example, tenantName=XXX.
    2. Add the mandatory login information:
      • cms
      • auth
      • user
      • pwd (Optional. If left blank, user is prompted for password to proceed.)
  3. Save the file.

Run the MTM tool

To run the MTM tool:

  1. Open a command prompt. It is recommended that you run this as Administrator to avoid permission conflicts.
  2. Change the directory to the location of the multitenancymanager.jar file (<InstallDir>\SAP BusinessObjects Enterprise XI 4.0\java\apps\multitenancyManager\jars)
  3. Run the following command:
    java -jar multitenancymanager.jar -configFile

Verify the Tenant is Created Successfully

To verify the tenant is created successfully:

  1. Log in to the Central Management Console.
  2. On the Multitenancy tab, verify the tenant name is listed in the Name column.

Synchronize Users with USync

To synchronize users with USync:

  1. Download the USync.zip from the dl server at \\dl\applications\Released\BPM\Tools\USync folder.
  2. Extract the zip files.
  3. Open a command prompt (run as Administrator).
  4. Change the directory to the location of the extracted zip file, USync.jar.
  5. Run the command: java -jar USync.jar with the following parameters:
    PARAMETER VALUE
    Maconomy Username Maconomy Admin username
    Maconomy Password Maconomy Admin password
    Web Service URL MaconomyWS URL found in ..\maconomy\index.html
    BO Username BO Admin username
    BO Password BO Admin password
    CMS BO Server
    BO Authentication secEnterprise, secWinAD, etc.
    Log Level 0 = no message, 500 = debug mode
    Log File Name File for the log file including directory
    Delete User Data delete users that does not exist in Maconomy
    Named Users Boolean, true=named user or false=concurrent user
    Create AD Aliases Boolean, create AD Alias for SSO
    AD Domain used for AD Alias Creation
    Default Password Password assigned to created BO users
    Passwords Never Expire Boolean, user attribute
    Must Change Password Boolean, user attribute
    Can't Change Password Boolean, user attribute
    White List Groups Groups ignored by delete user data parameter
    Allow Update Allows USync to update existing users
  6. When completed, verify that the users and groups are created in BusinessObjects CMC.
    1. Log in to Central Management Console.
    2. On the Users and Groups tab, verify both users and groups are prefixed with the tenant name.

Control which Users to Create

To create only specific users, or users that satisfy certain conditions, configure USync.

To configure USync, follow these steps:

  1. In the Maconomy web server folder \MaconomyWS\Services\Standard locate the USyncSQL.txt file.
  2. Edit the file so that it contains an SQL-like expression that selects the users.

Examples

Example 1: Select Users by Means of Popup 1

You want to control which user to import by using Popup 1 on the employee who is associated with the user. If you set up this pop-up with one value, BusinessObjects, so that it either has this value or is blank on each employee, you can insert the following additional condition in the WHERE clause for the import of user data and role membership data.

0 = (select EmployeePopup1 from Employee
    where EmployeeNumber = UserInformation.EmployeeNumber)

If there is no employee on the user, the selected value is null. If Popup 1 is blank on the employee, the selected value is -1.

Example 2: Select Users Based on Roles

You want to import only those users who have certain roles. In this case, use the following additional condition:

EXISTS (SELECT 'OK' FROM EXUserDialogGroup
   WHERE NameOfUser = UserInformation.NameOfUser
      AND GroupName IN ('FinancialManagement', 'LineManagement'))

In an MAS solution, this imports 19 users, including Andy Polansky, Lisa Welsh, and Sue French. In the MCS solution you could change the restriction on the group name to GroupName IN (FinancialManagement, DepartmentManagement, AccountManagement), and then you would get 17 users, including Edward Powers and Micho Spring.

Error Handling

The output message may contain errors.

  • If the output message contains:
    • “This user does not exist” - You did not enter a valid Maconomy user name.
    • "Password is not correct" - You did not enter a correct password for the Maconomy user.
    • "Enterprise authentication could not log you on" - There is a problem with the BusinessObjects username or password.
    • § If you cannot open the http://localhost/index.html page, there may be an error in the global parameters in M-Config. Open M-Config, click the Global settings button and make sure that the Export HTML index file to field has the correct value (for example: C:\Apache\Apache2\htdocs).

(404) Not Found

  • If the output message contains "(404) Not Found," there is a problem with the URL in the Web service URL field. This is also the case if the output message refers to SAXParseException, ConnectException, UnknownHostException, or "unknown protocol."

One possible reason for the 404 error could be that the Webserver URL in M-Config is incorrect.

To fix the 404 error, follow these steps:

  1. Open M-Config.
  2. Select the relevant application.
  3. Click Web products.
  4. Select the appropriate web server.
  5. Click Web server parameters and make sure that the Webserver URL (host and port) field has the correct value.

For example, if the installation uses a virtual web server, the field should be http:// followed by the name of the server, followed by the virtual web server port number (separated by a colon), with a / (slash) at the end. If you make a change in M-Config, you may need to restart the web daemon before the changes take effect.

Assign Report and Universe Rights

Before you perform this procedure, you must consider which users or groups should be given access to which reports and universes.

To manually set up access rights in BusinessObjects, follow these steps:

  1. Open the Central Management Console.
  2. Click Folders and then locate the reports in the Maconomy folder.
  3. For each report, set up the access rights by clicking on the report and opening the Rights tab.
  4. Make sure that the rights for the group Everyone are set to No Access, click Add/Remove to insert a line (for example, a new group), and then click OK.
  5. Change the rights to a different setting, for example, View On Demand.
Note: You must grant each universe and connection to the specific groups of users. This may take some time if there are many groups and many reports.

It is recommended that you assign rights to groups (containing users), rather than directly to users.